nanocore | f1fddc0cfd9632772ba10b059d83a1bb34b01a81766e61804bc39ca3898c5211

Analysis

max time kernel
143s
max time network
148s
platform
windows10_x64
resource
win10v200430
submitted
30-06-2020 07:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

nass.exe
Size

710KB
MD5

9430ffb97fd0940e0c6fcaa11d409202
SHA1

17b3a43c427429aa84624ab6a7f21c3621cdc464
SHA256

f1fddc0cfd9632772ba10b059d83a1bb34b01a81766e61804bc39ca3898c5211
SHA512

eeadcb7f802d07d17a31648b23b732beaae11b5a9e35853af47e6d8f3d5f0f84ef3ceb621cf6e236bc1e5e6b6f18ce855446494ed548ceeeb26d9017b91d6b40

Score

10^/10

persistence evasion trojan keylogger stealer spyware nanocore

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

mogs20.hopto.org:1085

185.244.30.251:1085

Mutex

1c8e1b25-da1c-4b7f-872b-7991ecf830f7

Attributes

activate_away_mode
true
backup_connection_host
185.244.30.251
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2020-03-26T22:47:50.934251036Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
1085
default_group
ANGEL RAPHAEL
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
1c8e1b25-da1c-4b7f-872b-7991ecf830f7
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
mogs20.hopto.org
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
true
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

Suspicious use of SetThreadContext 263 IoCs

Processes:

nass.exenass.exenass.exenass.exenass.exenass.exenass.exenass.exenass.exenass.exenass.exenass.exenass.exenass.exenass.exenass.exenass.exenass.exenass.exenass.exenass.exenass.exenass.exenass.exenass.exenass.exenass.exenass.exenass.exenass.exenass.exenass.exenass.exenass.exenass.exenass.exenass.exenass.exenass.exenass.exenass.exenass.exenass.exenass.exenass.exenass.exenass.exenass.exenass.exenass.exenass.exenass.exenass.exenass.exenass.exenass.exenass.exenass.exenass.exenass.exenass.exenass.exenass.exenass.exe

description	pid	process	target process
PID 3824 set thread context of 2924	3824	nass.exe	RegAsm.exe
PID 864 set thread context of 688	864	nass.exe	RegAsm.exe
PID 1200 set thread context of 1492	1200	nass.exe	RegAsm.exe
PID 1924 set thread context of 2176	1924	nass.exe	RegAsm.exe
PID 2784 set thread context of 3848	2784	nass.exe	RegAsm.exe
PID 3936 set thread context of 3208	3936	nass.exe	RegAsm.exe
PID 496 set thread context of 744	496	nass.exe	RegAsm.exe
PID 2900 set thread context of 3020	2900	nass.exe	RegAsm.exe
PID 2272 set thread context of 3096	2272	nass.exe	RegAsm.exe
PID 1128 set thread context of 3180	1128	nass.exe	RegAsm.exe
PID 1004 set thread context of 1164	1004	nass.exe	RegAsm.exe
PID 2164 set thread context of 1408	2164	nass.exe	RegAsm.exe
PID 2076 set thread context of 3568	2076	nass.exe	RegAsm.exe
PID 2160 set thread context of 3312	2160	nass.exe	RegAsm.exe
PID 416 set thread context of 3800	416	nass.exe	RegAsm.exe
PID 3744 set thread context of 1572	3744	nass.exe	RegAsm.exe
PID 1788 set thread context of 1416	1788	nass.exe	RegAsm.exe
PID 1004 set thread context of 3856	1004	nass.exe	RegAsm.exe
PID 3032 set thread context of 3932	3032	nass.exe	RegAsm.exe
PID 3016 set thread context of 592	3016	nass.exe	RegAsm.exe
PID 1984 set thread context of 1544	1984	nass.exe	RegAsm.exe
PID 3064 set thread context of 1132	3064	nass.exe	RegAsm.exe
PID 3944 set thread context of 2852	3944	nass.exe	RegAsm.exe
PID 3556 set thread context of 1004	3556	nass.exe	RegAsm.exe
PID 744 set thread context of 2760	744	nass.exe	RegAsm.exe
PID 648 set thread context of 3560	648	nass.exe	RegAsm.exe
PID 3960 set thread context of 3940	3960	nass.exe	RegAsm.exe
PID 3928 set thread context of 2664	3928	nass.exe	RegAsm.exe
PID 2224 set thread context of 1912	2224	nass.exe	RegAsm.exe
PID 1148 set thread context of 1660	1148	nass.exe	RegAsm.exe
PID 3624 set thread context of 1612	3624	nass.exe	RegAsm.exe
PID 1984 set thread context of 2812	1984	nass.exe	RegAsm.exe
PID 2588 set thread context of 3956	2588	nass.exe	RegAsm.exe
PID 2224 set thread context of 3588	2224	nass.exe	RegAsm.exe
PID 1148 set thread context of 3132	1148	nass.exe	RegAsm.exe
PID 3624 set thread context of 1328	3624	nass.exe	RegAsm.exe
PID 3848 set thread context of 3024	3848	nass.exe	RegAsm.exe
PID 3572 set thread context of 4000	3572	nass.exe	RegAsm.exe
PID 1508 set thread context of 2596	1508	nass.exe	RegAsm.exe
PID 812 set thread context of 1392	812	nass.exe	RegAsm.exe
PID 3860 set thread context of 1200	3860	nass.exe	RegAsm.exe
PID 3984 set thread context of 3940	3984	nass.exe	RegAsm.exe
PID 3964 set thread context of 3064	3964	nass.exe	RegAsm.exe
PID 1508 set thread context of 1916	1508	nass.exe	RegAsm.exe
PID 3824 set thread context of 3544	3824	nass.exe	RegAsm.exe
PID 3604 set thread context of 1320	3604	nass.exe	RegAsm.exe
PID 1572 set thread context of 3984	1572	nass.exe	RegAsm.exe
PID 1164 set thread context of 3860	1164	nass.exe	RegAsm.exe
PID 3068 set thread context of 416	3068	nass.exe	RegAsm.exe
PID 1888 set thread context of 1444	1888	nass.exe	RegAsm.exe
PID 1316 set thread context of 3936	1316	nass.exe	RegAsm.exe
PID 2708 set thread context of 512	2708	nass.exe	RegAsm.exe
PID 1000 set thread context of 2204	1000	nass.exe	RegAsm.exe
PID 2108 set thread context of 1392	2108	nass.exe	RegAsm.exe
PID 3808 set thread context of 3300	3808	nass.exe	RegAsm.exe
PID 3584 set thread context of 1908	3584	nass.exe	RegAsm.exe
PID 1132 set thread context of 3956	1132	nass.exe	RegAsm.exe
PID 1924 set thread context of 3684	1924	nass.exe	RegAsm.exe
PID 2488 set thread context of 500	2488	nass.exe	RegAsm.exe
PID 3032 set thread context of 4016	3032	nass.exe	RegAsm.exe
PID 1316 set thread context of 3560	1316	nass.exe	RegAsm.exe
PID 1176 set thread context of 3984	1176	nass.exe	RegAsm.exe
PID 2596 set thread context of 1148	2596	nass.exe	RegAsm.exe
PID 1200 set thread context of 1508	1200	nass.exe	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 264 IoCs

Processes:

nass.exenass.exenass.exeRegAsm.exenass.exenass.exenass.exenass.exenass.exenass.exenass.exenass.exenass.exenass.exenass.exenass.exenass.exenass.exenass.exenass.exenass.exenass.exenass.exenass.exenass.exenass.exenass.exenass.exenass.exenass.exenass.exenass.exenass.exenass.exenass.exenass.exenass.exenass.exenass.exenass.exenass.exenass.exenass.exenass.exenass.exenass.exenass.exenass.exenass.exenass.exenass.exenass.exenass.exenass.exenass.exenass.exenass.exenass.exenass.exenass.exenass.exenass.exenass.exenass.exe

description	pid	process
Token: SeDebugPrivilege	3824	nass.exe
Token: SeDebugPrivilege	864	nass.exe
Token: SeDebugPrivilege	1200	nass.exe
Token: SeDebugPrivilege	688	RegAsm.exe
Token: SeDebugPrivilege	1924	nass.exe
Token: SeDebugPrivilege	2784	nass.exe
Token: SeDebugPrivilege	3936	nass.exe
Token: SeDebugPrivilege	496	nass.exe
Token: SeDebugPrivilege	2900	nass.exe
Token: SeDebugPrivilege	2272	nass.exe
Token: SeDebugPrivilege	1128	nass.exe
Token: SeDebugPrivilege	1004	nass.exe
Token: SeDebugPrivilege	2164	nass.exe
Token: SeDebugPrivilege	2076	nass.exe
Token: SeDebugPrivilege	2160	nass.exe
Token: SeDebugPrivilege	416	nass.exe
Token: SeDebugPrivilege	3744	nass.exe
Token: SeDebugPrivilege	1788	nass.exe
Token: SeDebugPrivilege	1004	nass.exe
Token: SeDebugPrivilege	3032	nass.exe
Token: SeDebugPrivilege	3016	nass.exe
Token: SeDebugPrivilege	1984	nass.exe
Token: SeDebugPrivilege	3064	nass.exe
Token: SeDebugPrivilege	3944	nass.exe
Token: SeDebugPrivilege	3556	nass.exe
Token: SeDebugPrivilege	744	nass.exe
Token: SeDebugPrivilege	648	nass.exe
Token: SeDebugPrivilege	3960	nass.exe
Token: SeDebugPrivilege	3928	nass.exe
Token: SeDebugPrivilege	2224	nass.exe
Token: SeDebugPrivilege	1148	nass.exe
Token: SeDebugPrivilege	3624	nass.exe
Token: SeDebugPrivilege	1984	nass.exe
Token: SeDebugPrivilege	2588	nass.exe
Token: SeDebugPrivilege	2224	nass.exe
Token: SeDebugPrivilege	1148	nass.exe
Token: SeDebugPrivilege	3624	nass.exe
Token: SeDebugPrivilege	3848	nass.exe
Token: SeDebugPrivilege	3572	nass.exe
Token: SeDebugPrivilege	1508	nass.exe
Token: SeDebugPrivilege	812	nass.exe
Token: SeDebugPrivilege	3860	nass.exe
Token: SeDebugPrivilege	3984	nass.exe
Token: SeDebugPrivilege	3964	nass.exe
Token: SeDebugPrivilege	1508	nass.exe
Token: SeDebugPrivilege	3824	nass.exe
Token: SeDebugPrivilege	3604	nass.exe
Token: SeDebugPrivilege	1572	nass.exe
Token: SeDebugPrivilege	1164	nass.exe
Token: SeDebugPrivilege	3068	nass.exe
Token: SeDebugPrivilege	1888	nass.exe
Token: SeDebugPrivilege	1316	nass.exe
Token: SeDebugPrivilege	2708	nass.exe
Token: SeDebugPrivilege	1000	nass.exe
Token: SeDebugPrivilege	2108	nass.exe
Token: SeDebugPrivilege	3808	nass.exe
Token: SeDebugPrivilege	3584	nass.exe
Token: SeDebugPrivilege	1132	nass.exe
Token: SeDebugPrivilege	1924	nass.exe
Token: SeDebugPrivilege	2488	nass.exe
Token: SeDebugPrivilege	3032	nass.exe
Token: SeDebugPrivilege	1316	nass.exe
Token: SeDebugPrivilege	1176	nass.exe
Token: SeDebugPrivilege	2596	nass.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

RegAsm.exe

pid process

688 RegAsm.exe

pid	process
688	RegAsm.exe

Adds Run entry to start application 2 TTPs 264 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\CurrentVersion\Run\RegAsm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nass.exe"	nass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\CurrentVersion\Run\RegAsm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nass.exe"	nass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\CurrentVersion\Run\RegAsm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nass.exe"	nass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\CurrentVersion\Run\RegAsm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nass.exe"	nass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\CurrentVersion\Run\RegAsm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nass.exe"	nass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\CurrentVersion\Run\RegAsm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nass.exe"	nass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\CurrentVersion\Run\RegAsm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nass.exe"	nass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\CurrentVersion\Run\RegAsm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nass.exe"	nass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\CurrentVersion\Run\RegAsm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nass.exe"	nass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\CurrentVersion\Run\RegAsm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nass.exe"	nass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\CurrentVersion\Run\RegAsm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nass.exe"	nass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\CurrentVersion\Run\RegAsm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nass.exe"	nass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\CurrentVersion\Run\RegAsm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nass.exe"	nass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\CurrentVersion\Run\RegAsm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nass.exe"	nass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\CurrentVersion\Run\RegAsm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nass.exe"	nass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\CurrentVersion\Run\RegAsm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nass.exe"	nass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\CurrentVersion\Run\RegAsm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nass.exe"	nass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\CurrentVersion\Run\RegAsm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nass.exe"	nass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\CurrentVersion\Run\RegAsm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nass.exe"	nass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\CurrentVersion\Run\RegAsm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nass.exe"	nass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\CurrentVersion\Run\RegAsm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nass.exe"	nass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\CurrentVersion\Run\RegAsm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nass.exe"	nass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\CurrentVersion\Run\RegAsm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nass.exe"	nass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\CurrentVersion\Run\RegAsm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nass.exe"	nass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\CurrentVersion\Run\RegAsm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nass.exe"	nass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\CurrentVersion\Run\RegAsm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nass.exe"	nass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\CurrentVersion\Run\RegAsm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nass.exe"	nass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\CurrentVersion\Run\RegAsm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nass.exe"	nass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\CurrentVersion\Run\RegAsm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nass.exe"	nass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\CurrentVersion\Run\RegAsm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nass.exe"	nass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\CurrentVersion\Run\RegAsm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nass.exe"	nass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\CurrentVersion\Run\RegAsm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nass.exe"	nass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\CurrentVersion\Run\RegAsm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nass.exe"	nass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\CurrentVersion\Run\RegAsm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nass.exe"	nass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\CurrentVersion\Run\RegAsm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nass.exe"	nass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\CurrentVersion\Run\RegAsm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nass.exe"	nass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\CurrentVersion\Run\RegAsm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nass.exe"	nass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\CurrentVersion\Run\RegAsm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nass.exe"	nass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\CurrentVersion\Run\RegAsm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nass.exe"	nass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\CurrentVersion\Run\RegAsm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nass.exe"	nass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\CurrentVersion\Run\RegAsm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nass.exe"	nass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\CurrentVersion\Run\RegAsm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nass.exe"	nass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\CurrentVersion\Run\RegAsm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nass.exe"	nass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\CurrentVersion\Run\RegAsm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nass.exe"	nass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\CurrentVersion\Run\RegAsm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nass.exe"	nass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\CurrentVersion\Run\RegAsm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nass.exe"	nass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\CurrentVersion\Run\RegAsm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nass.exe"	nass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\CurrentVersion\Run\RegAsm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nass.exe"	nass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\CurrentVersion\Run\RegAsm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nass.exe"	nass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\CurrentVersion\Run\RegAsm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nass.exe"	nass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\CurrentVersion\Run\RegAsm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nass.exe"	nass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\CurrentVersion\Run\RegAsm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nass.exe"	nass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\CurrentVersion\Run\RegAsm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nass.exe"	nass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\CurrentVersion\Run\RegAsm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nass.exe"	nass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\CurrentVersion\Run\RegAsm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nass.exe"	nass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\CurrentVersion\Run\RegAsm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nass.exe"	nass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\CurrentVersion\Run\RegAsm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nass.exe"	nass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\CurrentVersion\Run\RegAsm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nass.exe"	nass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\CurrentVersion\Run\RegAsm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nass.exe"	nass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\CurrentVersion\Run\RegAsm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nass.exe"	nass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\CurrentVersion\Run\RegAsm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nass.exe"	nass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\CurrentVersion\Run\RegAsm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nass.exe"	nass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\CurrentVersion\Run\RegAsm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nass.exe"	nass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\CurrentVersion\Run\RegAsm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nass.exe"	nass.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

RegAsm.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA RegAsm.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RegAsm.exe

Suspicious use of WriteProcessMemory 2139 IoCs

Processes:

nass.exenass.exenass.exenass.exenass.exenass.exenass.exe

description	pid	process	target process
PID 3824 wrote to memory of 2924	3824	nass.exe	RegAsm.exe
PID 3824 wrote to memory of 2924	3824	nass.exe	RegAsm.exe
PID 3824 wrote to memory of 2924	3824	nass.exe	RegAsm.exe
PID 3824 wrote to memory of 2924	3824	nass.exe	RegAsm.exe
PID 3824 wrote to memory of 864	3824	nass.exe	nass.exe
PID 3824 wrote to memory of 864	3824	nass.exe	nass.exe
PID 3824 wrote to memory of 864	3824	nass.exe	nass.exe
PID 864 wrote to memory of 688	864	nass.exe	RegAsm.exe
PID 864 wrote to memory of 688	864	nass.exe	RegAsm.exe
PID 864 wrote to memory of 688	864	nass.exe	RegAsm.exe
PID 864 wrote to memory of 688	864	nass.exe	RegAsm.exe
PID 864 wrote to memory of 1200	864	nass.exe	nass.exe
PID 864 wrote to memory of 1200	864	nass.exe	nass.exe
PID 864 wrote to memory of 1200	864	nass.exe	nass.exe
PID 1200 wrote to memory of 1420	1200	nass.exe	RegAsm.exe
PID 1200 wrote to memory of 1420	1200	nass.exe	RegAsm.exe
PID 1200 wrote to memory of 1420	1200	nass.exe	RegAsm.exe
PID 1200 wrote to memory of 1492	1200	nass.exe	RegAsm.exe
PID 1200 wrote to memory of 1492	1200	nass.exe	RegAsm.exe
PID 1200 wrote to memory of 1492	1200	nass.exe	RegAsm.exe
PID 1200 wrote to memory of 1492	1200	nass.exe	RegAsm.exe
PID 1200 wrote to memory of 1924	1200	nass.exe	nass.exe
PID 1200 wrote to memory of 1924	1200	nass.exe	nass.exe
PID 1200 wrote to memory of 1924	1200	nass.exe	nass.exe
PID 1924 wrote to memory of 2112	1924	nass.exe	RegAsm.exe
PID 1924 wrote to memory of 2112	1924	nass.exe	RegAsm.exe
PID 1924 wrote to memory of 2112	1924	nass.exe	RegAsm.exe
PID 1924 wrote to memory of 2132	1924	nass.exe	RegAsm.exe
PID 1924 wrote to memory of 2132	1924	nass.exe	RegAsm.exe
PID 1924 wrote to memory of 2132	1924	nass.exe	RegAsm.exe
PID 1924 wrote to memory of 2136	1924	nass.exe	RegAsm.exe
PID 1924 wrote to memory of 2136	1924	nass.exe	RegAsm.exe
PID 1924 wrote to memory of 2136	1924	nass.exe	RegAsm.exe
PID 1924 wrote to memory of 2148	1924	nass.exe	RegAsm.exe
PID 1924 wrote to memory of 2148	1924	nass.exe	RegAsm.exe
PID 1924 wrote to memory of 2148	1924	nass.exe	RegAsm.exe
PID 1924 wrote to memory of 2176	1924	nass.exe	RegAsm.exe
PID 1924 wrote to memory of 2176	1924	nass.exe	RegAsm.exe
PID 1924 wrote to memory of 2176	1924	nass.exe	RegAsm.exe
PID 1924 wrote to memory of 2176	1924	nass.exe	RegAsm.exe
PID 1924 wrote to memory of 2784	1924	nass.exe	nass.exe
PID 1924 wrote to memory of 2784	1924	nass.exe	nass.exe
PID 1924 wrote to memory of 2784	1924	nass.exe	nass.exe
PID 2784 wrote to memory of 3848	2784	nass.exe	RegAsm.exe
PID 2784 wrote to memory of 3848	2784	nass.exe	RegAsm.exe
PID 2784 wrote to memory of 3848	2784	nass.exe	RegAsm.exe
PID 2784 wrote to memory of 3848	2784	nass.exe	RegAsm.exe
PID 2784 wrote to memory of 3936	2784	nass.exe	nass.exe
PID 2784 wrote to memory of 3936	2784	nass.exe	nass.exe
PID 2784 wrote to memory of 3936	2784	nass.exe	nass.exe
PID 3936 wrote to memory of 3208	3936	nass.exe	RegAsm.exe
PID 3936 wrote to memory of 3208	3936	nass.exe	RegAsm.exe
PID 3936 wrote to memory of 3208	3936	nass.exe	RegAsm.exe
PID 3936 wrote to memory of 3208	3936	nass.exe	RegAsm.exe
PID 3936 wrote to memory of 496	3936	nass.exe	nass.exe
PID 3936 wrote to memory of 496	3936	nass.exe	nass.exe
PID 3936 wrote to memory of 496	3936	nass.exe	nass.exe
PID 496 wrote to memory of 744	496	nass.exe	RegAsm.exe
PID 496 wrote to memory of 744	496	nass.exe	RegAsm.exe
PID 496 wrote to memory of 744	496	nass.exe	RegAsm.exe
PID 496 wrote to memory of 744	496	nass.exe	RegAsm.exe
PID 496 wrote to memory of 2900	496	nass.exe	nass.exe
PID 496 wrote to memory of 2900	496	nass.exe	nass.exe
PID 496 wrote to memory of 2900	496	nass.exe	nass.exe

Suspicious behavior: MapViewOfSection 362 IoCs

Processes:

pid	process
3824	nass.exe
864	nass.exe
1200	nass.exe
1200	nass.exe
1924	nass.exe
1924	nass.exe
1924	nass.exe
1924	nass.exe
1924	nass.exe
2784	nass.exe
3936	nass.exe
496	nass.exe
2900	nass.exe
2900	nass.exe
2272	nass.exe
2272	nass.exe
1128	nass.exe
1004	nass.exe
2164	nass.exe
2076	nass.exe
2076	nass.exe
2076	nass.exe
2160	nass.exe
416	nass.exe
3744	nass.exe
3744	nass.exe
1788	nass.exe
1788	nass.exe
1004	nass.exe
3032	nass.exe
3016	nass.exe
1984	nass.exe
3064	nass.exe
3944	nass.exe
3556	nass.exe
744	nass.exe
648	nass.exe
3960	nass.exe
3960	nass.exe
3960	nass.exe
3960	nass.exe
3928	nass.exe
2224	nass.exe
1148	nass.exe
3624	nass.exe
1984	nass.exe
2588	nass.exe
2224	nass.exe
1148	nass.exe
3624	nass.exe
3848	nass.exe
3572	nass.exe
1508	nass.exe
1508	nass.exe
812	nass.exe
3860	nass.exe
3984	nass.exe
3964	nass.exe
1508	nass.exe
3824	nass.exe
3604	nass.exe
1572	nass.exe
1572	nass.exe
1164	nass.exe

Suspicious behavior: EnumeratesProcesses 73106 IoCs

Processes:

nass.exe

pid	process
3824	nass.exe
3824	nass.exe
3824	nass.exe
3824	nass.exe
3824	nass.exe
3824	nass.exe
3824	nass.exe
3824	nass.exe
3824	nass.exe
3824	nass.exe
3824	nass.exe
3824	nass.exe
3824	nass.exe
3824	nass.exe
3824	nass.exe
3824	nass.exe
3824	nass.exe
3824	nass.exe
3824	nass.exe
3824	nass.exe
3824	nass.exe
3824	nass.exe
3824	nass.exe
3824	nass.exe
3824	nass.exe
3824	nass.exe
3824	nass.exe
3824	nass.exe
3824	nass.exe
3824	nass.exe
3824	nass.exe
3824	nass.exe
3824	nass.exe
3824	nass.exe
3824	nass.exe
3824	nass.exe
3824	nass.exe
3824	nass.exe
3824	nass.exe
3824	nass.exe
3824	nass.exe
3824	nass.exe
3824	nass.exe
3824	nass.exe
3824	nass.exe
3824	nass.exe
3824	nass.exe
3824	nass.exe
3824	nass.exe
3824	nass.exe
3824	nass.exe
3824	nass.exe
3824	nass.exe
3824	nass.exe
3824	nass.exe
3824	nass.exe
3824	nass.exe
3824	nass.exe
3824	nass.exe
3824	nass.exe
3824	nass.exe
3824	nass.exe
3824	nass.exe
3824	nass.exe

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Adds Run entry to start application
- Suspicious use of WriteProcessMemory
- Suspicious behavior: MapViewOfSection
- Suspicious behavior: EnumeratesProcesses
PID:3824

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
PID:2924

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- Suspicious behavior: MapViewOfSection
PID:864

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: GetForegroundWindowSpam
- Checks whether UAC is enabled
PID:688

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- Suspicious behavior: MapViewOfSection
PID:1200

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
PID:1420

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
PID:1492

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
4⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- Suspicious behavior: MapViewOfSection
PID:1924

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
5⤵
PID:2112

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
5⤵
PID:2132

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
5⤵
PID:2136

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
5⤵
PID:2148

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
5⤵
PID:2176

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
5⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- Suspicious behavior: MapViewOfSection
PID:2784

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
6⤵
PID:3848

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
6⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- Suspicious behavior: MapViewOfSection
PID:3936

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
7⤵
PID:3208

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
7⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- Suspicious behavior: MapViewOfSection
PID:496

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
8⤵
PID:744

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
8⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: MapViewOfSection
PID:2900

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
9⤵
PID:4016

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
9⤵
PID:3020

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
9⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: MapViewOfSection
PID:2272

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
10⤵
PID:3908

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
10⤵
PID:3096

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
10⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: MapViewOfSection
PID:1128

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
11⤵
PID:3180

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
11⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Adds Run entry to start application
- Suspicious behavior: MapViewOfSection
PID:1004

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
12⤵
PID:1164

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
12⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Adds Run entry to start application
- Suspicious behavior: MapViewOfSection
PID:2164

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
13⤵
PID:1408

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
13⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: MapViewOfSection
PID:2076

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
14⤵
PID:1924

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
14⤵
PID:3980

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
14⤵
PID:3568

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
14⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: MapViewOfSection
PID:2160

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
15⤵
PID:3312

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
15⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: MapViewOfSection
PID:416

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
16⤵
PID:3800

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
16⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Adds Run entry to start application
- Suspicious behavior: MapViewOfSection
PID:3744

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
17⤵
PID:3840

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
17⤵
PID:1572

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
17⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: MapViewOfSection
PID:1788

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
18⤵
PID:1720

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
18⤵
PID:1416

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
18⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: MapViewOfSection
PID:1004

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
19⤵
PID:3856

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
19⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Adds Run entry to start application
- Suspicious behavior: MapViewOfSection
PID:3032

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
20⤵
PID:3932

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
20⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: MapViewOfSection
PID:3016

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
21⤵
PID:592

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
21⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: MapViewOfSection
PID:1984

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
22⤵
PID:1544

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
22⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: MapViewOfSection
PID:3064

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
23⤵
PID:1132

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
23⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: MapViewOfSection
PID:3944

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
24⤵
PID:2852

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
24⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: MapViewOfSection
PID:3556

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
25⤵
PID:1004

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
25⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: MapViewOfSection
PID:744

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
26⤵
PID:2760

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
26⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: MapViewOfSection
PID:648

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
27⤵
PID:3560

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
27⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: MapViewOfSection
PID:3960

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
28⤵
PID:2692

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
28⤵
PID:420

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
28⤵
PID:1144

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
28⤵
PID:3940

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
28⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: MapViewOfSection
PID:3928

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
29⤵
PID:2664

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
29⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: MapViewOfSection
PID:2224

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
30⤵
PID:1912

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
30⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: MapViewOfSection
PID:1148

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
31⤵
PID:1660

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
31⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: MapViewOfSection
PID:3624

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
32⤵
PID:1612

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
32⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: MapViewOfSection
PID:1984

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
33⤵
PID:2812

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
33⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Adds Run entry to start application
- Suspicious behavior: MapViewOfSection
PID:2588

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
34⤵
PID:3956

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
34⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Adds Run entry to start application
- Suspicious behavior: MapViewOfSection
PID:2224

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
35⤵
PID:3588

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
35⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Adds Run entry to start application
- Suspicious behavior: MapViewOfSection
PID:1148

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
36⤵
PID:3132

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
36⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: MapViewOfSection
PID:3624

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
37⤵
PID:1328

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
37⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: MapViewOfSection
PID:3848

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
38⤵
PID:3024

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
38⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: MapViewOfSection
PID:3572

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
39⤵
PID:4000

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
39⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Adds Run entry to start application
- Suspicious behavior: MapViewOfSection
PID:1508

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
40⤵
PID:3556

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
40⤵
PID:2596

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
40⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: MapViewOfSection
PID:812

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
41⤵
PID:1392

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
41⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: MapViewOfSection
PID:3860

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
42⤵
PID:1200

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
42⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: MapViewOfSection
PID:3984

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
43⤵
PID:3940

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
43⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: MapViewOfSection
PID:3964

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
44⤵
PID:3064

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
44⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: MapViewOfSection
PID:1508

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
45⤵
PID:1916

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
45⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Adds Run entry to start application
- Suspicious behavior: MapViewOfSection
PID:3824

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
46⤵
PID:3544

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
46⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: MapViewOfSection
PID:3604

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
47⤵
PID:1320

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
47⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: MapViewOfSection
PID:1572

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
48⤵
PID:3048

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
48⤵
PID:3984

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
48⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Adds Run entry to start application
- Suspicious behavior: MapViewOfSection
PID:1164

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
49⤵
PID:3880

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
49⤵
PID:3860

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
49⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:3068

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
50⤵
PID:416

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
50⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1888

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
51⤵
PID:1444

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
51⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1316

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
52⤵
PID:3936

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
52⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2708

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
53⤵
PID:4000

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
53⤵
PID:3880

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
53⤵
PID:512

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
53⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1000

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
54⤵
PID:2204

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
54⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2108

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
55⤵
PID:1392

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
55⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:3808

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
56⤵
PID:1984

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
56⤵
PID:3300

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
56⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:3584

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
57⤵
PID:1908

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
57⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1132

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
58⤵
PID:3956

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
58⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Adds Run entry to start application
PID:1924

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
59⤵
PID:3992

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
59⤵
PID:3684

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
59⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Adds Run entry to start application
PID:2488

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
60⤵
PID:500

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
60⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:3032

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
61⤵
PID:3928

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
61⤵
PID:2136

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
61⤵
PID:4016

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
61⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1316

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
62⤵
PID:3560

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
62⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1176

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
63⤵
PID:3984

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
63⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2596

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
64⤵
PID:1148

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
64⤵
- Suspicious use of SetThreadContext
PID:1200

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
65⤵
PID:1508

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
65⤵
PID:1660

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
66⤵
PID:4056

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
66⤵
PID:3936

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
67⤵
PID:4036

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
67⤵
PID:2876

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
67⤵
PID:3940

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
67⤵
PID:2176

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
68⤵
PID:2056

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
68⤵
PID:3920

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
69⤵
PID:2840

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
69⤵
PID:3208

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
70⤵
PID:1988

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
70⤵
- Adds Run entry to start application
PID:3096

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
71⤵
PID:1552

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
71⤵
PID:2452

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
72⤵
PID:1520

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
72⤵
PID:2268

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
73⤵
PID:3936

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
73⤵
PID:2204

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
74⤵
PID:1180

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
74⤵
PID:3608

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
74⤵
PID:1544

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
75⤵
PID:3300

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
75⤵
PID:3516

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
75⤵
PID:4036

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
75⤵
PID:3888

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
75⤵
PID:3208

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
76⤵
PID:3932

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
76⤵
PID:1796

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
77⤵
PID:1140

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
77⤵
PID:1984

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
77⤵
- Adds Run entry to start application
PID:500

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
78⤵
PID:908

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
78⤵
PID:3724

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
78⤵
PID:1572

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
79⤵
PID:3080

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
79⤵
PID:1788

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
80⤵
PID:3884

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
80⤵
PID:752

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
81⤵
PID:2452

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
81⤵
PID:3088

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
82⤵
PID:3848

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
82⤵
- Adds Run entry to start application
PID:3880

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
83⤵
PID:3956

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
83⤵
PID:1676

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
84⤵
PID:3788

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
84⤵
PID:3800

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
85⤵
PID:3216

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
85⤵
PID:1572

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
85⤵
PID:1180

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
85⤵
PID:1144

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
85⤵
PID:3556

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
86⤵
PID:1328

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
86⤵
PID:3812

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
87⤵
PID:4040

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
87⤵
- Adds Run entry to start application
PID:2708

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
88⤵
PID:3560

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
88⤵
PID:1132

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
88⤵
PID:1180

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
89⤵
PID:4068

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
89⤵
PID:776

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
89⤵
PID:2108

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
90⤵
PID:2596

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
90⤵
PID:864

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
90⤵
- Adds Run entry to start application
PID:1332

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
91⤵
PID:3684

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
91⤵
PID:1164

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
92⤵
PID:3964

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
92⤵
PID:3980

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
93⤵
PID:3364

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
93⤵
PID:3984

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
94⤵
PID:3096

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
94⤵
PID:3536

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
95⤵
PID:656

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
95⤵
PID:3556

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
96⤵
PID:1332

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
96⤵
PID:1180

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
97⤵
PID:360

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
97⤵
PID:3396

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
98⤵
PID:4028

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
98⤵
- Adds Run entry to start application
PID:3596

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
99⤵
PID:2160

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
99⤵
- Adds Run entry to start application
PID:2852

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
100⤵
PID:2500

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
100⤵
PID:996

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
101⤵
PID:3872

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
101⤵
PID:820

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
102⤵
PID:2276

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
102⤵
PID:3208

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
102⤵
- Adds Run entry to start application
PID:2168

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
103⤵
PID:1328

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
103⤵
PID:3888

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
104⤵
PID:644

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
104⤵
PID:2488

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
105⤵
PID:3508

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
105⤵
- Adds Run entry to start application
PID:1004

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
106⤵
PID:4016

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
106⤵
- Adds Run entry to start application
PID:1492

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
107⤵
PID:1568

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
107⤵
PID:2792

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
107⤵
PID:1612

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
108⤵
PID:1988

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
108⤵
PID:3560

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
108⤵
PID:3096

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
108⤵
PID:1888

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
109⤵
PID:656

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
109⤵
- Adds Run entry to start application
PID:2664

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
110⤵
PID:3588

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
110⤵
PID:3604

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
111⤵
PID:1128

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
111⤵
- Adds Run entry to start application
PID:3724

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
112⤵
PID:1988

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
112⤵
PID:3780

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
113⤵
PID:1132

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
113⤵
PID:1332

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
114⤵
PID:1504

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
114⤵
PID:1676

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
115⤵
PID:3220

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
115⤵
PID:3244

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
116⤵
PID:1436

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
116⤵
PID:1948

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
117⤵
PID:2708

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
117⤵
PID:3596

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
118⤵
PID:1520

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
118⤵
PID:1316

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
119⤵
PID:512

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
119⤵
PID:3312

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
120⤵
PID:3396

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
120⤵
PID:3016

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
121⤵
PID:3872

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
121⤵
- Adds Run entry to start application
PID:2160

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
122⤵
PID:3724

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
122⤵
PID:3560

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
123⤵
PID:1176

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
123⤵
PID:3960

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
124⤵
PID:1572

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
124⤵
PID:3964

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
125⤵
PID:2812

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
125⤵
PID:2504

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
126⤵
PID:4068

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
126⤵
PID:1008

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
126⤵
PID:1988

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
126⤵
- Adds Run entry to start application
PID:1720

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
127⤵
PID:2880

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
127⤵
PID:3868

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
128⤵
PID:3956

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
128⤵
- Adds Run entry to start application
PID:3540

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
129⤵
PID:3220

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
129⤵
PID:3880

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
130⤵
PID:1436

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
130⤵
PID:3300

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
131⤵
PID:3080

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
131⤵
PID:3712

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
131⤵
PID:3312

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
132⤵
PID:3016

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
132⤵
- Adds Run entry to start application
PID:776

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
133⤵
PID:2176

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
133⤵
PID:3812

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
134⤵
PID:1508

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
134⤵
PID:820

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
134⤵
- Adds Run entry to start application
PID:3088

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
135⤵
PID:3960

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
135⤵
- Adds Run entry to start application
PID:4056

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
136⤵
PID:1008

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
136⤵
PID:808

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
137⤵
PID:3932

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
137⤵
PID:3912

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
137⤵
PID:3068

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
138⤵
PID:3024

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
138⤵
PID:2276

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
138⤵
PID:1492

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
139⤵
PID:3984

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
139⤵
- Adds Run entry to start application
PID:1128

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
140⤵
PID:3624

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
140⤵
PID:3780

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
140⤵
PID:3544

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
141⤵
PID:3932

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
141⤵
PID:1660

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
142⤵
PID:3980

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
142⤵
PID:416

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
142⤵
PID:3244

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
143⤵
PID:2488

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
143⤵
PID:3088

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
143⤵
PID:4028

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
144⤵
PID:3836

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
144⤵
- Adds Run entry to start application
PID:3508

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
145⤵
PID:4020

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
145⤵
- Adds Run entry to start application
PID:3084

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
146⤵
PID:808

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
146⤵
PID:2596

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
147⤵
PID:3280

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
147⤵
PID:4000

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
147⤵
PID:2152

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
148⤵
PID:1436

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
148⤵
- Adds Run entry to start application
PID:1324

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
149⤵
PID:3992

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
149⤵
PID:4028

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
150⤵
PID:2708

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
150⤵
PID:3508

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
151⤵
PID:1132

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
151⤵
PID:1336

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
151⤵
PID:1008

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
151⤵
PID:3588

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
152⤵
PID:3912

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
152⤵
PID:3872

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
152⤵
PID:3020

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
153⤵
PID:3596

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
153⤵
PID:1544

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
153⤵
PID:2108

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
153⤵
PID:3712

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
154⤵
PID:340

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
154⤵
PID:1324

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
154⤵
- Adds Run entry to start application
PID:1316

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
155⤵
PID:1132

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
155⤵
PID:3064

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
156⤵
PID:3832

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
156⤵
PID:3132

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
157⤵
PID:2740

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
157⤵
PID:1568

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
157⤵
PID:416

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
158⤵
PID:3216

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
158⤵
PID:2588

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
159⤵
PID:3208

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
159⤵
PID:812

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
160⤵
PID:1908

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
160⤵
- Adds Run entry to start application
PID:2852

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
161⤵
PID:940

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
161⤵
PID:3908

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
162⤵
PID:3584

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
162⤵
- Adds Run entry to start application
PID:1572

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
163⤵
PID:656

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
163⤵
PID:1128

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
164⤵
PID:1792

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
164⤵
PID:3992

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
164⤵
- Adds Run entry to start application
PID:3364

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
165⤵
PID:3960

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
165⤵
PID:3724

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
166⤵
PID:2148

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
166⤵
PID:1276

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
166⤵
PID:3888

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
166⤵
- Adds Run entry to start application
PID:3800

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
167⤵
PID:2852

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
167⤵
PID:3088

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
168⤵
PID:2204

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
168⤵
PID:1180

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
169⤵
PID:1200

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
169⤵
PID:3964

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
169⤵
PID:3788

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
170⤵
PID:1492

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
170⤵
PID:996

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
171⤵
PID:1544

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
171⤵
PID:696

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
171⤵
PID:1392

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
172⤵
PID:3016

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
172⤵
PID:1328

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
173⤵
PID:3800

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
173⤵
PID:1792

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
174⤵
PID:3220

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
174⤵
PID:1908

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
175⤵
PID:1520

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
175⤵
PID:2132

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
175⤵
PID:3096

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
176⤵
PID:1008

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
176⤵
PID:3916

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
177⤵
PID:3540

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
177⤵
PID:3208

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
178⤵
PID:2468

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
178⤵
PID:3992

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
179⤵
PID:908

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
179⤵
PID:1948

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
179⤵
PID:2656

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
180⤵
PID:2000

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
180⤵
PID:808

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
180⤵
PID:1508

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
181⤵
PID:2504

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
181⤵
PID:2108

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
182⤵
PID:2176

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
182⤵
PID:1164

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
183⤵
PID:864

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
183⤵
PID:3880

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
183⤵
PID:3724

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
184⤵
PID:2136

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
184⤵
PID:2000

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
185⤵
PID:3912

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
185⤵
- Adds Run entry to start application
PID:1984

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
186⤵
PID:3812

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
186⤵
PID:3896

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
186⤵
PID:3872

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
187⤵
PID:3824

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
187⤵
PID:2792

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
188⤵
PID:1200

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
188⤵
PID:3496

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
189⤵
PID:3516

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
189⤵
PID:1568

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
190⤵
PID:2528

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
190⤵
PID:2488

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
191⤵
PID:904

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
191⤵
- Adds Run entry to start application
PID:1572

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
192⤵
PID:4068

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
192⤵
- Adds Run entry to start application
PID:3096

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
193⤵
PID:2588

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
193⤵
- Adds Run entry to start application
PID:2108

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
194⤵
PID:3684

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
194⤵
PID:4036

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
195⤵
PID:2132

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
195⤵
PID:2700

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
196⤵
PID:1676

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
196⤵
PID:3280

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
196⤵
PID:1008

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
197⤵
PID:2204

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
197⤵
PID:1032

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
198⤵
PID:3832

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
198⤵
PID:2784

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
198⤵
PID:1276

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
199⤵
PID:1912

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
199⤵
PID:1328

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
200⤵
PID:3508

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
200⤵
PID:3496

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
201⤵
PID:3712

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
201⤵
PID:3840

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
201⤵
PID:3824

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
202⤵
PID:3920

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
202⤵
PID:2760

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
203⤵
PID:1336

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
203⤵
PID:696

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
204⤵
PID:3608

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
204⤵
PID:3068

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
205⤵
PID:3544

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
205⤵
- Adds Run entry to start application
PID:1684

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
206⤵
PID:3592

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
206⤵
- Adds Run entry to start application
PID:2596

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
207⤵
PID:1128

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
207⤵
- Adds Run entry to start application
PID:1520

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
208⤵
PID:2160

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
208⤵
PID:3868

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
208⤵
PID:3624

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
209⤵
PID:2468

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
209⤵
- Adds Run entry to start application
PID:3560

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
210⤵
PID:696

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
210⤵
PID:3588

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
210⤵
PID:512

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
211⤵
PID:3068

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
211⤵
PID:1792

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
211⤵
PID:3556

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
212⤵
PID:1324

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
212⤵
- Adds Run entry to start application
PID:3064

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
213⤵
PID:2880

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
213⤵
PID:2596

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
213⤵
- Adds Run entry to start application
PID:4016

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
214⤵
PID:1564

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
214⤵
PID:1080

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
214⤵
PID:3992

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
215⤵
PID:3780

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
215⤵
PID:1612

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
216⤵
PID:1180

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
216⤵
PID:2812

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
217⤵
PID:3984

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
217⤵
PID:2148

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
217⤵
PID:2160

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
218⤵
PID:1916

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
218⤵
PID:2708

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
219⤵
PID:3940

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
219⤵
PID:696

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
220⤵
PID:2000

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
220⤵
PID:4028

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
220⤵
- Adds Run entry to start application
PID:1572

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
221⤵
PID:3884

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
221⤵
PID:1128

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
222⤵
PID:2528

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
222⤵
PID:1200

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
223⤵
PID:3568

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
223⤵
PID:1856

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
224⤵
PID:1912

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
224⤵
PID:2664

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
225⤵
PID:2708

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
225⤵
PID:3896

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
226⤵
PID:3084

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
226⤵
PID:3300

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
227⤵
PID:2204

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
227⤵
PID:2152

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
228⤵
PID:1984

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
228⤵
- Adds Run entry to start application
PID:2880

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
229⤵
PID:1408

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
229⤵
PID:1416

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
229⤵
PID:4016

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
230⤵
PID:3872

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
230⤵
PID:1544

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
230⤵
PID:2176

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
231⤵
PID:776

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
231⤵
PID:4068

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
231⤵
PID:696

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
232⤵
PID:2412

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
232⤵
PID:3960

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
232⤵
PID:2132

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
233⤵
PID:3744

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
233⤵
PID:1200

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
233⤵
PID:2160

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
234⤵
PID:1004

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
234⤵
PID:2588

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
234⤵
PID:3872

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
234⤵
PID:2224

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
234⤵
PID:4000

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
234⤵
PID:1080

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
234⤵
PID:3916

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
234⤵
PID:3920

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
235⤵
PID:1504

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
235⤵
- Adds Run entry to start application
PID:3992

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
236⤵
PID:1008

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
236⤵
- Adds Run entry to start application
PID:1436

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
237⤵
PID:3744

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
237⤵
- Adds Run entry to start application
PID:3608

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
238⤵
PID:2712

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
238⤵
PID:1080

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
239⤵
PID:1032

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
239⤵
- Adds Run entry to start application
PID:3860

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
240⤵
PID:592

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
240⤵
PID:3516

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
241⤵
PID:3964

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
241⤵
PID:2708

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
241⤵
- Adds Run entry to start application
PID:3992

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
242⤵
PID:904

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
242⤵
- Adds Run entry to start application
PID:1988

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
243⤵
PID:2204

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
243⤵
PID:4040

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
244⤵
PID:2884

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
244⤵
PID:2296

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
245⤵
PID:1856

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
245⤵
PID:2716

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
246⤵
PID:3860

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
246⤵
PID:696

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
247⤵
PID:3068

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
247⤵
PID:940

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
248⤵
PID:2000

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
248⤵
PID:2792

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
248⤵
- Adds Run entry to start application
PID:3544

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
249⤵
PID:3312

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
249⤵
PID:3608

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
250⤵
PID:3780

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
250⤵
PID:2528

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
251⤵
PID:2608

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
251⤵
PID:1336

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
252⤵
PID:1332

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
252⤵
PID:1908

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
253⤵
PID:3884

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
253⤵
PID:3048

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
253⤵
- Adds Run entry to start application
PID:2132

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
254⤵
PID:3588

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
254⤵
PID:2160

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
255⤵
PID:3604

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
255⤵
PID:1436

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
255⤵
- Adds Run entry to start application
PID:2760

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
256⤵
PID:2504

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
256⤵
PID:3896

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
257⤵
PID:1916

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
257⤵
PID:1568

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
257⤵
PID:3908

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
258⤵
PID:3916

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
258⤵
PID:1324

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
258⤵
PID:1788

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
258⤵
PID:3984

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
259⤵
PID:820

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
259⤵
- Adds Run entry to start application
PID:2072

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
260⤵
PID:3496

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
260⤵
- Adds Run entry to start application
PID:3816

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
261⤵
PID:2160

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
261⤵
PID:1148

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
262⤵
PID:776

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
262⤵
PID:2700

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
263⤵
PID:752

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
263⤵
PID:2136

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
263⤵
- Adds Run entry to start application
PID:1856

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
264⤵
PID:1924

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
264⤵
PID:3656

C:\Users\Admin\AppData\Local\Temp\nass.exe
"C:\Users\Admin\AppData\Local\Temp\nass.exe"
264⤵
PID:1032

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
265⤵
PID:3744

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegAsm.exe.log

Download Submit
memory/360-287-0x000000000041E792-mapping.dmp

Download
memory/416-146-0x000000000041E792-mapping.dmp

Download
memory/416-41-0x0000000000000000-mapping.dmp

Download
memory/416-422-0x000000000041E792-mapping.dmp

Download
memory/416-468-0x0000000000000000-mapping.dmp

Download
memory/496-17-0x0000000000000000-mapping.dmp

Download
memory/500-176-0x000000000041E792-mapping.dmp

Download
memory/500-228-0x0000000000000000-mapping.dmp

Download
memory/512-627-0x0000000000000000-mapping.dmp

Download
memory/512-353-0x000000000041E792-mapping.dmp

Download
memory/512-155-0x000000000041E792-mapping.dmp

Download
memory/592-59-0x000000000041E792-mapping.dmp

Download
memory/592-716-0x000000000041E792-mapping.dmp

Download
memory/644-308-0x000000000041E792-mapping.dmp

Download
memory/648-75-0x0000000000000000-mapping.dmp

Download
memory/656-485-0x000000000041E792-mapping.dmp

Download
memory/656-323-0x000000000041E792-mapping.dmp

Download
memory/656-281-0x000000000041E792-mapping.dmp

Download
memory/688-4-0x000000000041E792-mapping.dmp

Download
memory/696-606-0x0000000000000000-mapping.dmp

Download
memory/696-735-0x0000000000000000-mapping.dmp

Download
memory/696-690-0x0000000000000000-mapping.dmp

Download
memory/696-654-0x0000000000000000-mapping.dmp

Download
memory/696-509-0x000000000041E792-mapping.dmp

Download
memory/744-19-0x000000000041E792-mapping.dmp

Download
memory/744-72-0x0000000000000000-mapping.dmp

Download
memory/752-237-0x0000000000000000-mapping.dmp

Download
memory/776-782-0x000000000041E792-mapping.dmp

Download
memory/776-393-0x0000000000000000-mapping.dmp

Download
memory/776-263-0x000000000041E792-mapping.dmp

Download
memory/808-405-0x0000000000000000-mapping.dmp

Download
memory/808-536-0x000000000041E792-mapping.dmp

Download
memory/808-434-0x000000000041E792-mapping.dmp

Download
memory/812-474-0x0000000000000000-mapping.dmp

Download
memory/812-117-0x0000000000000000-mapping.dmp

Download
memory/820-398-0x000000000041E792-mapping.dmp

Download
memory/820-300-0x0000000000000000-mapping.dmp

Download
memory/820-773-0x000000000041E792-mapping.dmp

Download
memory/864-266-0x000000000041E792-mapping.dmp

Download
memory/864-2-0x0000000000000000-mapping.dmp

Download
memory/904-722-0x000000000041E792-mapping.dmp

Download
memory/904-569-0x000000000041E792-mapping.dmp

Download
memory/940-479-0x000000000041E792-mapping.dmp

Download
memory/940-738-0x0000000000000000-mapping.dmp

Download
memory/996-297-0x0000000000000000-mapping.dmp

Download
memory/996-507-0x0000000000000000-mapping.dmp

Download
memory/1000-156-0x0000000000000000-mapping.dmp

Download
memory/1004-51-0x0000000000000000-mapping.dmp

Download
memory/1004-71-0x000000000041E792-mapping.dmp

Download
memory/1004-312-0x0000000000000000-mapping.dmp

Download
memory/1004-29-0x0000000000000000-mapping.dmp

Download
memory/1008-704-0x000000000041E792-mapping.dmp

Download
memory/1008-449-0x000000000041E792-mapping.dmp

Download
memory/1008-404-0x000000000041E792-mapping.dmp

Download
memory/1008-524-0x000000000041E792-mapping.dmp

Download
memory/1008-585-0x0000000000000000-mapping.dmp

Download
memory/1032-713-0x000000000041E792-mapping.dmp

Download
memory/1032-789-0x0000000000000000-mapping.dmp

Download
memory/1032-588-0x0000000000000000-mapping.dmp

Download
memory/1080-711-0x0000000000000000-mapping.dmp

Download
memory/1080-638-0x000000000041E792-mapping.dmp

Download
memory/1128-414-0x0000000000000000-mapping.dmp

Download
memory/1128-26-0x0000000000000000-mapping.dmp

Download
memory/1128-486-0x0000000000000000-mapping.dmp

Download
memory/1128-617-0x000000000041E792-mapping.dmp

Download
memory/1128-329-0x000000000041E792-mapping.dmp

Download
memory/1128-660-0x0000000000000000-mapping.dmp

Download
memory/1132-461-0x000000000041E792-mapping.dmp

Download
memory/1132-65-0x000000000041E792-mapping.dmp

Download
memory/1132-168-0x0000000000000000-mapping.dmp

Download
memory/1132-335-0x000000000041E792-mapping.dmp

Download
memory/1132-260-0x000000000041E792-mapping.dmp

Download
memory/1144-251-0x000000000041E792-mapping.dmp

Download
memory/1148-102-0x0000000000000000-mapping.dmp

Download
memory/1148-87-0x0000000000000000-mapping.dmp

Download
memory/1148-188-0x000000000041E792-mapping.dmp

Download
memory/1148-780-0x0000000000000000-mapping.dmp

Download
memory/1164-543-0x0000000000000000-mapping.dmp

Download
memory/1164-141-0x0000000000000000-mapping.dmp

Download
memory/1164-270-0x0000000000000000-mapping.dmp

Download
memory/1164-31-0x000000000041E792-mapping.dmp

Download
memory/1176-365-0x000000000041E792-mapping.dmp

Download
memory/1176-183-0x0000000000000000-mapping.dmp

Download
memory/1180-501-0x0000000000000000-mapping.dmp

Download
memory/1180-285-0x0000000000000000-mapping.dmp

Download
memory/1180-644-0x000000000041E792-mapping.dmp

Download
memory/1180-261-0x0000000000000000-mapping.dmp

Download
memory/1200-122-0x000000000041E792-mapping.dmp

Download
memory/1200-663-0x0000000000000000-mapping.dmp

Download
memory/1200-189-0x0000000000000000-mapping.dmp

Download
memory/1200-560-0x000000000041E792-mapping.dmp

Download
memory/1200-5-0x0000000000000000-mapping.dmp

Download
memory/1200-695-0x000000000041E792-mapping.dmp

Download
memory/1276-591-0x0000000000000000-mapping.dmp

Download
memory/1316-351-0x0000000000000000-mapping.dmp

Download
memory/1316-180-0x0000000000000000-mapping.dmp

Download
memory/1316-150-0x0000000000000000-mapping.dmp

Download
memory/1316-459-0x0000000000000000-mapping.dmp

Download
memory/1320-137-0x000000000041E792-mapping.dmp

Download
memory/1324-441-0x0000000000000000-mapping.dmp

Download
memory/1324-458-0x000000000041E792-mapping.dmp

Download
memory/1324-632-0x000000000041E792-mapping.dmp

Download
memory/1328-107-0x000000000041E792-mapping.dmp

Download
memory/1328-254-0x000000000041E792-mapping.dmp

Download
memory/1328-594-0x0000000000000000-mapping.dmp

Download
memory/1328-513-0x0000000000000000-mapping.dmp

Download
memory/1328-305-0x000000000041E792-mapping.dmp

Download
memory/1332-336-0x0000000000000000-mapping.dmp

Download
memory/1332-752-0x000000000041E792-mapping.dmp

Download
memory/1332-267-0x0000000000000000-mapping.dmp

Download
memory/1332-284-0x000000000041E792-mapping.dmp

Download
memory/1336-605-0x000000000041E792-mapping.dmp

Download
memory/1336-750-0x0000000000000000-mapping.dmp

Download
memory/1392-161-0x000000000041E792-mapping.dmp

Download
memory/1392-119-0x000000000041E792-mapping.dmp

Download
memory/1392-510-0x0000000000000000-mapping.dmp

Download
memory/1408-34-0x000000000041E792-mapping.dmp

Download
memory/1416-683-0x000000000041E792-mapping.dmp

Download
memory/1416-49-0x000000000041E792-mapping.dmp

Download
memory/1436-761-0x000000000041E792-mapping.dmp

Download
memory/1436-705-0x0000000000000000-mapping.dmp

Download
memory/1436-440-0x000000000041E792-mapping.dmp

Download
memory/1436-386-0x000000000041E792-mapping.dmp

Download
memory/1436-344-0x000000000041E792-mapping.dmp

Download
memory/1444-149-0x000000000041E792-mapping.dmp

Download
memory/1492-506-0x000000000041E792-mapping.dmp

Download
memory/1492-7-0x000000000041E792-mapping.dmp

Download
memory/1492-411-0x0000000000000000-mapping.dmp

Download
memory/1492-315-0x0000000000000000-mapping.dmp

Download
memory/1504-701-0x000000000041E792-mapping.dmp

Download
memory/1504-338-0x000000000041E792-mapping.dmp

Download
memory/1508-129-0x0000000000000000-mapping.dmp

Download
memory/1508-114-0x0000000000000000-mapping.dmp

Download
memory/1508-537-0x0000000000000000-mapping.dmp

Download
memory/1508-191-0x000000000041E792-mapping.dmp

Download
memory/1520-350-0x000000000041E792-mapping.dmp

Download
memory/1520-618-0x0000000000000000-mapping.dmp

Download
memory/1520-212-0x000000000041E792-mapping.dmp

Download
memory/1544-686-0x000000000041E792-mapping.dmp

Download
memory/1544-62-0x000000000041E792-mapping.dmp

Download
memory/1544-219-0x0000000000000000-mapping.dmp

Download
memory/1552-209-0x000000000041E792-mapping.dmp

Download
memory/1568-564-0x0000000000000000-mapping.dmp

Download
memory/1568-467-0x000000000041E792-mapping.dmp

Download
memory/1568-767-0x000000000041E792-mapping.dmp

Download
memory/1572-231-0x0000000000000000-mapping.dmp

Download
memory/1572-657-0x0000000000000000-mapping.dmp

Download
memory/1572-570-0x0000000000000000-mapping.dmp

Download
memory/1572-368-0x000000000041E792-mapping.dmp

Download
memory/1572-483-0x0000000000000000-mapping.dmp

Download
memory/1572-138-0x0000000000000000-mapping.dmp

Download
memory/1572-46-0x000000000041E792-mapping.dmp

Download
memory/1612-92-0x000000000041E792-mapping.dmp

Download
memory/1612-318-0x0000000000000000-mapping.dmp

Download
memory/1612-642-0x0000000000000000-mapping.dmp

Download
memory/1660-89-0x000000000041E792-mapping.dmp

Download
memory/1660-420-0x0000000000000000-mapping.dmp

Download
memory/1660-192-0x0000000000000000-mapping.dmp

Download
memory/1676-339-0x0000000000000000-mapping.dmp

Download
memory/1676-246-0x0000000000000000-mapping.dmp

Download
memory/1684-612-0x0000000000000000-mapping.dmp

Download
memory/1720-375-0x0000000000000000-mapping.dmp

Download
memory/1788-234-0x0000000000000000-mapping.dmp

Download
memory/1788-770-0x000000000041E792-mapping.dmp

Download
memory/1788-47-0x0000000000000000-mapping.dmp

Download
memory/1792-516-0x0000000000000000-mapping.dmp

Download
memory/1792-629-0x000000000041E792-mapping.dmp

Download
memory/1796-225-0x0000000000000000-mapping.dmp

Download
memory/1856-731-0x000000000041E792-mapping.dmp

Download
memory/1856-666-0x0000000000000000-mapping.dmp

Download
memory/1856-786-0x0000000000000000-mapping.dmp

Download
memory/1888-321-0x0000000000000000-mapping.dmp

Download
memory/1888-147-0x0000000000000000-mapping.dmp

Download
memory/1908-167-0x000000000041E792-mapping.dmp

Download
memory/1908-476-0x000000000041E792-mapping.dmp

Download
memory/1908-519-0x0000000000000000-mapping.dmp

Download
memory/1908-753-0x0000000000000000-mapping.dmp

Download
memory/1912-593-0x000000000041E792-mapping.dmp

Download
memory/1912-668-0x000000000041E792-mapping.dmp

Download
memory/1912-86-0x000000000041E792-mapping.dmp

Download
memory/1916-650-0x000000000041E792-mapping.dmp

Download
memory/1916-131-0x000000000041E792-mapping.dmp

Download
memory/1924-8-0x0000000000000000-mapping.dmp

Download
memory/1924-171-0x0000000000000000-mapping.dmp

Download
memory/1948-345-0x0000000000000000-mapping.dmp

Download
memory/1948-533-0x000000000041E792-mapping.dmp

Download
memory/1984-93-0x0000000000000000-mapping.dmp

Download
memory/1984-552-0x0000000000000000-mapping.dmp

Download
memory/1984-680-0x000000000041E792-mapping.dmp

Download
memory/1984-60-0x0000000000000000-mapping.dmp

Download
memory/1984-227-0x000000000041E792-mapping.dmp

Download
memory/1988-723-0x0000000000000000-mapping.dmp

Download
memory/1988-332-0x000000000041E792-mapping.dmp

Download
memory/1988-374-0x000000000041E792-mapping.dmp

Download
memory/1988-206-0x000000000041E792-mapping.dmp

Download
memory/2000-549-0x0000000000000000-mapping.dmp

Download
memory/2056-200-0x000000000041E792-mapping.dmp

Download
memory/2072-774-0x0000000000000000-mapping.dmp

Download
memory/2076-35-0x0000000000000000-mapping.dmp

Download
memory/2108-576-0x0000000000000000-mapping.dmp

Download
memory/2108-455-0x000000000041E792-mapping.dmp

Download
memory/2108-264-0x0000000000000000-mapping.dmp

Download
memory/2108-159-0x0000000000000000-mapping.dmp

Download
memory/2108-540-0x0000000000000000-mapping.dmp

Download
memory/2132-756-0x0000000000000000-mapping.dmp

Download
memory/2132-693-0x0000000000000000-mapping.dmp

Download
memory/2132-581-0x000000000041E792-mapping.dmp

Download
memory/2132-521-0x000000000041E792-mapping.dmp

Download
memory/2136-548-0x000000000041E792-mapping.dmp

Download
memory/2136-785-0x000000000041E792-mapping.dmp

Download
memory/2148-647-0x000000000041E792-mapping.dmp

Download
memory/2152-438-0x0000000000000000-mapping.dmp

Download
memory/2152-678-0x0000000000000000-mapping.dmp

Download
memory/2160-696-0x0000000000000000-mapping.dmp

Download
memory/2160-648-0x0000000000000000-mapping.dmp

Download
memory/2160-779-0x000000000041E792-mapping.dmp

Download
memory/2160-360-0x0000000000000000-mapping.dmp

Download
memory/2160-759-0x0000000000000000-mapping.dmp

Download
memory/2160-38-0x0000000000000000-mapping.dmp

Download
memory/2160-293-0x000000000041E792-mapping.dmp

Download
memory/2164-32-0x0000000000000000-mapping.dmp

Download
memory/2168-303-0x0000000000000000-mapping.dmp

Download
memory/2176-395-0x000000000041E792-mapping.dmp

Download
memory/2176-542-0x000000000041E792-mapping.dmp

Download
memory/2176-687-0x0000000000000000-mapping.dmp

Download
memory/2176-10-0x000000000041E792-mapping.dmp

Download
memory/2176-198-0x0000000000000000-mapping.dmp

Download
memory/2204-500-0x000000000041E792-mapping.dmp

Download
memory/2204-677-0x000000000041E792-mapping.dmp

Download
memory/2204-725-0x000000000041E792-mapping.dmp

Download
memory/2204-216-0x0000000000000000-mapping.dmp

Download
memory/2204-587-0x000000000041E792-mapping.dmp

Download
memory/2204-158-0x000000000041E792-mapping.dmp

Download
memory/2224-99-0x0000000000000000-mapping.dmp

Download
memory/2224-84-0x0000000000000000-mapping.dmp

Download
memory/2268-213-0x0000000000000000-mapping.dmp

Download
memory/2272-23-0x0000000000000000-mapping.dmp

Download
memory/2276-410-0x000000000041E792-mapping.dmp

Download
memory/2296-729-0x0000000000000000-mapping.dmp

Download
memory/2452-210-0x0000000000000000-mapping.dmp

Download
memory/2452-239-0x000000000041E792-mapping.dmp

Download
memory/2468-623-0x000000000041E792-mapping.dmp

Download
memory/2468-530-0x000000000041E792-mapping.dmp

Download
memory/2488-174-0x0000000000000000-mapping.dmp

Download
memory/2488-309-0x0000000000000000-mapping.dmp

Download
memory/2488-567-0x0000000000000000-mapping.dmp

Download
memory/2500-296-0x000000000041E792-mapping.dmp

Download
memory/2504-764-0x000000000041E792-mapping.dmp

Download
memory/2504-372-0x0000000000000000-mapping.dmp

Download
memory/2504-539-0x000000000041E792-mapping.dmp

Download
memory/2528-747-0x0000000000000000-mapping.dmp

Download
memory/2528-566-0x000000000041E792-mapping.dmp

Download
memory/2528-662-0x000000000041E792-mapping.dmp

Download
memory/2588-96-0x0000000000000000-mapping.dmp

Download
memory/2588-575-0x000000000041E792-mapping.dmp

Download
memory/2588-471-0x0000000000000000-mapping.dmp

Download
memory/2596-635-0x000000000041E792-mapping.dmp

Download
memory/2596-116-0x000000000041E792-mapping.dmp

Download
memory/2596-435-0x0000000000000000-mapping.dmp

Download
memory/2596-615-0x0000000000000000-mapping.dmp

Download
memory/2596-186-0x0000000000000000-mapping.dmp

Download
memory/2608-749-0x000000000041E792-mapping.dmp

Download
memory/2656-534-0x0000000000000000-mapping.dmp

Download
memory/2664-324-0x0000000000000000-mapping.dmp

Download
memory/2664-83-0x000000000041E792-mapping.dmp

Download
memory/2664-669-0x0000000000000000-mapping.dmp

Download
memory/2700-783-0x0000000000000000-mapping.dmp

Download
memory/2700-582-0x0000000000000000-mapping.dmp

Download
memory/2708-258-0x0000000000000000-mapping.dmp

Download
memory/2708-651-0x0000000000000000-mapping.dmp

Download
memory/2708-347-0x000000000041E792-mapping.dmp

Download
memory/2708-719-0x000000000041E792-mapping.dmp

Download
memory/2708-446-0x000000000041E792-mapping.dmp

Download
memory/2708-153-0x0000000000000000-mapping.dmp

Download
memory/2708-671-0x000000000041E792-mapping.dmp

Download
memory/2712-710-0x000000000041E792-mapping.dmp

Download
memory/2716-732-0x0000000000000000-mapping.dmp

Download
memory/2760-762-0x0000000000000000-mapping.dmp

Download
memory/2760-74-0x000000000041E792-mapping.dmp

Download
memory/2760-603-0x0000000000000000-mapping.dmp

Download
memory/2784-11-0x0000000000000000-mapping.dmp

Download
memory/2784-590-0x000000000041E792-mapping.dmp

Download
memory/2792-740-0x000000000041E792-mapping.dmp

Download
memory/2792-317-0x000000000041E792-mapping.dmp

Download
memory/2792-558-0x0000000000000000-mapping.dmp

Download
memory/2812-371-0x000000000041E792-mapping.dmp

Download
memory/2812-645-0x0000000000000000-mapping.dmp

Download
memory/2812-95-0x000000000041E792-mapping.dmp

Download
memory/2840-203-0x000000000041E792-mapping.dmp

Download
memory/2852-294-0x0000000000000000-mapping.dmp

Download
memory/2852-68-0x000000000041E792-mapping.dmp

Download
memory/2852-497-0x000000000041E792-mapping.dmp

Download
memory/2852-477-0x0000000000000000-mapping.dmp

Download
memory/2880-681-0x0000000000000000-mapping.dmp

Download
memory/2880-377-0x000000000041E792-mapping.dmp

Download
memory/2884-728-0x000000000041E792-mapping.dmp

Download
memory/2900-20-0x0000000000000000-mapping.dmp

Download
memory/2924-0-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2924-1-0x000000000041E792-mapping.dmp

Download
memory/3016-357-0x0000000000000000-mapping.dmp

Download
memory/3016-57-0x0000000000000000-mapping.dmp

Download
memory/3016-392-0x000000000041E792-mapping.dmp

Download
memory/3016-512-0x000000000041E792-mapping.dmp

Download
memory/3020-22-0x000000000041E792-mapping.dmp

Download
memory/3020-453-0x0000000000000000-mapping.dmp

Download
memory/3024-110-0x000000000041E792-mapping.dmp

Download
memory/3032-54-0x0000000000000000-mapping.dmp

Download
memory/3032-177-0x0000000000000000-mapping.dmp

Download
memory/3048-755-0x000000000041E792-mapping.dmp

Download
memory/3064-63-0x0000000000000000-mapping.dmp

Download
memory/3064-462-0x0000000000000000-mapping.dmp

Download
memory/3064-128-0x000000000041E792-mapping.dmp

Download
memory/3064-633-0x0000000000000000-mapping.dmp

Download
memory/3068-609-0x0000000000000000-mapping.dmp

Download
memory/3068-737-0x000000000041E792-mapping.dmp

Download
memory/3068-144-0x0000000000000000-mapping.dmp

Download
memory/3068-408-0x0000000000000000-mapping.dmp

Download
memory/3080-233-0x000000000041E792-mapping.dmp

Download
memory/3084-674-0x000000000041E792-mapping.dmp

Download
memory/3084-432-0x0000000000000000-mapping.dmp

Download
memory/3088-240-0x0000000000000000-mapping.dmp

Download
memory/3088-498-0x0000000000000000-mapping.dmp

Download
memory/3088-425-0x000000000041E792-mapping.dmp

Download
memory/3088-399-0x0000000000000000-mapping.dmp

Download
memory/3096-25-0x000000000041E792-mapping.dmp

Download
memory/3096-278-0x000000000041E792-mapping.dmp

Download
memory/3096-320-0x000000000041E792-mapping.dmp

Download
memory/3096-573-0x0000000000000000-mapping.dmp

Download
memory/3096-522-0x0000000000000000-mapping.dmp

Download
memory/3096-207-0x0000000000000000-mapping.dmp

Download
memory/3132-465-0x0000000000000000-mapping.dmp

Download
memory/3132-104-0x000000000041E792-mapping.dmp

Download
memory/3180-28-0x000000000041E792-mapping.dmp

Download
memory/3208-204-0x0000000000000000-mapping.dmp

Download
memory/3208-528-0x0000000000000000-mapping.dmp

Download
memory/3208-473-0x000000000041E792-mapping.dmp

Download
memory/3208-222-0x0000000000000000-mapping.dmp

Download
memory/3208-16-0x000000000041E792-mapping.dmp

Download
memory/3208-302-0x000000000041E792-mapping.dmp

Download
memory/3216-470-0x000000000041E792-mapping.dmp

Download
memory/3220-383-0x000000000041E792-mapping.dmp

Download
memory/3220-341-0x000000000041E792-mapping.dmp

Download
memory/3220-518-0x000000000041E792-mapping.dmp

Download
memory/3244-423-0x0000000000000000-mapping.dmp

Download
memory/3244-342-0x0000000000000000-mapping.dmp

Download
memory/3280-584-0x000000000041E792-mapping.dmp

Download
memory/3300-164-0x000000000041E792-mapping.dmp

Download
memory/3300-675-0x0000000000000000-mapping.dmp

Download
memory/3300-387-0x0000000000000000-mapping.dmp

Download
memory/3312-40-0x000000000041E792-mapping.dmp

Download
memory/3312-743-0x000000000041E792-mapping.dmp

Download
memory/3312-390-0x0000000000000000-mapping.dmp

Download
memory/3312-354-0x0000000000000000-mapping.dmp

Download
memory/3364-489-0x0000000000000000-mapping.dmp

Download
memory/3364-275-0x000000000041E792-mapping.dmp

Download
memory/3396-356-0x000000000041E792-mapping.dmp

Download
memory/3396-288-0x0000000000000000-mapping.dmp

Download
memory/3496-776-0x000000000041E792-mapping.dmp

Download
memory/3496-597-0x0000000000000000-mapping.dmp

Download
memory/3496-561-0x0000000000000000-mapping.dmp

Download
memory/3508-311-0x000000000041E792-mapping.dmp

Download
memory/3508-596-0x000000000041E792-mapping.dmp

Download
memory/3508-447-0x0000000000000000-mapping.dmp

Download
memory/3508-429-0x0000000000000000-mapping.dmp

Download
memory/3516-563-0x000000000041E792-mapping.dmp

Download
memory/3516-717-0x0000000000000000-mapping.dmp

Download
memory/3536-279-0x0000000000000000-mapping.dmp

Download
memory/3540-381-0x0000000000000000-mapping.dmp

Download
memory/3540-527-0x000000000041E792-mapping.dmp

Download
memory/3544-134-0x000000000041E792-mapping.dmp

Download
memory/3544-417-0x0000000000000000-mapping.dmp

Download
memory/3544-741-0x0000000000000000-mapping.dmp

Download
memory/3544-611-0x000000000041E792-mapping.dmp

Download
memory/3556-69-0x0000000000000000-mapping.dmp

Download
memory/3556-252-0x0000000000000000-mapping.dmp

Download
memory/3556-630-0x0000000000000000-mapping.dmp

Download
memory/3556-282-0x0000000000000000-mapping.dmp

Download
memory/3560-182-0x000000000041E792-mapping.dmp

Download
memory/3560-363-0x0000000000000000-mapping.dmp

Download
memory/3560-77-0x000000000041E792-mapping.dmp

Download
memory/3560-624-0x0000000000000000-mapping.dmp

Download
memory/3568-37-0x000000000041E792-mapping.dmp

Download
memory/3568-665-0x000000000041E792-mapping.dmp

Download
memory/3572-111-0x0000000000000000-mapping.dmp

Download
memory/3584-482-0x000000000041E792-mapping.dmp

Download
memory/3584-165-0x0000000000000000-mapping.dmp

Download
memory/3588-326-0x000000000041E792-mapping.dmp

Download
memory/3588-626-0x000000000041E792-mapping.dmp

Download
memory/3588-450-0x0000000000000000-mapping.dmp

Download
memory/3588-101-0x000000000041E792-mapping.dmp

Download
memory/3588-758-0x000000000041E792-mapping.dmp

Download
memory/3592-614-0x000000000041E792-mapping.dmp

Download
memory/3596-348-0x0000000000000000-mapping.dmp

Download
memory/3596-291-0x0000000000000000-mapping.dmp

Download
memory/3604-327-0x0000000000000000-mapping.dmp

Download
memory/3604-135-0x0000000000000000-mapping.dmp

Download
memory/3608-744-0x0000000000000000-mapping.dmp

Download
memory/3608-218-0x000000000041E792-mapping.dmp

Download
memory/3608-708-0x0000000000000000-mapping.dmp

Download
memory/3608-608-0x000000000041E792-mapping.dmp

Download
memory/3624-105-0x0000000000000000-mapping.dmp

Download
memory/3624-90-0x0000000000000000-mapping.dmp

Download
memory/3624-621-0x0000000000000000-mapping.dmp

Download
memory/3656-788-0x000000000041E792-mapping.dmp

Download
memory/3684-269-0x000000000041E792-mapping.dmp

Download
memory/3684-578-0x000000000041E792-mapping.dmp

Download
memory/3684-173-0x000000000041E792-mapping.dmp

Download
memory/3712-456-0x0000000000000000-mapping.dmp

Download
memory/3712-389-0x000000000041E792-mapping.dmp

Download
memory/3724-230-0x000000000041E792-mapping.dmp

Download
memory/3724-330-0x0000000000000000-mapping.dmp

Download
memory/3724-546-0x0000000000000000-mapping.dmp

Download
memory/3724-362-0x000000000041E792-mapping.dmp

Download
memory/3724-492-0x0000000000000000-mapping.dmp

Download
memory/3744-44-0x0000000000000000-mapping.dmp

Download
memory/3744-707-0x000000000041E792-mapping.dmp

Download
memory/3780-416-0x000000000041E792-mapping.dmp

Download
memory/3780-333-0x0000000000000000-mapping.dmp

Download
memory/3780-641-0x000000000041E792-mapping.dmp

Download
memory/3780-746-0x000000000041E792-mapping.dmp

Download
memory/3788-248-0x000000000041E792-mapping.dmp

Download
memory/3788-504-0x0000000000000000-mapping.dmp

Download
memory/3800-43-0x000000000041E792-mapping.dmp

Download
memory/3800-515-0x000000000041E792-mapping.dmp

Download
memory/3800-249-0x0000000000000000-mapping.dmp

Download
memory/3800-495-0x0000000000000000-mapping.dmp

Download
memory/3808-162-0x0000000000000000-mapping.dmp

Download
memory/3812-255-0x0000000000000000-mapping.dmp

Download
memory/3812-396-0x0000000000000000-mapping.dmp

Download
memory/3816-777-0x0000000000000000-mapping.dmp

Download
memory/3824-557-0x000000000041E792-mapping.dmp

Download
memory/3824-600-0x0000000000000000-mapping.dmp

Download
memory/3824-132-0x0000000000000000-mapping.dmp

Download
memory/3832-464-0x000000000041E792-mapping.dmp

Download
memory/3836-428-0x000000000041E792-mapping.dmp

Download
memory/3840-599-0x000000000041E792-mapping.dmp

Download
memory/3848-108-0x0000000000000000-mapping.dmp

Download
memory/3848-13-0x000000000041E792-mapping.dmp

Download
memory/3848-242-0x000000000041E792-mapping.dmp

Download
memory/3856-53-0x000000000041E792-mapping.dmp

Download
memory/3860-734-0x000000000041E792-mapping.dmp

Download
memory/3860-143-0x000000000041E792-mapping.dmp

Download
memory/3860-120-0x0000000000000000-mapping.dmp

Download
memory/3860-714-0x0000000000000000-mapping.dmp

Download
memory/3868-378-0x0000000000000000-mapping.dmp

Download
memory/3868-620-0x000000000041E792-mapping.dmp

Download
memory/3872-359-0x000000000041E792-mapping.dmp

Download
memory/3872-452-0x000000000041E792-mapping.dmp

Download
memory/3872-299-0x000000000041E792-mapping.dmp

Download
memory/3872-555-0x0000000000000000-mapping.dmp

Download
memory/3880-243-0x0000000000000000-mapping.dmp

Download
memory/3880-384-0x0000000000000000-mapping.dmp

Download
memory/3880-545-0x000000000041E792-mapping.dmp

Download
memory/3884-236-0x000000000041E792-mapping.dmp

Download
memory/3884-659-0x000000000041E792-mapping.dmp

Download
memory/3888-494-0x000000000041E792-mapping.dmp

Download
memory/3888-306-0x0000000000000000-mapping.dmp

Download
memory/3888-221-0x000000000041E792-mapping.dmp

Download
memory/3896-672-0x0000000000000000-mapping.dmp

Download
memory/3896-554-0x000000000041E792-mapping.dmp

Download
memory/3896-765-0x0000000000000000-mapping.dmp

Download
memory/3908-768-0x0000000000000000-mapping.dmp

Download
memory/3908-480-0x0000000000000000-mapping.dmp

Download
memory/3912-407-0x000000000041E792-mapping.dmp

Download
memory/3912-551-0x000000000041E792-mapping.dmp

Download
memory/3916-525-0x0000000000000000-mapping.dmp

Download
memory/3916-698-0x000000000041E792-mapping.dmp

Download
memory/3920-201-0x0000000000000000-mapping.dmp

Download
memory/3920-602-0x000000000041E792-mapping.dmp

Download
memory/3920-699-0x0000000000000000-mapping.dmp

Download
memory/3928-81-0x0000000000000000-mapping.dmp

Download
memory/3932-224-0x000000000041E792-mapping.dmp

Download
memory/3932-419-0x000000000041E792-mapping.dmp

Download
memory/3932-56-0x000000000041E792-mapping.dmp

Download
memory/3936-215-0x000000000041E792-mapping.dmp

Download
memory/3936-14-0x0000000000000000-mapping.dmp

Download
memory/3936-152-0x000000000041E792-mapping.dmp

Download
memory/3936-195-0x0000000000000000-mapping.dmp

Download
memory/3940-80-0x000000000041E792-mapping.dmp

Download
memory/3940-197-0x000000000041E792-mapping.dmp

Download
memory/3940-653-0x000000000041E792-mapping.dmp

Download
memory/3940-125-0x000000000041E792-mapping.dmp

Download
memory/3944-66-0x0000000000000000-mapping.dmp

Download
memory/3956-170-0x000000000041E792-mapping.dmp

Download
memory/3956-245-0x000000000041E792-mapping.dmp

Download
memory/3956-380-0x000000000041E792-mapping.dmp

Download
memory/3956-98-0x000000000041E792-mapping.dmp

Download
memory/3960-692-0x000000000041E792-mapping.dmp

Download
memory/3960-366-0x0000000000000000-mapping.dmp

Download
memory/3960-401-0x000000000041E792-mapping.dmp

Download
memory/3960-491-0x000000000041E792-mapping.dmp

Download
memory/3960-78-0x0000000000000000-mapping.dmp

Download
memory/3964-369-0x0000000000000000-mapping.dmp

Download
memory/3964-272-0x000000000041E792-mapping.dmp

Download
memory/3964-503-0x000000000041E792-mapping.dmp

Download
memory/3964-126-0x0000000000000000-mapping.dmp

Download
memory/3980-273-0x0000000000000000-mapping.dmp

Download
memory/3984-276-0x0000000000000000-mapping.dmp

Download
memory/3984-185-0x000000000041E792-mapping.dmp

Download
memory/3984-140-0x000000000041E792-mapping.dmp

Download
memory/3984-771-0x0000000000000000-mapping.dmp

Download
memory/3984-413-0x000000000041E792-mapping.dmp

Download
memory/3984-123-0x0000000000000000-mapping.dmp

Download
memory/3992-531-0x0000000000000000-mapping.dmp

Download
memory/3992-639-0x0000000000000000-mapping.dmp

Download
memory/3992-488-0x000000000041E792-mapping.dmp

Download
memory/3992-443-0x000000000041E792-mapping.dmp

Download
memory/3992-702-0x0000000000000000-mapping.dmp

Download
memory/3992-720-0x0000000000000000-mapping.dmp

Download
memory/4000-113-0x000000000041E792-mapping.dmp

Download
memory/4000-437-0x000000000041E792-mapping.dmp

Download
memory/4016-314-0x000000000041E792-mapping.dmp

Download
memory/4016-684-0x0000000000000000-mapping.dmp

Download
memory/4016-636-0x0000000000000000-mapping.dmp

Download
memory/4016-179-0x000000000041E792-mapping.dmp

Download
memory/4020-431-0x000000000041E792-mapping.dmp

Download
memory/4028-444-0x0000000000000000-mapping.dmp

Download
memory/4028-656-0x000000000041E792-mapping.dmp

Download
memory/4028-290-0x000000000041E792-mapping.dmp

Download
memory/4028-426-0x0000000000000000-mapping.dmp

Download
memory/4036-579-0x0000000000000000-mapping.dmp

Download
memory/4040-257-0x000000000041E792-mapping.dmp

Download
memory/4040-726-0x0000000000000000-mapping.dmp

Download
memory/4056-194-0x000000000041E792-mapping.dmp

Download
memory/4056-402-0x0000000000000000-mapping.dmp

Download
memory/4068-689-0x000000000041E792-mapping.dmp

Download
memory/4068-572-0x000000000041E792-mapping.dmp

Download