agenttesla | 7341780b5a914f5cf26fee6fecfa59380432fe6da8ad4aeb5bc9e83836991b1a

Analysis

max time kernel
151s
max time network
6s
platform
windows7_x64
resource
win7
submitted
15-07-2020 14:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Order152020.exe
Size

439KB
MD5

bdad7cf32c55233a29a52feba81f140e
SHA1

464219a09f61e119e532fbacba58259ee7b06299
SHA256

7341780b5a914f5cf26fee6fecfa59380432fe6da8ad4aeb5bc9e83836991b1a
SHA512

32a56224e62319eeaa1f2467a8f502ee0b764912c55a24d1cc114f7dbc8ec9a7738eb737c362e641e3eb1b4988332d49b3b81ea981507a24cfc07f44296f6c73

Score

10^/10

agenttesla keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
us2.smtp.mailhostbox.com
Port:
587
Username:
[email protected]
Password:
anyanwu3116

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla Payload 42 IoCs

resource	yara_rule
behavioral1/memory/1604-0-0x0000000000400000-0x000000000044C000-memory.dmp	family_agenttesla
behavioral1/memory/1604-1-0x0000000000446EFE-mapping.dmp	family_agenttesla
behavioral1/memory/1604-2-0x0000000000400000-0x000000000044C000-memory.dmp	family_agenttesla
behavioral1/memory/1604-3-0x0000000000400000-0x000000000044C000-memory.dmp	family_agenttesla
behavioral1/memory/1752-8-0x0000000000446EFE-mapping.dmp	family_agenttesla
behavioral1/memory/1812-15-0x0000000000446EFE-mapping.dmp	family_agenttesla
behavioral1/memory/1996-22-0x0000000000446EFE-mapping.dmp	family_agenttesla
behavioral1/memory/1412-29-0x0000000000446EFE-mapping.dmp	family_agenttesla
behavioral1/memory/1756-36-0x0000000000446EFE-mapping.dmp	family_agenttesla
behavioral1/memory/1936-43-0x0000000000446EFE-mapping.dmp	family_agenttesla
behavioral1/memory/1472-50-0x0000000000446EFE-mapping.dmp	family_agenttesla
behavioral1/memory/1832-57-0x0000000000446EFE-mapping.dmp	family_agenttesla
behavioral1/memory/1496-64-0x0000000000446EFE-mapping.dmp	family_agenttesla
behavioral1/memory/764-71-0x0000000000446EFE-mapping.dmp	family_agenttesla
behavioral1/memory/1852-78-0x0000000000446EFE-mapping.dmp	family_agenttesla
behavioral1/memory/320-85-0x0000000000446EFE-mapping.dmp	family_agenttesla
behavioral1/memory/1328-92-0x0000000000446EFE-mapping.dmp	family_agenttesla
behavioral1/memory/1480-99-0x0000000000446EFE-mapping.dmp	family_agenttesla
behavioral1/memory/1928-106-0x0000000000446EFE-mapping.dmp	family_agenttesla
behavioral1/memory/1288-113-0x0000000000446EFE-mapping.dmp	family_agenttesla
behavioral1/memory/2112-120-0x0000000000446EFE-mapping.dmp	family_agenttesla
behavioral1/memory/2236-127-0x0000000000446EFE-mapping.dmp	family_agenttesla
behavioral1/memory/2364-134-0x0000000000446EFE-mapping.dmp	family_agenttesla
behavioral1/memory/2492-141-0x0000000000446EFE-mapping.dmp	family_agenttesla
behavioral1/memory/2616-148-0x0000000000446EFE-mapping.dmp	family_agenttesla
behavioral1/memory/2740-155-0x0000000000446EFE-mapping.dmp	family_agenttesla
behavioral1/memory/2868-162-0x0000000000446EFE-mapping.dmp	family_agenttesla
behavioral1/memory/2992-169-0x0000000000446EFE-mapping.dmp	family_agenttesla
behavioral1/memory/1780-176-0x0000000000446EFE-mapping.dmp	family_agenttesla
behavioral1/memory/1728-183-0x0000000000446EFE-mapping.dmp	family_agenttesla
behavioral1/memory/1640-190-0x0000000000446EFE-mapping.dmp	family_agenttesla
behavioral1/memory/2516-197-0x0000000000446EFE-mapping.dmp	family_agenttesla
behavioral1/memory/2340-204-0x0000000000446EFE-mapping.dmp	family_agenttesla
behavioral1/memory/820-211-0x0000000000446EFE-mapping.dmp	family_agenttesla
behavioral1/memory/2764-218-0x0000000000446EFE-mapping.dmp	family_agenttesla
behavioral1/memory/2000-225-0x0000000000446EFE-mapping.dmp	family_agenttesla
behavioral1/memory/2440-232-0x0000000000446EFE-mapping.dmp	family_agenttesla
behavioral1/memory/2564-239-0x0000000000446EFE-mapping.dmp	family_agenttesla
behavioral1/memory/3032-246-0x0000000000446EFE-mapping.dmp	family_agenttesla
behavioral1/memory/1468-253-0x0000000000446EFE-mapping.dmp	family_agenttesla
behavioral1/memory/2400-260-0x0000000000446EFE-mapping.dmp	family_agenttesla
behavioral1/memory/2036-267-0x0000000000446EFE-mapping.dmp	family_agenttesla

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run\YYtJku = "C:\\Users\\Admin\\AppData\\Roaming\\YYtJku\\YYtJku.exe"	RegAsm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run\YYtJku = "C:\\Users\\Admin\\AppData\\Roaming\\YYtJku\\YYtJku.exe"	RegAsm.exe

Suspicious use of SetThreadContext 39 IoCs

description	pid	Process	procid_target
PID 1544 set thread context of 1604	1544	Order152020.exe	24
PID 1496 set thread context of 1752	1496	Order152020.exe	31
PID 1308 set thread context of 1812	1308	Order152020.exe	36
PID 1560 set thread context of 1996	1560	Order152020.exe	41
PID 1124 set thread context of 1412	1124	Order152020.exe	46
PID 1504 set thread context of 1756	1504	Order152020.exe	52
PID 1556 set thread context of 1936	1556	Order152020.exe	57
PID 1960 set thread context of 1472	1960	Order152020.exe	62
PID 1888 set thread context of 1832	1888	Order152020.exe	67
PID 1776 set thread context of 1496	1776	Order152020.exe	72
PID 1088 set thread context of 764	1088	Order152020.exe	77
PID 1504 set thread context of 1852	1504	Order152020.exe	82
PID 1108 set thread context of 320	1108	Order152020.exe	87
PID 1124 set thread context of 1328	1124	Order152020.exe	92
PID 1780 set thread context of 1480	1780	Order152020.exe	97
PID 1804 set thread context of 1928	1804	Order152020.exe	102
PID 1600 set thread context of 1288	1600	Order152020.exe	107
PID 2084 set thread context of 2112	2084	Order152020.exe	112
PID 2208 set thread context of 2236	2208	Order152020.exe	117
PID 2336 set thread context of 2364	2336	Order152020.exe	122
PID 2464 set thread context of 2492	2464	Order152020.exe	127
PID 2588 set thread context of 2616	2588	Order152020.exe	132
PID 2712 set thread context of 2740	2712	Order152020.exe	137
PID 2840 set thread context of 2868	2840	Order152020.exe	142
PID 2964 set thread context of 2992	2964	Order152020.exe	147
PID 1476 set thread context of 1780	1476	Order152020.exe	152
PID 1572 set thread context of 1728	1572	Order152020.exe	158
PID 2344 set thread context of 1640	2344	Order152020.exe	163
PID 2028 set thread context of 2516	2028	Order152020.exe	168
PID 472 set thread context of 2340	472	Order152020.exe	174
PID 2520 set thread context of 820	2520	Order152020.exe	180
PID 2056 set thread context of 2764	2056	Order152020.exe	185
PID 2860 set thread context of 2000	2860	Order152020.exe	190
PID 3028 set thread context of 2440	3028	Order152020.exe	195
PID 880 set thread context of 2564	880	Order152020.exe	200
PID 2744 set thread context of 3032	2744	Order152020.exe	205
PID 1060 set thread context of 1468	1060	Order152020.exe	210
PID 276 set thread context of 2400	276	Order152020.exe	217
PID 1640 set thread context of 2036	1640	Order152020.exe	222

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1544	Order152020.exe
1544	Order152020.exe
1544	Order152020.exe
1544	Order152020.exe
1544	Order152020.exe
1544	Order152020.exe
1544	Order152020.exe
1544	Order152020.exe
1544	Order152020.exe
1544	Order152020.exe
1544	Order152020.exe
1544	Order152020.exe
1544	Order152020.exe
1544	Order152020.exe
1544	Order152020.exe
1544	Order152020.exe
1544	Order152020.exe
1544	Order152020.exe
1544	Order152020.exe
1544	Order152020.exe
1544	Order152020.exe
1544	Order152020.exe
1544	Order152020.exe
1544	Order152020.exe
1544	Order152020.exe
1544	Order152020.exe
1544	Order152020.exe
1544	Order152020.exe
1544	Order152020.exe
1544	Order152020.exe
1544	Order152020.exe
1544	Order152020.exe
1544	Order152020.exe
1544	Order152020.exe
1544	Order152020.exe
1544	Order152020.exe
1544	Order152020.exe
1544	Order152020.exe
1544	Order152020.exe
1544	Order152020.exe
1544	Order152020.exe
1544	Order152020.exe
1544	Order152020.exe
1544	Order152020.exe
1544	Order152020.exe
1544	Order152020.exe
1544	Order152020.exe
1544	Order152020.exe
1544	Order152020.exe
1544	Order152020.exe
1544	Order152020.exe
1544	Order152020.exe
1544	Order152020.exe
1544	Order152020.exe
1544	Order152020.exe
1544	Order152020.exe
1544	Order152020.exe
1544	Order152020.exe
1544	Order152020.exe
1544	Order152020.exe
1544	Order152020.exe
1544	Order152020.exe
1544	Order152020.exe
1544	Order152020.exe

Suspicious behavior: MapViewOfSection 46 IoCs

pid	Process
1544	Order152020.exe
1496	Order152020.exe
1496	Order152020.exe
1496	Order152020.exe
1308	Order152020.exe
1560	Order152020.exe
1124	Order152020.exe
1504	Order152020.exe
1504	Order152020.exe
1556	Order152020.exe
1960	Order152020.exe
1888	Order152020.exe
1776	Order152020.exe
1088	Order152020.exe
1504	Order152020.exe
1108	Order152020.exe
1124	Order152020.exe
1780	Order152020.exe
1804	Order152020.exe
1600	Order152020.exe
2084	Order152020.exe
2208	Order152020.exe
2336	Order152020.exe
2464	Order152020.exe
2588	Order152020.exe
2712	Order152020.exe
2840	Order152020.exe
2964	Order152020.exe
1476	Order152020.exe
1572	Order152020.exe
1572	Order152020.exe
2344	Order152020.exe
2028	Order152020.exe
472	Order152020.exe
472	Order152020.exe
2520	Order152020.exe
2056	Order152020.exe
2860	Order152020.exe
3028	Order152020.exe
880	Order152020.exe
2744	Order152020.exe
1060	Order152020.exe
276	Order152020.exe
276	Order152020.exe
276	Order152020.exe
1640	Order152020.exe

Suspicious use of AdjustPrivilegeToken 40 IoCs

description	pid	Process
Token: SeDebugPrivilege	1544	Order152020.exe
Token: SeDebugPrivilege	1496	Order152020.exe
Token: SeDebugPrivilege	1308	Order152020.exe
Token: SeDebugPrivilege	1560	Order152020.exe
Token: SeDebugPrivilege	1124	Order152020.exe
Token: SeDebugPrivilege	1504	Order152020.exe
Token: SeDebugPrivilege	1556	Order152020.exe
Token: SeDebugPrivilege	1960	Order152020.exe
Token: SeDebugPrivilege	1888	Order152020.exe
Token: SeDebugPrivilege	1776	Order152020.exe
Token: SeDebugPrivilege	1088	Order152020.exe
Token: SeDebugPrivilege	1504	Order152020.exe
Token: SeDebugPrivilege	1108	Order152020.exe
Token: SeDebugPrivilege	1124	Order152020.exe
Token: SeDebugPrivilege	1780	Order152020.exe
Token: SeDebugPrivilege	1804	Order152020.exe
Token: SeDebugPrivilege	1600	Order152020.exe
Token: SeDebugPrivilege	2084	Order152020.exe
Token: SeDebugPrivilege	2208	Order152020.exe
Token: SeDebugPrivilege	2336	Order152020.exe
Token: SeDebugPrivilege	2464	Order152020.exe
Token: SeDebugPrivilege	2588	Order152020.exe
Token: SeDebugPrivilege	2712	Order152020.exe
Token: SeDebugPrivilege	2840	Order152020.exe
Token: SeDebugPrivilege	2964	Order152020.exe
Token: SeDebugPrivilege	1476	Order152020.exe
Token: SeDebugPrivilege	1572	Order152020.exe
Token: SeDebugPrivilege	2344	Order152020.exe
Token: SeDebugPrivilege	2028	Order152020.exe
Token: SeDebugPrivilege	1604	RegAsm.exe
Token: SeDebugPrivilege	472	Order152020.exe
Token: SeDebugPrivilege	2520	Order152020.exe
Token: SeDebugPrivilege	2056	Order152020.exe
Token: SeDebugPrivilege	2860	Order152020.exe
Token: SeDebugPrivilege	3028	Order152020.exe
Token: SeDebugPrivilege	880	Order152020.exe
Token: SeDebugPrivilege	2744	Order152020.exe
Token: SeDebugPrivilege	1060	Order152020.exe
Token: SeDebugPrivilege	276	Order152020.exe
Token: SeDebugPrivilege	2340	RegAsm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1544 wrote to memory of 1604	1544	Order152020.exe	24
PID 1544 wrote to memory of 1604	1544	Order152020.exe	24
PID 1544 wrote to memory of 1604	1544	Order152020.exe	24
PID 1544 wrote to memory of 1604	1544	Order152020.exe	24
PID 1544 wrote to memory of 1604	1544	Order152020.exe	24
PID 1544 wrote to memory of 1604	1544	Order152020.exe	24
PID 1544 wrote to memory of 1604	1544	Order152020.exe	24
PID 1544 wrote to memory of 1604	1544	Order152020.exe	24
PID 1544 wrote to memory of 1056	1544	Order152020.exe	25
PID 1544 wrote to memory of 1056	1544	Order152020.exe	25
PID 1544 wrote to memory of 1056	1544	Order152020.exe	25
PID 1544 wrote to memory of 1056	1544	Order152020.exe	25
PID 1056 wrote to memory of 1028	1056	cmd.exe	27
PID 1056 wrote to memory of 1028	1056	cmd.exe	27
PID 1056 wrote to memory of 1028	1056	cmd.exe	27
PID 1056 wrote to memory of 1028	1056	cmd.exe	27
PID 1544 wrote to memory of 1496	1544	Order152020.exe	28
PID 1544 wrote to memory of 1496	1544	Order152020.exe	28
PID 1544 wrote to memory of 1496	1544	Order152020.exe	28
PID 1544 wrote to memory of 1496	1544	Order152020.exe	28
PID 1496 wrote to memory of 1780	1496	Order152020.exe	29
PID 1496 wrote to memory of 1780	1496	Order152020.exe	29
PID 1496 wrote to memory of 1780	1496	Order152020.exe	29
PID 1496 wrote to memory of 1780	1496	Order152020.exe	29
PID 1496 wrote to memory of 1780	1496	Order152020.exe	29
PID 1496 wrote to memory of 1780	1496	Order152020.exe	29
PID 1496 wrote to memory of 1780	1496	Order152020.exe	29
PID 1496 wrote to memory of 1772	1496	Order152020.exe	30
PID 1496 wrote to memory of 1772	1496	Order152020.exe	30
PID 1496 wrote to memory of 1772	1496	Order152020.exe	30
PID 1496 wrote to memory of 1772	1496	Order152020.exe	30
PID 1496 wrote to memory of 1772	1496	Order152020.exe	30
PID 1496 wrote to memory of 1772	1496	Order152020.exe	30
PID 1496 wrote to memory of 1772	1496	Order152020.exe	30
PID 1496 wrote to memory of 1752	1496	Order152020.exe	31
PID 1496 wrote to memory of 1752	1496	Order152020.exe	31
PID 1496 wrote to memory of 1752	1496	Order152020.exe	31
PID 1496 wrote to memory of 1752	1496	Order152020.exe	31
PID 1496 wrote to memory of 1752	1496	Order152020.exe	31
PID 1496 wrote to memory of 1752	1496	Order152020.exe	31
PID 1496 wrote to memory of 1752	1496	Order152020.exe	31
PID 1496 wrote to memory of 1752	1496	Order152020.exe	31
PID 1496 wrote to memory of 1876	1496	Order152020.exe	32
PID 1496 wrote to memory of 1876	1496	Order152020.exe	32
PID 1496 wrote to memory of 1876	1496	Order152020.exe	32
PID 1496 wrote to memory of 1876	1496	Order152020.exe	32
PID 1876 wrote to memory of 1912	1876	cmd.exe	34
PID 1876 wrote to memory of 1912	1876	cmd.exe	34
PID 1876 wrote to memory of 1912	1876	cmd.exe	34
PID 1876 wrote to memory of 1912	1876	cmd.exe	34
PID 1496 wrote to memory of 1308	1496	Order152020.exe	35
PID 1496 wrote to memory of 1308	1496	Order152020.exe	35
PID 1496 wrote to memory of 1308	1496	Order152020.exe	35
PID 1496 wrote to memory of 1308	1496	Order152020.exe	35
PID 1308 wrote to memory of 1812	1308	Order152020.exe	36
PID 1308 wrote to memory of 1812	1308	Order152020.exe	36
PID 1308 wrote to memory of 1812	1308	Order152020.exe	36
PID 1308 wrote to memory of 1812	1308	Order152020.exe	36
PID 1308 wrote to memory of 1812	1308	Order152020.exe	36
PID 1308 wrote to memory of 1812	1308	Order152020.exe	36
PID 1308 wrote to memory of 1812	1308	Order152020.exe	36
PID 1308 wrote to memory of 1812	1308	Order152020.exe	36
PID 1308 wrote to memory of 1636	1308	Order152020.exe	37
PID 1308 wrote to memory of 1636	1308	Order152020.exe	37

C:\Users\Admin\AppData\Local\Temp\Order152020.exe
"C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1544
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  PID:1604
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1056
- - C:\Windows\SysWOW64\choice.exe
    choice /C Y /N /D Y /T 3
    3⤵
    PID:1028
- C:\Users\Admin\AppData\Local\Temp\Order152020.exe
  "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1496
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:1780
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:1772
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:1752
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1876
  - - C:\Windows\SysWOW64\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:1912
- - C:\Users\Admin\AppData\Local\Temp\Order152020.exe
    "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1308
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      PID:1812
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
      4⤵
      PID:1636
    - - C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:1640
  - - C:\Users\Admin\AppData\Local\Temp\Order152020.exe
      "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
      4⤵
      Suspicious use of SetThreadContext
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      PID:1560
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        5⤵
        
        PID:1996
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        5⤵
        
        PID:2012
      - C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        6⤵
        
        PID:2004
    - - C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        5⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:1124
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        6⤵
        
        PID:1412
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        6⤵
        
        PID:1468
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        7⤵
        
        PID:792
      - C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        6⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:1504
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        7⤵
        
        PID:1508
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        7⤵
        
        PID:1756
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        7⤵
        
        PID:1780
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        8⤵
        
        PID:324
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        7⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:1556
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        8⤵
        
        PID:1936
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        8⤵
        
        PID:1744
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        9⤵
        
        PID:1860
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        8⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:1960
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        9⤵
        
        PID:1472
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        9⤵
        
        PID:1540
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        10⤵
        
        PID:1544
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        9⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:1888
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        10⤵
        
        PID:1832
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        10⤵
        
        PID:1240
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        11⤵
        
        PID:1668
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        10⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:1776
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        11⤵
        
        PID:1496
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        11⤵
        
        PID:1048
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        12⤵
        
        PID:1848
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        11⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:1088
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        12⤵
        
        PID:764
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        12⤵
        
        PID:1308
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        13⤵
        
        PID:1912
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        12⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:1504
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        13⤵
        
        PID:1852
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        13⤵
        
        PID:1828
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        14⤵
        
        PID:1148
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        13⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:1108
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        14⤵
        
        PID:320
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        14⤵
        
        PID:2012
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        15⤵
        
        PID:800
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        14⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:1124
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        15⤵
        
        PID:1328
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        15⤵
        
        PID:472
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        16⤵
        
        PID:324
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        15⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:1780
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        16⤵
        
        PID:1480
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        16⤵
        
        PID:1384
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        17⤵
        
        PID:1744
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        16⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:1804
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        17⤵
        
        PID:1928
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        17⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        18⤵
        
        PID:820
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        17⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:1600
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        18⤵
        
        PID:1288
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        18⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        19⤵
        
        PID:2068
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        18⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:2084
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        19⤵
        
        PID:2112
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        19⤵
        
        PID:2144
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        20⤵
        
        PID:2188
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        19⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:2208
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        20⤵
        
        PID:2236
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        20⤵
        
        PID:2276
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        21⤵
        
        PID:2324
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        20⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:2336
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        21⤵
        
        PID:2364
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        21⤵
        
        PID:2408
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        22⤵
        
        PID:2444
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        21⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:2464
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        22⤵
        
        PID:2492
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        22⤵
        
        PID:2528
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        23⤵
        
        PID:2568
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        22⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:2588
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        23⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        23⤵
        
        PID:2656
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        24⤵
        
        PID:2700
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        23⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:2712
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        24⤵
        
        PID:2740
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        24⤵
        
        PID:2780
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        25⤵
        
        PID:2828
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        24⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:2840
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        25⤵
        
        PID:2868
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        25⤵
        
        PID:2900
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        26⤵
        
        PID:2944
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        25⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:2964
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        26⤵
        
        PID:2992
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        26⤵
        
        PID:3040
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        27⤵
        
        PID:1324
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        26⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:1476
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        27⤵
        
        PID:1780
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        27⤵
        
        PID:1816
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        28⤵
        
        PID:2004
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        27⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:1572
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        28⤵
        
        PID:1912
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        28⤵
        
        PID:1728
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        28⤵
        
        PID:2292
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        29⤵
        
        PID:1304
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        28⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:2344
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        29⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        29⤵
        
        PID:2104
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        30⤵
        
        PID:2472
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        29⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:2028
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        30⤵
        
        PID:2516
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        30⤵
        
        PID:2260
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        31⤵
        
        PID:2640
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        30⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:472
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        31⤵
        
        PID:2352
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        31⤵
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:2340
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        31⤵
        
        PID:1404
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        32⤵
        
        PID:2632
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        31⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:2520
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        32⤵
        
        PID:820
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        32⤵
        
        PID:2604
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        33⤵
        
        PID:2072
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        32⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:2056
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        33⤵
        
        PID:2764
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        33⤵
        
        PID:1028
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        34⤵
        
        PID:3008
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        33⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:2860
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        34⤵
        
        PID:2000
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        34⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        35⤵
        
        PID:2976
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        34⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:3028
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        35⤵
        
        PID:2440
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        35⤵
        
        PID:2424
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        36⤵
        
        PID:272
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        35⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:880
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        36⤵
        
        PID:2564
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        36⤵
        
        PID:2064
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        37⤵
        
        PID:1904
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        36⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:2744
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        37⤵
        
        PID:3032
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        37⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        38⤵
        
        PID:280
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        37⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:1060
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        38⤵
        
        PID:1468
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        38⤵
        
        PID:1752
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        39⤵
        
        PID:2548
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        38⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:276
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        39⤵
        
        PID:1984
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        39⤵
        
        PID:1772
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        39⤵
        
        PID:2400
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        39⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        40⤵
        
        PID:1948
        
        C:\Users\Admin\AppData\Local\Temp\Order152020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        39⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:1640
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        40⤵
        
        PID:2036
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Order152020.exe"
        40⤵
        
        PID:2112

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1604-0-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1604-2-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1604-3-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download