hawkeye_reborn | 1660cbe9bd7e85ed0a2ad4ca9f793e0ef8b5f889946844e2184b1a8d2fd89ba8

Analysis

max time kernel
150s
max time network
155s
platform
windows10_x64
resource
win10v20201028
submitted
09-11-2020 19:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

order no. #7962011665 20200504 ,xlsx.exe
Size

806KB
MD5

1b4f6d2739f85c2235a6368484b9ec0a
SHA1

794a94714a57bc1c22cfaa2b8fd796142681baf6
SHA256

1660cbe9bd7e85ed0a2ad4ca9f793e0ef8b5f889946844e2184b1a8d2fd89ba8
SHA512

c2e05ebf2addb5578962f2ae07ca29941c4cfbb6de3b6107027fb7c1655f1e16c1579f10d7ee773d20e8946a3b4b8d082afaaa1b04ccaa0250804fe8c5f017e6

Score

10^/10

hawkeye_reborn m00nd3v_logger keylogger spyware stealer trojan

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
smtp.gmail.com
Port:
587
Username:
[email protected]
Password:
moneymustdrop

Extracted

Family

hawkeye_reborn

Version

10.1.2.2

Credentials

Protocol: smtp
Host:
smtp.gmail.com
Port:
587
Username:
[email protected]
Password:
moneymustdrop

Mutex

576d486f-5a38-4268-af87-f88f88c4f208

Attributes

fields
map[_AntiDebugger:false _AntiVirusKiller:false _BotKiller:false _ClipboardLogger:true _Delivery:0 _DisableCommandPrompt:false _DisableRegEdit:false _DisableTaskManager:false _Disablers:false _EmailPassword:moneymustdrop _EmailPort:587 _EmailSSL:true _EmailServer:smtp.gmail.com _EmailUsername:[email protected] _ExecutionDelay:10 _FTPPort:0 _FTPSFTP:false _FakeMessageIcon:0 _FakeMessageShow:false _FileBinder:false _HideFile:false _HistoryCleaner:false _Install:false _InstallLocation:0 _InstallStartup:false _InstallStartupPersistance:false _KeyStrokeLogger:false _LogInterval:10 _MeltFile:false _Mutex:576d486f-5a38-4268-af87-f88f88c4f208 _PasswordStealer:true _ProcessElevation:false _ProcessProtection:false _ScreenshotLogger:false _SystemInfo:false _Version:10.1.2.2 _WebCamLogger:false _WebsiteBlocker:false _WebsiteVisitor:false _WebsiteVisitorVisible:false _ZoneID:false]
name
HawkEye Keylogger - RebornX, Version=10.1.2.2, Culture=neutral, PublicKeyToken=null

Signatures

HawkEye Reborn
HawkEye Reborn is an enhanced version of the HawkEye malware kit.
keylogger trojan stealer spyware hawkeye_reborn
M00nd3v_Logger
M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
stealer spyware m00nd3v_logger

M00nD3v Logger Payload 63 IoCs

Detects M00nD3v Logger payload in memory.

Processes:

resource	yara_rule
behavioral2/memory/2268-5-0x0000000000400000-0x0000000000490000-memory.dmp	m00nd3v_logger
behavioral2/memory/2268-6-0x000000000048A1DE-mapping.dmp	m00nd3v_logger
behavioral2/memory/796-21-0x000000000048A1DE-mapping.dmp	m00nd3v_logger
behavioral2/memory/1884-35-0x000000000048A1DE-mapping.dmp	m00nd3v_logger
behavioral2/memory/4052-51-0x000000000048A1DE-mapping.dmp	m00nd3v_logger
behavioral2/memory/4648-65-0x000000000048A1DE-mapping.dmp	m00nd3v_logger
behavioral2/memory/2160-81-0x000000000048A1DE-mapping.dmp	m00nd3v_logger
behavioral2/memory/4172-96-0x000000000048A1DE-mapping.dmp	m00nd3v_logger
behavioral2/memory/1920-113-0x000000000048A1DE-mapping.dmp	m00nd3v_logger
behavioral2/memory/4512-133-0x000000000048A1DE-mapping.dmp	m00nd3v_logger
behavioral2/memory/4072-151-0x000000000048A1DE-mapping.dmp	m00nd3v_logger
behavioral2/memory/3832-171-0x000000000048A1DE-mapping.dmp	m00nd3v_logger
behavioral2/memory/2272-191-0x000000000048A1DE-mapping.dmp	m00nd3v_logger
behavioral2/memory/5056-208-0x000000000048A1DE-mapping.dmp	m00nd3v_logger
behavioral2/memory/1356-229-0x000000000048A1DE-mapping.dmp	m00nd3v_logger
behavioral2/memory/492-244-0x000000000048A1DE-mapping.dmp	m00nd3v_logger
behavioral2/memory/3716-262-0x000000000048A1DE-mapping.dmp	m00nd3v_logger
behavioral2/memory/4464-280-0x000000000048A1DE-mapping.dmp	m00nd3v_logger
behavioral2/memory/5404-299-0x000000000048A1DE-mapping.dmp	m00nd3v_logger
behavioral2/memory/5684-318-0x000000000048A1DE-mapping.dmp	m00nd3v_logger
behavioral2/memory/5968-337-0x000000000048A1DE-mapping.dmp	m00nd3v_logger
behavioral2/memory/3096-355-0x000000000048A1DE-mapping.dmp	m00nd3v_logger
behavioral2/memory/5208-373-0x000000000048A1DE-mapping.dmp	m00nd3v_logger
behavioral2/memory/5544-392-0x000000000048A1DE-mapping.dmp	m00nd3v_logger
behavioral2/memory/5204-412-0x000000000048A1DE-mapping.dmp	m00nd3v_logger
behavioral2/memory/5548-429-0x000000000048A1DE-mapping.dmp	m00nd3v_logger
behavioral2/memory/4452-448-0x000000000048A1DE-mapping.dmp	m00nd3v_logger
behavioral2/memory/5808-466-0x000000000048A1DE-mapping.dmp	m00nd3v_logger
behavioral2/memory/5692-485-0x000000000048A1DE-mapping.dmp	m00nd3v_logger
behavioral2/memory/6288-502-0x000000000048A1DE-mapping.dmp	m00nd3v_logger
behavioral2/memory/6544-519-0x000000000048A1DE-mapping.dmp	m00nd3v_logger
behavioral2/memory/6836-538-0x000000000048A1DE-mapping.dmp	m00nd3v_logger
behavioral2/memory/7104-556-0x000000000048A1DE-mapping.dmp	m00nd3v_logger
behavioral2/memory/5848-574-0x000000000048A1DE-mapping.dmp	m00nd3v_logger
behavioral2/memory/6908-592-0x000000000048A1DE-mapping.dmp	m00nd3v_logger
behavioral2/memory/5996-610-0x000000000048A1DE-mapping.dmp	m00nd3v_logger
behavioral2/memory/6448-629-0x000000000048A1DE-mapping.dmp	m00nd3v_logger
behavioral2/memory/6668-647-0x000000000048A1DE-mapping.dmp	m00nd3v_logger
behavioral2/memory/5952-665-0x000000000048A1DE-mapping.dmp	m00nd3v_logger
behavioral2/memory/6636-684-0x000000000048A1DE-mapping.dmp	m00nd3v_logger
behavioral2/memory/6196-702-0x000000000048A1DE-mapping.dmp	m00nd3v_logger
behavioral2/memory/7320-722-0x000000000048A1DE-mapping.dmp	m00nd3v_logger
behavioral2/memory/7604-741-0x000000000048A1DE-mapping.dmp	m00nd3v_logger
behavioral2/memory/7884-759-0x000000000048A1DE-mapping.dmp	m00nd3v_logger
behavioral2/memory/8184-779-0x000000000048A1DE-mapping.dmp	m00nd3v_logger
behavioral2/memory/7500-797-0x000000000048A1DE-mapping.dmp	m00nd3v_logger
behavioral2/memory/7440-814-0x000000000048A1DE-mapping.dmp	m00nd3v_logger
behavioral2/memory/7520-832-0x000000000048A1DE-mapping.dmp	m00nd3v_logger
behavioral2/memory/7632-851-0x000000000048A1DE-mapping.dmp	m00nd3v_logger
behavioral2/memory/6992-869-0x000000000048A1DE-mapping.dmp	m00nd3v_logger
behavioral2/memory/8076-885-0x000000000048A1DE-mapping.dmp	m00nd3v_logger
behavioral2/memory/6248-906-0x000000000048A1DE-mapping.dmp	m00nd3v_logger
behavioral2/memory/7540-925-0x000000000048A1DE-mapping.dmp	m00nd3v_logger
behavioral2/memory/4012-943-0x000000000048A1DE-mapping.dmp	m00nd3v_logger
behavioral2/memory/8452-962-0x000000000048A1DE-mapping.dmp	m00nd3v_logger
behavioral2/memory/8764-983-0x000000000048A1DE-mapping.dmp	m00nd3v_logger
behavioral2/memory/9048-1001-0x000000000048A1DE-mapping.dmp	m00nd3v_logger
behavioral2/memory/5988-1019-0x000000000048A1DE-mapping.dmp	m00nd3v_logger
behavioral2/memory/8760-1035-0x000000000048A1DE-mapping.dmp	m00nd3v_logger
behavioral2/memory/8328-1055-0x000000000048A1DE-mapping.dmp	m00nd3v_logger
behavioral2/memory/1436-1073-0x000000000048A1DE-mapping.dmp	m00nd3v_logger
behavioral2/memory/8512-1091-0x000000000048A1DE-mapping.dmp	m00nd3v_logger
behavioral2/memory/8964-1107-0x000000000048A1DE-mapping.dmp	m00nd3v_logger

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

18 bot.whatismyipaddress.com

flow	ioc
18	bot.whatismyipaddress.com

Suspicious use of SetThreadContext 61 IoCs

Processes:

order no. #7962011665 20200504 ,xlsx.exeorder no. #7962011665 20200504 ,xlsx.exeorder no. #7962011665 20200504 ,xlsx.exeorder no. #7962011665 20200504 ,xlsx.exeorder no. #7962011665 20200504 ,xlsx.exeorder no. #7962011665 20200504 ,xlsx.exeorder no. #7962011665 20200504 ,xlsx.exeorder no. #7962011665 20200504 ,xlsx.exeorder no. #7962011665 20200504 ,xlsx.exeorder no. #7962011665 20200504 ,xlsx.exeorder no. #7962011665 20200504 ,xlsx.exeorder no. #7962011665 20200504 ,xlsx.exeorder no. #7962011665 20200504 ,xlsx.exeorder no. #7962011665 20200504 ,xlsx.exeorder no. #7962011665 20200504 ,xlsx.exeorder no. #7962011665 20200504 ,xlsx.exeorder no. #7962011665 20200504 ,xlsx.exeorder no. #7962011665 20200504 ,xlsx.exeorder no. #7962011665 20200504 ,xlsx.exeorder no. #7962011665 20200504 ,xlsx.exeorder no. #7962011665 20200504 ,xlsx.exeorder no. #7962011665 20200504 ,xlsx.exeorder no. #7962011665 20200504 ,xlsx.exeorder no. #7962011665 20200504 ,xlsx.exeorder no. #7962011665 20200504 ,xlsx.exeorder no. #7962011665 20200504 ,xlsx.exeorder no. #7962011665 20200504 ,xlsx.exeorder no. #7962011665 20200504 ,xlsx.exeorder no. #7962011665 20200504 ,xlsx.exeorder no. #7962011665 20200504 ,xlsx.exeorder no. #7962011665 20200504 ,xlsx.exeorder no. #7962011665 20200504 ,xlsx.exeorder no. #7962011665 20200504 ,xlsx.exeorder no. #7962011665 20200504 ,xlsx.exeorder no. #7962011665 20200504 ,xlsx.exeorder no. #7962011665 20200504 ,xlsx.exeorder no. #7962011665 20200504 ,xlsx.exeorder no. #7962011665 20200504 ,xlsx.exeorder no. #7962011665 20200504 ,xlsx.exeorder no. #7962011665 20200504 ,xlsx.exeorder no. #7962011665 20200504 ,xlsx.exeorder no. #7962011665 20200504 ,xlsx.exeorder no. #7962011665 20200504 ,xlsx.exeorder no. #7962011665 20200504 ,xlsx.exeorder no. #7962011665 20200504 ,xlsx.exeorder no. #7962011665 20200504 ,xlsx.exeorder no. #7962011665 20200504 ,xlsx.exeorder no. #7962011665 20200504 ,xlsx.exeorder no. #7962011665 20200504 ,xlsx.exeorder no. #7962011665 20200504 ,xlsx.exeorder no. #7962011665 20200504 ,xlsx.exeorder no. #7962011665 20200504 ,xlsx.exeorder no. #7962011665 20200504 ,xlsx.exeorder no. #7962011665 20200504 ,xlsx.exeorder no. #7962011665 20200504 ,xlsx.exeorder no. #7962011665 20200504 ,xlsx.exeorder no. #7962011665 20200504 ,xlsx.exeorder no. #7962011665 20200504 ,xlsx.exeorder no. #7962011665 20200504 ,xlsx.exeorder no. #7962011665 20200504 ,xlsx.exeorder no. #7962011665 20200504 ,xlsx.exe

description	pid	process	target process
PID 4680 set thread context of 2268	4680	order no. #7962011665 20200504 ,xlsx.exe	RegAsm.exe
PID 3168 set thread context of 796	3168	order no. #7962011665 20200504 ,xlsx.exe	RegAsm.exe
PID 1548 set thread context of 1884	1548	order no. #7962011665 20200504 ,xlsx.exe	RegAsm.exe
PID 2792 set thread context of 4052	2792	order no. #7962011665 20200504 ,xlsx.exe	RegAsm.exe
PID 1612 set thread context of 4648	1612	order no. #7962011665 20200504 ,xlsx.exe	RegAsm.exe
PID 2772 set thread context of 2160	2772	order no. #7962011665 20200504 ,xlsx.exe	RegAsm.exe
PID 4152 set thread context of 4172	4152	order no. #7962011665 20200504 ,xlsx.exe	RegAsm.exe
PID 760 set thread context of 1920	760	order no. #7962011665 20200504 ,xlsx.exe	RegAsm.exe
PID 1316 set thread context of 4512	1316	order no. #7962011665 20200504 ,xlsx.exe	RegAsm.exe
PID 4532 set thread context of 4072	4532	order no. #7962011665 20200504 ,xlsx.exe	RegAsm.exe
PID 3164 set thread context of 3832	3164	order no. #7962011665 20200504 ,xlsx.exe	RegAsm.exe
PID 2252 set thread context of 2272	2252	order no. #7962011665 20200504 ,xlsx.exe	RegAsm.exe
PID 4488 set thread context of 5056	4488	order no. #7962011665 20200504 ,xlsx.exe	RegAsm.exe
PID 632 set thread context of 1356	632	order no. #7962011665 20200504 ,xlsx.exe	RegAsm.exe
PID 1068 set thread context of 492	1068	order no. #7962011665 20200504 ,xlsx.exe	RegAsm.exe
PID 3588 set thread context of 3716	3588	order no. #7962011665 20200504 ,xlsx.exe	RegAsm.exe
PID 1264 set thread context of 4464	1264	order no. #7962011665 20200504 ,xlsx.exe	RegAsm.exe
PID 5284 set thread context of 5404	5284	order no. #7962011665 20200504 ,xlsx.exe	RegAsm.exe
PID 5568 set thread context of 5684	5568	order no. #7962011665 20200504 ,xlsx.exe	RegAsm.exe
PID 5844 set thread context of 5968	5844	order no. #7962011665 20200504 ,xlsx.exe	RegAsm.exe
PID 6140 set thread context of 3096	6140	order no. #7962011665 20200504 ,xlsx.exe	RegAsm.exe
PID 3012 set thread context of 5208	3012	order no. #7962011665 20200504 ,xlsx.exe	RegAsm.exe
PID 6028 set thread context of 5544	6028	order no. #7962011665 20200504 ,xlsx.exe	RegAsm.exe
PID 5784 set thread context of 5204	5784	order no. #7962011665 20200504 ,xlsx.exe	RegAsm.exe
PID 5700 set thread context of 5548	5700	order no. #7962011665 20200504 ,xlsx.exe	RegAsm.exe
PID 5908 set thread context of 4452	5908	order no. #7962011665 20200504 ,xlsx.exe	RegAsm.exe
PID 5916 set thread context of 5808	5916	order no. #7962011665 20200504 ,xlsx.exe	RegAsm.exe
PID 4976 set thread context of 5692	4976	order no. #7962011665 20200504 ,xlsx.exe	RegAsm.exe
PID 6180 set thread context of 6288	6180	order no. #7962011665 20200504 ,xlsx.exe	RegAsm.exe
PID 6456 set thread context of 6544	6456	order no. #7962011665 20200504 ,xlsx.exe	RegAsm.exe
PID 6732 set thread context of 6836	6732	order no. #7962011665 20200504 ,xlsx.exe	RegAsm.exe
PID 7020 set thread context of 7104	7020	order no. #7962011665 20200504 ,xlsx.exe	RegAsm.exe
PID 5532 set thread context of 5848	5532	order no. #7962011665 20200504 ,xlsx.exe	RegAsm.exe
PID 6168 set thread context of 6908	6168	order no. #7962011665 20200504 ,xlsx.exe	RegAsm.exe
PID 5744 set thread context of 5996	5744	order no. #7962011665 20200504 ,xlsx.exe	RegAsm.exe
PID 6996 set thread context of 6448	6996	order no. #7962011665 20200504 ,xlsx.exe	RegAsm.exe
PID 2064 set thread context of 6668	2064	order no. #7962011665 20200504 ,xlsx.exe	RegAsm.exe
PID 6920 set thread context of 5952	6920	order no. #7962011665 20200504 ,xlsx.exe	RegAsm.exe
PID 6788 set thread context of 6636	6788	order no. #7962011665 20200504 ,xlsx.exe	RegAsm.exe
PID 4688 set thread context of 6196	4688	order no. #7962011665 20200504 ,xlsx.exe	RegAsm.exe
PID 7216 set thread context of 7320	7216	order no. #7962011665 20200504 ,xlsx.exe	RegAsm.exe
PID 7504 set thread context of 7604	7504	order no. #7962011665 20200504 ,xlsx.exe	RegAsm.exe
PID 7772 set thread context of 7884	7772	order no. #7962011665 20200504 ,xlsx.exe	RegAsm.exe
PID 8052 set thread context of 8184	8052	order no. #7962011665 20200504 ,xlsx.exe	RegAsm.exe
PID 7004 set thread context of 7500	7004	order no. #7962011665 20200504 ,xlsx.exe	RegAsm.exe
PID 6216 set thread context of 7440	6216	order no. #7962011665 20200504 ,xlsx.exe	RegAsm.exe
PID 7740 set thread context of 7520	7740	order no. #7962011665 20200504 ,xlsx.exe	RegAsm.exe
PID 7532 set thread context of 7632	7532	order no. #7962011665 20200504 ,xlsx.exe	RegAsm.exe
PID 7744 set thread context of 6992	7744	order no. #7962011665 20200504 ,xlsx.exe	RegAsm.exe
PID 4036 set thread context of 8076	4036	order no. #7962011665 20200504 ,xlsx.exe	RegAsm.exe
PID 7336 set thread context of 6248	7336	order no. #7962011665 20200504 ,xlsx.exe	RegAsm.exe
PID 8092 set thread context of 7540	8092	order no. #7962011665 20200504 ,xlsx.exe	RegAsm.exe
PID 8056 set thread context of 4012	8056	order no. #7962011665 20200504 ,xlsx.exe	RegAsm.exe
PID 8308 set thread context of 8452	8308	order no. #7962011665 20200504 ,xlsx.exe	RegAsm.exe
PID 8644 set thread context of 8764	8644	order no. #7962011665 20200504 ,xlsx.exe	RegAsm.exe
PID 8956 set thread context of 9048	8956	order no. #7962011665 20200504 ,xlsx.exe	RegAsm.exe
PID 7568 set thread context of 5988	7568	order no. #7962011665 20200504 ,xlsx.exe	RegAsm.exe
PID 7724 set thread context of 8760	7724	order no. #7962011665 20200504 ,xlsx.exe	RegAsm.exe
PID 8576 set thread context of 8328	8576	order no. #7962011665 20200504 ,xlsx.exe	RegAsm.exe
PID 8808 set thread context of 1436	8808	order no. #7962011665 20200504 ,xlsx.exe	RegAsm.exe
PID 7756 set thread context of 8512	7756	order no. #7962011665 20200504 ,xlsx.exe	RegAsm.exe

Suspicious behavior: EnumeratesProcesses 25002 IoCs

Processes:

order no. #7962011665 20200504 ,xlsx.exe

pid	process
4680	order no. #7962011665 20200504 ,xlsx.exe
4680	order no. #7962011665 20200504 ,xlsx.exe
4680	order no. #7962011665 20200504 ,xlsx.exe
4680	order no. #7962011665 20200504 ,xlsx.exe
4680	order no. #7962011665 20200504 ,xlsx.exe
4680	order no. #7962011665 20200504 ,xlsx.exe
4680	order no. #7962011665 20200504 ,xlsx.exe
4680	order no. #7962011665 20200504 ,xlsx.exe
4680	order no. #7962011665 20200504 ,xlsx.exe
4680	order no. #7962011665 20200504 ,xlsx.exe
4680	order no. #7962011665 20200504 ,xlsx.exe
4680	order no. #7962011665 20200504 ,xlsx.exe
4680	order no. #7962011665 20200504 ,xlsx.exe
4680	order no. #7962011665 20200504 ,xlsx.exe
4680	order no. #7962011665 20200504 ,xlsx.exe
4680	order no. #7962011665 20200504 ,xlsx.exe
4680	order no. #7962011665 20200504 ,xlsx.exe
4680	order no. #7962011665 20200504 ,xlsx.exe
4680	order no. #7962011665 20200504 ,xlsx.exe
4680	order no. #7962011665 20200504 ,xlsx.exe
4680	order no. #7962011665 20200504 ,xlsx.exe
4680	order no. #7962011665 20200504 ,xlsx.exe
4680	order no. #7962011665 20200504 ,xlsx.exe
4680	order no. #7962011665 20200504 ,xlsx.exe
4680	order no. #7962011665 20200504 ,xlsx.exe
4680	order no. #7962011665 20200504 ,xlsx.exe
4680	order no. #7962011665 20200504 ,xlsx.exe
4680	order no. #7962011665 20200504 ,xlsx.exe
4680	order no. #7962011665 20200504 ,xlsx.exe
4680	order no. #7962011665 20200504 ,xlsx.exe
4680	order no. #7962011665 20200504 ,xlsx.exe
4680	order no. #7962011665 20200504 ,xlsx.exe
4680	order no. #7962011665 20200504 ,xlsx.exe
4680	order no. #7962011665 20200504 ,xlsx.exe
4680	order no. #7962011665 20200504 ,xlsx.exe
4680	order no. #7962011665 20200504 ,xlsx.exe
4680	order no. #7962011665 20200504 ,xlsx.exe
4680	order no. #7962011665 20200504 ,xlsx.exe
4680	order no. #7962011665 20200504 ,xlsx.exe
4680	order no. #7962011665 20200504 ,xlsx.exe
4680	order no. #7962011665 20200504 ,xlsx.exe
4680	order no. #7962011665 20200504 ,xlsx.exe
4680	order no. #7962011665 20200504 ,xlsx.exe
4680	order no. #7962011665 20200504 ,xlsx.exe
4680	order no. #7962011665 20200504 ,xlsx.exe
4680	order no. #7962011665 20200504 ,xlsx.exe
4680	order no. #7962011665 20200504 ,xlsx.exe
4680	order no. #7962011665 20200504 ,xlsx.exe
4680	order no. #7962011665 20200504 ,xlsx.exe
4680	order no. #7962011665 20200504 ,xlsx.exe
4680	order no. #7962011665 20200504 ,xlsx.exe
4680	order no. #7962011665 20200504 ,xlsx.exe
4680	order no. #7962011665 20200504 ,xlsx.exe
4680	order no. #7962011665 20200504 ,xlsx.exe
4680	order no. #7962011665 20200504 ,xlsx.exe
4680	order no. #7962011665 20200504 ,xlsx.exe
4680	order no. #7962011665 20200504 ,xlsx.exe
4680	order no. #7962011665 20200504 ,xlsx.exe
4680	order no. #7962011665 20200504 ,xlsx.exe
4680	order no. #7962011665 20200504 ,xlsx.exe
4680	order no. #7962011665 20200504 ,xlsx.exe
4680	order no. #7962011665 20200504 ,xlsx.exe
4680	order no. #7962011665 20200504 ,xlsx.exe
4680	order no. #7962011665 20200504 ,xlsx.exe

Suspicious behavior: MapViewOfSection 85 IoCs

Processes:

pid	process
4680	order no. #7962011665 20200504 ,xlsx.exe
4680	order no. #7962011665 20200504 ,xlsx.exe
3168	order no. #7962011665 20200504 ,xlsx.exe
3168	order no. #7962011665 20200504 ,xlsx.exe
1548	order no. #7962011665 20200504 ,xlsx.exe
2792	order no. #7962011665 20200504 ,xlsx.exe
2792	order no. #7962011665 20200504 ,xlsx.exe
2792	order no. #7962011665 20200504 ,xlsx.exe
1612	order no. #7962011665 20200504 ,xlsx.exe
2772	order no. #7962011665 20200504 ,xlsx.exe
2772	order no. #7962011665 20200504 ,xlsx.exe
4152	order no. #7962011665 20200504 ,xlsx.exe
760	order no. #7962011665 20200504 ,xlsx.exe
760	order no. #7962011665 20200504 ,xlsx.exe
1316	order no. #7962011665 20200504 ,xlsx.exe
4532	order no. #7962011665 20200504 ,xlsx.exe
3164	order no. #7962011665 20200504 ,xlsx.exe
2252	order no. #7962011665 20200504 ,xlsx.exe
2252	order no. #7962011665 20200504 ,xlsx.exe
4488	order no. #7962011665 20200504 ,xlsx.exe
632	order no. #7962011665 20200504 ,xlsx.exe
632	order no. #7962011665 20200504 ,xlsx.exe
632	order no. #7962011665 20200504 ,xlsx.exe
1068	order no. #7962011665 20200504 ,xlsx.exe
3588	order no. #7962011665 20200504 ,xlsx.exe
1264	order no. #7962011665 20200504 ,xlsx.exe
5284	order no. #7962011665 20200504 ,xlsx.exe
5568	order no. #7962011665 20200504 ,xlsx.exe
5844	order no. #7962011665 20200504 ,xlsx.exe
5844	order no. #7962011665 20200504 ,xlsx.exe
5844	order no. #7962011665 20200504 ,xlsx.exe
6140	order no. #7962011665 20200504 ,xlsx.exe
3012	order no. #7962011665 20200504 ,xlsx.exe
6028	order no. #7962011665 20200504 ,xlsx.exe
5784	order no. #7962011665 20200504 ,xlsx.exe
5700	order no. #7962011665 20200504 ,xlsx.exe
5908	order no. #7962011665 20200504 ,xlsx.exe
5916	order no. #7962011665 20200504 ,xlsx.exe
4976	order no. #7962011665 20200504 ,xlsx.exe
4976	order no. #7962011665 20200504 ,xlsx.exe
6180	order no. #7962011665 20200504 ,xlsx.exe
6456	order no. #7962011665 20200504 ,xlsx.exe
6456	order no. #7962011665 20200504 ,xlsx.exe
6732	order no. #7962011665 20200504 ,xlsx.exe
6732	order no. #7962011665 20200504 ,xlsx.exe
7020	order no. #7962011665 20200504 ,xlsx.exe
7020	order no. #7962011665 20200504 ,xlsx.exe
5532	order no. #7962011665 20200504 ,xlsx.exe
6168	order no. #7962011665 20200504 ,xlsx.exe
5744	order no. #7962011665 20200504 ,xlsx.exe
6996	order no. #7962011665 20200504 ,xlsx.exe
2064	order no. #7962011665 20200504 ,xlsx.exe
6920	order no. #7962011665 20200504 ,xlsx.exe
6788	order no. #7962011665 20200504 ,xlsx.exe
6788	order no. #7962011665 20200504 ,xlsx.exe
4688	order no. #7962011665 20200504 ,xlsx.exe
7216	order no. #7962011665 20200504 ,xlsx.exe
7504	order no. #7962011665 20200504 ,xlsx.exe
7772	order no. #7962011665 20200504 ,xlsx.exe
8052	order no. #7962011665 20200504 ,xlsx.exe
8052	order no. #7962011665 20200504 ,xlsx.exe
8052	order no. #7962011665 20200504 ,xlsx.exe
7004	order no. #7962011665 20200504 ,xlsx.exe
6216	order no. #7962011665 20200504 ,xlsx.exe

Suspicious behavior: SetClipboardViewer 54 IoCs

Processes:

RegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exe

pid	process
796	RegAsm.exe
1884	RegAsm.exe
4052	RegAsm.exe
4648	RegAsm.exe
2160	RegAsm.exe
4172	RegAsm.exe
1920	RegAsm.exe
4512	RegAsm.exe
4072	RegAsm.exe
3832	RegAsm.exe
2272	RegAsm.exe
5056	RegAsm.exe
1356	RegAsm.exe
492	RegAsm.exe
3716	RegAsm.exe
4464	RegAsm.exe
5404	RegAsm.exe
5684	RegAsm.exe
5968	RegAsm.exe
3096	RegAsm.exe
5208	RegAsm.exe
5544	RegAsm.exe
5204	RegAsm.exe
5548	RegAsm.exe
4452	RegAsm.exe
5808	RegAsm.exe
5692	RegAsm.exe
6288	RegAsm.exe
6544	RegAsm.exe
6836	RegAsm.exe
7104	RegAsm.exe
5848	RegAsm.exe
6908	RegAsm.exe
5996	RegAsm.exe
6448	RegAsm.exe
6668	RegAsm.exe
5952	RegAsm.exe
6636	RegAsm.exe
6196	RegAsm.exe
7320	RegAsm.exe
7604	RegAsm.exe
7884	RegAsm.exe
8184	RegAsm.exe
7500	RegAsm.exe
7440	RegAsm.exe
7520	RegAsm.exe
7632	RegAsm.exe
6992	RegAsm.exe
8076	RegAsm.exe
6248	RegAsm.exe
7540	RegAsm.exe
4012	RegAsm.exe
8452	RegAsm.exe
8764	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 117 IoCs

Processes:

description	pid	process
Token: SeDebugPrivilege	4680	order no. #7962011665 20200504 ,xlsx.exe
Token: SeDebugPrivilege	3168	order no. #7962011665 20200504 ,xlsx.exe
Token: SeDebugPrivilege	1548	order no. #7962011665 20200504 ,xlsx.exe
Token: SeDebugPrivilege	2792	order no. #7962011665 20200504 ,xlsx.exe
Token: SeDebugPrivilege	1612	order no. #7962011665 20200504 ,xlsx.exe
Token: SeDebugPrivilege	2772	order no. #7962011665 20200504 ,xlsx.exe
Token: SeDebugPrivilege	4152	order no. #7962011665 20200504 ,xlsx.exe
Token: SeDebugPrivilege	2268	RegAsm.exe
Token: SeDebugPrivilege	796	RegAsm.exe
Token: SeDebugPrivilege	760	order no. #7962011665 20200504 ,xlsx.exe
Token: SeDebugPrivilege	1884	RegAsm.exe
Token: SeDebugPrivilege	1316	order no. #7962011665 20200504 ,xlsx.exe
Token: SeDebugPrivilege	4052	RegAsm.exe
Token: SeDebugPrivilege	4532	order no. #7962011665 20200504 ,xlsx.exe
Token: SeDebugPrivilege	4648	RegAsm.exe
Token: SeDebugPrivilege	3164	order no. #7962011665 20200504 ,xlsx.exe
Token: SeDebugPrivilege	2160	RegAsm.exe
Token: SeDebugPrivilege	2252	order no. #7962011665 20200504 ,xlsx.exe
Token: SeDebugPrivilege	4172	RegAsm.exe
Token: SeDebugPrivilege	4488	order no. #7962011665 20200504 ,xlsx.exe
Token: SeDebugPrivilege	1920	RegAsm.exe
Token: SeDebugPrivilege	632	order no. #7962011665 20200504 ,xlsx.exe
Token: SeDebugPrivilege	4512	RegAsm.exe
Token: SeDebugPrivilege	1068	order no. #7962011665 20200504 ,xlsx.exe
Token: SeDebugPrivilege	4072	RegAsm.exe
Token: SeDebugPrivilege	3588	order no. #7962011665 20200504 ,xlsx.exe
Token: SeDebugPrivilege	3832	RegAsm.exe
Token: SeDebugPrivilege	1264	order no. #7962011665 20200504 ,xlsx.exe
Token: SeDebugPrivilege	2272	RegAsm.exe
Token: SeDebugPrivilege	5284	order no. #7962011665 20200504 ,xlsx.exe
Token: SeDebugPrivilege	5056	RegAsm.exe
Token: SeDebugPrivilege	5568	order no. #7962011665 20200504 ,xlsx.exe
Token: SeDebugPrivilege	1356	RegAsm.exe
Token: SeDebugPrivilege	5844	order no. #7962011665 20200504 ,xlsx.exe
Token: SeDebugPrivilege	492	RegAsm.exe
Token: SeDebugPrivilege	6140	order no. #7962011665 20200504 ,xlsx.exe
Token: SeDebugPrivilege	3716	RegAsm.exe
Token: SeDebugPrivilege	3012	order no. #7962011665 20200504 ,xlsx.exe
Token: SeDebugPrivilege	4464	RegAsm.exe
Token: SeDebugPrivilege	6028	order no. #7962011665 20200504 ,xlsx.exe
Token: SeDebugPrivilege	5404	RegAsm.exe
Token: SeDebugPrivilege	5684	RegAsm.exe
Token: SeDebugPrivilege	5784	order no. #7962011665 20200504 ,xlsx.exe
Token: SeDebugPrivilege	5700	order no. #7962011665 20200504 ,xlsx.exe
Token: SeDebugPrivilege	5968	RegAsm.exe
Token: SeDebugPrivilege	3096	RegAsm.exe
Token: SeDebugPrivilege	5908	order no. #7962011665 20200504 ,xlsx.exe
Token: SeDebugPrivilege	5208	RegAsm.exe
Token: SeDebugPrivilege	5916	order no. #7962011665 20200504 ,xlsx.exe
Token: SeDebugPrivilege	5544	RegAsm.exe
Token: SeDebugPrivilege	4976	order no. #7962011665 20200504 ,xlsx.exe
Token: SeDebugPrivilege	6180	order no. #7962011665 20200504 ,xlsx.exe
Token: SeDebugPrivilege	5204	RegAsm.exe
Token: SeDebugPrivilege	6456	order no. #7962011665 20200504 ,xlsx.exe
Token: SeDebugPrivilege	5548	RegAsm.exe
Token: SeDebugPrivilege	6732	order no. #7962011665 20200504 ,xlsx.exe
Token: SeDebugPrivilege	4452	RegAsm.exe
Token: SeDebugPrivilege	7020	order no. #7962011665 20200504 ,xlsx.exe
Token: SeDebugPrivilege	5808	RegAsm.exe
Token: SeDebugPrivilege	5532	order no. #7962011665 20200504 ,xlsx.exe
Token: SeDebugPrivilege	5692	RegAsm.exe
Token: SeDebugPrivilege	6168	order no. #7962011665 20200504 ,xlsx.exe
Token: SeDebugPrivilege	6288	RegAsm.exe
Token: SeDebugPrivilege	5744	order no. #7962011665 20200504 ,xlsx.exe

Suspicious use of WriteProcessMemory 859 IoCs

Processes:

order no. #7962011665 20200504 ,xlsx.execmd.exeorder no. #7962011665 20200504 ,xlsx.execmd.exeorder no. #7962011665 20200504 ,xlsx.execmd.exeorder no. #7962011665 20200504 ,xlsx.execmd.exe

description	pid	process	target process
PID 4680 wrote to memory of 756	4680	order no. #7962011665 20200504 ,xlsx.exe	RegAsm.exe
PID 4680 wrote to memory of 756	4680	order no. #7962011665 20200504 ,xlsx.exe	RegAsm.exe
PID 4680 wrote to memory of 756	4680	order no. #7962011665 20200504 ,xlsx.exe	RegAsm.exe
PID 4680 wrote to memory of 2268	4680	order no. #7962011665 20200504 ,xlsx.exe	RegAsm.exe
PID 4680 wrote to memory of 2268	4680	order no. #7962011665 20200504 ,xlsx.exe	RegAsm.exe
PID 4680 wrote to memory of 2268	4680	order no. #7962011665 20200504 ,xlsx.exe	RegAsm.exe
PID 4680 wrote to memory of 2268	4680	order no. #7962011665 20200504 ,xlsx.exe	RegAsm.exe
PID 4680 wrote to memory of 3848	4680	order no. #7962011665 20200504 ,xlsx.exe	cmd.exe
PID 4680 wrote to memory of 3848	4680	order no. #7962011665 20200504 ,xlsx.exe	cmd.exe
PID 4680 wrote to memory of 3848	4680	order no. #7962011665 20200504 ,xlsx.exe	cmd.exe
PID 3848 wrote to memory of 4240	3848	cmd.exe	choice.exe
PID 3848 wrote to memory of 4240	3848	cmd.exe	choice.exe
PID 3848 wrote to memory of 4240	3848	cmd.exe	choice.exe
PID 4680 wrote to memory of 3168	4680	order no. #7962011665 20200504 ,xlsx.exe	order no. #7962011665 20200504 ,xlsx.exe
PID 4680 wrote to memory of 3168	4680	order no. #7962011665 20200504 ,xlsx.exe	order no. #7962011665 20200504 ,xlsx.exe
PID 4680 wrote to memory of 3168	4680	order no. #7962011665 20200504 ,xlsx.exe	order no. #7962011665 20200504 ,xlsx.exe
PID 3168 wrote to memory of 752	3168	order no. #7962011665 20200504 ,xlsx.exe	RegAsm.exe
PID 3168 wrote to memory of 752	3168	order no. #7962011665 20200504 ,xlsx.exe	RegAsm.exe
PID 3168 wrote to memory of 752	3168	order no. #7962011665 20200504 ,xlsx.exe	RegAsm.exe
PID 3168 wrote to memory of 796	3168	order no. #7962011665 20200504 ,xlsx.exe	RegAsm.exe
PID 3168 wrote to memory of 796	3168	order no. #7962011665 20200504 ,xlsx.exe	RegAsm.exe
PID 3168 wrote to memory of 796	3168	order no. #7962011665 20200504 ,xlsx.exe	RegAsm.exe
PID 3168 wrote to memory of 796	3168	order no. #7962011665 20200504 ,xlsx.exe	RegAsm.exe
PID 3168 wrote to memory of 1108	3168	order no. #7962011665 20200504 ,xlsx.exe	cmd.exe
PID 3168 wrote to memory of 1108	3168	order no. #7962011665 20200504 ,xlsx.exe	cmd.exe
PID 3168 wrote to memory of 1108	3168	order no. #7962011665 20200504 ,xlsx.exe	cmd.exe
PID 3168 wrote to memory of 1548	3168	order no. #7962011665 20200504 ,xlsx.exe	order no. #7962011665 20200504 ,xlsx.exe
PID 3168 wrote to memory of 1548	3168	order no. #7962011665 20200504 ,xlsx.exe	order no. #7962011665 20200504 ,xlsx.exe
PID 3168 wrote to memory of 1548	3168	order no. #7962011665 20200504 ,xlsx.exe	order no. #7962011665 20200504 ,xlsx.exe
PID 1108 wrote to memory of 1560	1108	cmd.exe	choice.exe
PID 1108 wrote to memory of 1560	1108	cmd.exe	choice.exe
PID 1108 wrote to memory of 1560	1108	cmd.exe	choice.exe
PID 1548 wrote to memory of 1884	1548	order no. #7962011665 20200504 ,xlsx.exe	RegAsm.exe
PID 1548 wrote to memory of 1884	1548	order no. #7962011665 20200504 ,xlsx.exe	RegAsm.exe
PID 1548 wrote to memory of 1884	1548	order no. #7962011665 20200504 ,xlsx.exe	RegAsm.exe
PID 1548 wrote to memory of 1884	1548	order no. #7962011665 20200504 ,xlsx.exe	RegAsm.exe
PID 1548 wrote to memory of 2228	1548	order no. #7962011665 20200504 ,xlsx.exe	cmd.exe
PID 1548 wrote to memory of 2228	1548	order no. #7962011665 20200504 ,xlsx.exe	cmd.exe
PID 1548 wrote to memory of 2228	1548	order no. #7962011665 20200504 ,xlsx.exe	cmd.exe
PID 1548 wrote to memory of 2792	1548	order no. #7962011665 20200504 ,xlsx.exe	order no. #7962011665 20200504 ,xlsx.exe
PID 1548 wrote to memory of 2792	1548	order no. #7962011665 20200504 ,xlsx.exe	order no. #7962011665 20200504 ,xlsx.exe
PID 1548 wrote to memory of 2792	1548	order no. #7962011665 20200504 ,xlsx.exe	order no. #7962011665 20200504 ,xlsx.exe
PID 2228 wrote to memory of 2832	2228	cmd.exe	choice.exe
PID 2228 wrote to memory of 2832	2228	cmd.exe	choice.exe
PID 2228 wrote to memory of 2832	2228	cmd.exe	choice.exe
PID 2792 wrote to memory of 3916	2792	order no. #7962011665 20200504 ,xlsx.exe	RegAsm.exe
PID 2792 wrote to memory of 3916	2792	order no. #7962011665 20200504 ,xlsx.exe	RegAsm.exe
PID 2792 wrote to memory of 3916	2792	order no. #7962011665 20200504 ,xlsx.exe	RegAsm.exe
PID 2792 wrote to memory of 4032	2792	order no. #7962011665 20200504 ,xlsx.exe	RegAsm.exe
PID 2792 wrote to memory of 4032	2792	order no. #7962011665 20200504 ,xlsx.exe	RegAsm.exe
PID 2792 wrote to memory of 4032	2792	order no. #7962011665 20200504 ,xlsx.exe	RegAsm.exe
PID 2792 wrote to memory of 4052	2792	order no. #7962011665 20200504 ,xlsx.exe	RegAsm.exe
PID 2792 wrote to memory of 4052	2792	order no. #7962011665 20200504 ,xlsx.exe	RegAsm.exe
PID 2792 wrote to memory of 4052	2792	order no. #7962011665 20200504 ,xlsx.exe	RegAsm.exe
PID 2792 wrote to memory of 4052	2792	order no. #7962011665 20200504 ,xlsx.exe	RegAsm.exe
PID 2792 wrote to memory of 3956	2792	order no. #7962011665 20200504 ,xlsx.exe	cmd.exe
PID 2792 wrote to memory of 3956	2792	order no. #7962011665 20200504 ,xlsx.exe	cmd.exe
PID 2792 wrote to memory of 3956	2792	order no. #7962011665 20200504 ,xlsx.exe	cmd.exe
PID 3956 wrote to memory of 4416	3956	cmd.exe	choice.exe
PID 3956 wrote to memory of 4416	3956	cmd.exe	choice.exe
PID 3956 wrote to memory of 4416	3956	cmd.exe	choice.exe
PID 2792 wrote to memory of 1612	2792	order no. #7962011665 20200504 ,xlsx.exe	order no. #7962011665 20200504 ,xlsx.exe
PID 2792 wrote to memory of 1612	2792	order no. #7962011665 20200504 ,xlsx.exe	order no. #7962011665 20200504 ,xlsx.exe
PID 2792 wrote to memory of 1612	2792	order no. #7962011665 20200504 ,xlsx.exe	order no. #7962011665 20200504 ,xlsx.exe

C:\Users\Admin\AppData\Local\Temp\order no. #7962011665 20200504 ,xlsx.exe
"C:\Users\Admin\AppData\Local\Temp\order no. #7962011665 20200504 ,xlsx.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4680

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
PID:756

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2268

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\order no. #7962011665 20200504 ,xlsx.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:3848

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
3⤵
PID:4240

C:\Users\Admin\AppData\Local\Temp\order no. #7962011665 20200504 ,xlsx.exe
"C:\Users\Admin\AppData\Local\Temp\order no. #7962011665 20200504 ,xlsx.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3168

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:752

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
PID:796

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\order no. #7962011665 20200504 ,xlsx.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:1108

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:1560

C:\Users\Admin\AppData\Local\Temp\order no. #7962011665 20200504 ,xlsx.exe
"C:\Users\Admin\AppData\Local\Temp\order no. #7962011665 20200504 ,xlsx.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1548

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
PID:1884

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\order no. #7962011665 20200504 ,xlsx.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:2228

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
5⤵
PID:2832

C:\Users\Admin\AppData\Local\Temp\order no. #7962011665 20200504 ,xlsx.exe
"C:\Users\Admin\AppData\Local\Temp\order no. #7962011665 20200504 ,xlsx.exe"
4⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2792

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
5⤵
PID:3916

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
5⤵
PID:4032

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
5⤵
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
PID:4052

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\order no. #7962011665 20200504 ,xlsx.exe"
5⤵
- Suspicious use of WriteProcessMemory
PID:3956

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
6⤵
PID:4416

C:\Users\Admin\AppData\Local\Temp\order no. #7962011665 20200504 ,xlsx.exe
"C:\Users\Admin\AppData\Local\Temp\order no. #7962011665 20200504 ,xlsx.exe"
5⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1612

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
6⤵
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
PID:4648

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\order no. #7962011665 20200504 ,xlsx.exe"
6⤵
PID:188

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
7⤵
PID:4676

C:\Users\Admin\AppData\Local\Temp\order no. #7962011665 20200504 ,xlsx.exe
"C:\Users\Admin\AppData\Local\Temp\order no. #7962011665 20200504 ,xlsx.exe"
6⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2772

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
7⤵
PID:4572

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
7⤵
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
PID:2160

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\order no. #7962011665 20200504 ,xlsx.exe"
7⤵
PID:2320

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
8⤵
PID:3600

C:\Users\Admin\AppData\Local\Temp\order no. #7962011665 20200504 ,xlsx.exe
"C:\Users\Admin\AppData\Local\Temp\order no. #7962011665 20200504 ,xlsx.exe"
7⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4152

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
8⤵
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
PID:4172

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\order no. #7962011665 20200504 ,xlsx.exe"
8⤵
PID:3328

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
9⤵
PID:412

C:\Users\Admin\AppData\Local\Temp\order no. #7962011665 20200504 ,xlsx.exe
"C:\Users\Admin\AppData\Local\Temp\order no. #7962011665 20200504 ,xlsx.exe"
8⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:760

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
9⤵
PID:3424

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
9⤵
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
PID:1920

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\order no. #7962011665 20200504 ,xlsx.exe"
9⤵
PID:3756

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
10⤵
PID:1156

C:\Users\Admin\AppData\Local\Temp\order no. #7962011665 20200504 ,xlsx.exe
"C:\Users\Admin\AppData\Local\Temp\order no. #7962011665 20200504 ,xlsx.exe"
9⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1316

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
10⤵
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
PID:4512

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\order no. #7962011665 20200504 ,xlsx.exe"
10⤵
PID:1596

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
11⤵
PID:2220

C:\Users\Admin\AppData\Local\Temp\order no. #7962011665 20200504 ,xlsx.exe
"C:\Users\Admin\AppData\Local\Temp\order no. #7962011665 20200504 ,xlsx.exe"
10⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4532

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
11⤵
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
PID:4072

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\order no. #7962011665 20200504 ,xlsx.exe"
11⤵
PID:3340

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
12⤵
PID:2524

C:\Users\Admin\AppData\Local\Temp\order no. #7962011665 20200504 ,xlsx.exe
"C:\Users\Admin\AppData\Local\Temp\order no. #7962011665 20200504 ,xlsx.exe"
11⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3164

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
12⤵
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
PID:3832

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\order no. #7962011665 20200504 ,xlsx.exe"
12⤵
PID:1696

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
13⤵
PID:3136

C:\Users\Admin\AppData\Local\Temp\order no. #7962011665 20200504 ,xlsx.exe
"C:\Users\Admin\AppData\Local\Temp\order no. #7962011665 20200504 ,xlsx.exe"
12⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2252

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
13⤵
PID:4592

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
13⤵
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
PID:2272

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\order no. #7962011665 20200504 ,xlsx.exe"
13⤵
PID:4388

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
14⤵
PID:3144

C:\Users\Admin\AppData\Local\Temp\order no. #7962011665 20200504 ,xlsx.exe
"C:\Users\Admin\AppData\Local\Temp\order no. #7962011665 20200504 ,xlsx.exe"
13⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4488

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
14⤵
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
PID:5056

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\order no. #7962011665 20200504 ,xlsx.exe"
14⤵
PID:2952

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
15⤵
PID:3568

C:\Users\Admin\AppData\Local\Temp\order no. #7962011665 20200504 ,xlsx.exe
"C:\Users\Admin\AppData\Local\Temp\order no. #7962011665 20200504 ,xlsx.exe"
14⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:632

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
15⤵
PID:4428

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
15⤵
PID:4608

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
15⤵
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
PID:1356

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\order no. #7962011665 20200504 ,xlsx.exe"
15⤵
PID:1832

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
16⤵
PID:1320

C:\Users\Admin\AppData\Local\Temp\order no. #7962011665 20200504 ,xlsx.exe
"C:\Users\Admin\AppData\Local\Temp\order no. #7962011665 20200504 ,xlsx.exe"
15⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1068

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
16⤵
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
PID:492

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\order no. #7962011665 20200504 ,xlsx.exe"
16⤵
PID:4092

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
17⤵
PID:2244

C:\Users\Admin\AppData\Local\Temp\order no. #7962011665 20200504 ,xlsx.exe
"C:\Users\Admin\AppData\Local\Temp\order no. #7962011665 20200504 ,xlsx.exe"
16⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3588

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
17⤵
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
PID:3716

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\order no. #7962011665 20200504 ,xlsx.exe"
17⤵
PID:1772

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
18⤵
PID:3912

C:\Users\Admin\AppData\Local\Temp\order no. #7962011665 20200504 ,xlsx.exe
"C:\Users\Admin\AppData\Local\Temp\order no. #7962011665 20200504 ,xlsx.exe"
17⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1264

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
18⤵
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
PID:4464

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\order no. #7962011665 20200504 ,xlsx.exe"
18⤵
PID:5188

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
19⤵
PID:5252

C:\Users\Admin\AppData\Local\Temp\order no. #7962011665 20200504 ,xlsx.exe
"C:\Users\Admin\AppData\Local\Temp\order no. #7962011665 20200504 ,xlsx.exe"
18⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:5284

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
19⤵
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
PID:5404

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\order no. #7962011665 20200504 ,xlsx.exe"
19⤵
PID:5496

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
20⤵
PID:5624

C:\Users\Admin\AppData\Local\Temp\order no. #7962011665 20200504 ,xlsx.exe
"C:\Users\Admin\AppData\Local\Temp\order no. #7962011665 20200504 ,xlsx.exe"
19⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:5568

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
20⤵
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
PID:5684

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\order no. #7962011665 20200504 ,xlsx.exe"
20⤵
PID:5780

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
21⤵
PID:5856

C:\Users\Admin\AppData\Local\Temp\order no. #7962011665 20200504 ,xlsx.exe
"C:\Users\Admin\AppData\Local\Temp\order no. #7962011665 20200504 ,xlsx.exe"
20⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:5844

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
21⤵
PID:5944

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
21⤵
PID:5956

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
21⤵
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
PID:5968

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\order no. #7962011665 20200504 ,xlsx.exe"
21⤵
PID:6060

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
22⤵
PID:4588

C:\Users\Admin\AppData\Local\Temp\order no. #7962011665 20200504 ,xlsx.exe
"C:\Users\Admin\AppData\Local\Temp\order no. #7962011665 20200504 ,xlsx.exe"
21⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:6140

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
22⤵
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
PID:3096

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\order no. #7962011665 20200504 ,xlsx.exe"
22⤵
PID:5116

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
23⤵
PID:5516

C:\Users\Admin\AppData\Local\Temp\order no. #7962011665 20200504 ,xlsx.exe
"C:\Users\Admin\AppData\Local\Temp\order no. #7962011665 20200504 ,xlsx.exe"
22⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3012

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
23⤵
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
PID:5208

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\order no. #7962011665 20200504 ,xlsx.exe"
23⤵
PID:5144

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
24⤵
PID:4180

C:\Users\Admin\AppData\Local\Temp\order no. #7962011665 20200504 ,xlsx.exe
"C:\Users\Admin\AppData\Local\Temp\order no. #7962011665 20200504 ,xlsx.exe"
23⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:6028

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
24⤵
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
PID:5544

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\order no. #7962011665 20200504 ,xlsx.exe"
24⤵
PID:1272

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
25⤵
PID:5756

C:\Users\Admin\AppData\Local\Temp\order no. #7962011665 20200504 ,xlsx.exe
"C:\Users\Admin\AppData\Local\Temp\order no. #7962011665 20200504 ,xlsx.exe"
24⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:5784

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
25⤵
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
PID:5204

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\order no. #7962011665 20200504 ,xlsx.exe"
25⤵
PID:5864

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
26⤵
PID:4808

C:\Users\Admin\AppData\Local\Temp\order no. #7962011665 20200504 ,xlsx.exe
"C:\Users\Admin\AppData\Local\Temp\order no. #7962011665 20200504 ,xlsx.exe"
25⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:5700

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
26⤵
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
PID:5548

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\order no. #7962011665 20200504 ,xlsx.exe"
26⤵
PID:4904

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
27⤵
PID:5892

C:\Users\Admin\AppData\Local\Temp\order no. #7962011665 20200504 ,xlsx.exe
"C:\Users\Admin\AppData\Local\Temp\order no. #7962011665 20200504 ,xlsx.exe"
26⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:5908

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
27⤵
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
PID:4452

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\order no. #7962011665 20200504 ,xlsx.exe"
27⤵
PID:5484

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
28⤵
PID:5308

C:\Users\Admin\AppData\Local\Temp\order no. #7962011665 20200504 ,xlsx.exe
"C:\Users\Admin\AppData\Local\Temp\order no. #7962011665 20200504 ,xlsx.exe"
27⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:5916

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
28⤵
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
PID:5808

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\order no. #7962011665 20200504 ,xlsx.exe"
28⤵
PID:4044

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
29⤵
PID:416

C:\Users\Admin\AppData\Local\Temp\order no. #7962011665 20200504 ,xlsx.exe
"C:\Users\Admin\AppData\Local\Temp\order no. #7962011665 20200504 ,xlsx.exe"
28⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4976

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
29⤵
PID:5704

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
29⤵
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
PID:5692

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\order no. #7962011665 20200504 ,xlsx.exe"
29⤵
PID:4108

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
30⤵
PID:6192

C:\Users\Admin\AppData\Local\Temp\order no. #7962011665 20200504 ,xlsx.exe
"C:\Users\Admin\AppData\Local\Temp\order no. #7962011665 20200504 ,xlsx.exe"
29⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:6180

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
30⤵
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
PID:6288

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\order no. #7962011665 20200504 ,xlsx.exe"
30⤵
PID:6368

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
31⤵
PID:6444

C:\Users\Admin\AppData\Local\Temp\order no. #7962011665 20200504 ,xlsx.exe
"C:\Users\Admin\AppData\Local\Temp\order no. #7962011665 20200504 ,xlsx.exe"
30⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:6456

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
31⤵
PID:6532

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
31⤵
- Suspicious behavior: SetClipboardViewer
PID:6544

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\order no. #7962011665 20200504 ,xlsx.exe"
31⤵
PID:6628

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
32⤵
PID:6780

C:\Users\Admin\AppData\Local\Temp\order no. #7962011665 20200504 ,xlsx.exe
"C:\Users\Admin\AppData\Local\Temp\order no. #7962011665 20200504 ,xlsx.exe"
31⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:6732

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
32⤵
PID:6812

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
32⤵
- Suspicious behavior: SetClipboardViewer
PID:6836

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\order no. #7962011665 20200504 ,xlsx.exe"
32⤵
PID:6948

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
33⤵
PID:7036

C:\Users\Admin\AppData\Local\Temp\order no. #7962011665 20200504 ,xlsx.exe
"C:\Users\Admin\AppData\Local\Temp\order no. #7962011665 20200504 ,xlsx.exe"
32⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:7020

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
33⤵
PID:7088

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
33⤵
- Suspicious behavior: SetClipboardViewer
PID:7104

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\order no. #7962011665 20200504 ,xlsx.exe"
33⤵
PID:5632

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
34⤵
PID:5460

C:\Users\Admin\AppData\Local\Temp\order no. #7962011665 20200504 ,xlsx.exe
"C:\Users\Admin\AppData\Local\Temp\order no. #7962011665 20200504 ,xlsx.exe"
33⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:5532

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
34⤵
- Suspicious behavior: SetClipboardViewer
PID:5848

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\order no. #7962011665 20200504 ,xlsx.exe"
34⤵
PID:6244

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
35⤵
PID:6720

C:\Users\Admin\AppData\Local\Temp\order no. #7962011665 20200504 ,xlsx.exe
"C:\Users\Admin\AppData\Local\Temp\order no. #7962011665 20200504 ,xlsx.exe"
34⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:6168

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
35⤵
- Suspicious behavior: SetClipboardViewer
PID:6908

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\order no. #7962011665 20200504 ,xlsx.exe"
35⤵
PID:6344

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
36⤵
PID:4008

C:\Users\Admin\AppData\Local\Temp\order no. #7962011665 20200504 ,xlsx.exe
"C:\Users\Admin\AppData\Local\Temp\order no. #7962011665 20200504 ,xlsx.exe"
35⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:5744

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
36⤵
- Suspicious behavior: SetClipboardViewer
PID:5996

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\order no. #7962011665 20200504 ,xlsx.exe"
36⤵
PID:7080

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
37⤵
PID:6904

C:\Users\Admin\AppData\Local\Temp\order no. #7962011665 20200504 ,xlsx.exe
"C:\Users\Admin\AppData\Local\Temp\order no. #7962011665 20200504 ,xlsx.exe"
36⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:6996

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
37⤵
- Suspicious behavior: SetClipboardViewer
PID:6448

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\order no. #7962011665 20200504 ,xlsx.exe"
37⤵
PID:7024

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
38⤵
PID:6492

C:\Users\Admin\AppData\Local\Temp\order no. #7962011665 20200504 ,xlsx.exe
"C:\Users\Admin\AppData\Local\Temp\order no. #7962011665 20200504 ,xlsx.exe"
37⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:2064

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
38⤵
- Suspicious behavior: SetClipboardViewer
PID:6668

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\order no. #7962011665 20200504 ,xlsx.exe"
38⤵
PID:6924

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
39⤵
PID:6184

C:\Users\Admin\AppData\Local\Temp\order no. #7962011665 20200504 ,xlsx.exe
"C:\Users\Admin\AppData\Local\Temp\order no. #7962011665 20200504 ,xlsx.exe"
38⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:6920

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
39⤵
- Suspicious behavior: SetClipboardViewer
PID:5952

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\order no. #7962011665 20200504 ,xlsx.exe"
39⤵
PID:4484

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
40⤵
PID:7096

C:\Users\Admin\AppData\Local\Temp\order no. #7962011665 20200504 ,xlsx.exe
"C:\Users\Admin\AppData\Local\Temp\order no. #7962011665 20200504 ,xlsx.exe"
39⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:6788

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
40⤵
PID:7152

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
40⤵
- Suspicious behavior: SetClipboardViewer
PID:6636

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\order no. #7962011665 20200504 ,xlsx.exe"
40⤵
PID:6396

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
41⤵
PID:6460

C:\Users\Admin\AppData\Local\Temp\order no. #7962011665 20200504 ,xlsx.exe
"C:\Users\Admin\AppData\Local\Temp\order no. #7962011665 20200504 ,xlsx.exe"
40⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:4688

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
41⤵
- Suspicious behavior: SetClipboardViewer
PID:6196

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\order no. #7962011665 20200504 ,xlsx.exe"
41⤵
PID:6176

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
42⤵
PID:7188

C:\Users\Admin\AppData\Local\Temp\order no. #7962011665 20200504 ,xlsx.exe
"C:\Users\Admin\AppData\Local\Temp\order no. #7962011665 20200504 ,xlsx.exe"
41⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:7216

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
42⤵
- Suspicious behavior: SetClipboardViewer
PID:7320

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\order no. #7962011665 20200504 ,xlsx.exe"
42⤵
PID:7416

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
43⤵
PID:7476

C:\Users\Admin\AppData\Local\Temp\order no. #7962011665 20200504 ,xlsx.exe
"C:\Users\Admin\AppData\Local\Temp\order no. #7962011665 20200504 ,xlsx.exe"
42⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:7504

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
43⤵
- Suspicious behavior: SetClipboardViewer
PID:7604

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\order no. #7962011665 20200504 ,xlsx.exe"
43⤵
PID:7688

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
44⤵
PID:7752

C:\Users\Admin\AppData\Local\Temp\order no. #7962011665 20200504 ,xlsx.exe
"C:\Users\Admin\AppData\Local\Temp\order no. #7962011665 20200504 ,xlsx.exe"
43⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:7772

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
44⤵
- Suspicious behavior: SetClipboardViewer
PID:7884

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\order no. #7962011665 20200504 ,xlsx.exe"
44⤵
PID:7972

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
45⤵
PID:8032

C:\Users\Admin\AppData\Local\Temp\order no. #7962011665 20200504 ,xlsx.exe
"C:\Users\Admin\AppData\Local\Temp\order no. #7962011665 20200504 ,xlsx.exe"
44⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:8052

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
45⤵
PID:8156

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
45⤵
PID:8172

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
45⤵
- Suspicious behavior: SetClipboardViewer
PID:8184

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\order no. #7962011665 20200504 ,xlsx.exe"
45⤵
PID:7212

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
46⤵
PID:900

C:\Users\Admin\AppData\Local\Temp\order no. #7962011665 20200504 ,xlsx.exe
"C:\Users\Admin\AppData\Local\Temp\order no. #7962011665 20200504 ,xlsx.exe"
45⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:7004

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
46⤵
- Suspicious behavior: SetClipboardViewer
PID:7500

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\order no. #7962011665 20200504 ,xlsx.exe"
46⤵
PID:3232

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
47⤵
PID:6504

C:\Users\Admin\AppData\Local\Temp\order no. #7962011665 20200504 ,xlsx.exe
"C:\Users\Admin\AppData\Local\Temp\order no. #7962011665 20200504 ,xlsx.exe"
46⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:6216

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
47⤵
- Suspicious behavior: SetClipboardViewer
PID:7440

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\order no. #7962011665 20200504 ,xlsx.exe"
47⤵
PID:7232

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
48⤵
PID:8112

C:\Users\Admin\AppData\Local\Temp\order no. #7962011665 20200504 ,xlsx.exe
"C:\Users\Admin\AppData\Local\Temp\order no. #7962011665 20200504 ,xlsx.exe"
47⤵
- Suspicious use of SetThreadContext
PID:7740

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
48⤵
- Suspicious behavior: SetClipboardViewer
PID:7520

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\order no. #7962011665 20200504 ,xlsx.exe"
48⤵
PID:5236

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
49⤵
PID:6764

C:\Users\Admin\AppData\Local\Temp\order no. #7962011665 20200504 ,xlsx.exe
"C:\Users\Admin\AppData\Local\Temp\order no. #7962011665 20200504 ,xlsx.exe"
48⤵
- Suspicious use of SetThreadContext
PID:7532

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
49⤵
- Suspicious behavior: SetClipboardViewer
PID:7632

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\order no. #7962011665 20200504 ,xlsx.exe"
49⤵
PID:7396

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
50⤵
PID:4752

C:\Users\Admin\AppData\Local\Temp\order no. #7962011665 20200504 ,xlsx.exe
"C:\Users\Admin\AppData\Local\Temp\order no. #7962011665 20200504 ,xlsx.exe"
49⤵
- Suspicious use of SetThreadContext
PID:7744

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
50⤵
PID:6576

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
50⤵
- Suspicious behavior: SetClipboardViewer
PID:6992

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\order no. #7962011665 20200504 ,xlsx.exe"
50⤵
PID:7548

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
51⤵
PID:7388

C:\Users\Admin\AppData\Local\Temp\order no. #7962011665 20200504 ,xlsx.exe
"C:\Users\Admin\AppData\Local\Temp\order no. #7962011665 20200504 ,xlsx.exe"
50⤵
- Suspicious use of SetThreadContext
PID:4036

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
51⤵
- Suspicious behavior: SetClipboardViewer
PID:8076

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\order no. #7962011665 20200504 ,xlsx.exe"
51⤵
PID:7732

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
52⤵
PID:7648

C:\Users\Admin\AppData\Local\Temp\order no. #7962011665 20200504 ,xlsx.exe
"C:\Users\Admin\AppData\Local\Temp\order no. #7962011665 20200504 ,xlsx.exe"
51⤵
- Suspicious use of SetThreadContext
PID:7336

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
52⤵
- Suspicious behavior: SetClipboardViewer
PID:6248

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\order no. #7962011665 20200504 ,xlsx.exe"
52⤵
PID:1844

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
53⤵
PID:4148

C:\Users\Admin\AppData\Local\Temp\order no. #7962011665 20200504 ,xlsx.exe
"C:\Users\Admin\AppData\Local\Temp\order no. #7962011665 20200504 ,xlsx.exe"
52⤵
- Suspicious use of SetThreadContext
PID:8092

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
53⤵
PID:7180

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
53⤵
- Suspicious behavior: SetClipboardViewer
PID:7540

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\order no. #7962011665 20200504 ,xlsx.exe"
53⤵
PID:5832

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
54⤵
PID:8124

C:\Users\Admin\AppData\Local\Temp\order no. #7962011665 20200504 ,xlsx.exe
"C:\Users\Admin\AppData\Local\Temp\order no. #7962011665 20200504 ,xlsx.exe"
53⤵
- Suspicious use of SetThreadContext
PID:8056

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
54⤵
- Suspicious behavior: SetClipboardViewer
PID:4012

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\order no. #7962011665 20200504 ,xlsx.exe"
54⤵
PID:8224

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
55⤵
PID:8280

C:\Users\Admin\AppData\Local\Temp\order no. #7962011665 20200504 ,xlsx.exe
"C:\Users\Admin\AppData\Local\Temp\order no. #7962011665 20200504 ,xlsx.exe"
54⤵
- Suspicious use of SetThreadContext
PID:8308

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
55⤵
PID:8440

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
55⤵
- Suspicious behavior: SetClipboardViewer
PID:8452

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\order no. #7962011665 20200504 ,xlsx.exe"
55⤵
PID:8532

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
56⤵
PID:8608

C:\Users\Admin\AppData\Local\Temp\order no. #7962011665 20200504 ,xlsx.exe
"C:\Users\Admin\AppData\Local\Temp\order no. #7962011665 20200504 ,xlsx.exe"
55⤵
- Suspicious use of SetThreadContext
PID:8644

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
56⤵
PID:8728

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
56⤵
PID:8740

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
56⤵
PID:8752

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
56⤵
- Suspicious behavior: SetClipboardViewer
PID:8764

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\order no. #7962011665 20200504 ,xlsx.exe"
56⤵
PID:8852

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
57⤵
PID:8928

C:\Users\Admin\AppData\Local\Temp\order no. #7962011665 20200504 ,xlsx.exe
"C:\Users\Admin\AppData\Local\Temp\order no. #7962011665 20200504 ,xlsx.exe"
56⤵
- Suspicious use of SetThreadContext
PID:8956

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
57⤵
PID:9048

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\order no. #7962011665 20200504 ,xlsx.exe"
57⤵
PID:9140

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
58⤵
PID:9212

C:\Users\Admin\AppData\Local\Temp\order no. #7962011665 20200504 ,xlsx.exe
"C:\Users\Admin\AppData\Local\Temp\order no. #7962011665 20200504 ,xlsx.exe"
57⤵
- Suspicious use of SetThreadContext
PID:7568

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
58⤵
PID:5988

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\order no. #7962011665 20200504 ,xlsx.exe"
58⤵
PID:8556

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
59⤵
PID:8260

C:\Users\Admin\AppData\Local\Temp\order no. #7962011665 20200504 ,xlsx.exe
"C:\Users\Admin\AppData\Local\Temp\order no. #7962011665 20200504 ,xlsx.exe"
58⤵
- Suspicious use of SetThreadContext
PID:7724

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
59⤵
PID:8760

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\order no. #7962011665 20200504 ,xlsx.exe"
59⤵
PID:8196

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
60⤵
PID:9156

C:\Users\Admin\AppData\Local\Temp\order no. #7962011665 20200504 ,xlsx.exe
"C:\Users\Admin\AppData\Local\Temp\order no. #7962011665 20200504 ,xlsx.exe"
59⤵
- Suspicious use of SetThreadContext
PID:8576

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
60⤵
PID:8328

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\order no. #7962011665 20200504 ,xlsx.exe"
60⤵
PID:8920

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
61⤵
PID:2720

C:\Users\Admin\AppData\Local\Temp\order no. #7962011665 20200504 ,xlsx.exe
"C:\Users\Admin\AppData\Local\Temp\order no. #7962011665 20200504 ,xlsx.exe"
60⤵
- Suspicious use of SetThreadContext
PID:8808

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
61⤵
PID:1436

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\order no. #7962011665 20200504 ,xlsx.exe"
61⤵
PID:9112

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
62⤵
PID:800

C:\Users\Admin\AppData\Local\Temp\order no. #7962011665 20200504 ,xlsx.exe
"C:\Users\Admin\AppData\Local\Temp\order no. #7962011665 20200504 ,xlsx.exe"
61⤵
- Suspicious use of SetThreadContext
PID:7756

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
62⤵
PID:8512

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\order no. #7962011665 20200504 ,xlsx.exe"
62⤵
PID:8268

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/188-67-0x0000000000000000-mapping.dmp

Download
memory/412-104-0x0000000000000000-mapping.dmp

Download
memory/416-476-0x0000000000000000-mapping.dmp

Download
memory/492-246-0x0000000073430000-0x0000000073B1E000-memory.dmp

Filesize
6.9MB

Download
memory/492-244-0x000000000048A1DE-mapping.dmp

Download
memory/632-217-0x0000000000000000-mapping.dmp

Download
memory/632-219-0x0000000073430000-0x0000000073B1E000-memory.dmp

Filesize
6.9MB

Download
memory/760-105-0x0000000073430000-0x0000000073B1E000-memory.dmp

Filesize
6.9MB

Download
memory/760-103-0x0000000000000000-mapping.dmp

Download
memory/796-21-0x000000000048A1DE-mapping.dmp

Download
memory/796-22-0x0000000073430000-0x0000000073B1E000-memory.dmp

Filesize
6.9MB

Download
memory/796-130-0x000000000C760000-0x000000000C761000-memory.dmp

Filesize
4KB

Download
memory/800-1083-0x0000000000000000-mapping.dmp

Download
memory/900-787-0x0000000000000000-mapping.dmp

Download
memory/1068-238-0x0000000000000000-mapping.dmp

Download
memory/1068-239-0x0000000073430000-0x0000000073B1E000-memory.dmp

Filesize
6.9MB

Download
memory/1108-25-0x0000000000000000-mapping.dmp

Download
memory/1156-120-0x0000000000000000-mapping.dmp

Download
memory/1264-273-0x0000000000000000-mapping.dmp

Download
memory/1264-274-0x0000000073430000-0x0000000073B1E000-memory.dmp

Filesize
6.9MB

Download
memory/1272-397-0x0000000000000000-mapping.dmp

Download
memory/1316-122-0x0000000073430000-0x0000000073B1E000-memory.dmp

Filesize
6.9MB

Download
memory/1316-121-0x0000000000000000-mapping.dmp

Download
memory/1320-236-0x0000000000000000-mapping.dmp

Download
memory/1356-230-0x0000000073430000-0x0000000073B1E000-memory.dmp

Filesize
6.9MB

Download
memory/1356-229-0x000000000048A1DE-mapping.dmp

Download
memory/1436-1075-0x0000000073430000-0x0000000073B1E000-memory.dmp

Filesize
6.9MB

Download
memory/1436-1073-0x000000000048A1DE-mapping.dmp

Download
memory/1548-28-0x0000000000000000-mapping.dmp

Download
memory/1548-30-0x0000000073430000-0x0000000073B1E000-memory.dmp

Filesize
6.9MB

Download
memory/1560-29-0x0000000000000000-mapping.dmp

Download
memory/1596-138-0x0000000000000000-mapping.dmp

Download
memory/1612-59-0x0000000000000000-mapping.dmp

Download
memory/1612-60-0x0000000073430000-0x0000000073B1E000-memory.dmp

Filesize
6.9MB

Download
memory/1696-176-0x0000000000000000-mapping.dmp

Download
memory/1772-269-0x0000000000000000-mapping.dmp

Download
memory/1832-233-0x0000000000000000-mapping.dmp

Download
memory/1844-910-0x0000000000000000-mapping.dmp

Download
memory/1884-36-0x0000000073430000-0x0000000073B1E000-memory.dmp

Filesize
6.9MB

Download
memory/1884-35-0x000000000048A1DE-mapping.dmp

Download
memory/1920-113-0x000000000048A1DE-mapping.dmp

Download
memory/1920-114-0x0000000073430000-0x0000000073B1E000-memory.dmp

Filesize
6.9MB

Download
memory/2064-639-0x0000000000000000-mapping.dmp

Download
memory/2064-641-0x0000000073430000-0x0000000073B1E000-memory.dmp

Filesize
6.9MB

Download
memory/2160-81-0x000000000048A1DE-mapping.dmp

Download
memory/2160-82-0x0000000073430000-0x0000000073B1E000-memory.dmp

Filesize
6.9MB

Download
memory/2220-146-0x0000000000000000-mapping.dmp

Download
memory/2228-38-0x0000000000000000-mapping.dmp

Download
memory/2244-256-0x0000000000000000-mapping.dmp

Download
memory/2252-180-0x0000000073430000-0x0000000073B1E000-memory.dmp

Filesize
6.9MB

Download
memory/2252-179-0x0000000000000000-mapping.dmp

Download
memory/2268-127-0x000000000BF60000-0x000000000BF61000-memory.dmp

Filesize
4KB

Download
memory/2268-7-0x0000000073430000-0x0000000073B1E000-memory.dmp

Filesize
6.9MB

Download
memory/2268-10-0x0000000005120000-0x0000000005121000-memory.dmp

Filesize
4KB

Download
memory/2268-78-0x000000000A8B0000-0x000000000A8B1000-memory.dmp

Filesize
4KB

Download
memory/2268-94-0x000000000B580000-0x000000000B581000-memory.dmp

Filesize
4KB

Download
memory/2268-5-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2268-11-0x000000000A810000-0x000000000A811000-memory.dmp

Filesize
4KB

Download
memory/2268-6-0x000000000048A1DE-mapping.dmp

Download
memory/2272-192-0x0000000073430000-0x0000000073B1E000-memory.dmp

Filesize
6.9MB

Download
memory/2272-191-0x000000000048A1DE-mapping.dmp

Download
memory/2320-86-0x0000000000000000-mapping.dmp

Download
memory/2524-160-0x0000000000000000-mapping.dmp

Download
memory/2720-1063-0x0000000000000000-mapping.dmp

Download
memory/2772-74-0x0000000073430000-0x0000000073B1E000-memory.dmp

Filesize
6.9MB

Download
memory/2772-73-0x0000000000000000-mapping.dmp

Download
memory/2792-42-0x0000000000000000-mapping.dmp

Download
memory/2792-44-0x0000000073430000-0x0000000073B1E000-memory.dmp

Filesize
6.9MB

Download
memory/2832-43-0x0000000000000000-mapping.dmp

Download
memory/2952-213-0x0000000000000000-mapping.dmp

Download
memory/3012-365-0x0000000073430000-0x0000000073B1E000-memory.dmp

Filesize
6.9MB

Download
memory/3012-363-0x0000000000000000-mapping.dmp

Download
memory/3096-355-0x000000000048A1DE-mapping.dmp

Download
memory/3096-356-0x0000000073430000-0x0000000073B1E000-memory.dmp

Filesize
6.9MB

Download
memory/3136-184-0x0000000000000000-mapping.dmp

Download
memory/3144-204-0x0000000000000000-mapping.dmp

Download
memory/3164-161-0x0000000073430000-0x0000000073B1E000-memory.dmp

Filesize
6.9MB

Download
memory/3164-159-0x0000000000000000-mapping.dmp

Download
memory/3168-14-0x0000000000000000-mapping.dmp

Download
memory/3168-15-0x0000000073430000-0x0000000073B1E000-memory.dmp

Filesize
6.9MB

Download
memory/3232-801-0x0000000000000000-mapping.dmp

Download
memory/3328-98-0x0000000000000000-mapping.dmp

Download
memory/3340-156-0x0000000000000000-mapping.dmp

Download
memory/3568-218-0x0000000000000000-mapping.dmp

Download
memory/3588-255-0x0000000073430000-0x0000000073B1E000-memory.dmp

Filesize
6.9MB

Download
memory/3588-254-0x0000000000000000-mapping.dmp

Download
memory/3600-88-0x0000000000000000-mapping.dmp

Download
memory/3716-264-0x0000000073430000-0x0000000073B1E000-memory.dmp

Filesize
6.9MB

Download
memory/3716-262-0x000000000048A1DE-mapping.dmp

Download
memory/3756-117-0x0000000000000000-mapping.dmp

Download
memory/3832-173-0x0000000073430000-0x0000000073B1E000-memory.dmp

Filesize
6.9MB

Download
memory/3832-171-0x000000000048A1DE-mapping.dmp

Download
memory/3848-12-0x0000000000000000-mapping.dmp

Download
memory/3912-272-0x0000000000000000-mapping.dmp

Download
memory/3956-56-0x0000000000000000-mapping.dmp

Download
memory/4008-602-0x0000000000000000-mapping.dmp

Download
memory/4012-943-0x000000000048A1DE-mapping.dmp

Download
memory/4012-944-0x0000000073430000-0x0000000073B1E000-memory.dmp

Filesize
6.9MB

Download
memory/4036-877-0x0000000000000000-mapping.dmp

Download
memory/4036-879-0x0000000073430000-0x0000000073B1E000-memory.dmp

Filesize
6.9MB

Download
memory/4044-468-0x0000000000000000-mapping.dmp

Download
memory/4052-52-0x0000000073430000-0x0000000073B1E000-memory.dmp

Filesize
6.9MB

Download
memory/4052-51-0x000000000048A1DE-mapping.dmp

Download
memory/4072-151-0x000000000048A1DE-mapping.dmp

Download
memory/4072-152-0x0000000073430000-0x0000000073B1E000-memory.dmp

Filesize
6.9MB

Download
memory/4092-251-0x0000000000000000-mapping.dmp

Download
memory/4108-488-0x0000000000000000-mapping.dmp

Download
memory/4148-913-0x0000000000000000-mapping.dmp

Download
memory/4152-89-0x0000000000000000-mapping.dmp

Download
memory/4152-90-0x0000000073430000-0x0000000073B1E000-memory.dmp

Filesize
6.9MB

Download
memory/4172-97-0x0000000073430000-0x0000000073B1E000-memory.dmp

Filesize
6.9MB

Download
memory/4172-96-0x000000000048A1DE-mapping.dmp

Download
memory/4180-380-0x0000000000000000-mapping.dmp

Download
memory/4240-13-0x0000000000000000-mapping.dmp

Download
memory/4388-194-0x0000000000000000-mapping.dmp

Download
memory/4416-58-0x0000000000000000-mapping.dmp

Download
memory/4452-448-0x000000000048A1DE-mapping.dmp

Download
memory/4452-449-0x0000000073430000-0x0000000073B1E000-memory.dmp

Filesize
6.9MB

Download
memory/4464-281-0x0000000073430000-0x0000000073B1E000-memory.dmp

Filesize
6.9MB

Download
memory/4464-280-0x000000000048A1DE-mapping.dmp

Download
memory/4484-670-0x0000000000000000-mapping.dmp

Download
memory/4488-199-0x0000000073430000-0x0000000073B1E000-memory.dmp

Filesize
6.9MB

Download
memory/4488-198-0x0000000000000000-mapping.dmp

Download
memory/4512-133-0x000000000048A1DE-mapping.dmp

Download
memory/4512-134-0x0000000073430000-0x0000000073B1E000-memory.dmp

Filesize
6.9MB

Download
memory/4532-141-0x0000000000000000-mapping.dmp

Download
memory/4532-142-0x0000000073430000-0x0000000073B1E000-memory.dmp

Filesize
6.9MB

Download
memory/4588-351-0x0000000000000000-mapping.dmp

Download
memory/4648-65-0x000000000048A1DE-mapping.dmp

Download
memory/4648-66-0x0000000073430000-0x0000000073B1E000-memory.dmp

Filesize
6.9MB

Download
memory/4676-72-0x0000000000000000-mapping.dmp

Download
memory/4680-4-0x00000000057F0000-0x0000000005880000-memory.dmp

Filesize
576KB

Download
memory/4680-3-0x0000000005210000-0x00000000052A2000-memory.dmp

Filesize
584KB

Download
memory/4680-1-0x0000000000970000-0x0000000000971000-memory.dmp

Filesize
4KB

Download
memory/4680-0-0x0000000073430000-0x0000000073B1E000-memory.dmp

Filesize
6.9MB

Download
memory/4688-694-0x0000000000000000-mapping.dmp

Download
memory/4688-695-0x0000000073430000-0x0000000073B1E000-memory.dmp

Filesize
6.9MB

Download
memory/4752-858-0x0000000000000000-mapping.dmp

Download
memory/4808-422-0x0000000000000000-mapping.dmp

Download
memory/4904-434-0x0000000000000000-mapping.dmp

Download
memory/4976-475-0x0000000000000000-mapping.dmp

Download
memory/4976-477-0x0000000073430000-0x0000000073B1E000-memory.dmp

Filesize
6.9MB

Download
memory/5056-209-0x0000000073430000-0x0000000073B1E000-memory.dmp

Filesize
6.9MB

Download
memory/5056-208-0x000000000048A1DE-mapping.dmp

Download
memory/5116-360-0x0000000000000000-mapping.dmp

Download
memory/5144-378-0x0000000000000000-mapping.dmp

Download
memory/5188-286-0x0000000000000000-mapping.dmp

Download
memory/5204-412-0x000000000048A1DE-mapping.dmp

Download
memory/5204-413-0x0000000073430000-0x0000000073B1E000-memory.dmp

Filesize
6.9MB

Download
memory/5208-374-0x0000000073430000-0x0000000073B1E000-memory.dmp

Filesize
6.9MB

Download
memory/5208-373-0x000000000048A1DE-mapping.dmp

Download
memory/5236-836-0x0000000000000000-mapping.dmp

Download
memory/5252-288-0x0000000000000000-mapping.dmp

Download
memory/5284-290-0x0000000073430000-0x0000000073B1E000-memory.dmp

Filesize
6.9MB

Download
memory/5284-289-0x0000000000000000-mapping.dmp

Download
memory/5308-455-0x0000000000000000-mapping.dmp

Download
memory/5404-299-0x000000000048A1DE-mapping.dmp

Download
memory/5404-300-0x0000000073430000-0x0000000073B1E000-memory.dmp

Filesize
6.9MB

Download
memory/5460-568-0x0000000000000000-mapping.dmp

Download
memory/5484-453-0x0000000000000000-mapping.dmp

Download
memory/5496-305-0x0000000000000000-mapping.dmp

Download
memory/5516-362-0x0000000000000000-mapping.dmp

Download
memory/5532-564-0x0000000000000000-mapping.dmp

Download
memory/5532-565-0x0000000073430000-0x0000000073B1E000-memory.dmp

Filesize
6.9MB

Download
memory/5544-392-0x000000000048A1DE-mapping.dmp

Download
memory/5544-394-0x0000000073430000-0x0000000073B1E000-memory.dmp

Filesize
6.9MB

Download
memory/5548-429-0x000000000048A1DE-mapping.dmp

Download
memory/5548-430-0x0000000073430000-0x0000000073B1E000-memory.dmp

Filesize
6.9MB

Download
memory/5568-310-0x0000000073430000-0x0000000073B1E000-memory.dmp

Filesize
6.9MB

Download
memory/5568-309-0x0000000000000000-mapping.dmp

Download
memory/5624-314-0x0000000000000000-mapping.dmp

Download
memory/5632-558-0x0000000000000000-mapping.dmp

Download
memory/5684-320-0x0000000073430000-0x0000000073B1E000-memory.dmp

Filesize
6.9MB

Download
memory/5684-318-0x000000000048A1DE-mapping.dmp

Download
memory/5692-485-0x000000000048A1DE-mapping.dmp

Download
memory/5692-486-0x0000000073430000-0x0000000073B1E000-memory.dmp

Filesize
6.9MB

Download
memory/5700-423-0x0000000073430000-0x0000000073B1E000-memory.dmp

Filesize
6.9MB

Download
memory/5700-421-0x0000000000000000-mapping.dmp

Download
memory/5744-603-0x0000000000000000-mapping.dmp

Download
memory/5744-604-0x0000000073430000-0x0000000073B1E000-memory.dmp

Filesize
6.9MB

Download
memory/5756-400-0x0000000000000000-mapping.dmp

Download
memory/5780-324-0x0000000000000000-mapping.dmp

Download
memory/5784-402-0x0000000000000000-mapping.dmp

Download
memory/5784-403-0x0000000073430000-0x0000000073B1E000-memory.dmp

Filesize
6.9MB

Download
memory/5808-467-0x0000000073430000-0x0000000073B1E000-memory.dmp

Filesize
6.9MB

Download
memory/5808-466-0x000000000048A1DE-mapping.dmp

Download
memory/5832-929-0x0000000000000000-mapping.dmp

Download
memory/5844-327-0x0000000000000000-mapping.dmp

Download
memory/5844-329-0x0000000073430000-0x0000000073B1E000-memory.dmp

Filesize
6.9MB

Download
memory/5848-574-0x000000000048A1DE-mapping.dmp

Download
memory/5848-575-0x0000000073430000-0x0000000073B1E000-memory.dmp

Filesize
6.9MB

Download
memory/5856-328-0x0000000000000000-mapping.dmp

Download
memory/5864-415-0x0000000000000000-mapping.dmp

Download
memory/5892-437-0x0000000000000000-mapping.dmp

Download
memory/5908-439-0x0000000073430000-0x0000000073B1E000-memory.dmp

Filesize
6.9MB

Download
memory/5908-438-0x0000000000000000-mapping.dmp

Download
memory/5916-456-0x0000000000000000-mapping.dmp

Download
memory/5916-457-0x0000000073430000-0x0000000073B1E000-memory.dmp

Filesize
6.9MB

Download
memory/5952-666-0x0000000073430000-0x0000000073B1E000-memory.dmp

Filesize
6.9MB

Download
memory/5952-665-0x000000000048A1DE-mapping.dmp

Download
memory/5968-338-0x0000000073430000-0x0000000073B1E000-memory.dmp

Filesize
6.9MB

Download
memory/5968-337-0x000000000048A1DE-mapping.dmp

Download
memory/5988-1019-0x000000000048A1DE-mapping.dmp

Download
memory/5988-1020-0x0000000073430000-0x0000000073B1E000-memory.dmp

Filesize
6.9MB

Download
memory/5996-611-0x0000000073430000-0x0000000073B1E000-memory.dmp

Filesize
6.9MB

Download
memory/5996-610-0x000000000048A1DE-mapping.dmp

Download
memory/6028-383-0x0000000000000000-mapping.dmp

Download
memory/6028-384-0x0000000073430000-0x0000000073B1E000-memory.dmp

Filesize
6.9MB

Download
memory/6060-342-0x0000000000000000-mapping.dmp

Download
memory/6140-346-0x0000000000000000-mapping.dmp

Download
memory/6140-347-0x0000000073430000-0x0000000073B1E000-memory.dmp

Filesize
6.9MB

Download
memory/6168-584-0x0000000073430000-0x0000000073B1E000-memory.dmp

Filesize
6.9MB

Download
memory/6168-583-0x0000000000000000-mapping.dmp

Download
memory/6176-708-0x0000000000000000-mapping.dmp

Download
memory/6180-492-0x0000000000000000-mapping.dmp

Download
memory/6180-494-0x0000000073430000-0x0000000073B1E000-memory.dmp

Filesize
6.9MB

Download
memory/6184-662-0x0000000000000000-mapping.dmp

Download
memory/6192-493-0x0000000000000000-mapping.dmp

Download
memory/6196-702-0x000000000048A1DE-mapping.dmp

Download
memory/6196-703-0x0000000073430000-0x0000000073B1E000-memory.dmp

Filesize
6.9MB

Download
memory/6216-805-0x0000000000000000-mapping.dmp

Download
memory/6216-806-0x0000000073430000-0x0000000073B1E000-memory.dmp

Filesize
6.9MB

Download
memory/6244-578-0x0000000000000000-mapping.dmp

Download
memory/6248-906-0x000000000048A1DE-mapping.dmp

Download
memory/6248-907-0x0000000073430000-0x0000000073B1E000-memory.dmp

Filesize
6.9MB

Download
memory/6288-503-0x0000000073430000-0x0000000073B1E000-memory.dmp

Filesize
6.9MB

Download
memory/6288-502-0x000000000048A1DE-mapping.dmp

Download
memory/6344-596-0x0000000000000000-mapping.dmp

Download
memory/6368-506-0x0000000000000000-mapping.dmp

Download
memory/6396-686-0x0000000000000000-mapping.dmp

Download
memory/6444-509-0x0000000000000000-mapping.dmp

Download
memory/6448-629-0x000000000048A1DE-mapping.dmp

Download
memory/6448-630-0x0000000073430000-0x0000000073B1E000-memory.dmp

Filesize
6.9MB

Download
memory/6456-510-0x0000000000000000-mapping.dmp

Download
memory/6456-512-0x0000000073430000-0x0000000073B1E000-memory.dmp

Filesize
6.9MB

Download
memory/6460-699-0x0000000000000000-mapping.dmp

Download
memory/6492-638-0x0000000000000000-mapping.dmp

Download
memory/6504-804-0x0000000000000000-mapping.dmp

Download
memory/6544-519-0x000000000048A1DE-mapping.dmp

Download
memory/6544-520-0x0000000073430000-0x0000000073B1E000-memory.dmp

Filesize
6.9MB

Download
memory/6628-521-0x0000000000000000-mapping.dmp

Download
memory/6636-684-0x000000000048A1DE-mapping.dmp

Download
memory/6636-685-0x0000000073430000-0x0000000073B1E000-memory.dmp

Filesize
6.9MB

Download
memory/6668-648-0x0000000073430000-0x0000000073B1E000-memory.dmp

Filesize
6.9MB

Download
memory/6668-647-0x000000000048A1DE-mapping.dmp

Download
memory/6672-1114-0x0000000000000000-mapping.dmp

Download
memory/6720-582-0x0000000000000000-mapping.dmp

Download
memory/6732-528-0x0000000000000000-mapping.dmp

Download
memory/6732-529-0x0000000073430000-0x0000000073B1E000-memory.dmp

Filesize
6.9MB

Download
memory/6764-840-0x0000000000000000-mapping.dmp

Download
memory/6780-534-0x0000000000000000-mapping.dmp

Download
memory/6788-677-0x0000000073430000-0x0000000073B1E000-memory.dmp

Filesize
6.9MB

Download
memory/6788-676-0x0000000000000000-mapping.dmp

Download
memory/6836-538-0x000000000048A1DE-mapping.dmp

Download
memory/6836-539-0x0000000073430000-0x0000000073B1E000-memory.dmp

Filesize
6.9MB

Download
memory/6904-620-0x0000000000000000-mapping.dmp

Download
memory/6908-593-0x0000000073430000-0x0000000073B1E000-memory.dmp

Filesize
6.9MB

Download
memory/6908-592-0x000000000048A1DE-mapping.dmp

Download
memory/6920-657-0x0000000000000000-mapping.dmp

Download
memory/6920-658-0x0000000073430000-0x0000000073B1E000-memory.dmp

Filesize
6.9MB

Download
memory/6924-650-0x0000000000000000-mapping.dmp

Download
memory/6948-544-0x0000000000000000-mapping.dmp

Download
memory/6992-870-0x0000000073430000-0x0000000073B1E000-memory.dmp

Filesize
6.9MB

Download
memory/6992-869-0x000000000048A1DE-mapping.dmp

Download
memory/6996-622-0x0000000073430000-0x0000000073B1E000-memory.dmp

Filesize
6.9MB

Download
memory/6996-621-0x0000000000000000-mapping.dmp

Download
memory/7004-786-0x0000000000000000-mapping.dmp

Download
memory/7004-788-0x0000000073430000-0x0000000073B1E000-memory.dmp

Filesize
6.9MB

Download
memory/7020-549-0x0000000073430000-0x0000000073B1E000-memory.dmp

Filesize
6.9MB

Download
memory/7020-547-0x0000000000000000-mapping.dmp

Download
memory/7024-636-0x0000000000000000-mapping.dmp

Download
memory/7036-548-0x0000000000000000-mapping.dmp

Download
memory/7080-615-0x0000000000000000-mapping.dmp

Download
memory/7096-675-0x0000000000000000-mapping.dmp

Download
memory/7104-557-0x0000000073430000-0x0000000073B1E000-memory.dmp

Filesize
6.9MB

Download
memory/7104-556-0x000000000048A1DE-mapping.dmp

Download
memory/7188-712-0x0000000000000000-mapping.dmp

Download
memory/7212-781-0x0000000000000000-mapping.dmp

Download
memory/7216-714-0x0000000073430000-0x0000000073B1E000-memory.dmp

Filesize
6.9MB

Download
memory/7216-713-0x0000000000000000-mapping.dmp

Download
memory/7232-818-0x0000000000000000-mapping.dmp

Download
memory/7320-724-0x0000000073430000-0x0000000073B1E000-memory.dmp

Filesize
6.9MB

Download
memory/7320-722-0x000000000048A1DE-mapping.dmp

Download
memory/7336-896-0x0000000000000000-mapping.dmp

Download
memory/7336-897-0x0000000073430000-0x0000000073B1E000-memory.dmp

Filesize
6.9MB

Download
memory/7388-878-0x0000000000000000-mapping.dmp

Download
memory/7396-855-0x0000000000000000-mapping.dmp

Download
memory/7416-727-0x0000000000000000-mapping.dmp

Download
memory/7440-814-0x000000000048A1DE-mapping.dmp

Download
memory/7440-815-0x0000000073430000-0x0000000073B1E000-memory.dmp

Filesize
6.9MB

Download
memory/7476-730-0x0000000000000000-mapping.dmp

Download
memory/7500-797-0x000000000048A1DE-mapping.dmp

Download
memory/7500-798-0x0000000073430000-0x0000000073B1E000-memory.dmp

Filesize
6.9MB

Download
memory/7504-732-0x0000000073430000-0x0000000073B1E000-memory.dmp

Filesize
6.9MB

Download
memory/7504-731-0x0000000000000000-mapping.dmp

Download
memory/7520-832-0x000000000048A1DE-mapping.dmp

Download
memory/7520-833-0x0000000073430000-0x0000000073B1E000-memory.dmp

Filesize
6.9MB

Download
memory/7532-842-0x0000000073430000-0x0000000073B1E000-memory.dmp

Filesize
6.9MB

Download
memory/7532-841-0x0000000000000000-mapping.dmp

Download
memory/7540-925-0x000000000048A1DE-mapping.dmp

Download
memory/7540-926-0x0000000073430000-0x0000000073B1E000-memory.dmp

Filesize
6.9MB

Download
memory/7548-873-0x0000000000000000-mapping.dmp

Download
memory/7568-1011-0x0000000000000000-mapping.dmp

Download
memory/7568-1013-0x0000000073430000-0x0000000073B1E000-memory.dmp

Filesize
6.9MB

Download
memory/7604-742-0x0000000073430000-0x0000000073B1E000-memory.dmp

Filesize
6.9MB

Download
memory/7604-741-0x000000000048A1DE-mapping.dmp

Download
memory/7632-852-0x0000000073430000-0x0000000073B1E000-memory.dmp

Filesize
6.9MB

Download
memory/7632-851-0x000000000048A1DE-mapping.dmp

Download
memory/7648-895-0x0000000000000000-mapping.dmp

Download
memory/7688-745-0x0000000000000000-mapping.dmp

Download
memory/7724-1028-0x0000000073430000-0x0000000073B1E000-memory.dmp

Filesize
6.9MB

Download
memory/7724-1026-0x0000000000000000-mapping.dmp

Download
memory/7732-892-0x0000000000000000-mapping.dmp

Download
memory/7740-823-0x0000000000000000-mapping.dmp

Download
memory/7740-824-0x0000000073430000-0x0000000073B1E000-memory.dmp

Filesize
6.9MB

Download
memory/7744-859-0x0000000000000000-mapping.dmp

Download
memory/7744-860-0x0000000073430000-0x0000000073B1E000-memory.dmp

Filesize
6.9MB

Download
memory/7752-748-0x0000000000000000-mapping.dmp

Download
memory/7756-1085-0x0000000073430000-0x0000000073B1E000-memory.dmp

Filesize
6.9MB

Download
memory/7756-1084-0x0000000000000000-mapping.dmp

Download
memory/7772-749-0x0000000000000000-mapping.dmp

Download
memory/7772-750-0x0000000073430000-0x0000000073B1E000-memory.dmp

Filesize
6.9MB

Download
memory/7884-759-0x000000000048A1DE-mapping.dmp

Download
memory/7884-760-0x0000000073430000-0x0000000073B1E000-memory.dmp

Filesize
6.9MB

Download
memory/7948-1115-0x0000000000000000-mapping.dmp

Download
memory/7948-1116-0x0000000073430000-0x0000000073B1E000-memory.dmp

Filesize
6.9MB

Download
memory/7972-764-0x0000000000000000-mapping.dmp

Download
memory/8032-766-0x0000000000000000-mapping.dmp

Download
memory/8052-768-0x0000000073430000-0x0000000073B1E000-memory.dmp

Filesize
6.9MB

Download
memory/8052-767-0x0000000000000000-mapping.dmp

Download
memory/8056-936-0x0000000073430000-0x0000000073B1E000-memory.dmp

Filesize
6.9MB

Download
memory/8056-935-0x0000000000000000-mapping.dmp

Download
memory/8076-885-0x000000000048A1DE-mapping.dmp

Download
memory/8076-886-0x0000000073430000-0x0000000073B1E000-memory.dmp

Filesize
6.9MB

Download
memory/8092-916-0x0000000073430000-0x0000000073B1E000-memory.dmp

Filesize
6.9MB

Download
memory/8092-914-0x0000000000000000-mapping.dmp

Download
memory/8112-822-0x0000000000000000-mapping.dmp

Download
memory/8124-934-0x0000000000000000-mapping.dmp

Download
memory/8184-780-0x0000000073430000-0x0000000073B1E000-memory.dmp

Filesize
6.9MB

Download
memory/8184-779-0x000000000048A1DE-mapping.dmp

Download
memory/8196-1040-0x0000000000000000-mapping.dmp

Download
memory/8224-948-0x0000000000000000-mapping.dmp

Download
memory/8260-1031-0x0000000000000000-mapping.dmp

Download
memory/8268-1095-0x0000000000000000-mapping.dmp

Download
memory/8280-950-0x0000000000000000-mapping.dmp

Download
memory/8308-951-0x0000000000000000-mapping.dmp

Download
memory/8308-952-0x0000000073430000-0x0000000073B1E000-memory.dmp

Filesize
6.9MB

Download
memory/8328-1056-0x0000000073430000-0x0000000073B1E000-memory.dmp

Filesize
6.9MB

Download
memory/8328-1055-0x000000000048A1DE-mapping.dmp

Download
memory/8452-963-0x0000000073430000-0x0000000073B1E000-memory.dmp

Filesize
6.9MB

Download
memory/8452-962-0x000000000048A1DE-mapping.dmp

Download
memory/8512-1091-0x000000000048A1DE-mapping.dmp

Download
memory/8512-1092-0x0000000073430000-0x0000000073B1E000-memory.dmp

Filesize
6.9MB

Download
memory/8532-966-0x0000000000000000-mapping.dmp

Download
memory/8556-1024-0x0000000000000000-mapping.dmp

Download
memory/8576-1043-0x0000000000000000-mapping.dmp

Download
memory/8576-1044-0x0000000073430000-0x0000000073B1E000-memory.dmp

Filesize
6.9MB

Download
memory/8608-971-0x0000000000000000-mapping.dmp

Download
memory/8644-973-0x0000000000000000-mapping.dmp

Download
memory/8644-974-0x0000000073430000-0x0000000073B1E000-memory.dmp

Filesize
6.9MB

Download
memory/8760-1035-0x000000000048A1DE-mapping.dmp

Download
memory/8760-1036-0x0000000073430000-0x0000000073B1E000-memory.dmp

Filesize
6.9MB

Download
memory/8764-983-0x000000000048A1DE-mapping.dmp

Download
memory/8764-984-0x0000000073430000-0x0000000073B1E000-memory.dmp

Filesize
6.9MB

Download
memory/8808-1064-0x0000000000000000-mapping.dmp

Download
memory/8808-1065-0x0000000073430000-0x0000000073B1E000-memory.dmp

Filesize
6.9MB

Download
memory/8820-1110-0x0000000000000000-mapping.dmp

Download
memory/8852-988-0x0000000000000000-mapping.dmp

Download
memory/8920-1060-0x0000000000000000-mapping.dmp

Download
memory/8928-992-0x0000000000000000-mapping.dmp

Download
memory/8956-993-0x0000000000000000-mapping.dmp

Download
memory/8956-994-0x0000000073430000-0x0000000073B1E000-memory.dmp

Filesize
6.9MB

Download
memory/8964-1107-0x000000000048A1DE-mapping.dmp

Download
memory/8964-1108-0x0000000073430000-0x0000000073B1E000-memory.dmp

Filesize
6.9MB

Download
memory/9048-1001-0x000000000048A1DE-mapping.dmp

Download
memory/9048-1002-0x0000000073430000-0x0000000073B1E000-memory.dmp

Filesize
6.9MB

Download
memory/9112-1080-0x0000000000000000-mapping.dmp

Download
memory/9120-1101-0x0000000000000000-mapping.dmp

Download
memory/9120-1102-0x0000000073430000-0x0000000073B1E000-memory.dmp

Filesize
6.9MB

Download
memory/9140-1006-0x0000000000000000-mapping.dmp

Download
memory/9156-1050-0x0000000000000000-mapping.dmp

Download
memory/9196-1100-0x0000000000000000-mapping.dmp

Download
memory/9212-1010-0x0000000000000000-mapping.dmp

Download