masslogger | 4ec753e5cafab6f687a4cda65a4509d3ecf15d4ea1bbd990e671ed00d66cbb8f

Analysis

max time kernel
64s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
21-05-2022 00:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

DHL Shipment 7348255141.exe
Size

1.0MB
MD5

ec1721ef86c0f91cb52081731624f00b
SHA1

3e7900979980b88607b51f0a39faaaab5778eb6f
SHA256

c3678d87151b21e6a29ded035522c1c22950f97787e45b3df2dba52a4e688c97
SHA512

2fc3b09e286e427bd11ea822c3a55fce71c161b9cd1c8ab268eaa4214fcde3cfd73e54659c9fb3ea76d28145099811a9a30fcbf32f28e5cb6172afa0709d9f5b

Score

10^/10

masslogger spyware stealer

Malware Config

Signatures

MassLogger
Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
stealer spyware masslogger

MassLogger Main Payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3536-133-0x0000000000400000-0x00000000004B8000-memory.dmp	family_masslogger

Checks computer location settings 2 TTPs 30 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

DHL Shipment 7348255141.exeDHL Shipment 7348255141.exeDHL Shipment 7348255141.exeDHL Shipment 7348255141.exeDHL Shipment 7348255141.exeDHL Shipment 7348255141.exeDHL Shipment 7348255141.exeDHL Shipment 7348255141.exeDHL Shipment 7348255141.exeDHL Shipment 7348255141.exeDHL Shipment 7348255141.exeDHL Shipment 7348255141.exeDHL Shipment 7348255141.exeDHL Shipment 7348255141.exeDHL Shipment 7348255141.exeDHL Shipment 7348255141.exeDHL Shipment 7348255141.exeDHL Shipment 7348255141.exeDHL Shipment 7348255141.exeDHL Shipment 7348255141.exeDHL Shipment 7348255141.exeDHL Shipment 7348255141.exeDHL Shipment 7348255141.exeDHL Shipment 7348255141.exeDHL Shipment 7348255141.execmd.exeDHL Shipment 7348255141.exeDHL Shipment 7348255141.exeDHL Shipment 7348255141.exeDHL Shipment 7348255141.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	DHL Shipment 7348255141.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	DHL Shipment 7348255141.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	DHL Shipment 7348255141.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	DHL Shipment 7348255141.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	DHL Shipment 7348255141.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	DHL Shipment 7348255141.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	DHL Shipment 7348255141.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	DHL Shipment 7348255141.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	DHL Shipment 7348255141.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	DHL Shipment 7348255141.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	DHL Shipment 7348255141.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	DHL Shipment 7348255141.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	DHL Shipment 7348255141.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	DHL Shipment 7348255141.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	DHL Shipment 7348255141.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	DHL Shipment 7348255141.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	DHL Shipment 7348255141.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	DHL Shipment 7348255141.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	DHL Shipment 7348255141.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	DHL Shipment 7348255141.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	DHL Shipment 7348255141.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	DHL Shipment 7348255141.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	DHL Shipment 7348255141.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	DHL Shipment 7348255141.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	DHL Shipment 7348255141.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	DHL Shipment 7348255141.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	DHL Shipment 7348255141.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	DHL Shipment 7348255141.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	DHL Shipment 7348255141.exe

Suspicious use of SetThreadContext 31 IoCs

Processes:

DHL Shipment 7348255141.exeDHL Shipment 7348255141.exeDHL Shipment 7348255141.exeDHL Shipment 7348255141.exeDHL Shipment 7348255141.exeDHL Shipment 7348255141.exeDHL Shipment 7348255141.exeDHL Shipment 7348255141.exeDHL Shipment 7348255141.exeDHL Shipment 7348255141.exeDHL Shipment 7348255141.exeDHL Shipment 7348255141.exeDHL Shipment 7348255141.exeDHL Shipment 7348255141.exeDHL Shipment 7348255141.exeDHL Shipment 7348255141.exeDHL Shipment 7348255141.exeDHL Shipment 7348255141.exeDHL Shipment 7348255141.exeDHL Shipment 7348255141.exeDHL Shipment 7348255141.exeDHL Shipment 7348255141.exeDHL Shipment 7348255141.exeDHL Shipment 7348255141.exeDHL Shipment 7348255141.exeDHL Shipment 7348255141.exeDHL Shipment 7348255141.execmd.exeDHL Shipment 7348255141.exeDHL Shipment 7348255141.exeDHL Shipment 7348255141.exe

description	pid	process	target process
PID 1888 set thread context of 3536	1888	DHL Shipment 7348255141.exe	RegAsm.exe
PID 4760 set thread context of 3884	4760	DHL Shipment 7348255141.exe	RegAsm.exe
PID 4272 set thread context of 4424	4272	DHL Shipment 7348255141.exe	RegAsm.exe
PID 3460 set thread context of 4820	3460	DHL Shipment 7348255141.exe	RegAsm.exe
PID 1440 set thread context of 1996	1440	DHL Shipment 7348255141.exe	RegAsm.exe
PID 548 set thread context of 1404	548	DHL Shipment 7348255141.exe	RegAsm.exe
PID 1240 set thread context of 3224	1240	DHL Shipment 7348255141.exe	RegAsm.exe
PID 1120 set thread context of 3008	1120	DHL Shipment 7348255141.exe	RegAsm.exe
PID 2188 set thread context of 2120	2188	DHL Shipment 7348255141.exe	RegAsm.exe
PID 1472 set thread context of 1836	1472	DHL Shipment 7348255141.exe	RegAsm.exe
PID 1056 set thread context of 620	1056	DHL Shipment 7348255141.exe	RegAsm.exe
PID 4272 set thread context of 1964	4272	DHL Shipment 7348255141.exe	RegAsm.exe
PID 3536 set thread context of 1972	3536	DHL Shipment 7348255141.exe	RegAsm.exe
PID 4740 set thread context of 4856	4740	DHL Shipment 7348255141.exe	DHL Shipment 7348255141.exe
PID 1088 set thread context of 4824	1088	DHL Shipment 7348255141.exe	RegAsm.exe
PID 1872 set thread context of 3192	1872	DHL Shipment 7348255141.exe	RegAsm.exe
PID 5072 set thread context of 4876	5072	DHL Shipment 7348255141.exe	RegAsm.exe
PID 228 set thread context of 1364	228	DHL Shipment 7348255141.exe	RegAsm.exe
PID 4856 set thread context of 3704	4856	DHL Shipment 7348255141.exe	RegAsm.exe
PID 1724 set thread context of 2288	1724	DHL Shipment 7348255141.exe	Conhost.exe
PID 1160 set thread context of 4360	1160	DHL Shipment 7348255141.exe	RegAsm.exe
PID 3588 set thread context of 4736	3588	DHL Shipment 7348255141.exe	RegAsm.exe
PID 3612 set thread context of 4908	3612	DHL Shipment 7348255141.exe	RegAsm.exe
PID 5280 set thread context of 5320	5280	DHL Shipment 7348255141.exe	RegAsm.exe
PID 5512 set thread context of 5576	5512	DHL Shipment 7348255141.exe	RegAsm.exe
PID 5788 set thread context of 5828	5788	DHL Shipment 7348255141.exe	RegAsm.exe
PID 6096 set thread context of 1820	6096	DHL Shipment 7348255141.exe	RegAsm.exe
PID 116 set thread context of 3092	116	cmd.exe	RegAsm.exe
PID 2388 set thread context of 1916	2388	DHL Shipment 7348255141.exe	RegAsm.exe
PID 3880 set thread context of 4228	3880	DHL Shipment 7348255141.exe	RegAsm.exe
PID 908 set thread context of 3920	908	DHL Shipment 7348255141.exe	RegAsm.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

DHL Shipment 7348255141.exe

pid	process
1888	DHL Shipment 7348255141.exe
1888	DHL Shipment 7348255141.exe
1888	DHL Shipment 7348255141.exe
1888	DHL Shipment 7348255141.exe
1888	DHL Shipment 7348255141.exe
1888	DHL Shipment 7348255141.exe
1888	DHL Shipment 7348255141.exe
1888	DHL Shipment 7348255141.exe
1888	DHL Shipment 7348255141.exe
1888	DHL Shipment 7348255141.exe
1888	DHL Shipment 7348255141.exe
1888	DHL Shipment 7348255141.exe
1888	DHL Shipment 7348255141.exe
1888	DHL Shipment 7348255141.exe
1888	DHL Shipment 7348255141.exe
1888	DHL Shipment 7348255141.exe
1888	DHL Shipment 7348255141.exe
1888	DHL Shipment 7348255141.exe
1888	DHL Shipment 7348255141.exe
1888	DHL Shipment 7348255141.exe
1888	DHL Shipment 7348255141.exe
1888	DHL Shipment 7348255141.exe
1888	DHL Shipment 7348255141.exe
1888	DHL Shipment 7348255141.exe
1888	DHL Shipment 7348255141.exe
1888	DHL Shipment 7348255141.exe
1888	DHL Shipment 7348255141.exe
1888	DHL Shipment 7348255141.exe
1888	DHL Shipment 7348255141.exe
1888	DHL Shipment 7348255141.exe
1888	DHL Shipment 7348255141.exe
1888	DHL Shipment 7348255141.exe
1888	DHL Shipment 7348255141.exe
1888	DHL Shipment 7348255141.exe
1888	DHL Shipment 7348255141.exe
1888	DHL Shipment 7348255141.exe
1888	DHL Shipment 7348255141.exe
1888	DHL Shipment 7348255141.exe
1888	DHL Shipment 7348255141.exe
1888	DHL Shipment 7348255141.exe
1888	DHL Shipment 7348255141.exe
1888	DHL Shipment 7348255141.exe
1888	DHL Shipment 7348255141.exe
1888	DHL Shipment 7348255141.exe
1888	DHL Shipment 7348255141.exe
1888	DHL Shipment 7348255141.exe
1888	DHL Shipment 7348255141.exe
1888	DHL Shipment 7348255141.exe
1888	DHL Shipment 7348255141.exe
1888	DHL Shipment 7348255141.exe
1888	DHL Shipment 7348255141.exe
1888	DHL Shipment 7348255141.exe
1888	DHL Shipment 7348255141.exe
1888	DHL Shipment 7348255141.exe
1888	DHL Shipment 7348255141.exe
1888	DHL Shipment 7348255141.exe
1888	DHL Shipment 7348255141.exe
1888	DHL Shipment 7348255141.exe
1888	DHL Shipment 7348255141.exe
1888	DHL Shipment 7348255141.exe
1888	DHL Shipment 7348255141.exe
1888	DHL Shipment 7348255141.exe
1888	DHL Shipment 7348255141.exe
1888	DHL Shipment 7348255141.exe

Suspicious behavior: MapViewOfSection 54 IoCs

Processes:

DHL Shipment 7348255141.exeDHL Shipment 7348255141.exeDHL Shipment 7348255141.exeDHL Shipment 7348255141.exeDHL Shipment 7348255141.exeDHL Shipment 7348255141.exeDHL Shipment 7348255141.exeDHL Shipment 7348255141.exeDHL Shipment 7348255141.exeDHL Shipment 7348255141.exeDHL Shipment 7348255141.exeDHL Shipment 7348255141.exeDHL Shipment 7348255141.exeDHL Shipment 7348255141.exeDHL Shipment 7348255141.exeDHL Shipment 7348255141.exeDHL Shipment 7348255141.exeDHL Shipment 7348255141.exeDHL Shipment 7348255141.exeDHL Shipment 7348255141.exeDHL Shipment 7348255141.exeDHL Shipment 7348255141.exeDHL Shipment 7348255141.exeDHL Shipment 7348255141.exeDHL Shipment 7348255141.exeDHL Shipment 7348255141.exeDHL Shipment 7348255141.execmd.exeDHL Shipment 7348255141.exeDHL Shipment 7348255141.exeDHL Shipment 7348255141.exe

pid	process
1888	DHL Shipment 7348255141.exe
1888	DHL Shipment 7348255141.exe
1888	DHL Shipment 7348255141.exe
1888	DHL Shipment 7348255141.exe
4760	DHL Shipment 7348255141.exe
4272	DHL Shipment 7348255141.exe
3460	DHL Shipment 7348255141.exe
3460	DHL Shipment 7348255141.exe
1440	DHL Shipment 7348255141.exe
1440	DHL Shipment 7348255141.exe
1440	DHL Shipment 7348255141.exe
548	DHL Shipment 7348255141.exe
548	DHL Shipment 7348255141.exe
1240	DHL Shipment 7348255141.exe
1120	DHL Shipment 7348255141.exe
2188	DHL Shipment 7348255141.exe
2188	DHL Shipment 7348255141.exe
2188	DHL Shipment 7348255141.exe
2188	DHL Shipment 7348255141.exe
1472	DHL Shipment 7348255141.exe
1056	DHL Shipment 7348255141.exe
4272	DHL Shipment 7348255141.exe
4272	DHL Shipment 7348255141.exe
4272	DHL Shipment 7348255141.exe
4272	DHL Shipment 7348255141.exe
4272	DHL Shipment 7348255141.exe
3536	DHL Shipment 7348255141.exe
4740	DHL Shipment 7348255141.exe
1088	DHL Shipment 7348255141.exe
1872	DHL Shipment 7348255141.exe
1872	DHL Shipment 7348255141.exe
5072	DHL Shipment 7348255141.exe
5072	DHL Shipment 7348255141.exe
228	DHL Shipment 7348255141.exe
228	DHL Shipment 7348255141.exe
4856	DHL Shipment 7348255141.exe
1724	DHL Shipment 7348255141.exe
1160	DHL Shipment 7348255141.exe
3588	DHL Shipment 7348255141.exe
3612	DHL Shipment 7348255141.exe
5280	DHL Shipment 7348255141.exe
5512	DHL Shipment 7348255141.exe
5512	DHL Shipment 7348255141.exe
5512	DHL Shipment 7348255141.exe
5788	DHL Shipment 7348255141.exe
6096	DHL Shipment 7348255141.exe
6096	DHL Shipment 7348255141.exe
116	cmd.exe
2388	DHL Shipment 7348255141.exe
2388	DHL Shipment 7348255141.exe
2388	DHL Shipment 7348255141.exe
3880	DHL Shipment 7348255141.exe
3880	DHL Shipment 7348255141.exe
908	DHL Shipment 7348255141.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

DHL Shipment 7348255141.exeRegAsm.exeDHL Shipment 7348255141.exeRegAsm.exeDHL Shipment 7348255141.exeRegAsm.exeDHL Shipment 7348255141.exeRegAsm.exeDHL Shipment 7348255141.exeRegAsm.exeDHL Shipment 7348255141.exeRegAsm.exeDHL Shipment 7348255141.exeRegAsm.exeDHL Shipment 7348255141.exeRegAsm.exeDHL Shipment 7348255141.exeRegAsm.exepowershell.exepowershell.exepowershell.exepowershell.exeDHL Shipment 7348255141.exepowershell.exepowershell.exeRegAsm.exeDHL Shipment 7348255141.exeRegAsm.exepowershell.exepowershell.exeDHL Shipment 7348255141.exeRegAsm.exeDHL Shipment 7348255141.exeRegAsm.exepowershell.exeDHL Shipment 7348255141.exeDHL Shipment 7348255141.exepowershell.exeDHL Shipment 7348255141.exeRegAsm.exepowershell.exeDHL Shipment 7348255141.exeRegAsm.exepowershell.exeDHL Shipment 7348255141.exeRegAsm.exepowershell.exepowershell.exeDHL Shipment 7348255141.exeRegAsm.exeRegAsm.exeDHL Shipment 7348255141.exeConhost.exepowershell.exeDHL Shipment 7348255141.exeRegAsm.exepowershell.exeDHL Shipment 7348255141.exeRegAsm.exepowershell.exeDHL Shipment 7348255141.exeRegAsm.exeDHL Shipment 7348255141.exe

description	pid	process
Token: SeDebugPrivilege	1888	DHL Shipment 7348255141.exe
Token: SeDebugPrivilege	3536	RegAsm.exe
Token: SeDebugPrivilege	4760	DHL Shipment 7348255141.exe
Token: SeDebugPrivilege	3884	RegAsm.exe
Token: SeDebugPrivilege	4272	DHL Shipment 7348255141.exe
Token: SeDebugPrivilege	4424	RegAsm.exe
Token: SeDebugPrivilege	3460	DHL Shipment 7348255141.exe
Token: SeDebugPrivilege	4820	RegAsm.exe
Token: SeDebugPrivilege	1440	DHL Shipment 7348255141.exe
Token: SeDebugPrivilege	1996	RegAsm.exe
Token: SeDebugPrivilege	548	DHL Shipment 7348255141.exe
Token: SeDebugPrivilege	1404	RegAsm.exe
Token: SeDebugPrivilege	1240	DHL Shipment 7348255141.exe
Token: SeDebugPrivilege	3224	RegAsm.exe
Token: SeDebugPrivilege	1120	DHL Shipment 7348255141.exe
Token: SeDebugPrivilege	3008	RegAsm.exe
Token: SeDebugPrivilege	2188	DHL Shipment 7348255141.exe
Token: SeDebugPrivilege	2120	RegAsm.exe
Token: SeDebugPrivilege	3748	powershell.exe
Token: SeDebugPrivilege	3152	powershell.exe
Token: SeDebugPrivilege	908	powershell.exe
Token: SeDebugPrivilege	2560	powershell.exe
Token: SeDebugPrivilege	1472	DHL Shipment 7348255141.exe
Token: SeDebugPrivilege	3812	powershell.exe
Token: SeDebugPrivilege	3312	powershell.exe
Token: SeDebugPrivilege	1836	RegAsm.exe
Token: SeDebugPrivilege	1056	DHL Shipment 7348255141.exe
Token: SeDebugPrivilege	620	RegAsm.exe
Token: SeDebugPrivilege	1356	powershell.exe
Token: SeDebugPrivilege	4176	powershell.exe
Token: SeDebugPrivilege	4272	DHL Shipment 7348255141.exe
Token: SeDebugPrivilege	1964	RegAsm.exe
Token: SeDebugPrivilege	3536	DHL Shipment 7348255141.exe
Token: SeDebugPrivilege	1972	RegAsm.exe
Token: SeDebugPrivilege	4352	powershell.exe
Token: SeDebugPrivilege	4740	DHL Shipment 7348255141.exe
Token: SeDebugPrivilege	4856	DHL Shipment 7348255141.exe
Token: SeDebugPrivilege	3168	powershell.exe
Token: SeDebugPrivilege	1088	DHL Shipment 7348255141.exe
Token: SeDebugPrivilege	4824	RegAsm.exe
Token: SeDebugPrivilege	1108	powershell.exe
Token: SeDebugPrivilege	1872	DHL Shipment 7348255141.exe
Token: SeDebugPrivilege	3192	RegAsm.exe
Token: SeDebugPrivilege	4964	powershell.exe
Token: SeDebugPrivilege	5072	DHL Shipment 7348255141.exe
Token: SeDebugPrivilege	4876	RegAsm.exe
Token: SeDebugPrivilege	3596	powershell.exe
Token: SeDebugPrivilege	4556	powershell.exe
Token: SeDebugPrivilege	228	DHL Shipment 7348255141.exe
Token: SeDebugPrivilege	1364	RegAsm.exe
Token: SeDebugPrivilege	4856	DHL Shipment 7348255141.exe
Token: SeDebugPrivilege	3704	RegAsm.exe
Token: SeDebugPrivilege	1724	DHL Shipment 7348255141.exe
Token: SeDebugPrivilege	2288	Conhost.exe
Token: SeDebugPrivilege	2524	powershell.exe
Token: SeDebugPrivilege	1160	DHL Shipment 7348255141.exe
Token: SeDebugPrivilege	4360	RegAsm.exe
Token: SeDebugPrivilege	4720	powershell.exe
Token: SeDebugPrivilege	3588	DHL Shipment 7348255141.exe
Token: SeDebugPrivilege	4736	RegAsm.exe
Token: SeDebugPrivilege	1368	powershell.exe
Token: SeDebugPrivilege	3612	DHL Shipment 7348255141.exe
Token: SeDebugPrivilege	4908	RegAsm.exe
Token: SeDebugPrivilege	5280	DHL Shipment 7348255141.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

DHL Shipment 7348255141.exeDHL Shipment 7348255141.exeDHL Shipment 7348255141.exeDHL Shipment 7348255141.exeDHL Shipment 7348255141.exeDHL Shipment 7348255141.exeDHL Shipment 7348255141.exe

description	pid	process	target process
PID 1888 wrote to memory of 3360	1888	DHL Shipment 7348255141.exe	RegAsm.exe
PID 1888 wrote to memory of 3360	1888	DHL Shipment 7348255141.exe	RegAsm.exe
PID 1888 wrote to memory of 3360	1888	DHL Shipment 7348255141.exe	RegAsm.exe
PID 1888 wrote to memory of 3612	1888	DHL Shipment 7348255141.exe	RegAsm.exe
PID 1888 wrote to memory of 3612	1888	DHL Shipment 7348255141.exe	RegAsm.exe
PID 1888 wrote to memory of 3612	1888	DHL Shipment 7348255141.exe	RegAsm.exe
PID 1888 wrote to memory of 3688	1888	DHL Shipment 7348255141.exe	RegAsm.exe
PID 1888 wrote to memory of 3688	1888	DHL Shipment 7348255141.exe	RegAsm.exe
PID 1888 wrote to memory of 3688	1888	DHL Shipment 7348255141.exe	RegAsm.exe
PID 1888 wrote to memory of 3536	1888	DHL Shipment 7348255141.exe	RegAsm.exe
PID 1888 wrote to memory of 3536	1888	DHL Shipment 7348255141.exe	RegAsm.exe
PID 1888 wrote to memory of 3536	1888	DHL Shipment 7348255141.exe	RegAsm.exe
PID 1888 wrote to memory of 3536	1888	DHL Shipment 7348255141.exe	RegAsm.exe
PID 1888 wrote to memory of 4760	1888	DHL Shipment 7348255141.exe	DHL Shipment 7348255141.exe
PID 1888 wrote to memory of 4760	1888	DHL Shipment 7348255141.exe	DHL Shipment 7348255141.exe
PID 1888 wrote to memory of 4760	1888	DHL Shipment 7348255141.exe	DHL Shipment 7348255141.exe
PID 4760 wrote to memory of 3884	4760	DHL Shipment 7348255141.exe	RegAsm.exe
PID 4760 wrote to memory of 3884	4760	DHL Shipment 7348255141.exe	RegAsm.exe
PID 4760 wrote to memory of 3884	4760	DHL Shipment 7348255141.exe	RegAsm.exe
PID 4760 wrote to memory of 3884	4760	DHL Shipment 7348255141.exe	RegAsm.exe
PID 4760 wrote to memory of 4272	4760	DHL Shipment 7348255141.exe	DHL Shipment 7348255141.exe
PID 4760 wrote to memory of 4272	4760	DHL Shipment 7348255141.exe	DHL Shipment 7348255141.exe
PID 4760 wrote to memory of 4272	4760	DHL Shipment 7348255141.exe	DHL Shipment 7348255141.exe
PID 4272 wrote to memory of 4424	4272	DHL Shipment 7348255141.exe	RegAsm.exe
PID 4272 wrote to memory of 4424	4272	DHL Shipment 7348255141.exe	RegAsm.exe
PID 4272 wrote to memory of 4424	4272	DHL Shipment 7348255141.exe	RegAsm.exe
PID 4272 wrote to memory of 4424	4272	DHL Shipment 7348255141.exe	RegAsm.exe
PID 4272 wrote to memory of 3460	4272	DHL Shipment 7348255141.exe	DHL Shipment 7348255141.exe
PID 4272 wrote to memory of 3460	4272	DHL Shipment 7348255141.exe	DHL Shipment 7348255141.exe
PID 4272 wrote to memory of 3460	4272	DHL Shipment 7348255141.exe	DHL Shipment 7348255141.exe
PID 3460 wrote to memory of 4812	3460	DHL Shipment 7348255141.exe	RegAsm.exe
PID 3460 wrote to memory of 4812	3460	DHL Shipment 7348255141.exe	RegAsm.exe
PID 3460 wrote to memory of 4812	3460	DHL Shipment 7348255141.exe	RegAsm.exe
PID 3460 wrote to memory of 4820	3460	DHL Shipment 7348255141.exe	RegAsm.exe
PID 3460 wrote to memory of 4820	3460	DHL Shipment 7348255141.exe	RegAsm.exe
PID 3460 wrote to memory of 4820	3460	DHL Shipment 7348255141.exe	RegAsm.exe
PID 3460 wrote to memory of 4820	3460	DHL Shipment 7348255141.exe	RegAsm.exe
PID 3460 wrote to memory of 1440	3460	DHL Shipment 7348255141.exe	DHL Shipment 7348255141.exe
PID 3460 wrote to memory of 1440	3460	DHL Shipment 7348255141.exe	DHL Shipment 7348255141.exe
PID 3460 wrote to memory of 1440	3460	DHL Shipment 7348255141.exe	DHL Shipment 7348255141.exe
PID 1440 wrote to memory of 4316	1440	DHL Shipment 7348255141.exe	RegAsm.exe
PID 1440 wrote to memory of 4316	1440	DHL Shipment 7348255141.exe	RegAsm.exe
PID 1440 wrote to memory of 4316	1440	DHL Shipment 7348255141.exe	RegAsm.exe
PID 1440 wrote to memory of 456	1440	DHL Shipment 7348255141.exe	RegAsm.exe
PID 1440 wrote to memory of 456	1440	DHL Shipment 7348255141.exe	RegAsm.exe
PID 1440 wrote to memory of 456	1440	DHL Shipment 7348255141.exe	RegAsm.exe
PID 1440 wrote to memory of 1996	1440	DHL Shipment 7348255141.exe	RegAsm.exe
PID 1440 wrote to memory of 1996	1440	DHL Shipment 7348255141.exe	RegAsm.exe
PID 1440 wrote to memory of 1996	1440	DHL Shipment 7348255141.exe	RegAsm.exe
PID 1440 wrote to memory of 1996	1440	DHL Shipment 7348255141.exe	RegAsm.exe
PID 1440 wrote to memory of 548	1440	DHL Shipment 7348255141.exe	DHL Shipment 7348255141.exe
PID 1440 wrote to memory of 548	1440	DHL Shipment 7348255141.exe	DHL Shipment 7348255141.exe
PID 1440 wrote to memory of 548	1440	DHL Shipment 7348255141.exe	DHL Shipment 7348255141.exe
PID 548 wrote to memory of 2124	548	DHL Shipment 7348255141.exe	RegAsm.exe
PID 548 wrote to memory of 2124	548	DHL Shipment 7348255141.exe	RegAsm.exe
PID 548 wrote to memory of 2124	548	DHL Shipment 7348255141.exe	RegAsm.exe
PID 548 wrote to memory of 1404	548	DHL Shipment 7348255141.exe	RegAsm.exe
PID 548 wrote to memory of 1404	548	DHL Shipment 7348255141.exe	RegAsm.exe
PID 548 wrote to memory of 1404	548	DHL Shipment 7348255141.exe	RegAsm.exe
PID 548 wrote to memory of 1404	548	DHL Shipment 7348255141.exe	RegAsm.exe
PID 548 wrote to memory of 1240	548	DHL Shipment 7348255141.exe	DHL Shipment 7348255141.exe
PID 548 wrote to memory of 1240	548	DHL Shipment 7348255141.exe	DHL Shipment 7348255141.exe
PID 548 wrote to memory of 1240	548	DHL Shipment 7348255141.exe	DHL Shipment 7348255141.exe
PID 1240 wrote to memory of 3224	1240	DHL Shipment 7348255141.exe	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe
"C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1888

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
PID:3360

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
PID:3612

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
PID:3688

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3536

C:\Windows\SysWOW64\cmd.exe
"cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe' & exit
3⤵
PID:360

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe'
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:3152

C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe
"C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"
2⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4760

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3884

C:\Windows\SysWOW64\cmd.exe
"cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe' & exit
4⤵
PID:1716

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe'
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:908

C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe
"C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"
3⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4272

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4424

C:\Windows\SysWOW64\cmd.exe
"cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe' & exit
5⤵
PID:4892

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe'
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:3748

C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe
"C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"
4⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3460

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:4820

C:\Windows\SysWOW64\cmd.exe
"cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe' & exit
6⤵
PID:3228

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe'
7⤵
- Suspicious use of AdjustPrivilegeToken
PID:3812

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
5⤵
PID:4812

C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe
"C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"
5⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1440

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:1996

C:\Windows\SysWOW64\cmd.exe
"cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe' & exit
7⤵
PID:3160

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe'
8⤵
- Suspicious use of AdjustPrivilegeToken
PID:2560

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
6⤵
PID:456

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
6⤵
PID:4316

C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe
"C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"
6⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:548

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
7⤵
PID:2124

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
7⤵
- Suspicious use of AdjustPrivilegeToken
PID:1404

C:\Windows\SysWOW64\cmd.exe
"cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe' & exit
8⤵
PID:1672

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe'
9⤵
- Suspicious use of AdjustPrivilegeToken
PID:3312

C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe
"C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"
7⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1240

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
8⤵
- Suspicious use of AdjustPrivilegeToken
PID:3224

C:\Windows\SysWOW64\cmd.exe
"cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe' & exit
9⤵
PID:2700

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe'
10⤵
- Suspicious use of AdjustPrivilegeToken
PID:1356

C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe
"C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"
8⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1120

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
9⤵
- Suspicious use of AdjustPrivilegeToken
PID:3008

C:\Windows\SysWOW64\cmd.exe
"cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe' & exit
10⤵
PID:1732

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe'
11⤵
- Suspicious use of AdjustPrivilegeToken
PID:4176

C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe
"C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"
9⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2188

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
10⤵
- Suspicious use of AdjustPrivilegeToken
PID:2120

C:\Windows\SysWOW64\cmd.exe
"cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe' & exit
11⤵
PID:4296

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe'
12⤵
- Suspicious use of AdjustPrivilegeToken
PID:4352

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
10⤵
PID:2516

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
10⤵
PID:1108

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
10⤵
PID:2344

C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe
"C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"
10⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1472

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
11⤵
- Suspicious use of AdjustPrivilegeToken
PID:1836

C:\Windows\SysWOW64\cmd.exe
"cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe' & exit
12⤵
PID:4224

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe'
13⤵
- Suspicious use of AdjustPrivilegeToken
PID:3168

C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe
"C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"
11⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1056

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
12⤵
- Suspicious use of AdjustPrivilegeToken
PID:620

C:\Windows\SysWOW64\cmd.exe
"cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe' & exit
13⤵
PID:3580

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe'
14⤵
- Suspicious use of AdjustPrivilegeToken
PID:1108

C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe
"C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"
12⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4272

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
13⤵
- Suspicious use of AdjustPrivilegeToken
PID:1964

C:\Windows\SysWOW64\cmd.exe
"cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe' & exit
14⤵
PID:2260

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe'
15⤵
- Suspicious use of AdjustPrivilegeToken
PID:4964

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
13⤵
PID:964

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
13⤵
PID:4792

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
13⤵
PID:1720

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
13⤵
PID:3460

C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe
"C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"
13⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3536

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
14⤵
- Suspicious use of AdjustPrivilegeToken
PID:1972

C:\Windows\SysWOW64\cmd.exe
"cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe' & exit
15⤵
PID:2180

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe'
16⤵
- Suspicious use of AdjustPrivilegeToken
PID:3596

C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe
"C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"
14⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4740

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
15⤵
PID:4856

C:\Windows\SysWOW64\cmd.exe
"cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe' & exit
16⤵
PID:412

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe'
17⤵
- Suspicious use of AdjustPrivilegeToken
PID:4556

C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe
"C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"
15⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1088

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
16⤵
- Suspicious use of AdjustPrivilegeToken
PID:4824

C:\Windows\SysWOW64\cmd.exe
"cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe' & exit
17⤵
PID:4368

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe'
18⤵
- Suspicious use of AdjustPrivilegeToken
PID:2524

C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe
"C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"
16⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1872

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
17⤵
- Suspicious use of AdjustPrivilegeToken
PID:3192

C:\Windows\SysWOW64\cmd.exe
"cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe' & exit
18⤵
PID:3236

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe'
19⤵
- Suspicious use of AdjustPrivilegeToken
PID:4720

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
17⤵
PID:3440

C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe
"C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"
17⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:5072

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
18⤵
PID:3528

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
18⤵
- Suspicious use of AdjustPrivilegeToken
PID:4876

C:\Windows\SysWOW64\cmd.exe
"cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe' & exit
19⤵
PID:2552

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe'
20⤵
- Suspicious use of AdjustPrivilegeToken
PID:1368

C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe
"C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"
18⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:228

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
19⤵
PID:3008

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
19⤵
- Suspicious use of AdjustPrivilegeToken
PID:1364

C:\Windows\SysWOW64\cmd.exe
"cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe' & exit
20⤵
PID:988

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe'
21⤵
PID:5240

C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe
"C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"
19⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4856

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
20⤵
- Suspicious use of AdjustPrivilegeToken
PID:3704

C:\Windows\SysWOW64\cmd.exe
"cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe' & exit
21⤵
PID:5156

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe'
22⤵
PID:5396

C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe
"C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"
20⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1724

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
21⤵
PID:2288

C:\Windows\SysWOW64\cmd.exe
"cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe' & exit
22⤵
PID:5376

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe'
23⤵
PID:5672

C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe
"C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"
21⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1160

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
22⤵
- Suspicious use of AdjustPrivilegeToken
PID:4360

C:\Windows\SysWOW64\cmd.exe
"cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe' & exit
23⤵
PID:5604

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe'
24⤵
PID:5868

C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe
"C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"
22⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3588

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
23⤵
- Suspicious use of AdjustPrivilegeToken
PID:4736

C:\Windows\SysWOW64\cmd.exe
"cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe' & exit
24⤵
PID:5856

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe'
25⤵
PID:552

C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe
"C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"
23⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3612

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
24⤵
- Suspicious use of AdjustPrivilegeToken
PID:4908

C:\Windows\SysWOW64\cmd.exe
"cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe' & exit
25⤵
PID:6072

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe'
26⤵
PID:864

C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe
"C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"
24⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:5280

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
25⤵
PID:5320

C:\Windows\SysWOW64\cmd.exe
"cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe' & exit
26⤵
PID:396

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe'
27⤵
PID:5440

C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe
"C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"
25⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:5512

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
26⤵
PID:5576

C:\Windows\SysWOW64\cmd.exe
"cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe' & exit
27⤵
PID:5224

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe'
28⤵
PID:4936

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
26⤵
PID:5568

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
26⤵
PID:5560

C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe
"C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"
26⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:5788

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
27⤵
PID:5828

C:\Windows\SysWOW64\cmd.exe
"cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe' & exit
28⤵
PID:1808

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe'
29⤵
PID:392

C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe
"C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"
27⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:6096

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
28⤵
PID:1820

C:\Windows\SysWOW64\cmd.exe
"cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe' & exit
29⤵
PID:4072

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe'
30⤵
PID:5772

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
28⤵
PID:5000

C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe
"C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"
28⤵
PID:116

C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe
"C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"
29⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:2388

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
30⤵
PID:1916

C:\Windows\SysWOW64\cmd.exe
"cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe' & exit
31⤵
PID:6048

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
32⤵
- Suspicious use of AdjustPrivilegeToken
PID:2288

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe'
32⤵
PID:3128

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
30⤵
PID:5436

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
30⤵
PID:4372

C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe
"C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"
30⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:3880

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
31⤵
PID:4228

C:\Windows\SysWOW64\cmd.exe
"cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe' & exit
32⤵
PID:1792

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe'
33⤵
PID:5300

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
31⤵
PID:2628

C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe
"C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"
31⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:908

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
32⤵
PID:3920

C:\Windows\SysWOW64\cmd.exe
"cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe' & exit
33⤵
PID:6040

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe'
34⤵
PID:4548

C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe
"C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"
32⤵
PID:2316

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
33⤵
PID:4740

C:\Windows\SysWOW64\cmd.exe
"cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe' & exit
34⤵
PID:3536

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe'
35⤵
PID:3796

C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe
"C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"
33⤵
PID:5188

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
34⤵
PID:4020

C:\Windows\SysWOW64\cmd.exe
"cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe' & exit
35⤵
PID:3116

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe'
36⤵
PID:532

C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe
"C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"
34⤵
PID:5844

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
35⤵
PID:3868

C:\Windows\SysWOW64\cmd.exe
"cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe' & exit
36⤵
PID:3264

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe'
37⤵
PID:3876

C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe
"C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"
35⤵
PID:2020

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
36⤵
PID:1704

C:\Windows\SysWOW64\cmd.exe
"cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe' & exit
37⤵
PID:1004

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe'
38⤵
PID:4992

C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe
"C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"
36⤵
PID:4472

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
37⤵
PID:3756

C:\Windows\SysWOW64\cmd.exe
"cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe' & exit
38⤵
PID:1056

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe'
39⤵
PID:2188

C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe
"C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"
37⤵
PID:1752

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
38⤵
PID:5784

C:\Windows\SysWOW64\cmd.exe
"cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe' & exit
39⤵
PID:6056

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe'
40⤵
PID:2640

C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe
"C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"
38⤵
PID:3856

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
39⤵
PID:1884

C:\Windows\SysWOW64\cmd.exe
"cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe' & exit
40⤵
PID:4736

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe'
41⤵
PID:3656

C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe
"C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"
39⤵
PID:4968

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
40⤵
PID:3084

C:\Windows\SysWOW64\cmd.exe
"cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe' & exit
41⤵
PID:2672

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe'
42⤵
PID:4860

C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe
"C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"
40⤵
PID:5332

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
41⤵
PID:5088

C:\Windows\SysWOW64\cmd.exe
"cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe' & exit
42⤵
PID:5508

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe'
43⤵
PID:4320

C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe
"C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"
41⤵
PID:4840

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
42⤵
PID:5168

C:\Windows\SysWOW64\cmd.exe
"cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe' & exit
43⤵
PID:4876

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe'
44⤵
PID:2712

C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe
"C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"
42⤵
PID:5888

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
43⤵
PID:552

C:\Windows\SysWOW64\cmd.exe
"cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe' & exit
44⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:116

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe'
45⤵
PID:4916

C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe
"C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"
43⤵
PID:1016

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
44⤵
PID:3840

C:\Windows\SysWOW64\cmd.exe
"cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe' & exit
45⤵
PID:2348

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe'
46⤵
PID:2780

C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe
"C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"
44⤵
PID:2932

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
45⤵
PID:5716

C:\Windows\SysWOW64\cmd.exe
"cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe' & exit
46⤵
PID:3352

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe'
47⤵
PID:3360

C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe
"C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"
45⤵
PID:456

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
46⤵
PID:5468

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
46⤵
PID:4220

C:\Windows\SysWOW64\cmd.exe
"cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe' & exit
47⤵
PID:5016

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe'
48⤵
PID:620

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
46⤵
PID:6136

C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe
"C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"
46⤵
PID:5280

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
47⤵
PID:3496

C:\Windows\SysWOW64\cmd.exe
"cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe' & exit
48⤵
PID:5504

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe'
49⤵
PID:5132

C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe
"C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"
47⤵
PID:5520

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
48⤵
PID:5136

C:\Windows\SysWOW64\cmd.exe
"cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe' & exit
49⤵
PID:6068

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe'
50⤵
PID:5732

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
48⤵
PID:5844

C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe
"C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"
48⤵
PID:1052

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
49⤵
PID:5796

C:\Windows\SysWOW64\cmd.exe
"cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe' & exit
50⤵
PID:5736

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe'
51⤵
PID:4844

C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe
"C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"
49⤵
PID:3460

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
50⤵
PID:5784

C:\Windows\SysWOW64\cmd.exe
"cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe' & exit
51⤵
PID:3800

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe'
52⤵
PID:5620

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
50⤵
PID:5724

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
50⤵
PID:5892

C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe
"C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"
50⤵
PID:6008

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
51⤵
PID:3284

C:\Windows\SysWOW64\cmd.exe
"cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe' & exit
52⤵
PID:1388

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe'
53⤵
PID:1360

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
51⤵
PID:3204

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
51⤵
PID:3776

C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe
"C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"
51⤵
PID:2932

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
52⤵
PID:5336

C:\Windows\SysWOW64\cmd.exe
"cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe' & exit
53⤵
PID:5264

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe'
54⤵
PID:5144

C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe
"C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"
52⤵
PID:6064

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
53⤵
PID:5612

C:\Windows\SysWOW64\cmd.exe
"cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe' & exit
54⤵
PID:1844

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe'
55⤵
PID:1252

C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe
"C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"
53⤵
PID:548

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
54⤵
PID:5380

C:\Windows\SysWOW64\cmd.exe
"cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe' & exit
55⤵
PID:3028

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe'
56⤵
PID:204

C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe
"C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"
54⤵
PID:4956

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
55⤵
PID:3104

C:\Windows\SysWOW64\cmd.exe
"cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe' & exit
56⤵
PID:2344

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe'
57⤵
PID:1656

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
55⤵
PID:3244

C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe
"C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"
55⤵
PID:388

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
56⤵
PID:5364

C:\Windows\SysWOW64\cmd.exe
"cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe' & exit
57⤵
PID:6124

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe'
58⤵
PID:3776

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
56⤵
PID:3272

C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe
"C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"
56⤵
PID:4160

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
57⤵
PID:4360

C:\Windows\SysWOW64\cmd.exe
"cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe' & exit
58⤵
PID:3840

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe'
59⤵
PID:4700

C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe
"C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"
57⤵
PID:4540

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
58⤵
PID:1484

C:\Windows\SysWOW64\cmd.exe
"cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe' & exit
59⤵
PID:4704

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe'
60⤵
PID:4960

C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe
"C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"
58⤵
PID:4668

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
59⤵
PID:1088

C:\Windows\SysWOW64\cmd.exe
"cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe' & exit
60⤵
PID:3272

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe'
61⤵
PID:5576

C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe
"C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"
59⤵
PID:4272

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
60⤵
PID:2620

C:\Windows\SysWOW64\cmd.exe
"cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe' & exit
61⤵
PID:5944

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe'
62⤵
PID:412

C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe
"C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"
60⤵
PID:5372

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
61⤵
PID:2160

C:\Windows\SysWOW64\cmd.exe
"cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe' & exit
62⤵
PID:388

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe'
63⤵
PID:4292

C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe
"C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"
61⤵
PID:5552

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
62⤵
PID:1552

C:\Windows\SysWOW64\cmd.exe
"cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe' & exit
63⤵
PID:4824

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe'
64⤵
PID:2464

C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe
"C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"
62⤵
PID:864

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
63⤵
PID:5912

C:\Windows\SysWOW64\cmd.exe
"cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe' & exit
64⤵
PID:1616

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe'
65⤵
PID:3004

C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe
"C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"
63⤵
PID:4612

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
64⤵
PID:4792

C:\Windows\SysWOW64\cmd.exe
"cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe' & exit
65⤵
PID:4840

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe'
66⤵
PID:5256

C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe
"C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"
64⤵
PID:1632

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
65⤵
PID:1004

C:\Windows\SysWOW64\cmd.exe
"cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe' & exit
66⤵
PID:4132

C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe
"C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"
65⤵
PID:5492

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
66⤵
PID:2172

C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe
"C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"
66⤵
PID:3136

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
67⤵
PID:2884

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
67⤵
PID:4568

C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe
"C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"
67⤵
PID:1172

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
68⤵
PID:4992

C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe
"C:\Users\Admin\AppData\Local\Temp\DHL Shipment 7348255141.exe"
68⤵
PID:6096

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
69⤵
PID:4804

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
1⤵
PID:3092

C:\Windows\SysWOW64\cmd.exe
"cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe' & exit
2⤵
PID:5972

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe'
3⤵
PID:1644

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe a85abe294c8443883f264824412b2322 NQ/kNNTifUySBzKTKfTDmg.0.1.0.0.0
1⤵
PID:5568

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegAsm.exe.log
Filesize
994B

MD5
334ac3d2e55f80a9b69e02d1dbc44947

SHA1
dea2b26b13eca80ad781cfeeaf7082e0d0dc4f2e

SHA256
cfc8439b36fdd0455772cdb646d04b93858f9bc44fc94473bf73b253c2e4f25d

SHA512
83b5111afd7b24bf4bc193b01587ce590655d25ae9d0f333f6dbd1ddd2d93c2b22b48f5a52aa3c7d7d5833d774fcc729a7f6f9d1faf7277d1fc8deec16efd649

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
712a00a9d8164b3b6795c4e11800d2f1

SHA1
82952ef15a2e4e2b06cb149d3b206d11135128b5

SHA256
2a3b20384f9ce1100ea1c1d3fc24b874446506c627102da75ace1e7bcac4a052

SHA512
ab87d76996cf96e76f9182f72ffe16b1e014ac1ccbe2991a6cd85309622365fbf4a6e79023e616c529640f626cd3943bab9338816bf6ce6831cf5696d28ecd17

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Filesize
53KB

MD5
d4d8cef58818612769a698c291ca3b37

SHA1
54e0a6e0c08723157829cea009ec4fe30bea5c50

SHA256
98fd693b92a71e24110ce7d018a117757ffdfe0e551a33c5fa5d8888a2d74fb0

SHA512
f165b1dde8f251e95d137a466d9bb77240396e289d1b2f8f1e9a28a6470545df07d00da6449250a1a0d73364c9cb6c00fd6229a385585a734da1ac65ac7e57f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Filesize
53KB

MD5
d4d8cef58818612769a698c291ca3b37

SHA1
54e0a6e0c08723157829cea009ec4fe30bea5c50

SHA256
98fd693b92a71e24110ce7d018a117757ffdfe0e551a33c5fa5d8888a2d74fb0

SHA512
f165b1dde8f251e95d137a466d9bb77240396e289d1b2f8f1e9a28a6470545df07d00da6449250a1a0d73364c9cb6c00fd6229a385585a734da1ac65ac7e57f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Filesize
53KB

MD5
d4d8cef58818612769a698c291ca3b37

SHA1
54e0a6e0c08723157829cea009ec4fe30bea5c50

SHA256
98fd693b92a71e24110ce7d018a117757ffdfe0e551a33c5fa5d8888a2d74fb0

SHA512
f165b1dde8f251e95d137a466d9bb77240396e289d1b2f8f1e9a28a6470545df07d00da6449250a1a0d73364c9cb6c00fd6229a385585a734da1ac65ac7e57f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Filesize
53KB

MD5
d4d8cef58818612769a698c291ca3b37

SHA1
54e0a6e0c08723157829cea009ec4fe30bea5c50

SHA256
98fd693b92a71e24110ce7d018a117757ffdfe0e551a33c5fa5d8888a2d74fb0

SHA512
f165b1dde8f251e95d137a466d9bb77240396e289d1b2f8f1e9a28a6470545df07d00da6449250a1a0d73364c9cb6c00fd6229a385585a734da1ac65ac7e57f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Filesize
53KB

MD5
d4d8cef58818612769a698c291ca3b37

SHA1
54e0a6e0c08723157829cea009ec4fe30bea5c50

SHA256
98fd693b92a71e24110ce7d018a117757ffdfe0e551a33c5fa5d8888a2d74fb0

SHA512
f165b1dde8f251e95d137a466d9bb77240396e289d1b2f8f1e9a28a6470545df07d00da6449250a1a0d73364c9cb6c00fd6229a385585a734da1ac65ac7e57f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Filesize
53KB

MD5
d4d8cef58818612769a698c291ca3b37

SHA1
54e0a6e0c08723157829cea009ec4fe30bea5c50

SHA256
98fd693b92a71e24110ce7d018a117757ffdfe0e551a33c5fa5d8888a2d74fb0

SHA512
f165b1dde8f251e95d137a466d9bb77240396e289d1b2f8f1e9a28a6470545df07d00da6449250a1a0d73364c9cb6c00fd6229a385585a734da1ac65ac7e57f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Filesize
53KB

MD5
d4d8cef58818612769a698c291ca3b37

SHA1
54e0a6e0c08723157829cea009ec4fe30bea5c50

SHA256
98fd693b92a71e24110ce7d018a117757ffdfe0e551a33c5fa5d8888a2d74fb0

SHA512
f165b1dde8f251e95d137a466d9bb77240396e289d1b2f8f1e9a28a6470545df07d00da6449250a1a0d73364c9cb6c00fd6229a385585a734da1ac65ac7e57f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Filesize
53KB

MD5
d4d8cef58818612769a698c291ca3b37

SHA1
54e0a6e0c08723157829cea009ec4fe30bea5c50

SHA256
98fd693b92a71e24110ce7d018a117757ffdfe0e551a33c5fa5d8888a2d74fb0

SHA512
f165b1dde8f251e95d137a466d9bb77240396e289d1b2f8f1e9a28a6470545df07d00da6449250a1a0d73364c9cb6c00fd6229a385585a734da1ac65ac7e57f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Filesize
53KB

MD5
d4d8cef58818612769a698c291ca3b37

SHA1
54e0a6e0c08723157829cea009ec4fe30bea5c50

SHA256
98fd693b92a71e24110ce7d018a117757ffdfe0e551a33c5fa5d8888a2d74fb0

SHA512
f165b1dde8f251e95d137a466d9bb77240396e289d1b2f8f1e9a28a6470545df07d00da6449250a1a0d73364c9cb6c00fd6229a385585a734da1ac65ac7e57f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
346f9f8c8b62dc1e5eb59c3de0ee104f

SHA1
2a34d9904a8245a20b01feaf71b806b2f1e17db7

SHA256
28410c777571675d6f152a29a799c63ae9bb61cae8c70b74c877cf2d1dca23da

SHA512
59fdd25fc4fbf172d5add077800d8e2683d903200c481cd6272f6564d7425f09ffaaa664a7f39bc3bcfb1d837f19f58432f2ee517bbfd95e903d2e01dd53d287

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
d1ef93c936a8593cf03d9cc87485c6b7

SHA1
eb7e9f67859ea24a0db77fe9de176c34bee76556

SHA256
aadd7856237a43d270c31f9080e1ace8ed3bcda3e97b18b8c37c1c3f979b95ef

SHA512
873745c7111b8e0a34edf23aba3c36af646dd34bcb5e0710aaa2db956e460310c7fdf19259ed694574e091a5a3467f72255700a271822cc9a8c0da6a981a6633

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
d1ef93c936a8593cf03d9cc87485c6b7

SHA1
eb7e9f67859ea24a0db77fe9de176c34bee76556

SHA256
aadd7856237a43d270c31f9080e1ace8ed3bcda3e97b18b8c37c1c3f979b95ef

SHA512
873745c7111b8e0a34edf23aba3c36af646dd34bcb5e0710aaa2db956e460310c7fdf19259ed694574e091a5a3467f72255700a271822cc9a8c0da6a981a6633

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
d1ef93c936a8593cf03d9cc87485c6b7

SHA1
eb7e9f67859ea24a0db77fe9de176c34bee76556

SHA256
aadd7856237a43d270c31f9080e1ace8ed3bcda3e97b18b8c37c1c3f979b95ef

SHA512
873745c7111b8e0a34edf23aba3c36af646dd34bcb5e0710aaa2db956e460310c7fdf19259ed694574e091a5a3467f72255700a271822cc9a8c0da6a981a6633

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
d1ef93c936a8593cf03d9cc87485c6b7

SHA1
eb7e9f67859ea24a0db77fe9de176c34bee76556

SHA256
aadd7856237a43d270c31f9080e1ace8ed3bcda3e97b18b8c37c1c3f979b95ef

SHA512
873745c7111b8e0a34edf23aba3c36af646dd34bcb5e0710aaa2db956e460310c7fdf19259ed694574e091a5a3467f72255700a271822cc9a8c0da6a981a6633

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
d1ef93c936a8593cf03d9cc87485c6b7

SHA1
eb7e9f67859ea24a0db77fe9de176c34bee76556

SHA256
aadd7856237a43d270c31f9080e1ace8ed3bcda3e97b18b8c37c1c3f979b95ef

SHA512
873745c7111b8e0a34edf23aba3c36af646dd34bcb5e0710aaa2db956e460310c7fdf19259ed694574e091a5a3467f72255700a271822cc9a8c0da6a981a6633

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
3e1a14b41250f742b7fcef9e51fec423

SHA1
b07d5e81e800ec08087cca10ed049d5a2c64bd73

SHA256
ea84cc36cfd7dbd220b4f028956cd435ba1d05432ba5751295e52c2bdeb8ca7b

SHA512
e0997d97a6a313e6a83e8641fda48b2a449f646c80a8403503f4cf2208aee52aafcb7069f6dfc12701456b000663ecd6bb7dcb1ec76ed155dfbebe5f0fe9b259

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
31df93cd08e8001245bef2fb0de3b74e

SHA1
add652e1d4f5289dcf9e306077f10645bdd4b8c9

SHA256
d149ca9117d22b1b47134c1ee8b90d1344525023aaf33e9cc66492a102622037

SHA512
6ef77f602eab6abf384a54909879980cb1120c442eee126b9a0b573cca0e016b939160e1ebc680fe5627a540b088f821ec2cbe4932198b6c8368186362c9e163

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
edb75a37ab7d64a15b859e183e3dc87a

SHA1
8494c2b074468c4576e2db370973b02ef5810722

SHA256
f3e3ec78a8f7c88c140ddf435b262ed46922ca887319b507339777bbf46a21fe

SHA512
1d428e0cc45fb98237a0d6a847c3acf4cfd6db5a5d0465a7611082eb4587d4c650d8743c82cb14e44f8b2546484eb74a032a1b8ca404f918123aa3c6c3027a91

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
f946bc591db9dfcbbf4bc364462a328d

SHA1
fcd1d0337ddfb70645a945a72feea8c75c2d967f

SHA256
d8f51301a7176d3a776ba3b3bad631ba7bdec0e4334630540cec11886719f705

SHA512
3317a493bfe0f59cdcf30635c8606e744531195f4f4f7160c90df0f8e2fd8f4f080200dbd8b4b9c8013057055ca4a4bff00036716ce04bb3d65a1e0d75e4aa02

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
f946bc591db9dfcbbf4bc364462a328d

SHA1
fcd1d0337ddfb70645a945a72feea8c75c2d967f

SHA256
d8f51301a7176d3a776ba3b3bad631ba7bdec0e4334630540cec11886719f705

SHA512
3317a493bfe0f59cdcf30635c8606e744531195f4f4f7160c90df0f8e2fd8f4f080200dbd8b4b9c8013057055ca4a4bff00036716ce04bb3d65a1e0d75e4aa02

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
c1adabed7df310aa7517b654b21ae467

SHA1
a13a52662e5264f33cb50ff81c91d2cb1eb3dab8

SHA256
ba3deef4112c08b8cf0ba7dfb64480f49032208fc435a6a91f1d5bb2f08dcd34

SHA512
ad2caa8e4318b440f19fa7ab7a06bb47367496755d5742a55b871d18c85fa242a260ef464192bcbd108e16fc833ec6259af51fa5be331de0786d912238c5ddb9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
7874b49e95053845522e81d05ab20b27

SHA1
98d594091846f94d15aee31582e018bb335c3191

SHA256
bfe66fb24d19a88e72fdde888e440cb9c120a09324a4c0d7db2baa136ea1a61e

SHA512
8f53f58a132f3b63f964b8133ada3a6563c3c92dd8ff2c7fee1fb9e392d25911904d0870fa482c4cf12a20e92381d3d09cad834e79b176d414476f5e82272a98

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
436d8ceafdf63e19386a8813207855ae

SHA1
03fd7ae28e2b5d657e8a488f5058f2db3252ef9e

SHA256
ff958f02f1f7a1ce4ad5a8a650b1fa8e6f456cadf05694de3aa21c5e280e2635

SHA512
d8071f20b488160a97cffc863dd204dd5faa76e2031692f9870534533ea18dd24aab400c5180ad7129783b4c69fc6f55c699fcd011c41f6b87ca4829487e893a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
436d8ceafdf63e19386a8813207855ae

SHA1
03fd7ae28e2b5d657e8a488f5058f2db3252ef9e

SHA256
ff958f02f1f7a1ce4ad5a8a650b1fa8e6f456cadf05694de3aa21c5e280e2635

SHA512
d8071f20b488160a97cffc863dd204dd5faa76e2031692f9870534533ea18dd24aab400c5180ad7129783b4c69fc6f55c699fcd011c41f6b87ca4829487e893a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
bd7a665414e10d5c07a3068811c66d2c

SHA1
dab81be076e1c29223ec71952014591e40b0b0fa

SHA256
c07edbfcc7b77414962ff321120c5aa2537c3179a555823dcc31743c230ca4c8

SHA512
f4e5251ef3f95022b57789d23f726823bfe920a4cd21b68c57d28a09a6c81e1735c3fce59064c1674cfb9fe0a4f7dbf88058e4559b11c920b05f1a09103e851b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
244B

MD5
b2ac5cb8e975cff300c900736527491d

SHA1
c4fb04d65d79e0a46b40210ef7a37fb2480c76be

SHA256
d8ad690f31168e4c68ce83f42e1e22499c0a120e860b96797b9ba36e194d17b0

SHA512
b59a0fb91814943a32dcb6c81d5784603d0d724c0c5e342dbc66de3569e75ba4cec7dcb4b9e7a226af4a155c7c93edb5ca4673dcaf94d4ee38b2a4a351b7e360

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
ecc30a26e47a4b012ea6250d5a109789

SHA1
9b44857fd94d2f59f725fda3d7a5815dfbdb10d4

SHA256
4a80a31ca3e2379d5ea2c6cf9206e028f2f129edcaeabc7186f91174484e9953

SHA512
910a6be61a2c10babb4dd5fd300800ce838e642944a89b12e47b54df9fdcf2e7fe4d9c68c46735cc16f008661f1787c2125cbf97e6d0a48a9b1e55070ce7abb6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
72c70861791fccfeff1a282e4444aaff

SHA1
9ea1fec443fddc76d3abd5f5701ec0c79b3af4ee

SHA256
d54e3dcce5560894b574185597e61cd3137e6c4715e8254f69ae4c76c9f45fa4

SHA512
2c323497c1f4c63360bbf3ed114d39973ddbcd34df4c7837b81e7a369755643ebd16e87d1876109a5d8583853a71956e3223b4bc6af5b8d56d1b5c0994b22112

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
72c70861791fccfeff1a282e4444aaff

SHA1
9ea1fec443fddc76d3abd5f5701ec0c79b3af4ee

SHA256
d54e3dcce5560894b574185597e61cd3137e6c4715e8254f69ae4c76c9f45fa4

SHA512
2c323497c1f4c63360bbf3ed114d39973ddbcd34df4c7837b81e7a369755643ebd16e87d1876109a5d8583853a71956e3223b4bc6af5b8d56d1b5c0994b22112

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
294f586205f61c75c1425bfca52f45cc

SHA1
6e0bf41a39aa96f2fefa6805f1dacd5efb0e2751

SHA256
2e58ef965bdf96ea285b4eb4bd0c2c93a3d81f2545af803c43e9cade8d093f5f

SHA512
f36a7bc07225c78392b165de2165c8d6a612eb8da4ad60f76ace9613a8e09cba097794f153db4c44d758787ea1a3b53e064de58fc180abd77a4c29b58033a16d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
c5dc084f6c61c15b7823692301922b10

SHA1
be18424d12706db494bcdc0c8886f7494ffd6a5b

SHA256
5dfad52593951424c0585dcdf4a94c2d5b822efdbd278498674766d56663e155

SHA512
d5859a9b5cb559ed84f38e4494f66988e5a706a86e5b5a3ad9f65c8c47bde79e2526fbd1e1dc3f433dab27f7e766ec5ae346cf8acf5924f9414ea2eb01c69724

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
8169bcdf1842aa95ff3188977c854407

SHA1
0842ffd27a7f8a4d1fe2b0cf9261c7d66b4450aa

SHA256
74415fe8049b2163da399d567e9865a0c708552c7bc77e8aa013731dda57e269

SHA512
256008d74084c5bc0589ae550814c5776d67b02e17f2efbb2697dd1de4e216a99528dd648c9b4c21f565cf5a2314e419ba900c609725fb8f7f3ba56028a0287a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
8169bcdf1842aa95ff3188977c854407

SHA1
0842ffd27a7f8a4d1fe2b0cf9261c7d66b4450aa

SHA256
74415fe8049b2163da399d567e9865a0c708552c7bc77e8aa013731dda57e269

SHA512
256008d74084c5bc0589ae550814c5776d67b02e17f2efbb2697dd1de4e216a99528dd648c9b4c21f565cf5a2314e419ba900c609725fb8f7f3ba56028a0287a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
70d48d410cd8a13349432ec3c1e176a5

SHA1
4ba7c54d9d0932256a719e5844f27528a699c087

SHA256
e771b6b8663e15ed15cdec1176df0f2acdda155d252d8d8054bce8dc3cc05512

SHA512
aec88940b3088c1c1a81df7cd030dd162f00c83dc273259926a7e4d4054034b822bb52d23c082b1cbc1a7f3c0dd8e0427da93748e931b8f08bc1edb9f0bcdaea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
ea05190da76653e9b5bfe051c70edf55

SHA1
55cec21a5781a00aa042240feed6c15808f5da17

SHA256
3f5f572f243a6777ced8044b795a1d549fc2315d731b8c114641691bbe2c0c48

SHA512
56fe736b4305b89d84744ad9dee68f9faf6ed01065b130465c605bc3cdf7c4b0b249aeff6b97a1780c05e16af3915db5dc24ac3e5999f696fb1d4411d64a4c51

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
fb69a96806085437b759c666cba5a533

SHA1
6eb1a5912a96a405c62f45e09e0ccc63415b8627

SHA256
06d24ca409eaacde15f87c2b9606899534b3ac7a9cad141413d3b66f7efe6d80

SHA512
7a22be66017537a10401664534fb5224e4837717c3a30839c3a577bc8deebd94a44cca5bb77ba0402854880322fe07d4a81dd26cc4bf8a21e145b349e8b72041

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
038e3a195dbf5b69e27efbce5b8ef78e

SHA1
525642162cc2c121be3835ce32950b57302bd116

SHA256
357ece3055d9a1fde35972c4945e31d1d97f7307ad50cb70588952225dcd9686

SHA512
757a97905468154762f2a0ec9d4969e8312cc6a7a018aac6d6d74d3eb2253c6d738ab2cee82f35c3def50b5c7303932fae13c1c524c170a97ccc7437ac280951

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
bad43e739ccf04fd816ed972c0995cda

SHA1
7c2b25cbdb8f5406e5b1189c283d4f3da22ac5bc

SHA256
3522ff8d24263fb1671888b46d7032f287f4231ae2706fffa5150e1a8a12c7bd

SHA512
fe55d68cb6eba59e432669922287b9e1131ce923cb585322d97c0e9b7a8e3a5ece305923e08509cecb82da658dc2d35544a5f802f274279867728d30b7f49c27

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
723cfb6820ef51dcbb5b0b99b6745e7d

SHA1
34adbb72ecb6e900829d4186401c7032f0de37f4

SHA256
b108655425e5fd2386a04a66fdd92230cae2484e6a66ee9fbe8a1dc8775cf002

SHA512
27dc03bc724985615755fb4444acd25b1bc83c3c63515ed0e961433f6ac5ee6beda03fcb990683efe3abcc990321b28d5b250b45dc7236f63fef5933816246d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
723cfb6820ef51dcbb5b0b99b6745e7d

SHA1
34adbb72ecb6e900829d4186401c7032f0de37f4

SHA256
b108655425e5fd2386a04a66fdd92230cae2484e6a66ee9fbe8a1dc8775cf002

SHA512
27dc03bc724985615755fb4444acd25b1bc83c3c63515ed0e961433f6ac5ee6beda03fcb990683efe3abcc990321b28d5b250b45dc7236f63fef5933816246d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
80bbea18670b5f931178b3b972ceb9b0

SHA1
707894a570d58d7bb4664ba5cde0abf37f16bdf5

SHA256
e3a889805abd977f2df1916cc7e30d3a692c66b6b168c8f7bcf2de8dc4f7ad51

SHA512
cc701d138bca8dbdf60314d8c84dea2048d1f111e3c26c4c9571c1305a0e58ea297b393f7b69c8351bea4ac827d024962306ef6b381bb4718dddd43152443157

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
1cbac6632ef8c10064100693f5b51caf

SHA1
2840de2e65ea52c63fb32634fe2c4d56d9f25b97

SHA256
bb30e3d0a78ecd43f0d3129f54508065bc2f8ecc30a500c8fe91521142b2ad43

SHA512
a98f1fdc54b3630c192aa3cb560a471a88a23eda044f3d9ee3d9ffb7043165e8a860ac7f5c13e28f594212347103cceb3860ecf6216d86537143f244eb510489

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
1cbac6632ef8c10064100693f5b51caf

SHA1
2840de2e65ea52c63fb32634fe2c4d56d9f25b97

SHA256
bb30e3d0a78ecd43f0d3129f54508065bc2f8ecc30a500c8fe91521142b2ad43

SHA512
a98f1fdc54b3630c192aa3cb560a471a88a23eda044f3d9ee3d9ffb7043165e8a860ac7f5c13e28f594212347103cceb3860ecf6216d86537143f244eb510489

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
1cbac6632ef8c10064100693f5b51caf

SHA1
2840de2e65ea52c63fb32634fe2c4d56d9f25b97

SHA256
bb30e3d0a78ecd43f0d3129f54508065bc2f8ecc30a500c8fe91521142b2ad43

SHA512
a98f1fdc54b3630c192aa3cb560a471a88a23eda044f3d9ee3d9ffb7043165e8a860ac7f5c13e28f594212347103cceb3860ecf6216d86537143f244eb510489

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
1cbac6632ef8c10064100693f5b51caf

SHA1
2840de2e65ea52c63fb32634fe2c4d56d9f25b97

SHA256
bb30e3d0a78ecd43f0d3129f54508065bc2f8ecc30a500c8fe91521142b2ad43

SHA512
a98f1fdc54b3630c192aa3cb560a471a88a23eda044f3d9ee3d9ffb7043165e8a860ac7f5c13e28f594212347103cceb3860ecf6216d86537143f244eb510489

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
1cbac6632ef8c10064100693f5b51caf

SHA1
2840de2e65ea52c63fb32634fe2c4d56d9f25b97

SHA256
bb30e3d0a78ecd43f0d3129f54508065bc2f8ecc30a500c8fe91521142b2ad43

SHA512
a98f1fdc54b3630c192aa3cb560a471a88a23eda044f3d9ee3d9ffb7043165e8a860ac7f5c13e28f594212347103cceb3860ecf6216d86537143f244eb510489

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
1cbac6632ef8c10064100693f5b51caf

SHA1
2840de2e65ea52c63fb32634fe2c4d56d9f25b97

SHA256
bb30e3d0a78ecd43f0d3129f54508065bc2f8ecc30a500c8fe91521142b2ad43

SHA512
a98f1fdc54b3630c192aa3cb560a471a88a23eda044f3d9ee3d9ffb7043165e8a860ac7f5c13e28f594212347103cceb3860ecf6216d86537143f244eb510489

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
1cbac6632ef8c10064100693f5b51caf

SHA1
2840de2e65ea52c63fb32634fe2c4d56d9f25b97

SHA256
bb30e3d0a78ecd43f0d3129f54508065bc2f8ecc30a500c8fe91521142b2ad43

SHA512
a98f1fdc54b3630c192aa3cb560a471a88a23eda044f3d9ee3d9ffb7043165e8a860ac7f5c13e28f594212347103cceb3860ecf6216d86537143f244eb510489

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
1cbac6632ef8c10064100693f5b51caf

SHA1
2840de2e65ea52c63fb32634fe2c4d56d9f25b97

SHA256
bb30e3d0a78ecd43f0d3129f54508065bc2f8ecc30a500c8fe91521142b2ad43

SHA512
a98f1fdc54b3630c192aa3cb560a471a88a23eda044f3d9ee3d9ffb7043165e8a860ac7f5c13e28f594212347103cceb3860ecf6216d86537143f244eb510489

Download Submit
memory/228-208-0x0000000000000000-mapping.dmp

Download
memory/360-150-0x0000000000000000-mapping.dmp

Download
memory/412-202-0x0000000000000000-mapping.dmp

Download
memory/548-146-0x0000000000000000-mapping.dmp

Download
memory/620-177-0x0000000000000000-mapping.dmp

Download
memory/908-173-0x0000000005990000-0x00000000059F6000-memory.dmp

Filesize
408KB

Download
memory/908-162-0x0000000005A00000-0x0000000006028000-memory.dmp

Filesize
6.2MB

Download
memory/908-158-0x0000000000000000-mapping.dmp

Download
memory/908-185-0x0000000007F10000-0x000000000858A000-memory.dmp

Filesize
6.5MB

Download
memory/1056-175-0x0000000000000000-mapping.dmp

Download
memory/1088-196-0x0000000000000000-mapping.dmp

Download
memory/1108-194-0x0000000000000000-mapping.dmp

Download
memory/1120-151-0x0000000000000000-mapping.dmp

Download
memory/1240-148-0x0000000000000000-mapping.dmp

Download
memory/1356-176-0x0000000000000000-mapping.dmp

Download
memory/1364-209-0x0000000000000000-mapping.dmp

Download
memory/1404-147-0x0000000000000000-mapping.dmp

Download
memory/1440-144-0x0000000000000000-mapping.dmp

Download
memory/1472-164-0x0000000000000000-mapping.dmp

Download
memory/1672-168-0x0000000000000000-mapping.dmp

Download
memory/1716-152-0x0000000000000000-mapping.dmp

Download
memory/1732-174-0x0000000000000000-mapping.dmp

Download
memory/1836-172-0x0000000000000000-mapping.dmp

Download
memory/1872-200-0x0000000000000000-mapping.dmp

Download
memory/1888-130-0x00000000009A0000-0x0000000000AAC000-memory.dmp

Filesize
1.0MB

Download
memory/1888-132-0x0000000005520000-0x0000000005523000-memory.dmp

Filesize
12KB

Download
memory/1964-182-0x0000000000000000-mapping.dmp

Download
memory/1972-188-0x0000000000000000-mapping.dmp

Download
memory/1996-145-0x0000000000000000-mapping.dmp

Download
memory/2120-159-0x0000000000000000-mapping.dmp

Download
memory/2180-201-0x0000000000000000-mapping.dmp

Download
memory/2188-157-0x0000000000000000-mapping.dmp

Download
memory/2260-193-0x0000000000000000-mapping.dmp

Download
memory/2560-167-0x0000000000000000-mapping.dmp

Download
memory/2700-170-0x0000000000000000-mapping.dmp

Download
memory/3008-154-0x0000000000000000-mapping.dmp

Download
memory/3152-156-0x0000000000000000-mapping.dmp

Download
memory/3152-160-0x00000000023C0000-0x00000000023F6000-memory.dmp

Filesize
216KB

Download
memory/3160-166-0x0000000000000000-mapping.dmp

Download
memory/3168-191-0x0000000000000000-mapping.dmp

Download
memory/3192-203-0x0000000000000000-mapping.dmp

Download
memory/3224-149-0x0000000000000000-mapping.dmp

Download
memory/3228-161-0x0000000000000000-mapping.dmp

Download
memory/3312-169-0x0000000000000000-mapping.dmp

Download
memory/3460-141-0x0000000000000000-mapping.dmp

Download
memory/3536-133-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/3536-184-0x0000000000000000-mapping.dmp

Download
memory/3536-136-0x00000000059E0000-0x0000000005A46000-memory.dmp

Filesize
408KB

Download
memory/3536-131-0x0000000000000000-mapping.dmp

Download
memory/3536-134-0x0000000005E00000-0x00000000063A4000-memory.dmp

Filesize
5.6MB

Download
memory/3536-143-0x0000000005CF0000-0x0000000005D82000-memory.dmp

Filesize
584KB

Download
memory/3536-135-0x0000000005850000-0x00000000058EC000-memory.dmp

Filesize
624KB

Download
memory/3580-192-0x0000000000000000-mapping.dmp

Download
memory/3596-206-0x0000000000000000-mapping.dmp

Download
memory/3748-163-0x0000000000000000-mapping.dmp

Download
memory/3748-171-0x00000000051B0000-0x00000000051D2000-memory.dmp

Filesize
136KB

Download
memory/3748-178-0x0000000006160000-0x000000000617E000-memory.dmp

Filesize
120KB

Download
memory/3748-186-0x0000000006630000-0x000000000664A000-memory.dmp

Filesize
104KB

Download
memory/3748-197-0x0000000007320000-0x0000000007342000-memory.dmp

Filesize
136KB

Download
memory/3812-165-0x0000000000000000-mapping.dmp

Download
memory/3812-195-0x00000000077E0000-0x0000000007876000-memory.dmp

Filesize
600KB

Download
memory/3884-138-0x0000000000000000-mapping.dmp

Download
memory/4176-179-0x0000000000000000-mapping.dmp

Download
memory/4224-187-0x0000000000000000-mapping.dmp

Download
memory/4272-139-0x0000000000000000-mapping.dmp

Download
memory/4272-181-0x0000000000000000-mapping.dmp

Download
memory/4296-180-0x0000000000000000-mapping.dmp

Download
memory/4352-183-0x0000000000000000-mapping.dmp

Download
memory/4424-140-0x0000000000000000-mapping.dmp

Download
memory/4556-207-0x0000000000000000-mapping.dmp

Download
memory/4740-189-0x0000000000000000-mapping.dmp

Download
memory/4760-137-0x0000000000000000-mapping.dmp

Download
memory/4820-142-0x0000000000000000-mapping.dmp

Download
memory/4824-198-0x0000000000000000-mapping.dmp

Download
memory/4856-190-0x0000000000000000-mapping.dmp

Download
memory/4856-210-0x0000000000000000-mapping.dmp

Download
memory/4876-205-0x0000000000000000-mapping.dmp

Download
memory/4892-155-0x0000000000000000-mapping.dmp

Download
memory/4964-199-0x0000000000000000-mapping.dmp

Download
memory/5072-204-0x0000000000000000-mapping.dmp

Download