masslogger | 226b7b506870441f3a2bfdce077edbbad4334b5bee2e5fffde263078a169f59a

Analysis

max time kernel
13s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
21-05-2022 00:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

New_Order08042020.exe
Size

865KB
MD5

421f7936cf9984792c119c3602f2ac17
SHA1

8eca265739fce957205846992fee1abac60b4d56
SHA256

878e1a1b65cc05eb728bf4ce85b7ad87576bbc9c8465d1348c71cef4e8c098f2
SHA512

eab256280853a804a369acb75d9e43253eea65f2f05d30e098ab8c2fb5f27064977979b4fd0ab0a79119539b1306bb9e0efc6d2561504a01ef6c6227833b2a5e

Score

10^/10

masslogger spyware stealer

Malware Config

Signatures

MassLogger
Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
stealer spyware masslogger

MassLogger Main Payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2688-132-0x0000000000400000-0x00000000004B8000-memory.dmp	family_masslogger

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

New_Order08042020.exeNew_Order08042020.exeNew_Order08042020.exeNew_Order08042020.exeNew_Order08042020.exeNew_Order08042020.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	New_Order08042020.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	New_Order08042020.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	New_Order08042020.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	New_Order08042020.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	New_Order08042020.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	New_Order08042020.exe

Suspicious use of SetThreadContext 7 IoCs

Processes:

New_Order08042020.exeNew_Order08042020.exeNew_Order08042020.exeNew_Order08042020.exeNew_Order08042020.exeNew_Order08042020.exeNew_Order08042020.exe

description	pid	process	target process
PID 1928 set thread context of 2688	1928	New_Order08042020.exe	RegAsm.exe
PID 4364 set thread context of 4688	4364	New_Order08042020.exe	RegAsm.exe
PID 2528 set thread context of 4484	2528	New_Order08042020.exe	RegAsm.exe
PID 4552 set thread context of 4248	4552	New_Order08042020.exe	RegAsm.exe
PID 3504 set thread context of 4488	3504	New_Order08042020.exe	RegAsm.exe
PID 2492 set thread context of 112	2492	New_Order08042020.exe	RegAsm.exe
PID 3812 set thread context of 904	3812	New_Order08042020.exe	RegAsm.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

New_Order08042020.exe

pid	process
1928	New_Order08042020.exe
1928	New_Order08042020.exe
1928	New_Order08042020.exe
1928	New_Order08042020.exe
1928	New_Order08042020.exe
1928	New_Order08042020.exe
1928	New_Order08042020.exe
1928	New_Order08042020.exe
1928	New_Order08042020.exe
1928	New_Order08042020.exe
1928	New_Order08042020.exe
1928	New_Order08042020.exe
1928	New_Order08042020.exe
1928	New_Order08042020.exe
1928	New_Order08042020.exe
1928	New_Order08042020.exe
1928	New_Order08042020.exe
1928	New_Order08042020.exe
1928	New_Order08042020.exe
1928	New_Order08042020.exe
1928	New_Order08042020.exe
1928	New_Order08042020.exe
1928	New_Order08042020.exe
1928	New_Order08042020.exe
1928	New_Order08042020.exe
1928	New_Order08042020.exe
1928	New_Order08042020.exe
1928	New_Order08042020.exe
1928	New_Order08042020.exe
1928	New_Order08042020.exe
1928	New_Order08042020.exe
1928	New_Order08042020.exe
1928	New_Order08042020.exe
1928	New_Order08042020.exe
1928	New_Order08042020.exe
1928	New_Order08042020.exe
1928	New_Order08042020.exe
1928	New_Order08042020.exe
1928	New_Order08042020.exe
1928	New_Order08042020.exe
1928	New_Order08042020.exe
1928	New_Order08042020.exe
1928	New_Order08042020.exe
1928	New_Order08042020.exe
1928	New_Order08042020.exe
1928	New_Order08042020.exe
1928	New_Order08042020.exe
1928	New_Order08042020.exe
1928	New_Order08042020.exe
1928	New_Order08042020.exe
1928	New_Order08042020.exe
1928	New_Order08042020.exe
1928	New_Order08042020.exe
1928	New_Order08042020.exe
1928	New_Order08042020.exe
1928	New_Order08042020.exe
1928	New_Order08042020.exe
1928	New_Order08042020.exe
1928	New_Order08042020.exe
1928	New_Order08042020.exe
1928	New_Order08042020.exe
1928	New_Order08042020.exe
1928	New_Order08042020.exe
1928	New_Order08042020.exe

Suspicious behavior: MapViewOfSection 10 IoCs

Processes:

New_Order08042020.exeNew_Order08042020.exeNew_Order08042020.exeNew_Order08042020.exeNew_Order08042020.exeNew_Order08042020.exeNew_Order08042020.exe

pid	process
1928	New_Order08042020.exe
4364	New_Order08042020.exe
2528	New_Order08042020.exe
4552	New_Order08042020.exe
4552	New_Order08042020.exe
4552	New_Order08042020.exe
4552	New_Order08042020.exe
3504	New_Order08042020.exe
2492	New_Order08042020.exe
3812	New_Order08042020.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

Processes:

New_Order08042020.exeRegAsm.exeNew_Order08042020.exeRegAsm.exeNew_Order08042020.exeRegAsm.exeNew_Order08042020.exepowershell.exeNew_Order08042020.exeRegAsm.exeNew_Order08042020.exeRegAsm.exeNew_Order08042020.exeRegAsm.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1928	New_Order08042020.exe
Token: SeDebugPrivilege	2688	RegAsm.exe
Token: SeDebugPrivilege	4364	New_Order08042020.exe
Token: SeDebugPrivilege	4688	RegAsm.exe
Token: SeDebugPrivilege	2528	New_Order08042020.exe
Token: SeDebugPrivilege	4484	RegAsm.exe
Token: SeDebugPrivilege	4552	New_Order08042020.exe
Token: SeDebugPrivilege	4248	powershell.exe
Token: SeDebugPrivilege	3504	New_Order08042020.exe
Token: SeDebugPrivilege	4488	RegAsm.exe
Token: SeDebugPrivilege	2492	New_Order08042020.exe
Token: SeDebugPrivilege	112	RegAsm.exe
Token: SeDebugPrivilege	3812	New_Order08042020.exe
Token: SeDebugPrivilege	904	RegAsm.exe
Token: SeDebugPrivilege	4712	powershell.exe
Token: SeDebugPrivilege	3836	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

New_Order08042020.exeNew_Order08042020.exeNew_Order08042020.exeNew_Order08042020.exeNew_Order08042020.exeNew_Order08042020.exeRegAsm.exeRegAsm.exeNew_Order08042020.execmd.execmd.exeNew_Order08042020.exe

description	pid	process	target process
PID 1928 wrote to memory of 2688	1928	New_Order08042020.exe	RegAsm.exe
PID 1928 wrote to memory of 2688	1928	New_Order08042020.exe	RegAsm.exe
PID 1928 wrote to memory of 2688	1928	New_Order08042020.exe	RegAsm.exe
PID 1928 wrote to memory of 2688	1928	New_Order08042020.exe	RegAsm.exe
PID 1928 wrote to memory of 4364	1928	New_Order08042020.exe	New_Order08042020.exe
PID 1928 wrote to memory of 4364	1928	New_Order08042020.exe	New_Order08042020.exe
PID 1928 wrote to memory of 4364	1928	New_Order08042020.exe	New_Order08042020.exe
PID 4364 wrote to memory of 4688	4364	New_Order08042020.exe	RegAsm.exe
PID 4364 wrote to memory of 4688	4364	New_Order08042020.exe	RegAsm.exe
PID 4364 wrote to memory of 4688	4364	New_Order08042020.exe	RegAsm.exe
PID 4364 wrote to memory of 4688	4364	New_Order08042020.exe	RegAsm.exe
PID 4364 wrote to memory of 2528	4364	New_Order08042020.exe	New_Order08042020.exe
PID 4364 wrote to memory of 2528	4364	New_Order08042020.exe	New_Order08042020.exe
PID 4364 wrote to memory of 2528	4364	New_Order08042020.exe	New_Order08042020.exe
PID 2528 wrote to memory of 4484	2528	New_Order08042020.exe	RegAsm.exe
PID 2528 wrote to memory of 4484	2528	New_Order08042020.exe	RegAsm.exe
PID 2528 wrote to memory of 4484	2528	New_Order08042020.exe	RegAsm.exe
PID 2528 wrote to memory of 4484	2528	New_Order08042020.exe	RegAsm.exe
PID 2528 wrote to memory of 4552	2528	New_Order08042020.exe	New_Order08042020.exe
PID 2528 wrote to memory of 4552	2528	New_Order08042020.exe	New_Order08042020.exe
PID 2528 wrote to memory of 4552	2528	New_Order08042020.exe	New_Order08042020.exe
PID 4552 wrote to memory of 4176	4552	New_Order08042020.exe	RegAsm.exe
PID 4552 wrote to memory of 4176	4552	New_Order08042020.exe	RegAsm.exe
PID 4552 wrote to memory of 4176	4552	New_Order08042020.exe	RegAsm.exe
PID 4552 wrote to memory of 4372	4552	New_Order08042020.exe	RegAsm.exe
PID 4552 wrote to memory of 4372	4552	New_Order08042020.exe	RegAsm.exe
PID 4552 wrote to memory of 4372	4552	New_Order08042020.exe	RegAsm.exe
PID 4552 wrote to memory of 4232	4552	New_Order08042020.exe	RegAsm.exe
PID 4552 wrote to memory of 4232	4552	New_Order08042020.exe	RegAsm.exe
PID 4552 wrote to memory of 4232	4552	New_Order08042020.exe	RegAsm.exe
PID 4552 wrote to memory of 4248	4552	New_Order08042020.exe	RegAsm.exe
PID 4552 wrote to memory of 4248	4552	New_Order08042020.exe	RegAsm.exe
PID 4552 wrote to memory of 4248	4552	New_Order08042020.exe	RegAsm.exe
PID 4552 wrote to memory of 4248	4552	New_Order08042020.exe	RegAsm.exe
PID 4552 wrote to memory of 3504	4552	New_Order08042020.exe	New_Order08042020.exe
PID 4552 wrote to memory of 3504	4552	New_Order08042020.exe	New_Order08042020.exe
PID 4552 wrote to memory of 3504	4552	New_Order08042020.exe	New_Order08042020.exe
PID 3504 wrote to memory of 4488	3504	New_Order08042020.exe	RegAsm.exe
PID 3504 wrote to memory of 4488	3504	New_Order08042020.exe	RegAsm.exe
PID 3504 wrote to memory of 4488	3504	New_Order08042020.exe	RegAsm.exe
PID 3504 wrote to memory of 4488	3504	New_Order08042020.exe	RegAsm.exe
PID 3504 wrote to memory of 2492	3504	New_Order08042020.exe	New_Order08042020.exe
PID 3504 wrote to memory of 2492	3504	New_Order08042020.exe	New_Order08042020.exe
PID 3504 wrote to memory of 2492	3504	New_Order08042020.exe	New_Order08042020.exe
PID 2688 wrote to memory of 5016	2688	RegAsm.exe	cmd.exe
PID 2688 wrote to memory of 5016	2688	RegAsm.exe	cmd.exe
PID 2688 wrote to memory of 5016	2688	RegAsm.exe	cmd.exe
PID 4688 wrote to memory of 3464	4688	RegAsm.exe	cmd.exe
PID 4688 wrote to memory of 3464	4688	RegAsm.exe	cmd.exe
PID 4688 wrote to memory of 3464	4688	RegAsm.exe	cmd.exe
PID 2492 wrote to memory of 112	2492	New_Order08042020.exe	RegAsm.exe
PID 2492 wrote to memory of 112	2492	New_Order08042020.exe	RegAsm.exe
PID 2492 wrote to memory of 112	2492	New_Order08042020.exe	RegAsm.exe
PID 2492 wrote to memory of 112	2492	New_Order08042020.exe	RegAsm.exe
PID 5016 wrote to memory of 4712	5016	cmd.exe	powershell.exe
PID 5016 wrote to memory of 4712	5016	cmd.exe	powershell.exe
PID 5016 wrote to memory of 4712	5016	cmd.exe	powershell.exe
PID 2492 wrote to memory of 3812	2492	New_Order08042020.exe	New_Order08042020.exe
PID 2492 wrote to memory of 3812	2492	New_Order08042020.exe	New_Order08042020.exe
PID 2492 wrote to memory of 3812	2492	New_Order08042020.exe	New_Order08042020.exe
PID 3464 wrote to memory of 3836	3464	cmd.exe	powershell.exe
PID 3464 wrote to memory of 3836	3464	cmd.exe	powershell.exe
PID 3464 wrote to memory of 3836	3464	cmd.exe	powershell.exe
PID 3812 wrote to memory of 904	3812	New_Order08042020.exe	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe
"C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1928
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2688
- - C:\Windows\SysWOW64\cmd.exe
    "cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe' & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5016
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe'
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4712
- C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe
  "C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4364
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4688
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe' & exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3464
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe'
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3836
- - C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe
    "C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe"
    3⤵
    - Checks computer location settings
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2528
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4484
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe' & exit
        5⤵
        
        PID:3016
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe'
        6⤵
        
        PID:3644
  - - C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe
      "C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe"
      4⤵
      Checks computer location settings
      Suspicious use of SetThreadContext
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4552
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        5⤵
        
        PID:4248
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe' & exit
        6⤵
        
        PID:3092
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe'
        7⤵
        
        PID:3000
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        5⤵
        
        PID:4232
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        5⤵
        
        PID:4372
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        5⤵
        
        PID:4176
    - - C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe"
        5⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3504
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4488
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe' & exit
        7⤵
        
        PID:1792
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe'
        8⤵
        
        PID:4328
      - C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe"
        6⤵
        Checks computer location settings
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2492
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:112
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe' & exit
        8⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe'
        9⤵
        
        PID:4508
        
        C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe"
        7⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3812
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        8⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:904
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe' & exit
        9⤵
        
        PID:4912
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe'
        10⤵
        
        PID:4736
        
        C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe"
        8⤵
        
        PID:1764
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        9⤵
        
        PID:4264
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe' & exit
        10⤵
        
        PID:5096
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe'
        11⤵
        
        PID:4332
        
        C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe"
        9⤵
        
        PID:1312
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        10⤵
        
        PID:1100
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe' & exit
        11⤵
        
        PID:4280
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe'
        12⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4248
        
        C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe"
        10⤵
        
        PID:4380
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        11⤵
        
        PID:2120
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        11⤵
        
        PID:4324
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe' & exit
        12⤵
        
        PID:664
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe'
        13⤵
        
        PID:3692
        
        C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe"
        11⤵
        
        PID:4092
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        12⤵
        
        PID:4192
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe' & exit
        13⤵
        
        PID:2108
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe'
        14⤵
        
        PID:4048
        
        C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe"
        12⤵
        
        PID:4288
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:2688
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe' & exit
        14⤵
        
        PID:1088
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe'
        15⤵
        
        PID:3076
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        13⤵
        
        PID:1504
        
        C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe"
        13⤵
        
        PID:2832
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        14⤵
        
        PID:3848
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe' & exit
        15⤵
        
        PID:3920
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe'
        16⤵
        
        PID:1256
        
        C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe"
        14⤵
        
        PID:508
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        15⤵
        
        PID:3604
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe' & exit
        16⤵
        
        PID:3428
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe'
        17⤵
        
        PID:4468
        
        C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe"
        15⤵
        
        PID:4724
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        16⤵
        
        PID:1696
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe' & exit
        17⤵
        
        PID:4284
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe'
        18⤵
        
        PID:4036
        
        C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe"
        16⤵
        
        PID:1100
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        17⤵
        
        PID:3528
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe' & exit
        18⤵
        
        PID:3604
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe'
        19⤵
        
        PID:1100
        
        C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe"
        17⤵
        
        PID:5004
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        18⤵
        
        PID:2116
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe' & exit
        19⤵
        
        PID:3008
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe'
        20⤵
        
        PID:3284
        
        C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe"
        18⤵
        
        PID:2352
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        19⤵
        
        PID:3248
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe' & exit
        20⤵
        
        PID:4012
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe'
        21⤵
        
        PID:4820
        
        C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe"
        19⤵
        
        PID:1084
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        20⤵
        
        PID:4228
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe' & exit
        21⤵
        
        PID:5024
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe'
        22⤵
        
        PID:1084
        
        C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe"
        20⤵
        
        PID:3792
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        21⤵
        
        PID:1896
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe' & exit
        22⤵
        
        PID:1568
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe'
        23⤵
        
        PID:4424
        
        C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe"
        21⤵
        
        PID:456
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        22⤵
        
        PID:2300
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe' & exit
        23⤵
        
        PID:4896
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe'
        24⤵
        
        PID:2660
        
        C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe"
        22⤵
        
        PID:1628
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        23⤵
        
        PID:1908
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe' & exit
        24⤵
        
        PID:4352
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe'
        25⤵
        
        PID:3264
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        23⤵
        
        PID:4436
        
        C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe"
        23⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:3504
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        24⤵
        
        PID:3224
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe' & exit
        25⤵
        
        PID:444
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe'
        26⤵
        
        PID:3248
        
        C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe"
        24⤵
        
        PID:2184
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        25⤵
        
        PID:3088
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe' & exit
        26⤵
        
        PID:1768
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe'
        27⤵
        
        PID:4148
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        25⤵
        
        PID:3980
        
        C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe"
        25⤵
        
        PID:4436
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        26⤵
        
        PID:456
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe' & exit
        27⤵
        
        PID:4200
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe'
        28⤵
        
        PID:4696
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        26⤵
        
        PID:4680
        
        C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe"
        26⤵
        
        PID:4676
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        27⤵
        
        PID:4464
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe' & exit
        28⤵
        
        PID:4632
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe'
        29⤵
        
        PID:2412
        
        C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe"
        27⤵
        
        PID:4228
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        28⤵
        
        PID:3592
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe' & exit
        29⤵
        
        PID:4156
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe'
        30⤵
        
        PID:2368
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        28⤵
        
        PID:4260
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        28⤵
        
        PID:3000
        
        C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe"
        28⤵
        
        PID:5060
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        29⤵
        
        PID:3712
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe' & exit
        30⤵
        
        PID:4180
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe'
        31⤵
        
        PID:3980
        
        C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe"
        29⤵
        
        PID:4844
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        30⤵
        
        PID:4600
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe' & exit
        31⤵
        
        PID:3556
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe'
        32⤵
        
        PID:3340
        
        C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe"
        30⤵
        
        PID:3348
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        31⤵
        
        PID:1752
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe' & exit
        32⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe'
        33⤵
        
        PID:1912
        
        C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe"
        31⤵
        
        PID:2372
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        32⤵
        
        PID:4224
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe' & exit
        33⤵
        
        PID:4972
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe'
        34⤵
        
        PID:3976
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        32⤵
        
        PID:1484
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        32⤵
        
        PID:668
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        32⤵
        
        PID:2056
        
        C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe"
        32⤵
        
        PID:4464
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        33⤵
        
        PID:4764
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe' & exit
        34⤵
        
        PID:4384
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe'
        35⤵
        
        PID:4552
        
        C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe"
        33⤵
        
        PID:2112
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        34⤵
        
        PID:3616
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe' & exit
        35⤵
        
        PID:4612
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe'
        36⤵
        
        PID:4892
        
        C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe"
        34⤵
        
        PID:1488
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        35⤵
        
        PID:3348
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe' & exit
        36⤵
        
        PID:3624
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe'
        37⤵
        
        PID:4040
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        35⤵
        
        PID:3480
        
        C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe"
        35⤵
        
        PID:4140
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        36⤵
        
        PID:4264
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe' & exit
        37⤵
        
        PID:4556
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe'
        38⤵
        
        PID:5004
        
        C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe"
        36⤵
        
        PID:4796
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        37⤵
        
        PID:3840
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe' & exit
        38⤵
        
        PID:3548
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe'
        39⤵
        
        PID:5000
        
        C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe"
        37⤵
        
        PID:1504
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        38⤵
        
        PID:2112
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe' & exit
        39⤵
        
        PID:5048
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe'
        40⤵
        
        PID:1668
        
        C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe"
        38⤵
        
        PID:2820
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        39⤵
        
        PID:4100
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe' & exit
        40⤵
        
        PID:4924
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe'
        41⤵
        
        PID:4688
        
        C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe"
        39⤵
        
        PID:2216
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        40⤵
        
        PID:2308
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe' & exit
        41⤵
        
        PID:2780
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe'
        42⤵
        
        PID:2964
        
        C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe"
        40⤵
        
        PID:2500
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        41⤵
        
        PID:4136
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe' & exit
        42⤵
        
        PID:3248
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe'
        43⤵
        
        PID:1940
        
        C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe"
        41⤵
        
        PID:1004
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        42⤵
        
        PID:1504
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe' & exit
        43⤵
        
        PID:1252
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe'
        44⤵
        
        PID:764
        
        C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe"
        42⤵
        
        PID:2396
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        43⤵
        
        PID:1936
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe' & exit
        44⤵
        
        PID:1276
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe'
        45⤵
        
        PID:3016
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        43⤵
        
        PID:792
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        43⤵
        
        PID:3692
        
        C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe"
        43⤵
        
        PID:4484
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        44⤵
        
        PID:580
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe' & exit
        45⤵
        
        PID:908
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe'
        46⤵
        
        PID:1484
        
        C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe"
        44⤵
        
        PID:1548
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        45⤵
        
        PID:4012
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe' & exit
        46⤵
        
        PID:2260
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe'
        47⤵
        
        PID:3868
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        45⤵
        
        PID:3320
        
        C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe"
        45⤵
        
        PID:4308
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        46⤵
        
        PID:2300
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe' & exit
        47⤵
        
        PID:4068
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe'
        48⤵
        
        PID:2384
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        46⤵
        
        PID:3088
        
        C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe"
        46⤵
        
        PID:1496
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        47⤵
        
        PID:4016
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe' & exit
        48⤵
        
        PID:1560
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe'
        49⤵
        
        PID:4240
        
        C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe"
        47⤵
        
        PID:2352
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        48⤵
        
        PID:4064
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe' & exit
        49⤵
        
        PID:3708
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe'
        50⤵
        
        PID:2168
        
        C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe"
        48⤵
        
        PID:2224
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        49⤵
        
        PID:2220
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe' & exit
        50⤵
        
        PID:3220
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe'
        51⤵
        
        PID:668
        
        C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe"
        49⤵
        
        PID:4368
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        50⤵
        
        PID:3044
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe' & exit
        51⤵
        
        PID:2244
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe'
        52⤵
        
        PID:4428
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        50⤵
        
        PID:2292
        
        C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe"
        50⤵
        
        PID:2300
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        51⤵
        
        PID:3440
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe' & exit
        52⤵
        
        PID:4380
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe'
        53⤵
        
        PID:4224
        
        C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe"
        51⤵
        
        PID:3812
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        52⤵
        
        PID:424
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe' & exit
        53⤵
        
        PID:2116
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe'
        54⤵
        
        PID:4268
        
        C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe"
        52⤵
        
        PID:2464
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        53⤵
        
        PID:4408
        
        C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe"
        53⤵
        
        PID:3532
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        54⤵
        
        PID:1088
        
        C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe"
        54⤵
        
        PID:1752
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        55⤵
        
        PID:1660
        
        C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe
        
        "C:\Users\Admin\AppData\Local\Temp\New_Order08042020.exe"
        55⤵
        
        PID:3528
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        56⤵
        
        PID:1936

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegAsm.exe.log

Filesize
994B

MD5
334ac3d2e55f80a9b69e02d1dbc44947

SHA1
dea2b26b13eca80ad781cfeeaf7082e0d0dc4f2e

SHA256
cfc8439b36fdd0455772cdb646d04b93858f9bc44fc94473bf73b253c2e4f25d

SHA512
83b5111afd7b24bf4bc193b01587ce590655d25ae9d0f333f6dbd1ddd2d93c2b22b48f5a52aa3c7d7d5833d774fcc729a7f6f9d1faf7277d1fc8deec16efd649

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
712a00a9d8164b3b6795c4e11800d2f1

SHA1
82952ef15a2e4e2b06cb149d3b206d11135128b5

SHA256
2a3b20384f9ce1100ea1c1d3fc24b874446506c627102da75ace1e7bcac4a052

SHA512
ab87d76996cf96e76f9182f72ffe16b1e014ac1ccbe2991a6cd85309622365fbf4a6e79023e616c529640f626cd3943bab9338816bf6ce6831cf5696d28ecd17

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
d4d8cef58818612769a698c291ca3b37

SHA1
54e0a6e0c08723157829cea009ec4fe30bea5c50

SHA256
98fd693b92a71e24110ce7d018a117757ffdfe0e551a33c5fa5d8888a2d74fb0

SHA512
f165b1dde8f251e95d137a466d9bb77240396e289d1b2f8f1e9a28a6470545df07d00da6449250a1a0d73364c9cb6c00fd6229a385585a734da1ac65ac7e57f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
d4d8cef58818612769a698c291ca3b37

SHA1
54e0a6e0c08723157829cea009ec4fe30bea5c50

SHA256
98fd693b92a71e24110ce7d018a117757ffdfe0e551a33c5fa5d8888a2d74fb0

SHA512
f165b1dde8f251e95d137a466d9bb77240396e289d1b2f8f1e9a28a6470545df07d00da6449250a1a0d73364c9cb6c00fd6229a385585a734da1ac65ac7e57f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
d4d8cef58818612769a698c291ca3b37

SHA1
54e0a6e0c08723157829cea009ec4fe30bea5c50

SHA256
98fd693b92a71e24110ce7d018a117757ffdfe0e551a33c5fa5d8888a2d74fb0

SHA512
f165b1dde8f251e95d137a466d9bb77240396e289d1b2f8f1e9a28a6470545df07d00da6449250a1a0d73364c9cb6c00fd6229a385585a734da1ac65ac7e57f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
d4d8cef58818612769a698c291ca3b37

SHA1
54e0a6e0c08723157829cea009ec4fe30bea5c50

SHA256
98fd693b92a71e24110ce7d018a117757ffdfe0e551a33c5fa5d8888a2d74fb0

SHA512
f165b1dde8f251e95d137a466d9bb77240396e289d1b2f8f1e9a28a6470545df07d00da6449250a1a0d73364c9cb6c00fd6229a385585a734da1ac65ac7e57f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
d4d8cef58818612769a698c291ca3b37

SHA1
54e0a6e0c08723157829cea009ec4fe30bea5c50

SHA256
98fd693b92a71e24110ce7d018a117757ffdfe0e551a33c5fa5d8888a2d74fb0

SHA512
f165b1dde8f251e95d137a466d9bb77240396e289d1b2f8f1e9a28a6470545df07d00da6449250a1a0d73364c9cb6c00fd6229a385585a734da1ac65ac7e57f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
d4d8cef58818612769a698c291ca3b37

SHA1
54e0a6e0c08723157829cea009ec4fe30bea5c50

SHA256
98fd693b92a71e24110ce7d018a117757ffdfe0e551a33c5fa5d8888a2d74fb0

SHA512
f165b1dde8f251e95d137a466d9bb77240396e289d1b2f8f1e9a28a6470545df07d00da6449250a1a0d73364c9cb6c00fd6229a385585a734da1ac65ac7e57f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
d4d8cef58818612769a698c291ca3b37

SHA1
54e0a6e0c08723157829cea009ec4fe30bea5c50

SHA256
98fd693b92a71e24110ce7d018a117757ffdfe0e551a33c5fa5d8888a2d74fb0

SHA512
f165b1dde8f251e95d137a466d9bb77240396e289d1b2f8f1e9a28a6470545df07d00da6449250a1a0d73364c9cb6c00fd6229a385585a734da1ac65ac7e57f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
57046171d1dc944fe523f2f0f50c6d38

SHA1
14602bcee753fc4b42d7dff8b4dd26822927b8cb

SHA256
539721b90a75a31b7d3e01805f358475ca678627b4c715fb0c05078a45ef5dc4

SHA512
2627c5c138a7228eec5c8b88ee86c14e08cb2b695769f286c9a5e95eaf182a4718cd2f642e8eed96892896d92b4187e4834e7384d8118b83dbe3aa282804bd9f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
57046171d1dc944fe523f2f0f50c6d38

SHA1
14602bcee753fc4b42d7dff8b4dd26822927b8cb

SHA256
539721b90a75a31b7d3e01805f358475ca678627b4c715fb0c05078a45ef5dc4

SHA512
2627c5c138a7228eec5c8b88ee86c14e08cb2b695769f286c9a5e95eaf182a4718cd2f642e8eed96892896d92b4187e4834e7384d8118b83dbe3aa282804bd9f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
fd51be1b551eda64f70dfe2255542179

SHA1
20c5348e0a44df1840f803c62bef769225c8a89a

SHA256
770973ecfb12a724b9623d58575af93609dabf30fae2f170b57ff41b729f37f0

SHA512
3b7b29a9440005f8d588dae6b766d2e67260cc2eb314f07a5deb3a1ad7970c3e9708da3655a9a4f72c49da32e55aadffbad8e836f7e618e22050d76de7d64490

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
8594d6a998362810a8eec9d341443359

SHA1
29ea571585caf0d91c269e9d994a390b68e98092

SHA256
fe4bf5b3bcffdb8346fcec2083c6ac699bdc96c9f8680e6272ef7468159c0b15

SHA512
20415b35436736b11bdf6e34213d7d96278b582ec555319a5400548b7f489bd1bad9ac012944f34f7f0251d17fc1080d9c9538156b1f4031f2b47bb630a55e38

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
868049cf625f85d8ac76e6f919187e5f

SHA1
b05ac35f5a793b1681fe41fbaa662c92b7c38213

SHA256
f9cd43535b2e1b3b76a13ba2625eee834191744ef7f0de7e364b0403bb61ce2f

SHA512
8913b3f2b306b7cac02e118c20aab47cef76e563833fcf5af773239a65dfcad6aca8a9f03359183572b046bf8acfb35f3f502c6722b104c74bcc33e1ecb87489

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
868049cf625f85d8ac76e6f919187e5f

SHA1
b05ac35f5a793b1681fe41fbaa662c92b7c38213

SHA256
f9cd43535b2e1b3b76a13ba2625eee834191744ef7f0de7e364b0403bb61ce2f

SHA512
8913b3f2b306b7cac02e118c20aab47cef76e563833fcf5af773239a65dfcad6aca8a9f03359183572b046bf8acfb35f3f502c6722b104c74bcc33e1ecb87489

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
4e9244d87eb359002b98262e14646feb

SHA1
ea12145e720b3c3b7534a99223e6569423723163

SHA256
996266a4a23822e198216ad15eebde931853234a232f01145ed679298c55193f

SHA512
71831a437ce68236e0af519173ba9a362e086ebf8a4ae63f600597262c963e98b542353a78042fdfb02aad45e34093a722c64ab6a8f9311296ab39984936c58c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
429a1563ef4b1e4d217f81c7438ccb65

SHA1
cce47eb822b81d0aea5eaab7724bcb0bc2b80d76

SHA256
0f1d0826907ea2fed45cc99f2c8e01322f6e89b4fd2b330c41ecf7e58d06187b

SHA512
0f01d4a882bec87d12ff1c151144cd1056913ed6fae8fa88ff284b7d7b2223776f88fd78e9f7f25865dabcfd2f1342828d0c778e5f59f613870086de677627ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
285c0682281605cd48f1696602692f26

SHA1
fd3cb782e5b39c80106dcafc514c70bd36e6cbf4

SHA256
375f70967fdb6d13fe0e6027c7304db88bd5a402f011d59d084c0164493088ec

SHA512
fa053a179fb60d2006476f55d82f36be724d879e848436270453eac7120a477d14c90dfc1c7ae58424ebaa808c2ca4f07a34f47e953a1a514523a9370d9ba8f4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
d89beceea844434d4dd3db720c58e0b5

SHA1
cb8105f2a95fcb22ce6ac21d32eb1e82d7eff4e5

SHA256
442289378ec0af45f8a666004b2c37fd08b60f80a11fce47280a969b270eae0b

SHA512
9c57106eab45dae2e316631335940d9772bbfb5cc50321d8a9bc0cf6b86a5af2fbe3dd28c90586e45a63dd41eb2acb20530c2ec4e478ba6a246cf9f8df3b2353

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
7b1b73f3a3bf4a194197f995bf5673ad

SHA1
6dc057388d944a4195fc5985ee9b2579621cd5aa

SHA256
4ed7143b9b14d49a865b0c98a973987da12882369180b58bb26c07b40e8c6ce8

SHA512
a4449a6dab376cd4ede160ea9ea195d01b2616d5f094d0c3f4a7e5f3a0a4de6ef70e39949a3db238bd00d3f534486bdf846df37d5a9314904d13463e120a78ba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
2cd6b45519ecb68484e078a6420ed95b

SHA1
dcdfd52f3495c4dc2b1742baaf1070a38c354489

SHA256
bb74202f9a1f0ade056c3c2adcc2fe072d915862665477b34dac58c20444ac98

SHA512
6ffa087f683f2233e7c8b04b27bbda14b173171cd641cfa7f8e5dc2e951e41a3845356470f5b6791e956ba02fe1c0b34f0ae38d131ba48842c627359284ea515

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
2cd6b45519ecb68484e078a6420ed95b

SHA1
dcdfd52f3495c4dc2b1742baaf1070a38c354489

SHA256
bb74202f9a1f0ade056c3c2adcc2fe072d915862665477b34dac58c20444ac98

SHA512
6ffa087f683f2233e7c8b04b27bbda14b173171cd641cfa7f8e5dc2e951e41a3845356470f5b6791e956ba02fe1c0b34f0ae38d131ba48842c627359284ea515

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
258186e176058d326d231f8accb05d78

SHA1
aac2a4c7c8dcaec44b66b809100c4bdfb0eefcb8

SHA256
a964cc5b85c278f8a9357951e5a08163522483f4eaf82ae9a7d400f637ce82c5

SHA512
75a6074c697c504524a06f0918110bdd56af80522a84b9526da3341eb3fe6086770aee5d45757eb3423612b41087b2d0936020289fee74050f9774f4a6f92f32

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
c336ac5d262e11bbc6ac0202b96c590c

SHA1
cda0eff16c34dda44f52b5d2111d385dd1dbab71

SHA256
598b0f9f3892c417a5084ed7fe7a95f58aa82f16afb7ca75da469dcf0f85c34c

SHA512
886b460c79214cb068f30d93b3949cd210e6937c62cb3fa79e3789c5cda85b047869db8f61789f12cab721a4f216d87be0cb86345fa2373eb8dafe1d9fc2496f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
c336ac5d262e11bbc6ac0202b96c590c

SHA1
cda0eff16c34dda44f52b5d2111d385dd1dbab71

SHA256
598b0f9f3892c417a5084ed7fe7a95f58aa82f16afb7ca75da469dcf0f85c34c

SHA512
886b460c79214cb068f30d93b3949cd210e6937c62cb3fa79e3789c5cda85b047869db8f61789f12cab721a4f216d87be0cb86345fa2373eb8dafe1d9fc2496f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
33a66cd55c53b690a235cfac3cabdd82

SHA1
66818b85ea5c70958794fc9855781f40201c7692

SHA256
850ffea249f99f7299401fb80f129c45454e17234a219b5bdffcfd9428d1c0e3

SHA512
d5763ee1c659b19a99d5dad0d8f7657a3d970b73408226f6629af0ea70a9560a1398ea37be0eb75978ae8e8ac62cc4ca51f2c16c13426afebc174752e09a3178

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
4906927fcf388ff7d2ab0c070bbfc3d5

SHA1
eafdaab4686190ca0c05533d5f07c709fe9e4e17

SHA256
aac33c7c3224ec5344f697931e4682df672a06010ead56d51ab70962575ce20c

SHA512
5adcc39a83b4f2214b10bcef6e07ace59750dc554e116870855e4f321745a3b275951f00931e72a494f79f4c7534c8d388001c789252f96dee1d6d9b30dbfaf6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
4906927fcf388ff7d2ab0c070bbfc3d5

SHA1
eafdaab4686190ca0c05533d5f07c709fe9e4e17

SHA256
aac33c7c3224ec5344f697931e4682df672a06010ead56d51ab70962575ce20c

SHA512
5adcc39a83b4f2214b10bcef6e07ace59750dc554e116870855e4f321745a3b275951f00931e72a494f79f4c7534c8d388001c789252f96dee1d6d9b30dbfaf6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
c1577294f8e4f53882117b0d05fdc847

SHA1
c99ac1a71d77ee39533ecc971bf49c5c9005c7b6

SHA256
820ef7941a2a85611aa6decf8ae0e7ac71b2b841471537a9fa2a1bb9dd48f4ce

SHA512
53e236129c84319e79f5b7fe9f40c709dff6099bcb725a5588e4821206e8af6d5437d24b7d334c93e95ecbc36bc022ffb0407c165d8391a1aa76fce1d7011ba6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
5945f0a9917f5e3a7718db9d8407d324

SHA1
65554100e2bbc9fc5022f75af57a49922dade966

SHA256
4c6d072215a7d2ea8ea9776d3d851396d02d56fefdaf41107300de82c8a3e778

SHA512
9d57d569f3a605207bd37aec285f1492a06249b0291e0d0c7ebcfb7aaa02c69b5ded631530e40866cb3b91e2c942ed8e9bdb07ac37e66d43542bfeee5ac1e43f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
2adef0e899da3a551e79cf8adcc56b36

SHA1
5c6979489e44d04f2d0f32d140ae0aa601c738bd

SHA256
f42e870598bdabce33aadef153fa816125fda695cb5ee2ac0cb723f9b73dd0bb

SHA512
7c5c29c29a7c240146c455534eaef1f28bab897d6add353e6ffddcf4eb923510ec1f3d7edd23254f8ff6c94be3cfbd74bdd5e554dba19102b9b8523beceaf312

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
23d368ed1a764a583d003cf145639451

SHA1
b095073a85ac2dc01acd5b8d4e4131840befcd21

SHA256
966dc3eef4bd21b4a12163b95d193601b49767dab157d6e2d24611bc4c3a1db4

SHA512
0c8ada83f11a45e086119e5b47bee7ed7afbc0b90a2f907903be6382126894ca3e531c5197b97713de04fb36dccd72aadf4343c1699a94b48e2872965a34027b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
38d123a7718343fe9f366d850e4d4ede

SHA1
c36e4485609966a37eebaf3e988df7d8c8df9874

SHA256
6da250f902908379e07eef2819f6010eba55fd9f86007731b6c7f13f20f10952

SHA512
c81e0e8bdddb91799775a0c34ed4650e65a2012317b9f32aaca382e84e8ad8a2bb0fb142cb1bfc78ab51dff01b435a6e1f6ff1abb79a1c0e272ab8721a87a0a9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
8610bfc174d1868ef12199051260dc05

SHA1
fe2d3b081edc1a7ea37b00a8dab9387929ade0bc

SHA256
f805f1e9c37fff5b7d454f91f9408ae087816bfacc5a837f023124a1b45cd524

SHA512
e1dc917cab57892f0931a673f800ea79f432bb5c0d97dcc854181daae1fdf1be7eaf3874145843cb2ae11ecc9cda624d4ee747875dc976799dc603387098ee32

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
8610bfc174d1868ef12199051260dc05

SHA1
fe2d3b081edc1a7ea37b00a8dab9387929ade0bc

SHA256
f805f1e9c37fff5b7d454f91f9408ae087816bfacc5a837f023124a1b45cd524

SHA512
e1dc917cab57892f0931a673f800ea79f432bb5c0d97dcc854181daae1fdf1be7eaf3874145843cb2ae11ecc9cda624d4ee747875dc976799dc603387098ee32

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
77f82d8b9340931612a58ff6cbf4b35d

SHA1
b8234df304f7a66ab4248e73e2a59ec401d65801

SHA256
5be92ab7eef291688d87458ae53db8bb4da60c7b179118a2945bd783ff10d86f

SHA512
3277272bb9aa1f61591cae889f39e65c8ec4b34593c72603c17e8552eb611800b9d59b2ae5594a6281a68b1a1641bed7f45c164d28a913541bb6163b7948229b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
8049b5749c02d8fafb1a0e35e4d48240

SHA1
23cc701c9dbc3d594c0f41a85b503c87dff18d0a

SHA256
703d875debaf53d4561775544590c40b6b904fb845cbf0b7ceb6b46948ca25d0

SHA512
cc0c866bfb2386a9a73107390c93f6f3477d890fdf0a87423e118c6bd1b115c5e47087f84788afd7e908c0bc4a350bb599ad47248d60f53a05db5d562361531a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
0071ae6526fefda7c079c4f08bf56c17

SHA1
ce440746fa19a062c3dacead1799b4732d8fc9a1

SHA256
593814e9169a95636c6d335b3bcdcf8cf9453e4af71db527a565e3a3e520308f

SHA512
808ce2506ae2a6941b66821b1512a08353f45804a80e542ba8c5a4aa1061535035a2c151c391b2e71c935f58d16d8e37ea2ca2b81cfcb64eb28cbe4815023060

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
23ca6047df4ad5816e3fef573a19a5f8

SHA1
90ca945e7b076ba1057487badc1b5622504e9be7

SHA256
7ec34499e4082ff6140a77523c04266b7d05c0fee699eed435cd49779e3de4cf

SHA512
0c2d5c62e7c9f18b38113bd26fe380b1e07a58948517d3dc0cb150aeb2cfa6a5bb21518c52eb5b42e814478a69d76314cb69f9c2b755997a04bbae1324458542

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
4734c2e6bcce5825185fffdf532f933c

SHA1
4af8a4edf4d36d215c76e680581f43cb087714d1

SHA256
232c845ba8c00d050ddaa48ddec21ecbbdb0d0e4af2d4af436ab18788d5ff606

SHA512
22d884baf97cbe7d6f9c0931f12ab602ba9fa764b8fdf2f54a976f735df27e7655fb5414bec7ea7872bd99b2b8a1f7a1b0d361151d091a4319ef38994ba462c6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
fbd6145f2ea9c38ba6fbcd585f61b130

SHA1
3a77b1aff5dc19d2088d75d2780c7461fc1f4f21

SHA256
1ff436d38abac433ca3fd7c17a5bd0e96bb65e99554572bb3f65af1b68af3c05

SHA512
cdeed45896657de7e42f149812433c70a8191c2ed7a67560ae423d2adf110494ac74b48256fdccc96cc3018616fbde2871ab2f87b1d15f62661959ce84c51a1d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
0ced42097e85ef26fe8727fa2349662a

SHA1
8c7a38fe9e20460115a1c496f5aa0a3eff4006bc

SHA256
7ad23f6e8d0c47b9d42788f06e4e9504705f70c331087780922bb80551a81652

SHA512
9fcd6d4506d3b946af44f51d14b097f12f435a87d3c5dacac07e5a015b868abe7b1fb9afc92821ff939657939dc38ba7531825a379e152c04b003d63d17c560d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
f3c77d02bb95ccd446c55456196f3990

SHA1
3fbd5bc9928eb2467d57ca9981de6259b459063d

SHA256
b263bb989fed392130437395037427d23afeaf2cb833c8f02adfbb6966f22bf2

SHA512
5b15f6c809739f7a2aaa4e904aee103694d96f3cf1d6ffce4020f362a24916223753efe90c3cbb25ded22b03fdb5702e61837509a89c7cb2bcc7636e3c212458

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
efae72000635428a4475c51a7cbf0e05

SHA1
c9cfe3a9ee7ae980db08c595b49a5348962d59f6

SHA256
66777b6d552e92d42235e61ef7c57b263e290ca23da5a768e5ed828dbddb9715

SHA512
69851d848235f7f51f707ebe54ac123eed3a65edce0c785bbe022b4d6fb1a37cc9ccfff97757dc1bd8b24ed77e1be6255db6d8b6747841b43915529b90018b29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
8997d6e6870e936527cf1a778de31908

SHA1
b1a113c2443c472ee072b45b9d4747b746c6812d

SHA256
2a8e144db7806e82a95a3fb8c911fa638ebc1e2332d28f207c28f3c06f3d6fb9

SHA512
b2c7f5e3ebedafec90fac370a2546c6b77068d2d5aea99f8fa91ea3b24e9bf675b787a8f2e5ebb17de38fc06abbd988caacb2860336b4be469e003cd22708dc7

Download Submit
memory/112-150-0x0000000000000000-mapping.dmp

Download
memory/508-191-0x0000000000000000-mapping.dmp

Download
memory/664-190-0x0000000000000000-mapping.dmp

Download
memory/904-155-0x0000000000000000-mapping.dmp

Download
memory/1088-200-0x0000000000000000-mapping.dmp

Download
memory/1100-167-0x0000000000000000-mapping.dmp

Download
memory/1100-201-0x0000000000000000-mapping.dmp

Download
memory/1256-207-0x0000000000000000-mapping.dmp

Download
memory/1312-165-0x0000000000000000-mapping.dmp

Download
memory/1696-197-0x0000000000000000-mapping.dmp

Download
memory/1764-160-0x0000000000000000-mapping.dmp

Download
memory/1792-168-0x0000000000000000-mapping.dmp

Download
memory/1928-136-0x0000000005610000-0x0000000005613000-memory.dmp

Filesize
12KB

Download
memory/1928-130-0x0000000000B20000-0x0000000000BFE000-memory.dmp

Filesize
888KB

Download
memory/2108-194-0x0000000000000000-mapping.dmp

Download
memory/2116-208-0x0000000000000000-mapping.dmp

Download
memory/2352-210-0x0000000000000000-mapping.dmp

Download
memory/2448-169-0x0000000000000000-mapping.dmp

Download
memory/2492-146-0x0000000000000000-mapping.dmp

Download
memory/2528-139-0x0000000000000000-mapping.dmp

Download
memory/2688-135-0x0000000005170000-0x00000000051D6000-memory.dmp

Filesize
408KB

Download
memory/2688-133-0x00000000054F0000-0x0000000005A94000-memory.dmp

Filesize
5.6MB

Download
memory/2688-131-0x0000000000000000-mapping.dmp

Download
memory/2688-184-0x0000000000000000-mapping.dmp

Download
memory/2688-132-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/2688-134-0x0000000004FE0000-0x000000000507C000-memory.dmp

Filesize
624KB

Download
memory/2688-142-0x0000000005D10000-0x0000000005DA2000-memory.dmp

Filesize
584KB

Download
memory/2832-187-0x0000000000000000-mapping.dmp

Download
memory/3000-164-0x0000000000000000-mapping.dmp

Download
memory/3016-158-0x0000000000000000-mapping.dmp

Download
memory/3076-204-0x0000000000000000-mapping.dmp

Download
memory/3092-161-0x0000000000000000-mapping.dmp

Download
memory/3248-212-0x0000000000000000-mapping.dmp

Download
memory/3428-209-0x0000000000000000-mapping.dmp

Download
memory/3464-148-0x0000000000000000-mapping.dmp

Download
memory/3504-144-0x0000000000000000-mapping.dmp

Download
memory/3528-203-0x0000000000000000-mapping.dmp

Download
memory/3604-192-0x0000000000000000-mapping.dmp

Download
memory/3644-163-0x0000000000000000-mapping.dmp

Download
memory/3692-193-0x0000000000000000-mapping.dmp

Download
memory/3812-152-0x0000000000000000-mapping.dmp

Download
memory/3836-176-0x0000000006100000-0x000000000611A000-memory.dmp

Filesize
104KB

Download
memory/3836-181-0x0000000006ED0000-0x0000000006F66000-memory.dmp

Filesize
600KB

Download
memory/3836-153-0x0000000000000000-mapping.dmp

Download
memory/3836-159-0x0000000005560000-0x00000000055C6000-memory.dmp

Filesize
408KB

Download
memory/3848-188-0x0000000000000000-mapping.dmp

Download
memory/3920-202-0x0000000000000000-mapping.dmp

Download
memory/4048-199-0x0000000000000000-mapping.dmp

Download
memory/4092-177-0x0000000000000000-mapping.dmp

Download
memory/4192-178-0x0000000000000000-mapping.dmp

Download
memory/4248-143-0x0000000000000000-mapping.dmp

Download
memory/4248-189-0x0000000000000000-mapping.dmp

Download
memory/4264-162-0x0000000000000000-mapping.dmp

Download
memory/4280-185-0x0000000000000000-mapping.dmp

Download
memory/4284-214-0x0000000000000000-mapping.dmp

Download
memory/4288-183-0x0000000000000000-mapping.dmp

Download
memory/4324-172-0x0000000000000000-mapping.dmp

Download
memory/4328-171-0x0000000000000000-mapping.dmp

Download
memory/4332-186-0x0000000000000000-mapping.dmp

Download
memory/4364-137-0x0000000000000000-mapping.dmp

Download
memory/4380-170-0x0000000000000000-mapping.dmp

Download
memory/4468-213-0x0000000000000000-mapping.dmp

Download
memory/4484-140-0x0000000000000000-mapping.dmp

Download
memory/4488-145-0x0000000000000000-mapping.dmp

Download
memory/4508-175-0x0000000000000000-mapping.dmp

Download
memory/4552-141-0x0000000000000000-mapping.dmp

Download
memory/4688-138-0x0000000000000000-mapping.dmp

Download
memory/4712-182-0x0000000007A60000-0x0000000007A82000-memory.dmp

Filesize
136KB

Download
memory/4712-157-0x0000000006000000-0x0000000006022000-memory.dmp

Filesize
136KB

Download
memory/4712-156-0x0000000005990000-0x0000000005FB8000-memory.dmp

Filesize
6.2MB

Download
memory/4712-154-0x0000000005320000-0x0000000005356000-memory.dmp

Filesize
216KB

Download
memory/4712-174-0x0000000007EB0000-0x000000000852A000-memory.dmp

Filesize
6.5MB

Download
memory/4712-166-0x00000000068B0000-0x00000000068CE000-memory.dmp

Filesize
120KB

Download
memory/4712-151-0x0000000000000000-mapping.dmp

Download
memory/4724-195-0x0000000000000000-mapping.dmp

Download
memory/4736-179-0x0000000000000000-mapping.dmp

Download
memory/4912-173-0x0000000000000000-mapping.dmp

Download
memory/5004-205-0x0000000000000000-mapping.dmp

Download
memory/5016-147-0x0000000000000000-mapping.dmp

Download
memory/5096-180-0x0000000000000000-mapping.dmp

Download