masslogger | 226b7b506870441f3a2bfdce077edbbad4334b5bee2e5fffde263078a169f59a

Analysis

max time kernel
13s
max time network
156s
platform
windows7_x64
resource
win7-20220414-en
submitted
21-05-2022 00:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

New_Order08042020.exe
Size

865KB
MD5

421f7936cf9984792c119c3602f2ac17
SHA1

8eca265739fce957205846992fee1abac60b4d56
SHA256

878e1a1b65cc05eb728bf4ce85b7ad87576bbc9c8465d1348c71cef4e8c098f2
SHA512

eab256280853a804a369acb75d9e43253eea65f2f05d30e098ab8c2fb5f27064977979b4fd0ab0a79119539b1306bb9e0efc6d2561504a01ef6c6227833b2a5e

Score

10^/10

masslogger ransomware spyware stealer

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\79FE0CC911\Log.txt

Family

masslogger

Ransom Note

Extracted

Path

C:\Users\Admin\AppData\Local\79FE0CC911\Log.txt

Family

masslogger

Ransom Note

<|| v2.4.0.0 ||> User Name: Admin IP: 154.61.71.51 Location: United States Windows OS: Microsoft Windows 7 Ultimate 64bit Windows Serial Key: D4F6K-QK3RD-TMVMJ-BBMRX-3MBMV CPU: Intel Core Processor (Broadwell) GPU: Standard VGA Graphics Adapter AV: NA Screen Resolution: 1280x720 Current Time: 5/21/2022 1:05:18 AM MassLogger Started: 5/21/2022 1:05:00 AM Interval: 1 hour MassLogger Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe MassLogger Melt: false MassLogger Exit after delivery: false As Administrator: True Processes: Name:WerFault, Title:Microsoft .NET Assembly Registration Utility Name:WerFault, Title:Microsoft .NET Assembly Registration Utility Name:WerFault, Title:Microsoft .NET Assembly Registration Utility Name:WerFault, Title:Microsoft .NET Assembly Registration Utility Name:WerFault, Title:Microsoft .NET Assembly Registration Utility Name:WerFault, Title:Microsoft .NET Assembly Registration Utility Name:WerFault, Title:Microsoft .NET Assembly Registration Utility Name:WerFault, Title:Microsoft .NET Assembly Registration Utility <|| WD Exclusion ||> Disabled <|| Binder ||> Disabled <|| Downloader ||> Disabled <|| Window Searcher ||> Disabled <|| Bot Killer ||> Disabled <|| Search And Upload ||> Disabled <|| Telegram Desktop ||> Not Installed <|| Pidgin ||> Not Installed <|| FileZilla ||> Not Installed <|| Discord Tokken ||> Not Installed <|| NordVPN ||> Not Installed <|| Outlook ||> Not Installed <|| FoxMail ||> Not Installed <|| Thunderbird ||> Not Installed <|| FireFox ||> Not Found <|| QQ Browser ||> Not Installed <|| Chromium Recovery ||> Not Installed or Not Found <|| Keylogger And Clipboard ||> Disabled

Extracted

Path

C:\Users\Admin\AppData\Local\79FE0CC911\Log.txt

Family

masslogger

Ransom Note

<|| v2.4.0.0 ||> User Name: Admin IP: 154.61.71.51 Location: United States Windows OS: Microsoft Windows 7 Ultimate 64bit Windows Serial Key: D4F6K-QK3RD-TMVMJ-BBMRX-3MBMV CPU: Intel Core Processor (Broadwell) GPU: Standard VGA Graphics Adapter AV: NA Screen Resolution: 1280x720 Current Time: 5/21/2022 1:05:35 AM MassLogger Started: 5/21/2022 1:05:17 AM Interval: 1 hour MassLogger Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe MassLogger Melt: false MassLogger Exit after delivery: false As Administrator: True Processes: Name:WerFault, Title:Microsoft .NET Assembly Registration Utility Name:WerFault, Title:Microsoft .NET Assembly Registration Utility Name:WerFault, Title:Microsoft .NET Assembly Registration Utility Name:WerFault, Title:Microsoft .NET Assembly Registration Utility Name:WerFault, Title:Microsoft .NET Assembly Registration Utility Name:WerFault, Title:Microsoft .NET Assembly Registration Utility Name:WerFault, Title:Microsoft .NET Assembly Registration Utility Name:WerFault, Title:Microsoft .NET Assembly Registration Utility <|| WD Exclusion ||> Disabled <|| Binder ||> Disabled <|| Downloader ||> Disabled <|| Window Searcher ||> Disabled <|| Bot Killer ||> Disabled <|| Search And Upload ||> Disabled <|| Telegram Desktop ||> Not Installed <|| Pidgin ||> Not Installed <|| FileZilla ||> Not Installed <|| Discord Tokken ||> Not Installed <|| NordVPN ||> Not Installed <|| Outlook ||> Not Installed <|| FoxMail ||> Not Installed <|| Thunderbird ||> Not Installed <|| FireFox ||> Not Found <|| QQ Browser ||> Not Installed <|| Chromium Recovery ||> Not Installed or Not Found <|| Keylogger And Clipboard ||> Disabled

Extracted

Path

C:\Users\Admin\AppData\Local\79FE0CC911\Log.txt

Family

masslogger

Ransom Note

<|| v2.4.0.0 ||> User Name: Admin IP: 154.61.71.51 Location: United States Windows OS: Microsoft Windows 7 Ultimate 64bit Windows Serial Key: D4F6K-QK3RD-TMVMJ-BBMRX-3MBMV CPU: Intel Core Processor (Broadwell) GPU: Standard VGA Graphics Adapter AV: NA Screen Resolution: 1280x720 Current Time: 5/21/2022 1:05:35 AM MassLogger Started: 5/21/2022 1:05:18 AM Interval: 1 hour MassLogger Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe MassLogger Melt: false MassLogger Exit after delivery: false As Administrator: True Processes: Name:WerFault, Title:Microsoft .NET Assembly Registration Utility Name:WerFault, Title:Microsoft .NET Assembly Registration Utility Name:WerFault, Title:Microsoft .NET Assembly Registration Utility Name:WerFault, Title:Microsoft .NET Assembly Registration Utility Name:WerFault, Title:Microsoft .NET Assembly Registration Utility Name:WerFault, Title:Microsoft .NET Assembly Registration Utility Name:WerFault, Title:Microsoft .NET Assembly Registration Utility Name:WerFault, Title:Microsoft .NET Assembly Registration Utility <|| WD Exclusion ||> Disabled <|| Binder ||> Disabled <|| Downloader ||> Disabled <|| Window Searcher ||> Disabled <|| Bot Killer ||> Disabled <|| Search And Upload ||> Disabled <|| Telegram Desktop ||> Not Installed <|| Pidgin ||> Not Installed <|| FileZilla ||> Not Installed <|| Discord Tokken ||> Not Installed <|| NordVPN ||> Not Installed <|| Outlook ||> Not Installed <|| FoxMail ||> Not Installed <|| Thunderbird ||> Not Installed <|| FireFox ||> Not Found <|| QQ Browser ||> Not Installed <|| Chromium Recovery ||> Not Installed or Not Found <|| Keylogger And Clipboard ||> Disabled

Extracted

Path

C:\Users\Admin\AppData\Local\79FE0CC911\Log.txt

Family

masslogger

Ransom Note

<|| v2.4.0.0 ||> User Name: Admin IP: 154.61.71.51 Location: United States Windows OS: Microsoft Windows 7 Ultimate 64bit Windows Serial Key: D4F6K-QK3RD-TMVMJ-BBMRX-3MBMV CPU: Intel Core Processor (Broadwell) GPU: Standard VGA Graphics Adapter AV: NA Screen Resolution: 1280x720 Current Time: 5/21/2022 1:05:35 AM MassLogger Started: 5/21/2022 1:05:24 AM Interval: 1 hour MassLogger Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe MassLogger Melt: false MassLogger Exit after delivery: false As Administrator: True Processes: Name:WerFault, Title:Microsoft .NET Assembly Registration Utility Name:WerFault, Title:Microsoft .NET Assembly Registration Utility Name:WerFault, Title:Microsoft .NET Assembly Registration Utility Name:WerFault, Title:Microsoft .NET Assembly Registration Utility Name:WerFault, Title:Microsoft .NET Assembly Registration Utility Name:WerFault, Title:Microsoft .NET Assembly Registration Utility Name:WerFault, Title:Microsoft .NET Assembly Registration Utility Name:WerFault, Title:Microsoft .NET Assembly Registration Utility <|| WD Exclusion ||> Disabled <|| Binder ||> Disabled <|| Downloader ||> Disabled <|| Window Searcher ||> Disabled <|| Bot Killer ||> Disabled <|| Search And Upload ||> Disabled <|| Telegram Desktop ||> Not Installed <|| Pidgin ||> Not Installed <|| FileZilla ||> Not Installed <|| Discord Tokken ||> Not Installed <|| NordVPN ||> Not Installed <|| Outlook ||> Not Installed <|| FoxMail ||> Not Installed <|| Thunderbird ||> Not Installed <|| FireFox ||> Not Found <|| QQ Browser ||> Not Installed <|| Chromium Recovery ||> Not Installed or Not Found <|| Keylogger And Clipboard ||> Disabled

Extracted

Path

C:\Users\Admin\AppData\Local\79FE0CC911\Log.txt

Family

masslogger

Ransom Note

<|| v2.4.0.0 ||> User Name: Admin IP: 127.0.0.1 Location: United States Windows OS: Microsoft Windows 7 Ultimate 64bit Windows Serial Key: D4F6K-QK3RD-TMVMJ-BBMRX-3MBMV CPU: Intel Core Processor (Broadwell) GPU: Standard VGA Graphics Adapter AV: NA Screen Resolution: 1280x720 Current Time: 5/21/2022 1:05:35 AM MassLogger Started: 5/21/2022 1:05:08 AM Interval: 1 hour MassLogger Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe MassLogger Melt: false MassLogger Exit after delivery: false As Administrator: True Processes: Name:WerFault, Title:Microsoft .NET Assembly Registration Utility Name:WerFault, Title:Microsoft .NET Assembly Registration Utility Name:WerFault, Title:Microsoft .NET Assembly Registration Utility Name:WerFault, Title:Microsoft .NET Assembly Registration Utility Name:WerFault, Title:Microsoft .NET Assembly Registration Utility Name:WerFault, Title:Microsoft .NET Assembly Registration Utility Name:WerFault, Title:Microsoft .NET Assembly Registration Utility Name:WerFault, Title:Microsoft .NET Assembly Registration Utility <|| WD Exclusion ||> Disabled <|| Binder ||> Disabled <|| Downloader ||> Disabled <|| Window Searcher ||> Disabled <|| Bot Killer ||> Disabled <|| Search And Upload ||> Disabled <|| Telegram Desktop ||> Not Installed <|| Pidgin ||> Not Installed <|| FileZilla ||> Not Installed <|| Discord Tokken ||> Not Installed <|| NordVPN ||> Not Installed <|| Outlook ||> Not Installed <|| FoxMail ||> Not Installed <|| Thunderbird ||> Not Installed <|| FireFox ||> Not Found <|| QQ Browser ||> Not Installed <|| Chromium Recovery ||> Not Installed or Not Found <|| Keylogger And Clipboard ||> Disabled

Extracted

Path

C:\Users\Admin\AppData\Local\79FE0CC911\Log.txt

Family

masslogger

Ransom Note

<|| v2.4.0.0 ||> User Name: Admin IP: 154.61.71.51 Location: United States Windows OS: Microsoft Windows 7 Ultimate 64bit Windows Serial Key: D4F6K-QK3RD-TMVMJ-BBMRX-3MBMV CPU: Intel Core Processor (Broadwell) GPU: Standard VGA Graphics Adapter AV: NA Screen Resolution: 1280x720 Current Time: 5/21/2022 1:05:44 AM MassLogger Started: 5/21/2022 1:05:29 AM Interval: 1 hour MassLogger Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe MassLogger Melt: false MassLogger Exit after delivery: false As Administrator: True Processes: Name:WerFault, Title:Microsoft .NET Assembly Registration Utility Name:WerFault, Title:Microsoft .NET Assembly Registration Utility Name:WerFault, Title:Microsoft .NET Assembly Registration Utility Name:WerFault, Title:Microsoft .NET Assembly Registration Utility Name:WerFault, Title:Microsoft .NET Assembly Registration Utility Name:WerFault, Title:Microsoft .NET Assembly Registration Utility Name:WerFault, Title:Microsoft .NET Assembly Registration Utility Name:WerFault, Title:Microsoft .NET Assembly Registration Utility Name:WerFault, Title:Microsoft .NET Assembly Registration Utility Name:WerFault, Title:Microsoft .NET Assembly Registration Utility <|| WD Exclusion ||> Disabled <|| Binder ||> Disabled <|| Downloader ||> Disabled <|| Window Searcher ||> Disabled <|| Bot Killer ||> Disabled <|| Search And Upload ||> Disabled <|| Telegram Desktop ||> Not Installed <|| Pidgin ||> Not Installed <|| FileZilla ||> Not Installed <|| Discord Tokken ||> Not Installed <|| NordVPN ||> Not Installed <|| Outlook ||> Not Installed <|| FoxMail ||> Not Installed <|| Thunderbird ||> Not Installed <|| FireFox ||> Not Found <|| QQ Browser ||> Not Installed <|| Chromium Recovery ||> Not Installed or Not Found <|| Keylogger And Clipboard ||> Disabled

Extracted

Path

C:\Users\Admin\AppData\Local\79FE0CC911\Log.txt

Family

masslogger

Ransom Note

<|| v2.4.0.0 ||> User Name: Admin IP: 154.61.71.51 Location: United States Windows OS: Microsoft Windows 7 Ultimate 64bit Windows Serial Key: D4F6K-QK3RD-TMVMJ-BBMRX-3MBMV CPU: Intel Core Processor (Broadwell) GPU: Standard VGA Graphics Adapter AV: NA Screen Resolution: 1280x720 Current Time: 5/21/2022 1:06:09 AM MassLogger Started: 5/21/2022 1:05:38 AM Interval: 1 hour MassLogger Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe MassLogger Melt: false MassLogger Exit after delivery: false As Administrator: True Processes: Name:WerFault, Title:Microsoft .NET Assembly Registration Utility Name:WerFault, Title:Microsoft .NET Assembly Registration Utility Name:WerFault, Title:Microsoft .NET Assembly Registration Utility Name:WerFault, Title:Microsoft .NET Assembly Registration Utility Name:WerFault, Title:Microsoft .NET Assembly Registration Utility Name:WerFault, Title:Microsoft .NET Assembly Registration Utility Name:WerFault, Title:Microsoft .NET Assembly Registration Utility Name:WerFault, Title:Microsoft .NET Assembly Registration Utility Name:WerFault, Title:Microsoft .NET Assembly Registration Utility Name:WerFault, Title:Microsoft .NET Assembly Registration Utility Name:WerFault, Title:Microsoft .NET Assembly Registration Utility Name:WerFault, Title:Microsoft .NET Assembly Registration Utility <|| WD Exclusion ||> Disabled <|| Binder ||> Disabled <|| Downloader ||> Disabled <|| Window Searcher ||> Disabled <|| Bot Killer ||> Disabled <|| Search And Upload ||> Disabled <|| Telegram Desktop ||> Not Installed <|| Pidgin ||> Not Installed <|| FileZilla ||> Not Installed <|| Discord Tokken ||> Not Installed <|| NordVPN ||> Not Installed <|| Outlook ||> Not Installed <|| FoxMail ||> Not Installed <|| Thunderbird ||> Not Installed <|| FireFox ||> Not Found <|| QQ Browser ||> Not Installed <|| Chromium Recovery ||> Not Installed or Not Found <|| Keylogger And Clipboard ||> Disabled

Extracted

Path

C:\Users\Admin\AppData\Local\79FE0CC911\Log.txt

Family

masslogger

Ransom Note

<|| v2.4.0.0 ||> User Name: Admin IP: 154.61.71.51 Location: United States Windows OS: Microsoft Windows 7 Ultimate 64bit Windows Serial Key: D4F6K-QK3RD-TMVMJ-BBMRX-3MBMV CPU: Intel Core Processor (Broadwell) GPU: Standard VGA Graphics Adapter AV: NA Screen Resolution: 1280x720 Current Time: 5/21/2022 1:06:09 AM MassLogger Started: 5/21/2022 1:05:34 AM Interval: 1 hour MassLogger Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe MassLogger Melt: false MassLogger Exit after delivery: false As Administrator: True Processes: Name:WerFault, Title:Microsoft .NET Assembly Registration Utility Name:WerFault, Title:Microsoft .NET Assembly Registration Utility Name:WerFault, Title:Microsoft .NET Assembly Registration Utility Name:WerFault, Title:Microsoft .NET Assembly Registration Utility Name:WerFault, Title:Microsoft .NET Assembly Registration Utility Name:WerFault, Title:Microsoft .NET Assembly Registration Utility Name:WerFault, Title:Microsoft .NET Assembly Registration Utility Name:WerFault, Title:Microsoft .NET Assembly Registration Utility Name:WerFault, Title:Microsoft .NET Assembly Registration Utility Name:WerFault, Title:Microsoft .NET Assembly Registration Utility Name:WerFault, Title:Microsoft .NET Assembly Registration Utility Name:WerFault, Title:Microsoft .NET Assembly Registration Utility <|| WD Exclusion ||> Disabled <|| Binder ||> Disabled <|| Downloader ||> Disabled <|| Window Searcher ||> Disabled <|| Bot Killer ||> Disabled <|| Search And Upload ||> Disabled <|| Telegram Desktop ||> Not Installed <|| Pidgin ||> Not Installed <|| FileZilla ||> Not Installed <|| Discord Tokken ||> Not Installed <|| NordVPN ||> Not Installed <|| Outlook ||> Not Installed <|| FoxMail ||> Not Installed <|| Thunderbird ||> Not Installed <|| FireFox ||> Not Found <|| QQ Browser ||> Not Installed <|| Chromium Recovery ||> Not Installed or Not Found <|| Keylogger And Clipboard ||> Disabled

Extracted

Path

C:\Users\Admin\AppData\Local\79FE0CC911\Log.txt

Family

masslogger

Ransom Note

<|| v2.4.0.0 ||> User Name: Admin IP: 154.61.71.51 Location: United States Windows OS: Microsoft Windows 7 Ultimate 64bit Windows Serial Key: D4F6K-QK3RD-TMVMJ-BBMRX-3MBMV CPU: Intel Core Processor (Broadwell) GPU: Standard VGA Graphics Adapter AV: NA Screen Resolution: 1280x720 Current Time: 5/21/2022 1:06:12 AM MassLogger Started: 5/21/2022 1:05:37 AM Interval: 1 hour MassLogger Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe MassLogger Melt: false MassLogger Exit after delivery: false As Administrator: True Processes: Name:WerFault, Title:Microsoft .NET Assembly Registration Utility Name:WerFault, Title:Microsoft .NET Assembly Registration Utility Name:WerFault, Title:Microsoft .NET Assembly Registration Utility Name:WerFault, Title:Microsoft .NET Assembly Registration Utility Name:WerFault, Title:Microsoft .NET Assembly Registration Utility Name:WerFault, Title:Microsoft .NET Assembly Registration Utility Name:WerFault, Title:Microsoft .NET Assembly Registration Utility Name:WerFault, Title:Microsoft .NET Assembly Registration Utility Name:WerFault, Title:Microsoft .NET Assembly Registration Utility Name:WerFault, Title:Microsoft .NET Assembly Registration Utility Name:WerFault, Title:Microsoft .NET Assembly Registration Utility Name:WerFault, Title:Microsoft .NET Assembly Registration Utility <|| WD Exclusion ||> Disabled <|| Binder ||> Disabled <|| Downloader ||> Disabled <|| Window Searcher ||> Disabled <|| Bot Killer ||> Disabled <|| Search And Upload ||> Disabled <|| Telegram Desktop ||> Not Installed <|| Pidgin ||> Not Installed <|| FileZilla ||> Not Installed <|| Discord Tokken ||> Not Installed <|| NordVPN ||> Not Installed <|| Outlook ||> Not Installed <|| FoxMail ||> Not Installed <|| Thunderbird ||> Not Installed <|| FireFox ||> Not Found <|| QQ Browser ||> Not Installed <|| Chromium Recovery ||> Not Installed or Not Found <|| Keylogger And Clipboard ||> Disabled

Signatures

MassLogger
Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
stealer spyware masslogger

MassLogger Main Payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/820-59-0x0000000000400000-0x00000000004B8000-memory.dmp	family_masslogger

MassLogger log file 23 IoCs

Detects a log file produced by MassLogger.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\79FE0CC911\Log.txt	masslogger_log_file
C:\Users\Admin\AppData\Local\79FE0CC911\Log.txt	masslogger_log_file
C:\Users\Admin\AppData\Local\79FE0CC911\Log.txt	masslogger_log_file
C:\Users\Admin\AppData\Local\79FE0CC911\Log.txt	masslogger_log_file
C:\Users\Admin\AppData\Local\79FE0CC911\Log.txt	masslogger_log_file
C:\Users\Admin\AppData\Local\79FE0CC911\Log.txt	masslogger_log_file
C:\Users\Admin\AppData\Local\79FE0CC911\Log.txt	masslogger_log_file
C:\Users\Admin\AppData\Local\79FE0CC911\Log.txt	masslogger_log_file
C:\Users\Admin\AppData\Local\79FE0CC911\Log.txt	masslogger_log_file
C:\Users\Admin\AppData\Local\79FE0CC911\Log.txt	masslogger_log_file
C:\Users\Admin\AppData\Local\79FE0CC911\Log.txt	masslogger_log_file
C:\Users\Admin\AppData\Local\79FE0CC911\Log.txt	masslogger_log_file
C:\Users\Admin\AppData\Local\79FE0CC911\Log.txt	masslogger_log_file
C:\Users\Admin\AppData\Local\79FE0CC911\Log.txt	masslogger_log_file
C:\Users\Admin\AppData\Local\79FE0CC911\Log.txt	masslogger_log_file
C:\Users\Admin\AppData\Local\79FE0CC911\Log.txt	masslogger_log_file
C:\Users\Admin\AppData\Local\79FE0CC911\Log.txt	masslogger_log_file
C:\Users\Admin\AppData\Local\79FE0CC911\Log.txt	masslogger_log_file
C:\Users\Admin\AppData\Local\79FE0CC911\Log.txt	masslogger_log_file
C:\Users\Admin\AppData\Local\79FE0CC911\Log.txt	masslogger_log_file
C:\Users\Admin\AppData\Local\79FE0CC911\Log.txt	masslogger_log_file
C:\Users\Admin\AppData\Local\79FE0CC911\Log.txt	masslogger_log_file
C:\Users\Admin\AppData\Local\79FE0CC911\Log.txt	masslogger_log_file

Looks up external IP address via web service 19 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
74	api.ipify.org
87	api.ipify.org
98	api.ipify.org
11	api.ipify.org
27	api.ipify.org
58	api.ipify.org
48	api.ipify.org
112	api.ipify.org
115	api.ipify.org
21	api.ipify.org
66	api.ipify.org
107	api.ipify.org
59	api.ipify.org
84	api.ipify.org
101	api.ipify.org
102	api.ipify.org
12	api.ipify.org
37	api.ipify.org
46	api.ipify.org

Suspicious use of SetThreadContext 10 IoCs

Processes:

New_Order08042020.exeNew_Order08042020.exeNew_Order08042020.exeNew_Order08042020.exeNew_Order08042020.exeNew_Order08042020.exeNew_Order08042020.exeNew_Order08042020.exeNew_Order08042020.exeNew_Order08042020.exe

description	pid	process	target process
PID 1944 set thread context of 820	1944	New_Order08042020.exe	RegAsm.exe
PID 2044 set thread context of 980	2044	New_Order08042020.exe	RegAsm.exe
PID 1760 set thread context of 1836	1760	New_Order08042020.exe	RegAsm.exe
PID 1312 set thread context of 1672	1312	New_Order08042020.exe	RegAsm.exe
PID 1932 set thread context of 1456	1932	New_Order08042020.exe	RegAsm.exe
PID 1952 set thread context of 952	1952	New_Order08042020.exe	RegAsm.exe
PID 1616 set thread context of 996	1616	New_Order08042020.exe	RegAsm.exe
PID 1080 set thread context of 2040	1080	New_Order08042020.exe	RegAsm.exe
PID 1004 set thread context of 572	1004	New_Order08042020.exe	RegAsm.exe
PID 1428 set thread context of 1724	1428	New_Order08042020.exe	RegAsm.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 18 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
2488	1672	WerFault.exe	RegAsm.exe
2476	1836	WerFault.exe	RegAsm.exe
2824	820	WerFault.exe	RegAsm.exe
3048	2040	WerFault.exe	RegAsm.exe
3080	996	WerFault.exe	RegAsm.exe
3100	1724	WerFault.exe	RegAsm.exe
2404	952	WerFault.exe	RegAsm.exe
1556	572	WerFault.exe	RegAsm.exe
4324	2284	WerFault.exe	RegAsm.exe
4420	2620	WerFault.exe	RegAsm.exe
4408	3040	WerFault.exe	RegAsm.exe
4848	3056	WerFault.exe	RegAsm.exe
4180	2672	WerFault.exe	RegAsm.exe
4816	3660	WerFault.exe	RegAsm.exe
5032	3492	WerFault.exe	RegAsm.exe
4704	4040	WerFault.exe	RegAsm.exe
2096	3132	WerFault.exe	RegAsm.exe
5228	4264	WerFault.exe	RegAsm.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

New_Order08042020.exe

pid	process
1944	New_Order08042020.exe
1944	New_Order08042020.exe
1944	New_Order08042020.exe
1944	New_Order08042020.exe
1944	New_Order08042020.exe
1944	New_Order08042020.exe
1944	New_Order08042020.exe
1944	New_Order08042020.exe
1944	New_Order08042020.exe
1944	New_Order08042020.exe
1944	New_Order08042020.exe
1944	New_Order08042020.exe
1944	New_Order08042020.exe
1944	New_Order08042020.exe
1944	New_Order08042020.exe
1944	New_Order08042020.exe
1944	New_Order08042020.exe
1944	New_Order08042020.exe
1944	New_Order08042020.exe
1944	New_Order08042020.exe
1944	New_Order08042020.exe
1944	New_Order08042020.exe
1944	New_Order08042020.exe
1944	New_Order08042020.exe
1944	New_Order08042020.exe
1944	New_Order08042020.exe
1944	New_Order08042020.exe
1944	New_Order08042020.exe
1944	New_Order08042020.exe
1944	New_Order08042020.exe
1944	New_Order08042020.exe
1944	New_Order08042020.exe
1944	New_Order08042020.exe
1944	New_Order08042020.exe
1944	New_Order08042020.exe
1944	New_Order08042020.exe
1944	New_Order08042020.exe
1944	New_Order08042020.exe
1944	New_Order08042020.exe
1944	New_Order08042020.exe
1944	New_Order08042020.exe
1944	New_Order08042020.exe
1944	New_Order08042020.exe
1944	New_Order08042020.exe
1944	New_Order08042020.exe
1944	New_Order08042020.exe
1944	New_Order08042020.exe
1944	New_Order08042020.exe
1944	New_Order08042020.exe
1944	New_Order08042020.exe
1944	New_Order08042020.exe
1944	New_Order08042020.exe
1944	New_Order08042020.exe
1944	New_Order08042020.exe
1944	New_Order08042020.exe
1944	New_Order08042020.exe
1944	New_Order08042020.exe
1944	New_Order08042020.exe
1944	New_Order08042020.exe
1944	New_Order08042020.exe
1944	New_Order08042020.exe
1944	New_Order08042020.exe
1944	New_Order08042020.exe
1944	New_Order08042020.exe

Suspicious behavior: MapViewOfSection 10 IoCs

Processes:

pid	process
1944	New_Order08042020.exe
2044	New_Order08042020.exe
1760	New_Order08042020.exe
1312	New_Order08042020.exe
1932	New_Order08042020.exe
1952	New_Order08042020.exe
1616	New_Order08042020.exe
1080	New_Order08042020.exe
1004	New_Order08042020.exe
1428	New_Order08042020.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

Processes:

New_Order08042020.exeRegAsm.exeNew_Order08042020.exeRegAsm.exeNew_Order08042020.exeRegAsm.exeNew_Order08042020.exeRegAsm.exeNew_Order08042020.exeRegAsm.exeNew_Order08042020.exeRegAsm.exeNew_Order08042020.exeRegAsm.exeNew_Order08042020.exeRegAsm.exeNew_Order08042020.exeRegAsm.exeNew_Order08042020.exe

description	pid	process
Token: SeDebugPrivilege	1944	New_Order08042020.exe
Token: SeDebugPrivilege	820	RegAsm.exe
Token: SeDebugPrivilege	2044	New_Order08042020.exe
Token: SeDebugPrivilege	980	RegAsm.exe
Token: SeDebugPrivilege	1760	New_Order08042020.exe
Token: SeDebugPrivilege	1836	RegAsm.exe
Token: SeDebugPrivilege	1312	New_Order08042020.exe
Token: SeDebugPrivilege	1672	RegAsm.exe
Token: SeDebugPrivilege	1932	New_Order08042020.exe
Token: SeDebugPrivilege	1456	RegAsm.exe
Token: SeDebugPrivilege	1952	New_Order08042020.exe
Token: SeDebugPrivilege	952	RegAsm.exe
Token: SeDebugPrivilege	1616	New_Order08042020.exe
Token: SeDebugPrivilege	996	RegAsm.exe
Token: SeDebugPrivilege	1080	New_Order08042020.exe
Token: SeDebugPrivilege	2040	RegAsm.exe
Token: SeDebugPrivilege	1004	New_Order08042020.exe
Token: SeDebugPrivilege	572	RegAsm.exe
Token: SeDebugPrivilege	1428	New_Order08042020.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

New_Order08042020.exeNew_Order08042020.exeNew_Order08042020.exeNew_Order08042020.exeNew_Order08042020.exeNew_Order08042020.exe

description	pid	process	target process
PID 1944 wrote to memory of 820	1944	New_Order08042020.exe	RegAsm.exe
PID 1944 wrote to memory of 820	1944	New_Order08042020.exe	RegAsm.exe
PID 1944 wrote to memory of 820	1944	New_Order08042020.exe	RegAsm.exe
PID 1944 wrote to memory of 820	1944	New_Order08042020.exe	RegAsm.exe
PID 1944 wrote to memory of 820	1944	New_Order08042020.exe	RegAsm.exe
PID 1944 wrote to memory of 820	1944	New_Order08042020.exe	RegAsm.exe
PID 1944 wrote to memory of 820	1944	New_Order08042020.exe	RegAsm.exe
PID 1944 wrote to memory of 820	1944	New_Order08042020.exe	RegAsm.exe
PID 1944 wrote to memory of 2044	1944	New_Order08042020.exe	New_Order08042020.exe
PID 1944 wrote to memory of 2044	1944	New_Order08042020.exe	New_Order08042020.exe
PID 1944 wrote to memory of 2044	1944	New_Order08042020.exe	New_Order08042020.exe
PID 1944 wrote to memory of 2044	1944	New_Order08042020.exe	New_Order08042020.exe
PID 2044 wrote to memory of 980	2044	New_Order08042020.exe	RegAsm.exe
PID 2044 wrote to memory of 980	2044	New_Order08042020.exe	RegAsm.exe
PID 2044 wrote to memory of 980	2044	New_Order08042020.exe	RegAsm.exe
PID 2044 wrote to memory of 980	2044	New_Order08042020.exe	RegAsm.exe
PID 2044 wrote to memory of 980	2044	New_Order08042020.exe	RegAsm.exe
PID 2044 wrote to memory of 980	2044	New_Order08042020.exe	RegAsm.exe
PID 2044 wrote to memory of 980	2044	New_Order08042020.exe	RegAsm.exe
PID 2044 wrote to memory of 980	2044	New_Order08042020.exe	RegAsm.exe
PID 2044 wrote to memory of 1760	2044	New_Order08042020.exe	New_Order08042020.exe
PID 2044 wrote to memory of 1760	2044	New_Order08042020.exe	New_Order08042020.exe
PID 2044 wrote to memory of 1760	2044	New_Order08042020.exe	New_Order08042020.exe
PID 2044 wrote to memory of 1760	2044	New_Order08042020.exe	New_Order08042020.exe
PID 1760 wrote to memory of 1836	1760	New_Order08042020.exe	RegAsm.exe
PID 1760 wrote to memory of 1836	1760	New_Order08042020.exe	RegAsm.exe
PID 1760 wrote to memory of 1836	1760	New_Order08042020.exe	RegAsm.exe
PID 1760 wrote to memory of 1836	1760	New_Order08042020.exe	RegAsm.exe
PID 1760 wrote to memory of 1836	1760	New_Order08042020.exe	RegAsm.exe
PID 1760 wrote to memory of 1836	1760	New_Order08042020.exe	RegAsm.exe
PID 1760 wrote to memory of 1836	1760	New_Order08042020.exe	RegAsm.exe
PID 1760 wrote to memory of 1836	1760	New_Order08042020.exe	RegAsm.exe
PID 1760 wrote to memory of 1312	1760	New_Order08042020.exe	New_Order08042020.exe
PID 1760 wrote to memory of 1312	1760	New_Order08042020.exe	New_Order08042020.exe
PID 1760 wrote to memory of 1312	1760	New_Order08042020.exe	New_Order08042020.exe
PID 1760 wrote to memory of 1312	1760	New_Order08042020.exe	New_Order08042020.exe
PID 1312 wrote to memory of 1672	1312	New_Order08042020.exe	RegAsm.exe
PID 1312 wrote to memory of 1672	1312	New_Order08042020.exe	RegAsm.exe
PID 1312 wrote to memory of 1672	1312	New_Order08042020.exe	RegAsm.exe
PID 1312 wrote to memory of 1672	1312	New_Order08042020.exe	RegAsm.exe
PID 1312 wrote to memory of 1672	1312	New_Order08042020.exe	RegAsm.exe
PID 1312 wrote to memory of 1672	1312	New_Order08042020.exe	RegAsm.exe
PID 1312 wrote to memory of 1672	1312	New_Order08042020.exe	RegAsm.exe
PID 1312 wrote to memory of 1672	1312	New_Order08042020.exe	RegAsm.exe
PID 1312 wrote to memory of 1932	1312	New_Order08042020.exe	New_Order08042020.exe
PID 1312 wrote to memory of 1932	1312	New_Order08042020.exe	New_Order08042020.exe
PID 1312 wrote to memory of 1932	1312	New_Order08042020.exe	New_Order08042020.exe
PID 1312 wrote to memory of 1932	1312	New_Order08042020.exe	New_Order08042020.exe
PID 1932 wrote to memory of 1456	1932	New_Order08042020.exe	RegAsm.exe
PID 1932 wrote to memory of 1456	1932	New_Order08042020.exe	RegAsm.exe
PID 1932 wrote to memory of 1456	1932	New_Order08042020.exe	RegAsm.exe
PID 1932 wrote to memory of 1456	1932	New_Order08042020.exe	RegAsm.exe
PID 1932 wrote to memory of 1456	1932	New_Order08042020.exe	RegAsm.exe
PID 1932 wrote to memory of 1456	1932	New_Order08042020.exe	RegAsm.exe
PID 1932 wrote to memory of 1456	1932	New_Order08042020.exe	RegAsm.exe
PID 1932 wrote to memory of 1456	1932	New_Order08042020.exe	RegAsm.exe
PID 1932 wrote to memory of 1952	1932	New_Order08042020.exe	New_Order08042020.exe
PID 1932 wrote to memory of 1952	1932	New_Order08042020.exe	New_Order08042020.exe
PID 1932 wrote to memory of 1952	1932	New_Order08042020.exe	New_Order08042020.exe
PID 1932 wrote to memory of 1952	1932	New_Order08042020.exe	New_Order08042020.exe
PID 1952 wrote to memory of 952	1952	New_Order08042020.exe	RegAsm.exe
PID 1952 wrote to memory of 952	1952	New_Order08042020.exe	RegAsm.exe
PID 1952 wrote to memory of 952	1952	New_Order08042020.exe	RegAsm.exe
PID 1952 wrote to memory of 952	1952	New_Order08042020.exe	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe
"C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1944
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:820
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 820 -s 1392
    3⤵
    - Program crash
    PID:2824
- C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe
  "C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2044
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:980
- - C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe
    "C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1760
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1836
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1836 -s 1392
        5⤵
        Program crash
        
        PID:2476
  - - C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe
      "C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe"
      4⤵
      Suspicious use of SetThreadContext
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1312
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1672
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1672 -s 1392
        6⤵
        Program crash
        
        PID:2488
    - - C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe"
        5⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1932
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1456
      - C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe"
        6⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1952
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:952
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 952 -s 1392
        8⤵
        Program crash
        
        PID:2404
        
        C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe"
        7⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:1616
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        8⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:996
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 996 -s 1396
        9⤵
        Program crash
        
        PID:3080
        
        C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe"
        8⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:1080
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        9⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2040
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2040 -s 1392
        10⤵
        Program crash
        
        PID:3048
        
        C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe"
        9⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:1004
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        10⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:572
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 572 -s 1396
        11⤵
        Program crash
        
        PID:1556
        
        C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe"
        10⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:1428
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        11⤵
        
        PID:1724
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1724 -s 1396
        12⤵
        Program crash
        
        PID:3100
        
        C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe"
        11⤵
        
        PID:1036
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        12⤵
        
        PID:1924
        
        C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe"
        12⤵
        
        PID:1392
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        13⤵
        
        PID:2064
        
        C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe"
        13⤵
        
        PID:2140
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        14⤵
        
        PID:2176
        
        C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe"
        14⤵
        
        PID:2244
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        15⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2284 -s 1440
        16⤵
        Program crash
        
        PID:4324
        
        C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe"
        15⤵
        
        PID:2352
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        16⤵
        
        PID:2392
        
        C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe"
        16⤵
        
        PID:2460
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        17⤵
        
        PID:2512
        
        C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe"
        17⤵
        
        PID:2576
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        18⤵
        
        PID:2620
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2620 -s 1244
        19⤵
        Program crash
        
        PID:4420
        
        C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe"
        18⤵
        
        PID:2692
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        19⤵
        
        PID:2828
        
        C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe"
        19⤵
        
        PID:2908
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        20⤵
        
        PID:2948
        
        C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe"
        20⤵
        
        PID:2988
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        21⤵
        
        PID:3040
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3040 -s 1244
        22⤵
        Program crash
        
        PID:4408
        
        C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe"
        21⤵
        
        PID:1268
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        22⤵
        
        PID:1664
        
        C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe"
        22⤵
        
        PID:428
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        23⤵
        
        PID:2264
        
        C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe"
        23⤵
        
        PID:2632
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        24⤵
        
        PID:2872
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        24⤵
        
        PID:2820
        
        C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe"
        24⤵
        
        PID:2996
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        25⤵
        
        PID:3056
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3056 -s 1436
        26⤵
        Program crash
        
        PID:4848
        
        C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe"
        25⤵
        
        PID:2548
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        26⤵
        
        PID:1472
        
        C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe"
        26⤵
        
        PID:3092
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        27⤵
        
        PID:3188
        
        C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe"
        27⤵
        
        PID:3336
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        28⤵
        
        PID:3368
        
        C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe"
        28⤵
        
        PID:3456
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        29⤵
        
        PID:3492
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3492 -s 1428
        30⤵
        Program crash
        
        PID:5032
        
        C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe"
        29⤵
        
        PID:3616
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        30⤵
        
        PID:3660
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3660 -s 1396
        31⤵
        Program crash
        
        PID:4816
        
        C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe"
        30⤵
        
        PID:3736
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        31⤵
        
        PID:3804
        
        C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe"
        31⤵
        
        PID:3876
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        32⤵
        
        PID:3920
        
        C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe"
        32⤵
        
        PID:3988
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        33⤵
        
        PID:4040
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4040 -s 1388
        34⤵
        Program crash
        
        PID:4704
        
        C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe"
        33⤵
        
        PID:2684
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        34⤵
        
        PID:3132
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3132 -s 1428
        35⤵
        Program crash
        
        PID:2096
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        34⤵
        
        PID:3140
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        34⤵
        
        PID:3076
        
        C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe"
        34⤵
        
        PID:3284
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        35⤵
        
        PID:2672
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2672 -s 1388
        36⤵
        Program crash
        
        PID:4180
        
        C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe"
        35⤵
        
        PID:3124
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        36⤵
        
        PID:3348
        
        C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe"
        36⤵
        
        PID:2756
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        37⤵
        
        PID:3648
        
        C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe"
        37⤵
        
        PID:3916
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        38⤵
        
        PID:3868
        
        C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe"
        38⤵
        
        PID:3424
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        39⤵
        
        PID:4108
        
        C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe"
        39⤵
        
        PID:4220
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        40⤵
        
        PID:4264
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4264 -s 1412
        41⤵
        Program crash
        
        PID:5228
        
        C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe"
        40⤵
        
        PID:4376
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        41⤵
        
        PID:4476
        
        C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe"
        41⤵
        
        PID:4696
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        42⤵
        
        PID:4784
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        42⤵
        
        PID:4776
        
        C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe"
        42⤵
        
        PID:4904
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        43⤵
        
        PID:4952
        
        C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe"
        43⤵
        
        PID:4996
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        44⤵
        
        PID:5036
        
        C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe"
        44⤵
        
        PID:5104
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        45⤵
        
        PID:3460
        
        C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe"
        45⤵
        
        PID:3672
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        46⤵
        
        PID:3748
        
        C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe"
        46⤵
        
        PID:3176
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        47⤵
        
        PID:3444
        
        C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe"
        47⤵
        
        PID:3912
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        48⤵
        
        PID:4428
        
        C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe"
        48⤵
        
        PID:4560
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        49⤵
        
        PID:4764
        
        C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe"
        49⤵
        
        PID:4808
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        50⤵
        
        PID:4384
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        50⤵
        
        PID:4776
        
        C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe"
        50⤵
        
        PID:5012
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        51⤵
        
        PID:4724
        
        C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe"
        51⤵
        
        PID:3052
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        52⤵
        
        PID:3980
        
        C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe"
        52⤵
        
        PID:3784
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        53⤵
        
        PID:4336
        
        C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe"
        53⤵
        
        PID:4716
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        54⤵
        
        PID:3128
        
        C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe"
        54⤵
        
        PID:5416
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        55⤵
        
        PID:5488
        
        C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe"
        55⤵
        
        PID:5560
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        56⤵
        
        PID:5628
        
        C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe"
        56⤵
        
        PID:5676
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        57⤵
        
        PID:5708
        
        C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe"
        57⤵
        
        PID:5768
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        58⤵
        
        PID:5812
        
        C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe"
        58⤵
        
        PID:5876
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        59⤵
        
        PID:5916
        
        C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe"
        59⤵
        
        PID:5972
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        60⤵
        
        PID:6020
        
        C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe"
        60⤵
        
        PID:6068
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        61⤵
        
        PID:6116
        
        C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe"
        61⤵
        
        PID:2628
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        62⤵
        
        PID:5136
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        62⤵
        
        PID:4844
        
        C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe"
        62⤵
        
        PID:5060
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        63⤵
        
        PID:2800
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        63⤵
        
        PID:5284
        
        C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe"
        63⤵
        
        PID:5372
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        64⤵
        
        PID:3820
        
        C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe"
        64⤵
        
        PID:5532
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        65⤵
        
        PID:5556
        
        C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe"
        65⤵
        
        PID:5584
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        66⤵
        
        PID:5700
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        66⤵
        
        PID:5688
        
        C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe"
        66⤵
        
        PID:5780
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        67⤵
        
        PID:6056
        
        C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe"
        67⤵
        
        PID:6140
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        68⤵
        
        PID:6088
        
        C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe"
        68⤵
        
        PID:4172

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\79FE0CC911\Log.txt

Filesize
1KB

MD5
fa11b5132430d1413694010534058f3b

SHA1
14512b97079cdfd3caa8f14ed6fb3c401cbcd470

SHA256
5675a4506893c2e3fa057698ce4ab2c24a7c7000f6c75848da75ef778d8f22f0

SHA512
1d696d1490ac5c860a3bd4c0c3ee4ff7fd34f004bac9b8d183d4c5dfd9997dce2f96822b240a34a0a06de7109b4ba66e7b81902e80e056ec9926f2931b0cdbef

Download Submit
C:\Users\Admin\AppData\Local\79FE0CC911\Log.txt

Filesize
1KB

MD5
fa11b5132430d1413694010534058f3b

SHA1
14512b97079cdfd3caa8f14ed6fb3c401cbcd470

SHA256
5675a4506893c2e3fa057698ce4ab2c24a7c7000f6c75848da75ef778d8f22f0

SHA512
1d696d1490ac5c860a3bd4c0c3ee4ff7fd34f004bac9b8d183d4c5dfd9997dce2f96822b240a34a0a06de7109b4ba66e7b81902e80e056ec9926f2931b0cdbef

Download Submit
C:\Users\Admin\AppData\Local\79FE0CC911\Log.txt

Filesize
1KB

MD5
c7d267015c2b68fe6e115ff77d7f6b8d

SHA1
66bd87c70585f73f875ae4ad39062cb8b3540b41

SHA256
fc058c65122da4f6e855e72b1de92b9cff968c044b47d318a4e9e2b67726aa09

SHA512
40da14196a46899bc3342de917c5fb287efe20ce14fefc0e935402472a6bf9e69e45f03b91a5406116f86ad3630028b57cda8487b791805e7fbfd911d7499d2b

Download Submit
C:\Users\Admin\AppData\Local\79FE0CC911\Log.txt

Filesize
1KB

MD5
c7d267015c2b68fe6e115ff77d7f6b8d

SHA1
66bd87c70585f73f875ae4ad39062cb8b3540b41

SHA256
fc058c65122da4f6e855e72b1de92b9cff968c044b47d318a4e9e2b67726aa09

SHA512
40da14196a46899bc3342de917c5fb287efe20ce14fefc0e935402472a6bf9e69e45f03b91a5406116f86ad3630028b57cda8487b791805e7fbfd911d7499d2b

Download Submit
C:\Users\Admin\AppData\Local\79FE0CC911\Log.txt

Filesize
1KB

MD5
525f655005203259b4a4193c491e6124

SHA1
7235329e73c8a39efde5d91d8c8ec773be7ba3e5

SHA256
ae49af26904341f29170c829017f0c186aab7925e8c736441317feb0b2423629

SHA512
4d78ef6c6204cd812fb650951ce0544b2e64ee6927c1ad3a7220a161278a67968026a291e96d2c89dabcddf59b1c12be779bc9ba76f4d50e84ea54359764472a

Download Submit
C:\Users\Admin\AppData\Local\79FE0CC911\Log.txt

Filesize
1KB

MD5
525f655005203259b4a4193c491e6124

SHA1
7235329e73c8a39efde5d91d8c8ec773be7ba3e5

SHA256
ae49af26904341f29170c829017f0c186aab7925e8c736441317feb0b2423629

SHA512
4d78ef6c6204cd812fb650951ce0544b2e64ee6927c1ad3a7220a161278a67968026a291e96d2c89dabcddf59b1c12be779bc9ba76f4d50e84ea54359764472a

Download Submit
C:\Users\Admin\AppData\Local\79FE0CC911\Log.txt

Filesize
1KB

MD5
525f655005203259b4a4193c491e6124

SHA1
7235329e73c8a39efde5d91d8c8ec773be7ba3e5

SHA256
ae49af26904341f29170c829017f0c186aab7925e8c736441317feb0b2423629

SHA512
4d78ef6c6204cd812fb650951ce0544b2e64ee6927c1ad3a7220a161278a67968026a291e96d2c89dabcddf59b1c12be779bc9ba76f4d50e84ea54359764472a

Download Submit
C:\Users\Admin\AppData\Local\79FE0CC911\Log.txt

Filesize
1KB

MD5
cf3b89a5a0c4a0a92e626d8cc18cde18

SHA1
361a84c973078a7b5c8ff5e498701f68cdd1480a

SHA256
e3a51a5287e2bc7feb1a6a1286e84fd485b0b1de2727e6740a4fe90c884c3f41

SHA512
e3aa7d133967834f5acdec5ee331313a1f303eec61a7efc4616aae67dabd617ddc0c64221a382db62cc4986306c2729130f69927e04ba353a3c6c0ad7fcff29f

Download Submit
C:\Users\Admin\AppData\Local\79FE0CC911\Log.txt

Filesize
1KB

MD5
cf3b89a5a0c4a0a92e626d8cc18cde18

SHA1
361a84c973078a7b5c8ff5e498701f68cdd1480a

SHA256
e3a51a5287e2bc7feb1a6a1286e84fd485b0b1de2727e6740a4fe90c884c3f41

SHA512
e3aa7d133967834f5acdec5ee331313a1f303eec61a7efc4616aae67dabd617ddc0c64221a382db62cc4986306c2729130f69927e04ba353a3c6c0ad7fcff29f

Download Submit
C:\Users\Admin\AppData\Local\79FE0CC911\Log.txt

Filesize
1KB

MD5
e4d6554a4839e0fef4460fcff86fab7d

SHA1
3b53bcf68f94811d5b3fb44ba9f4ce7f6828a55e

SHA256
1eadd53d417bab99faf96b36ca2f9c81ed252dbeda6934563c3ef6e7ca445d77

SHA512
5c92411783d22d29876b665cd196e5d13ae65397f9196592478da7dfe1601b1aedebe79554ca7d5d47f40edaf7324bd88444e11ae92527cd9796a5f395e29db9

Download Submit
C:\Users\Admin\AppData\Local\79FE0CC911\Log.txt

Filesize
1KB

MD5
10e78ef109db80401dc571c801bbf6fc

SHA1
47df182e05a6d1224f1c71bc2816a734befc0c53

SHA256
efd6bccc9461c1c11e89d18dc4c8cd00d07843a03c76033eb21ecea5565ae4ae

SHA512
ce33626f8547b8f4a814a0f84f97c1c5a61911bbb5b33bd83f846f72a6e95d7da2f255f5b358c0bf1cfaf7af6de43992f2fe74068e5867e4885e98365a503d02

Download Submit
C:\Users\Admin\AppData\Local\79FE0CC911\Log.txt

Filesize
1KB

MD5
e4d6554a4839e0fef4460fcff86fab7d

SHA1
3b53bcf68f94811d5b3fb44ba9f4ce7f6828a55e

SHA256
1eadd53d417bab99faf96b36ca2f9c81ed252dbeda6934563c3ef6e7ca445d77

SHA512
5c92411783d22d29876b665cd196e5d13ae65397f9196592478da7dfe1601b1aedebe79554ca7d5d47f40edaf7324bd88444e11ae92527cd9796a5f395e29db9

Download Submit
C:\Users\Admin\AppData\Local\79FE0CC911\Log.txt

Filesize
1KB

MD5
e4d6554a4839e0fef4460fcff86fab7d

SHA1
3b53bcf68f94811d5b3fb44ba9f4ce7f6828a55e

SHA256
1eadd53d417bab99faf96b36ca2f9c81ed252dbeda6934563c3ef6e7ca445d77

SHA512
5c92411783d22d29876b665cd196e5d13ae65397f9196592478da7dfe1601b1aedebe79554ca7d5d47f40edaf7324bd88444e11ae92527cd9796a5f395e29db9

Download Submit
C:\Users\Admin\AppData\Local\79FE0CC911\Log.txt

Filesize
1KB

MD5
cf3b89a5a0c4a0a92e626d8cc18cde18

SHA1
361a84c973078a7b5c8ff5e498701f68cdd1480a

SHA256
e3a51a5287e2bc7feb1a6a1286e84fd485b0b1de2727e6740a4fe90c884c3f41

SHA512
e3aa7d133967834f5acdec5ee331313a1f303eec61a7efc4616aae67dabd617ddc0c64221a382db62cc4986306c2729130f69927e04ba353a3c6c0ad7fcff29f

Download Submit
C:\Users\Admin\AppData\Local\79FE0CC911\Log.txt

Filesize
1KB

MD5
6b090e063700bdaecd836575f65b24cb

SHA1
30a19ea34ccdd48ce6878d09172df3eef5b49f9c

SHA256
87b43e73ac17d2f96feb965f422896aef44ae8054d161b2600dc08796dfed46c

SHA512
c7b6bbe4a835c896ee0003f5b4bf55b6db17cdcec79c736d583c5462d777952681a62177cc110e9da85f9f70f4cc675c85c4154f4e2f68abcb9ef0a92df9c74d

Download Submit
C:\Users\Admin\AppData\Local\79FE0CC911\Log.txt

Filesize
1KB

MD5
6b090e063700bdaecd836575f65b24cb

SHA1
30a19ea34ccdd48ce6878d09172df3eef5b49f9c

SHA256
87b43e73ac17d2f96feb965f422896aef44ae8054d161b2600dc08796dfed46c

SHA512
c7b6bbe4a835c896ee0003f5b4bf55b6db17cdcec79c736d583c5462d777952681a62177cc110e9da85f9f70f4cc675c85c4154f4e2f68abcb9ef0a92df9c74d

Download Submit
C:\Users\Admin\AppData\Local\79FE0CC911\Log.txt

Filesize
1KB

MD5
534a0c773d7847112471e200850b35e8

SHA1
4ade70bef6d9125b7a0129323d723bc204785c1c

SHA256
b81117ff93fac94409c4cddcc011e1a086c7cdffb413b618d951ce46895d451f

SHA512
0c06ebcf35f5f3f42a86be2fd80e4382fa39588fe2749078772562a096991cf7e21b2c1d588d2092521bde24ddca140e1fae9adaf8c1a752bb3316c9737a97e0

Download Submit
C:\Users\Admin\AppData\Local\79FE0CC911\Log.txt

Filesize
1KB

MD5
21032851b23c15a3cb046e7aba3046bb

SHA1
e8422a8f41435a91020c53a8e3f0ba4260cb03c1

SHA256
1b8641f218389f61ae2050ce8e4be3f31d546a4c055e5d725211368900ed2a06

SHA512
ff6b235b23cf3e3b6fc8f7ab8c4f4b74ca9987c47d1b36b30b8e1c9b61d7c70f6bac2c722af3fd6505545ba88d75f46b2dc3bd75259d09ce2f0d6b94929a5526

Download Submit
C:\Users\Admin\AppData\Local\79FE0CC911\Log.txt

Filesize
1KB

MD5
21032851b23c15a3cb046e7aba3046bb

SHA1
e8422a8f41435a91020c53a8e3f0ba4260cb03c1

SHA256
1b8641f218389f61ae2050ce8e4be3f31d546a4c055e5d725211368900ed2a06

SHA512
ff6b235b23cf3e3b6fc8f7ab8c4f4b74ca9987c47d1b36b30b8e1c9b61d7c70f6bac2c722af3fd6505545ba88d75f46b2dc3bd75259d09ce2f0d6b94929a5526

Download Submit
C:\Users\Admin\AppData\Local\79FE0CC911\Log.txt

Filesize
1KB

MD5
ad9ece825f7ca961aeb36b40331b5b1d

SHA1
eba21cd646a14d4fb8f2a0c67c0eed34e115128a

SHA256
502f0c05e175e47273793700f97906b06402e61d1b3198d644972d9e34714594

SHA512
0cbffb4ed8891dec837bbbb47f9be6f3fd0cc0e7ec81ffa7a47702efda2d459635668f5f3df109a4589ed1710407ce89fba4da25db12a0893123502cd6899cf0

Download Submit
C:\Users\Admin\AppData\Local\79FE0CC911\Log.txt

Filesize
2KB

MD5
6c9a978342a22f5f6f579c9623da34d7

SHA1
fc3e557851c74879b40edc4e3fa26590b078e7fc

SHA256
aca5b4b5a5a20032fa17193deb6cf35cf5a4560e71559ab507b99af21a0aac8d

SHA512
8582518b025a65e5513f62fbe50a853aad664ad0c31f3d3a6f929c1d47ced18625bdb82b224fd3f727c0a299b7a0c4908730f1a86782de35dfe913254b4df6ba

Download Submit
C:\Users\Admin\AppData\Local\79FE0CC911\Log.txt

Filesize
2KB

MD5
6c9a978342a22f5f6f579c9623da34d7

SHA1
fc3e557851c74879b40edc4e3fa26590b078e7fc

SHA256
aca5b4b5a5a20032fa17193deb6cf35cf5a4560e71559ab507b99af21a0aac8d

SHA512
8582518b025a65e5513f62fbe50a853aad664ad0c31f3d3a6f929c1d47ced18625bdb82b224fd3f727c0a299b7a0c4908730f1a86782de35dfe913254b4df6ba

Download Submit
C:\Users\Admin\AppData\Local\79FE0CC911\Log.txt

Filesize
2KB

MD5
6c9a978342a22f5f6f579c9623da34d7

SHA1
fc3e557851c74879b40edc4e3fa26590b078e7fc

SHA256
aca5b4b5a5a20032fa17193deb6cf35cf5a4560e71559ab507b99af21a0aac8d

SHA512
8582518b025a65e5513f62fbe50a853aad664ad0c31f3d3a6f929c1d47ced18625bdb82b224fd3f727c0a299b7a0c4908730f1a86782de35dfe913254b4df6ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin_United States_79FE0CC911_05-21-2022 1.5.11.zip

Filesize
1KB

MD5
fdc618b5dd5bfda43e8d9cdf1ed9ea45

SHA1
1cfa08e6c96c6071dbbc6fb88455a9f21ce5910d

SHA256
2a7a13f7e464a43d0bb185a34df79d072a3ecf1935be76d6321e20d61589a128

SHA512
c6d454a1c9a222f2c5c44d4da4ddb083e8c74d9bf2d36a98204e20c1493961cbb1e31385776e538a3b07f278f3600ca9f4d9d4e92573fd79b5260d094122982c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin_United States_79FE0CC911_05-21-2022 1.5.11.zip

Filesize
1KB

MD5
080585862b8bfe95edac5221addafa25

SHA1
5f899d5fdf0c77133503b083ef265a021668dc4c

SHA256
e817a2a611b6e29a6c06b913e2109bbd0132252ec2dcb8a3594ff1b8734f542c

SHA512
68a7f45bf4bbc7c2c4b3b8f1abf3bc7a29b68dc403fa10e7b1cb8f25568ad081fd6c349992a96a5580eed97869e08af582311a10488b12472d7acc9249f3068a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin_United States_79FE0CC911_05-21-2022 1.5.21.zip

Filesize
1KB

MD5
20996d515d774ae7de739d7d8e8454ed

SHA1
7a9eef3ea0dc7b8fb21455783a97ff0eac5d4aab

SHA256
6d147ab2fcf8edec212aaee550a3dc243bf81b89da513077a1f90b17bc72261c

SHA512
ba2fdd69b2963c3d177fbfa20d51613e6807c7d9b7a53d3edc73d2774ecb70cf4d7b3ba3b365826be49a1d5e2472db063c5941a3116d1978c2c3bff2985f1d93

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin_United States_79FE0CC911_05-21-2022 1.5.21.zip

Filesize
1KB

MD5
6b12af87da1da94cd02ca45d15d6756f

SHA1
37537dabad51be05b79653f61a0891c35ee62533

SHA256
4b6365650f6dc59f86433cef56011f0483009a8e1494d5e55af3f731caeb361f

SHA512
ac9a27984d60190ecbe5c7e9761d4cfed08ad7776f25a3cb30a8f2018bbfdcdc1e132bfdb8be939898e4d3ffafdd42207e692b286ce45badfb3c6faf6786f854

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin_United States_79FE0CC911_05-21-2022 1.5.38.zip

Filesize
1KB

MD5
6e0fd97a964acece5b637ee70c891eb1

SHA1
70e048cd936b02b5a393e0c74c9b20e926ecc13f

SHA256
43904cce7edfa0e6abdcd5a9ab08d1a13acdc69d2c5a20c40a80cf64128988c0

SHA512
4105bb54fb1e8af70d722868bb1beaf61d20d7dbb35127c64c15ab801e5ea4c0f8d169c681a21cf64e1abc0a725dd9cddcce935e4455b3208f6f844c6837d1e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin_United States_79FE0CC911_05-21-2022 1.5.38.zip

Filesize
1KB

MD5
f62a0296e6afbf5c3934571c693e3fe5

SHA1
2a42a58e1102e51dfdaa85234c7f468aeb838c20

SHA256
27a1d034c3901333ef5bf2f6f19c2fcd40a13edf754ccca07032c0e2efa0bd75

SHA512
9a776cb6a407298df9bad251efa47e5ce363eae319c3edd3fbdd07dedaee7d3b3d440852704e8fc27203791a1e51af82633cbaebb8a987abbd3584f6be5c58ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin_United States_79FE0CC911_05-21-2022 1.5.39.zip

Filesize
1KB

MD5
aca1c686eda533867b550c42975f8b1c

SHA1
8523a884699c3feab374fa05808f3359d096b53d

SHA256
2c8d798a30de8c5127b34107066068796a9c78383a9a30b0c37d8d4decd48b03

SHA512
26b92ace56a9d39167587e575091762c71fcc23be179a2d52c7ca7e6062939c316cc4ff8aa99bd780bd4510754631c02f0658881e542afb9a3d47b6ed49c65a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin_United States_79FE0CC911_05-21-2022 1.5.39.zip

Filesize
1KB

MD5
2b9c80a613057a2bbe811a8882425ed1

SHA1
292b0c3e52a5011a511b8d21afe990198baa92ff

SHA256
ee1d54a7a8eb9676eb0236f4426c7cc86f0c315e5c7d270780dbf8a78ebeca9a

SHA512
761dd7d9331d2acf96baa29fb96e7ae12cef8869443959439b9e67f78be4af64536d6575624fc913355f26338d0acb46bd32c44c09f7d49336977033d6efb46e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin_United States_79FE0CC911_05-21-2022 1.5.39.zip

Filesize
1KB

MD5
c93a22195187851ab3b1fa4680d66f26

SHA1
8c5dce27b727054888fd9ba3ba08b539c2c39236

SHA256
edf3d09fc41fe0fcbc20522d6c56123dcc7c53b0af2e21dcb561e1b1efc8e140

SHA512
a3c371f1dc10d80eb423e3079b190d70a4f1ae882124e0384b6afa3471b7d5af2e1598828096c7814a32e33c3d9503774a97b59f56bcf9121c036c827c354afa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin_United States_79FE0CC911_05-21-2022 1.5.39.zip

Filesize
1KB

MD5
2b9c80a613057a2bbe811a8882425ed1

SHA1
292b0c3e52a5011a511b8d21afe990198baa92ff

SHA256
ee1d54a7a8eb9676eb0236f4426c7cc86f0c315e5c7d270780dbf8a78ebeca9a

SHA512
761dd7d9331d2acf96baa29fb96e7ae12cef8869443959439b9e67f78be4af64536d6575624fc913355f26338d0acb46bd32c44c09f7d49336977033d6efb46e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin_United States_79FE0CC911_05-21-2022 1.5.47.zip

Filesize
1KB

MD5
fb78e82a6053b8784761f7910a7c00fd

SHA1
81ead2fc842765ff7ed8343dd6edd2b0203d2e61

SHA256
62d9464966d54e8e13386a64d2fa101b18815feeeb58f97baecd3b32c8e67e57

SHA512
d10debc36d25a39cbf0f0ee513092e44d60a2cff376d68ab64bc075d4337cbe59635bee12cd6e43bd7f7470e97b3a9c6fa75bda80135e14dc3f95e9099760dfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin_United States_79FE0CC911_05-21-2022 1.5.47.zip

Filesize
1KB

MD5
1a29080e7001a605ba9a18a04258a41f

SHA1
8b7bd9e289fe544cbf73872e15b2d56e68048b98

SHA256
84f7b6b6f0f3204c506f609e8504d15741ee5962b1edda25a2a4d99965a21d15

SHA512
2590b97a99cb08817e14ee21cac38c3c66f243be831f161d572f56919b0d75e7eb6c96799657bfbe640e3a5e37efa6285df242883a6ede5524e38e7652ff988a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin_United States_79FE0CC911_05-21-2022 1.6.15.zip

Filesize
1KB

MD5
c14fbeb0e5ce17fd0512e5a66b648bef

SHA1
d53b8be8a832b7a165cd949ef47e832f36eafa83

SHA256
1f97efa9c902f8844c93e203e6e048fbac32fdf2847a4a692c7f3eb85d345578

SHA512
53e9c1783430023f0c131ed162e502739b54b58c19b7ee5d0577ea73158f5ee804e0644edc8bb326e8a2d78cbc4dd1df0682e67afb4280750022a81bdd0d641e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin_United States_79FE0CC911_05-21-2022 1.6.15.zip

Filesize
1KB

MD5
edf002ff679e3530af5289a9432f7ad2

SHA1
b3977a02bbf3195c0d69a02d2012d1f7011845a8

SHA256
fd969eeb8da698a67bd06c8428c8f4ee547dcced32efa1f047814f01b3af7ff4

SHA512
ebb233be465ed86c7ddc59acb61401ba989d0f1e3887cf20c8b5dbb72eaf611dae637d87dc338fffbc2dc1b2b96b7b961ebbd1390bd24e83f419d3f7290763a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin_United States_79FE0CC911_05-21-2022 1.6.15.zip

Filesize
1KB

MD5
e0c9ba7285aa65966ed8f8473c98397b

SHA1
7e647ef3bc34190aca7e2441604f291579bddbae

SHA256
3b590a51bc1dafa2deb41b18142445a6c459e45ee86cf6de744bfcdc3c744cd3

SHA512
e134a96958d86bbb2f57ea1a6cf24e13b73d2947e9f28a37e9021e43b955e3b5b9292204c70538341409e213fcf931e020f204d5e18f751ccb7b4d5e78e73e15

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin_United States_79FE0CC911_05-21-2022 1.6.24.zip

Filesize
1KB

MD5
b1e42d2d5b68fafd0af7bf5b8e2f07e2

SHA1
d22ef915dc5b91c4f5ed4002bc965a79461579a0

SHA256
16356890ea0c0e680857108c60a91ce7754acffde02ab4515ab6c214ca1c2d57

SHA512
e51bc36259d36eb7a05eaab0d6d1ed3391069fa0249a1855f4fda732c5a9585278c7bea31e6ee047f3a7da7f7ee493c1acb8faece9e039ed206ffe34d393f69f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin_United States_79FE0CC911_05-21-2022 1.6.24.zip

Filesize
1KB

MD5
1ad7b759c1ad769e710caf8c1261c201

SHA1
f07296eb6b6bf5482221da22010bf5c3b43a5981

SHA256
2946140b60a09eb8f0cb3e32441bbdf5256b9ca8ef5790e24ded93dbaad0bf77

SHA512
2c2a0c195ae27f157853605bf2fe0a3363a33a40adf2f918326f64902aac6834a5afea0fb1dadd669460fd76a8e9e93452f1a2137001c92dca0f4714ee444a19

Download Submit
memory/428-142-0x0000000000000000-mapping.dmp

Download
memory/572-92-0x00000000004B342E-mapping.dmp

Download
memory/572-176-0x0000000004D95000-0x0000000004DA6000-memory.dmp

Filesize
68KB

Download
memory/820-150-0x00000000010F5000-0x0000000001106000-memory.dmp

Filesize
68KB

Download
memory/820-57-0x00000000004B342E-mapping.dmp

Download
memory/820-59-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/820-61-0x0000000000990000-0x0000000000A08000-memory.dmp

Filesize
480KB

Download
memory/952-80-0x00000000004B342E-mapping.dmp

Download
memory/952-174-0x0000000000800000-0x0000000000840000-memory.dmp

Filesize
256KB

Download
memory/980-64-0x00000000004B342E-mapping.dmp

Download
memory/980-151-0x0000000004E05000-0x0000000004E16000-memory.dmp

Filesize
68KB

Download
memory/996-84-0x00000000004B342E-mapping.dmp

Download
memory/996-168-0x0000000000F25000-0x0000000000F36000-memory.dmp

Filesize
68KB

Download
memory/1004-90-0x0000000000000000-mapping.dmp

Download
memory/1036-98-0x0000000000000000-mapping.dmp

Download
memory/1080-86-0x0000000000000000-mapping.dmp

Download
memory/1268-138-0x0000000000000000-mapping.dmp

Download
memory/1312-70-0x0000000000000000-mapping.dmp

Download
memory/1392-102-0x0000000000000000-mapping.dmp

Download
memory/1428-94-0x0000000000000000-mapping.dmp

Download
memory/1456-76-0x00000000004B342E-mapping.dmp

Download
memory/1456-147-0x0000000004E25000-0x0000000004E36000-memory.dmp

Filesize
68KB

Download
memory/1472-164-0x00000000004B342E-mapping.dmp

Download
memory/1472-251-0x0000000004D85000-0x0000000004D96000-memory.dmp

Filesize
68KB

Download
memory/1556-172-0x0000000000000000-mapping.dmp

Download
memory/1616-82-0x0000000000000000-mapping.dmp

Download
memory/1664-224-0x0000000004E25000-0x0000000004E36000-memory.dmp

Filesize
68KB

Download
memory/1664-140-0x00000000004B342E-mapping.dmp

Download
memory/1672-72-0x00000000004B342E-mapping.dmp

Download
memory/1672-149-0x0000000004F25000-0x0000000004F36000-memory.dmp

Filesize
68KB

Download
memory/1724-96-0x00000000004B342E-mapping.dmp

Download
memory/1724-170-0x0000000001265000-0x0000000001276000-memory.dmp

Filesize
68KB

Download
memory/1760-66-0x0000000000000000-mapping.dmp

Download
memory/1836-68-0x00000000004B342E-mapping.dmp

Download
memory/1836-148-0x00000000011E5000-0x00000000011F6000-memory.dmp

Filesize
68KB

Download
memory/1924-195-0x0000000001245000-0x0000000001256000-memory.dmp

Filesize
68KB

Download
memory/1924-100-0x00000000004B342E-mapping.dmp

Download
memory/1932-74-0x0000000000000000-mapping.dmp

Download
memory/1944-56-0x00000000753C1000-0x00000000753C3000-memory.dmp

Filesize
8KB

Download
memory/1944-55-0x0000000000B30000-0x0000000000BF0000-memory.dmp

Filesize
768KB

Download
memory/1944-60-0x0000000000380000-0x0000000000383000-memory.dmp

Filesize
12KB

Download
memory/1944-54-0x0000000000BF0000-0x0000000000CCE000-memory.dmp

Filesize
888KB

Download
memory/1952-78-0x0000000000000000-mapping.dmp

Download
memory/2040-88-0x00000000004B342E-mapping.dmp

Download
memory/2040-171-0x0000000004E45000-0x0000000004E56000-memory.dmp

Filesize
68KB

Download
memory/2044-62-0x0000000000000000-mapping.dmp

Download
memory/2064-196-0x0000000000A65000-0x0000000000A76000-memory.dmp

Filesize
68KB

Download
memory/2064-104-0x00000000004B342E-mapping.dmp

Download
memory/2140-106-0x0000000000000000-mapping.dmp

Download
memory/2176-108-0x00000000004B342E-mapping.dmp

Download
memory/2176-222-0x0000000000A75000-0x0000000000A86000-memory.dmp

Filesize
68KB

Download
memory/2244-110-0x0000000000000000-mapping.dmp

Download
memory/2264-144-0x00000000004B342E-mapping.dmp

Download
memory/2264-225-0x0000000004E65000-0x0000000004E76000-memory.dmp

Filesize
68KB

Download
memory/2284-219-0x0000000005065000-0x0000000005076000-memory.dmp

Filesize
68KB

Download
memory/2284-112-0x00000000004B342E-mapping.dmp

Download
memory/2352-114-0x0000000000000000-mapping.dmp

Download
memory/2392-116-0x00000000004B342E-mapping.dmp

Download
memory/2392-223-0x0000000004F05000-0x0000000004F16000-memory.dmp

Filesize
68KB

Download
memory/2404-173-0x0000000000000000-mapping.dmp

Download
memory/2460-118-0x0000000000000000-mapping.dmp

Download
memory/2476-154-0x0000000000000000-mapping.dmp

Download
memory/2488-152-0x0000000000000000-mapping.dmp

Download
memory/2512-120-0x00000000004B342E-mapping.dmp

Download
memory/2548-162-0x0000000000000000-mapping.dmp

Download
memory/2576-122-0x0000000000000000-mapping.dmp

Download
memory/2620-124-0x00000000004B342E-mapping.dmp

Download
memory/2620-221-0x0000000004D75000-0x0000000004D86000-memory.dmp

Filesize
68KB

Download
memory/2632-146-0x0000000000000000-mapping.dmp

Download
memory/2692-126-0x0000000000000000-mapping.dmp

Download
memory/2824-153-0x0000000000000000-mapping.dmp

Download
memory/2828-220-0x00000000011E5000-0x00000000011F6000-memory.dmp

Filesize
68KB

Download
memory/2828-128-0x00000000004B342E-mapping.dmp

Download
memory/2872-227-0x0000000000925000-0x0000000000936000-memory.dmp

Filesize
68KB

Download
memory/2872-156-0x00000000004B342E-mapping.dmp

Download
memory/2908-130-0x0000000000000000-mapping.dmp

Download
memory/2948-217-0x0000000004E25000-0x0000000004E36000-memory.dmp

Filesize
68KB

Download
memory/2948-132-0x00000000004B342E-mapping.dmp

Download
memory/2988-134-0x0000000000000000-mapping.dmp

Download
memory/2996-158-0x0000000000000000-mapping.dmp

Download
memory/3040-136-0x00000000004B342E-mapping.dmp

Download
memory/3040-218-0x0000000001195000-0x00000000011A6000-memory.dmp

Filesize
68KB

Download
memory/3048-175-0x0000000000000000-mapping.dmp

Download
memory/3056-249-0x00000000005D5000-0x00000000005E6000-memory.dmp

Filesize
68KB

Download
memory/3056-160-0x00000000004B342E-mapping.dmp

Download
memory/3080-177-0x0000000000000000-mapping.dmp

Download
memory/3092-179-0x0000000000000000-mapping.dmp

Download
memory/3100-178-0x0000000000000000-mapping.dmp

Download
memory/3132-278-0x0000000000CC5000-0x0000000000CD6000-memory.dmp

Filesize
68KB

Download
memory/3188-250-0x00000000011F5000-0x0000000001206000-memory.dmp

Filesize
68KB

Download
memory/3188-181-0x00000000004B342E-mapping.dmp

Download
memory/3336-184-0x0000000000000000-mapping.dmp

Download
memory/3368-186-0x00000000004B342E-mapping.dmp

Download
memory/3456-188-0x0000000000000000-mapping.dmp

Download
memory/3492-279-0x0000000004D95000-0x0000000004DA6000-memory.dmp

Filesize
68KB

Download
memory/3492-190-0x00000000004B342E-mapping.dmp

Download
memory/3616-192-0x0000000000000000-mapping.dmp

Download