azorult | dd668abafa9cbdf937e710f2e2e7f6228ca99c7a226b507d43f887c03dff8509

Analysis

max time kernel
143s
max time network
151s
platform
windows7_x64
resource
win7
submitted
30-06-2020 12:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PI.exe
Size

339KB
MD5

e9b130e7262d0aafa2c0ba84d28539dd
SHA1

5e799f43441bd288094370b03bdfa554eafb6324
SHA256

dd668abafa9cbdf937e710f2e2e7f6228ca99c7a226b507d43f887c03dff8509
SHA512

7e934097fbd3e1500c7810794c1fda4267aa64d70197d0623c6dca5f2e91d67960d5e11ec87cfa853c457b5342eebb4d7fc98d5892efd7ad239a32211f0322b5

Score

10^/10

spyware discovery trojan infostealer azorult

Malware Config

Extracted

Family

azorult

http://45.95.168.162/city/index.php

Signatures

Suspicious behavior: EnumeratesProcesses 12605 IoCs

Processes:

PI.exe

pid	process
1612	PI.exe
1612	PI.exe
1612	PI.exe
1612	PI.exe
1612	PI.exe
1612	PI.exe
1612	PI.exe
1612	PI.exe
1612	PI.exe
1612	PI.exe
1612	PI.exe
1612	PI.exe
1612	PI.exe
1612	PI.exe
1612	PI.exe
1612	PI.exe
1612	PI.exe
1612	PI.exe
1612	PI.exe
1612	PI.exe
1612	PI.exe
1612	PI.exe
1612	PI.exe
1612	PI.exe
1612	PI.exe
1612	PI.exe
1612	PI.exe
1612	PI.exe
1612	PI.exe
1612	PI.exe
1612	PI.exe
1612	PI.exe
1612	PI.exe
1612	PI.exe
1612	PI.exe
1612	PI.exe
1612	PI.exe
1612	PI.exe
1612	PI.exe
1612	PI.exe
1612	PI.exe
1612	PI.exe
1612	PI.exe
1612	PI.exe
1612	PI.exe
1612	PI.exe
1612	PI.exe
1612	PI.exe
1612	PI.exe
1612	PI.exe
1612	PI.exe
1612	PI.exe
1612	PI.exe
1612	PI.exe
1612	PI.exe
1612	PI.exe
1612	PI.exe
1612	PI.exe
1612	PI.exe
1612	PI.exe
1612	PI.exe
1612	PI.exe
1612	PI.exe
1612	PI.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Delays execution with timeout.exe 7 IoCs
evasion

Processes:

timeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exe

pid process

1644 timeout.exe
1304 timeout.exe
1956 timeout.exe
1128 timeout.exe
1280 timeout.exe
1152 timeout.exe
1576 timeout.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1644	timeout.exe
1304	timeout.exe
1956	timeout.exe
1128	timeout.exe
1280	timeout.exe
1152	timeout.exe
1576	timeout.exe

Suspicious use of WriteProcessMemory 1087 IoCs

Processes:

PI.execmd.exePI.execmd.exePI.exe

description	pid	process	target process
PID 1612 wrote to memory of 1072	1612	PI.exe	RegAsm.exe
PID 1612 wrote to memory of 1072	1612	PI.exe	RegAsm.exe
PID 1612 wrote to memory of 1072	1612	PI.exe	RegAsm.exe
PID 1612 wrote to memory of 1072	1612	PI.exe	RegAsm.exe
PID 1612 wrote to memory of 1072	1612	PI.exe	RegAsm.exe
PID 1612 wrote to memory of 1072	1612	PI.exe	RegAsm.exe
PID 1612 wrote to memory of 1072	1612	PI.exe	RegAsm.exe
PID 1612 wrote to memory of 1052	1612	PI.exe	RegAsm.exe
PID 1612 wrote to memory of 1052	1612	PI.exe	RegAsm.exe
PID 1612 wrote to memory of 1052	1612	PI.exe	RegAsm.exe
PID 1612 wrote to memory of 1052	1612	PI.exe	RegAsm.exe
PID 1612 wrote to memory of 1052	1612	PI.exe	RegAsm.exe
PID 1612 wrote to memory of 1052	1612	PI.exe	RegAsm.exe
PID 1612 wrote to memory of 1052	1612	PI.exe	RegAsm.exe
PID 1612 wrote to memory of 1052	1612	PI.exe	RegAsm.exe
PID 1612 wrote to memory of 1768	1612	PI.exe	cmd.exe
PID 1612 wrote to memory of 1768	1612	PI.exe	cmd.exe
PID 1612 wrote to memory of 1768	1612	PI.exe	cmd.exe
PID 1612 wrote to memory of 1768	1612	PI.exe	cmd.exe
PID 1768 wrote to memory of 1420	1768	cmd.exe	choice.exe
PID 1768 wrote to memory of 1420	1768	cmd.exe	choice.exe
PID 1768 wrote to memory of 1420	1768	cmd.exe	choice.exe
PID 1768 wrote to memory of 1420	1768	cmd.exe	choice.exe
PID 1612 wrote to memory of 1416	1612	PI.exe	PI.exe
PID 1612 wrote to memory of 1416	1612	PI.exe	PI.exe
PID 1612 wrote to memory of 1416	1612	PI.exe	PI.exe
PID 1612 wrote to memory of 1416	1612	PI.exe	PI.exe
PID 1416 wrote to memory of 1948	1416	PI.exe	RegAsm.exe
PID 1416 wrote to memory of 1948	1416	PI.exe	RegAsm.exe
PID 1416 wrote to memory of 1948	1416	PI.exe	RegAsm.exe
PID 1416 wrote to memory of 1948	1416	PI.exe	RegAsm.exe
PID 1416 wrote to memory of 1948	1416	PI.exe	RegAsm.exe
PID 1416 wrote to memory of 1948	1416	PI.exe	RegAsm.exe
PID 1416 wrote to memory of 1948	1416	PI.exe	RegAsm.exe
PID 1416 wrote to memory of 1948	1416	PI.exe	RegAsm.exe
PID 1416 wrote to memory of 1972	1416	PI.exe	cmd.exe
PID 1416 wrote to memory of 1972	1416	PI.exe	cmd.exe
PID 1416 wrote to memory of 1972	1416	PI.exe	cmd.exe
PID 1416 wrote to memory of 1972	1416	PI.exe	cmd.exe
PID 1416 wrote to memory of 2000	1416	PI.exe	PI.exe
PID 1416 wrote to memory of 2000	1416	PI.exe	PI.exe
PID 1416 wrote to memory of 2000	1416	PI.exe	PI.exe
PID 1416 wrote to memory of 2000	1416	PI.exe	PI.exe
PID 1972 wrote to memory of 1592	1972	cmd.exe	choice.exe
PID 1972 wrote to memory of 1592	1972	cmd.exe	choice.exe
PID 1972 wrote to memory of 1592	1972	cmd.exe	choice.exe
PID 1972 wrote to memory of 1592	1972	cmd.exe	choice.exe
PID 2000 wrote to memory of 1652	2000	PI.exe	RegAsm.exe
PID 2000 wrote to memory of 1652	2000	PI.exe	RegAsm.exe
PID 2000 wrote to memory of 1652	2000	PI.exe	RegAsm.exe
PID 2000 wrote to memory of 1652	2000	PI.exe	RegAsm.exe
PID 2000 wrote to memory of 1652	2000	PI.exe	RegAsm.exe
PID 2000 wrote to memory of 1652	2000	PI.exe	RegAsm.exe
PID 2000 wrote to memory of 1652	2000	PI.exe	RegAsm.exe
PID 2000 wrote to memory of 1664	2000	PI.exe	RegAsm.exe
PID 2000 wrote to memory of 1664	2000	PI.exe	RegAsm.exe
PID 2000 wrote to memory of 1664	2000	PI.exe	RegAsm.exe
PID 2000 wrote to memory of 1664	2000	PI.exe	RegAsm.exe
PID 2000 wrote to memory of 1664	2000	PI.exe	RegAsm.exe
PID 2000 wrote to memory of 1664	2000	PI.exe	RegAsm.exe
PID 2000 wrote to memory of 1664	2000	PI.exe	RegAsm.exe
PID 2000 wrote to memory of 1664	2000	PI.exe	RegAsm.exe
PID 2000 wrote to memory of 1632	2000	PI.exe	cmd.exe
PID 2000 wrote to memory of 1632	2000	PI.exe	cmd.exe

Suspicious behavior: MapViewOfSection 71 IoCs

Processes:

PI.exePI.exePI.exePI.exePI.exePI.exePI.exePI.exePI.exePI.exePI.exePI.exePI.exePI.exePI.exePI.exePI.exePI.exePI.exePI.exePI.exePI.exePI.exePI.exePI.exePI.exePI.exePI.exePI.exePI.exePI.exePI.exePI.exePI.exePI.exePI.exePI.exe

pid	process
1612	PI.exe
1612	PI.exe
1416	PI.exe
2000	PI.exe
2000	PI.exe
620	PI.exe
1536	PI.exe
1628	PI.exe
1656	PI.exe
1656	PI.exe
1656	PI.exe
580	PI.exe
324	PI.exe
1940	PI.exe
1380	PI.exe
1048	PI.exe
1048	PI.exe
1048	PI.exe
1048	PI.exe
792	PI.exe
1076	PI.exe
1076	PI.exe
1076	PI.exe
1076	PI.exe
1076	PI.exe
1076	PI.exe
1076	PI.exe
1076	PI.exe
1964	PI.exe
1164	PI.exe
1368	PI.exe
828	PI.exe
828	PI.exe
828	PI.exe
1932	PI.exe
588	PI.exe
588	PI.exe
588	PI.exe
588	PI.exe
1916	PI.exe
1916	PI.exe
1916	PI.exe
1916	PI.exe
1916	PI.exe
1856	PI.exe
1052	PI.exe
1572	PI.exe
1572	PI.exe
1632	PI.exe
1632	PI.exe
1632	PI.exe
1864	PI.exe
1952	PI.exe
1832	PI.exe
1832	PI.exe
1672	PI.exe
2016	PI.exe
2028	PI.exe
832	PI.exe
1132	PI.exe
276	PI.exe
1520	PI.exe
240	PI.exe
820	PI.exe

Loads dropped DLL 112 IoCs

Processes:

RegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exe

pid	process
1052	RegAsm.exe
1052	RegAsm.exe
1052	RegAsm.exe
1052	RegAsm.exe
1052	RegAsm.exe
1052	RegAsm.exe
1052	RegAsm.exe
1052	RegAsm.exe
1052	RegAsm.exe
1052	RegAsm.exe
1052	RegAsm.exe
1052	RegAsm.exe
1052	RegAsm.exe
1052	RegAsm.exe
1052	RegAsm.exe
1052	RegAsm.exe
1504	RegAsm.exe
1504	RegAsm.exe
1504	RegAsm.exe
1504	RegAsm.exe
1504	RegAsm.exe
1504	RegAsm.exe
1504	RegAsm.exe
1504	RegAsm.exe
1504	RegAsm.exe
1504	RegAsm.exe
1504	RegAsm.exe
1504	RegAsm.exe
1504	RegAsm.exe
1504	RegAsm.exe
1504	RegAsm.exe
1504	RegAsm.exe
528	RegAsm.exe
528	RegAsm.exe
528	RegAsm.exe
528	RegAsm.exe
528	RegAsm.exe
528	RegAsm.exe
528	RegAsm.exe
528	RegAsm.exe
528	RegAsm.exe
528	RegAsm.exe
528	RegAsm.exe
528	RegAsm.exe
528	RegAsm.exe
528	RegAsm.exe
528	RegAsm.exe
528	RegAsm.exe
1316	RegAsm.exe
1316	RegAsm.exe
1316	RegAsm.exe
1316	RegAsm.exe
1316	RegAsm.exe
1316	RegAsm.exe
1316	RegAsm.exe
1316	RegAsm.exe
1316	RegAsm.exe
1316	RegAsm.exe
1316	RegAsm.exe
1316	RegAsm.exe
1316	RegAsm.exe
1316	RegAsm.exe
1316	RegAsm.exe
1316	RegAsm.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware

Data from Local System
T1005

Credentials in Files
T1081

Checks processor information in registry 2 TTPs 14 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

RegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegAsm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RegAsm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegAsm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RegAsm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RegAsm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RegAsm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegAsm.exe

Checks for installed software on the system 1 TTPs 210 IoCs

discovery

Query Registry

T1012

Processes:

RegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX\DisplayName	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2524860\DisplayName	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager\DisplayName	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR\DisplayName	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Uninstall	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2544655\DisplayName	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\DisplayName	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack\DisplayName	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR\DisplayName	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE40\DisplayName	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent\DisplayName	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2544655\DisplayName	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore\DisplayName	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX\DisplayName	RegAsm.exe
Key opened	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall	RegAsm.exe
Key enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX\DisplayName	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}\DisplayName	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent\DisplayName	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2151757\DisplayName	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data\DisplayName	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB982573\DisplayName	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}\DisplayName	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\WIC\DisplayName	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{92FB6C44-E685-45AD-9B20-CADF4CABA132}.KB4087364\DisplayName	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR\DisplayName	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data\DisplayName	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\DisplayName	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager\DisplayName	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2565063\DisplayName	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data\DisplayName	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack\DisplayName	RegAsm.exe
Key opened	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall	RegAsm.exe
Key enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB982573\DisplayName	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore\DisplayName	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX\DisplayName	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2151757\DisplayName	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR\DisplayName	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent\DisplayName	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{BB8B979E-E336-47E7-96BC-1031C1B94561}\DisplayName	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE40\DisplayName	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\DisplayName	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-1033-7B44-A90000000001}\DisplayName	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2544655\DisplayName	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IEData\DisplayName	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-1033-7B44-A90000000001}\DisplayName	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx\DisplayName	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX\DisplayName	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX\DisplayName	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Uninstall	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\DisplayName	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2544655\DisplayName	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2565063\DisplayName	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{BB8B979E-E336-47E7-96BC-1031C1B94561}\DisplayName	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2549743\DisplayName	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\DisplayName	RegAsm.exe
Key opened	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook\DisplayName	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\WIC\DisplayName	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{92FB6C44-E685-45AD-9B20-CADF4CABA132}.KB4087364\DisplayName	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\DisplayName	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\DisplayName	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Uninstall	RegAsm.exe

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult

Suspicious use of SetThreadContext 42 IoCs

Processes:

description	pid	process	target process
PID 1612 set thread context of 1052	1612	PI.exe	RegAsm.exe
PID 1416 set thread context of 1948	1416	PI.exe	RegAsm.exe
PID 2000 set thread context of 1664	2000	PI.exe	RegAsm.exe
PID 620 set thread context of 1272	620	PI.exe	RegAsm.exe
PID 1536 set thread context of 1868	1536	PI.exe	RegAsm.exe
PID 1628 set thread context of 1116	1628	PI.exe	RegAsm.exe
PID 1656 set thread context of 1852	1656	PI.exe	RegAsm.exe
PID 580 set thread context of 1560	580	PI.exe	RegAsm.exe
PID 324 set thread context of 1604	324	PI.exe	RegAsm.exe
PID 1940 set thread context of 1028	1940	PI.exe	RegAsm.exe
PID 1380 set thread context of 1804	1380	PI.exe	RegAsm.exe
PID 1048 set thread context of 1592	1048	PI.exe	RegAsm.exe
PID 792 set thread context of 1504	792	PI.exe	RegAsm.exe
PID 1076 set thread context of 1752	1076	PI.exe	RegAsm.exe
PID 1964 set thread context of 1140	1964	PI.exe	RegAsm.exe
PID 1164 set thread context of 1588	1164	PI.exe	RegAsm.exe
PID 1368 set thread context of 1080	1368	PI.exe	RegAsm.exe
PID 828 set thread context of 556	828	PI.exe	RegAsm.exe
PID 1932 set thread context of 1588	1932	PI.exe	RegAsm.exe
PID 588 set thread context of 1080	588	PI.exe	RegAsm.exe
PID 1916 set thread context of 528	1916	PI.exe	RegAsm.exe
PID 1856 set thread context of 1544	1856	PI.exe	RegAsm.exe
PID 1052 set thread context of 1088	1052	PI.exe	RegAsm.exe
PID 1572 set thread context of 1420	1572	PI.exe	RegAsm.exe
PID 1632 set thread context of 1316	1632	PI.exe	RegAsm.exe
PID 1864 set thread context of 1488	1864	PI.exe	RegAsm.exe
PID 1952 set thread context of 884	1952	PI.exe	RegAsm.exe
PID 1832 set thread context of 1752	1832	PI.exe	RegAsm.exe
PID 1672 set thread context of 1608	1672	PI.exe	RegAsm.exe
PID 2016 set thread context of 860	2016	PI.exe	RegAsm.exe
PID 2028 set thread context of 1572	2028	PI.exe	RegAsm.exe
PID 832 set thread context of 1488	832	PI.exe	RegAsm.exe
PID 1132 set thread context of 1708	1132	PI.exe	RegAsm.exe
PID 276 set thread context of 1772	276	PI.exe	RegAsm.exe
PID 1520 set thread context of 1688	1520	PI.exe	RegAsm.exe
PID 240 set thread context of 1664	240	PI.exe	RegAsm.exe
PID 820 set thread context of 1608	820	PI.exe	RegAsm.exe
PID 560 set thread context of 1140	560	PI.exe	RegAsm.exe
PID 1920 set thread context of 1088	1920	PI.exe	RegAsm.exe
PID 1692 set thread context of 1048	1692	PI.exe	RegAsm.exe
PID 268 set thread context of 1604	268	PI.exe	RegAsm.exe
PID 1056 set thread context of 1544	1056	PI.exe	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 41 IoCs

Processes:

description	pid	process
Token: SeDebugPrivilege	1612	PI.exe
Token: SeDebugPrivilege	1416	PI.exe
Token: SeDebugPrivilege	2000	PI.exe
Token: SeDebugPrivilege	620	PI.exe
Token: SeDebugPrivilege	1536	PI.exe
Token: SeDebugPrivilege	1628	PI.exe
Token: SeDebugPrivilege	1656	PI.exe
Token: SeDebugPrivilege	580	PI.exe
Token: SeDebugPrivilege	324	PI.exe
Token: SeDebugPrivilege	1940	PI.exe
Token: SeDebugPrivilege	1380	PI.exe
Token: SeDebugPrivilege	1048	PI.exe
Token: SeDebugPrivilege	792	PI.exe
Token: SeDebugPrivilege	1076	PI.exe
Token: SeDebugPrivilege	1964	PI.exe
Token: SeDebugPrivilege	1164	PI.exe
Token: SeDebugPrivilege	1368	PI.exe
Token: SeDebugPrivilege	828	PI.exe
Token: SeDebugPrivilege	1932	PI.exe
Token: SeDebugPrivilege	588	PI.exe
Token: SeDebugPrivilege	1916	PI.exe
Token: SeDebugPrivilege	1856	PI.exe
Token: SeDebugPrivilege	1052	PI.exe
Token: SeDebugPrivilege	1572	PI.exe
Token: SeDebugPrivilege	1632	PI.exe
Token: SeDebugPrivilege	1864	PI.exe
Token: SeDebugPrivilege	1952	PI.exe
Token: SeDebugPrivilege	1832	PI.exe
Token: SeDebugPrivilege	1672	PI.exe
Token: SeDebugPrivilege	2016	PI.exe
Token: SeDebugPrivilege	2028	PI.exe
Token: SeDebugPrivilege	832	PI.exe
Token: SeDebugPrivilege	1132	PI.exe
Token: SeDebugPrivilege	276	PI.exe
Token: SeDebugPrivilege	1520	PI.exe
Token: SeDebugPrivilege	240	PI.exe
Token: SeDebugPrivilege	820	PI.exe
Token: SeDebugPrivilege	560	PI.exe
Token: SeDebugPrivilege	1920	PI.exe
Token: SeDebugPrivilege	1692	PI.exe
Token: SeDebugPrivilege	268	PI.exe

C:\Users\Admin\AppData\Local\Temp\PI.exe
"C:\Users\Admin\AppData\Local\Temp\PI.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1612

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
PID:1072

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
- Loads dropped DLL
- Checks processor information in registry
- Checks for installed software on the system
PID:1052

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "RegAsm.exe"
3⤵
PID:2012

C:\Windows\SysWOW64\timeout.exe
C:\Windows\system32\timeout.exe 3
4⤵
- Delays execution with timeout.exe
PID:1128

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1768

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
3⤵
PID:1420

C:\Users\Admin\AppData\Local\Temp\PI.exe
"C:\Users\Admin\AppData\Local\Temp\PI.exe"
2⤵
- Suspicious use of WriteProcessMemory
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1416

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:1948

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:1972

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:1592

C:\Users\Admin\AppData\Local\Temp\PI.exe
"C:\Users\Admin\AppData\Local\Temp\PI.exe"
3⤵
- Suspicious use of WriteProcessMemory
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2000

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
PID:1652

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
PID:1664

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI.exe"
4⤵
PID:1632

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
5⤵
PID:1364

C:\Users\Admin\AppData\Local\Temp\PI.exe
"C:\Users\Admin\AppData\Local\Temp\PI.exe"
4⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:620

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
5⤵
PID:1272

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI.exe"
5⤵
PID:240

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
6⤵
PID:1580

C:\Users\Admin\AppData\Local\Temp\PI.exe
"C:\Users\Admin\AppData\Local\Temp\PI.exe"
5⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1536

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
6⤵
PID:1868

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI.exe"
6⤵
PID:1148

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
7⤵
PID:1948

C:\Users\Admin\AppData\Local\Temp\PI.exe
"C:\Users\Admin\AppData\Local\Temp\PI.exe"
6⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1628

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
7⤵
PID:1116

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI.exe"
7⤵
PID:1080

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
8⤵
PID:112

C:\Users\Admin\AppData\Local\Temp\PI.exe
"C:\Users\Admin\AppData\Local\Temp\PI.exe"
7⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1656

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
8⤵
PID:1936

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
8⤵
PID:1928

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
8⤵
PID:1852

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI.exe"
8⤵
PID:520

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
9⤵
PID:1540

C:\Users\Admin\AppData\Local\Temp\PI.exe
"C:\Users\Admin\AppData\Local\Temp\PI.exe"
8⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:580

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
9⤵
PID:1560

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI.exe"
9⤵
PID:1896

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
10⤵
PID:828

C:\Users\Admin\AppData\Local\Temp\PI.exe
"C:\Users\Admin\AppData\Local\Temp\PI.exe"
9⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:324

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
10⤵
PID:1604

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI.exe"
10⤵
PID:1116

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
11⤵
PID:1980

C:\Users\Admin\AppData\Local\Temp\PI.exe
"C:\Users\Admin\AppData\Local\Temp\PI.exe"
10⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1940

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
11⤵
PID:1028

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI.exe"
11⤵
PID:1488

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
12⤵
PID:572

C:\Users\Admin\AppData\Local\Temp\PI.exe
"C:\Users\Admin\AppData\Local\Temp\PI.exe"
11⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1380

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
12⤵
PID:1804

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI.exe"
12⤵
PID:1652

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
13⤵
PID:1544

C:\Users\Admin\AppData\Local\Temp\PI.exe
"C:\Users\Admin\AppData\Local\Temp\PI.exe"
12⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1048

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
13⤵
PID:1828

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
13⤵
PID:1964

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
13⤵
PID:1264

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
13⤵
PID:1592

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI.exe"
13⤵
PID:1560

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
14⤵
PID:1520

C:\Users\Admin\AppData\Local\Temp\PI.exe
"C:\Users\Admin\AppData\Local\Temp\PI.exe"
13⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:792

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
14⤵
- Loads dropped DLL
- Checks processor information in registry
- Checks for installed software on the system
PID:1504

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "RegAsm.exe"
15⤵
PID:1920

C:\Windows\SysWOW64\timeout.exe
C:\Windows\system32\timeout.exe 3
16⤵
- Delays execution with timeout.exe
PID:1280

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI.exe"
14⤵
PID:1576

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
15⤵
PID:268

C:\Users\Admin\AppData\Local\Temp\PI.exe
"C:\Users\Admin\AppData\Local\Temp\PI.exe"
14⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1076

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
15⤵
PID:1372

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
15⤵
PID:112

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
15⤵
PID:1572

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
15⤵
PID:1080

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
15⤵
PID:2016

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
15⤵
PID:1644

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
15⤵
PID:584

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
15⤵
PID:1752

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI.exe"
15⤵
PID:1836

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
16⤵
PID:1584

C:\Users\Admin\AppData\Local\Temp\PI.exe
"C:\Users\Admin\AppData\Local\Temp\PI.exe"
15⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1964

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
16⤵
PID:1140

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI.exe"
16⤵
PID:1152

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
17⤵
PID:1952

C:\Users\Admin\AppData\Local\Temp\PI.exe
"C:\Users\Admin\AppData\Local\Temp\PI.exe"
16⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1164

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
17⤵
PID:1588

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI.exe"
17⤵
PID:1496

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
18⤵
PID:1060

C:\Users\Admin\AppData\Local\Temp\PI.exe
"C:\Users\Admin\AppData\Local\Temp\PI.exe"
17⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1368

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
18⤵
PID:1080

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI.exe"
18⤵
PID:2020

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
19⤵
PID:876

C:\Users\Admin\AppData\Local\Temp\PI.exe
"C:\Users\Admin\AppData\Local\Temp\PI.exe"
18⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:828

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
19⤵
PID:1708

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
19⤵
PID:1028

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
19⤵
PID:556

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI.exe"
19⤵
PID:1140

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
20⤵
PID:1488

C:\Users\Admin\AppData\Local\Temp\PI.exe
"C:\Users\Admin\AppData\Local\Temp\PI.exe"
19⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1932

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
20⤵
PID:1588

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI.exe"
20⤵
PID:1900

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
21⤵
PID:1652

C:\Users\Admin\AppData\Local\Temp\PI.exe
"C:\Users\Admin\AppData\Local\Temp\PI.exe"
20⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:588

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
21⤵
PID:1076

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
21⤵
PID:560

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
21⤵
PID:860

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
21⤵
PID:1080

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI.exe"
21⤵
PID:1416

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
22⤵
PID:1656

C:\Users\Admin\AppData\Local\Temp\PI.exe
"C:\Users\Admin\AppData\Local\Temp\PI.exe"
21⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1916

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
22⤵
PID:1032

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
22⤵
PID:1360

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
22⤵
PID:1828

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
22⤵
PID:1116

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
22⤵
- Loads dropped DLL
- Checks processor information in registry
- Checks for installed software on the system
PID:528

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "RegAsm.exe"
23⤵
PID:1584

C:\Windows\SysWOW64\timeout.exe
C:\Windows\system32\timeout.exe 3
24⤵
- Delays execution with timeout.exe
PID:1152

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI.exe"
22⤵
PID:784

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
23⤵
PID:1564

C:\Users\Admin\AppData\Local\Temp\PI.exe
"C:\Users\Admin\AppData\Local\Temp\PI.exe"
22⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1856

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
23⤵
PID:1544

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI.exe"
23⤵
PID:1364

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
24⤵
PID:364

C:\Users\Admin\AppData\Local\Temp\PI.exe
"C:\Users\Admin\AppData\Local\Temp\PI.exe"
23⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1052

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
24⤵
PID:1088

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI.exe"
24⤵
PID:1600

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
25⤵
PID:1688

C:\Users\Admin\AppData\Local\Temp\PI.exe
"C:\Users\Admin\AppData\Local\Temp\PI.exe"
24⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1572

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
25⤵
PID:1116

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
25⤵
PID:1420

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI.exe"
25⤵
PID:1612

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
26⤵
PID:1592

C:\Users\Admin\AppData\Local\Temp\PI.exe
"C:\Users\Admin\AppData\Local\Temp\PI.exe"
25⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1632

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
26⤵
PID:1028

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
26⤵
PID:740

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
26⤵
- Loads dropped DLL
- Checks processor information in registry
- Checks for installed software on the system
PID:1316

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "RegAsm.exe"
27⤵
PID:1116

C:\Windows\SysWOW64\timeout.exe
C:\Windows\system32\timeout.exe 3
28⤵
- Delays execution with timeout.exe
PID:1576

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI.exe"
26⤵
PID:332

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
27⤵
PID:520

C:\Users\Admin\AppData\Local\Temp\PI.exe
"C:\Users\Admin\AppData\Local\Temp\PI.exe"
26⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1864

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
27⤵
PID:1488

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI.exe"
27⤵
PID:112

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
28⤵
PID:1272

C:\Users\Admin\AppData\Local\Temp\PI.exe
"C:\Users\Admin\AppData\Local\Temp\PI.exe"
27⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1952

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
28⤵
PID:884

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI.exe"
28⤵
PID:1940

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
29⤵
PID:324

C:\Users\Admin\AppData\Local\Temp\PI.exe
"C:\Users\Admin\AppData\Local\Temp\PI.exe"
28⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1832

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
29⤵
PID:1652

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
29⤵
- Checks processor information in registry
- Checks for installed software on the system
PID:1752

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "RegAsm.exe"
30⤵
PID:1176

C:\Windows\SysWOW64\timeout.exe
C:\Windows\system32\timeout.exe 3
31⤵
- Delays execution with timeout.exe
PID:1644

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI.exe"
29⤵
PID:1052

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
30⤵
PID:1908

C:\Users\Admin\AppData\Local\Temp\PI.exe
"C:\Users\Admin\AppData\Local\Temp\PI.exe"
29⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1672

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
30⤵
PID:1608

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI.exe"
30⤵
PID:1660

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
31⤵
PID:1148

C:\Users\Admin\AppData\Local\Temp\PI.exe
"C:\Users\Admin\AppData\Local\Temp\PI.exe"
30⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2016

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
31⤵
PID:860

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI.exe"
31⤵
PID:572

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
32⤵
PID:364

C:\Users\Admin\AppData\Local\Temp\PI.exe
"C:\Users\Admin\AppData\Local\Temp\PI.exe"
31⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2028

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
32⤵
PID:1572

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI.exe"
32⤵
PID:1844

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
33⤵
PID:1632

C:\Users\Admin\AppData\Local\Temp\PI.exe
"C:\Users\Admin\AppData\Local\Temp\PI.exe"
32⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:832

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
33⤵
- Checks processor information in registry
- Checks for installed software on the system
PID:1488

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "RegAsm.exe"
34⤵
PID:1536

C:\Windows\SysWOW64\timeout.exe
C:\Windows\system32\timeout.exe 3
35⤵
- Delays execution with timeout.exe
PID:1304

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI.exe"
33⤵
PID:1072

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
34⤵
PID:1776

C:\Users\Admin\AppData\Local\Temp\PI.exe
"C:\Users\Admin\AppData\Local\Temp\PI.exe"
33⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1132

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
34⤵
PID:1708

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI.exe"
34⤵
PID:1824

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
35⤵
PID:2024

C:\Users\Admin\AppData\Local\Temp\PI.exe
"C:\Users\Admin\AppData\Local\Temp\PI.exe"
34⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:276

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
35⤵
PID:1772

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI.exe"
35⤵
PID:1364

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
36⤵
PID:1056

C:\Users\Admin\AppData\Local\Temp\PI.exe
"C:\Users\Admin\AppData\Local\Temp\PI.exe"
35⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1520

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
36⤵
PID:1688

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI.exe"
36⤵
PID:1780

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
37⤵
PID:2028

C:\Users\Admin\AppData\Local\Temp\PI.exe
"C:\Users\Admin\AppData\Local\Temp\PI.exe"
36⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:240

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
37⤵
PID:1664

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI.exe"
37⤵
PID:1360

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
38⤵
PID:1936

C:\Users\Admin\AppData\Local\Temp\PI.exe
"C:\Users\Admin\AppData\Local\Temp\PI.exe"
37⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:820

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
38⤵
PID:1940

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
38⤵
PID:1656

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
38⤵
- Checks processor information in registry
- Checks for installed software on the system
PID:1608

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "RegAsm.exe"
39⤵
PID:1780

C:\Windows\SysWOW64\timeout.exe
C:\Windows\system32\timeout.exe 3
40⤵
- Delays execution with timeout.exe
PID:1956

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI.exe"
38⤵
PID:876

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
39⤵
PID:1116

C:\Users\Admin\AppData\Local\Temp\PI.exe
"C:\Users\Admin\AppData\Local\Temp\PI.exe"
38⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:560

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
39⤵
PID:1140

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI.exe"
39⤵
PID:1688

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
40⤵
PID:1032

C:\Users\Admin\AppData\Local\Temp\PI.exe
"C:\Users\Admin\AppData\Local\Temp\PI.exe"
39⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1920

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
40⤵
PID:1088

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI.exe"
40⤵
PID:1932

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
41⤵
PID:464

C:\Users\Admin\AppData\Local\Temp\PI.exe
"C:\Users\Admin\AppData\Local\Temp\PI.exe"
40⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1692

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
41⤵
PID:1048

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI.exe"
41⤵
PID:1524

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
42⤵
PID:1272

C:\Users\Admin\AppData\Local\Temp\PI.exe
"C:\Users\Admin\AppData\Local\Temp\PI.exe"
41⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:268

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
42⤵
PID:1604

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI.exe"
42⤵
PID:1264

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
43⤵
PID:1508

C:\Users\Admin\AppData\Local\Temp\PI.exe
"C:\Users\Admin\AppData\Local\Temp\PI.exe"
42⤵
- Suspicious use of SetThreadContext
PID:1056

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
43⤵
PID:1544

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2fda\mozglue.dll

Download Submit
C:\Users\Admin\AppData\Local\Temp\2fda\msvcp140.dll

Download Submit
C:\Users\Admin\AppData\Local\Temp\2fda\msvcp140.dll

Download Submit
C:\Users\Admin\AppData\Local\Temp\2fda\nss3.dll

Download Submit
C:\Users\Admin\AppData\Local\Temp\2fda\nss3.dll

Download Submit
C:\Users\Admin\AppData\Local\Temp\2fda\nss3.dll

Download Submit
C:\Users\Admin\AppData\Local\Temp\2fda\nss3.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\api-ms-win-crt-convert-l1-1-0.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\api-ms-win-crt-convert-l1-1-0.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\api-ms-win-crt-convert-l1-1-0.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\api-ms-win-crt-convert-l1-1-0.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\api-ms-win-crt-convert-l1-1-0.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\api-ms-win-crt-convert-l1-1-0.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\api-ms-win-crt-convert-l1-1-0.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\api-ms-win-crt-environment-l1-1-0.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\api-ms-win-crt-environment-l1-1-0.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\api-ms-win-crt-environment-l1-1-0.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\api-ms-win-crt-environment-l1-1-0.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\api-ms-win-crt-environment-l1-1-0.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\api-ms-win-crt-environment-l1-1-0.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\api-ms-win-crt-environment-l1-1-0.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\api-ms-win-crt-filesystem-l1-1-0.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\api-ms-win-crt-filesystem-l1-1-0.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\api-ms-win-crt-filesystem-l1-1-0.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\api-ms-win-crt-filesystem-l1-1-0.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\api-ms-win-crt-filesystem-l1-1-0.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\api-ms-win-crt-filesystem-l1-1-0.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\api-ms-win-crt-filesystem-l1-1-0.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\api-ms-win-crt-heap-l1-1-0.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\api-ms-win-crt-heap-l1-1-0.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\api-ms-win-crt-heap-l1-1-0.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\api-ms-win-crt-heap-l1-1-0.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\api-ms-win-crt-heap-l1-1-0.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\api-ms-win-crt-heap-l1-1-0.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\api-ms-win-crt-heap-l1-1-0.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\api-ms-win-crt-locale-l1-1-0.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\api-ms-win-crt-locale-l1-1-0.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\api-ms-win-crt-locale-l1-1-0.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\api-ms-win-crt-locale-l1-1-0.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\api-ms-win-crt-locale-l1-1-0.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\api-ms-win-crt-locale-l1-1-0.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\api-ms-win-crt-locale-l1-1-0.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\api-ms-win-crt-math-l1-1-0.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\api-ms-win-crt-math-l1-1-0.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\api-ms-win-crt-math-l1-1-0.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\api-ms-win-crt-math-l1-1-0.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\api-ms-win-crt-math-l1-1-0.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\api-ms-win-crt-math-l1-1-0.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\api-ms-win-crt-math-l1-1-0.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\api-ms-win-crt-multibyte-l1-1-0.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\api-ms-win-crt-multibyte-l1-1-0.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\api-ms-win-crt-multibyte-l1-1-0.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\api-ms-win-crt-multibyte-l1-1-0.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\api-ms-win-crt-multibyte-l1-1-0.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\api-ms-win-crt-multibyte-l1-1-0.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\api-ms-win-crt-multibyte-l1-1-0.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\api-ms-win-crt-runtime-l1-1-0.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\api-ms-win-crt-runtime-l1-1-0.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\api-ms-win-crt-runtime-l1-1-0.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\api-ms-win-crt-runtime-l1-1-0.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\api-ms-win-crt-runtime-l1-1-0.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\api-ms-win-crt-runtime-l1-1-0.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\api-ms-win-crt-runtime-l1-1-0.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\api-ms-win-crt-stdio-l1-1-0.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\api-ms-win-crt-stdio-l1-1-0.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\api-ms-win-crt-stdio-l1-1-0.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\api-ms-win-crt-stdio-l1-1-0.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\api-ms-win-crt-stdio-l1-1-0.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\api-ms-win-crt-stdio-l1-1-0.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\api-ms-win-crt-stdio-l1-1-0.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\api-ms-win-crt-string-l1-1-0.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\api-ms-win-crt-string-l1-1-0.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\api-ms-win-crt-string-l1-1-0.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\api-ms-win-crt-string-l1-1-0.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\api-ms-win-crt-string-l1-1-0.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\api-ms-win-crt-string-l1-1-0.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\api-ms-win-crt-string-l1-1-0.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\api-ms-win-crt-time-l1-1-0.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\api-ms-win-crt-time-l1-1-0.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\api-ms-win-crt-time-l1-1-0.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\api-ms-win-crt-time-l1-1-0.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\api-ms-win-crt-time-l1-1-0.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\api-ms-win-crt-time-l1-1-0.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\api-ms-win-crt-time-l1-1-0.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\api-ms-win-crt-utility-l1-1-0.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\api-ms-win-crt-utility-l1-1-0.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\api-ms-win-crt-utility-l1-1-0.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\api-ms-win-crt-utility-l1-1-0.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\api-ms-win-crt-utility-l1-1-0.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\api-ms-win-crt-utility-l1-1-0.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\api-ms-win-crt-utility-l1-1-0.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\mozglue.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\mozglue.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\mozglue.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\mozglue.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\mozglue.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\mozglue.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\mozglue.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\msvcp140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\msvcp140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\msvcp140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\msvcp140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\msvcp140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\msvcp140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\msvcp140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\nss3.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\nss3.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\nss3.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\nss3.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\nss3.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\nss3.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\nss3.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\vcruntime140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\vcruntime140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\vcruntime140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\vcruntime140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\vcruntime140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\vcruntime140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\vcruntime140.dll

Download Submit
memory/112-64-0x0000000000000000-mapping.dmp

Download
memory/112-339-0x0000000000000000-mapping.dmp

Download
memory/240-479-0x0000000000000000-mapping.dmp

Download
memory/240-36-0x0000000000000000-mapping.dmp

Download
memory/268-552-0x0000000000000000-mapping.dmp

Download
memory/268-158-0x0000000000000000-mapping.dmp

Download
memory/276-457-0x0000000000000000-mapping.dmp

Download
memory/324-87-0x0000000000000000-mapping.dmp

Download
memory/324-354-0x0000000000000000-mapping.dmp

Download
memory/332-326-0x0000000000000000-mapping.dmp

Download
memory/364-276-0x0000000000000000-mapping.dmp

Download
memory/364-403-0x0000000000000000-mapping.dmp

Download
memory/464-543-0x0000000000000000-mapping.dmp

Download
memory/520-73-0x0000000000000000-mapping.dmp

Download
memory/520-329-0x0000000000000000-mapping.dmp

Download
memory/528-255-0x000000000041A1F8-mapping.dmp

Download
memory/556-206-0x000000000041A1F8-mapping.dmp

Download
memory/560-519-0x0000000000000000-mapping.dmp

Download
memory/572-398-0x0000000000000000-mapping.dmp

Download
memory/572-108-0x0000000000000000-mapping.dmp

Download
memory/580-76-0x0000000000000000-mapping.dmp

Download
memory/588-226-0x0000000000000000-mapping.dmp

Download
memory/620-32-0x0000000000000000-mapping.dmp

Download
memory/784-257-0x0000000000000000-mapping.dmp

Download
memory/792-147-0x0000000000000000-mapping.dmp

Download
memory/820-507-0x0000000000000000-mapping.dmp

Download
memory/828-204-0x0000000000000000-mapping.dmp

Download
memory/828-86-0x0000000000000000-mapping.dmp

Download
memory/832-433-0x0000000000000000-mapping.dmp

Download
memory/860-395-0x000000000041A1F8-mapping.dmp

Download
memory/876-203-0x0000000000000000-mapping.dmp

Download
memory/876-517-0x0000000000000000-mapping.dmp

Download
memory/884-343-0x000000000041A1F8-mapping.dmp

Download
memory/1028-100-0x000000000041A1F8-mapping.dmp

Download
memory/1032-531-0x0000000000000000-mapping.dmp

Download
memory/1048-544-0x000000000041A1F8-mapping.dmp

Download
memory/1048-120-0x0000000000000000-mapping.dmp

Download
memory/1052-2-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1052-6-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1052-5-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1052-7-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1052-4-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1052-0-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1052-1-0x000000000041A1F8-mapping.dmp

Download
memory/1052-3-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1052-277-0x0000000000000000-mapping.dmp

Download
memory/1052-378-0x0000000000000000-mapping.dmp

Download
memory/1056-563-0x0000000000000000-mapping.dmp

Download
memory/1056-468-0x0000000000000000-mapping.dmp

Download
memory/1060-192-0x0000000000000000-mapping.dmp

Download
memory/1072-442-0x0000000000000000-mapping.dmp

Download
memory/1076-160-0x0000000000000000-mapping.dmp

Download
memory/1080-195-0x000000000041A1F8-mapping.dmp

Download
memory/1080-228-0x000000000041A1F8-mapping.dmp

Download
memory/1080-58-0x0000000000000000-mapping.dmp

Download
memory/1088-533-0x000000000041A1F8-mapping.dmp

Download
memory/1088-279-0x000000000041A1F8-mapping.dmp

Download
memory/1116-96-0x0000000000000000-mapping.dmp

Download
memory/1116-56-0x000000000041A1F8-mapping.dmp

Download
memory/1116-520-0x0000000000000000-mapping.dmp

Download
memory/1116-374-0x0000000000000000-mapping.dmp

Download
memory/1128-159-0x0000000000000000-mapping.dmp

Download
memory/1132-445-0x0000000000000000-mapping.dmp

Download
memory/1140-173-0x000000000041A1F8-mapping.dmp

Download
memory/1140-208-0x0000000000000000-mapping.dmp

Download
memory/1140-522-0x000000000041A1F8-mapping.dmp

Download
memory/1148-48-0x0000000000000000-mapping.dmp

Download
memory/1148-392-0x0000000000000000-mapping.dmp

Download
memory/1152-177-0x0000000000000000-mapping.dmp

Download
memory/1152-328-0x0000000000000000-mapping.dmp

Download
memory/1164-181-0x0000000000000000-mapping.dmp

Download
memory/1176-434-0x0000000000000000-mapping.dmp

Download
memory/1264-560-0x0000000000000000-mapping.dmp

Download
memory/1272-553-0x0000000000000000-mapping.dmp

Download
memory/1272-340-0x0000000000000000-mapping.dmp

Download
memory/1272-34-0x000000000041A1F8-mapping.dmp

Download
memory/1280-266-0x0000000000000000-mapping.dmp

Download
memory/1304-510-0x0000000000000000-mapping.dmp

Download
memory/1316-325-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1316-319-0x000000000041A1F8-mapping.dmp

Download
memory/1316-324-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1316-327-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1316-323-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1316-322-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1360-504-0x0000000000000000-mapping.dmp

Download
memory/1364-272-0x0000000000000000-mapping.dmp

Download
memory/1364-31-0x0000000000000000-mapping.dmp

Download
memory/1364-463-0x0000000000000000-mapping.dmp

Download
memory/1368-193-0x0000000000000000-mapping.dmp

Download
memory/1380-109-0x0000000000000000-mapping.dmp

Download
memory/1416-233-0x0000000000000000-mapping.dmp

Download
memory/1416-10-0x0000000000000000-mapping.dmp

Download
memory/1420-292-0x000000000041A1F8-mapping.dmp

Download
memory/1420-9-0x0000000000000000-mapping.dmp

Download
memory/1488-332-0x000000000041A1F8-mapping.dmp

Download
memory/1488-214-0x0000000000000000-mapping.dmp

Download
memory/1488-440-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1488-444-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1488-439-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1488-437-0x000000000041A1F8-mapping.dmp

Download
memory/1488-105-0x0000000000000000-mapping.dmp

Download
memory/1488-443-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1488-441-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1496-186-0x0000000000000000-mapping.dmp

Download
memory/1504-149-0x000000000041A1F8-mapping.dmp

Download
memory/1508-564-0x0000000000000000-mapping.dmp

Download
memory/1520-467-0x0000000000000000-mapping.dmp

Download
memory/1520-145-0x0000000000000000-mapping.dmp

Download
memory/1524-551-0x0000000000000000-mapping.dmp

Download
memory/1536-508-0x0000000000000000-mapping.dmp

Download
memory/1536-43-0x0000000000000000-mapping.dmp

Download
memory/1540-75-0x0000000000000000-mapping.dmp

Download
memory/1544-268-0x000000000041A1F8-mapping.dmp

Download
memory/1544-119-0x0000000000000000-mapping.dmp

Download
memory/1560-78-0x000000000041A1F8-mapping.dmp

Download
memory/1560-140-0x0000000000000000-mapping.dmp

Download
memory/1564-264-0x0000000000000000-mapping.dmp

Download
memory/1572-412-0x000000000041A1F8-mapping.dmp

Download
memory/1572-288-0x0000000000000000-mapping.dmp

Download
memory/1576-380-0x0000000000000000-mapping.dmp

Download
memory/1576-155-0x0000000000000000-mapping.dmp

Download
memory/1580-42-0x0000000000000000-mapping.dmp

Download
memory/1584-170-0x0000000000000000-mapping.dmp

Download
memory/1584-320-0x0000000000000000-mapping.dmp

Download
memory/1588-217-0x000000000041A1F8-mapping.dmp

Download
memory/1588-184-0x000000000041A1F8-mapping.dmp

Download
memory/1592-316-0x0000000000000000-mapping.dmp

Download
memory/1592-21-0x0000000000000000-mapping.dmp

Download
memory/1592-128-0x000000000041A1F8-mapping.dmp

Download
memory/1600-285-0x0000000000000000-mapping.dmp

Download
memory/1604-89-0x000000000041A1F8-mapping.dmp

Download
memory/1604-555-0x000000000041A1F8-mapping.dmp

Download
memory/1608-511-0x000000000041A1F8-mapping.dmp

Download
memory/1608-384-0x000000000041A1F8-mapping.dmp

Download
memory/1612-312-0x0000000000000000-mapping.dmp

Download
memory/1628-53-0x0000000000000000-mapping.dmp

Download
memory/1632-432-0x0000000000000000-mapping.dmp

Download
memory/1632-317-0x0000000000000000-mapping.dmp

Download
memory/1632-27-0x0000000000000000-mapping.dmp

Download
memory/1644-435-0x0000000000000000-mapping.dmp

Download
memory/1652-115-0x0000000000000000-mapping.dmp

Download
memory/1652-225-0x0000000000000000-mapping.dmp

Download
memory/1656-238-0x0000000000000000-mapping.dmp

Download
memory/1656-65-0x0000000000000000-mapping.dmp

Download
memory/1660-391-0x0000000000000000-mapping.dmp

Download
memory/1664-484-0x000000000041A1F8-mapping.dmp

Download
memory/1664-23-0x000000000041A1F8-mapping.dmp

Download
memory/1672-382-0x0000000000000000-mapping.dmp

Download
memory/1688-287-0x0000000000000000-mapping.dmp

Download
memory/1688-527-0x0000000000000000-mapping.dmp

Download
memory/1688-470-0x000000000041A1F8-mapping.dmp

Download
memory/1692-541-0x0000000000000000-mapping.dmp

Download
memory/1708-448-0x000000000041A1F8-mapping.dmp

Download
memory/1752-371-0x000000000041A1F8-mapping.dmp

Download
memory/1752-162-0x000000000041A1F8-mapping.dmp

Download
memory/1768-8-0x0000000000000000-mapping.dmp

Download
memory/1772-459-0x000000000041A1F8-mapping.dmp

Download
memory/1776-446-0x0000000000000000-mapping.dmp

Download
memory/1780-477-0x0000000000000000-mapping.dmp

Download
memory/1780-583-0x0000000000000000-mapping.dmp

Download
memory/1804-111-0x000000000041A1F8-mapping.dmp

Download
memory/1824-451-0x0000000000000000-mapping.dmp

Download
memory/1832-358-0x0000000000000000-mapping.dmp

Download
memory/1836-169-0x0000000000000000-mapping.dmp

Download
memory/1844-428-0x0000000000000000-mapping.dmp

Download
memory/1852-67-0x000000000041A1F8-mapping.dmp

Download
memory/1856-265-0x0000000000000000-mapping.dmp

Download
memory/1864-330-0x0000000000000000-mapping.dmp

Download
memory/1868-45-0x000000000041A1F8-mapping.dmp

Download
memory/1896-81-0x0000000000000000-mapping.dmp

Download
memory/1900-224-0x0000000000000000-mapping.dmp

Download
memory/1908-381-0x0000000000000000-mapping.dmp

Download
memory/1916-242-0x0000000000000000-mapping.dmp

Download
memory/1920-259-0x0000000000000000-mapping.dmp

Download
memory/1920-530-0x0000000000000000-mapping.dmp

Download
memory/1932-215-0x0000000000000000-mapping.dmp

Download
memory/1932-538-0x0000000000000000-mapping.dmp

Download
memory/1936-506-0x0000000000000000-mapping.dmp

Download
memory/1940-350-0x0000000000000000-mapping.dmp

Download
memory/1940-98-0x0000000000000000-mapping.dmp

Download
memory/1948-12-0x000000000041A1F8-mapping.dmp

Download
memory/1948-54-0x0000000000000000-mapping.dmp

Download
memory/1952-341-0x0000000000000000-mapping.dmp

Download
memory/1952-182-0x0000000000000000-mapping.dmp

Download
memory/1956-584-0x0000000000000000-mapping.dmp

Download
memory/1964-171-0x0000000000000000-mapping.dmp

Download
memory/1972-16-0x0000000000000000-mapping.dmp

Download
memory/1980-97-0x0000000000000000-mapping.dmp

Download
memory/2000-20-0x0000000000000000-mapping.dmp

Download
memory/2012-157-0x0000000000000000-mapping.dmp

Download
memory/2016-393-0x0000000000000000-mapping.dmp

Download
memory/2020-200-0x0000000000000000-mapping.dmp

Download
memory/2024-456-0x0000000000000000-mapping.dmp

Download
memory/2028-481-0x0000000000000000-mapping.dmp

Download
memory/2028-406-0x0000000000000000-mapping.dmp

Download