agenttesla | 322246ebcd55123f8d11816a45dde9ef1b0b041ab306fce78af896a04052e6c8

Analysis

max time kernel
150s
max time network
117s
platform
windows10_x64
resource
win10
submitted
31-07-2020 11:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5660db4d39e1c2a7887c2b26c2f70f9b.exe
Size

349KB
MD5

5660db4d39e1c2a7887c2b26c2f70f9b
SHA1

656e494c33580a04d6ad08749a3f90fb7d4bb131
SHA256

322246ebcd55123f8d11816a45dde9ef1b0b041ab306fce78af896a04052e6c8
SHA512

66b4d49a740ea69f7a19cebcbad81d9851e0750aff4b18da23726555bcf605082ae25edbee251ca4401049e9759ffe5997b86ad290cba1ba7a9ec2b04dd93d3a

Score

10^/10

agenttesla keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
us2.smtp.mailhostbox.com
Port:
587
Username:
safaa.bishara@santemoraegypt.com
Password:
chimaroke2020

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla Payload 64 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3008-0-0x0000000000400000-0x000000000044A000-memory.dmp	family_agenttesla
behavioral2/memory/3008-1-0x0000000000445C1E-mapping.dmp	family_agenttesla
behavioral2/memory/3176-4-0x0000000000445C1E-mapping.dmp	family_agenttesla
behavioral2/memory/3028-8-0x0000000000445C1E-mapping.dmp	family_agenttesla
behavioral2/memory/2516-11-0x0000000000445C1E-mapping.dmp	family_agenttesla
behavioral2/memory/632-14-0x0000000000445C1E-mapping.dmp	family_agenttesla
behavioral2/memory/1120-17-0x0000000000445C1E-mapping.dmp	family_agenttesla
behavioral2/memory/1536-20-0x0000000000445C1E-mapping.dmp	family_agenttesla
behavioral2/memory/2432-23-0x0000000000445C1E-mapping.dmp	family_agenttesla
behavioral2/memory/2832-26-0x0000000000445C1E-mapping.dmp	family_agenttesla
behavioral2/memory/3760-29-0x0000000000445C1E-mapping.dmp	family_agenttesla
behavioral2/memory/2496-32-0x0000000000445C1E-mapping.dmp	family_agenttesla
behavioral2/memory/2140-35-0x0000000000445C1E-mapping.dmp	family_agenttesla
behavioral2/memory/2152-38-0x0000000000445C1E-mapping.dmp	family_agenttesla
behavioral2/memory/1548-41-0x0000000000445C1E-mapping.dmp	family_agenttesla
behavioral2/memory/2356-44-0x0000000000445C1E-mapping.dmp	family_agenttesla
behavioral2/memory/2680-47-0x0000000000445C1E-mapping.dmp	family_agenttesla
behavioral2/memory/648-50-0x0000000000445C1E-mapping.dmp	family_agenttesla
behavioral2/memory/512-53-0x0000000000445C1E-mapping.dmp	family_agenttesla
behavioral2/memory/996-56-0x0000000000445C1E-mapping.dmp	family_agenttesla
behavioral2/memory/1180-59-0x0000000000445C1E-mapping.dmp	family_agenttesla
behavioral2/memory/2768-62-0x0000000000445C1E-mapping.dmp	family_agenttesla
behavioral2/memory/376-65-0x0000000000445C1E-mapping.dmp	family_agenttesla
behavioral2/memory/2356-68-0x0000000000445C1E-mapping.dmp	family_agenttesla
behavioral2/memory/640-71-0x0000000000445C1E-mapping.dmp	family_agenttesla
behavioral2/memory/2296-74-0x0000000000445C1E-mapping.dmp	family_agenttesla
behavioral2/memory/3964-77-0x0000000000445C1E-mapping.dmp	family_agenttesla
behavioral2/memory/1120-80-0x0000000000445C1E-mapping.dmp	family_agenttesla
behavioral2/memory/2756-83-0x0000000000445C1E-mapping.dmp	family_agenttesla
behavioral2/memory/1340-86-0x0000000000445C1E-mapping.dmp	family_agenttesla
behavioral2/memory/3000-89-0x0000000000445C1E-mapping.dmp	family_agenttesla
behavioral2/memory/556-92-0x0000000000445C1E-mapping.dmp	family_agenttesla
behavioral2/memory/1316-95-0x0000000000445C1E-mapping.dmp	family_agenttesla
behavioral2/memory/1564-98-0x0000000000445C1E-mapping.dmp	family_agenttesla
behavioral2/memory/2244-101-0x0000000000445C1E-mapping.dmp	family_agenttesla
behavioral2/memory/500-104-0x0000000000445C1E-mapping.dmp	family_agenttesla
behavioral2/memory/1904-107-0x0000000000445C1E-mapping.dmp	family_agenttesla
behavioral2/memory/996-110-0x0000000000445C1E-mapping.dmp	family_agenttesla
behavioral2/memory/1252-113-0x0000000000445C1E-mapping.dmp	family_agenttesla
behavioral2/memory/2728-116-0x0000000000445C1E-mapping.dmp	family_agenttesla
behavioral2/memory/2564-119-0x0000000000445C1E-mapping.dmp	family_agenttesla
behavioral2/memory/2140-122-0x0000000000445C1E-mapping.dmp	family_agenttesla
behavioral2/memory/2076-125-0x0000000000445C1E-mapping.dmp	family_agenttesla
behavioral2/memory/2772-128-0x0000000000445C1E-mapping.dmp	family_agenttesla
behavioral2/memory/1452-131-0x0000000000445C1E-mapping.dmp	family_agenttesla
behavioral2/memory/1184-134-0x0000000000445C1E-mapping.dmp	family_agenttesla
behavioral2/memory/1460-137-0x0000000000445C1E-mapping.dmp	family_agenttesla
behavioral2/memory/1340-140-0x0000000000445C1E-mapping.dmp	family_agenttesla
behavioral2/memory/3492-143-0x0000000000445C1E-mapping.dmp	family_agenttesla
behavioral2/memory/2772-146-0x0000000000445C1E-mapping.dmp	family_agenttesla
behavioral2/memory/2768-149-0x0000000000445C1E-mapping.dmp	family_agenttesla
behavioral2/memory/412-152-0x0000000000445C1E-mapping.dmp	family_agenttesla
behavioral2/memory/3968-155-0x0000000000445C1E-mapping.dmp	family_agenttesla
behavioral2/memory/3208-158-0x0000000000445C1E-mapping.dmp	family_agenttesla
behavioral2/memory/1896-161-0x0000000000445C1E-mapping.dmp	family_agenttesla
behavioral2/memory/3008-164-0x0000000000445C1E-mapping.dmp	family_agenttesla
behavioral2/memory/2564-167-0x0000000000445C1E-mapping.dmp	family_agenttesla
behavioral2/memory/848-170-0x0000000000445C1E-mapping.dmp	family_agenttesla
behavioral2/memory/1032-173-0x0000000000445C1E-mapping.dmp	family_agenttesla
behavioral2/memory/3144-176-0x0000000000445C1E-mapping.dmp	family_agenttesla
behavioral2/memory/2184-179-0x0000000000445C1E-mapping.dmp	family_agenttesla
behavioral2/memory/1184-182-0x0000000000445C1E-mapping.dmp	family_agenttesla
behavioral2/memory/1732-185-0x0000000000445C1E-mapping.dmp	family_agenttesla
behavioral2/memory/904-189-0x0000000000445C1E-mapping.dmp	family_agenttesla

Drops startup file 2 IoCs

Processes:

5660db4d39e1c2a7887c2b26c2f70f9b.exe5660db4d39e1c2a7887c2b26c2f70f9b.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HJdyTuap.exe	5660db4d39e1c2a7887c2b26c2f70f9b.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HJdyTuap.exe	5660db4d39e1c2a7887c2b26c2f70f9b.exe

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

RegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Run\HBWELB = "C:\\Users\\Admin\\AppData\\Roaming\\HBWELB\\HBWELB.exe"	RegAsm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Run\HBWELB = "C:\\Users\\Admin\\AppData\\Roaming\\HBWELB\\HBWELB.exe"	RegAsm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Run\HBWELB = "C:\\Users\\Admin\\AppData\\Roaming\\HBWELB\\HBWELB.exe"	RegAsm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Run\HBWELB = "C:\\Users\\Admin\\AppData\\Roaming\\HBWELB\\HBWELB.exe"	RegAsm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Run\HBWELB = "C:\\Users\\Admin\\AppData\\Roaming\\HBWELB\\HBWELB.exe"	RegAsm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Run\HBWELB = "C:\\Users\\Admin\\AppData\\Roaming\\HBWELB\\HBWELB.exe"	RegAsm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Run\HBWELB = "C:\\Users\\Admin\\AppData\\Roaming\\HBWELB\\HBWELB.exe"	RegAsm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Run\HBWELB = "C:\\Users\\Admin\\AppData\\Roaming\\HBWELB\\HBWELB.exe"	RegAsm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Run\HBWELB = "C:\\Users\\Admin\\AppData\\Roaming\\HBWELB\\HBWELB.exe"	RegAsm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Run\HBWELB = "C:\\Users\\Admin\\AppData\\Roaming\\HBWELB\\HBWELB.exe"	RegAsm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Run\HBWELB = "C:\\Users\\Admin\\AppData\\Roaming\\HBWELB\\HBWELB.exe"	RegAsm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Run\HBWELB = "C:\\Users\\Admin\\AppData\\Roaming\\HBWELB\\HBWELB.exe"	RegAsm.exe

Suspicious use of SetThreadContext 64 IoCs

Processes:

5660db4d39e1c2a7887c2b26c2f70f9b.exe5660db4d39e1c2a7887c2b26c2f70f9b.exe5660db4d39e1c2a7887c2b26c2f70f9b.exe5660db4d39e1c2a7887c2b26c2f70f9b.exe5660db4d39e1c2a7887c2b26c2f70f9b.exe5660db4d39e1c2a7887c2b26c2f70f9b.exe5660db4d39e1c2a7887c2b26c2f70f9b.exe5660db4d39e1c2a7887c2b26c2f70f9b.exe5660db4d39e1c2a7887c2b26c2f70f9b.exe5660db4d39e1c2a7887c2b26c2f70f9b.exe5660db4d39e1c2a7887c2b26c2f70f9b.exe5660db4d39e1c2a7887c2b26c2f70f9b.exe5660db4d39e1c2a7887c2b26c2f70f9b.exe5660db4d39e1c2a7887c2b26c2f70f9b.exe5660db4d39e1c2a7887c2b26c2f70f9b.exe5660db4d39e1c2a7887c2b26c2f70f9b.exe5660db4d39e1c2a7887c2b26c2f70f9b.exe5660db4d39e1c2a7887c2b26c2f70f9b.exe5660db4d39e1c2a7887c2b26c2f70f9b.exe5660db4d39e1c2a7887c2b26c2f70f9b.exe5660db4d39e1c2a7887c2b26c2f70f9b.exe5660db4d39e1c2a7887c2b26c2f70f9b.exe5660db4d39e1c2a7887c2b26c2f70f9b.exe5660db4d39e1c2a7887c2b26c2f70f9b.exe5660db4d39e1c2a7887c2b26c2f70f9b.exe5660db4d39e1c2a7887c2b26c2f70f9b.exe5660db4d39e1c2a7887c2b26c2f70f9b.exe5660db4d39e1c2a7887c2b26c2f70f9b.exe5660db4d39e1c2a7887c2b26c2f70f9b.exe5660db4d39e1c2a7887c2b26c2f70f9b.exe5660db4d39e1c2a7887c2b26c2f70f9b.exe5660db4d39e1c2a7887c2b26c2f70f9b.exe5660db4d39e1c2a7887c2b26c2f70f9b.exe5660db4d39e1c2a7887c2b26c2f70f9b.exe5660db4d39e1c2a7887c2b26c2f70f9b.exe5660db4d39e1c2a7887c2b26c2f70f9b.exe5660db4d39e1c2a7887c2b26c2f70f9b.exe5660db4d39e1c2a7887c2b26c2f70f9b.exe5660db4d39e1c2a7887c2b26c2f70f9b.exe5660db4d39e1c2a7887c2b26c2f70f9b.exe5660db4d39e1c2a7887c2b26c2f70f9b.exe5660db4d39e1c2a7887c2b26c2f70f9b.exe5660db4d39e1c2a7887c2b26c2f70f9b.exe5660db4d39e1c2a7887c2b26c2f70f9b.exe5660db4d39e1c2a7887c2b26c2f70f9b.exe5660db4d39e1c2a7887c2b26c2f70f9b.exe5660db4d39e1c2a7887c2b26c2f70f9b.exe5660db4d39e1c2a7887c2b26c2f70f9b.exe5660db4d39e1c2a7887c2b26c2f70f9b.exe5660db4d39e1c2a7887c2b26c2f70f9b.exe5660db4d39e1c2a7887c2b26c2f70f9b.exe5660db4d39e1c2a7887c2b26c2f70f9b.exe5660db4d39e1c2a7887c2b26c2f70f9b.exe5660db4d39e1c2a7887c2b26c2f70f9b.exe5660db4d39e1c2a7887c2b26c2f70f9b.exe5660db4d39e1c2a7887c2b26c2f70f9b.exe5660db4d39e1c2a7887c2b26c2f70f9b.exe5660db4d39e1c2a7887c2b26c2f70f9b.exe5660db4d39e1c2a7887c2b26c2f70f9b.exe5660db4d39e1c2a7887c2b26c2f70f9b.exe5660db4d39e1c2a7887c2b26c2f70f9b.exe5660db4d39e1c2a7887c2b26c2f70f9b.exe5660db4d39e1c2a7887c2b26c2f70f9b.exe5660db4d39e1c2a7887c2b26c2f70f9b.exe

description	pid	process	target process
PID 3920 set thread context of 3008	3920	5660db4d39e1c2a7887c2b26c2f70f9b.exe	RegAsm.exe
PID 3848 set thread context of 3176	3848	5660db4d39e1c2a7887c2b26c2f70f9b.exe	RegAsm.exe
PID 3640 set thread context of 3028	3640	5660db4d39e1c2a7887c2b26c2f70f9b.exe	RegAsm.exe
PID 2140 set thread context of 2516	2140	5660db4d39e1c2a7887c2b26c2f70f9b.exe	RegAsm.exe
PID 3376 set thread context of 632	3376	5660db4d39e1c2a7887c2b26c2f70f9b.exe	RegAsm.exe
PID 360 set thread context of 1120	360	5660db4d39e1c2a7887c2b26c2f70f9b.exe	RegAsm.exe
PID 3956 set thread context of 1536	3956	5660db4d39e1c2a7887c2b26c2f70f9b.exe	RegAsm.exe
PID 1972 set thread context of 2432	1972	5660db4d39e1c2a7887c2b26c2f70f9b.exe	RegAsm.exe
PID 2680 set thread context of 2832	2680	5660db4d39e1c2a7887c2b26c2f70f9b.exe	RegAsm.exe
PID 3968 set thread context of 3760	3968	5660db4d39e1c2a7887c2b26c2f70f9b.exe	RegAsm.exe
PID 3936 set thread context of 2496	3936	5660db4d39e1c2a7887c2b26c2f70f9b.exe	RegAsm.exe
PID 2120 set thread context of 2140	2120	5660db4d39e1c2a7887c2b26c2f70f9b.exe	RegAsm.exe
PID 996 set thread context of 2152	996	5660db4d39e1c2a7887c2b26c2f70f9b.exe	RegAsm.exe
PID 2244 set thread context of 1548	2244	5660db4d39e1c2a7887c2b26c2f70f9b.exe	RegAsm.exe
PID 2860 set thread context of 2356	2860	5660db4d39e1c2a7887c2b26c2f70f9b.exe	RegAsm.exe
PID 2772 set thread context of 2680	2772	5660db4d39e1c2a7887c2b26c2f70f9b.exe	RegAsm.exe
PID 784 set thread context of 648	784	5660db4d39e1c2a7887c2b26c2f70f9b.exe	RegAsm.exe
PID 1840 set thread context of 512	1840	5660db4d39e1c2a7887c2b26c2f70f9b.exe	RegAsm.exe
PID 1856 set thread context of 996	1856	5660db4d39e1c2a7887c2b26c2f70f9b.exe	RegAsm.exe
PID 736 set thread context of 1180	736	5660db4d39e1c2a7887c2b26c2f70f9b.exe	RegAsm.exe
PID 560 set thread context of 2768	560	5660db4d39e1c2a7887c2b26c2f70f9b.exe	RegAsm.exe
PID 3848 set thread context of 376	3848	5660db4d39e1c2a7887c2b26c2f70f9b.exe	RegAsm.exe
PID 3916 set thread context of 2356	3916	5660db4d39e1c2a7887c2b26c2f70f9b.exe	RegAsm.exe
PID 1308 set thread context of 640	1308	5660db4d39e1c2a7887c2b26c2f70f9b.exe	RegAsm.exe
PID 3760 set thread context of 2296	3760	5660db4d39e1c2a7887c2b26c2f70f9b.exe	RegAsm.exe
PID 2008 set thread context of 3964	2008	5660db4d39e1c2a7887c2b26c2f70f9b.exe	RegAsm.exe
PID 800 set thread context of 1120	800	5660db4d39e1c2a7887c2b26c2f70f9b.exe	RegAsm.exe
PID 2768 set thread context of 2756	2768	5660db4d39e1c2a7887c2b26c2f70f9b.exe	RegAsm.exe
PID 3796 set thread context of 1340	3796	5660db4d39e1c2a7887c2b26c2f70f9b.exe	RegAsm.exe
PID 3212 set thread context of 3000	3212	5660db4d39e1c2a7887c2b26c2f70f9b.exe	RegAsm.exe
PID 3916 set thread context of 556	3916	5660db4d39e1c2a7887c2b26c2f70f9b.exe	RegAsm.exe
PID 776 set thread context of 1316	776	5660db4d39e1c2a7887c2b26c2f70f9b.exe	RegAsm.exe
PID 1968 set thread context of 1564	1968	5660db4d39e1c2a7887c2b26c2f70f9b.exe	RegAsm.exe
PID 3800 set thread context of 2244	3800	5660db4d39e1c2a7887c2b26c2f70f9b.exe	RegAsm.exe
PID 780 set thread context of 500	780	5660db4d39e1c2a7887c2b26c2f70f9b.exe	RegAsm.exe
PID 3792 set thread context of 1904	3792	5660db4d39e1c2a7887c2b26c2f70f9b.exe	RegAsm.exe
PID 2432 set thread context of 996	2432	5660db4d39e1c2a7887c2b26c2f70f9b.exe	RegAsm.exe
PID 2896 set thread context of 1252	2896	5660db4d39e1c2a7887c2b26c2f70f9b.exe	RegAsm.exe
PID 360 set thread context of 2728	360	5660db4d39e1c2a7887c2b26c2f70f9b.exe	RegAsm.exe
PID 3540 set thread context of 2564	3540	5660db4d39e1c2a7887c2b26c2f70f9b.exe	RegAsm.exe
PID 2592 set thread context of 2140	2592	5660db4d39e1c2a7887c2b26c2f70f9b.exe	RegAsm.exe
PID 3852 set thread context of 2076	3852	5660db4d39e1c2a7887c2b26c2f70f9b.exe	RegAsm.exe
PID 1532 set thread context of 2772	1532	5660db4d39e1c2a7887c2b26c2f70f9b.exe	RegAsm.exe
PID 3664 set thread context of 1452	3664	5660db4d39e1c2a7887c2b26c2f70f9b.exe	RegAsm.exe
PID 800 set thread context of 1184	800	5660db4d39e1c2a7887c2b26c2f70f9b.exe	RegAsm.exe
PID 3448 set thread context of 1460	3448	5660db4d39e1c2a7887c2b26c2f70f9b.exe	RegAsm.exe
PID 888 set thread context of 1340	888	5660db4d39e1c2a7887c2b26c2f70f9b.exe	RegAsm.exe
PID 676 set thread context of 3492	676	5660db4d39e1c2a7887c2b26c2f70f9b.exe	RegAsm.exe
PID 3872 set thread context of 2772	3872	5660db4d39e1c2a7887c2b26c2f70f9b.exe	RegAsm.exe
PID 1732 set thread context of 2768	1732	5660db4d39e1c2a7887c2b26c2f70f9b.exe	RegAsm.exe
PID 3516 set thread context of 412	3516	5660db4d39e1c2a7887c2b26c2f70f9b.exe	RegAsm.exe
PID 2860 set thread context of 3968	2860	5660db4d39e1c2a7887c2b26c2f70f9b.exe	RegAsm.exe
PID 640 set thread context of 3208	640	5660db4d39e1c2a7887c2b26c2f70f9b.exe	RegAsm.exe
PID 3004 set thread context of 1896	3004	5660db4d39e1c2a7887c2b26c2f70f9b.exe	RegAsm.exe
PID 3328 set thread context of 3008	3328	5660db4d39e1c2a7887c2b26c2f70f9b.exe	RegAsm.exe
PID 4044 set thread context of 2564	4044	5660db4d39e1c2a7887c2b26c2f70f9b.exe	RegAsm.exe
PID 3028 set thread context of 848	3028	5660db4d39e1c2a7887c2b26c2f70f9b.exe	RegAsm.exe
PID 772 set thread context of 1032	772	5660db4d39e1c2a7887c2b26c2f70f9b.exe	RegAsm.exe
PID 784 set thread context of 3144	784	5660db4d39e1c2a7887c2b26c2f70f9b.exe	RegAsm.exe
PID 3448 set thread context of 2184	3448	5660db4d39e1c2a7887c2b26c2f70f9b.exe	RegAsm.exe
PID 1164 set thread context of 1184	1164	5660db4d39e1c2a7887c2b26c2f70f9b.exe	RegAsm.exe
PID 2140 set thread context of 1732	2140	5660db4d39e1c2a7887c2b26c2f70f9b.exe	RegAsm.exe
PID 632 set thread context of 904	632	5660db4d39e1c2a7887c2b26c2f70f9b.exe	RegAsm.exe
PID 3500 set thread context of 2324	3500	5660db4d39e1c2a7887c2b26c2f70f9b.exe	RegAsm.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

5660db4d39e1c2a7887c2b26c2f70f9b.exe

pid	process
3920	5660db4d39e1c2a7887c2b26c2f70f9b.exe
3920	5660db4d39e1c2a7887c2b26c2f70f9b.exe
3920	5660db4d39e1c2a7887c2b26c2f70f9b.exe
3920	5660db4d39e1c2a7887c2b26c2f70f9b.exe
3920	5660db4d39e1c2a7887c2b26c2f70f9b.exe
3920	5660db4d39e1c2a7887c2b26c2f70f9b.exe
3920	5660db4d39e1c2a7887c2b26c2f70f9b.exe
3920	5660db4d39e1c2a7887c2b26c2f70f9b.exe
3920	5660db4d39e1c2a7887c2b26c2f70f9b.exe
3920	5660db4d39e1c2a7887c2b26c2f70f9b.exe
3920	5660db4d39e1c2a7887c2b26c2f70f9b.exe
3920	5660db4d39e1c2a7887c2b26c2f70f9b.exe
3920	5660db4d39e1c2a7887c2b26c2f70f9b.exe
3920	5660db4d39e1c2a7887c2b26c2f70f9b.exe
3920	5660db4d39e1c2a7887c2b26c2f70f9b.exe
3920	5660db4d39e1c2a7887c2b26c2f70f9b.exe
3920	5660db4d39e1c2a7887c2b26c2f70f9b.exe
3920	5660db4d39e1c2a7887c2b26c2f70f9b.exe
3920	5660db4d39e1c2a7887c2b26c2f70f9b.exe
3920	5660db4d39e1c2a7887c2b26c2f70f9b.exe
3920	5660db4d39e1c2a7887c2b26c2f70f9b.exe
3920	5660db4d39e1c2a7887c2b26c2f70f9b.exe
3920	5660db4d39e1c2a7887c2b26c2f70f9b.exe
3920	5660db4d39e1c2a7887c2b26c2f70f9b.exe
3920	5660db4d39e1c2a7887c2b26c2f70f9b.exe
3920	5660db4d39e1c2a7887c2b26c2f70f9b.exe
3920	5660db4d39e1c2a7887c2b26c2f70f9b.exe
3920	5660db4d39e1c2a7887c2b26c2f70f9b.exe
3920	5660db4d39e1c2a7887c2b26c2f70f9b.exe
3920	5660db4d39e1c2a7887c2b26c2f70f9b.exe
3920	5660db4d39e1c2a7887c2b26c2f70f9b.exe
3920	5660db4d39e1c2a7887c2b26c2f70f9b.exe
3920	5660db4d39e1c2a7887c2b26c2f70f9b.exe
3920	5660db4d39e1c2a7887c2b26c2f70f9b.exe
3920	5660db4d39e1c2a7887c2b26c2f70f9b.exe
3920	5660db4d39e1c2a7887c2b26c2f70f9b.exe
3920	5660db4d39e1c2a7887c2b26c2f70f9b.exe
3920	5660db4d39e1c2a7887c2b26c2f70f9b.exe
3920	5660db4d39e1c2a7887c2b26c2f70f9b.exe
3920	5660db4d39e1c2a7887c2b26c2f70f9b.exe
3920	5660db4d39e1c2a7887c2b26c2f70f9b.exe
3920	5660db4d39e1c2a7887c2b26c2f70f9b.exe
3920	5660db4d39e1c2a7887c2b26c2f70f9b.exe
3920	5660db4d39e1c2a7887c2b26c2f70f9b.exe
3920	5660db4d39e1c2a7887c2b26c2f70f9b.exe
3920	5660db4d39e1c2a7887c2b26c2f70f9b.exe
3920	5660db4d39e1c2a7887c2b26c2f70f9b.exe
3920	5660db4d39e1c2a7887c2b26c2f70f9b.exe
3920	5660db4d39e1c2a7887c2b26c2f70f9b.exe
3920	5660db4d39e1c2a7887c2b26c2f70f9b.exe
3920	5660db4d39e1c2a7887c2b26c2f70f9b.exe
3920	5660db4d39e1c2a7887c2b26c2f70f9b.exe
3920	5660db4d39e1c2a7887c2b26c2f70f9b.exe
3920	5660db4d39e1c2a7887c2b26c2f70f9b.exe
3920	5660db4d39e1c2a7887c2b26c2f70f9b.exe
3920	5660db4d39e1c2a7887c2b26c2f70f9b.exe
3920	5660db4d39e1c2a7887c2b26c2f70f9b.exe
3920	5660db4d39e1c2a7887c2b26c2f70f9b.exe
3920	5660db4d39e1c2a7887c2b26c2f70f9b.exe
3920	5660db4d39e1c2a7887c2b26c2f70f9b.exe
3920	5660db4d39e1c2a7887c2b26c2f70f9b.exe
3920	5660db4d39e1c2a7887c2b26c2f70f9b.exe
3920	5660db4d39e1c2a7887c2b26c2f70f9b.exe
3920	5660db4d39e1c2a7887c2b26c2f70f9b.exe

Suspicious behavior: MapViewOfSection 64 IoCs

Processes:

pid	process
3920	5660db4d39e1c2a7887c2b26c2f70f9b.exe
3848	5660db4d39e1c2a7887c2b26c2f70f9b.exe
3848	5660db4d39e1c2a7887c2b26c2f70f9b.exe
3640	5660db4d39e1c2a7887c2b26c2f70f9b.exe
2140	5660db4d39e1c2a7887c2b26c2f70f9b.exe
3376	5660db4d39e1c2a7887c2b26c2f70f9b.exe
360	5660db4d39e1c2a7887c2b26c2f70f9b.exe
3956	5660db4d39e1c2a7887c2b26c2f70f9b.exe
1972	5660db4d39e1c2a7887c2b26c2f70f9b.exe
2680	5660db4d39e1c2a7887c2b26c2f70f9b.exe
2680	5660db4d39e1c2a7887c2b26c2f70f9b.exe
2680	5660db4d39e1c2a7887c2b26c2f70f9b.exe
3968	5660db4d39e1c2a7887c2b26c2f70f9b.exe
3936	5660db4d39e1c2a7887c2b26c2f70f9b.exe
3936	5660db4d39e1c2a7887c2b26c2f70f9b.exe
2120	5660db4d39e1c2a7887c2b26c2f70f9b.exe
2120	5660db4d39e1c2a7887c2b26c2f70f9b.exe
2120	5660db4d39e1c2a7887c2b26c2f70f9b.exe
996	5660db4d39e1c2a7887c2b26c2f70f9b.exe
2244	5660db4d39e1c2a7887c2b26c2f70f9b.exe
2860	5660db4d39e1c2a7887c2b26c2f70f9b.exe
2772	5660db4d39e1c2a7887c2b26c2f70f9b.exe
784	5660db4d39e1c2a7887c2b26c2f70f9b.exe
784	5660db4d39e1c2a7887c2b26c2f70f9b.exe
784	5660db4d39e1c2a7887c2b26c2f70f9b.exe
784	5660db4d39e1c2a7887c2b26c2f70f9b.exe
1840	5660db4d39e1c2a7887c2b26c2f70f9b.exe
1856	5660db4d39e1c2a7887c2b26c2f70f9b.exe
736	5660db4d39e1c2a7887c2b26c2f70f9b.exe
560	5660db4d39e1c2a7887c2b26c2f70f9b.exe
3848	5660db4d39e1c2a7887c2b26c2f70f9b.exe
3916	5660db4d39e1c2a7887c2b26c2f70f9b.exe
3916	5660db4d39e1c2a7887c2b26c2f70f9b.exe
1308	5660db4d39e1c2a7887c2b26c2f70f9b.exe
1308	5660db4d39e1c2a7887c2b26c2f70f9b.exe
3760	5660db4d39e1c2a7887c2b26c2f70f9b.exe
2008	5660db4d39e1c2a7887c2b26c2f70f9b.exe
800	5660db4d39e1c2a7887c2b26c2f70f9b.exe
800	5660db4d39e1c2a7887c2b26c2f70f9b.exe
800	5660db4d39e1c2a7887c2b26c2f70f9b.exe
2768	5660db4d39e1c2a7887c2b26c2f70f9b.exe
3796	5660db4d39e1c2a7887c2b26c2f70f9b.exe
3212	5660db4d39e1c2a7887c2b26c2f70f9b.exe
3916	5660db4d39e1c2a7887c2b26c2f70f9b.exe
776	5660db4d39e1c2a7887c2b26c2f70f9b.exe
1968	5660db4d39e1c2a7887c2b26c2f70f9b.exe
3800	5660db4d39e1c2a7887c2b26c2f70f9b.exe
3800	5660db4d39e1c2a7887c2b26c2f70f9b.exe
780	5660db4d39e1c2a7887c2b26c2f70f9b.exe
3792	5660db4d39e1c2a7887c2b26c2f70f9b.exe
2432	5660db4d39e1c2a7887c2b26c2f70f9b.exe
2896	5660db4d39e1c2a7887c2b26c2f70f9b.exe
360	5660db4d39e1c2a7887c2b26c2f70f9b.exe
3540	5660db4d39e1c2a7887c2b26c2f70f9b.exe
3540	5660db4d39e1c2a7887c2b26c2f70f9b.exe
2592	5660db4d39e1c2a7887c2b26c2f70f9b.exe
3852	5660db4d39e1c2a7887c2b26c2f70f9b.exe
1532	5660db4d39e1c2a7887c2b26c2f70f9b.exe
3664	5660db4d39e1c2a7887c2b26c2f70f9b.exe
800	5660db4d39e1c2a7887c2b26c2f70f9b.exe
3448	5660db4d39e1c2a7887c2b26c2f70f9b.exe
888	5660db4d39e1c2a7887c2b26c2f70f9b.exe
676	5660db4d39e1c2a7887c2b26c2f70f9b.exe
3872	5660db4d39e1c2a7887c2b26c2f70f9b.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

5660db4d39e1c2a7887c2b26c2f70f9b.exe5660db4d39e1c2a7887c2b26c2f70f9b.exe5660db4d39e1c2a7887c2b26c2f70f9b.exe5660db4d39e1c2a7887c2b26c2f70f9b.exe5660db4d39e1c2a7887c2b26c2f70f9b.exe5660db4d39e1c2a7887c2b26c2f70f9b.exe5660db4d39e1c2a7887c2b26c2f70f9b.exe5660db4d39e1c2a7887c2b26c2f70f9b.exe5660db4d39e1c2a7887c2b26c2f70f9b.exe5660db4d39e1c2a7887c2b26c2f70f9b.exe5660db4d39e1c2a7887c2b26c2f70f9b.exe5660db4d39e1c2a7887c2b26c2f70f9b.exe5660db4d39e1c2a7887c2b26c2f70f9b.exe5660db4d39e1c2a7887c2b26c2f70f9b.exe5660db4d39e1c2a7887c2b26c2f70f9b.exe5660db4d39e1c2a7887c2b26c2f70f9b.exe5660db4d39e1c2a7887c2b26c2f70f9b.exe5660db4d39e1c2a7887c2b26c2f70f9b.exe5660db4d39e1c2a7887c2b26c2f70f9b.exe5660db4d39e1c2a7887c2b26c2f70f9b.exe5660db4d39e1c2a7887c2b26c2f70f9b.exeRegAsm.exe5660db4d39e1c2a7887c2b26c2f70f9b.exe5660db4d39e1c2a7887c2b26c2f70f9b.exe5660db4d39e1c2a7887c2b26c2f70f9b.exe5660db4d39e1c2a7887c2b26c2f70f9b.exe5660db4d39e1c2a7887c2b26c2f70f9b.exe5660db4d39e1c2a7887c2b26c2f70f9b.exe5660db4d39e1c2a7887c2b26c2f70f9b.exe5660db4d39e1c2a7887c2b26c2f70f9b.exe5660db4d39e1c2a7887c2b26c2f70f9b.exe5660db4d39e1c2a7887c2b26c2f70f9b.exe5660db4d39e1c2a7887c2b26c2f70f9b.exe5660db4d39e1c2a7887c2b26c2f70f9b.exe5660db4d39e1c2a7887c2b26c2f70f9b.exe5660db4d39e1c2a7887c2b26c2f70f9b.exe5660db4d39e1c2a7887c2b26c2f70f9b.exe5660db4d39e1c2a7887c2b26c2f70f9b.exe5660db4d39e1c2a7887c2b26c2f70f9b.exe5660db4d39e1c2a7887c2b26c2f70f9b.exe5660db4d39e1c2a7887c2b26c2f70f9b.exe5660db4d39e1c2a7887c2b26c2f70f9b.exe5660db4d39e1c2a7887c2b26c2f70f9b.exe5660db4d39e1c2a7887c2b26c2f70f9b.exe5660db4d39e1c2a7887c2b26c2f70f9b.exe5660db4d39e1c2a7887c2b26c2f70f9b.exeRegAsm.exe5660db4d39e1c2a7887c2b26c2f70f9b.exe5660db4d39e1c2a7887c2b26c2f70f9b.exe5660db4d39e1c2a7887c2b26c2f70f9b.exe5660db4d39e1c2a7887c2b26c2f70f9b.exe5660db4d39e1c2a7887c2b26c2f70f9b.exe5660db4d39e1c2a7887c2b26c2f70f9b.exe5660db4d39e1c2a7887c2b26c2f70f9b.exe5660db4d39e1c2a7887c2b26c2f70f9b.exe5660db4d39e1c2a7887c2b26c2f70f9b.exe5660db4d39e1c2a7887c2b26c2f70f9b.exe5660db4d39e1c2a7887c2b26c2f70f9b.exe5660db4d39e1c2a7887c2b26c2f70f9b.exe5660db4d39e1c2a7887c2b26c2f70f9b.exe5660db4d39e1c2a7887c2b26c2f70f9b.exe5660db4d39e1c2a7887c2b26c2f70f9b.exe5660db4d39e1c2a7887c2b26c2f70f9b.exe5660db4d39e1c2a7887c2b26c2f70f9b.exe

description	pid	process
Token: SeDebugPrivilege	3920	5660db4d39e1c2a7887c2b26c2f70f9b.exe
Token: SeDebugPrivilege	3848	5660db4d39e1c2a7887c2b26c2f70f9b.exe
Token: SeDebugPrivilege	3640	5660db4d39e1c2a7887c2b26c2f70f9b.exe
Token: SeDebugPrivilege	2140	5660db4d39e1c2a7887c2b26c2f70f9b.exe
Token: SeDebugPrivilege	3376	5660db4d39e1c2a7887c2b26c2f70f9b.exe
Token: SeDebugPrivilege	360	5660db4d39e1c2a7887c2b26c2f70f9b.exe
Token: SeDebugPrivilege	3956	5660db4d39e1c2a7887c2b26c2f70f9b.exe
Token: SeDebugPrivilege	1972	5660db4d39e1c2a7887c2b26c2f70f9b.exe
Token: SeDebugPrivilege	2680	5660db4d39e1c2a7887c2b26c2f70f9b.exe
Token: SeDebugPrivilege	3968	5660db4d39e1c2a7887c2b26c2f70f9b.exe
Token: SeDebugPrivilege	3936	5660db4d39e1c2a7887c2b26c2f70f9b.exe
Token: SeDebugPrivilege	2120	5660db4d39e1c2a7887c2b26c2f70f9b.exe
Token: SeDebugPrivilege	996	5660db4d39e1c2a7887c2b26c2f70f9b.exe
Token: SeDebugPrivilege	2244	5660db4d39e1c2a7887c2b26c2f70f9b.exe
Token: SeDebugPrivilege	2860	5660db4d39e1c2a7887c2b26c2f70f9b.exe
Token: SeDebugPrivilege	2772	5660db4d39e1c2a7887c2b26c2f70f9b.exe
Token: SeDebugPrivilege	784	5660db4d39e1c2a7887c2b26c2f70f9b.exe
Token: SeDebugPrivilege	1840	5660db4d39e1c2a7887c2b26c2f70f9b.exe
Token: SeDebugPrivilege	1856	5660db4d39e1c2a7887c2b26c2f70f9b.exe
Token: SeDebugPrivilege	736	5660db4d39e1c2a7887c2b26c2f70f9b.exe
Token: SeDebugPrivilege	560	5660db4d39e1c2a7887c2b26c2f70f9b.exe
Token: SeDebugPrivilege	3008	RegAsm.exe
Token: SeDebugPrivilege	3848	5660db4d39e1c2a7887c2b26c2f70f9b.exe
Token: SeDebugPrivilege	3916	5660db4d39e1c2a7887c2b26c2f70f9b.exe
Token: SeDebugPrivilege	1308	5660db4d39e1c2a7887c2b26c2f70f9b.exe
Token: SeDebugPrivilege	3760	5660db4d39e1c2a7887c2b26c2f70f9b.exe
Token: SeDebugPrivilege	2008	5660db4d39e1c2a7887c2b26c2f70f9b.exe
Token: SeDebugPrivilege	800	5660db4d39e1c2a7887c2b26c2f70f9b.exe
Token: SeDebugPrivilege	2768	5660db4d39e1c2a7887c2b26c2f70f9b.exe
Token: SeDebugPrivilege	3796	5660db4d39e1c2a7887c2b26c2f70f9b.exe
Token: SeDebugPrivilege	3212	5660db4d39e1c2a7887c2b26c2f70f9b.exe
Token: SeDebugPrivilege	3916	5660db4d39e1c2a7887c2b26c2f70f9b.exe
Token: SeDebugPrivilege	776	5660db4d39e1c2a7887c2b26c2f70f9b.exe
Token: SeDebugPrivilege	1968	5660db4d39e1c2a7887c2b26c2f70f9b.exe
Token: SeDebugPrivilege	3800	5660db4d39e1c2a7887c2b26c2f70f9b.exe
Token: SeDebugPrivilege	780	5660db4d39e1c2a7887c2b26c2f70f9b.exe
Token: SeDebugPrivilege	3792	5660db4d39e1c2a7887c2b26c2f70f9b.exe
Token: SeDebugPrivilege	2432	5660db4d39e1c2a7887c2b26c2f70f9b.exe
Token: SeDebugPrivilege	2896	5660db4d39e1c2a7887c2b26c2f70f9b.exe
Token: SeDebugPrivilege	360	5660db4d39e1c2a7887c2b26c2f70f9b.exe
Token: SeDebugPrivilege	3540	5660db4d39e1c2a7887c2b26c2f70f9b.exe
Token: SeDebugPrivilege	2592	5660db4d39e1c2a7887c2b26c2f70f9b.exe
Token: SeDebugPrivilege	3852	5660db4d39e1c2a7887c2b26c2f70f9b.exe
Token: SeDebugPrivilege	1532	5660db4d39e1c2a7887c2b26c2f70f9b.exe
Token: SeDebugPrivilege	3664	5660db4d39e1c2a7887c2b26c2f70f9b.exe
Token: SeDebugPrivilege	800	5660db4d39e1c2a7887c2b26c2f70f9b.exe
Token: SeDebugPrivilege	376	RegAsm.exe
Token: SeDebugPrivilege	3448	5660db4d39e1c2a7887c2b26c2f70f9b.exe
Token: SeDebugPrivilege	888	5660db4d39e1c2a7887c2b26c2f70f9b.exe
Token: SeDebugPrivilege	676	5660db4d39e1c2a7887c2b26c2f70f9b.exe
Token: SeDebugPrivilege	3872	5660db4d39e1c2a7887c2b26c2f70f9b.exe
Token: SeDebugPrivilege	1732	5660db4d39e1c2a7887c2b26c2f70f9b.exe
Token: SeDebugPrivilege	3516	5660db4d39e1c2a7887c2b26c2f70f9b.exe
Token: SeDebugPrivilege	2860	5660db4d39e1c2a7887c2b26c2f70f9b.exe
Token: SeDebugPrivilege	640	5660db4d39e1c2a7887c2b26c2f70f9b.exe
Token: SeDebugPrivilege	3004	5660db4d39e1c2a7887c2b26c2f70f9b.exe
Token: SeDebugPrivilege	3328	5660db4d39e1c2a7887c2b26c2f70f9b.exe
Token: SeDebugPrivilege	4044	5660db4d39e1c2a7887c2b26c2f70f9b.exe
Token: SeDebugPrivilege	3028	5660db4d39e1c2a7887c2b26c2f70f9b.exe
Token: SeDebugPrivilege	772	5660db4d39e1c2a7887c2b26c2f70f9b.exe
Token: SeDebugPrivilege	784	5660db4d39e1c2a7887c2b26c2f70f9b.exe
Token: SeDebugPrivilege	3448	5660db4d39e1c2a7887c2b26c2f70f9b.exe
Token: SeDebugPrivilege	1164	5660db4d39e1c2a7887c2b26c2f70f9b.exe
Token: SeDebugPrivilege	2140	5660db4d39e1c2a7887c2b26c2f70f9b.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	process	target process
PID 3920 wrote to memory of 3008	3920	5660db4d39e1c2a7887c2b26c2f70f9b.exe	RegAsm.exe
PID 3920 wrote to memory of 3008	3920	5660db4d39e1c2a7887c2b26c2f70f9b.exe	RegAsm.exe
PID 3920 wrote to memory of 3008	3920	5660db4d39e1c2a7887c2b26c2f70f9b.exe	RegAsm.exe
PID 3920 wrote to memory of 3008	3920	5660db4d39e1c2a7887c2b26c2f70f9b.exe	RegAsm.exe
PID 3920 wrote to memory of 3848	3920	5660db4d39e1c2a7887c2b26c2f70f9b.exe	5660db4d39e1c2a7887c2b26c2f70f9b.exe
PID 3920 wrote to memory of 3848	3920	5660db4d39e1c2a7887c2b26c2f70f9b.exe	5660db4d39e1c2a7887c2b26c2f70f9b.exe
PID 3920 wrote to memory of 3848	3920	5660db4d39e1c2a7887c2b26c2f70f9b.exe	5660db4d39e1c2a7887c2b26c2f70f9b.exe
PID 3848 wrote to memory of 3520	3848	5660db4d39e1c2a7887c2b26c2f70f9b.exe	RegAsm.exe
PID 3848 wrote to memory of 3520	3848	5660db4d39e1c2a7887c2b26c2f70f9b.exe	RegAsm.exe
PID 3848 wrote to memory of 3520	3848	5660db4d39e1c2a7887c2b26c2f70f9b.exe	RegAsm.exe
PID 3848 wrote to memory of 3176	3848	5660db4d39e1c2a7887c2b26c2f70f9b.exe	RegAsm.exe
PID 3848 wrote to memory of 3176	3848	5660db4d39e1c2a7887c2b26c2f70f9b.exe	RegAsm.exe
PID 3848 wrote to memory of 3176	3848	5660db4d39e1c2a7887c2b26c2f70f9b.exe	RegAsm.exe
PID 3848 wrote to memory of 3176	3848	5660db4d39e1c2a7887c2b26c2f70f9b.exe	RegAsm.exe
PID 3848 wrote to memory of 3640	3848	5660db4d39e1c2a7887c2b26c2f70f9b.exe	5660db4d39e1c2a7887c2b26c2f70f9b.exe
PID 3848 wrote to memory of 3640	3848	5660db4d39e1c2a7887c2b26c2f70f9b.exe	5660db4d39e1c2a7887c2b26c2f70f9b.exe
PID 3848 wrote to memory of 3640	3848	5660db4d39e1c2a7887c2b26c2f70f9b.exe	5660db4d39e1c2a7887c2b26c2f70f9b.exe
PID 3640 wrote to memory of 3028	3640	5660db4d39e1c2a7887c2b26c2f70f9b.exe	RegAsm.exe
PID 3640 wrote to memory of 3028	3640	5660db4d39e1c2a7887c2b26c2f70f9b.exe	RegAsm.exe
PID 3640 wrote to memory of 3028	3640	5660db4d39e1c2a7887c2b26c2f70f9b.exe	RegAsm.exe
PID 3640 wrote to memory of 3028	3640	5660db4d39e1c2a7887c2b26c2f70f9b.exe	RegAsm.exe
PID 3640 wrote to memory of 2140	3640	5660db4d39e1c2a7887c2b26c2f70f9b.exe	5660db4d39e1c2a7887c2b26c2f70f9b.exe
PID 3640 wrote to memory of 2140	3640	5660db4d39e1c2a7887c2b26c2f70f9b.exe	5660db4d39e1c2a7887c2b26c2f70f9b.exe
PID 3640 wrote to memory of 2140	3640	5660db4d39e1c2a7887c2b26c2f70f9b.exe	5660db4d39e1c2a7887c2b26c2f70f9b.exe
PID 2140 wrote to memory of 2516	2140	5660db4d39e1c2a7887c2b26c2f70f9b.exe	RegAsm.exe
PID 2140 wrote to memory of 2516	2140	5660db4d39e1c2a7887c2b26c2f70f9b.exe	RegAsm.exe
PID 2140 wrote to memory of 2516	2140	5660db4d39e1c2a7887c2b26c2f70f9b.exe	RegAsm.exe
PID 2140 wrote to memory of 2516	2140	5660db4d39e1c2a7887c2b26c2f70f9b.exe	RegAsm.exe
PID 2140 wrote to memory of 3376	2140	5660db4d39e1c2a7887c2b26c2f70f9b.exe	5660db4d39e1c2a7887c2b26c2f70f9b.exe
PID 2140 wrote to memory of 3376	2140	5660db4d39e1c2a7887c2b26c2f70f9b.exe	5660db4d39e1c2a7887c2b26c2f70f9b.exe
PID 2140 wrote to memory of 3376	2140	5660db4d39e1c2a7887c2b26c2f70f9b.exe	5660db4d39e1c2a7887c2b26c2f70f9b.exe
PID 3376 wrote to memory of 632	3376	5660db4d39e1c2a7887c2b26c2f70f9b.exe	RegAsm.exe
PID 3376 wrote to memory of 632	3376	5660db4d39e1c2a7887c2b26c2f70f9b.exe	RegAsm.exe
PID 3376 wrote to memory of 632	3376	5660db4d39e1c2a7887c2b26c2f70f9b.exe	RegAsm.exe
PID 3376 wrote to memory of 632	3376	5660db4d39e1c2a7887c2b26c2f70f9b.exe	RegAsm.exe
PID 3376 wrote to memory of 360	3376	5660db4d39e1c2a7887c2b26c2f70f9b.exe	5660db4d39e1c2a7887c2b26c2f70f9b.exe
PID 3376 wrote to memory of 360	3376	5660db4d39e1c2a7887c2b26c2f70f9b.exe	5660db4d39e1c2a7887c2b26c2f70f9b.exe
PID 3376 wrote to memory of 360	3376	5660db4d39e1c2a7887c2b26c2f70f9b.exe	5660db4d39e1c2a7887c2b26c2f70f9b.exe
PID 360 wrote to memory of 1120	360	5660db4d39e1c2a7887c2b26c2f70f9b.exe	RegAsm.exe
PID 360 wrote to memory of 1120	360	5660db4d39e1c2a7887c2b26c2f70f9b.exe	RegAsm.exe
PID 360 wrote to memory of 1120	360	5660db4d39e1c2a7887c2b26c2f70f9b.exe	RegAsm.exe
PID 360 wrote to memory of 1120	360	5660db4d39e1c2a7887c2b26c2f70f9b.exe	RegAsm.exe
PID 360 wrote to memory of 3956	360	5660db4d39e1c2a7887c2b26c2f70f9b.exe	5660db4d39e1c2a7887c2b26c2f70f9b.exe
PID 360 wrote to memory of 3956	360	5660db4d39e1c2a7887c2b26c2f70f9b.exe	5660db4d39e1c2a7887c2b26c2f70f9b.exe
PID 360 wrote to memory of 3956	360	5660db4d39e1c2a7887c2b26c2f70f9b.exe	5660db4d39e1c2a7887c2b26c2f70f9b.exe
PID 3956 wrote to memory of 1536	3956	5660db4d39e1c2a7887c2b26c2f70f9b.exe	RegAsm.exe
PID 3956 wrote to memory of 1536	3956	5660db4d39e1c2a7887c2b26c2f70f9b.exe	RegAsm.exe
PID 3956 wrote to memory of 1536	3956	5660db4d39e1c2a7887c2b26c2f70f9b.exe	RegAsm.exe
PID 3956 wrote to memory of 1536	3956	5660db4d39e1c2a7887c2b26c2f70f9b.exe	RegAsm.exe
PID 3956 wrote to memory of 1972	3956	5660db4d39e1c2a7887c2b26c2f70f9b.exe	5660db4d39e1c2a7887c2b26c2f70f9b.exe
PID 3956 wrote to memory of 1972	3956	5660db4d39e1c2a7887c2b26c2f70f9b.exe	5660db4d39e1c2a7887c2b26c2f70f9b.exe
PID 3956 wrote to memory of 1972	3956	5660db4d39e1c2a7887c2b26c2f70f9b.exe	5660db4d39e1c2a7887c2b26c2f70f9b.exe
PID 1972 wrote to memory of 2432	1972	5660db4d39e1c2a7887c2b26c2f70f9b.exe	RegAsm.exe
PID 1972 wrote to memory of 2432	1972	5660db4d39e1c2a7887c2b26c2f70f9b.exe	RegAsm.exe
PID 1972 wrote to memory of 2432	1972	5660db4d39e1c2a7887c2b26c2f70f9b.exe	RegAsm.exe
PID 1972 wrote to memory of 2432	1972	5660db4d39e1c2a7887c2b26c2f70f9b.exe	RegAsm.exe
PID 1972 wrote to memory of 2680	1972	5660db4d39e1c2a7887c2b26c2f70f9b.exe	5660db4d39e1c2a7887c2b26c2f70f9b.exe
PID 1972 wrote to memory of 2680	1972	5660db4d39e1c2a7887c2b26c2f70f9b.exe	5660db4d39e1c2a7887c2b26c2f70f9b.exe
PID 1972 wrote to memory of 2680	1972	5660db4d39e1c2a7887c2b26c2f70f9b.exe	5660db4d39e1c2a7887c2b26c2f70f9b.exe
PID 2680 wrote to memory of 2800	2680	5660db4d39e1c2a7887c2b26c2f70f9b.exe	RegAsm.exe
PID 2680 wrote to memory of 2800	2680	5660db4d39e1c2a7887c2b26c2f70f9b.exe	RegAsm.exe
PID 2680 wrote to memory of 2800	2680	5660db4d39e1c2a7887c2b26c2f70f9b.exe	RegAsm.exe
PID 2680 wrote to memory of 2860	2680	5660db4d39e1c2a7887c2b26c2f70f9b.exe	RegAsm.exe
PID 2680 wrote to memory of 2860	2680	5660db4d39e1c2a7887c2b26c2f70f9b.exe	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3920

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:3008

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
2⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3848

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:3520

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:3176

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3640

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
PID:3028

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
4⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2140

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
5⤵
PID:2516

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
5⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3376

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
6⤵
PID:632

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
6⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:360

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
7⤵
PID:1120

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
7⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3956

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
8⤵
PID:1536

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
8⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1972

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
9⤵
PID:2432

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
9⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2680

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
10⤵
PID:2800

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
10⤵
PID:2860

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
10⤵
PID:2832

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
10⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3968

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
11⤵
PID:3760

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
11⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3936

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
12⤵
PID:1936

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
12⤵
PID:2496

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
12⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2120

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
13⤵
PID:3780

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
13⤵
PID:3208

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
13⤵
PID:2140

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
13⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:996

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
14⤵
PID:2152

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
14⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2244

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
15⤵
PID:1548

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
15⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2860

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
16⤵
PID:2356

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
16⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2772

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
17⤵
PID:2680

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
17⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:784

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
18⤵
PID:408

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
18⤵
PID:3780

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
18⤵
PID:3208

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
18⤵
PID:648

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
18⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1840

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
19⤵
PID:512

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
19⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1856

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
20⤵
PID:996

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
20⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:736

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
21⤵
PID:1180

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
21⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:560

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
22⤵
PID:2768

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
22⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3848

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
23⤵
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:376

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
23⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3916

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
24⤵
PID:3520

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
24⤵
PID:2356

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
24⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1308

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
25⤵
PID:676

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
25⤵
PID:640

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
25⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3760

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
26⤵
PID:2296

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
26⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2008

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
27⤵
PID:3964

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
27⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:800

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
28⤵
PID:2680

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
28⤵
PID:1148

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
28⤵
PID:1120

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
28⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2768

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
29⤵
PID:2756

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
29⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3796

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
30⤵
PID:1340

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
30⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3212

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
31⤵
PID:3000

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
31⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3916

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
32⤵
PID:556

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
32⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:776

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
33⤵
PID:1316

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
33⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1968

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
34⤵
PID:1564

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
34⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3800

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
35⤵
PID:3692

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
35⤵
PID:2244

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
35⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:780

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
36⤵
PID:500

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
36⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3792

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
37⤵
PID:1904

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
37⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2432

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
38⤵
PID:996

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
38⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2896

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
39⤵
PID:1252

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
39⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:360

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
40⤵
PID:2728

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
40⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3540

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
41⤵
PID:2568

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
41⤵
PID:2564

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
41⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2592

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
42⤵
PID:2140

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
42⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3852

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
43⤵
PID:2076

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
43⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1532

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
44⤵
PID:2772

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
44⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3664

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
45⤵
PID:1452

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
45⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:800

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
46⤵
PID:1184

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
46⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3448

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
47⤵
- Adds Run key to start application
PID:1460

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
47⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:888

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
48⤵
PID:1340

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
48⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:676

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
49⤵
PID:3492

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
49⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3872

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
50⤵
PID:2076

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
50⤵
PID:2772

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
50⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1732

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
51⤵
PID:2768

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
51⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:3516

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
52⤵
PID:1524

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
52⤵
PID:412

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
52⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2860

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
53⤵
PID:3968

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
53⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:640

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
54⤵
PID:1116

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
54⤵
PID:4072

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
54⤵
PID:3208

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
54⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:3004

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
55⤵
PID:1896

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
55⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:3328

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
56⤵
PID:3008

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
56⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:4044

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
57⤵
PID:2564

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
57⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:3028

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
58⤵
PID:2864

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
58⤵
PID:848

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
58⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:772

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
59⤵
PID:1032

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
59⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:784

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
60⤵
PID:3144

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
60⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:3448

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
61⤵
PID:2184

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
61⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1164

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
62⤵
PID:2356

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
62⤵
PID:1184

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
62⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2140

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
63⤵
PID:1732

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
63⤵
- Suspicious use of SetThreadContext
PID:632

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
64⤵
PID:904

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
64⤵
- Suspicious use of SetThreadContext
PID:3500

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
65⤵
PID:2324

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
65⤵
PID:676

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
66⤵
PID:3952

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
66⤵
PID:1236

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
67⤵
PID:3496

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
67⤵
PID:4012

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
68⤵
PID:3344

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
68⤵
PID:632

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
69⤵
PID:1252

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
69⤵
PID:1948

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
70⤵
- Adds Run key to start application
PID:2192

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
70⤵
PID:3876

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
71⤵
PID:2568

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
71⤵
PID:2188

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
72⤵
PID:1504

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
72⤵
PID:3792

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
72⤵
PID:1896

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
73⤵
PID:3176

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
73⤵
PID:2644

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
74⤵
PID:3344

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
74⤵
PID:3872

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
75⤵
PID:1872

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
75⤵
PID:1032

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
76⤵
PID:2432

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
76⤵
PID:2864

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
77⤵
PID:4016

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
77⤵
PID:1972

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
78⤵
PID:4024

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
78⤵
PID:2296

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
79⤵
PID:1336

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
79⤵
PID:3496

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
80⤵
PID:2340

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
80⤵
PID:3492

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
80⤵
PID:904

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
81⤵
PID:1896

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
81⤵
PID:1236

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
82⤵
PID:3244

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
82⤵
PID:1180

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
83⤵
PID:3692

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
83⤵
PID:1252

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
84⤵
PID:1728

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
84⤵
PID:732

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
85⤵
PID:3524

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
85⤵
PID:560

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
86⤵
PID:3916

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
86⤵
PID:2608

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
86⤵
PID:3964

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
86⤵
PID:3672

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
87⤵
PID:1304

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
87⤵
PID:3688

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
88⤵
PID:2496

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
88⤵
PID:3900

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
89⤵
PID:3796

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
89⤵
PID:3972

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
90⤵
PID:3004

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
90⤵
PID:3892

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
91⤵
PID:3212

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
91⤵
PID:3672

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
92⤵
PID:2332

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
92⤵
PID:1568

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
93⤵
- Adds Run key to start application
PID:2608

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
93⤵
PID:348

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
94⤵
PID:3520

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
94⤵
PID:8

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
94⤵
PID:2084

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
95⤵
PID:1068

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
95⤵
PID:936

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
96⤵
PID:3364

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
96⤵
PID:3940

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
97⤵
PID:2152

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
97⤵
PID:2888

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
97⤵
PID:500

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
98⤵
PID:3796

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
98⤵
PID:3328

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
99⤵
PID:3176

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
99⤵
PID:556

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
100⤵
PID:560

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
100⤵
PID:2296

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
101⤵
PID:4020

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
101⤵
PID:2800

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
101⤵
PID:2120

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
102⤵
PID:3208

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
102⤵
PID:632

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
103⤵
PID:2592

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
103⤵
PID:1336

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
104⤵
PID:1872

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
104⤵
PID:3512

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
104⤵
PID:416

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
105⤵
PID:1252

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
105⤵
PID:648

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
106⤵
PID:2256

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
106⤵
PID:1116

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
107⤵
PID:2672

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
107⤵
PID:2968

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
107⤵
PID:992

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
108⤵
PID:1568

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
108⤵
PID:3996

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
109⤵
PID:636

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
109⤵
PID:3144

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
110⤵
PID:3248

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
110⤵
PID:2896

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
111⤵
PID:512

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
111⤵
PID:3536

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
112⤵
PID:1308

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
112⤵
PID:1340

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
112⤵
PID:412

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
113⤵
PID:3212

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
113⤵
PID:776

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
114⤵
PID:2324

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
114⤵
PID:2140

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
114⤵
PID:2164

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
115⤵
PID:3240

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
115⤵
PID:4224

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
116⤵
- Adds Run key to start application
PID:4272

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
116⤵
PID:4336

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
117⤵
PID:4368

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
117⤵
PID:4432

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
118⤵
PID:4464

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
118⤵
PID:4528

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
119⤵
PID:4560

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
119⤵
PID:4568

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
119⤵
PID:4648

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
120⤵
PID:4688

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
120⤵
PID:4752

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
121⤵
PID:4788

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
121⤵
PID:4852

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
122⤵
PID:4884

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
122⤵
PID:4948

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
123⤵
PID:4980

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
123⤵
PID:4988

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
123⤵
PID:5072

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
124⤵
PID:5112

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
124⤵
PID:3932

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
125⤵
PID:2496

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
125⤵
PID:3924

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
125⤵
PID:4120

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
126⤵
PID:3936

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
126⤵
PID:4012

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
127⤵
PID:1180

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
127⤵
PID:3444

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
128⤵
PID:1896

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
128⤵
PID:2008

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
129⤵
PID:3968

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
129⤵
PID:4280

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
130⤵
PID:3500

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
130⤵
PID:2356

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
130⤵
PID:3788

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
131⤵
PID:2164

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
131⤵
PID:4332

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
132⤵
PID:4356

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
132⤵
PID:4560

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
133⤵
PID:4508

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
133⤵
PID:4516

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
133⤵
PID:4524

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
133⤵
PID:4612

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
134⤵
PID:4860

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
134⤵
PID:4896

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
134⤵
PID:3360

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
135⤵
PID:4768

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
135⤵
PID:1232

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
136⤵
PID:4856

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
136⤵
PID:412

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
137⤵
- Adds Run key to start application
PID:5028

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
137⤵
PID:5100

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
138⤵
PID:1844

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
138⤵
PID:3448

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
139⤵
PID:3364

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
139⤵
PID:2264

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
139⤵
PID:2680

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
140⤵
PID:4044

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
140⤵
PID:4012

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
141⤵
PID:2592

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
141⤵
PID:1116

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
141⤵
PID:1504

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
142⤵
PID:1564

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
142⤵
PID:2968

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
143⤵
PID:4408

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
143⤵
PID:4284

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
143⤵
PID:3880

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
143⤵
PID:2980

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
144⤵
PID:4316

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
144⤵
PID:4324

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
144⤵
PID:4576

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
145⤵
PID:4332

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
145⤵
PID:4548

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
146⤵
PID:4848

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
146⤵
PID:4612

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
147⤵
PID:500

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
147⤵
PID:2356

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
148⤵
PID:4704

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
148⤵
PID:4712

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
148⤵
PID:4688

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
148⤵
PID:4808

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
149⤵
PID:5116

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
149⤵
PID:888

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
150⤵
PID:2800

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
150⤵
PID:2644

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
151⤵
PID:2340

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
151⤵
PID:4212

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
151⤵
PID:3804

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
152⤵
PID:4472

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
152⤵
PID:4752

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
153⤵
PID:2756

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
153⤵
PID:1568

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
154⤵
PID:4964

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
154⤵
PID:3364

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
155⤵
PID:1524

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
155⤵
PID:3224

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
156⤵
PID:784

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
156⤵
PID:3448

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
156⤵
PID:736

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
157⤵
PID:3996

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
157⤵
PID:3712

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
158⤵
PID:2076

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
158⤵
- Adds Run key to start application
PID:800

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
158⤵
PID:4280

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
159⤵
PID:4088

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
159⤵
PID:4536

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
160⤵
PID:4604

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
160⤵
PID:4904

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
161⤵
PID:4740

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
161⤵
PID:2208

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
162⤵
PID:776

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
162⤵
PID:4992

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
163⤵
PID:4492

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
163⤵
PID:4256

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
163⤵
PID:4524

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
164⤵
PID:4592

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
164⤵
PID:1896

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
165⤵
PID:4464

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
165⤵
PID:4856

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
166⤵
PID:5088

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
166⤵
PID:4752

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
167⤵
PID:2380

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
167⤵
PID:2192

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
168⤵
PID:3780

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
168⤵
PID:1872

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
169⤵
PID:4908

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
169⤵
PID:4472

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
170⤵
PID:3920

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
170⤵
PID:1844

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
171⤵
PID:4652

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
171⤵
PID:4324

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
171⤵
PID:2612

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
172⤵
PID:4784

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
172⤵
PID:4984

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
173⤵
PID:2656

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
173⤵
PID:3240

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
174⤵
PID:2152

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
174⤵
PID:1452

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
175⤵
PID:1536

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
175⤵
PID:512

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
176⤵
PID:4208

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
176⤵
PID:4280

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
177⤵
PID:4824

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
177⤵
PID:2832

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
178⤵
PID:4708

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
178⤵
PID:4176

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
179⤵
PID:5012

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
179⤵
PID:4880

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
180⤵
PID:3328

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
180⤵
PID:4488

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
181⤵
- Adds Run key to start application
PID:1896

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
181⤵
PID:4108

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
182⤵
PID:4912

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
182⤵
PID:2996

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
183⤵
PID:1552

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
183⤵
PID:3992

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
184⤵
PID:4768

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
184⤵
PID:1116

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
185⤵
PID:4288

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
185⤵
PID:1844

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
186⤵
PID:2408

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
186⤵
PID:1104

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
187⤵
PID:4952

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
187⤵
PID:4032

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
188⤵
PID:4436

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
188⤵
PID:4008

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
189⤵
PID:4180

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
189⤵
PID:1684

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
190⤵
PID:4536

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
190⤵
PID:1468

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
191⤵
PID:2832

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
191⤵
PID:1088

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
192⤵
PID:4424

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
192⤵
PID:4928

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
193⤵
PID:4324

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
193⤵
PID:4584

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
194⤵
PID:2324

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
194⤵
PID:4268

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
195⤵
PID:4548

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
195⤵
PID:1108

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
196⤵
PID:4656

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
196⤵
PID:2244

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
197⤵
PID:4708

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
197⤵
PID:3244

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
198⤵
PID:3900

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
198⤵
PID:4760

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
198⤵
PID:804

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
199⤵
PID:4980

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
199⤵
PID:4852

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
199⤵
PID:348

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
200⤵
PID:5068

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
200⤵
PID:4620

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
201⤵
PID:2164

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
201⤵
PID:1924

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
202⤵
PID:3028

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
202⤵
PID:4968

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
202⤵
PID:3788

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
203⤵
PID:4104

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
203⤵
PID:4444

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
204⤵
- Adds Run key to start application
PID:4516

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
204⤵
PID:904

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
205⤵
PID:1968

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
205⤵
PID:4140

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
206⤵
PID:4188

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
206⤵
PID:556

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
207⤵
PID:3856

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
207⤵
PID:3892

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
208⤵
PID:5088

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
208⤵
PID:3032

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
209⤵
PID:1688

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
209⤵
PID:4452

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
210⤵
PID:1108

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
210⤵
PID:4716

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
211⤵
PID:4368

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
211⤵
PID:5112

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
212⤵
PID:4432

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
212⤵
PID:4316

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
213⤵
PID:3500

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
213⤵
PID:2996

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
213⤵
PID:5040

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
214⤵
PID:892

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
214⤵
PID:3916

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
214⤵
PID:1188

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
214⤵
PID:5028

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
215⤵
PID:3364

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
215⤵
PID:3520

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
216⤵
PID:4524

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
216⤵
PID:4732

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
217⤵
PID:3436

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
217⤵
PID:4724

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
218⤵
PID:3516

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
218⤵
PID:4984

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
219⤵
PID:4180

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
219⤵
PID:4852

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
220⤵
PID:5072

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
220⤵
PID:2356

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
221⤵
PID:4400

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
221⤵
PID:1336

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
221⤵
PID:3692

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
221⤵
PID:4396

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
221⤵
PID:512

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
222⤵
PID:4720

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
222⤵
PID:4908

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
223⤵
PID:4256

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
223⤵
PID:2800

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
224⤵
PID:3024

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
224⤵
PID:4464

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
225⤵
PID:4960

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
225⤵
PID:2084

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
226⤵
PID:4404

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
226⤵
PID:2244

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
227⤵
PID:4372

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
227⤵
PID:4884

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
227⤵
PID:5112

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
228⤵
PID:4328

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
228⤵
- Adds Run key to start application
PID:4624

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
228⤵
PID:2516

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
229⤵
PID:4336

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
229⤵
PID:4800

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
229⤵
PID:4576

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
229⤵
PID:5028

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
230⤵
PID:4292

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
230⤵
PID:888

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
231⤵
PID:5116

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
231⤵
PID:3212

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
232⤵
PID:4952

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
232⤵
PID:2256

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
233⤵
PID:1336

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
233⤵
PID:2076

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
234⤵
PID:2432

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
234⤵
PID:1452

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
234⤵
PID:4560

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
235⤵
PID:2592

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
235⤵
PID:5052

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
236⤵
PID:3920

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
236⤵
PID:8

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
237⤵
PID:4924

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
237⤵
PID:1564

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
238⤵
PID:2612

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
238⤵
PID:1468

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
239⤵
PID:4188

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
239⤵
PID:4304

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
240⤵
PID:5000

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
240⤵
PID:4960

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
240⤵
PID:4980

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
240⤵
PID:3956

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
241⤵
PID:4236

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
241⤵
PID:4284

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
242⤵
PID:4296

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
242⤵
PID:3004

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
242⤵
PID:4840

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
243⤵
PID:4760

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
243⤵
PID:4240

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
244⤵
PID:348

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
244⤵
PID:1304

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
245⤵
PID:4708

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
245⤵
PID:3960

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
246⤵
PID:4496

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
246⤵
PID:376

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
247⤵
PID:2980

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
247⤵
PID:5020

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
248⤵
PID:3964

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
248⤵
PID:2408

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
249⤵
PID:4984

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
249⤵
PID:4012

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
250⤵
PID:4492

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
250⤵
PID:4184

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
251⤵
- Adds Run key to start application
PID:4540

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
251⤵
PID:4456

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
252⤵
PID:4600

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
252⤵
PID:4628

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
253⤵
PID:848

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
253⤵
PID:4140

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
253⤵
PID:5000

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
254⤵
PID:4088

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
254⤵
PID:4180

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
255⤵
PID:4120

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
255⤵
PID:4304

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
255⤵
PID:3860

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
256⤵
PID:4860

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
256⤵
PID:4720

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
257⤵
PID:4192

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
257⤵
PID:4544

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
257⤵
PID:3664

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
258⤵
PID:4880

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
258⤵
PID:4240

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
258⤵
PID:892

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
259⤵
PID:4964

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
259⤵
PID:4104

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
260⤵
PID:3712

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
260⤵
PID:4648

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
260⤵
PID:4832

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
261⤵
PID:2264

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
261⤵
PID:4688

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
262⤵
PID:3344

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
262⤵
PID:4900

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
263⤵
PID:1336

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
263⤵
PID:5004

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
264⤵
PID:5032

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
264⤵
PID:4008

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
265⤵
PID:4768

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
265⤵
PID:936

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
265⤵
PID:3924

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
266⤵
PID:4476

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
266⤵
PID:4824

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
267⤵
PID:2136

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
267⤵
PID:4496

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
267⤵
PID:4356

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
267⤵
PID:904

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
268⤵
PID:4852

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
268⤵
PID:4460

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
269⤵
PID:3800

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
269⤵
PID:5052

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
270⤵
PID:8

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
270⤵
PID:4772

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
271⤵
PID:424

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
271⤵
PID:4120

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
271⤵
PID:4200

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
271⤵
PID:780

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
272⤵
PID:4392

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
272⤵
PID:4408

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
273⤵
PID:4284

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
273⤵
PID:684

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
274⤵
PID:3852

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
274⤵
PID:2152

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
275⤵
PID:3960

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
275⤵
PID:4816

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
276⤵
PID:3900

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
276⤵
PID:2340

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
276⤵
PID:4836

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
276⤵
PID:3492

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
277⤵
PID:2728

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
277⤵
PID:4376

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
278⤵
PID:3892

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
278⤵
PID:4700

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
278⤵
PID:4452

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
279⤵
PID:3788

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
279⤵
PID:5012

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
280⤵
PID:3328

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
280⤵
PID:1308

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
281⤵
PID:632

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
281⤵
PID:4712

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
282⤵
PID:4960

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
282⤵
PID:4628

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
282⤵
PID:4692

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
283⤵
PID:4120

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
283⤵
PID:3844

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
284⤵
PID:5076

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
284⤵
PID:1688

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
284⤵
PID:4332

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
285⤵
PID:780

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
285⤵
PID:5108

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
286⤵
PID:2264

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
286⤵
PID:4108

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
287⤵
PID:5008

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
287⤵
PID:4176

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
288⤵
PID:4788

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
288⤵
PID:4476

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
289⤵
PID:5080

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
289⤵
PID:2160

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
289⤵
PID:4352

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
290⤵
PID:2880

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
290⤵
PID:2256

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
291⤵
PID:1116

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
291⤵
PID:4388

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
292⤵
PID:2180

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
292⤵
PID:4588

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
292⤵
PID:4436

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
293⤵
PID:3796

C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe
"C:\Users\Admin\AppData\Local\Temp\5660db4d39e1c2a7887c2b26c2f70f9b.exe"
293⤵
PID:1456

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
294⤵
PID:1552

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\HBWELB\HBWELB.exe
MD5
b58b926c3574d28d5b7fdd2ca3ec30d5

SHA1
d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

SHA256
6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

SHA512
b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

Download Submit
C:\Users\Admin\AppData\Roaming\HBWELB\HBWELB.exe
MD5
b58b926c3574d28d5b7fdd2ca3ec30d5

SHA1
d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

SHA256
6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

SHA512
b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

Download Submit
C:\Users\Admin\AppData\Roaming\HBWELB\HBWELB.exe
MD5
b58b926c3574d28d5b7fdd2ca3ec30d5

SHA1
d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

SHA256
6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

SHA512
b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

Download Submit
C:\Users\Admin\AppData\Roaming\HBWELB\HBWELB.exe
MD5
b58b926c3574d28d5b7fdd2ca3ec30d5

SHA1
d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

SHA256
6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

SHA512
b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

Download Submit
C:\Users\Admin\AppData\Roaming\HBWELB\HBWELB.exe
MD5
b58b926c3574d28d5b7fdd2ca3ec30d5

SHA1
d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

SHA256
6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

SHA512
b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

Download Submit
C:\Users\Admin\AppData\Roaming\HBWELB\HBWELB.exe
MD5
b58b926c3574d28d5b7fdd2ca3ec30d5

SHA1
d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

SHA256
6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

SHA512
b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HJdyTuap.exe
MD5
b8df682398f191102fd61a53c5fa350a

SHA1
8743f511998153de674bfbab9e23301411470076

SHA256
62d6192543381696165a638b33ccaae8ae4d19442df61138b536f26ceaa7e17c

SHA512
697e486c03e622866171edd7ccb9331602b20a4b40fb56c16d3eeccacdc9aa1715170b50fc19308152349c0fa3b7da3f432439f11c51dad9aa0ef68ce0c3e7d6

Download Submit
memory/8-709-0x0000000000000000-mapping.dmp

Download
memory/8-279-0x0000000000445C1E-mapping.dmp

Download
memory/8-811-0x0000000000445C1E-mapping.dmp

Download
memory/348-598-0x0000000000000000-mapping.dmp

Download
memory/348-277-0x0000000000000000-mapping.dmp

Download
memory/348-732-0x0000000000445C1E-mapping.dmp

Download
memory/360-15-0x0000000000000000-mapping.dmp

Download
memory/360-114-0x0000000000000000-mapping.dmp

Download
memory/376-740-0x0000000000000000-mapping.dmp

Download
memory/376-65-0x0000000000445C1E-mapping.dmp

Download
memory/412-335-0x0000000000000000-mapping.dmp

Download
memory/412-407-0x0000000000000000-mapping.dmp

Download
memory/412-152-0x0000000000445C1E-mapping.dmp

Download
memory/416-310-0x0000000000000000-mapping.dmp

Download
memory/500-289-0x0000000000000000-mapping.dmp

Download
memory/500-439-0x0000000000445C1E-mapping.dmp

Download
memory/500-104-0x0000000000445C1E-mapping.dmp

Download
memory/512-331-0x0000000000445C1E-mapping.dmp

Download
memory/512-53-0x0000000000445C1E-mapping.dmp

Download
memory/512-664-0x0000000000000000-mapping.dmp

Download
memory/512-525-0x0000000000000000-mapping.dmp

Download
memory/556-295-0x0000000000000000-mapping.dmp

Download
memory/556-92-0x0000000000445C1E-mapping.dmp

Download
memory/556-619-0x0000000000000000-mapping.dmp

Download
memory/560-60-0x0000000000000000-mapping.dmp

Download
memory/560-253-0x0000000000000000-mapping.dmp

Download
memory/560-297-0x0000000000445C1E-mapping.dmp

Download
memory/632-304-0x0000000000000000-mapping.dmp

Download
memory/632-844-0x0000000000445C1E-mapping.dmp

Download
memory/632-187-0x0000000000000000-mapping.dmp

Download
memory/632-202-0x0000000000000000-mapping.dmp

Download
memory/632-14-0x0000000000445C1E-mapping.dmp

Download
memory/636-324-0x0000000000445C1E-mapping.dmp

Download
memory/640-156-0x0000000000000000-mapping.dmp

Download
memory/640-71-0x0000000000445C1E-mapping.dmp

Download
memory/648-313-0x0000000000000000-mapping.dmp

Download
memory/648-50-0x0000000000445C1E-mapping.dmp

Download
memory/676-141-0x0000000000000000-mapping.dmp

Download
memory/676-193-0x0000000000000000-mapping.dmp

Download
memory/684-821-0x0000000000000000-mapping.dmp

Download
memory/732-250-0x0000000000000000-mapping.dmp

Download
memory/736-468-0x0000000000000000-mapping.dmp

Download
memory/736-57-0x0000000000000000-mapping.dmp

Download
memory/772-171-0x0000000000000000-mapping.dmp

Download
memory/776-485-0x0000000000445C1E-mapping.dmp

Download
memory/776-338-0x0000000000000000-mapping.dmp

Download
memory/776-93-0x0000000000000000-mapping.dmp

Download
memory/780-856-0x0000000000445C1E-mapping.dmp

Download
memory/780-102-0x0000000000000000-mapping.dmp

Download
memory/780-815-0x0000000000000000-mapping.dmp

Download
memory/784-48-0x0000000000000000-mapping.dmp

Download
memory/784-174-0x0000000000000000-mapping.dmp

Download
memory/800-132-0x0000000000000000-mapping.dmp

Download
memory/800-78-0x0000000000000000-mapping.dmp

Download
memory/800-473-0x0000000000445C1E-mapping.dmp

Download
memory/804-595-0x0000000000000000-mapping.dmp

Download
memory/848-170-0x0000000000445C1E-mapping.dmp

Download
memory/888-691-0x0000000000000000-mapping.dmp

Download
memory/888-138-0x0000000000000000-mapping.dmp

Download
memory/888-446-0x0000000000000000-mapping.dmp

Download
memory/892-776-0x0000000000000000-mapping.dmp

Download
memory/904-189-0x0000000000445C1E-mapping.dmp

Download
memory/904-803-0x0000000000000000-mapping.dmp

Download
memory/904-238-0x0000000000000000-mapping.dmp

Download
memory/904-613-0x0000000000000000-mapping.dmp

Download
memory/936-283-0x0000000000000000-mapping.dmp

Download
memory/936-796-0x0000000000445C1E-mapping.dmp

Download
memory/992-319-0x0000000000000000-mapping.dmp

Download
memory/996-36-0x0000000000000000-mapping.dmp

Download
memory/996-110-0x0000000000445C1E-mapping.dmp

Download
memory/996-56-0x0000000000445C1E-mapping.dmp

Download
memory/1032-173-0x0000000000445C1E-mapping.dmp

Download
memory/1032-223-0x0000000000000000-mapping.dmp

Download
memory/1068-282-0x0000000000445C1E-mapping.dmp

Download
memory/1088-573-0x0000000000000000-mapping.dmp

Download
memory/1104-558-0x0000000000000000-mapping.dmp

Download
memory/1108-630-0x0000000000445C1E-mapping.dmp

Download
memory/1108-585-0x0000000000000000-mapping.dmp

Download
memory/1116-316-0x0000000000000000-mapping.dmp

Download
memory/1116-421-0x0000000000445C1E-mapping.dmp

Download
memory/1116-874-0x0000000000445C1E-mapping.dmp

Download
memory/1116-552-0x0000000000000000-mapping.dmp

Download
memory/1120-17-0x0000000000445C1E-mapping.dmp

Download
memory/1120-80-0x0000000000445C1E-mapping.dmp

Download
memory/1164-180-0x0000000000000000-mapping.dmp

Download
memory/1180-59-0x0000000000445C1E-mapping.dmp

Download
memory/1180-244-0x0000000000000000-mapping.dmp

Download
memory/1180-379-0x0000000000445C1E-mapping.dmp

Download
memory/1184-134-0x0000000000445C1E-mapping.dmp

Download
memory/1184-182-0x0000000000445C1E-mapping.dmp

Download
memory/1188-642-0x0000000000445C1E-mapping.dmp

Download
memory/1232-404-0x0000000000000000-mapping.dmp

Download
memory/1236-196-0x0000000000000000-mapping.dmp

Download
memory/1236-241-0x0000000000000000-mapping.dmp

Download
memory/1252-247-0x0000000000000000-mapping.dmp

Download
memory/1252-113-0x0000000000445C1E-mapping.dmp

Download
memory/1252-312-0x0000000000445C1E-mapping.dmp

Download
memory/1252-204-0x0000000000445C1E-mapping.dmp

Download
memory/1304-733-0x0000000000000000-mapping.dmp

Download
memory/1304-258-0x0000000000445C1E-mapping.dmp

Download
memory/1308-69-0x0000000000000000-mapping.dmp

Download
memory/1308-842-0x0000000000000000-mapping.dmp

Download
memory/1316-95-0x0000000000445C1E-mapping.dmp

Download
memory/1336-699-0x0000000000445C1E-mapping.dmp

Download
memory/1336-234-0x0000000000445C1E-mapping.dmp

Download
memory/1336-790-0x0000000000445C1E-mapping.dmp

Download
memory/1336-307-0x0000000000000000-mapping.dmp

Download
memory/1340-140-0x0000000000445C1E-mapping.dmp

Download
memory/1340-86-0x0000000000445C1E-mapping.dmp

Download
memory/1340-334-0x0000000000445C1E-mapping.dmp

Download
memory/1452-702-0x0000000000445C1E-mapping.dmp

Download
memory/1452-131-0x0000000000445C1E-mapping.dmp

Download
memory/1452-522-0x0000000000000000-mapping.dmp

Download
memory/1456-882-0x0000000000000000-mapping.dmp

Download
memory/1460-137-0x0000000000445C1E-mapping.dmp

Download
memory/1468-570-0x0000000000000000-mapping.dmp

Download
memory/1468-715-0x0000000000000000-mapping.dmp

Download
memory/1504-422-0x0000000000000000-mapping.dmp

Download
memory/1524-464-0x0000000000445C1E-mapping.dmp

Download
memory/1532-126-0x0000000000000000-mapping.dmp

Download
memory/1536-20-0x0000000000445C1E-mapping.dmp

Download
memory/1536-524-0x0000000000445C1E-mapping.dmp

Download
memory/1548-41-0x0000000000445C1E-mapping.dmp

Download
memory/1552-548-0x0000000000445C1E-mapping.dmp

Download
memory/1552-884-0x0000000000445C1E-mapping.dmp

Download
memory/1564-712-0x0000000000000000-mapping.dmp

Download
memory/1564-98-0x0000000000445C1E-mapping.dmp

Download
memory/1564-424-0x0000000000445C1E-mapping.dmp

Download
memory/1568-321-0x0000000000445C1E-mapping.dmp

Download
memory/1568-274-0x0000000000000000-mapping.dmp

Download
memory/1568-459-0x0000000000000000-mapping.dmp

Download
memory/1684-567-0x0000000000000000-mapping.dmp

Download
memory/1688-627-0x0000000000445C1E-mapping.dmp

Download
memory/1688-853-0x0000000000445C1E-mapping.dmp

Download
memory/1728-249-0x0000000000445C1E-mapping.dmp

Download
memory/1732-147-0x0000000000000000-mapping.dmp

Download
memory/1732-185-0x0000000000445C1E-mapping.dmp

Download
memory/1840-51-0x0000000000000000-mapping.dmp

Download
memory/1844-510-0x0000000000000000-mapping.dmp

Download
memory/1844-412-0x0000000000445C1E-mapping.dmp

Download
memory/1844-555-0x0000000000000000-mapping.dmp

Download
memory/1856-54-0x0000000000000000-mapping.dmp

Download
memory/1872-222-0x0000000000445C1E-mapping.dmp

Download
memory/1872-504-0x0000000000000000-mapping.dmp

Download
memory/1896-240-0x0000000000445C1E-mapping.dmp

Download
memory/1896-382-0x0000000000445C1E-mapping.dmp

Download
memory/1896-214-0x0000000000000000-mapping.dmp

Download
memory/1896-161-0x0000000000445C1E-mapping.dmp

Download
memory/1896-492-0x0000000000000000-mapping.dmp

Download
memory/1896-542-0x0000000000445C1E-mapping.dmp

Download
memory/1904-107-0x0000000000445C1E-mapping.dmp

Download
memory/1924-604-0x0000000000000000-mapping.dmp

Download
memory/1948-205-0x0000000000000000-mapping.dmp

Download
memory/1968-96-0x0000000000000000-mapping.dmp

Download
memory/1968-615-0x0000000000445C1E-mapping.dmp

Download
memory/1972-21-0x0000000000000000-mapping.dmp

Download
memory/1972-229-0x0000000000000000-mapping.dmp

Download
memory/2008-383-0x0000000000000000-mapping.dmp

Download
memory/2008-75-0x0000000000000000-mapping.dmp

Download
memory/2076-700-0x0000000000000000-mapping.dmp

Download
memory/2076-125-0x0000000000445C1E-mapping.dmp

Download
memory/2084-280-0x0000000000000000-mapping.dmp

Download
memory/2084-676-0x0000000000000000-mapping.dmp

Download
memory/2120-33-0x0000000000000000-mapping.dmp

Download
memory/2120-301-0x0000000000000000-mapping.dmp

Download
memory/2140-183-0x0000000000000000-mapping.dmp

Download
memory/2140-9-0x0000000000000000-mapping.dmp

Download
memory/2140-122-0x0000000000445C1E-mapping.dmp

Download
memory/2140-340-0x0000000000445C1E-mapping.dmp

Download
memory/2140-35-0x0000000000445C1E-mapping.dmp

Download
memory/2152-521-0x0000000000445C1E-mapping.dmp

Download
memory/2152-38-0x0000000000445C1E-mapping.dmp

Download
memory/2152-824-0x0000000000000000-mapping.dmp

Download
memory/2160-868-0x0000000000445C1E-mapping.dmp

Download
memory/2164-391-0x0000000000445C1E-mapping.dmp

Download
memory/2164-603-0x0000000000445C1E-mapping.dmp

Download
memory/2164-341-0x0000000000000000-mapping.dmp

Download
memory/2184-179-0x0000000000445C1E-mapping.dmp

Download
memory/2188-211-0x0000000000000000-mapping.dmp

Download
memory/2192-207-0x0000000000445C1E-mapping.dmp

Download
memory/2192-501-0x0000000000000000-mapping.dmp

Download
memory/2208-483-0x0000000000000000-mapping.dmp

Download
memory/2244-679-0x0000000000000000-mapping.dmp

Download
memory/2244-101-0x0000000000445C1E-mapping.dmp

Download
memory/2244-588-0x0000000000000000-mapping.dmp

Download
memory/2244-39-0x0000000000000000-mapping.dmp

Download
memory/2256-872-0x0000000000000000-mapping.dmp

Download
memory/2256-697-0x0000000000000000-mapping.dmp

Download
memory/2256-315-0x0000000000445C1E-mapping.dmp

Download
memory/2264-859-0x0000000000445C1E-mapping.dmp

Download
memory/2264-784-0x0000000000445C1E-mapping.dmp

Download
memory/2264-415-0x0000000000445C1E-mapping.dmp

Download
memory/2296-232-0x0000000000000000-mapping.dmp

Download
memory/2296-74-0x0000000000445C1E-mapping.dmp

Download
memory/2296-298-0x0000000000000000-mapping.dmp

Download
memory/2324-581-0x0000000000445C1E-mapping.dmp

Download
memory/2324-192-0x0000000000445C1E-mapping.dmp

Download
memory/2332-273-0x0000000000445C1E-mapping.dmp

Download
memory/2356-68-0x0000000000445C1E-mapping.dmp

Download
memory/2356-44-0x0000000000445C1E-mapping.dmp

Download
memory/2356-388-0x0000000000445C1E-mapping.dmp

Download
memory/2356-661-0x0000000000000000-mapping.dmp

Download
memory/2356-440-0x0000000000000000-mapping.dmp

Download
memory/2380-500-0x0000000000445C1E-mapping.dmp

Download
memory/2408-746-0x0000000000000000-mapping.dmp

Download
memory/2408-557-0x0000000000445C1E-mapping.dmp

Download
memory/2432-108-0x0000000000000000-mapping.dmp

Download
memory/2432-23-0x0000000000445C1E-mapping.dmp

Download
memory/2432-225-0x0000000000445C1E-mapping.dmp

Download
memory/2496-261-0x0000000000445C1E-mapping.dmp

Download
memory/2496-32-0x0000000000445C1E-mapping.dmp

Download
memory/2516-11-0x0000000000445C1E-mapping.dmp

Download
memory/2516-685-0x0000000000000000-mapping.dmp

Download
memory/2564-119-0x0000000000445C1E-mapping.dmp

Download
memory/2564-167-0x0000000000445C1E-mapping.dmp

Download
memory/2568-210-0x0000000000445C1E-mapping.dmp

Download
memory/2592-705-0x0000000000445C1E-mapping.dmp

Download
memory/2592-306-0x0000000000445C1E-mapping.dmp

Download
memory/2592-120-0x0000000000000000-mapping.dmp

Download
memory/2608-276-0x0000000000445C1E-mapping.dmp

Download
memory/2612-714-0x0000000000445C1E-mapping.dmp

Download
memory/2612-513-0x0000000000000000-mapping.dmp

Download
memory/2644-449-0x0000000000000000-mapping.dmp

Download
memory/2644-217-0x0000000000000000-mapping.dmp

Download
memory/2656-518-0x0000000000445C1E-mapping.dmp

Download
memory/2680-24-0x0000000000000000-mapping.dmp

Download
memory/2680-47-0x0000000000445C1E-mapping.dmp

Download
memory/2680-416-0x0000000000000000-mapping.dmp

Download
memory/2728-116-0x0000000000445C1E-mapping.dmp

Download
memory/2728-832-0x0000000000445C1E-mapping.dmp

Download
memory/2756-83-0x0000000000445C1E-mapping.dmp

Download
memory/2756-458-0x0000000000445C1E-mapping.dmp

Download
memory/2768-81-0x0000000000000000-mapping.dmp

Download
memory/2768-149-0x0000000000445C1E-mapping.dmp

Download
memory/2768-62-0x0000000000445C1E-mapping.dmp

Download
memory/2772-45-0x0000000000000000-mapping.dmp

Download
memory/2772-146-0x0000000000445C1E-mapping.dmp

Download
memory/2772-128-0x0000000000445C1E-mapping.dmp

Download
memory/2800-300-0x0000000000445C1E-mapping.dmp

Download
memory/2800-670-0x0000000000000000-mapping.dmp

Download
memory/2800-448-0x0000000000445C1E-mapping.dmp

Download
memory/2832-572-0x0000000000445C1E-mapping.dmp

Download
memory/2832-531-0x0000000000000000-mapping.dmp

Download
memory/2832-26-0x0000000000445C1E-mapping.dmp

Download
memory/2860-42-0x0000000000000000-mapping.dmp

Download
memory/2860-153-0x0000000000000000-mapping.dmp

Download
memory/2864-226-0x0000000000000000-mapping.dmp

Download
memory/2880-871-0x0000000000445C1E-mapping.dmp

Download
memory/2888-288-0x0000000000445C1E-mapping.dmp

Download
memory/2896-329-0x0000000000000000-mapping.dmp

Download
memory/2896-111-0x0000000000000000-mapping.dmp

Download
memory/2968-318-0x0000000000445C1E-mapping.dmp

Download
memory/2968-425-0x0000000000000000-mapping.dmp

Download
memory/2980-742-0x0000000000445C1E-mapping.dmp

Download
memory/2980-428-0x0000000000000000-mapping.dmp

Download
memory/2996-639-0x0000000000445C1E-mapping.dmp

Download
memory/2996-546-0x0000000000000000-mapping.dmp

Download
memory/3000-89-0x0000000000445C1E-mapping.dmp

Download
memory/3004-267-0x0000000000445C1E-mapping.dmp

Download
memory/3004-726-0x0000000000445C1E-mapping.dmp

Download
memory/3004-159-0x0000000000000000-mapping.dmp

Download
memory/3008-0-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/3008-164-0x0000000000445C1E-mapping.dmp

Download
memory/3008-1-0x0000000000445C1E-mapping.dmp

Download
memory/3024-672-0x0000000000445C1E-mapping.dmp

Download
memory/3028-8-0x0000000000445C1E-mapping.dmp

Download
memory/3028-168-0x0000000000000000-mapping.dmp

Download
memory/3032-625-0x0000000000000000-mapping.dmp

Download
memory/3144-325-0x0000000000000000-mapping.dmp

Download
memory/3144-176-0x0000000000445C1E-mapping.dmp

Download
memory/3176-4-0x0000000000445C1E-mapping.dmp

Download
memory/3176-294-0x0000000000445C1E-mapping.dmp

Download
memory/3176-216-0x0000000000445C1E-mapping.dmp

Download
memory/3208-303-0x0000000000445C1E-mapping.dmp

Download
memory/3208-158-0x0000000000445C1E-mapping.dmp

Download
memory/3212-270-0x0000000000445C1E-mapping.dmp

Download
memory/3212-87-0x0000000000000000-mapping.dmp

Download
memory/3212-694-0x0000000000000000-mapping.dmp

Download
memory/3212-337-0x0000000000445C1E-mapping.dmp

Download
memory/3224-465-0x0000000000000000-mapping.dmp

Download
memory/3240-519-0x0000000000000000-mapping.dmp

Download
memory/3240-343-0x0000000000445C1E-mapping.dmp

Download
memory/3244-591-0x0000000000000000-mapping.dmp

Download
memory/3244-243-0x0000000000445C1E-mapping.dmp

Download
memory/3248-327-0x0000000000445C1E-mapping.dmp

Download
memory/3328-292-0x0000000000000000-mapping.dmp

Download
memory/3328-539-0x0000000000445C1E-mapping.dmp

Download
memory/3328-162-0x0000000000000000-mapping.dmp

Download
memory/3328-841-0x0000000000445C1E-mapping.dmp

Download
memory/3344-219-0x0000000000445C1E-mapping.dmp

Download
memory/3344-787-0x0000000000445C1E-mapping.dmp

Download
memory/3344-201-0x0000000000445C1E-mapping.dmp

Download
memory/3360-401-0x0000000000000000-mapping.dmp

Download
memory/3364-285-0x0000000000445C1E-mapping.dmp

Download
memory/3364-645-0x0000000000445C1E-mapping.dmp

Download
memory/3364-462-0x0000000000000000-mapping.dmp

Download
memory/3376-12-0x0000000000000000-mapping.dmp

Download
memory/3436-651-0x0000000000445C1E-mapping.dmp

Download
memory/3444-380-0x0000000000000000-mapping.dmp

Download
memory/3448-413-0x0000000000000000-mapping.dmp

Download
memory/3448-177-0x0000000000000000-mapping.dmp

Download
memory/3448-135-0x0000000000000000-mapping.dmp

Download
memory/3448-467-0x0000000000445C1E-mapping.dmp

Download
memory/3492-237-0x0000000000445C1E-mapping.dmp

Download
memory/3492-143-0x0000000000445C1E-mapping.dmp

Download
memory/3492-830-0x0000000000000000-mapping.dmp

Download
memory/3496-198-0x0000000000445C1E-mapping.dmp

Download
memory/3496-235-0x0000000000000000-mapping.dmp

Download
memory/3500-190-0x0000000000000000-mapping.dmp

Download
memory/3512-309-0x0000000000445C1E-mapping.dmp

Download
memory/3516-654-0x0000000000445C1E-mapping.dmp

Download
memory/3516-150-0x0000000000000000-mapping.dmp

Download
memory/3520-646-0x0000000000000000-mapping.dmp

Download
memory/3524-252-0x0000000000445C1E-mapping.dmp

Download
memory/3536-332-0x0000000000000000-mapping.dmp

Download
memory/3540-117-0x0000000000000000-mapping.dmp

Download
memory/3640-5-0x0000000000000000-mapping.dmp

Download
memory/3664-129-0x0000000000000000-mapping.dmp

Download
memory/3664-773-0x0000000000000000-mapping.dmp

Download
memory/3672-256-0x0000000000000000-mapping.dmp

Download
memory/3672-271-0x0000000000000000-mapping.dmp

Download
memory/3688-259-0x0000000000000000-mapping.dmp

Download
memory/3692-246-0x0000000000445C1E-mapping.dmp

Download
memory/3712-471-0x0000000000000000-mapping.dmp

Download
memory/3760-72-0x0000000000000000-mapping.dmp

Download
memory/3760-29-0x0000000000445C1E-mapping.dmp

Download
memory/3780-503-0x0000000000445C1E-mapping.dmp

Download
memory/3788-838-0x0000000000445C1E-mapping.dmp

Download
memory/3788-607-0x0000000000000000-mapping.dmp

Download
memory/3788-389-0x0000000000000000-mapping.dmp

Download
memory/3792-213-0x0000000000445C1E-mapping.dmp

Download
memory/3792-105-0x0000000000000000-mapping.dmp

Download
memory/3796-84-0x0000000000000000-mapping.dmp

Download
memory/3796-264-0x0000000000445C1E-mapping.dmp

Download
memory/3796-881-0x0000000000445C1E-mapping.dmp

Download
memory/3796-291-0x0000000000445C1E-mapping.dmp

Download
memory/3800-99-0x0000000000000000-mapping.dmp

Download
memory/3800-808-0x0000000000445C1E-mapping.dmp

Download
memory/3804-452-0x0000000000000000-mapping.dmp

Download
memory/3844-851-0x0000000000000000-mapping.dmp

Download
memory/3848-2-0x0000000000000000-mapping.dmp

Download
memory/3848-63-0x0000000000000000-mapping.dmp

Download
memory/3852-823-0x0000000000445C1E-mapping.dmp

Download
memory/3852-123-0x0000000000000000-mapping.dmp

Download
memory/3856-621-0x0000000000445C1E-mapping.dmp

Download
memory/3860-767-0x0000000000000000-mapping.dmp

Download
memory/3872-220-0x0000000000000000-mapping.dmp

Download
memory/3872-144-0x0000000000000000-mapping.dmp

Download
memory/3876-208-0x0000000000000000-mapping.dmp

Download
memory/3880-427-0x0000000000445C1E-mapping.dmp

Download
memory/3892-622-0x0000000000000000-mapping.dmp

Download
memory/3892-268-0x0000000000000000-mapping.dmp

Download
memory/3900-262-0x0000000000000000-mapping.dmp

Download
memory/3916-90-0x0000000000000000-mapping.dmp

Download
memory/3916-66-0x0000000000000000-mapping.dmp

Download
memory/3920-708-0x0000000000445C1E-mapping.dmp

Download
memory/3920-509-0x0000000000445C1E-mapping.dmp

Download
memory/3924-373-0x0000000000445C1E-mapping.dmp

Download
memory/3924-797-0x0000000000000000-mapping.dmp

Download
memory/3932-371-0x0000000000000000-mapping.dmp

Download
memory/3936-30-0x0000000000000000-mapping.dmp

Download
memory/3936-376-0x0000000000445C1E-mapping.dmp

Download
memory/3940-286-0x0000000000000000-mapping.dmp

Download
memory/3952-195-0x0000000000445C1E-mapping.dmp

Download
memory/3956-18-0x0000000000000000-mapping.dmp

Download
memory/3956-721-0x0000000000000000-mapping.dmp

Download
memory/3960-826-0x0000000000445C1E-mapping.dmp

Download
memory/3960-737-0x0000000000000000-mapping.dmp

Download
memory/3964-77-0x0000000000445C1E-mapping.dmp

Download
memory/3964-255-0x0000000000445C1E-mapping.dmp

Download
memory/3964-745-0x0000000000445C1E-mapping.dmp

Download
memory/3968-155-0x0000000000445C1E-mapping.dmp

Download
memory/3968-385-0x0000000000445C1E-mapping.dmp

Download
memory/3968-27-0x0000000000000000-mapping.dmp

Download
memory/3972-265-0x0000000000000000-mapping.dmp

Download
memory/3992-549-0x0000000000000000-mapping.dmp

Download
memory/3996-322-0x0000000000000000-mapping.dmp

Download
memory/3996-470-0x0000000000445C1E-mapping.dmp

Download
memory/4008-794-0x0000000000000000-mapping.dmp

Download
memory/4008-564-0x0000000000000000-mapping.dmp

Download
memory/4012-419-0x0000000000000000-mapping.dmp

Download
memory/4012-749-0x0000000000000000-mapping.dmp

Download
memory/4012-377-0x0000000000000000-mapping.dmp

Download
memory/4012-199-0x0000000000000000-mapping.dmp

Download
memory/4016-228-0x0000000000445C1E-mapping.dmp

Download
memory/4024-231-0x0000000000445C1E-mapping.dmp

Download
memory/4032-561-0x0000000000000000-mapping.dmp

Download
memory/4044-418-0x0000000000445C1E-mapping.dmp

Download
memory/4044-165-0x0000000000000000-mapping.dmp

Download
memory/4088-763-0x0000000000445C1E-mapping.dmp

Download
memory/4088-476-0x0000000000445C1E-mapping.dmp

Download
memory/4104-609-0x0000000000445C1E-mapping.dmp

Download
memory/4104-779-0x0000000000000000-mapping.dmp

Download
memory/4108-860-0x0000000000000000-mapping.dmp

Download
memory/4108-543-0x0000000000000000-mapping.dmp

Download
memory/4120-850-0x0000000000445C1E-mapping.dmp

Download
memory/4120-374-0x0000000000000000-mapping.dmp

Download
memory/4140-616-0x0000000000000000-mapping.dmp

Download
memory/4140-760-0x0000000000445C1E-mapping.dmp

Download
memory/4176-534-0x0000000000000000-mapping.dmp

Download
memory/4176-863-0x0000000000000000-mapping.dmp

Download
memory/4180-566-0x0000000000445C1E-mapping.dmp

Download
memory/4180-657-0x0000000000445C1E-mapping.dmp

Download
memory/4180-764-0x0000000000000000-mapping.dmp

Download
memory/4184-752-0x0000000000000000-mapping.dmp

Download
memory/4188-717-0x0000000000445C1E-mapping.dmp

Download
memory/4188-618-0x0000000000445C1E-mapping.dmp

Download
memory/4200-814-0x0000000000445C1E-mapping.dmp

Download
memory/4208-527-0x0000000000445C1E-mapping.dmp

Download
memory/4212-451-0x0000000000445C1E-mapping.dmp

Download
memory/4224-344-0x0000000000000000-mapping.dmp

Download
memory/4236-723-0x0000000000445C1E-mapping.dmp

Download
memory/4240-775-0x0000000000445C1E-mapping.dmp

Download
memory/4240-730-0x0000000000000000-mapping.dmp

Download
memory/4256-669-0x0000000000445C1E-mapping.dmp

Download
memory/4256-488-0x0000000000445C1E-mapping.dmp

Download
memory/4268-582-0x0000000000000000-mapping.dmp

Download
memory/4272-346-0x0000000000445C1E-mapping.dmp

Download
memory/4280-474-0x0000000000000000-mapping.dmp

Download
memory/4280-386-0x0000000000000000-mapping.dmp

Download
memory/4280-528-0x0000000000000000-mapping.dmp

Download
memory/4284-820-0x0000000000445C1E-mapping.dmp

Download
memory/4284-724-0x0000000000000000-mapping.dmp

Download
memory/4288-554-0x0000000000445C1E-mapping.dmp

Download
memory/4292-690-0x0000000000445C1E-mapping.dmp

Download
memory/4304-766-0x0000000000445C1E-mapping.dmp

Download
memory/4304-718-0x0000000000000000-mapping.dmp

Download
memory/4316-637-0x0000000000000000-mapping.dmp

Download
memory/4324-578-0x0000000000445C1E-mapping.dmp

Download
memory/4324-512-0x0000000000445C1E-mapping.dmp

Download
memory/4324-430-0x0000000000445C1E-mapping.dmp

Download
memory/4332-392-0x0000000000000000-mapping.dmp

Download
memory/4332-433-0x0000000000445C1E-mapping.dmp

Download
memory/4332-854-0x0000000000000000-mapping.dmp

Download
memory/4336-347-0x0000000000000000-mapping.dmp

Download
memory/4352-869-0x0000000000000000-mapping.dmp

Download
memory/4356-394-0x0000000000445C1E-mapping.dmp

Download
memory/4356-802-0x0000000000445C1E-mapping.dmp

Download
memory/4368-349-0x0000000000445C1E-mapping.dmp

Download
memory/4368-633-0x0000000000445C1E-mapping.dmp

Download
memory/4376-833-0x0000000000000000-mapping.dmp

Download
memory/4388-875-0x0000000000000000-mapping.dmp

Download
memory/4392-817-0x0000000000445C1E-mapping.dmp

Download
memory/4396-663-0x0000000000445C1E-mapping.dmp

Download
memory/4404-678-0x0000000000445C1E-mapping.dmp

Download
memory/4408-818-0x0000000000000000-mapping.dmp

Download
memory/4424-575-0x0000000000445C1E-mapping.dmp

Download
memory/4432-350-0x0000000000000000-mapping.dmp

Download
memory/4432-636-0x0000000000445C1E-mapping.dmp

Download
memory/4436-879-0x0000000000000000-mapping.dmp

Download
memory/4436-563-0x0000000000445C1E-mapping.dmp

Download
memory/4444-610-0x0000000000000000-mapping.dmp

Download
memory/4452-836-0x0000000000000000-mapping.dmp

Download
memory/4452-628-0x0000000000000000-mapping.dmp

Download
memory/4456-755-0x0000000000000000-mapping.dmp

Download
memory/4460-806-0x0000000000000000-mapping.dmp

Download
memory/4464-352-0x0000000000445C1E-mapping.dmp

Download
memory/4464-494-0x0000000000445C1E-mapping.dmp

Download
memory/4464-673-0x0000000000000000-mapping.dmp

Download
memory/4472-507-0x0000000000000000-mapping.dmp

Download
memory/4472-454-0x0000000000445C1E-mapping.dmp

Download
memory/4476-799-0x0000000000445C1E-mapping.dmp

Download
memory/4476-866-0x0000000000000000-mapping.dmp

Download
memory/4488-540-0x0000000000000000-mapping.dmp

Download
memory/4492-751-0x0000000000445C1E-mapping.dmp

Download
memory/4496-739-0x0000000000445C1E-mapping.dmp

Download
memory/4516-612-0x0000000000445C1E-mapping.dmp

Download
memory/4524-489-0x0000000000000000-mapping.dmp

Download
memory/4524-648-0x0000000000445C1E-mapping.dmp

Download
memory/4524-397-0x0000000000445C1E-mapping.dmp

Download
memory/4528-353-0x0000000000000000-mapping.dmp

Download
memory/4536-477-0x0000000000000000-mapping.dmp

Download
memory/4536-569-0x0000000000445C1E-mapping.dmp

Download
memory/4540-754-0x0000000000445C1E-mapping.dmp

Download
memory/4544-772-0x0000000000445C1E-mapping.dmp

Download
memory/4548-584-0x0000000000445C1E-mapping.dmp

Download
memory/4548-434-0x0000000000000000-mapping.dmp

Download
memory/4560-395-0x0000000000000000-mapping.dmp

Download
memory/4560-703-0x0000000000000000-mapping.dmp

Download
memory/4568-355-0x0000000000445C1E-mapping.dmp

Download
memory/4576-431-0x0000000000000000-mapping.dmp

Download
memory/4576-687-0x0000000000445C1E-mapping.dmp

Download
memory/4584-579-0x0000000000000000-mapping.dmp

Download
memory/4588-878-0x0000000000445C1E-mapping.dmp

Download
memory/4592-491-0x0000000000445C1E-mapping.dmp

Download
memory/4600-757-0x0000000000445C1E-mapping.dmp

Download
memory/4604-479-0x0000000000445C1E-mapping.dmp

Download
memory/4612-398-0x0000000000000000-mapping.dmp

Download
memory/4612-437-0x0000000000000000-mapping.dmp

Download
memory/4620-601-0x0000000000000000-mapping.dmp

Download
memory/4624-684-0x0000000000445C1E-mapping.dmp

Download
memory/4628-847-0x0000000000445C1E-mapping.dmp

Download
memory/4628-758-0x0000000000000000-mapping.dmp

Download
memory/4648-781-0x0000000000445C1E-mapping.dmp

Download
memory/4648-356-0x0000000000000000-mapping.dmp

Download
memory/4656-587-0x0000000000445C1E-mapping.dmp

Download
memory/4688-358-0x0000000000445C1E-mapping.dmp

Download
memory/4688-442-0x0000000000445C1E-mapping.dmp

Download
memory/4688-785-0x0000000000000000-mapping.dmp

Download
memory/4692-848-0x0000000000000000-mapping.dmp

Download
memory/4700-835-0x0000000000445C1E-mapping.dmp

Download
memory/4708-533-0x0000000000445C1E-mapping.dmp

Download
memory/4708-590-0x0000000000445C1E-mapping.dmp

Download
memory/4708-736-0x0000000000445C1E-mapping.dmp

Download
memory/4712-845-0x0000000000000000-mapping.dmp

Download
memory/4716-631-0x0000000000000000-mapping.dmp

Download
memory/4720-666-0x0000000000445C1E-mapping.dmp

Download
memory/4720-770-0x0000000000000000-mapping.dmp

Download
memory/4724-652-0x0000000000000000-mapping.dmp

Download
memory/4732-649-0x0000000000000000-mapping.dmp

Download
memory/4740-482-0x0000000000445C1E-mapping.dmp

Download
memory/4752-359-0x0000000000000000-mapping.dmp

Download
memory/4752-498-0x0000000000000000-mapping.dmp

Download
memory/4752-456-0x0000000000000000-mapping.dmp

Download
memory/4760-594-0x0000000000445C1E-mapping.dmp

Download
memory/4760-729-0x0000000000445C1E-mapping.dmp

Download
memory/4768-551-0x0000000000445C1E-mapping.dmp

Download
memory/4768-403-0x0000000000445C1E-mapping.dmp

Download
memory/4772-812-0x0000000000000000-mapping.dmp

Download
memory/4784-515-0x0000000000445C1E-mapping.dmp

Download
memory/4788-865-0x0000000000445C1E-mapping.dmp

Download
memory/4788-361-0x0000000000445C1E-mapping.dmp

Download
memory/4808-443-0x0000000000000000-mapping.dmp

Download
memory/4816-827-0x0000000000000000-mapping.dmp

Download
memory/4824-800-0x0000000000000000-mapping.dmp

Download
memory/4824-530-0x0000000000445C1E-mapping.dmp

Download
memory/4832-782-0x0000000000000000-mapping.dmp

Download
memory/4836-829-0x0000000000445C1E-mapping.dmp

Download
memory/4840-727-0x0000000000000000-mapping.dmp

Download
memory/4848-436-0x0000000000445C1E-mapping.dmp

Download
memory/4852-658-0x0000000000000000-mapping.dmp

Download
memory/4852-362-0x0000000000000000-mapping.dmp

Download
memory/4852-597-0x0000000000445C1E-mapping.dmp

Download
memory/4852-805-0x0000000000445C1E-mapping.dmp

Download
memory/4856-406-0x0000000000445C1E-mapping.dmp

Download
memory/4856-495-0x0000000000000000-mapping.dmp

Download
memory/4860-769-0x0000000000445C1E-mapping.dmp

Download
memory/4880-537-0x0000000000000000-mapping.dmp

Download
memory/4884-364-0x0000000000445C1E-mapping.dmp

Download
memory/4884-681-0x0000000000445C1E-mapping.dmp

Download
memory/4896-400-0x0000000000445C1E-mapping.dmp

Download
memory/4900-788-0x0000000000000000-mapping.dmp

Download
memory/4904-480-0x0000000000000000-mapping.dmp

Download
memory/4908-506-0x0000000000445C1E-mapping.dmp

Download
memory/4908-667-0x0000000000000000-mapping.dmp

Download
memory/4912-545-0x0000000000445C1E-mapping.dmp

Download
memory/4924-711-0x0000000000445C1E-mapping.dmp

Download
memory/4928-576-0x0000000000000000-mapping.dmp

Download
memory/4948-365-0x0000000000000000-mapping.dmp

Download
memory/4952-560-0x0000000000445C1E-mapping.dmp

Download
memory/4952-696-0x0000000000445C1E-mapping.dmp

Download
memory/4960-675-0x0000000000445C1E-mapping.dmp

Download
memory/4964-461-0x0000000000445C1E-mapping.dmp

Download
memory/4964-778-0x0000000000445C1E-mapping.dmp

Download
memory/4968-606-0x0000000000445C1E-mapping.dmp

Download
memory/4980-720-0x0000000000445C1E-mapping.dmp

Download
memory/4984-748-0x0000000000445C1E-mapping.dmp

Download
memory/4984-516-0x0000000000000000-mapping.dmp

Download
memory/4984-655-0x0000000000000000-mapping.dmp

Download
memory/4988-367-0x0000000000445C1E-mapping.dmp

Download
memory/4992-486-0x0000000000000000-mapping.dmp

Download
memory/5000-761-0x0000000000000000-mapping.dmp

Download
memory/5004-791-0x0000000000000000-mapping.dmp

Download
memory/5008-862-0x0000000000445C1E-mapping.dmp

Download
memory/5012-536-0x0000000000445C1E-mapping.dmp

Download
memory/5012-839-0x0000000000000000-mapping.dmp

Download
memory/5020-743-0x0000000000000000-mapping.dmp

Download
memory/5028-688-0x0000000000000000-mapping.dmp

Download
memory/5028-409-0x0000000000445C1E-mapping.dmp

Download
memory/5028-643-0x0000000000000000-mapping.dmp

Download
memory/5032-793-0x0000000000445C1E-mapping.dmp

Download
memory/5040-640-0x0000000000000000-mapping.dmp

Download
memory/5052-809-0x0000000000000000-mapping.dmp

Download
memory/5052-706-0x0000000000000000-mapping.dmp

Download
memory/5068-600-0x0000000000445C1E-mapping.dmp

Download
memory/5072-368-0x0000000000000000-mapping.dmp

Download
memory/5072-660-0x0000000000445C1E-mapping.dmp

Download
memory/5088-497-0x0000000000445C1E-mapping.dmp

Download
memory/5088-624-0x0000000000445C1E-mapping.dmp

Download
memory/5100-410-0x0000000000000000-mapping.dmp

Download
memory/5108-857-0x0000000000000000-mapping.dmp

Download
memory/5112-634-0x0000000000000000-mapping.dmp

Download
memory/5112-370-0x0000000000445C1E-mapping.dmp

Download
memory/5112-682-0x0000000000000000-mapping.dmp

Download
memory/5116-693-0x0000000000445C1E-mapping.dmp

Download
memory/5116-445-0x0000000000445C1E-mapping.dmp

Download