azorult | dd668abafa9cbdf937e710f2e2e7f6228ca99c7a226b507d43f887c03dff8509

Analysis

max time kernel
92s
max time network
152s
platform
windows10_x64
resource
win10v200430
submitted
30-06-2020 12:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PI.exe
Size

339KB
MD5

e9b130e7262d0aafa2c0ba84d28539dd
SHA1

5e799f43441bd288094370b03bdfa554eafb6324
SHA256

dd668abafa9cbdf937e710f2e2e7f6228ca99c7a226b507d43f887c03dff8509
SHA512

7e934097fbd3e1500c7810794c1fda4267aa64d70197d0623c6dca5f2e91d67960d5e11ec87cfa853c457b5342eebb4d7fc98d5892efd7ad239a32211f0322b5

Score

10^/10

spyware discovery trojan infostealer azorult

Malware Config

Extracted

Family

azorult

http://45.95.168.162/city/index.php

Signatures

Suspicious use of AdjustPrivilegeToken 145 IoCs

Processes:

PI.exePI.exePI.exePI.exePI.exePI.exePI.exePI.exePI.exePI.exePI.exePI.exePI.exePI.exePI.exePI.exePI.exePI.exePI.exePI.exePI.exePI.exePI.exePI.exePI.exePI.exePI.exePI.exePI.exePI.exePI.exePI.exePI.exePI.exePI.exePI.exePI.exePI.exePI.exePI.exePI.exePI.exePI.exePI.exePI.exePI.exePI.exePI.exePI.exePI.exePI.exePI.exePI.exePI.exePI.exePI.exePI.exePI.exePI.exePI.exePI.exePI.exePI.exePI.exe

description	pid	process
Token: SeDebugPrivilege	1612	PI.exe
Token: SeDebugPrivilege	296	PI.exe
Token: SeDebugPrivilege	3832	PI.exe
Token: SeDebugPrivilege	3356	PI.exe
Token: SeDebugPrivilege	3748	PI.exe
Token: SeDebugPrivilege	1320	PI.exe
Token: SeDebugPrivilege	3384	PI.exe
Token: SeDebugPrivilege	3252	PI.exe
Token: SeDebugPrivilege	3852	PI.exe
Token: SeDebugPrivilege	4064	PI.exe
Token: SeDebugPrivilege	1188	PI.exe
Token: SeDebugPrivilege	3792	PI.exe
Token: SeDebugPrivilege	3824	PI.exe
Token: SeDebugPrivilege	756	PI.exe
Token: SeDebugPrivilege	3652	PI.exe
Token: SeDebugPrivilege	3596	PI.exe
Token: SeDebugPrivilege	4004	PI.exe
Token: SeDebugPrivilege	1168	PI.exe
Token: SeDebugPrivilege	2760	PI.exe
Token: SeDebugPrivilege	3816	PI.exe
Token: SeDebugPrivilege	4164	PI.exe
Token: SeDebugPrivilege	4320	PI.exe
Token: SeDebugPrivilege	4476	PI.exe
Token: SeDebugPrivilege	4748	PI.exe
Token: SeDebugPrivilege	4912	PI.exe
Token: SeDebugPrivilege	4100	PI.exe
Token: SeDebugPrivilege	4032	PI.exe
Token: SeDebugPrivilege	1136	PI.exe
Token: SeDebugPrivilege	1532	PI.exe
Token: SeDebugPrivilege	4956	PI.exe
Token: SeDebugPrivilege	1736	PI.exe
Token: SeDebugPrivilege	4316	PI.exe
Token: SeDebugPrivilege	4260	PI.exe
Token: SeDebugPrivilege	4640	PI.exe
Token: SeDebugPrivilege	4672	PI.exe
Token: SeDebugPrivilege	5076	PI.exe
Token: SeDebugPrivilege	4124	PI.exe
Token: SeDebugPrivilege	4196	PI.exe
Token: SeDebugPrivilege	1336	PI.exe
Token: SeDebugPrivilege	3324	PI.exe
Token: SeDebugPrivilege	5060	PI.exe
Token: SeDebugPrivilege	3588	PI.exe
Token: SeDebugPrivilege	5072	PI.exe
Token: SeDebugPrivilege	4116	PI.exe
Token: SeDebugPrivilege	3248	PI.exe
Token: SeDebugPrivilege	4572	PI.exe
Token: SeDebugPrivilege	936	PI.exe
Token: SeDebugPrivilege	3384	PI.exe
Token: SeDebugPrivilege	3928	PI.exe
Token: SeDebugPrivilege	1136	PI.exe
Token: SeDebugPrivilege	2876	PI.exe
Token: SeDebugPrivilege	4776	PI.exe
Token: SeDebugPrivilege	4024	PI.exe
Token: SeDebugPrivilege	3760	PI.exe
Token: SeDebugPrivilege	4500	PI.exe
Token: SeDebugPrivilege	4464	PI.exe
Token: SeDebugPrivilege	4884	PI.exe
Token: SeDebugPrivilege	5068	PI.exe
Token: SeDebugPrivilege	4028	PI.exe
Token: SeDebugPrivilege	4880	PI.exe
Token: SeDebugPrivilege	4320	PI.exe
Token: SeDebugPrivilege	4232	PI.exe
Token: SeDebugPrivilege	4528	PI.exe
Token: SeDebugPrivilege	4908	PI.exe

Suspicious behavior: EnumeratesProcesses 47638 IoCs

Processes:

PI.exe

pid	process
1612	PI.exe
1612	PI.exe
1612	PI.exe
1612	PI.exe
1612	PI.exe
1612	PI.exe
1612	PI.exe
1612	PI.exe
1612	PI.exe
1612	PI.exe
1612	PI.exe
1612	PI.exe
1612	PI.exe
1612	PI.exe
1612	PI.exe
1612	PI.exe
1612	PI.exe
1612	PI.exe
1612	PI.exe
1612	PI.exe
1612	PI.exe
1612	PI.exe
1612	PI.exe
1612	PI.exe
1612	PI.exe
1612	PI.exe
1612	PI.exe
1612	PI.exe
1612	PI.exe
1612	PI.exe
1612	PI.exe
1612	PI.exe
1612	PI.exe
1612	PI.exe
1612	PI.exe
1612	PI.exe
1612	PI.exe
1612	PI.exe
1612	PI.exe
1612	PI.exe
1612	PI.exe
1612	PI.exe
1612	PI.exe
1612	PI.exe
1612	PI.exe
1612	PI.exe
1612	PI.exe
1612	PI.exe
1612	PI.exe
1612	PI.exe
1612	PI.exe
1612	PI.exe
1612	PI.exe
1612	PI.exe
1612	PI.exe
1612	PI.exe
1612	PI.exe
1612	PI.exe
1612	PI.exe
1612	PI.exe
1612	PI.exe
1612	PI.exe
1612	PI.exe
1612	PI.exe

Loads dropped DLL 137 IoCs

Processes:

RegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exe

pid	process
1844	RegAsm.exe
1844	RegAsm.exe
1844	RegAsm.exe
1844	RegAsm.exe
3256	RegAsm.exe
3256	RegAsm.exe
3256	RegAsm.exe
3256	RegAsm.exe
1788	RegAsm.exe
1788	RegAsm.exe
1788	RegAsm.exe
1788	RegAsm.exe
3228	RegAsm.exe
3228	RegAsm.exe
3228	RegAsm.exe
3228	RegAsm.exe
3228	RegAsm.exe
4528	RegAsm.exe
4528	RegAsm.exe
4528	RegAsm.exe
4528	RegAsm.exe
4528	RegAsm.exe
4596	RegAsm.exe
4596	RegAsm.exe
4596	RegAsm.exe
4596	RegAsm.exe
4596	RegAsm.exe
3816	RegAsm.exe
3816	RegAsm.exe
3816	RegAsm.exe
3816	RegAsm.exe
5044	RegAsm.exe
5044	RegAsm.exe
5044	RegAsm.exe
5044	RegAsm.exe
4600	RegAsm.exe
4600	RegAsm.exe
4600	RegAsm.exe
4600	RegAsm.exe
2160	RegAsm.exe
2160	RegAsm.exe
2160	RegAsm.exe
2160	RegAsm.exe
4388	RegAsm.exe
4388	RegAsm.exe
4388	RegAsm.exe
4388	RegAsm.exe
5080	RegAsm.exe
5080	RegAsm.exe
5080	RegAsm.exe
5080	RegAsm.exe
4448	RegAsm.exe
4448	RegAsm.exe
4448	RegAsm.exe
4448	RegAsm.exe
4812	RegAsm.exe
4812	RegAsm.exe
4812	RegAsm.exe
4812	RegAsm.exe
684	RegAsm.exe
684	RegAsm.exe
684	RegAsm.exe
684	RegAsm.exe
684	RegAsm.exe

Checks processor information in registry 2 TTPs 64 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

RegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegAsm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RegAsm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RegAsm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegAsm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RegAsm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RegAsm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RegAsm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegAsm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RegAsm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegAsm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RegAsm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegAsm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RegAsm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegAsm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegAsm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RegAsm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegAsm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegAsm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RegAsm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RegAsm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegAsm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RegAsm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegAsm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegAsm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegAsm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RegAsm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegAsm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RegAsm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RegAsm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegAsm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegAsm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RegAsm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RegAsm.exe

Checks for installed software on the system 1 TTPs 992 IoCs

discovery

Query Registry

T1012

Processes:

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\DisplayName	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\DisplayName	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\WIC\DisplayName	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore\DisplayName	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\DisplayName	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack\DisplayName	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\CurrentVersion\Uninstall	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\WIC\DisplayName	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DXM_Runtime\DisplayName	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2151757\DisplayName	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\WIC\DisplayName	RegAsm.exe
Key enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent\DisplayName	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2151757\DisplayName	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IEData\DisplayName	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx\DisplayName	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB982573\DisplayName	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data\DisplayName	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack\DisplayName	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2544655\DisplayName	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore\DisplayName	RegAsm.exe
Key enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\DisplayName	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack\DisplayName	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager\DisplayName	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2544655\DisplayName	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MPlayer2\DisplayName	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\DisplayName	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook\DisplayName	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MPlayer2\DisplayName	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack\DisplayName	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2467173\DisplayName	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\DisplayName	RegAsm.exe
Key enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall	RegAsm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\CurrentVersion\Uninstall\OneDriveSetup.exe\DisplayName	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2565063\DisplayName	RegAsm.exe
Key enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2549743\DisplayName	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore\DisplayName	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2565063\DisplayName	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager\DisplayName	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2524860\DisplayName	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MPlayer2\DisplayName	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager\DisplayName	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DXM_Runtime\DisplayName	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IEData\DisplayName	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\CurrentVersion\Uninstall	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack\DisplayName	RegAsm.exe
Key enumerated	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\CurrentVersion\Uninstall	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack\DisplayName	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack\DisplayName	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2524860\DisplayName	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\DisplayName	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\WIC\DisplayName	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\DisplayName	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2524860\DisplayName	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX\DisplayName	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2467173\DisplayName	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\DisplayName	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MPlayer2\DisplayName	RegAsm.exe
Key enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall	RegAsm.exe
Key enumerated	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\CurrentVersion\Uninstall	RegAsm.exe

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult

Suspicious behavior: MapViewOfSection 187 IoCs

Processes:

pid	process
1612	PI.exe
296	PI.exe
296	PI.exe
3832	PI.exe
3356	PI.exe
3748	PI.exe
1320	PI.exe
3384	PI.exe
3252	PI.exe
3852	PI.exe
4064	PI.exe
1188	PI.exe
3792	PI.exe
3824	PI.exe
756	PI.exe
3652	PI.exe
3596	PI.exe
4004	PI.exe
1168	PI.exe
2760	PI.exe
3816	PI.exe
3816	PI.exe
4164	PI.exe
4320	PI.exe
4476	PI.exe
4748	PI.exe
4748	PI.exe
4912	PI.exe
4100	PI.exe
4032	PI.exe
4032	PI.exe
1136	PI.exe
1136	PI.exe
1532	PI.exe
4956	PI.exe
4956	PI.exe
1736	PI.exe
4316	PI.exe
4260	PI.exe
4640	PI.exe
4640	PI.exe
4672	PI.exe
5076	PI.exe
4124	PI.exe
4196	PI.exe
1336	PI.exe
3324	PI.exe
3324	PI.exe
5060	PI.exe
5060	PI.exe
3588	PI.exe
5072	PI.exe
4116	PI.exe
3248	PI.exe
4572	PI.exe
936	PI.exe
3384	PI.exe
3384	PI.exe
3928	PI.exe
1136	PI.exe
2876	PI.exe
4776	PI.exe
4776	PI.exe
4024	PI.exe

Suspicious use of SetThreadContext 146 IoCs

Processes:

description	pid	process	target process
PID 1612 set thread context of 1844	1612	PI.exe	RegAsm.exe
PID 296 set thread context of 4060	296	PI.exe	RegAsm.exe
PID 3832 set thread context of 3996	3832	PI.exe	RegAsm.exe
PID 3356 set thread context of 1436	3356	PI.exe	RegAsm.exe
PID 3748 set thread context of 2684	3748	PI.exe	RegAsm.exe
PID 1320 set thread context of 3588	1320	PI.exe	RegAsm.exe
PID 3384 set thread context of 4060	3384	PI.exe	RegAsm.exe
PID 3252 set thread context of 2768	3252	PI.exe	RegAsm.exe
PID 3852 set thread context of 3256	3852	PI.exe	RegAsm.exe
PID 4064 set thread context of 1884	4064	PI.exe	RegAsm.exe
PID 1188 set thread context of 3908	1188	PI.exe	RegAsm.exe
PID 3792 set thread context of 2836	3792	PI.exe	RegAsm.exe
PID 3824 set thread context of 3908	3824	PI.exe	RegAsm.exe
PID 756 set thread context of 60	756	PI.exe	RegAsm.exe
PID 3652 set thread context of 3688	3652	PI.exe	RegAsm.exe
PID 3596 set thread context of 1788	3596	PI.exe	RegAsm.exe
PID 4004 set thread context of 3044	4004	PI.exe	RegAsm.exe
PID 1168 set thread context of 2252	1168	PI.exe	RegAsm.exe
PID 2760 set thread context of 2876	2760	PI.exe	RegAsm.exe
PID 3816 set thread context of 3228	3816	PI.exe	RegAsm.exe
PID 4164 set thread context of 4196	4164	PI.exe	RegAsm.exe
PID 4320 set thread context of 4352	4320	PI.exe	RegAsm.exe
PID 4476 set thread context of 4528	4476	PI.exe	RegAsm.exe
PID 4748 set thread context of 4788	4748	PI.exe	RegAsm.exe
PID 4912 set thread context of 4944	4912	PI.exe	RegAsm.exe
PID 4100 set thread context of 1404	4100	PI.exe	RegAsm.exe
PID 4032 set thread context of 2496	4032	PI.exe	RegAsm.exe
PID 1136 set thread context of 1648	1136	PI.exe	RegAsm.exe
PID 1532 set thread context of 4340	1532	PI.exe	RegAsm.exe
PID 4956 set thread context of 4596	4956	PI.exe	RegAsm.exe
PID 1736 set thread context of 1972	1736	PI.exe	RegAsm.exe
PID 4316 set thread context of 4292	4316	PI.exe	RegAsm.exe
PID 4260 set thread context of 4928	4260	PI.exe	RegAsm.exe
PID 4640 set thread context of 4604	4640	PI.exe	RegAsm.exe
PID 4672 set thread context of 4332	4672	PI.exe	RegAsm.exe
PID 5076 set thread context of 5008	5076	PI.exe	RegAsm.exe
PID 4124 set thread context of 4780	4124	PI.exe	RegAsm.exe
PID 4196 set thread context of 3816	4196	PI.exe	RegAsm.exe
PID 1336 set thread context of 3484	1336	PI.exe	RegAsm.exe
PID 3324 set thread context of 2396	3324	PI.exe	RegAsm.exe
PID 5060 set thread context of 2072	5060	PI.exe	RegAsm.exe
PID 3588 set thread context of 5044	3588	PI.exe	RegAsm.exe
PID 5072 set thread context of 2076	5072	PI.exe	RegAsm.exe
PID 4116 set thread context of 5116	4116	PI.exe	RegAsm.exe
PID 3248 set thread context of 5040	3248	PI.exe	RegAsm.exe
PID 4572 set thread context of 4920	4572	PI.exe	RegAsm.exe
PID 936 set thread context of 4236	936	PI.exe	RegAsm.exe
PID 3384 set thread context of 5024	3384	PI.exe	RegAsm.exe
PID 3928 set thread context of 4600	3928	PI.exe	RegAsm.exe
PID 1136 set thread context of 1248	1136	PI.exe	RegAsm.exe
PID 2876 set thread context of 4544	2876	PI.exe	RegAsm.exe
PID 4776 set thread context of 2672	4776	PI.exe	RegAsm.exe
PID 4024 set thread context of 2160	4024	PI.exe	RegAsm.exe
PID 3760 set thread context of 4876	3760	PI.exe	RegAsm.exe
PID 4500 set thread context of 3740	4500	PI.exe	RegAsm.exe
PID 4464 set thread context of 4280	4464	PI.exe	RegAsm.exe
PID 4884 set thread context of 4928	4884	PI.exe	RegAsm.exe
PID 5068 set thread context of 4520	5068	PI.exe	RegAsm.exe
PID 4028 set thread context of 4568	4028	PI.exe	RegAsm.exe
PID 4880 set thread context of 4388	4880	PI.exe	RegAsm.exe
PID 4320 set thread context of 2036	4320	PI.exe	RegAsm.exe
PID 4232 set thread context of 3384	4232	PI.exe	RegAsm.exe
PID 4528 set thread context of 4244	4528	PI.exe	RegAsm.exe
PID 4908 set thread context of 5080	4908	PI.exe	RegAsm.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

Delays execution with timeout.exe 32 IoCs

evasion

Processes:

timeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exe

pid	process
4292	timeout.exe
3484	timeout.exe
5048	timeout.exe
2504	timeout.exe
3824	timeout.exe
4720	timeout.exe
4160	timeout.exe
3996	timeout.exe
1936	timeout.exe
1112	timeout.exe
3852	timeout.exe
4652	timeout.exe
4548	timeout.exe
4692	timeout.exe
4836	timeout.exe
4792	timeout.exe
2084	timeout.exe
1336	timeout.exe
4048	timeout.exe
4756	timeout.exe
1012	timeout.exe
4144	timeout.exe
3256	timeout.exe
5092	timeout.exe
4772	timeout.exe
4112	timeout.exe
4224	timeout.exe
4804	timeout.exe
3624	timeout.exe
3368	timeout.exe
4200	timeout.exe
4344	timeout.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of WriteProcessMemory 2212 IoCs

Processes:

PI.execmd.exePI.execmd.exePI.execmd.exePI.execmd.exePI.execmd.exe

description	pid	process	target process
PID 1612 wrote to memory of 1844	1612	PI.exe	RegAsm.exe
PID 1612 wrote to memory of 1844	1612	PI.exe	RegAsm.exe
PID 1612 wrote to memory of 1844	1612	PI.exe	RegAsm.exe
PID 1612 wrote to memory of 1844	1612	PI.exe	RegAsm.exe
PID 1612 wrote to memory of 2084	1612	PI.exe	cmd.exe
PID 1612 wrote to memory of 2084	1612	PI.exe	cmd.exe
PID 1612 wrote to memory of 2084	1612	PI.exe	cmd.exe
PID 2084 wrote to memory of 2668	2084	cmd.exe	choice.exe
PID 2084 wrote to memory of 2668	2084	cmd.exe	choice.exe
PID 2084 wrote to memory of 2668	2084	cmd.exe	choice.exe
PID 1612 wrote to memory of 296	1612	PI.exe	PI.exe
PID 1612 wrote to memory of 296	1612	PI.exe	PI.exe
PID 1612 wrote to memory of 296	1612	PI.exe	PI.exe
PID 296 wrote to memory of 1456	296	PI.exe	RegAsm.exe
PID 296 wrote to memory of 1456	296	PI.exe	RegAsm.exe
PID 296 wrote to memory of 1456	296	PI.exe	RegAsm.exe
PID 296 wrote to memory of 4060	296	PI.exe	RegAsm.exe
PID 296 wrote to memory of 4060	296	PI.exe	RegAsm.exe
PID 296 wrote to memory of 4060	296	PI.exe	RegAsm.exe
PID 296 wrote to memory of 4060	296	PI.exe	RegAsm.exe
PID 296 wrote to memory of 4048	296	PI.exe	cmd.exe
PID 296 wrote to memory of 4048	296	PI.exe	cmd.exe
PID 296 wrote to memory of 4048	296	PI.exe	cmd.exe
PID 296 wrote to memory of 3832	296	PI.exe	PI.exe
PID 296 wrote to memory of 3832	296	PI.exe	PI.exe
PID 296 wrote to memory of 3832	296	PI.exe	PI.exe
PID 4048 wrote to memory of 3868	4048	cmd.exe	choice.exe
PID 4048 wrote to memory of 3868	4048	cmd.exe	choice.exe
PID 4048 wrote to memory of 3868	4048	cmd.exe	choice.exe
PID 3832 wrote to memory of 3996	3832	PI.exe	RegAsm.exe
PID 3832 wrote to memory of 3996	3832	PI.exe	RegAsm.exe
PID 3832 wrote to memory of 3996	3832	PI.exe	RegAsm.exe
PID 3832 wrote to memory of 3996	3832	PI.exe	RegAsm.exe
PID 3832 wrote to memory of 3372	3832	PI.exe	cmd.exe
PID 3832 wrote to memory of 3372	3832	PI.exe	cmd.exe
PID 3832 wrote to memory of 3372	3832	PI.exe	cmd.exe
PID 3372 wrote to memory of 744	3372	cmd.exe	choice.exe
PID 3372 wrote to memory of 744	3372	cmd.exe	choice.exe
PID 3372 wrote to memory of 744	3372	cmd.exe	choice.exe
PID 3832 wrote to memory of 3356	3832	PI.exe	PI.exe
PID 3832 wrote to memory of 3356	3832	PI.exe	PI.exe
PID 3832 wrote to memory of 3356	3832	PI.exe	PI.exe
PID 3356 wrote to memory of 1436	3356	PI.exe	RegAsm.exe
PID 3356 wrote to memory of 1436	3356	PI.exe	RegAsm.exe
PID 3356 wrote to memory of 1436	3356	PI.exe	RegAsm.exe
PID 3356 wrote to memory of 1436	3356	PI.exe	RegAsm.exe
PID 3356 wrote to memory of 2220	3356	PI.exe	cmd.exe
PID 3356 wrote to memory of 2220	3356	PI.exe	cmd.exe
PID 3356 wrote to memory of 2220	3356	PI.exe	cmd.exe
PID 2220 wrote to memory of 1168	2220	cmd.exe	choice.exe
PID 2220 wrote to memory of 1168	2220	cmd.exe	choice.exe
PID 2220 wrote to memory of 1168	2220	cmd.exe	choice.exe
PID 3356 wrote to memory of 3748	3356	PI.exe	PI.exe
PID 3356 wrote to memory of 3748	3356	PI.exe	PI.exe
PID 3356 wrote to memory of 3748	3356	PI.exe	PI.exe
PID 3748 wrote to memory of 2684	3748	PI.exe	RegAsm.exe
PID 3748 wrote to memory of 2684	3748	PI.exe	RegAsm.exe
PID 3748 wrote to memory of 2684	3748	PI.exe	RegAsm.exe
PID 3748 wrote to memory of 2684	3748	PI.exe	RegAsm.exe
PID 3748 wrote to memory of 2808	3748	PI.exe	cmd.exe
PID 3748 wrote to memory of 2808	3748	PI.exe	cmd.exe
PID 3748 wrote to memory of 2808	3748	PI.exe	cmd.exe
PID 2808 wrote to memory of 3624	2808	cmd.exe	choice.exe
PID 2808 wrote to memory of 3624	2808	cmd.exe	choice.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware

Data from Local System
T1005

Credentials in Files
T1081

C:\Users\Admin\AppData\Local\Temp\PI.exe
"C:\Users\Admin\AppData\Local\Temp\PI.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1612

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
- Loads dropped DLL
- Checks processor information in registry
- Checks for installed software on the system
PID:1844

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "RegAsm.exe"
3⤵
PID:2168

C:\Windows\SysWOW64\timeout.exe
C:\Windows\system32\timeout.exe 3
4⤵
- Delays execution with timeout.exe
PID:3996

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2084

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
3⤵
PID:2668

C:\Users\Admin\AppData\Local\Temp\PI.exe
"C:\Users\Admin\AppData\Local\Temp\PI.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:296

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:1456

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:4060

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:4048

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:3868

C:\Users\Admin\AppData\Local\Temp\PI.exe
"C:\Users\Admin\AppData\Local\Temp\PI.exe"
3⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3832

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
PID:3996

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:3372

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
5⤵
PID:744

C:\Users\Admin\AppData\Local\Temp\PI.exe
"C:\Users\Admin\AppData\Local\Temp\PI.exe"
4⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3356

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
5⤵
PID:1436

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI.exe"
5⤵
- Suspicious use of WriteProcessMemory
PID:2220

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
6⤵
PID:1168

C:\Users\Admin\AppData\Local\Temp\PI.exe
"C:\Users\Admin\AppData\Local\Temp\PI.exe"
5⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3748

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
6⤵
PID:2684

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI.exe"
6⤵
- Suspicious use of WriteProcessMemory
PID:2808

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
7⤵
PID:3624

C:\Users\Admin\AppData\Local\Temp\PI.exe
"C:\Users\Admin\AppData\Local\Temp\PI.exe"
6⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
PID:1320

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
7⤵
PID:3588

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI.exe"
7⤵
PID:3952

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
8⤵
PID:3744

C:\Users\Admin\AppData\Local\Temp\PI.exe
"C:\Users\Admin\AppData\Local\Temp\PI.exe"
7⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
PID:3384

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
8⤵
PID:4060

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI.exe"
8⤵
PID:2880

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
9⤵
PID:1448

C:\Users\Admin\AppData\Local\Temp\PI.exe
"C:\Users\Admin\AppData\Local\Temp\PI.exe"
8⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
PID:3252

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
9⤵
PID:2768

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI.exe"
9⤵
PID:3604

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
10⤵
PID:3584

C:\Users\Admin\AppData\Local\Temp\PI.exe
"C:\Users\Admin\AppData\Local\Temp\PI.exe"
9⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
PID:3852

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
10⤵
- Loads dropped DLL
- Checks processor information in registry
- Checks for installed software on the system
PID:3256

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "RegAsm.exe"
11⤵
PID:1660

C:\Windows\SysWOW64\timeout.exe
C:\Windows\system32\timeout.exe 3
12⤵
- Delays execution with timeout.exe
PID:1936

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI.exe"
10⤵
PID:3972

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
11⤵
PID:1648

C:\Users\Admin\AppData\Local\Temp\PI.exe
"C:\Users\Admin\AppData\Local\Temp\PI.exe"
10⤵
PID:3700

C:\Windows\SysWOW64\fondue.exe
"C:\Windows\system32\fondue.exe" /enable-feature: /caller-name:mscoreei.dll
11⤵
PID:1408

C:\Windows\System32\FonDUE.EXE
"C:\Windows\sysnative\FonDUE.EXE" /enable-feature: /caller-name:mscoreei.dll
12⤵
PID:3372

C:\Users\Admin\AppData\Local\Temp\PI.exe
"C:\Users\Admin\AppData\Local\Temp\PI.exe"
10⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
PID:4064

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
11⤵
PID:1884

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI.exe"
11⤵
PID:4028

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
12⤵
PID:2224

C:\Users\Admin\AppData\Local\Temp\PI.exe
"C:\Users\Admin\AppData\Local\Temp\PI.exe"
11⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
PID:1188

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
12⤵
PID:3908

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI.exe"
12⤵
PID:2084

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
13⤵
PID:2672

C:\Users\Admin\AppData\Local\Temp\PI.exe
"C:\Users\Admin\AppData\Local\Temp\PI.exe"
12⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
PID:3792

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
13⤵
PID:2836

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI.exe"
13⤵
PID:3248

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
14⤵
PID:3816

C:\Users\Admin\AppData\Local\Temp\PI.exe
"C:\Users\Admin\AppData\Local\Temp\PI.exe"
13⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
PID:3824

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
14⤵
PID:3908

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI.exe"
14⤵
PID:2300

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
15⤵
PID:3924

C:\Users\Admin\AppData\Local\Temp\PI.exe
"C:\Users\Admin\AppData\Local\Temp\PI.exe"
14⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
PID:756

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
15⤵
PID:60

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI.exe"
15⤵
PID:2052

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
16⤵
PID:2836

C:\Users\Admin\AppData\Local\Temp\PI.exe
"C:\Users\Admin\AppData\Local\Temp\PI.exe"
15⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
PID:3652

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
16⤵
PID:3688

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI.exe"
16⤵
PID:4032

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
17⤵
PID:2964

C:\Users\Admin\AppData\Local\Temp\PI.exe
"C:\Users\Admin\AppData\Local\Temp\PI.exe"
16⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
PID:3596

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
17⤵
- Loads dropped DLL
- Checks processor information in registry
- Checks for installed software on the system
PID:1788

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "RegAsm.exe"
18⤵
PID:2252

C:\Windows\SysWOW64\timeout.exe
C:\Windows\system32\timeout.exe 3
19⤵
- Delays execution with timeout.exe
PID:1112

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI.exe"
17⤵
PID:1628

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
18⤵
PID:3852

C:\Users\Admin\AppData\Local\Temp\PI.exe
"C:\Users\Admin\AppData\Local\Temp\PI.exe"
17⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
PID:4004

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
18⤵
PID:3044

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI.exe"
18⤵
PID:4056

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
19⤵
PID:1652

C:\Users\Admin\AppData\Local\Temp\PI.exe
"C:\Users\Admin\AppData\Local\Temp\PI.exe"
18⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
PID:1168

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
19⤵
PID:2252

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI.exe"
19⤵
PID:936

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
20⤵
PID:2280

C:\Users\Admin\AppData\Local\Temp\PI.exe
"C:\Users\Admin\AppData\Local\Temp\PI.exe"
19⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
PID:2760

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
20⤵
PID:2876

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI.exe"
20⤵
PID:3760

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
21⤵
PID:3596

C:\Users\Admin\AppData\Local\Temp\PI.exe
"C:\Users\Admin\AppData\Local\Temp\PI.exe"
20⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
PID:3816

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
21⤵
PID:2168

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
21⤵
- Loads dropped DLL
- Checks processor information in registry
- Checks for installed software on the system
PID:3228

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "RegAsm.exe"
22⤵
PID:4508

C:\Windows\SysWOW64\timeout.exe
C:\Windows\system32\timeout.exe 3
23⤵
- Delays execution with timeout.exe
PID:4652

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI.exe"
21⤵
PID:3932

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
22⤵
PID:4136

C:\Users\Admin\AppData\Local\Temp\PI.exe
"C:\Users\Admin\AppData\Local\Temp\PI.exe"
21⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
PID:4164

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
22⤵
PID:4196

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI.exe"
22⤵
PID:4248

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
23⤵
PID:4292

C:\Users\Admin\AppData\Local\Temp\PI.exe
"C:\Users\Admin\AppData\Local\Temp\PI.exe"
22⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
PID:4320

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
23⤵
PID:4352

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI.exe"
23⤵
PID:4428

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
24⤵
PID:4632

C:\Users\Admin\AppData\Local\Temp\PI.exe
"C:\Users\Admin\AppData\Local\Temp\PI.exe"
23⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
PID:4476

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
24⤵
- Loads dropped DLL
- Checks processor information in registry
- Checks for installed software on the system
PID:4528

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "RegAsm.exe"
25⤵
PID:2072

C:\Windows\SysWOW64\timeout.exe
C:\Windows\system32\timeout.exe 3
26⤵
- Delays execution with timeout.exe
PID:4792

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI.exe"
24⤵
PID:4668

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
25⤵
PID:4720

C:\Users\Admin\AppData\Local\Temp\PI.exe
"C:\Users\Admin\AppData\Local\Temp\PI.exe"
24⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
PID:4748

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
25⤵
PID:4780

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
25⤵
PID:4788

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI.exe"
25⤵
PID:4840

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
26⤵
PID:4884

C:\Users\Admin\AppData\Local\Temp\PI.exe
"C:\Users\Admin\AppData\Local\Temp\PI.exe"
25⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
PID:4912

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
26⤵
PID:4944

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI.exe"
26⤵
PID:5008

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
27⤵
PID:5084

C:\Users\Admin\AppData\Local\Temp\PI.exe
"C:\Users\Admin\AppData\Local\Temp\PI.exe"
26⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
PID:4100

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
27⤵
PID:1404

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI.exe"
27⤵
PID:4144

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
28⤵
PID:3880

C:\Users\Admin\AppData\Local\Temp\PI.exe
"C:\Users\Admin\AppData\Local\Temp\PI.exe"
27⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
PID:4032

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
28⤵
PID:4060

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
28⤵
PID:2496

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI.exe"
28⤵
PID:3864

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
29⤵
PID:3872

C:\Users\Admin\AppData\Local\Temp\PI.exe
"C:\Users\Admin\AppData\Local\Temp\PI.exe"
28⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
PID:1136

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
29⤵
PID:4412

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
29⤵
PID:1648

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI.exe"
29⤵
PID:3588

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
30⤵
PID:4404

C:\Users\Admin\AppData\Local\Temp\PI.exe
"C:\Users\Admin\AppData\Local\Temp\PI.exe"
29⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
PID:1532

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
30⤵
PID:4340

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI.exe"
30⤵
PID:2840

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
31⤵
PID:2968

C:\Users\Admin\AppData\Local\Temp\PI.exe
"C:\Users\Admin\AppData\Local\Temp\PI.exe"
30⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
PID:4956

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
31⤵
PID:4516

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
31⤵
- Loads dropped DLL
- Checks processor information in registry
- Checks for installed software on the system
PID:4596

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "RegAsm.exe"
32⤵
PID:4288

C:\Windows\SysWOW64\timeout.exe
C:\Windows\system32\timeout.exe 3
33⤵
- Delays execution with timeout.exe
PID:4292

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI.exe"
31⤵
PID:3952

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
32⤵
PID:3604

C:\Users\Admin\AppData\Local\Temp\PI.exe
"C:\Users\Admin\AppData\Local\Temp\PI.exe"
31⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
PID:1736

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
32⤵
PID:1972

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI.exe"
32⤵
PID:4772

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
33⤵
PID:1924

C:\Users\Admin\AppData\Local\Temp\PI.exe
"C:\Users\Admin\AppData\Local\Temp\PI.exe"
32⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
PID:4316

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
33⤵
PID:4292

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI.exe"
33⤵
PID:1152

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
34⤵
PID:1228

C:\Users\Admin\AppData\Local\Temp\PI.exe
"C:\Users\Admin\AppData\Local\Temp\PI.exe"
33⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
PID:4260

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
34⤵
PID:4928

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI.exe"
34⤵
PID:996

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
35⤵
PID:4448

C:\Users\Admin\AppData\Local\Temp\PI.exe
"C:\Users\Admin\AppData\Local\Temp\PI.exe"
34⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
PID:4640

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
35⤵
PID:4556

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
35⤵
PID:4604

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI.exe"
35⤵
PID:4100

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
36⤵
PID:4840

C:\Users\Admin\AppData\Local\Temp\PI.exe
"C:\Users\Admin\AppData\Local\Temp\PI.exe"
35⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
PID:4672

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
36⤵
PID:4332

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI.exe"
36⤵
PID:1416

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
37⤵
PID:4944

C:\Users\Admin\AppData\Local\Temp\PI.exe
"C:\Users\Admin\AppData\Local\Temp\PI.exe"
36⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
PID:5076

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
37⤵
PID:5008

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI.exe"
37⤵
PID:4820

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
38⤵
PID:1168

C:\Users\Admin\AppData\Local\Temp\PI.exe
"C:\Users\Admin\AppData\Local\Temp\PI.exe"
37⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
PID:4124

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
38⤵
PID:4780

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI.exe"
38⤵
PID:1876

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
39⤵
PID:4700

C:\Users\Admin\AppData\Local\Temp\PI.exe
"C:\Users\Admin\AppData\Local\Temp\PI.exe"
38⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
PID:4196

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
39⤵
- Loads dropped DLL
- Checks processor information in registry
- Checks for installed software on the system
PID:3816

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "RegAsm.exe"
40⤵
PID:1200

C:\Windows\SysWOW64\timeout.exe
C:\Windows\system32\timeout.exe 3
41⤵
- Delays execution with timeout.exe
PID:2084

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI.exe"
39⤵
PID:4720

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
40⤵
PID:4580

C:\Users\Admin\AppData\Local\Temp\PI.exe
"C:\Users\Admin\AppData\Local\Temp\PI.exe"
39⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
PID:1336

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
40⤵
PID:3484

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI.exe"
40⤵
PID:4492

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
41⤵
PID:4112

C:\Users\Admin\AppData\Local\Temp\PI.exe
"C:\Users\Admin\AppData\Local\Temp\PI.exe"
40⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
PID:3324

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
41⤵
PID:4800

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
41⤵
PID:2396

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI.exe"
41⤵
PID:3760

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
42⤵
PID:4604

C:\Users\Admin\AppData\Local\Temp\PI.exe
"C:\Users\Admin\AppData\Local\Temp\PI.exe"
41⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
PID:5060

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
42⤵
PID:3544

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
42⤵
PID:2072

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI.exe"
42⤵
PID:2220

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
43⤵
PID:4860

C:\Users\Admin\AppData\Local\Temp\PI.exe
"C:\Users\Admin\AppData\Local\Temp\PI.exe"
42⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
PID:3588

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
43⤵
- Loads dropped DLL
- Checks processor information in registry
- Checks for installed software on the system
PID:5044

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "RegAsm.exe"
44⤵
PID:4576

C:\Windows\SysWOW64\timeout.exe
C:\Windows\system32\timeout.exe 3
45⤵
- Delays execution with timeout.exe
PID:4720

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI.exe"
43⤵
PID:992

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
44⤵
PID:1976

C:\Users\Admin\AppData\Local\Temp\PI.exe
"C:\Users\Admin\AppData\Local\Temp\PI.exe"
43⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
PID:5072

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
44⤵
PID:2076

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI.exe"
44⤵
PID:1632

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
45⤵
PID:4048

C:\Users\Admin\AppData\Local\Temp\PI.exe
"C:\Users\Admin\AppData\Local\Temp\PI.exe"
44⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
PID:4116

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
45⤵
PID:5116

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI.exe"
45⤵
PID:5008

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
46⤵
PID:4276

C:\Users\Admin\AppData\Local\Temp\PI.exe
"C:\Users\Admin\AppData\Local\Temp\PI.exe"
45⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
PID:3248

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
46⤵
PID:5040

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI.exe"
46⤵
PID:3584

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
47⤵
PID:5104

C:\Users\Admin\AppData\Local\Temp\PI.exe
"C:\Users\Admin\AppData\Local\Temp\PI.exe"
46⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
PID:4572

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
47⤵
PID:4920

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI.exe"
47⤵
PID:1736

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
48⤵
PID:744

C:\Users\Admin\AppData\Local\Temp\PI.exe
"C:\Users\Admin\AppData\Local\Temp\PI.exe"
47⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
PID:936

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
48⤵
PID:4236

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI.exe"
48⤵
PID:4044

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
49⤵
PID:3880

C:\Users\Admin\AppData\Local\Temp\PI.exe
"C:\Users\Admin\AppData\Local\Temp\PI.exe"
48⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
PID:3384

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
49⤵
PID:4320

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
49⤵
PID:5024

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI.exe"
49⤵
PID:4932

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
50⤵
PID:4784

C:\Users\Admin\AppData\Local\Temp\PI.exe
"C:\Users\Admin\AppData\Local\Temp\PI.exe"
49⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
PID:3928

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
50⤵
- Loads dropped DLL
- Checks processor information in registry
- Checks for installed software on the system
PID:4600

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "RegAsm.exe"
51⤵
PID:1380

C:\Windows\SysWOW64\timeout.exe
C:\Windows\system32\timeout.exe 3
52⤵
- Delays execution with timeout.exe
PID:1336

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI.exe"
50⤵
PID:64

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
51⤵
PID:5016

C:\Users\Admin\AppData\Local\Temp\PI.exe
"C:\Users\Admin\AppData\Local\Temp\PI.exe"
50⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
PID:1136

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
51⤵
PID:1248

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI.exe"
51⤵
PID:5072

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
52⤵
PID:3792

C:\Users\Admin\AppData\Local\Temp\PI.exe
"C:\Users\Admin\AppData\Local\Temp\PI.exe"
51⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
PID:2876

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
52⤵
PID:4544

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI.exe"
52⤵
PID:4412

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
53⤵
PID:952

C:\Users\Admin\AppData\Local\Temp\PI.exe
"C:\Users\Admin\AppData\Local\Temp\PI.exe"
52⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
PID:4776

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
53⤵
PID:5108

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
53⤵
PID:2672

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI.exe"
53⤵
PID:4956

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
54⤵
PID:1200

C:\Users\Admin\AppData\Local\Temp\PI.exe
"C:\Users\Admin\AppData\Local\Temp\PI.exe"
53⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
PID:4024

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
54⤵
PID:4028

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
54⤵
- Loads dropped DLL
- Checks processor information in registry
- Checks for installed software on the system
PID:2160

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "RegAsm.exe"
55⤵
PID:4160

C:\Windows\SysWOW64\timeout.exe
C:\Windows\system32\timeout.exe 3
56⤵
- Delays execution with timeout.exe
PID:4048

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI.exe"
54⤵
PID:4780

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
55⤵
PID:3228

C:\Users\Admin\AppData\Local\Temp\PI.exe
"C:\Users\Admin\AppData\Local\Temp\PI.exe"
54⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetThreadContext
PID:3760

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
55⤵
PID:4876

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI.exe"
55⤵
PID:3820

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
56⤵
PID:4948

C:\Users\Admin\AppData\Local\Temp\PI.exe
"C:\Users\Admin\AppData\Local\Temp\PI.exe"
55⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetThreadContext
PID:4500

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
56⤵
PID:3740

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI.exe"
56⤵
PID:4936

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
57⤵
PID:4572

C:\Users\Admin\AppData\Local\Temp\PI.exe
"C:\Users\Admin\AppData\Local\Temp\PI.exe"
56⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetThreadContext
PID:4464

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
57⤵
PID:4280

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI.exe"
57⤵
PID:4924

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
58⤵
PID:1972

C:\Users\Admin\AppData\Local\Temp\PI.exe
"C:\Users\Admin\AppData\Local\Temp\PI.exe"
57⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetThreadContext
PID:4884

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
58⤵
PID:4668

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
58⤵
PID:4928

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI.exe"
58⤵
PID:4304

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
59⤵
PID:4124

C:\Users\Admin\AppData\Local\Temp\PI.exe
"C:\Users\Admin\AppData\Local\Temp\PI.exe"
58⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetThreadContext
PID:5068

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
59⤵
PID:4456

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
59⤵
PID:4520

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI.exe"
59⤵
PID:4240

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
60⤵
PID:1876

C:\Users\Admin\AppData\Local\Temp\PI.exe
"C:\Users\Admin\AppData\Local\Temp\PI.exe"
59⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetThreadContext
PID:4028

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
60⤵
PID:4568

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI.exe"
60⤵
PID:1100

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
61⤵
PID:1844

C:\Users\Admin\AppData\Local\Temp\PI.exe
"C:\Users\Admin\AppData\Local\Temp\PI.exe"
60⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetThreadContext
PID:4880

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
61⤵
PID:2708

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
61⤵
- Loads dropped DLL
- Checks processor information in registry
- Checks for installed software on the system
PID:4388

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "RegAsm.exe"
62⤵
PID:4220

C:\Windows\SysWOW64\timeout.exe
C:\Windows\system32\timeout.exe 3
63⤵
- Delays execution with timeout.exe
PID:3484

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI.exe"
61⤵
PID:4056

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
62⤵
PID:4276

C:\Users\Admin\AppData\Local\Temp\PI.exe
"C:\Users\Admin\AppData\Local\Temp\PI.exe"
61⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetThreadContext
PID:4320

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
62⤵
PID:2036

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI.exe"
62⤵
PID:4808

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
63⤵
PID:3044

C:\Users\Admin\AppData\Local\Temp\PI.exe
"C:\Users\Admin\AppData\Local\Temp\PI.exe"
62⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetThreadContext
PID:4232

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
63⤵
PID:1448

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
63⤵
PID:3384

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI.exe"
63⤵
PID:3952

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
64⤵
PID:4328

C:\Users\Admin\AppData\Local\Temp\PI.exe
"C:\Users\Admin\AppData\Local\Temp\PI.exe"
63⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetThreadContext
PID:4528

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
64⤵
PID:4244

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI.exe"
64⤵
PID:4836

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
65⤵
PID:3876

C:\Users\Admin\AppData\Local\Temp\PI.exe
"C:\Users\Admin\AppData\Local\Temp\PI.exe"
64⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetThreadContext
PID:4908

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
65⤵
- Loads dropped DLL
- Checks processor information in registry
- Checks for installed software on the system
PID:5080

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "RegAsm.exe"
66⤵
PID:4052

C:\Windows\SysWOW64\timeout.exe
C:\Windows\system32\timeout.exe 3
67⤵
- Delays execution with timeout.exe
PID:4548

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI.exe"
65⤵
PID:4356

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
66⤵
PID:3584

C:\Users\Admin\AppData\Local\Temp\PI.exe
"C:\Users\Admin\AppData\Local\Temp\PI.exe"
65⤵
PID:4508

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
66⤵
PID:4464

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI.exe"
66⤵
PID:4780

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
67⤵
PID:5060

C:\Users\Admin\AppData\Local\Temp\PI.exe
"C:\Users\Admin\AppData\Local\Temp\PI.exe"
66⤵
PID:4688

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
67⤵
PID:5000

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
67⤵
PID:5100

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI.exe"
67⤵
PID:4996

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
68⤵
PID:4308

C:\Users\Admin\AppData\Local\Temp\PI.exe
"C:\Users\Admin\AppData\Local\Temp\PI.exe"
67⤵
PID:4376

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
68⤵
PID:4696

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI.exe"
68⤵
PID:548

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
69⤵
PID:4292

C:\Users\Admin\AppData\Local\Temp\PI.exe
"C:\Users\Admin\AppData\Local\Temp\PI.exe"
68⤵
PID:4368

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
69⤵
- Loads dropped DLL
- Checks processor information in registry
- Checks for installed software on the system
PID:4448

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "RegAsm.exe"
70⤵
PID:4488

C:\Windows\SysWOW64\timeout.exe
C:\Windows\system32\timeout.exe 3
71⤵
- Delays execution with timeout.exe
PID:5092

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI.exe"
69⤵
PID:4180

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
70⤵
PID:4644

C:\Users\Admin\AppData\Local\Temp\PI.exe
"C:\Users\Admin\AppData\Local\Temp\PI.exe"
69⤵
PID:3384

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
70⤵
PID:4704

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
70⤵
PID:4584

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI.exe"
70⤵
PID:4392

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
71⤵
PID:4472

C:\Users\Admin\AppData\Local\Temp\PI.exe
"C:\Users\Admin\AppData\Local\Temp\PI.exe"
70⤵
PID:1752

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
71⤵
PID:3544

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI.exe"
71⤵
PID:4232

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
72⤵
PID:1844

C:\Users\Admin\AppData\Local\Temp\PI.exe
"C:\Users\Admin\AppData\Local\Temp\PI.exe"
71⤵
PID:4104

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
72⤵
- Loads dropped DLL
- Checks processor information in registry
PID:4812

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "RegAsm.exe"
73⤵
PID:4176

C:\Windows\SysWOW64\timeout.exe
C:\Windows\system32\timeout.exe 3
74⤵
- Delays execution with timeout.exe
PID:3852

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI.exe"
72⤵
PID:4484

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
73⤵
PID:4824

C:\Users\Admin\AppData\Local\Temp\PI.exe
"C:\Users\Admin\AppData\Local\Temp\PI.exe"
72⤵
PID:5012

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
73⤵
PID:1976

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI.exe"
73⤵
PID:4908

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
74⤵
PID:3736

C:\Users\Admin\AppData\Local\Temp\PI.exe
"C:\Users\Admin\AppData\Local\Temp\PI.exe"
73⤵
PID:2876

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
74⤵
PID:3612

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI.exe"
74⤵
PID:3044

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
75⤵
PID:4732

C:\Users\Admin\AppData\Local\Temp\PI.exe
"C:\Users\Admin\AppData\Local\Temp\PI.exe"
74⤵
PID:4956

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
75⤵
PID:2072

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
75⤵
PID:4616

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI.exe"
75⤵
PID:2676

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
76⤵
PID:4916

C:\Users\Admin\AppData\Local\Temp\PI.exe
"C:\Users\Admin\AppData\Local\Temp\PI.exe"
75⤵
PID:4112

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
76⤵
PID:5108

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI.exe"
76⤵
PID:4424

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
77⤵
PID:1208

C:\Users\Admin\AppData\Local\Temp\PI.exe
"C:\Users\Admin\AppData\Local\Temp\PI.exe"
76⤵
PID:2496

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
77⤵
PID:4384

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
77⤵
PID:1444

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
77⤵
PID:4828

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI.exe"
77⤵
PID:2784

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
78⤵
PID:4288

C:\Users\Admin\AppData\Local\Temp\PI.exe
"C:\Users\Admin\AppData\Local\Temp\PI.exe"
77⤵
PID:5024

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
78⤵
PID:3816

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI.exe"
78⤵
PID:4248

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
79⤵
PID:1348

C:\Users\Admin\AppData\Local\Temp\PI.exe
"C:\Users\Admin\AppData\Local\Temp\PI.exe"
78⤵
PID:744

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
79⤵
PID:296

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI.exe"
79⤵
PID:4220

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
80⤵
PID:3612

C:\Users\Admin\AppData\Local\Temp\PI.exe
"C:\Users\Admin\AppData\Local\Temp\PI.exe"
79⤵
PID:3800

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
80⤵
- Loads dropped DLL
- Checks processor information in registry
- Checks for installed software on the system
PID:684

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "RegAsm.exe"
81⤵
PID:2216

C:\Windows\SysWOW64\timeout.exe
C:\Windows\system32\timeout.exe 3
82⤵
- Delays execution with timeout.exe
PID:4756

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI.exe"
80⤵
PID:1136

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
81⤵
PID:4876

C:\Users\Admin\AppData\Local\Temp\PI.exe
"C:\Users\Admin\AppData\Local\Temp\PI.exe"
80⤵
PID:4152

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
81⤵
PID:4672

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI.exe"
81⤵
PID:3256

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
82⤵
PID:4156

C:\Users\Admin\AppData\Local\Temp\PI.exe
"C:\Users\Admin\AppData\Local\Temp\PI.exe"
81⤵
PID:4392

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
82⤵
PID:1844

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI.exe"
82⤵
PID:3744

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
83⤵
PID:4480

C:\Users\Admin\AppData\Local\Temp\PI.exe
"C:\Users\Admin\AppData\Local\Temp\PI.exe"
82⤵
PID:4816

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
83⤵
PID:4196

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
83⤵
- Checks processor information in registry
- Checks for installed software on the system
PID:736

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "RegAsm.exe"
84⤵
PID:4228

C:\Windows\SysWOW64\timeout.exe
C:\Windows\system32\timeout.exe 3
85⤵
- Delays execution with timeout.exe
PID:1012

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI.exe"
83⤵
PID:5116

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
84⤵
PID:4420

C:\Users\Admin\AppData\Local\Temp\PI.exe
"C:\Users\Admin\AppData\Local\Temp\PI.exe"
83⤵
PID:4404

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
84⤵
PID:4048

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI.exe"
84⤵
PID:4828

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
85⤵
PID:4576

C:\Users\Admin\AppData\Local\Temp\PI.exe
"C:\Users\Admin\AppData\Local\Temp\PI.exe"
84⤵
PID:2684

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
85⤵
PID:4028

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI.exe"
85⤵
PID:3700

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
86⤵
PID:1972

C:\Users\Admin\AppData\Local\Temp\PI.exe
"C:\Users\Admin\AppData\Local\Temp\PI.exe"
85⤵
PID:2388

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
86⤵
- Checks processor information in registry
- Checks for installed software on the system
PID:4368

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "RegAsm.exe"
87⤵
PID:1444

C:\Windows\SysWOW64\timeout.exe
C:\Windows\system32\timeout.exe 3
88⤵
- Delays execution with timeout.exe
PID:4112

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI.exe"
86⤵
PID:64

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
87⤵
PID:4216

C:\Users\Admin\AppData\Local\Temp\PI.exe
"C:\Users\Admin\AppData\Local\Temp\PI.exe"
86⤵
PID:4916

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
87⤵
PID:4356

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI.exe"
87⤵
PID:4100

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
88⤵
PID:4144

C:\Users\Admin\AppData\Local\Temp\PI.exe
"C:\Users\Admin\AppData\Local\Temp\PI.exe"
87⤵
PID:5108

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
88⤵
PID:4396

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI.exe"
88⤵
PID:4236

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
89⤵
PID:4132

C:\Users\Admin\AppData\Local\Temp\PI.exe
"C:\Users\Admin\AppData\Local\Temp\PI.exe"
88⤵
PID:4752

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
89⤵
PID:3804

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI.exe"
89⤵
PID:4204

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
90⤵
PID:3928

C:\Users\Admin\AppData\Local\Temp\PI.exe
"C:\Users\Admin\AppData\Local\Temp\PI.exe"
89⤵
PID:4792

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
90⤵
PID:4588

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI.exe"
90⤵
PID:4064

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
91⤵
PID:1736

C:\Users\Admin\AppData\Local\Temp\PI.exe
"C:\Users\Admin\AppData\Local\Temp\PI.exe"
90⤵
PID:4500

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
91⤵
PID:3816

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI.exe"
91⤵
PID:2944

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
92⤵
PID:3256

C:\Users\Admin\AppData\Local\Temp\PI.exe
"C:\Users\Admin\AppData\Local\Temp\PI.exe"
91⤵
PID:2300

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
92⤵
PID:2504

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
92⤵
- Checks processor information in registry
- Checks for installed software on the system
PID:2624

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "RegAsm.exe"
93⤵
PID:3924

C:\Windows\SysWOW64\timeout.exe
C:\Windows\system32\timeout.exe 3
94⤵
- Delays execution with timeout.exe
PID:4224

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI.exe"
92⤵
PID:5104

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
93⤵
PID:5076

C:\Users\Admin\AppData\Local\Temp\PI.exe
"C:\Users\Admin\AppData\Local\Temp\PI.exe"
92⤵
PID:4600

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
93⤵
PID:3324

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI.exe"
93⤵
PID:3652

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
94⤵
PID:4424

C:\Users\Admin\AppData\Local\Temp\PI.exe
"C:\Users\Admin\AppData\Local\Temp\PI.exe"
93⤵
PID:3820

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
94⤵
PID:4700

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI.exe"
94⤵
PID:4764

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
95⤵
PID:2252

C:\Users\Admin\AppData\Local\Temp\PI.exe
"C:\Users\Admin\AppData\Local\Temp\PI.exe"
94⤵
PID:4396

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
95⤵
- Checks processor information in registry
- Checks for installed software on the system
PID:5016

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "RegAsm.exe"
96⤵
PID:4852

C:\Windows\SysWOW64\timeout.exe
C:\Windows\system32\timeout.exe 3
97⤵
- Delays execution with timeout.exe
PID:4692

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI.exe"
95⤵
PID:4896

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
96⤵
PID:3584

C:\Users\Admin\AppData\Local\Temp\PI.exe
"C:\Users\Admin\AppData\Local\Temp\PI.exe"
95⤵
PID:4220

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
96⤵
PID:1568

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI.exe"
96⤵
PID:4172

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
97⤵
PID:3860

C:\Users\Admin\AppData\Local\Temp\PI.exe
"C:\Users\Admin\AppData\Local\Temp\PI.exe"
96⤵
PID:4200

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
97⤵
PID:2840

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
97⤵
PID:1100

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI.exe"
97⤵
PID:4652

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
98⤵
PID:2628

C:\Users\Admin\AppData\Local\Temp\PI.exe
"C:\Users\Admin\AppData\Local\Temp\PI.exe"
97⤵
PID:2760

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
98⤵
PID:64

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI.exe"
98⤵
PID:4888

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
99⤵
PID:4368

C:\Users\Admin\AppData\Local\Temp\PI.exe
"C:\Users\Admin\AppData\Local\Temp\PI.exe"
98⤵
PID:4116

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
99⤵
- Checks processor information in registry
- Checks for installed software on the system
PID:5060

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "RegAsm.exe"
100⤵
PID:4788

C:\Windows\SysWOW64\timeout.exe
C:\Windows\system32\timeout.exe 3
101⤵
- Delays execution with timeout.exe
PID:5048

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI.exe"
99⤵
PID:1536

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
100⤵
PID:2504

C:\Users\Admin\AppData\Local\Temp\PI.exe
"C:\Users\Admin\AppData\Local\Temp\PI.exe"
99⤵
PID:5036

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
100⤵
PID:2880

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
100⤵
PID:4632

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
100⤵
PID:4872

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI.exe"
100⤵
PID:4704

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
101⤵
PID:4060

C:\Users\Admin\AppData\Local\Temp\PI.exe
"C:\Users\Admin\AppData\Local\Temp\PI.exe"
100⤵
PID:3324

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
101⤵
PID:4388

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
101⤵
PID:4528

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI.exe"
101⤵
PID:4456

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
102⤵
PID:1300

C:\Users\Admin\AppData\Local\Temp\PI.exe
"C:\Users\Admin\AppData\Local\Temp\PI.exe"
101⤵
PID:3952

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
102⤵
- Checks processor information in registry
- Checks for installed software on the system
PID:1724

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "RegAsm.exe"
103⤵
PID:3792

C:\Windows\SysWOW64\timeout.exe
C:\Windows\system32\timeout.exe 3
104⤵
- Delays execution with timeout.exe
PID:4200

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI.exe"
102⤵
PID:3908

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
103⤵
PID:4672

C:\Users\Admin\AppData\Local\Temp\PI.exe
"C:\Users\Admin\AppData\Local\Temp\PI.exe"
102⤵
PID:952

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
103⤵
PID:4664

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI.exe"
103⤵
PID:2216

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
104⤵
PID:4864

C:\Users\Admin\AppData\Local\Temp\PI.exe
"C:\Users\Admin\AppData\Local\Temp\PI.exe"
103⤵
PID:4168

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
104⤵
PID:4052

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI.exe"
104⤵
PID:1648

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
105⤵
PID:4616

C:\Users\Admin\AppData\Local\Temp\PI.exe
"C:\Users\Admin\AppData\Local\Temp\PI.exe"
104⤵
PID:1216

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
105⤵
- Checks processor information in registry
- Checks for installed software on the system
PID:2676

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "RegAsm.exe"
106⤵
PID:4240

C:\Windows\SysWOW64\timeout.exe
C:\Windows\system32\timeout.exe 3
107⤵
- Delays execution with timeout.exe
PID:4836

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI.exe"
105⤵
PID:1652

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
106⤵
PID:3736

C:\Users\Admin\AppData\Local\Temp\PI.exe
"C:\Users\Admin\AppData\Local\Temp\PI.exe"
105⤵
PID:736

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
106⤵
PID:2220

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI.exe"
106⤵
PID:4236

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
107⤵
PID:2964

C:\Users\Admin\AppData\Local\Temp\PI.exe
"C:\Users\Admin\AppData\Local\Temp\PI.exe"
106⤵
PID:4728

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
107⤵
PID:4968

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI.exe"
107⤵
PID:2532

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
108⤵
PID:4500

C:\Users\Admin\AppData\Local\Temp\PI.exe
"C:\Users\Admin\AppData\Local\Temp\PI.exe"
107⤵
PID:4116

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
108⤵
PID:4504

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI.exe"
108⤵
PID:3804

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
109⤵
PID:4592

C:\Users\Admin\AppData\Local\Temp\PI.exe
"C:\Users\Admin\AppData\Local\Temp\PI.exe"
108⤵
PID:4812

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
109⤵
PID:4668

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
109⤵
PID:4648

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI.exe"
109⤵
PID:1208

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
110⤵
PID:4288

C:\Users\Admin\AppData\Local\Temp\PI.exe
"C:\Users\Admin\AppData\Local\Temp\PI.exe"
109⤵
PID:1660

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
110⤵
PID:5088

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI.exe"
110⤵
PID:4436

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
111⤵
PID:3732

C:\Users\Admin\AppData\Local\Temp\PI.exe
"C:\Users\Admin\AppData\Local\Temp\PI.exe"
110⤵
PID:1844

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
111⤵
PID:4776

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI.exe"
111⤵
PID:4956

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
112⤵
PID:4408

C:\Users\Admin\AppData\Local\Temp\PI.exe
"C:\Users\Admin\AppData\Local\Temp\PI.exe"
111⤵
PID:5000

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
112⤵
PID:3852

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
112⤵
- Checks processor information in registry
PID:1332

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "RegAsm.exe"
113⤵
PID:4184

C:\Windows\SysWOW64\timeout.exe
C:\Windows\system32\timeout.exe 3
114⤵
- Delays execution with timeout.exe
PID:4344

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI.exe"
112⤵
PID:1016

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
113⤵
PID:5108

C:\Users\Admin\AppData\Local\Temp\PI.exe
"C:\Users\Admin\AppData\Local\Temp\PI.exe"
112⤵
PID:4556

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
113⤵
PID:3688

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI.exe"
113⤵
PID:4660

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
114⤵
PID:4964

C:\Users\Admin\AppData\Local\Temp\PI.exe
"C:\Users\Admin\AppData\Local\Temp\PI.exe"
113⤵
PID:4688

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
114⤵
PID:3376

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI.exe"
114⤵
PID:3256

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
115⤵
PID:4604

C:\Users\Admin\AppData\Local\Temp\PI.exe
"C:\Users\Admin\AppData\Local\Temp\PI.exe"
114⤵
PID:4476

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
115⤵
- Checks processor information in registry
- Checks for installed software on the system
PID:4664

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "RegAsm.exe"
116⤵
PID:4416

C:\Windows\SysWOW64\timeout.exe
C:\Windows\system32\timeout.exe 3
117⤵
- Delays execution with timeout.exe
PID:2504

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI.exe"
115⤵
PID:5112

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
116⤵
PID:4452

C:\Users\Admin\AppData\Local\Temp\PI.exe
"C:\Users\Admin\AppData\Local\Temp\PI.exe"
115⤵
PID:4748

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
116⤵
PID:3008

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
116⤵
PID:1136

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
116⤵
PID:1012

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI.exe"
116⤵
PID:3652

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
117⤵
PID:1648

C:\Users\Admin\AppData\Local\Temp\PI.exe
"C:\Users\Admin\AppData\Local\Temp\PI.exe"
116⤵
PID:2968

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
117⤵
PID:4732

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI.exe"
117⤵
PID:1972

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
118⤵
PID:4192

C:\Users\Admin\AppData\Local\Temp\PI.exe
"C:\Users\Admin\AppData\Local\Temp\PI.exe"
117⤵
PID:4980

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
118⤵
- Checks processor information in registry
- Checks for installed software on the system
PID:4304

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "RegAsm.exe"
119⤵
PID:4444

C:\Windows\SysWOW64\timeout.exe
C:\Windows\system32\timeout.exe 3
120⤵
- Delays execution with timeout.exe
PID:4144

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI.exe"
118⤵
PID:3632

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
119⤵
PID:2032

C:\Users\Admin\AppData\Local\Temp\PI.exe
"C:\Users\Admin\AppData\Local\Temp\PI.exe"
118⤵
PID:4820

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
119⤵
PID:4160

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
119⤵
PID:2840

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI.exe"
119⤵
PID:3816

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
120⤵
PID:3748

C:\Users\Admin\AppData\Local\Temp\PI.exe
"C:\Users\Admin\AppData\Local\Temp\PI.exe"
119⤵
PID:4564

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
120⤵
PID:4704

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI.exe"
120⤵
PID:4268

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
121⤵
PID:4420

C:\Users\Admin\AppData\Local\Temp\PI.exe
"C:\Users\Admin\AppData\Local\Temp\PI.exe"
120⤵
PID:4292

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
121⤵
PID:4388

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI.exe"
121⤵
PID:4308

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
122⤵
PID:684

C:\Users\Admin\AppData\Local\Temp\PI.exe
"C:\Users\Admin\AppData\Local\Temp\PI.exe"
121⤵
PID:4700

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
122⤵
PID:3860

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
122⤵
PID:2936

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
122⤵
PID:4768

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
122⤵
- Checks processor information in registry
- Checks for installed software on the system
PID:2708

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "RegAsm.exe"
123⤵
PID:4668

C:\Windows\SysWOW64\timeout.exe
C:\Windows\system32\timeout.exe 3
124⤵
- Delays execution with timeout.exe
PID:4804

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI.exe"
122⤵
PID:2068

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
123⤵
PID:3740

C:\Users\Admin\AppData\Local\Temp\PI.exe
"C:\Users\Admin\AppData\Local\Temp\PI.exe"
122⤵
PID:2216

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
123⤵
PID:4044

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI.exe"
123⤵
PID:3588

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
124⤵
PID:4064

C:\Users\Admin\AppData\Local\Temp\PI.exe
"C:\Users\Admin\AppData\Local\Temp\PI.exe"
123⤵
PID:1136

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
124⤵
PID:5076

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI.exe"
124⤵
PID:4868

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
125⤵
PID:2964

C:\Users\Admin\AppData\Local\Temp\PI.exe
"C:\Users\Admin\AppData\Local\Temp\PI.exe"
124⤵
PID:4828

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
125⤵
- Checks processor information in registry
- Checks for installed software on the system
PID:1720

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "RegAsm.exe"
126⤵
PID:4696

C:\Windows\SysWOW64\timeout.exe
C:\Windows\system32\timeout.exe 3
127⤵
- Delays execution with timeout.exe
PID:3824

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI.exe"
125⤵
PID:2532

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
126⤵
PID:4048

C:\Users\Admin\AppData\Local\Temp\PI.exe
"C:\Users\Admin\AppData\Local\Temp\PI.exe"
125⤵
PID:4184

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
126⤵
PID:5080

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI.exe"
126⤵
PID:1844

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
127⤵
PID:5104

C:\Users\Admin\AppData\Local\Temp\PI.exe
"C:\Users\Admin\AppData\Local\Temp\PI.exe"
126⤵
PID:952

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
127⤵
PID:4864

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI.exe"
127⤵
PID:4960

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
128⤵
PID:4164

C:\Users\Admin\AppData\Local\Temp\PI.exe
"C:\Users\Admin\AppData\Local\Temp\PI.exe"
127⤵
PID:4304

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
128⤵
PID:2280

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
128⤵
- Checks processor information in registry
- Checks for installed software on the system
PID:1752

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "RegAsm.exe"
129⤵
PID:4352

C:\Windows\SysWOW64\timeout.exe
C:\Windows\system32\timeout.exe 3
130⤵
- Delays execution with timeout.exe
PID:3624

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI.exe"
128⤵
PID:1648

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
129⤵
PID:3544

C:\Users\Admin\AppData\Local\Temp\PI.exe
"C:\Users\Admin\AppData\Local\Temp\PI.exe"
128⤵
PID:4932

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
129⤵
PID:4752

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI.exe"
129⤵
PID:4104

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
130⤵
PID:4572

C:\Users\Admin\AppData\Local\Temp\PI.exe
"C:\Users\Admin\AppData\Local\Temp\PI.exe"
129⤵
PID:2300

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
130⤵
PID:4360

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI.exe"
130⤵
PID:4172

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
131⤵
PID:2880

C:\Users\Admin\AppData\Local\Temp\PI.exe
"C:\Users\Admin\AppData\Local\Temp\PI.exe"
130⤵
PID:4876

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
131⤵
- Checks processor information in registry
- Checks for installed software on the system
PID:3796

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "RegAsm.exe"
132⤵
PID:2416

C:\Windows\SysWOW64\timeout.exe
C:\Windows\system32\timeout.exe 3
133⤵
- Delays execution with timeout.exe
PID:4772

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI.exe"
131⤵
PID:1736

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
132⤵
PID:4384

C:\Users\Admin\AppData\Local\Temp\PI.exe
"C:\Users\Admin\AppData\Local\Temp\PI.exe"
131⤵
PID:4228

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
132⤵
PID:4408

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI.exe"
132⤵
PID:4968

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
133⤵
PID:4268

C:\Users\Admin\AppData\Local\Temp\PI.exe
"C:\Users\Admin\AppData\Local\Temp\PI.exe"
132⤵
PID:4264

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
133⤵
PID:4800

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI.exe"
133⤵
PID:4444

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
134⤵
PID:1536

C:\Users\Admin\AppData\Local\Temp\PI.exe
"C:\Users\Admin\AppData\Local\Temp\PI.exe"
133⤵
PID:1924

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
134⤵
PID:5080

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
134⤵
PID:2168

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI.exe"
134⤵
PID:4468

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
135⤵
PID:1804

C:\Users\Admin\AppData\Local\Temp\PI.exe
"C:\Users\Admin\AppData\Local\Temp\PI.exe"
134⤵
PID:4320

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
135⤵
- Checks processor information in registry
- Checks for installed software on the system
PID:4864

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "RegAsm.exe"
136⤵
PID:1876

C:\Windows\SysWOW64\timeout.exe
C:\Windows\system32\timeout.exe 3
137⤵
- Delays execution with timeout.exe
PID:4160

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI.exe"
135⤵
PID:4580

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
136⤵
PID:3800

C:\Users\Admin\AppData\Local\Temp\PI.exe
"C:\Users\Admin\AppData\Local\Temp\PI.exe"
135⤵
PID:4716

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
136⤵
PID:4536

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
136⤵
PID:4680

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI.exe"
136⤵
PID:4564

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
137⤵
PID:5000

C:\Users\Admin\AppData\Local\Temp\PI.exe
"C:\Users\Admin\AppData\Local\Temp\PI.exe"
136⤵
PID:4692

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
137⤵
PID:4032

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI.exe"
137⤵
PID:4304

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
138⤵
PID:2052

C:\Users\Admin\AppData\Local\Temp\PI.exe
"C:\Users\Admin\AppData\Local\Temp\PI.exe"
137⤵
PID:1396

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
138⤵
PID:4232

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI.exe"
138⤵
PID:4200

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
139⤵
PID:2216

C:\Users\Admin\AppData\Local\Temp\PI.exe
"C:\Users\Admin\AppData\Local\Temp\PI.exe"
138⤵
PID:1980

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
139⤵
PID:2224

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
139⤵
PID:3952

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
139⤵
- Checks processor information in registry
- Checks for installed software on the system
PID:5076

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "RegAsm.exe"
140⤵
PID:1152

C:\Windows\SysWOW64\timeout.exe
C:\Windows\system32\timeout.exe 3
141⤵
- Delays execution with timeout.exe
PID:3368

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI.exe"
139⤵
PID:5100

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
140⤵
PID:4544

C:\Users\Admin\AppData\Local\Temp\PI.exe
"C:\Users\Admin\AppData\Local\Temp\PI.exe"
139⤵
PID:4408

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
140⤵
PID:3748

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI.exe"
140⤵
PID:4524

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
141⤵
PID:1480

C:\Users\Admin\AppData\Local\Temp\PI.exe
"C:\Users\Admin\AppData\Local\Temp\PI.exe"
140⤵
PID:2496

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
141⤵
PID:4136

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI.exe"
141⤵
PID:4228

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
142⤵
PID:4532

C:\Users\Admin\AppData\Local\Temp\PI.exe
"C:\Users\Admin\AppData\Local\Temp\PI.exe"
141⤵
PID:4664

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
142⤵
- Checks processor information in registry
PID:4760

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "RegAsm.exe"
143⤵
PID:5044

C:\Windows\SysWOW64\timeout.exe
C:\Windows\system32\timeout.exe 3
144⤵
- Delays execution with timeout.exe
PID:3256

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI.exe"
142⤵
PID:4652

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
143⤵
PID:4900

C:\Users\Admin\AppData\Local\Temp\PI.exe
"C:\Users\Admin\AppData\Local\Temp\PI.exe"
142⤵
PID:4892

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
143⤵
PID:5040

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI.exe"
143⤵
PID:1112

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
144⤵
PID:4252

C:\Users\Admin\AppData\Local\Temp\PI.exe
"C:\Users\Admin\AppData\Local\Temp\PI.exe"
143⤵
PID:4344

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
144⤵
PID:4744

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI.exe"
144⤵
PID:3860

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
145⤵
PID:1208

C:\Users\Admin\AppData\Local\Temp\PI.exe
"C:\Users\Admin\AppData\Local\Temp\PI.exe"
144⤵
PID:4712

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
145⤵
PID:4956

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI.exe"
145⤵
PID:4908

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
146⤵
PID:1332

C:\Users\Admin\AppData\Local\Temp\PI.exe
"C:\Users\Admin\AppData\Local\Temp\PI.exe"
145⤵
PID:1532

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
146⤵
PID:1568

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI.exe"
146⤵
PID:60

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
147⤵
PID:2860

C:\Users\Admin\AppData\Local\Temp\PI.exe
"C:\Users\Admin\AppData\Local\Temp\PI.exe"
146⤵
PID:4468

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
147⤵
PID:5064

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
147⤵
PID:4684

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2fda\msvcp140.dll

Download Submit
C:\Users\Admin\AppData\Local\Temp\2fda\msvcp140.dll

Download Submit
C:\Users\Admin\AppData\Local\Temp\2fda\nss3.dll

Download Submit
C:\Users\Admin\AppData\Local\Temp\2fda\nss3.dll

Download Submit
C:\Users\Admin\AppData\Local\Temp\2fda\nss3.dll

Download Submit
C:\Users\Admin\AppData\Local\Temp\2fda\nss3.dll

Download Submit
C:\Users\Admin\AppData\Local\Temp\2fda\nss3.dll

Download Submit
C:\Users\Admin\AppData\Local\Temp\2fda\nss3.dll

Download Submit
C:\Users\Admin\AppData\Local\Temp\2fda\nss3.dll

Download Submit
C:\Users\Admin\AppData\Local\Temp\2fda\nss3.dll

Download Submit
C:\Users\Admin\AppData\Local\Temp\2fda\nss3.dll

Download Submit
C:\Users\Admin\AppData\Local\Temp\2fda\vcruntime140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\mozglue.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\mozglue.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\mozglue.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\mozglue.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\mozglue.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\mozglue.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\mozglue.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\mozglue.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\mozglue.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\mozglue.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\mozglue.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\mozglue.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\mozglue.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\mozglue.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\mozglue.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\mozglue.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\mozglue.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\mozglue.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\mozglue.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\mozglue.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\mozglue.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\mozglue.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\mozglue.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\mozglue.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\mozglue.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\mozglue.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\mozglue.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\mozglue.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\mozglue.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\mozglue.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\mozglue.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\mozglue.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\msvcp140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\msvcp140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\msvcp140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\msvcp140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\msvcp140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\msvcp140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\msvcp140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\msvcp140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\msvcp140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\msvcp140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\msvcp140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\msvcp140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\msvcp140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\msvcp140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\msvcp140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\msvcp140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\msvcp140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\msvcp140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\msvcp140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\msvcp140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\msvcp140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\msvcp140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\msvcp140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\msvcp140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\msvcp140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\msvcp140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\msvcp140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\msvcp140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\msvcp140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\msvcp140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\msvcp140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\msvcp140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\nss3.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\nss3.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\nss3.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\nss3.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\nss3.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\nss3.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\nss3.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\nss3.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\nss3.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\nss3.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\nss3.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\nss3.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\nss3.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\nss3.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\nss3.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\nss3.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\nss3.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\nss3.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\nss3.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\nss3.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\nss3.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\nss3.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\nss3.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\nss3.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\nss3.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\nss3.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\nss3.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\nss3.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\nss3.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\nss3.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\nss3.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\nss3.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\vcruntime140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\vcruntime140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\vcruntime140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\vcruntime140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\vcruntime140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\vcruntime140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\vcruntime140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\vcruntime140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\vcruntime140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\vcruntime140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\vcruntime140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\vcruntime140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\vcruntime140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\vcruntime140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\vcruntime140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\vcruntime140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\vcruntime140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\vcruntime140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\vcruntime140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\vcruntime140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\vcruntime140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\vcruntime140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\vcruntime140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\vcruntime140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\vcruntime140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\vcruntime140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\vcruntime140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\vcruntime140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\vcruntime140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\vcruntime140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\vcruntime140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\vcruntime140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\vcruntime140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\vcruntime140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\vcruntime140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\vcruntime140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\vcruntime140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\vcruntime140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\vcruntime140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\vcruntime140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\vcruntime140.dll

Download Submit
memory/60-258-0x000000000041A1F8-mapping.dmp

Download
memory/60-1940-0x0000000000000000-mapping.dmp

Download
memory/64-1276-0x0000000000000000-mapping.dmp

Download
memory/64-1459-0x000000000041A1F8-mapping.dmp

Download
memory/64-817-0x0000000000000000-mapping.dmp

Download
memory/296-1218-0x000000000041A1F8-mapping.dmp

Download
memory/296-5-0x0000000000000000-mapping.dmp

Download
memory/548-1042-0x0000000000000000-mapping.dmp

Download
memory/684-1740-0x0000000000000000-mapping.dmp

Download
memory/684-1226-0x000000000041A1F8-mapping.dmp

Download
memory/736-1251-0x000000000041A1F8-mapping.dmp

Download
memory/736-1523-0x0000000000000000-mapping.dmp

Download
memory/744-779-0x0000000000000000-mapping.dmp

Download
memory/744-20-0x0000000000000000-mapping.dmp

Download
memory/744-1216-0x0000000000000000-mapping.dmp

Download
memory/756-250-0x0000000000000000-mapping.dmp

Download
memory/936-757-0x0000000000000000-mapping.dmp

Download
memory/936-301-0x0000000000000000-mapping.dmp

Download
memory/952-1498-0x0000000000000000-mapping.dmp

Download
memory/952-1778-0x0000000000000000-mapping.dmp

Download
memory/952-835-0x0000000000000000-mapping.dmp

Download
memory/992-673-0x0000000000000000-mapping.dmp

Download
memory/996-531-0x0000000000000000-mapping.dmp

Download
memory/1012-1277-0x0000000000000000-mapping.dmp

Download
memory/1012-1695-0x000000000041A1F8-mapping.dmp

Download
memory/1016-1667-0x0000000000000000-mapping.dmp

Download
memory/1100-1449-0x000000000041A1F8-mapping.dmp

Download
memory/1100-983-0x0000000000000000-mapping.dmp

Download
memory/1112-1915-0x0000000000000000-mapping.dmp

Download
memory/1112-318-0x0000000000000000-mapping.dmp

Download
memory/1136-1754-0x0000000000000000-mapping.dmp

Download
memory/1136-438-0x0000000000000000-mapping.dmp

Download
memory/1136-819-0x0000000000000000-mapping.dmp

Download
memory/1136-1228-0x0000000000000000-mapping.dmp

Download
memory/1152-1901-0x0000000000000000-mapping.dmp

Download
memory/1152-502-0x0000000000000000-mapping.dmp

Download
memory/1168-26-0x0000000000000000-mapping.dmp

Download
memory/1168-630-0x0000000000000000-mapping.dmp

Download
memory/1168-297-0x0000000000000000-mapping.dmp

Download
memory/1188-155-0x0000000000000000-mapping.dmp

Download
memory/1200-841-0x0000000000000000-mapping.dmp

Download
memory/1200-663-0x0000000000000000-mapping.dmp

Download
memory/1208-1926-0x0000000000000000-mapping.dmp

Download
memory/1208-1173-0x0000000000000000-mapping.dmp

Download
memory/1208-1604-0x0000000000000000-mapping.dmp

Download
memory/1216-1515-0x0000000000000000-mapping.dmp

Download
memory/1228-504-0x0000000000000000-mapping.dmp

Download
memory/1248-821-0x000000000041A1F8-mapping.dmp

Download
memory/1300-1488-0x0000000000000000-mapping.dmp

Download
memory/1320-49-0x0000000000000000-mapping.dmp

Download
memory/1332-1665-0x000000000041A1F8-mapping.dmp

Download
memory/1332-1935-0x0000000000000000-mapping.dmp

Download
memory/1336-842-0x0000000000000000-mapping.dmp

Download
memory/1336-645-0x0000000000000000-mapping.dmp

Download
memory/1348-1215-0x0000000000000000-mapping.dmp

Download
memory/1380-840-0x0000000000000000-mapping.dmp

Download
memory/1396-1872-0x0000000000000000-mapping.dmp

Download
memory/1404-374-0x000000000041A1F8-mapping.dmp

Download
memory/1408-147-0x0000000000000000-mapping.dmp

Download
memory/1416-593-0x0000000000000000-mapping.dmp

Download
memory/1436-23-0x000000000041A1F8-mapping.dmp

Download
memory/1444-1407-0x0000000000000000-mapping.dmp

Download
memory/1448-135-0x0000000000000000-mapping.dmp

Download
memory/1480-1893-0x0000000000000000-mapping.dmp

Download
memory/1532-474-0x0000000000000000-mapping.dmp

Download
memory/1532-1936-0x0000000000000000-mapping.dmp

Download
memory/1536-1469-0x0000000000000000-mapping.dmp

Download
memory/1536-1834-0x0000000000000000-mapping.dmp

Download
memory/1568-1938-0x000000000041A1F8-mapping.dmp

Download
memory/1568-1443-0x000000000041A1F8-mapping.dmp

Download
memory/1628-289-0x0000000000000000-mapping.dmp

Download
memory/1632-679-0x0000000000000000-mapping.dmp

Download
memory/1648-1795-0x0000000000000000-mapping.dmp

Download
memory/1648-1508-0x0000000000000000-mapping.dmp

Download
memory/1648-444-0x000000000041A1F8-mapping.dmp

Download
memory/1648-1698-0x0000000000000000-mapping.dmp

Download
memory/1648-145-0x0000000000000000-mapping.dmp

Download
memory/1652-296-0x0000000000000000-mapping.dmp

Download
memory/1652-1520-0x0000000000000000-mapping.dmp

Download
memory/1660-280-0x0000000000000000-mapping.dmp

Download
memory/1660-1621-0x0000000000000000-mapping.dmp

Download
memory/1720-1768-0x000000000041A1F8-mapping.dmp

Download
memory/1724-1493-0x000000000041A1F8-mapping.dmp

Download
memory/1736-492-0x0000000000000000-mapping.dmp

Download
memory/1736-1405-0x0000000000000000-mapping.dmp

Download
memory/1736-1821-0x0000000000000000-mapping.dmp

Download
memory/1736-745-0x0000000000000000-mapping.dmp

Download
memory/1752-1791-0x000000000041A1F8-mapping.dmp

Download
memory/1752-1058-0x0000000000000000-mapping.dmp

Download
memory/1788-287-0x000000000041A1F8-mapping.dmp

Download
memory/1804-1848-0x0000000000000000-mapping.dmp

Download
memory/1844-2-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1844-0-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1844-985-0x0000000000000000-mapping.dmp

Download
memory/1844-1655-0x0000000000000000-mapping.dmp

Download
memory/1844-1072-0x0000000000000000-mapping.dmp

Download
memory/1844-1777-0x0000000000000000-mapping.dmp

Download
memory/1844-1243-0x000000000041A1F8-mapping.dmp

Download
memory/1844-1-0x000000000041A1F8-mapping.dmp

Download
memory/1876-1876-0x0000000000000000-mapping.dmp

Download
memory/1876-635-0x0000000000000000-mapping.dmp

Download
memory/1876-977-0x0000000000000000-mapping.dmp

Download
memory/1884-150-0x000000000041A1F8-mapping.dmp

Download
memory/1924-1837-0x0000000000000000-mapping.dmp

Download
memory/1924-497-0x0000000000000000-mapping.dmp

Download
memory/1936-283-0x0000000000000000-mapping.dmp

Download
memory/1972-1703-0x0000000000000000-mapping.dmp

Download
memory/1972-928-0x0000000000000000-mapping.dmp

Download
memory/1972-494-0x000000000041A1F8-mapping.dmp

Download
memory/1972-1275-0x0000000000000000-mapping.dmp

Download
memory/1976-1078-0x000000000041A1F8-mapping.dmp

Download
memory/1976-674-0x0000000000000000-mapping.dmp

Download
memory/1980-1880-0x0000000000000000-mapping.dmp

Download
memory/2032-1716-0x0000000000000000-mapping.dmp

Download
memory/2036-994-0x000000000041A1F8-mapping.dmp

Download
memory/2052-1871-0x0000000000000000-mapping.dmp

Download
memory/2052-270-0x0000000000000000-mapping.dmp

Download
memory/2068-1746-0x0000000000000000-mapping.dmp

Download
memory/2072-662-0x000000000041A1F8-mapping.dmp

Download
memory/2072-483-0x0000000000000000-mapping.dmp

Download
memory/2076-677-0x000000000041A1F8-mapping.dmp

Download
memory/2084-667-0x0000000000000000-mapping.dmp

Download
memory/2084-3-0x0000000000000000-mapping.dmp

Download
memory/2084-171-0x0000000000000000-mapping.dmp

Download
memory/2160-845-0x000000000041A1F8-mapping.dmp

Download
memory/2168-139-0x0000000000000000-mapping.dmp

Download
memory/2168-1843-0x000000000041A1F8-mapping.dmp

Download
memory/2216-1879-0x0000000000000000-mapping.dmp

Download
memory/2216-1246-0x0000000000000000-mapping.dmp

Download
memory/2216-1748-0x0000000000000000-mapping.dmp

Download
memory/2216-1502-0x0000000000000000-mapping.dmp

Download
memory/2220-666-0x0000000000000000-mapping.dmp

Download
memory/2220-1525-0x000000000041A1F8-mapping.dmp

Download
memory/2220-25-0x0000000000000000-mapping.dmp

Download
memory/2224-154-0x0000000000000000-mapping.dmp

Download
memory/2252-1433-0x0000000000000000-mapping.dmp

Download
memory/2252-299-0x000000000041A1F8-mapping.dmp

Download
memory/2252-314-0x0000000000000000-mapping.dmp

Download
memory/2280-302-0x0000000000000000-mapping.dmp

Download
memory/2300-236-0x0000000000000000-mapping.dmp

Download
memory/2300-1410-0x0000000000000000-mapping.dmp

Download
memory/2300-1803-0x0000000000000000-mapping.dmp

Download
memory/2388-1270-0x0000000000000000-mapping.dmp

Download
memory/2396-653-0x000000000041A1F8-mapping.dmp

Download
memory/2416-1846-0x0000000000000000-mapping.dmp

Download
memory/2496-1891-0x0000000000000000-mapping.dmp

Download
memory/2496-1146-0x0000000000000000-mapping.dmp

Download
memory/2496-410-0x000000000041A1F8-mapping.dmp

Download
memory/2504-1714-0x0000000000000000-mapping.dmp

Download
memory/2504-1470-0x0000000000000000-mapping.dmp

Download
memory/2532-1771-0x0000000000000000-mapping.dmp

Download
memory/2532-1539-0x0000000000000000-mapping.dmp

Download
memory/2624-1413-0x000000000041A1F8-mapping.dmp

Download
memory/2628-1452-0x0000000000000000-mapping.dmp

Download
memory/2668-4-0x0000000000000000-mapping.dmp

Download
memory/2672-214-0x0000000000000000-mapping.dmp

Download
memory/2672-837-0x000000000041A1F8-mapping.dmp

Download
memory/2676-1104-0x0000000000000000-mapping.dmp

Download
memory/2676-1518-0x000000000041A1F8-mapping.dmp

Download
memory/2684-1260-0x0000000000000000-mapping.dmp

Download
memory/2684-29-0x000000000041A1F8-mapping.dmp

Download
memory/2708-1744-0x000000000041A1F8-mapping.dmp

Download
memory/2760-1457-0x0000000000000000-mapping.dmp

Download
memory/2760-303-0x0000000000000000-mapping.dmp

Download
memory/2768-127-0x000000000041A1F8-mapping.dmp

Download
memory/2784-1164-0x0000000000000000-mapping.dmp

Download
memory/2808-31-0x0000000000000000-mapping.dmp

Download
memory/2836-189-0x000000000041A1F8-mapping.dmp

Download
memory/2836-276-0x0000000000000000-mapping.dmp

Download
memory/2840-1719-0x000000000041A1F8-mapping.dmp

Download
memory/2840-482-0x0000000000000000-mapping.dmp

Download
memory/2860-1942-0x0000000000000000-mapping.dmp

Download
memory/2876-1082-0x0000000000000000-mapping.dmp

Download
memory/2876-825-0x0000000000000000-mapping.dmp

Download
memory/2876-309-0x000000000041A1F8-mapping.dmp

Download
memory/2880-1814-0x0000000000000000-mapping.dmp

Download
memory/2880-112-0x0000000000000000-mapping.dmp

Download
memory/2944-1406-0x0000000000000000-mapping.dmp

Download
memory/2964-1528-0x0000000000000000-mapping.dmp

Download
memory/2964-1764-0x0000000000000000-mapping.dmp

Download
memory/2964-284-0x0000000000000000-mapping.dmp

Download
memory/2968-484-0x0000000000000000-mapping.dmp

Download
memory/2968-1699-0x0000000000000000-mapping.dmp

Download
memory/3044-997-0x0000000000000000-mapping.dmp

Download
memory/3044-293-0x000000000041A1F8-mapping.dmp

Download
memory/3044-1086-0x0000000000000000-mapping.dmp

Download
memory/3228-848-0x0000000000000000-mapping.dmp

Download
memory/3228-316-0x000000000041A1F8-mapping.dmp

Download
memory/3248-203-0x0000000000000000-mapping.dmp

Download
memory/3248-686-0x0000000000000000-mapping.dmp

Download
memory/3252-121-0x0000000000000000-mapping.dmp

Download
memory/3256-1683-0x0000000000000000-mapping.dmp

Download
memory/3256-141-0x000000000041A1F8-mapping.dmp

Download
memory/3256-1234-0x0000000000000000-mapping.dmp

Download
memory/3256-1409-0x0000000000000000-mapping.dmp

Download
memory/3256-1933-0x0000000000000000-mapping.dmp

Download
memory/3324-1477-0x0000000000000000-mapping.dmp

Download
memory/3324-651-0x0000000000000000-mapping.dmp

Download
memory/3324-1419-0x000000000041A1F8-mapping.dmp

Download
memory/3356-21-0x0000000000000000-mapping.dmp

Download
memory/3368-1903-0x0000000000000000-mapping.dmp

Download
memory/3372-17-0x0000000000000000-mapping.dmp

Download
memory/3372-153-0x0000000000000000-mapping.dmp

Download
memory/3376-1681-0x000000000041A1F8-mapping.dmp

Download
memory/3384-1052-0x0000000000000000-mapping.dmp

Download
memory/3384-1000-0x000000000041A1F8-mapping.dmp

Download
memory/3384-84-0x0000000000000000-mapping.dmp

Download
memory/3384-793-0x0000000000000000-mapping.dmp

Download
memory/3484-1018-0x0000000000000000-mapping.dmp

Download
memory/3484-647-0x000000000041A1F8-mapping.dmp

Download
memory/3544-1060-0x000000000041A1F8-mapping.dmp

Download
memory/3544-1796-0x0000000000000000-mapping.dmp

Download
memory/3584-137-0x0000000000000000-mapping.dmp

Download
memory/3584-701-0x0000000000000000-mapping.dmp

Download
memory/3584-1021-0x0000000000000000-mapping.dmp

Download
memory/3584-1440-0x0000000000000000-mapping.dmp

Download
memory/3588-55-0x000000000041A1F8-mapping.dmp

Download
memory/3588-669-0x0000000000000000-mapping.dmp

Download
memory/3588-460-0x0000000000000000-mapping.dmp

Download
memory/3588-1752-0x0000000000000000-mapping.dmp

Download
memory/3596-285-0x0000000000000000-mapping.dmp

Download
memory/3596-312-0x0000000000000000-mapping.dmp

Download
memory/3604-491-0x0000000000000000-mapping.dmp

Download
memory/3604-136-0x0000000000000000-mapping.dmp

Download
memory/3612-1084-0x000000000041A1F8-mapping.dmp

Download
memory/3612-1222-0x0000000000000000-mapping.dmp

Download
memory/3624-33-0x0000000000000000-mapping.dmp

Download
memory/3624-1820-0x0000000000000000-mapping.dmp

Download
memory/3632-1715-0x0000000000000000-mapping.dmp

Download
memory/3652-1421-0x0000000000000000-mapping.dmp

Download
memory/3652-1697-0x0000000000000000-mapping.dmp

Download
memory/3652-277-0x0000000000000000-mapping.dmp

Download
memory/3688-279-0x000000000041A1F8-mapping.dmp

Download
memory/3688-1671-0x000000000041A1F8-mapping.dmp

Download
memory/3700-1265-0x0000000000000000-mapping.dmp

Download
memory/3700-146-0x0000000000000000-mapping.dmp

Download
memory/3732-1654-0x0000000000000000-mapping.dmp

Download
memory/3736-1081-0x0000000000000000-mapping.dmp

Download
memory/3736-1522-0x0000000000000000-mapping.dmp

Download
memory/3740-857-0x000000000041A1F8-mapping.dmp

Download
memory/3740-1747-0x0000000000000000-mapping.dmp

Download
memory/3744-1245-0x0000000000000000-mapping.dmp

Download
memory/3744-98-0x0000000000000000-mapping.dmp

Download
memory/3748-1888-0x000000000041A1F8-mapping.dmp

Download
memory/3748-1722-0x0000000000000000-mapping.dmp

Download
memory/3748-27-0x0000000000000000-mapping.dmp

Download
memory/3760-311-0x0000000000000000-mapping.dmp

Download
memory/3760-659-0x0000000000000000-mapping.dmp

Download
memory/3760-849-0x0000000000000000-mapping.dmp

Download
memory/3792-182-0x0000000000000000-mapping.dmp

Download
memory/3792-824-0x0000000000000000-mapping.dmp

Download
memory/3792-1516-0x0000000000000000-mapping.dmp

Download
memory/3796-1818-0x000000000041A1F8-mapping.dmp

Download
memory/3800-1223-0x0000000000000000-mapping.dmp

Download
memory/3800-1855-0x0000000000000000-mapping.dmp

Download
memory/3804-1567-0x0000000000000000-mapping.dmp

Download
memory/3804-1323-0x000000000041A1F8-mapping.dmp

Download
memory/3816-1721-0x0000000000000000-mapping.dmp

Download
memory/3816-1186-0x000000000041A1F8-mapping.dmp

Download
memory/3816-235-0x0000000000000000-mapping.dmp

Download
memory/3816-313-0x0000000000000000-mapping.dmp

Download
memory/3816-641-0x000000000041A1F8-mapping.dmp

Download
memory/3816-1398-0x000000000041A1F8-mapping.dmp

Download
memory/3820-853-0x0000000000000000-mapping.dmp

Download
memory/3820-1427-0x0000000000000000-mapping.dmp

Download
memory/3824-216-0x0000000000000000-mapping.dmp

Download
memory/3824-1794-0x0000000000000000-mapping.dmp

Download
memory/3832-10-0x0000000000000000-mapping.dmp

Download
memory/3852-1224-0x0000000000000000-mapping.dmp

Download
memory/3852-138-0x0000000000000000-mapping.dmp

Download
memory/3852-290-0x0000000000000000-mapping.dmp

Download
memory/3860-1446-0x0000000000000000-mapping.dmp

Download
memory/3860-1921-0x0000000000000000-mapping.dmp

Download
memory/3864-425-0x0000000000000000-mapping.dmp

Download
memory/3868-11-0x0000000000000000-mapping.dmp

Download
memory/3872-470-0x0000000000000000-mapping.dmp

Download
memory/3876-1014-0x0000000000000000-mapping.dmp

Download
memory/3880-424-0x0000000000000000-mapping.dmp

Download
memory/3880-808-0x0000000000000000-mapping.dmp

Download
memory/3908-1495-0x0000000000000000-mapping.dmp

Download
memory/3908-222-0x000000000041A1F8-mapping.dmp

Download
memory/3908-161-0x000000000041A1F8-mapping.dmp

Download
memory/3924-1432-0x0000000000000000-mapping.dmp

Download
memory/3924-275-0x0000000000000000-mapping.dmp

Download
memory/3928-1365-0x0000000000000000-mapping.dmp

Download
memory/3928-812-0x0000000000000000-mapping.dmp

Download
memory/3932-319-0x0000000000000000-mapping.dmp

Download
memory/3952-1489-0x0000000000000000-mapping.dmp

Download
memory/3952-1002-0x0000000000000000-mapping.dmp

Download
memory/3952-490-0x0000000000000000-mapping.dmp

Download
memory/3952-68-0x0000000000000000-mapping.dmp

Download
memory/3972-144-0x0000000000000000-mapping.dmp

Download
memory/3996-143-0x0000000000000000-mapping.dmp

Download
memory/3996-13-0x000000000041A1F8-mapping.dmp

Download
memory/4004-291-0x0000000000000000-mapping.dmp

Download
memory/4024-843-0x0000000000000000-mapping.dmp

Download
memory/4028-1263-0x000000000041A1F8-mapping.dmp

Download
memory/4028-978-0x0000000000000000-mapping.dmp

Download
memory/4028-152-0x0000000000000000-mapping.dmp

Download
memory/4032-403-0x0000000000000000-mapping.dmp

Download
memory/4032-1863-0x000000000041A1F8-mapping.dmp

Download
memory/4032-282-0x0000000000000000-mapping.dmp

Download
memory/4044-1750-0x000000000041A1F8-mapping.dmp

Download
memory/4044-781-0x0000000000000000-mapping.dmp

Download
memory/4048-680-0x0000000000000000-mapping.dmp

Download
memory/4048-1257-0x000000000041A1F8-mapping.dmp

Download
memory/4048-9-0x0000000000000000-mapping.dmp

Download
memory/4048-1772-0x0000000000000000-mapping.dmp

Download
memory/4048-984-0x0000000000000000-mapping.dmp

Download
memory/4052-1043-0x0000000000000000-mapping.dmp

Download
memory/4052-1506-0x000000000041A1F8-mapping.dmp

Download
memory/4056-990-0x0000000000000000-mapping.dmp

Download
memory/4056-295-0x0000000000000000-mapping.dmp

Download
memory/4060-92-0x000000000041A1F8-mapping.dmp

Download
memory/4060-1476-0x0000000000000000-mapping.dmp

Download
memory/4060-7-0x000000000041A1F8-mapping.dmp

Download
memory/4064-1378-0x0000000000000000-mapping.dmp

Download
memory/4064-1753-0x0000000000000000-mapping.dmp

Download
memory/4064-148-0x0000000000000000-mapping.dmp

Download
memory/4100-1283-0x0000000000000000-mapping.dmp

Download
memory/4100-367-0x0000000000000000-mapping.dmp

Download
memory/4100-561-0x0000000000000000-mapping.dmp

Download
memory/4104-1067-0x0000000000000000-mapping.dmp

Download
memory/4104-1801-0x0000000000000000-mapping.dmp

Download
memory/4112-650-0x0000000000000000-mapping.dmp

Download
memory/4112-1117-0x0000000000000000-mapping.dmp

Download
memory/4112-1411-0x0000000000000000-mapping.dmp

Download
memory/4116-681-0x0000000000000000-mapping.dmp

Download
memory/4116-1465-0x0000000000000000-mapping.dmp

Download
memory/4116-1548-0x0000000000000000-mapping.dmp

Download
memory/4124-961-0x0000000000000000-mapping.dmp

Download
memory/4124-631-0x0000000000000000-mapping.dmp

Download
memory/4132-1329-0x0000000000000000-mapping.dmp

Download
memory/4136-320-0x0000000000000000-mapping.dmp

Download
memory/4136-1899-0x000000000041A1F8-mapping.dmp

Download
memory/4144-387-0x0000000000000000-mapping.dmp

Download
memory/4144-1284-0x0000000000000000-mapping.dmp

Download
memory/4144-1741-0x0000000000000000-mapping.dmp

Download
memory/4152-1230-0x0000000000000000-mapping.dmp

Download
memory/4156-1235-0x0000000000000000-mapping.dmp

Download
memory/4160-1878-0x0000000000000000-mapping.dmp

Download
memory/4160-982-0x0000000000000000-mapping.dmp

Download
memory/4164-1788-0x0000000000000000-mapping.dmp

Download
memory/4164-321-0x0000000000000000-mapping.dmp

Download
memory/4168-1504-0x0000000000000000-mapping.dmp

Download
memory/4172-1807-0x0000000000000000-mapping.dmp

Download
memory/4172-1445-0x0000000000000000-mapping.dmp

Download
memory/4176-1221-0x0000000000000000-mapping.dmp

Download
memory/4180-1050-0x0000000000000000-mapping.dmp

Download
memory/4184-1773-0x0000000000000000-mapping.dmp

Download
memory/4184-1684-0x0000000000000000-mapping.dmp

Download
memory/4192-1708-0x0000000000000000-mapping.dmp

Download
memory/4196-638-0x0000000000000000-mapping.dmp

Download
memory/4196-323-0x000000000041A1F8-mapping.dmp

Download
memory/4200-1877-0x0000000000000000-mapping.dmp

Download
memory/4200-1447-0x0000000000000000-mapping.dmp

Download
memory/4200-1521-0x0000000000000000-mapping.dmp

Download
memory/4204-1340-0x0000000000000000-mapping.dmp

Download
memory/4216-1278-0x0000000000000000-mapping.dmp

Download
memory/4220-1220-0x0000000000000000-mapping.dmp

Download
memory/4220-1013-0x0000000000000000-mapping.dmp

Download
memory/4220-1441-0x0000000000000000-mapping.dmp

Download
memory/4224-1435-0x0000000000000000-mapping.dmp

Download
memory/4228-1272-0x0000000000000000-mapping.dmp

Download
memory/4228-1902-0x0000000000000000-mapping.dmp

Download
memory/4228-1823-0x0000000000000000-mapping.dmp

Download
memory/4232-1874-0x000000000041A1F8-mapping.dmp

Download
memory/4232-998-0x0000000000000000-mapping.dmp

Download
memory/4232-1066-0x0000000000000000-mapping.dmp

Download
memory/4236-1294-0x0000000000000000-mapping.dmp

Download
memory/4236-763-0x000000000041A1F8-mapping.dmp

Download
memory/4236-1527-0x0000000000000000-mapping.dmp

Download
memory/4240-1660-0x0000000000000000-mapping.dmp

Download
memory/4240-968-0x0000000000000000-mapping.dmp

Download
memory/4244-1010-0x000000000041A1F8-mapping.dmp

Download
memory/4248-325-0x0000000000000000-mapping.dmp

Download
memory/4248-1201-0x0000000000000000-mapping.dmp

Download
memory/4252-1916-0x0000000000000000-mapping.dmp

Download
memory/4260-511-0x0000000000000000-mapping.dmp

Download
memory/4264-1829-0x0000000000000000-mapping.dmp

Download
memory/4268-1727-0x0000000000000000-mapping.dmp

Download
memory/4268-1828-0x0000000000000000-mapping.dmp

Download
memory/4276-687-0x0000000000000000-mapping.dmp

Download
memory/4276-991-0x0000000000000000-mapping.dmp

Download
memory/4280-879-0x000000000041A1F8-mapping.dmp

Download
memory/4288-1630-0x0000000000000000-mapping.dmp

Download
memory/4288-1195-0x0000000000000000-mapping.dmp

Download
memory/4288-636-0x0000000000000000-mapping.dmp

Download
memory/4292-640-0x0000000000000000-mapping.dmp

Download
memory/4292-500-0x000000000041A1F8-mapping.dmp

Download
memory/4292-1728-0x0000000000000000-mapping.dmp

Download
memory/4292-326-0x0000000000000000-mapping.dmp

Download
memory/4292-1044-0x0000000000000000-mapping.dmp

Download
memory/4304-1865-0x0000000000000000-mapping.dmp

Download
memory/4304-1789-0x0000000000000000-mapping.dmp

Download
memory/4304-931-0x0000000000000000-mapping.dmp

Download
memory/4304-1712-0x000000000041A1F8-mapping.dmp

Download
memory/4308-1037-0x0000000000000000-mapping.dmp

Download
memory/4308-1738-0x0000000000000000-mapping.dmp

Download
memory/4316-498-0x0000000000000000-mapping.dmp

Download
memory/4320-992-0x0000000000000000-mapping.dmp

Download
memory/4320-327-0x0000000000000000-mapping.dmp

Download
memory/4320-1847-0x0000000000000000-mapping.dmp

Download
memory/4328-1008-0x0000000000000000-mapping.dmp

Download
memory/4332-580-0x000000000041A1F8-mapping.dmp

Download
memory/4340-479-0x000000000041A1F8-mapping.dmp

Download
memory/4344-1687-0x0000000000000000-mapping.dmp

Download
memory/4344-1917-0x0000000000000000-mapping.dmp

Download
memory/4352-329-0x000000000041A1F8-mapping.dmp

Download
memory/4352-1816-0x0000000000000000-mapping.dmp

Download
memory/4356-1020-0x0000000000000000-mapping.dmp

Download
memory/4356-1281-0x000000000041A1F8-mapping.dmp

Download
memory/4360-1805-0x000000000041A1F8-mapping.dmp

Download
memory/4368-1273-0x000000000041A1F8-mapping.dmp

Download
memory/4368-1463-0x0000000000000000-mapping.dmp

Download
memory/4368-1046-0x0000000000000000-mapping.dmp

Download
memory/4376-1038-0x0000000000000000-mapping.dmp

Download
memory/4384-1822-0x0000000000000000-mapping.dmp

Download
memory/4388-1731-0x000000000041A1F8-mapping.dmp

Download
memory/4388-988-0x000000000041A1F8-mapping.dmp

Download
memory/4392-1056-0x0000000000000000-mapping.dmp

Download
memory/4392-1236-0x0000000000000000-mapping.dmp

Download
memory/4396-1287-0x000000000041A1F8-mapping.dmp

Download
memory/4396-1434-0x0000000000000000-mapping.dmp

Download
memory/4404-1255-0x0000000000000000-mapping.dmp

Download
memory/4404-481-0x0000000000000000-mapping.dmp

Download
memory/4408-1886-0x0000000000000000-mapping.dmp

Download
memory/4408-1661-0x0000000000000000-mapping.dmp

Download
memory/4408-1825-0x000000000041A1F8-mapping.dmp

Download
memory/4412-829-0x0000000000000000-mapping.dmp

Download
memory/4416-1711-0x0000000000000000-mapping.dmp

Download
memory/4420-1254-0x0000000000000000-mapping.dmp

Download
memory/4420-1737-0x0000000000000000-mapping.dmp

Download
memory/4424-1422-0x0000000000000000-mapping.dmp

Download
memory/4424-1135-0x0000000000000000-mapping.dmp

Download
memory/4428-336-0x0000000000000000-mapping.dmp

Download
memory/4436-1635-0x0000000000000000-mapping.dmp

Download
memory/4444-1739-0x0000000000000000-mapping.dmp

Download
memory/4444-1833-0x0000000000000000-mapping.dmp

Download
memory/4448-1048-0x000000000041A1F8-mapping.dmp

Download
memory/4448-569-0x0000000000000000-mapping.dmp

Download
memory/4452-1692-0x0000000000000000-mapping.dmp

Download
memory/4456-1484-0x0000000000000000-mapping.dmp

Download
memory/4464-871-0x0000000000000000-mapping.dmp

Download
memory/4464-1024-0x000000000041A1F8-mapping.dmp

Download
memory/4468-1941-0x0000000000000000-mapping.dmp

Download
memory/4468-1845-0x0000000000000000-mapping.dmp

Download
memory/4472-1057-0x0000000000000000-mapping.dmp

Download
memory/4476-1686-0x0000000000000000-mapping.dmp

Download
memory/4476-337-0x0000000000000000-mapping.dmp

Download
memory/4480-1247-0x0000000000000000-mapping.dmp

Download
memory/4484-1074-0x0000000000000000-mapping.dmp

Download
memory/4488-1068-0x0000000000000000-mapping.dmp

Download
memory/4492-649-0x0000000000000000-mapping.dmp

Download
memory/4500-855-0x0000000000000000-mapping.dmp

Download
memory/4500-1573-0x0000000000000000-mapping.dmp

Download
memory/4500-1392-0x0000000000000000-mapping.dmp

Download
memory/4504-1553-0x000000000041A1F8-mapping.dmp

Download
memory/4508-338-0x0000000000000000-mapping.dmp

Download
memory/4508-1022-0x0000000000000000-mapping.dmp

Download
memory/4520-953-0x000000000041A1F8-mapping.dmp

Download
memory/4524-1890-0x0000000000000000-mapping.dmp

Download
memory/4528-340-0x000000000041A1F8-mapping.dmp

Download
memory/4528-1007-0x0000000000000000-mapping.dmp

Download
memory/4528-1479-0x000000000041A1F8-mapping.dmp

Download
memory/4532-1904-0x0000000000000000-mapping.dmp

Download
memory/4544-827-0x000000000041A1F8-mapping.dmp

Download
memory/4544-1885-0x0000000000000000-mapping.dmp

Download
memory/4548-1045-0x0000000000000000-mapping.dmp

Download
memory/4556-1669-0x0000000000000000-mapping.dmp

Download
memory/4564-1859-0x0000000000000000-mapping.dmp

Download
memory/4564-1723-0x0000000000000000-mapping.dmp

Download
memory/4568-980-0x000000000041A1F8-mapping.dmp

Download
memory/4572-723-0x0000000000000000-mapping.dmp

Download
memory/4572-867-0x0000000000000000-mapping.dmp

Download
memory/4572-1802-0x0000000000000000-mapping.dmp

Download
memory/4576-1261-0x0000000000000000-mapping.dmp

Download
memory/4576-811-0x0000000000000000-mapping.dmp

Download
memory/4580-1853-0x0000000000000000-mapping.dmp

Download
memory/4580-644-0x0000000000000000-mapping.dmp

Download
memory/4584-1054-0x000000000041A1F8-mapping.dmp

Download
memory/4588-1359-0x000000000041A1F8-mapping.dmp

Download
memory/4592-1602-0x0000000000000000-mapping.dmp

Download
memory/4596-488-0x000000000041A1F8-mapping.dmp

Download
memory/4600-1417-0x0000000000000000-mapping.dmp

Download
memory/4600-815-0x000000000041A1F8-mapping.dmp

Download
memory/4604-665-0x0000000000000000-mapping.dmp

Download
memory/4604-1685-0x0000000000000000-mapping.dmp

Download
memory/4604-547-0x000000000041A1F8-mapping.dmp

Download
memory/4616-1514-0x0000000000000000-mapping.dmp

Download
memory/4616-1096-0x000000000041A1F8-mapping.dmp

Download
memory/4632-342-0x0000000000000000-mapping.dmp

Download
memory/4640-542-0x0000000000000000-mapping.dmp

Download
memory/4644-1051-0x0000000000000000-mapping.dmp

Download
memory/4648-1587-0x000000000041A1F8-mapping.dmp

Download
memory/4652-1909-0x0000000000000000-mapping.dmp

Download
memory/4652-343-0x0000000000000000-mapping.dmp

Download
memory/4652-1451-0x0000000000000000-mapping.dmp

Download
memory/4660-1673-0x0000000000000000-mapping.dmp

Download
memory/4664-1689-0x000000000041A1F8-mapping.dmp

Download
memory/4664-1905-0x0000000000000000-mapping.dmp

Download
memory/4664-1500-0x000000000041A1F8-mapping.dmp

Download
memory/4668-344-0x0000000000000000-mapping.dmp

Download
memory/4668-1767-0x0000000000000000-mapping.dmp

Download
memory/4672-574-0x0000000000000000-mapping.dmp

Download
memory/4672-1232-0x000000000041A1F8-mapping.dmp

Download
memory/4672-1497-0x0000000000000000-mapping.dmp

Download
memory/4680-1857-0x000000000041A1F8-mapping.dmp

Download
memory/4684-1944-0x000000000041A1F8-mapping.dmp

Download
memory/4688-1675-0x0000000000000000-mapping.dmp

Download
memory/4688-1028-0x0000000000000000-mapping.dmp

Download
memory/4692-1861-0x0000000000000000-mapping.dmp

Download
memory/4692-1464-0x0000000000000000-mapping.dmp

Download
memory/4696-1792-0x0000000000000000-mapping.dmp

Download
memory/4696-1040-0x000000000041A1F8-mapping.dmp

Download
memory/4700-637-0x0000000000000000-mapping.dmp

Download
memory/4700-1742-0x0000000000000000-mapping.dmp

Download
memory/4700-1429-0x000000000041A1F8-mapping.dmp

Download
memory/4704-1475-0x0000000000000000-mapping.dmp

Download
memory/4704-1725-0x000000000041A1F8-mapping.dmp

Download
memory/4712-1928-0x0000000000000000-mapping.dmp

Download
memory/4716-1854-0x0000000000000000-mapping.dmp

Download
memory/4720-643-0x0000000000000000-mapping.dmp

Download
memory/4720-813-0x0000000000000000-mapping.dmp

Download
memory/4720-345-0x0000000000000000-mapping.dmp

Download
memory/4728-1529-0x0000000000000000-mapping.dmp

Download
memory/4732-1087-0x0000000000000000-mapping.dmp

Download
memory/4732-1701-0x000000000041A1F8-mapping.dmp

Download
memory/4744-1919-0x000000000041A1F8-mapping.dmp

Download
memory/4748-1693-0x0000000000000000-mapping.dmp

Download
memory/4748-346-0x0000000000000000-mapping.dmp

Download
memory/4752-1314-0x0000000000000000-mapping.dmp

Download
memory/4752-1799-0x000000000041A1F8-mapping.dmp

Download
memory/4756-1248-0x0000000000000000-mapping.dmp

Download
memory/4760-1907-0x000000000041A1F8-mapping.dmp

Download
memory/4764-1431-0x0000000000000000-mapping.dmp

Download
memory/4772-1851-0x0000000000000000-mapping.dmp

Download
memory/4772-496-0x0000000000000000-mapping.dmp

Download
memory/4776-834-0x0000000000000000-mapping.dmp

Download
memory/4776-1657-0x000000000041A1F8-mapping.dmp

Download
memory/4780-633-0x000000000041A1F8-mapping.dmp

Download
memory/4780-1026-0x0000000000000000-mapping.dmp

Download
memory/4780-847-0x0000000000000000-mapping.dmp

Download
memory/4784-810-0x0000000000000000-mapping.dmp

Download
memory/4788-348-0x000000000041A1F8-mapping.dmp

Download
memory/4788-1490-0x0000000000000000-mapping.dmp

Download
memory/4792-486-0x0000000000000000-mapping.dmp

Download
memory/4792-1353-0x0000000000000000-mapping.dmp

Download
memory/4800-1831-0x000000000041A1F8-mapping.dmp

Download
memory/4804-1770-0x0000000000000000-mapping.dmp

Download
memory/4808-996-0x0000000000000000-mapping.dmp

Download
memory/4812-1070-0x000000000041A1F8-mapping.dmp

Download
memory/4812-1581-0x0000000000000000-mapping.dmp

Download
memory/4816-1249-0x0000000000000000-mapping.dmp

Download
memory/4820-627-0x0000000000000000-mapping.dmp

Download
memory/4820-1717-0x0000000000000000-mapping.dmp

Download
memory/4824-1075-0x0000000000000000-mapping.dmp

Download
memory/4828-1152-0x000000000041A1F8-mapping.dmp

Download
memory/4828-1259-0x0000000000000000-mapping.dmp

Download
memory/4828-1765-0x0000000000000000-mapping.dmp

Download
memory/4836-1663-0x0000000000000000-mapping.dmp

Download
memory/4836-1012-0x0000000000000000-mapping.dmp

Download
memory/4840-601-0x0000000000000000-mapping.dmp

Download
memory/4840-350-0x0000000000000000-mapping.dmp

Download
memory/4852-1462-0x0000000000000000-mapping.dmp

Download
memory/4860-668-0x0000000000000000-mapping.dmp

Download
memory/4864-1503-0x0000000000000000-mapping.dmp

Download
memory/4864-1781-0x000000000041A1F8-mapping.dmp

Download
memory/4864-1850-0x000000000041A1F8-mapping.dmp

Download
memory/4868-1763-0x0000000000000000-mapping.dmp

Download
memory/4872-1473-0x000000000041A1F8-mapping.dmp

Download
memory/4876-1229-0x0000000000000000-mapping.dmp

Download
memory/4876-851-0x000000000041A1F8-mapping.dmp

Download
memory/4876-1815-0x0000000000000000-mapping.dmp

Download
memory/4880-986-0x0000000000000000-mapping.dmp

Download
memory/4884-906-0x0000000000000000-mapping.dmp

Download
memory/4884-351-0x0000000000000000-mapping.dmp

Download
memory/4888-1461-0x0000000000000000-mapping.dmp

Download
memory/4892-1911-0x0000000000000000-mapping.dmp

Download
memory/4896-1439-0x0000000000000000-mapping.dmp

Download
memory/4900-1910-0x0000000000000000-mapping.dmp

Download
memory/4908-1934-0x0000000000000000-mapping.dmp

Download
memory/4908-1015-0x0000000000000000-mapping.dmp

Download
memory/4908-1080-0x0000000000000000-mapping.dmp

Download
memory/4912-352-0x0000000000000000-mapping.dmp

Download
memory/4916-1141-0x0000000000000000-mapping.dmp

Download
memory/4916-1279-0x0000000000000000-mapping.dmp

Download
memory/4920-730-0x000000000041A1F8-mapping.dmp

Download
memory/4924-893-0x0000000000000000-mapping.dmp

Download
memory/4928-518-0x000000000041A1F8-mapping.dmp

Download
memory/4928-913-0x000000000041A1F8-mapping.dmp

Download
memory/4932-809-0x0000000000000000-mapping.dmp

Download
memory/4932-1797-0x0000000000000000-mapping.dmp

Download
memory/4936-859-0x0000000000000000-mapping.dmp

Download
memory/4944-354-0x000000000041A1F8-mapping.dmp

Download
memory/4944-625-0x0000000000000000-mapping.dmp

Download
memory/4948-854-0x0000000000000000-mapping.dmp

Download
memory/4956-1659-0x0000000000000000-mapping.dmp

Download
memory/4956-485-0x0000000000000000-mapping.dmp

Download
memory/4956-1088-0x0000000000000000-mapping.dmp

Download
memory/4956-1930-0x000000000041A1F8-mapping.dmp

Download
memory/4956-839-0x0000000000000000-mapping.dmp

Download
memory/4960-1787-0x0000000000000000-mapping.dmp

Download
memory/4964-1674-0x0000000000000000-mapping.dmp

Download
memory/4968-1827-0x0000000000000000-mapping.dmp

Download
memory/4968-1531-0x000000000041A1F8-mapping.dmp

Download
memory/4980-1709-0x0000000000000000-mapping.dmp

Download
memory/4996-1032-0x0000000000000000-mapping.dmp

Download
memory/5000-1662-0x0000000000000000-mapping.dmp

Download
memory/5000-1860-0x0000000000000000-mapping.dmp

Download
memory/5008-356-0x0000000000000000-mapping.dmp

Download
memory/5008-611-0x000000000041A1F8-mapping.dmp

Download
memory/5008-685-0x0000000000000000-mapping.dmp

Download
memory/5012-1076-0x0000000000000000-mapping.dmp

Download
memory/5016-818-0x0000000000000000-mapping.dmp

Download
memory/5016-1437-0x000000000041A1F8-mapping.dmp

Download
memory/5024-1178-0x0000000000000000-mapping.dmp

Download
memory/5024-799-0x000000000041A1F8-mapping.dmp

Download
memory/5036-1471-0x0000000000000000-mapping.dmp

Download
memory/5040-693-0x000000000041A1F8-mapping.dmp

Download
memory/5040-1913-0x000000000041A1F8-mapping.dmp

Download
memory/5044-671-0x000000000041A1F8-mapping.dmp

Download
memory/5044-1931-0x0000000000000000-mapping.dmp

Download
memory/5048-1496-0x0000000000000000-mapping.dmp

Download
memory/5060-660-0x0000000000000000-mapping.dmp

Download
memory/5060-1027-0x0000000000000000-mapping.dmp

Download
memory/5060-1467-0x000000000041A1F8-mapping.dmp

Download
memory/5068-947-0x0000000000000000-mapping.dmp

Download
memory/5072-823-0x0000000000000000-mapping.dmp

Download
memory/5072-675-0x0000000000000000-mapping.dmp

Download
memory/5076-1756-0x000000000041A1F8-mapping.dmp

Download
memory/5076-606-0x0000000000000000-mapping.dmp

Download
memory/5076-1416-0x0000000000000000-mapping.dmp

Download
memory/5076-1882-0x000000000041A1F8-mapping.dmp

Download
memory/5080-1775-0x000000000041A1F8-mapping.dmp

Download
memory/5080-1017-0x000000000041A1F8-mapping.dmp

Download
memory/5084-364-0x0000000000000000-mapping.dmp

Download
memory/5088-1628-0x000000000041A1F8-mapping.dmp

Download
memory/5092-1073-0x0000000000000000-mapping.dmp

Download
memory/5100-1884-0x0000000000000000-mapping.dmp

Download
memory/5100-1030-0x000000000041A1F8-mapping.dmp

Download
memory/5104-1779-0x0000000000000000-mapping.dmp

Download
memory/5104-718-0x0000000000000000-mapping.dmp

Download
memory/5104-1415-0x0000000000000000-mapping.dmp

Download
memory/5108-1285-0x0000000000000000-mapping.dmp

Download
memory/5108-1124-0x000000000041A1F8-mapping.dmp

Download
memory/5108-1668-0x0000000000000000-mapping.dmp

Download
memory/5112-1691-0x0000000000000000-mapping.dmp

Download
memory/5116-1253-0x0000000000000000-mapping.dmp

Download
memory/5116-683-0x000000000041A1F8-mapping.dmp

Download