formbook | f4ca965db7cfd5944b5d6902f391f91f7c3994973955f2af97a91ec146977cc4

Analysis

max time kernel
150s
max time network
99s
platform
windows7_x64
resource
win7v200430
submitted
30-06-2020 06:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MFC PROJECT DETAILS.exe
Size

406KB
MD5

0f594997983db981f447a2ee5d640129
SHA1

bf31d7905e28e9ab32348471bb7a497d82c6aff7
SHA256

f4ca965db7cfd5944b5d6902f391f91f7c3994973955f2af97a91ec146977cc4
SHA512

0ee59d76aaee737b67336c5fd142e7f175ac5dbfce33052fd2ae7ea39dae2279d9363f660529caf26ec899a81331c48a6d873b26f09376b0cdea7bfb94902f58

Score

10^/10

trojan spyware stealer formbook persistence evasion

Malware Config

Signatures

Drops file in Program Files directory 1 IoCs

Processes:

NETSTAT.EXE

description ioc process

File opened for modification C:\Program Files (x86)\Kwr5\Cookiesrfcp.exe NETSTAT.EXE
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

Explorer.EXE

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Explorer.EXE

description	ioc	process
File opened for modification	C:\Program Files (x86)\Kwr5\Cookiesrfcp.exe	NETSTAT.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Explorer.EXE

Suspicious use of WriteProcessMemory 1224 IoCs

Processes:

MFC PROJECT DETAILS.exe

description	pid	process	target process
PID 1360 wrote to memory of 1480	1360	MFC PROJECT DETAILS.exe	RegAsm.exe
PID 1360 wrote to memory of 1480	1360	MFC PROJECT DETAILS.exe	RegAsm.exe
PID 1360 wrote to memory of 1480	1360	MFC PROJECT DETAILS.exe	RegAsm.exe
PID 1360 wrote to memory of 1480	1360	MFC PROJECT DETAILS.exe	RegAsm.exe
PID 1360 wrote to memory of 1480	1360	MFC PROJECT DETAILS.exe	RegAsm.exe
PID 1360 wrote to memory of 1480	1360	MFC PROJECT DETAILS.exe	RegAsm.exe
PID 1360 wrote to memory of 1480	1360	MFC PROJECT DETAILS.exe	RegAsm.exe
PID 1360 wrote to memory of 1508	1360	MFC PROJECT DETAILS.exe	RegAsm.exe
PID 1360 wrote to memory of 1508	1360	MFC PROJECT DETAILS.exe	RegAsm.exe
PID 1360 wrote to memory of 1508	1360	MFC PROJECT DETAILS.exe	RegAsm.exe
PID 1360 wrote to memory of 1508	1360	MFC PROJECT DETAILS.exe	RegAsm.exe
PID 1360 wrote to memory of 1508	1360	MFC PROJECT DETAILS.exe	RegAsm.exe
PID 1360 wrote to memory of 1508	1360	MFC PROJECT DETAILS.exe	RegAsm.exe
PID 1360 wrote to memory of 1508	1360	MFC PROJECT DETAILS.exe	RegAsm.exe
PID 1360 wrote to memory of 324	1360	MFC PROJECT DETAILS.exe	RegAsm.exe
PID 1360 wrote to memory of 324	1360	MFC PROJECT DETAILS.exe	RegAsm.exe
PID 1360 wrote to memory of 324	1360	MFC PROJECT DETAILS.exe	RegAsm.exe
PID 1360 wrote to memory of 324	1360	MFC PROJECT DETAILS.exe	RegAsm.exe
PID 1360 wrote to memory of 324	1360	MFC PROJECT DETAILS.exe	RegAsm.exe
PID 1360 wrote to memory of 324	1360	MFC PROJECT DETAILS.exe	RegAsm.exe
PID 1360 wrote to memory of 324	1360	MFC PROJECT DETAILS.exe	RegAsm.exe
PID 1360 wrote to memory of 1572	1360	MFC PROJECT DETAILS.exe	RegAsm.exe
PID 1360 wrote to memory of 1572	1360	MFC PROJECT DETAILS.exe	RegAsm.exe
PID 1360 wrote to memory of 1572	1360	MFC PROJECT DETAILS.exe	RegAsm.exe
PID 1360 wrote to memory of 1572	1360	MFC PROJECT DETAILS.exe	RegAsm.exe
PID 1360 wrote to memory of 1572	1360	MFC PROJECT DETAILS.exe	RegAsm.exe
PID 1360 wrote to memory of 1572	1360	MFC PROJECT DETAILS.exe	RegAsm.exe
PID 1360 wrote to memory of 1572	1360	MFC PROJECT DETAILS.exe	RegAsm.exe
PID 1360 wrote to memory of 1004	1360	MFC PROJECT DETAILS.exe	RegAsm.exe
PID 1360 wrote to memory of 1004	1360	MFC PROJECT DETAILS.exe	RegAsm.exe
PID 1360 wrote to memory of 1004	1360	MFC PROJECT DETAILS.exe	RegAsm.exe
PID 1360 wrote to memory of 1004	1360	MFC PROJECT DETAILS.exe	RegAsm.exe
PID 1360 wrote to memory of 1004	1360	MFC PROJECT DETAILS.exe	RegAsm.exe
PID 1360 wrote to memory of 1004	1360	MFC PROJECT DETAILS.exe	RegAsm.exe
PID 1360 wrote to memory of 1004	1360	MFC PROJECT DETAILS.exe	RegAsm.exe
PID 1360 wrote to memory of 1000	1360	MFC PROJECT DETAILS.exe	RegAsm.exe
PID 1360 wrote to memory of 1000	1360	MFC PROJECT DETAILS.exe	RegAsm.exe
PID 1360 wrote to memory of 1000	1360	MFC PROJECT DETAILS.exe	RegAsm.exe
PID 1360 wrote to memory of 1000	1360	MFC PROJECT DETAILS.exe	RegAsm.exe
PID 1360 wrote to memory of 1000	1360	MFC PROJECT DETAILS.exe	RegAsm.exe
PID 1360 wrote to memory of 1000	1360	MFC PROJECT DETAILS.exe	RegAsm.exe
PID 1360 wrote to memory of 1000	1360	MFC PROJECT DETAILS.exe	RegAsm.exe
PID 1360 wrote to memory of 1616	1360	MFC PROJECT DETAILS.exe	RegAsm.exe
PID 1360 wrote to memory of 1616	1360	MFC PROJECT DETAILS.exe	RegAsm.exe
PID 1360 wrote to memory of 1616	1360	MFC PROJECT DETAILS.exe	RegAsm.exe
PID 1360 wrote to memory of 1616	1360	MFC PROJECT DETAILS.exe	RegAsm.exe
PID 1360 wrote to memory of 1616	1360	MFC PROJECT DETAILS.exe	RegAsm.exe
PID 1360 wrote to memory of 1616	1360	MFC PROJECT DETAILS.exe	RegAsm.exe
PID 1360 wrote to memory of 1616	1360	MFC PROJECT DETAILS.exe	RegAsm.exe
PID 1360 wrote to memory of 1612	1360	MFC PROJECT DETAILS.exe	RegAsm.exe
PID 1360 wrote to memory of 1612	1360	MFC PROJECT DETAILS.exe	RegAsm.exe
PID 1360 wrote to memory of 1612	1360	MFC PROJECT DETAILS.exe	RegAsm.exe
PID 1360 wrote to memory of 1612	1360	MFC PROJECT DETAILS.exe	RegAsm.exe
PID 1360 wrote to memory of 1612	1360	MFC PROJECT DETAILS.exe	RegAsm.exe
PID 1360 wrote to memory of 1612	1360	MFC PROJECT DETAILS.exe	RegAsm.exe
PID 1360 wrote to memory of 1612	1360	MFC PROJECT DETAILS.exe	RegAsm.exe
PID 1360 wrote to memory of 780	1360	MFC PROJECT DETAILS.exe	RegAsm.exe
PID 1360 wrote to memory of 780	1360	MFC PROJECT DETAILS.exe	RegAsm.exe
PID 1360 wrote to memory of 780	1360	MFC PROJECT DETAILS.exe	RegAsm.exe
PID 1360 wrote to memory of 780	1360	MFC PROJECT DETAILS.exe	RegAsm.exe
PID 1360 wrote to memory of 780	1360	MFC PROJECT DETAILS.exe	RegAsm.exe
PID 1360 wrote to memory of 780	1360	MFC PROJECT DETAILS.exe	RegAsm.exe
PID 1360 wrote to memory of 780	1360	MFC PROJECT DETAILS.exe	RegAsm.exe
PID 1360 wrote to memory of 336	1360	MFC PROJECT DETAILS.exe	RegAsm.exe

Suspicious use of FindShellTrayWindow 5 IoCs

Processes:

Explorer.EXE

pid process

1324 Explorer.EXE
1324 Explorer.EXE
1324 Explorer.EXE
1324 Explorer.EXE
1324 Explorer.EXE
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1324	Explorer.EXE
1324	Explorer.EXE
1324	Explorer.EXE
1324	Explorer.EXE
1324	Explorer.EXE

Suspicious behavior: MapViewOfSection 192 IoCs

Processes:

MFC PROJECT DETAILS.exe

pid	process
1360	MFC PROJECT DETAILS.exe
1360	MFC PROJECT DETAILS.exe
1360	MFC PROJECT DETAILS.exe
1360	MFC PROJECT DETAILS.exe
1360	MFC PROJECT DETAILS.exe
1360	MFC PROJECT DETAILS.exe
1360	MFC PROJECT DETAILS.exe
1360	MFC PROJECT DETAILS.exe
1360	MFC PROJECT DETAILS.exe
1360	MFC PROJECT DETAILS.exe
1360	MFC PROJECT DETAILS.exe
1360	MFC PROJECT DETAILS.exe
1360	MFC PROJECT DETAILS.exe
1360	MFC PROJECT DETAILS.exe
1360	MFC PROJECT DETAILS.exe
1360	MFC PROJECT DETAILS.exe
1360	MFC PROJECT DETAILS.exe
1360	MFC PROJECT DETAILS.exe
1360	MFC PROJECT DETAILS.exe
1360	MFC PROJECT DETAILS.exe
1360	MFC PROJECT DETAILS.exe
1360	MFC PROJECT DETAILS.exe
1360	MFC PROJECT DETAILS.exe
1360	MFC PROJECT DETAILS.exe
1360	MFC PROJECT DETAILS.exe
1360	MFC PROJECT DETAILS.exe
1360	MFC PROJECT DETAILS.exe
1360	MFC PROJECT DETAILS.exe
1360	MFC PROJECT DETAILS.exe
1360	MFC PROJECT DETAILS.exe
1360	MFC PROJECT DETAILS.exe
1360	MFC PROJECT DETAILS.exe
1360	MFC PROJECT DETAILS.exe
1360	MFC PROJECT DETAILS.exe
1360	MFC PROJECT DETAILS.exe
1360	MFC PROJECT DETAILS.exe
1360	MFC PROJECT DETAILS.exe
1360	MFC PROJECT DETAILS.exe
1360	MFC PROJECT DETAILS.exe
1360	MFC PROJECT DETAILS.exe
1360	MFC PROJECT DETAILS.exe
1360	MFC PROJECT DETAILS.exe
1360	MFC PROJECT DETAILS.exe
1360	MFC PROJECT DETAILS.exe
1360	MFC PROJECT DETAILS.exe
1360	MFC PROJECT DETAILS.exe
1360	MFC PROJECT DETAILS.exe
1360	MFC PROJECT DETAILS.exe
1360	MFC PROJECT DETAILS.exe
1360	MFC PROJECT DETAILS.exe
1360	MFC PROJECT DETAILS.exe
1360	MFC PROJECT DETAILS.exe
1360	MFC PROJECT DETAILS.exe
1360	MFC PROJECT DETAILS.exe
1360	MFC PROJECT DETAILS.exe
1360	MFC PROJECT DETAILS.exe
1360	MFC PROJECT DETAILS.exe
1360	MFC PROJECT DETAILS.exe
1360	MFC PROJECT DETAILS.exe
1360	MFC PROJECT DETAILS.exe
1360	MFC PROJECT DETAILS.exe
1360	MFC PROJECT DETAILS.exe
1360	MFC PROJECT DETAILS.exe
1360	MFC PROJECT DETAILS.exe

Suspicious use of SendNotifyMessage 4 IoCs

Processes:

Explorer.EXE

pid process

1324 Explorer.EXE
1324 Explorer.EXE
1324 Explorer.EXE
1324 Explorer.EXE

pid	process
1324	Explorer.EXE
1324	Explorer.EXE
1324	Explorer.EXE
1324	Explorer.EXE

Adds Run entry to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

NETSTAT.EXE

description	ioc	process
Key created	\Registry\Machine\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	NETSTAT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\K4D0B4BP-27 = "C:\\Program Files (x86)\\Kwr5\\Cookiesrfcp.exe"	NETSTAT.EXE

Suspicious use of AdjustPrivilegeToken 59 IoCs

Processes:

RegAsm.exeMFC PROJECT DETAILS.exeMFC PROJECT DETAILS.exeRegAsm.exeMFC PROJECT DETAILS.exeRegAsm.exeMFC PROJECT DETAILS.exeRegAsm.exeMFC PROJECT DETAILS.exeRegAsm.exeRegAsm.exeMFC PROJECT DETAILS.exeMFC PROJECT DETAILS.exeRegAsm.exeMFC PROJECT DETAILS.exeRegAsm.exeMFC PROJECT DETAILS.exeRegAsm.exeNETSTAT.EXERegAsm.exeMFC PROJECT DETAILS.exemsiexec.exeNETSTAT.EXEwuapp.execmd.exeMFC PROJECT DETAILS.exeRegAsm.exerundll32.exemsiexec.exeMFC PROJECT DETAILS.exeRegAsm.exeMFC PROJECT DETAILS.exeRegAsm.exeMFC PROJECT DETAILS.exeRegAsm.exeMFC PROJECT DETAILS.exeRegAsm.exesvchost.exeMFC PROJECT DETAILS.exeRegAsm.exeMFC PROJECT DETAILS.exechkdsk.exeRegAsm.exewscript.exeRegAsm.exeMFC PROJECT DETAILS.execontrol.exeNAPSTAT.EXERegAsm.exeMFC PROJECT DETAILS.exeMFC PROJECT DETAILS.exeRegAsm.exeraserver.execmstp.exemsdt.exewininit.execscript.execontrol.exewuapp.exe

description	pid	process
Token: SeDebugPrivilege	2176	RegAsm.exe
Token: SeDebugPrivilege	1360	MFC PROJECT DETAILS.exe
Token: SeDebugPrivilege	2260	MFC PROJECT DETAILS.exe
Token: SeDebugPrivilege	2288	RegAsm.exe
Token: SeDebugPrivilege	2364	MFC PROJECT DETAILS.exe
Token: SeDebugPrivilege	2392	RegAsm.exe
Token: SeDebugPrivilege	2480	MFC PROJECT DETAILS.exe
Token: SeDebugPrivilege	2508	RegAsm.exe
Token: SeDebugPrivilege	2584	MFC PROJECT DETAILS.exe
Token: SeDebugPrivilege	2628	RegAsm.exe
Token: SeDebugPrivilege	2732	RegAsm.exe
Token: SeDebugPrivilege	2704	MFC PROJECT DETAILS.exe
Token: SeDebugPrivilege	2844	MFC PROJECT DETAILS.exe
Token: SeDebugPrivilege	2872	RegAsm.exe
Token: SeDebugPrivilege	2948	MFC PROJECT DETAILS.exe
Token: SeDebugPrivilege	2976	RegAsm.exe
Token: SeDebugPrivilege	3064	MFC PROJECT DETAILS.exe
Token: SeDebugPrivilege	2296	RegAsm.exe
Token: SeDebugPrivilege	2416	NETSTAT.EXE
Token: SeDebugPrivilege	1388	RegAsm.exe
Token: SeDebugPrivilege	1052	MFC PROJECT DETAILS.exe
Token: SeDebugPrivilege	2532	msiexec.exe
Token: SeDebugPrivilege	2760	NETSTAT.EXE
Token: SeDebugPrivilege	2836	wuapp.exe
Token: SeDebugPrivilege	3000	cmd.exe
Token: SeDebugPrivilege	1772	MFC PROJECT DETAILS.exe
Token: SeDebugPrivilege	572	RegAsm.exe
Token: SeDebugPrivilege	1004	rundll32.exe
Token: SeDebugPrivilege	1824	msiexec.exe
Token: SeDebugPrivilege	1596	MFC PROJECT DETAILS.exe
Token: SeDebugPrivilege	1568	RegAsm.exe
Token: SeDebugPrivilege	2004	MFC PROJECT DETAILS.exe
Token: SeDebugPrivilege	1992	RegAsm.exe
Token: SeDebugPrivilege	1580	MFC PROJECT DETAILS.exe
Token: SeDebugPrivilege	2072	RegAsm.exe
Token: SeDebugPrivilege	2300	MFC PROJECT DETAILS.exe
Token: SeDebugPrivilege	1412	RegAsm.exe
Token: SeDebugPrivilege	1864	svchost.exe
Token: SeDebugPrivilege	2412	MFC PROJECT DETAILS.exe
Token: SeDebugPrivilege	2472	RegAsm.exe
Token: SeDebugPrivilege	2796	MFC PROJECT DETAILS.exe
Token: SeDebugPrivilege	2832	chkdsk.exe
Token: SeDebugPrivilege	2556	RegAsm.exe
Token: SeDebugPrivilege	2136	wscript.exe
Token: SeDebugPrivilege	2888	RegAsm.exe
Token: SeDebugPrivilege	2208	MFC PROJECT DETAILS.exe
Token: SeDebugPrivilege	2668	control.exe
Token: SeDebugPrivilege	2252	NAPSTAT.EXE
Token: SeDebugPrivilege	2404	RegAsm.exe
Token: SeDebugPrivilege	2432	MFC PROJECT DETAILS.exe
Token: SeDebugPrivilege	1848	MFC PROJECT DETAILS.exe
Token: SeDebugPrivilege	2268	RegAsm.exe
Token: SeDebugPrivilege	2728	raserver.exe
Token: SeDebugPrivilege	2460	cmstp.exe
Token: SeDebugPrivilege	2948	msdt.exe
Token: SeDebugPrivilege	2848	wininit.exe
Token: SeDebugPrivilege	2756	cscript.exe
Token: SeDebugPrivilege	1088	control.exe
Token: SeDebugPrivilege	1812	wuapp.exe

Suspicious behavior: EnumeratesProcesses 3522 IoCs

Processes:

RegAsm.exeMFC PROJECT DETAILS.exe

pid	process
2176	RegAsm.exe
2176	RegAsm.exe
1360	MFC PROJECT DETAILS.exe
1360	MFC PROJECT DETAILS.exe
1360	MFC PROJECT DETAILS.exe
1360	MFC PROJECT DETAILS.exe
1360	MFC PROJECT DETAILS.exe
1360	MFC PROJECT DETAILS.exe
1360	MFC PROJECT DETAILS.exe
1360	MFC PROJECT DETAILS.exe
1360	MFC PROJECT DETAILS.exe
1360	MFC PROJECT DETAILS.exe
1360	MFC PROJECT DETAILS.exe
1360	MFC PROJECT DETAILS.exe
1360	MFC PROJECT DETAILS.exe
1360	MFC PROJECT DETAILS.exe
1360	MFC PROJECT DETAILS.exe
1360	MFC PROJECT DETAILS.exe
1360	MFC PROJECT DETAILS.exe
1360	MFC PROJECT DETAILS.exe
1360	MFC PROJECT DETAILS.exe
1360	MFC PROJECT DETAILS.exe
1360	MFC PROJECT DETAILS.exe
1360	MFC PROJECT DETAILS.exe
1360	MFC PROJECT DETAILS.exe
1360	MFC PROJECT DETAILS.exe
1360	MFC PROJECT DETAILS.exe
1360	MFC PROJECT DETAILS.exe
1360	MFC PROJECT DETAILS.exe
1360	MFC PROJECT DETAILS.exe
1360	MFC PROJECT DETAILS.exe
1360	MFC PROJECT DETAILS.exe
1360	MFC PROJECT DETAILS.exe
1360	MFC PROJECT DETAILS.exe
1360	MFC PROJECT DETAILS.exe
1360	MFC PROJECT DETAILS.exe
1360	MFC PROJECT DETAILS.exe
1360	MFC PROJECT DETAILS.exe
1360	MFC PROJECT DETAILS.exe
1360	MFC PROJECT DETAILS.exe
1360	MFC PROJECT DETAILS.exe
1360	MFC PROJECT DETAILS.exe
1360	MFC PROJECT DETAILS.exe
1360	MFC PROJECT DETAILS.exe
1360	MFC PROJECT DETAILS.exe
1360	MFC PROJECT DETAILS.exe
1360	MFC PROJECT DETAILS.exe
1360	MFC PROJECT DETAILS.exe
1360	MFC PROJECT DETAILS.exe
1360	MFC PROJECT DETAILS.exe
1360	MFC PROJECT DETAILS.exe
1360	MFC PROJECT DETAILS.exe
1360	MFC PROJECT DETAILS.exe
1360	MFC PROJECT DETAILS.exe
1360	MFC PROJECT DETAILS.exe
1360	MFC PROJECT DETAILS.exe
1360	MFC PROJECT DETAILS.exe
1360	MFC PROJECT DETAILS.exe
1360	MFC PROJECT DETAILS.exe
1360	MFC PROJECT DETAILS.exe
1360	MFC PROJECT DETAILS.exe
1360	MFC PROJECT DETAILS.exe
1360	MFC PROJECT DETAILS.exe
1360	MFC PROJECT DETAILS.exe

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

NETSTAT.EXE

description	ioc	process
Key created	\Registry\User\S-1-5-21-910373003-3952921535-3480519689-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	NETSTAT.EXE

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

chkdsk.exe

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier chkdsk.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	chkdsk.exe

Suspicious use of SetThreadContext 48 IoCs

Processes:

MFC PROJECT DETAILS.exeRegAsm.exeMFC PROJECT DETAILS.exeMFC PROJECT DETAILS.exeRegAsm.exeMFC PROJECT DETAILS.exeRegAsm.exeRegAsm.exeMFC PROJECT DETAILS.exeMFC PROJECT DETAILS.exeRegAsm.exeRegAsm.exeMFC PROJECT DETAILS.exeMFC PROJECT DETAILS.exeRegAsm.exeMFC PROJECT DETAILS.exeRegAsm.exeRegAsm.exeMFC PROJECT DETAILS.exeRegAsm.exeMFC PROJECT DETAILS.exeRegAsm.exeMFC PROJECT DETAILS.exeRegAsm.exeMFC PROJECT DETAILS.exeRegAsm.exeMFC PROJECT DETAILS.exeRegAsm.exeMFC PROJECT DETAILS.exeMFC PROJECT DETAILS.exeRegAsm.exeMFC PROJECT DETAILS.exeRegAsm.exeNETSTAT.EXEMFC PROJECT DETAILS.exeRegAsm.exeRegAsm.exeMFC PROJECT DETAILS.exeRegAsm.exeMFC PROJECT DETAILS.exeRegAsm.exe

description	pid	process	target process
PID 1360 set thread context of 2176	1360	MFC PROJECT DETAILS.exe	RegAsm.exe
PID 2176 set thread context of 1324	2176	RegAsm.exe	Explorer.EXE
PID 2260 set thread context of 2288	2260	MFC PROJECT DETAILS.exe	RegAsm.exe
PID 2364 set thread context of 2392	2364	MFC PROJECT DETAILS.exe	RegAsm.exe
PID 2288 set thread context of 1324	2288	RegAsm.exe	Explorer.EXE
PID 2480 set thread context of 2508	2480	MFC PROJECT DETAILS.exe	RegAsm.exe
PID 2392 set thread context of 1324	2392	RegAsm.exe	Explorer.EXE
PID 2508 set thread context of 1324	2508	RegAsm.exe	Explorer.EXE
PID 2584 set thread context of 2628	2584	MFC PROJECT DETAILS.exe	RegAsm.exe
PID 2704 set thread context of 2732	2704	MFC PROJECT DETAILS.exe	RegAsm.exe
PID 2628 set thread context of 1324	2628	RegAsm.exe	Explorer.EXE
PID 2732 set thread context of 1324	2732	RegAsm.exe	Explorer.EXE
PID 2844 set thread context of 2872	2844	MFC PROJECT DETAILS.exe	RegAsm.exe
PID 2948 set thread context of 2976	2948	MFC PROJECT DETAILS.exe	RegAsm.exe
PID 2872 set thread context of 1324	2872	RegAsm.exe	Explorer.EXE
PID 3064 set thread context of 2296	3064	MFC PROJECT DETAILS.exe	RegAsm.exe
PID 2976 set thread context of 1324	2976	RegAsm.exe	Explorer.EXE
PID 2296 set thread context of 1324	2296	RegAsm.exe	Explorer.EXE
PID 1052 set thread context of 1388	1052	MFC PROJECT DETAILS.exe	RegAsm.exe
PID 1388 set thread context of 1324	1388	RegAsm.exe	Explorer.EXE
PID 2176 set thread context of 1324	2176	RegAsm.exe	Explorer.EXE
PID 1772 set thread context of 572	1772	MFC PROJECT DETAILS.exe	RegAsm.exe
PID 2508 set thread context of 1324	2508	RegAsm.exe	Explorer.EXE
PID 572 set thread context of 1324	572	RegAsm.exe	Explorer.EXE
PID 1596 set thread context of 1568	1596	MFC PROJECT DETAILS.exe	RegAsm.exe
PID 1568 set thread context of 1324	1568	RegAsm.exe	Explorer.EXE
PID 2004 set thread context of 1992	2004	MFC PROJECT DETAILS.exe	RegAsm.exe
PID 1992 set thread context of 1324	1992	RegAsm.exe	Explorer.EXE
PID 1580 set thread context of 2072	1580	MFC PROJECT DETAILS.exe	RegAsm.exe
PID 2296 set thread context of 1324	2296	RegAsm.exe	Explorer.EXE
PID 2072 set thread context of 1324	2072	RegAsm.exe	Explorer.EXE
PID 2300 set thread context of 1412	2300	MFC PROJECT DETAILS.exe	RegAsm.exe
PID 2412 set thread context of 2472	2412	MFC PROJECT DETAILS.exe	RegAsm.exe
PID 1412 set thread context of 1324	1412	RegAsm.exe	Explorer.EXE
PID 2796 set thread context of 2556	2796	MFC PROJECT DETAILS.exe	RegAsm.exe
PID 2472 set thread context of 1324	2472	RegAsm.exe	Explorer.EXE
PID 2416 set thread context of 1324	2416	NETSTAT.EXE	Explorer.EXE
PID 2208 set thread context of 2888	2208	MFC PROJECT DETAILS.exe	RegAsm.exe
PID 2556 set thread context of 1324	2556	RegAsm.exe	Explorer.EXE
PID 2888 set thread context of 1324	2888	RegAsm.exe	Explorer.EXE
PID 572 set thread context of 1324	572	RegAsm.exe	Explorer.EXE
PID 2432 set thread context of 2404	2432	MFC PROJECT DETAILS.exe	RegAsm.exe
PID 1568 set thread context of 1324	1568	RegAsm.exe	Explorer.EXE
PID 2404 set thread context of 1324	2404	RegAsm.exe	Explorer.EXE
PID 1848 set thread context of 2268	1848	MFC PROJECT DETAILS.exe	RegAsm.exe
PID 2268 set thread context of 1324	2268	RegAsm.exe	Explorer.EXE
PID 2404 set thread context of 1324	2404	RegAsm.exe	Explorer.EXE
PID 2268 set thread context of 1324	2268	RegAsm.exe	Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Checks whether UAC is enabled
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1324

C:\Users\Admin\AppData\Local\Temp\MFC PROJECT DETAILS.exe
"C:\Users\Admin\AppData\Local\Temp\MFC PROJECT DETAILS.exe"
2⤵
- Suspicious use of WriteProcessMemory
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetThreadContext
PID:1360

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:1480

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:1508

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:324

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:1572

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:1004

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:1000

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:1616

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:1612

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:780

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:336

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:740

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:1628

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:1044

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:1068

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:820

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:1532

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:1520

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:1496

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:1684

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:1388

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:1368

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:1228

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:1784

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:1804

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:1796

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:1820

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:1812

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:1836

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:1828

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:1740

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:1780

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:1776

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:1764

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:1772

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:1756

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:520

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:368

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:752

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:796

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:296

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:556

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:592

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:1220

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:564

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:1308

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:1088

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:964

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:1304

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:1636

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:1624

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:1584

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:1600

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:1608

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:1632

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:1648

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:1744

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:1564

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:1560

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:1544

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:1932

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:1916

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:1892

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:1872

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:1876

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:1948

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:1976

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:2004

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:1960

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:1956

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:1952

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:1936

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:1676

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:1992

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:2032

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:844

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:1096

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:816

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:2016

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:300

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:1056

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:604

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:2044

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:1476

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:1580

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:1492

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:2056

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:2064

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:2072

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:2080

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:2088

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:2096

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:2104

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:2112

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:2120

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:2128

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:2136

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:2144

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:2152

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:2160

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:2168

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetThreadContext
PID:2176

C:\Windows\SysWOW64\chkdsk.exe
"C:\Windows\SysWOW64\chkdsk.exe"
4⤵
- Suspicious use of AdjustPrivilegeToken
- Enumerates system info in registry
PID:2832

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\MFC PROJECT DETAILS.exe"
3⤵
PID:2208

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:2240

C:\Users\Admin\AppData\Local\Temp\MFC PROJECT DETAILS.exe
"C:\Users\Admin\AppData\Local\Temp\MFC PROJECT DETAILS.exe"
3⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetThreadContext
PID:2260

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetThreadContext
PID:2288

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\MFC PROJECT DETAILS.exe"
4⤵
PID:2312

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
5⤵
PID:2352

C:\Users\Admin\AppData\Local\Temp\MFC PROJECT DETAILS.exe
"C:\Users\Admin\AppData\Local\Temp\MFC PROJECT DETAILS.exe"
4⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetThreadContext
PID:2364

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
5⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetThreadContext
PID:2392

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\MFC PROJECT DETAILS.exe"
5⤵
PID:2428

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
6⤵
PID:2460

C:\Users\Admin\AppData\Local\Temp\MFC PROJECT DETAILS.exe
"C:\Users\Admin\AppData\Local\Temp\MFC PROJECT DETAILS.exe"
5⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetThreadContext
PID:2480

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
6⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetThreadContext
PID:2508

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\MFC PROJECT DETAILS.exe"
6⤵
PID:2544

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
7⤵
PID:2596

C:\Users\Admin\AppData\Local\Temp\MFC PROJECT DETAILS.exe
"C:\Users\Admin\AppData\Local\Temp\MFC PROJECT DETAILS.exe"
6⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetThreadContext
PID:2584

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
7⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetThreadContext
PID:2628

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\MFC PROJECT DETAILS.exe"
7⤵
PID:2652

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
8⤵
PID:2692

C:\Users\Admin\AppData\Local\Temp\MFC PROJECT DETAILS.exe
"C:\Users\Admin\AppData\Local\Temp\MFC PROJECT DETAILS.exe"
7⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetThreadContext
PID:2704

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
8⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetThreadContext
PID:2732

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\MFC PROJECT DETAILS.exe"
8⤵
PID:2772

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
9⤵
PID:2816

C:\Users\Admin\AppData\Local\Temp\MFC PROJECT DETAILS.exe
"C:\Users\Admin\AppData\Local\Temp\MFC PROJECT DETAILS.exe"
8⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetThreadContext
PID:2844

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
9⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetThreadContext
PID:2872

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\MFC PROJECT DETAILS.exe"
9⤵
PID:2896

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
10⤵
PID:2936

C:\Users\Admin\AppData\Local\Temp\MFC PROJECT DETAILS.exe
"C:\Users\Admin\AppData\Local\Temp\MFC PROJECT DETAILS.exe"
9⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetThreadContext
PID:2948

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
10⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetThreadContext
PID:2976

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\MFC PROJECT DETAILS.exe"
10⤵
PID:3012

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
11⤵
PID:3044

C:\Users\Admin\AppData\Local\Temp\MFC PROJECT DETAILS.exe
"C:\Users\Admin\AppData\Local\Temp\MFC PROJECT DETAILS.exe"
10⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetThreadContext
PID:3064

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
11⤵
PID:2268

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
11⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetThreadContext
PID:2296

C:\Windows\SysWOW64\msdt.exe
"C:\Windows\SysWOW64\msdt.exe"
12⤵
- Suspicious use of AdjustPrivilegeToken
PID:2948

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\MFC PROJECT DETAILS.exe"
11⤵
PID:324

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
12⤵
PID:740

C:\Users\Admin\AppData\Local\Temp\MFC PROJECT DETAILS.exe
"C:\Users\Admin\AppData\Local\Temp\MFC PROJECT DETAILS.exe"
11⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetThreadContext
PID:1052

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
12⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetThreadContext
PID:1388

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\MFC PROJECT DETAILS.exe"
12⤵
PID:1792

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
13⤵
PID:1852

C:\Users\Admin\AppData\Local\Temp\MFC PROJECT DETAILS.exe
"C:\Users\Admin\AppData\Local\Temp\MFC PROJECT DETAILS.exe"
12⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetThreadContext
PID:1772

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
13⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetThreadContext
PID:572

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\MFC PROJECT DETAILS.exe"
13⤵
PID:1316

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
14⤵
PID:1624

C:\Users\Admin\AppData\Local\Temp\MFC PROJECT DETAILS.exe
"C:\Users\Admin\AppData\Local\Temp\MFC PROJECT DETAILS.exe"
13⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetThreadContext
PID:1596

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
14⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetThreadContext
PID:1568

C:\Windows\SysWOW64\control.exe
"C:\Windows\SysWOW64\control.exe"
15⤵
- Suspicious use of AdjustPrivilegeToken
PID:1088

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\MFC PROJECT DETAILS.exe"
14⤵
PID:1916

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
15⤵
PID:1968

C:\Users\Admin\AppData\Local\Temp\MFC PROJECT DETAILS.exe
"C:\Users\Admin\AppData\Local\Temp\MFC PROJECT DETAILS.exe"
14⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetThreadContext
PID:2004

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
15⤵
PID:1676

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
15⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetThreadContext
PID:1992

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\MFC PROJECT DETAILS.exe"
15⤵
PID:1096

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
16⤵
PID:1488

C:\Users\Admin\AppData\Local\Temp\MFC PROJECT DETAILS.exe
"C:\Users\Admin\AppData\Local\Temp\MFC PROJECT DETAILS.exe"
15⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetThreadContext
PID:1580

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
16⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetThreadContext
PID:2072

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\MFC PROJECT DETAILS.exe"
16⤵
PID:2104

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
17⤵
PID:2160

C:\Users\Admin\AppData\Local\Temp\MFC PROJECT DETAILS.exe
"C:\Users\Admin\AppData\Local\Temp\MFC PROJECT DETAILS.exe"
16⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetThreadContext
PID:2300

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
17⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetThreadContext
PID:1412

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\MFC PROJECT DETAILS.exe"
17⤵
PID:2204

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
18⤵
PID:2516

C:\Users\Admin\AppData\Local\Temp\MFC PROJECT DETAILS.exe
"C:\Users\Admin\AppData\Local\Temp\MFC PROJECT DETAILS.exe"
17⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetThreadContext
PID:2412

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
18⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetThreadContext
PID:2472

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\MFC PROJECT DETAILS.exe"
18⤵
PID:2388

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
19⤵
PID:2780

C:\Users\Admin\AppData\Local\Temp\MFC PROJECT DETAILS.exe
"C:\Users\Admin\AppData\Local\Temp\MFC PROJECT DETAILS.exe"
18⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetThreadContext
PID:2796

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
19⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetThreadContext
PID:2556

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\MFC PROJECT DETAILS.exe"
19⤵
PID:2240

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
20⤵
PID:2932

C:\Users\Admin\AppData\Local\Temp\MFC PROJECT DETAILS.exe
"C:\Users\Admin\AppData\Local\Temp\MFC PROJECT DETAILS.exe"
19⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetThreadContext
PID:2208

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
20⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetThreadContext
PID:2888

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\MFC PROJECT DETAILS.exe"
20⤵
PID:2344

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
21⤵
PID:2844

C:\Users\Admin\AppData\Local\Temp\MFC PROJECT DETAILS.exe
"C:\Users\Admin\AppData\Local\Temp\MFC PROJECT DETAILS.exe"
20⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetThreadContext
PID:2432

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
21⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetThreadContext
PID:2404

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\MFC PROJECT DETAILS.exe"
21⤵
PID:2656

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
22⤵
PID:2744

C:\Users\Admin\AppData\Local\Temp\MFC PROJECT DETAILS.exe
"C:\Users\Admin\AppData\Local\Temp\MFC PROJECT DETAILS.exe"
21⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetThreadContext
PID:1848

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
22⤵
PID:2792

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
22⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetThreadContext
PID:2268

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\MFC PROJECT DETAILS.exe"
22⤵
PID:3008

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
23⤵
PID:668

C:\Users\Admin\AppData\Local\Temp\MFC PROJECT DETAILS.exe
"C:\Users\Admin\AppData\Local\Temp\MFC PROJECT DETAILS.exe"
22⤵
PID:3036

C:\Windows\SysWOW64\NETSTAT.EXE
"C:\Windows\SysWOW64\NETSTAT.EXE"
2⤵
- Drops file in Program Files directory
- Adds Run entry to start application
- Suspicious use of AdjustPrivilegeToken
- Modifies Internet Explorer settings
- Suspicious use of SetThreadContext
PID:2416

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:1528

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:1420

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\SysWOW64\msiexec.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2532

C:\Windows\SysWOW64\NETSTAT.EXE
"C:\Windows\SysWOW64\NETSTAT.EXE"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2760

C:\Windows\SysWOW64\wuapp.exe
"C:\Windows\SysWOW64\wuapp.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2836

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3000

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1004

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\SysWOW64\msiexec.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1824

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\SysWOW64\svchost.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1864

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:2100

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:2124

C:\Windows\SysWOW64\wscript.exe
"C:\Windows\SysWOW64\wscript.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2136

C:\Windows\SysWOW64\NAPSTAT.EXE
"C:\Windows\SysWOW64\NAPSTAT.EXE"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2252

C:\Windows\SysWOW64\control.exe
"C:\Windows\SysWOW64\control.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2668

C:\Windows\SysWOW64\cscript.exe
"C:\Windows\SysWOW64\cscript.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2756

C:\Windows\SysWOW64\raserver.exe
"C:\Windows\SysWOW64\raserver.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2728

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:328

C:\Windows\SysWOW64\cmstp.exe
"C:\Windows\SysWOW64\cmstp.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2460

C:\Windows\SysWOW64\wininit.exe
"C:\Windows\SysWOW64\wininit.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2848

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:2188

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:1508

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:3064

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:1120

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:1584

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:1604

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:1880

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:1364

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:1780

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:1852

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:1892

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:1804

C:\Windows\SysWOW64\wuapp.exe
"C:\Windows\SysWOW64\wuapp.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1812

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\N6LB7Q7Q\N6Llogim.jpeg

Download Submit
C:\Users\Admin\AppData\Roaming\N6LB7Q7Q\N6Llogrf.ini

Download Submit
C:\Users\Admin\AppData\Roaming\N6LB7Q7Q\N6Llogri.ini

Download Submit
C:\Users\Admin\AppData\Roaming\N6LB7Q7Q\N6Llogrv.ini

Download Submit
memory/324-45-0x0000000000000000-mapping.dmp

Download
memory/572-67-0x000000000041E2B0-mapping.dmp

Download
memory/668-138-0x0000000000000000-mapping.dmp

Download
memory/740-49-0x0000000000000000-mapping.dmp

Download
memory/1004-68-0x0000000000850000-0x000000000085E000-memory.dmp

Filesize
56KB

Download
memory/1004-65-0x0000000000000000-mapping.dmp

Download
memory/1052-50-0x0000000000000000-mapping.dmp

Download
memory/1088-142-0x0000000000000000-mapping.dmp

Download
memory/1088-143-0x0000000000140000-0x000000000015F000-memory.dmp

Filesize
124KB

Download
memory/1096-82-0x0000000000000000-mapping.dmp

Download
memory/1316-69-0x0000000000000000-mapping.dmp

Download
memory/1324-144-0x0000000004A80000-0x0000000004B39000-memory.dmp

Filesize
740KB

Download
memory/1324-44-0x0000000006D60000-0x0000000006E85000-memory.dmp

Filesize
1.1MB

Download
memory/1324-29-0x0000000007770000-0x000000000786D000-memory.dmp

Filesize
1012KB

Download
memory/1324-57-0x0000000007BA0000-0x0000000007CD7000-memory.dmp

Filesize
1.2MB

Download
memory/1324-70-0x0000000007E30000-0x0000000007F8C000-memory.dmp

Filesize
1.4MB

Download
memory/1324-85-0x0000000008AB0000-0x0000000008C15000-memory.dmp

Filesize
1.4MB

Download
memory/1324-27-0x0000000007620000-0x000000000776D000-memory.dmp

Filesize
1.3MB

Download
memory/1388-54-0x000000000041E2B0-mapping.dmp

Download
memory/1412-92-0x000000000041E2B0-mapping.dmp

Download
memory/1420-153-0x000000013F8B0000-0x000000013F943000-memory.dmp

Filesize
588KB

Download
memory/1420-152-0x0000000000000000-mapping.dmp

Download
memory/1488-83-0x0000000000000000-mapping.dmp

Download
memory/1528-51-0x0000000000000000-mapping.dmp

Download
memory/1568-75-0x000000000041E2B0-mapping.dmp

Download
memory/1580-84-0x0000000000000000-mapping.dmp

Download
memory/1596-72-0x0000000000000000-mapping.dmp

Download
memory/1624-71-0x0000000000000000-mapping.dmp

Download
memory/1772-62-0x0000000000000000-mapping.dmp

Download
memory/1792-55-0x0000000000000000-mapping.dmp

Download
memory/1812-145-0x0000000000000000-mapping.dmp

Download
memory/1812-146-0x0000000001230000-0x000000000123B000-memory.dmp

Filesize
44KB

Download
memory/1824-76-0x0000000000E80000-0x0000000000E94000-memory.dmp

Filesize
80KB

Download
memory/1824-74-0x0000000000000000-mapping.dmp

Download
memory/1848-126-0x0000000000000000-mapping.dmp

Download
memory/1852-60-0x0000000000000000-mapping.dmp

Download
memory/1864-97-0x00000000003D0000-0x00000000003D8000-memory.dmp

Filesize
32KB

Download
memory/1864-96-0x0000000000000000-mapping.dmp

Download
memory/1916-77-0x0000000000000000-mapping.dmp

Download
memory/1968-79-0x0000000000000000-mapping.dmp

Download
memory/1992-81-0x000000000041E2B0-mapping.dmp

Download
memory/2004-78-0x0000000000000000-mapping.dmp

Download
memory/2072-87-0x000000000041E2B0-mapping.dmp

Download
memory/2104-88-0x0000000000000000-mapping.dmp

Download
memory/2136-112-0x00000000004D0000-0x00000000004F6000-memory.dmp

Filesize
152KB

Download
memory/2136-111-0x0000000000000000-mapping.dmp

Download
memory/2160-89-0x0000000000000000-mapping.dmp

Download
memory/2176-0-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2176-1-0x000000000041E2B0-mapping.dmp

Download
memory/2204-93-0x0000000000000000-mapping.dmp

Download
memory/2208-109-0x0000000000000000-mapping.dmp

Download
memory/2208-2-0x0000000000000000-mapping.dmp

Download
memory/2240-3-0x0000000000000000-mapping.dmp

Download
memory/2240-106-0x0000000000000000-mapping.dmp

Download
memory/2252-116-0x0000000000BB0000-0x0000000000BF6000-memory.dmp

Filesize
280KB

Download
memory/2252-115-0x0000000000000000-mapping.dmp

Download
memory/2260-4-0x0000000000000000-mapping.dmp

Download
memory/2268-128-0x000000000041E2B0-mapping.dmp

Download
memory/2288-6-0x000000000041E2B0-mapping.dmp

Download
memory/2296-43-0x000000000041E2B0-mapping.dmp

Download
memory/2300-90-0x0000000000000000-mapping.dmp

Download
memory/2312-7-0x0000000000000000-mapping.dmp

Download
memory/2344-117-0x0000000000000000-mapping.dmp

Download
memory/2352-8-0x0000000000000000-mapping.dmp

Download
memory/2364-9-0x0000000000000000-mapping.dmp

Download
memory/2388-100-0x0000000000000000-mapping.dmp

Download
memory/2392-11-0x000000000041E2B0-mapping.dmp

Download
memory/2404-123-0x000000000041E2B0-mapping.dmp

Download
memory/2412-95-0x0000000000000000-mapping.dmp

Download
memory/2416-108-0x0000000003240000-0x0000000003358000-memory.dmp

Filesize
1.1MB

Download
memory/2416-46-0x0000000000000000-mapping.dmp

Download
memory/2416-151-0x0000000003420000-0x0000000003538000-memory.dmp

Filesize
1.1MB

Download
memory/2416-150-0x0000000075B20000-0x0000000075C7C000-memory.dmp

Filesize
1.4MB

Download
memory/2416-148-0x0000000076910000-0x0000000076A2D000-memory.dmp

Filesize
1.1MB

Download
memory/2416-147-0x0000000075870000-0x000000007587C000-memory.dmp

Filesize
48KB

Download
memory/2416-47-0x0000000000BC0000-0x0000000000BC9000-memory.dmp

Filesize
36KB

Download
memory/2428-12-0x0000000000000000-mapping.dmp

Download
memory/2432-119-0x0000000000000000-mapping.dmp

Download
memory/2460-135-0x0000000000810000-0x0000000000828000-memory.dmp

Filesize
96KB

Download
memory/2460-13-0x0000000000000000-mapping.dmp

Download
memory/2460-134-0x0000000000000000-mapping.dmp

Download
memory/2472-99-0x000000000041E2B0-mapping.dmp

Download
memory/2480-14-0x0000000000000000-mapping.dmp

Download
memory/2508-16-0x000000000041E2B0-mapping.dmp

Download
memory/2516-94-0x0000000000000000-mapping.dmp

Download
memory/2532-48-0x0000000000000000-mapping.dmp

Download
memory/2532-52-0x0000000000E80000-0x0000000000E94000-memory.dmp

Filesize
80KB

Download
memory/2544-17-0x0000000000000000-mapping.dmp

Download
memory/2556-104-0x000000000041E2B0-mapping.dmp

Download
memory/2584-18-0x0000000000000000-mapping.dmp

Download
memory/2596-19-0x0000000000000000-mapping.dmp

Download
memory/2628-21-0x000000000041E2B0-mapping.dmp

Download
memory/2652-22-0x0000000000000000-mapping.dmp

Download
memory/2656-124-0x0000000000000000-mapping.dmp

Download
memory/2668-120-0x0000000000F50000-0x0000000000F6F000-memory.dmp

Filesize
124KB

Download
memory/2668-118-0x0000000000000000-mapping.dmp

Download
memory/2692-23-0x0000000000000000-mapping.dmp

Download
memory/2704-24-0x0000000000000000-mapping.dmp

Download
memory/2728-131-0x0000000000E40000-0x0000000000E5C000-memory.dmp

Filesize
112KB

Download
memory/2728-129-0x0000000000000000-mapping.dmp

Download
memory/2732-26-0x000000000041E2B0-mapping.dmp

Download
memory/2744-125-0x0000000000000000-mapping.dmp

Download
memory/2756-140-0x0000000000000000-mapping.dmp

Download
memory/2756-141-0x00000000001E0000-0x0000000000202000-memory.dmp

Filesize
136KB

Download
memory/2760-56-0x0000000000000000-mapping.dmp

Download
memory/2772-28-0x0000000000000000-mapping.dmp

Download
memory/2780-102-0x0000000000000000-mapping.dmp

Download
memory/2796-101-0x0000000000000000-mapping.dmp

Download
memory/2816-30-0x0000000000000000-mapping.dmp

Download
memory/2832-107-0x0000000000620000-0x0000000000627000-memory.dmp

Filesize
28KB

Download
memory/2832-105-0x0000000000000000-mapping.dmp

Download
memory/2836-61-0x0000000000C20000-0x0000000000C2B000-memory.dmp

Filesize
44KB

Download
memory/2836-59-0x0000000000000000-mapping.dmp

Download
memory/2844-121-0x0000000000000000-mapping.dmp

Download
memory/2844-31-0x0000000000000000-mapping.dmp

Download
memory/2848-137-0x0000000000000000-mapping.dmp

Download
memory/2848-139-0x00000000005B0000-0x00000000005CA000-memory.dmp

Filesize
104KB

Download
memory/2872-33-0x000000000041E2B0-mapping.dmp

Download
memory/2888-114-0x000000000041E2B0-mapping.dmp

Download
memory/2896-34-0x0000000000000000-mapping.dmp

Download
memory/2932-110-0x0000000000000000-mapping.dmp

Download
memory/2936-35-0x0000000000000000-mapping.dmp

Download
memory/2948-130-0x0000000000000000-mapping.dmp

Download
memory/2948-133-0x0000000000150000-0x0000000000244000-memory.dmp

Filesize
976KB

Download
memory/2948-36-0x0000000000000000-mapping.dmp

Download
memory/2976-38-0x000000000041E2B0-mapping.dmp

Download
memory/3000-63-0x0000000000000000-mapping.dmp

Download
memory/3000-64-0x000000004A240000-0x000000004A28C000-memory.dmp

Filesize
304KB

Download
memory/3008-132-0x0000000000000000-mapping.dmp

Download
memory/3012-39-0x0000000000000000-mapping.dmp

Download
memory/3036-136-0x0000000000000000-mapping.dmp

Download
memory/3044-40-0x0000000000000000-mapping.dmp

Download
memory/3064-41-0x0000000000000000-mapping.dmp

Download