agenttesla | 0297de22b433fe7ecee63b5f80b78c4749bb8f4cfec0cd737713d87781d1db52

Analysis

max time kernel
151s
max time network
46s
platform
windows7_x64
resource
win7-20220414-en
submitted
21-05-2022 01:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

import_documents.exe
Size

395KB
MD5

22f207e5e15c4ec19b80e07fa45967b9
SHA1

7af28dc2d18281e450738b4a477cd14014458e72
SHA256

87c88de3a875c7997a34e00e8c7c97577f046332811dcef6cba7c33b37c42396
SHA512

5912b78fdc9b66639c5deb9d12e8b8aad4c404c6b2e919392e5032ee80a04e91e3cd1e4822ec6880fef0a2a830200a317ffb390745e21f0b0c697a00c71a3cd8

Score

10^/10

agenttesla keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
smtp.office365.com
Port:
587
Username:
[email protected]
Password:
bhsusa714

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla Payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1260-59-0x0000000000400000-0x000000000044C000-memory.dmp	family_agenttesla

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

RegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\Gold = "C:\\Users\\Admin\\AppData\\Roaming\\Gold\\Gold.exe"	RegAsm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\Gold = "C:\\Users\\Admin\\AppData\\Roaming\\Gold\\Gold.exe"	RegAsm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\Gold = "C:\\Users\\Admin\\AppData\\Roaming\\Gold\\Gold.exe"	RegAsm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\Gold = "C:\\Users\\Admin\\AppData\\Roaming\\Gold\\Gold.exe"	RegAsm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\Gold = "C:\\Users\\Admin\\AppData\\Roaming\\Gold\\Gold.exe"	RegAsm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\Gold = "C:\\Users\\Admin\\AppData\\Roaming\\Gold\\Gold.exe"	RegAsm.exe

Suspicious use of SetThreadContext 64 IoCs

Processes:

import_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exe

description	pid	process	target process
PID 1720 set thread context of 1260	1720	import_documents.exe	RegAsm.exe
PID 1704 set thread context of 1584	1704	import_documents.exe	RegAsm.exe
PID 884 set thread context of 1184	884	import_documents.exe	RegAsm.exe
PID 1492 set thread context of 828	1492	import_documents.exe	RegAsm.exe
PID 1308 set thread context of 568	1308	import_documents.exe	RegAsm.exe
PID 1108 set thread context of 1816	1108	import_documents.exe	RegAsm.exe
PID 988 set thread context of 1036	988	import_documents.exe	RegAsm.exe
PID 1992 set thread context of 916	1992	import_documents.exe	RegAsm.exe
PID 1812 set thread context of 692	1812	import_documents.exe	RegAsm.exe
PID 1316 set thread context of 1340	1316	import_documents.exe	RegAsm.exe
PID 1776 set thread context of 1940	1776	import_documents.exe	RegAsm.exe
PID 1164 set thread context of 1272	1164	import_documents.exe	RegAsm.exe
PID 1696 set thread context of 2040	1696	import_documents.exe	RegAsm.exe
PID 1924 set thread context of 1680	1924	import_documents.exe	RegAsm.exe
PID 580 set thread context of 1412	580	import_documents.exe	RegAsm.exe
PID 908 set thread context of 1588	908	import_documents.exe	RegAsm.exe
PID 976 set thread context of 1224	976	import_documents.exe	RegAsm.exe
PID 1712 set thread context of 1052	1712	import_documents.exe	RegAsm.exe
PID 964 set thread context of 592	964	import_documents.exe	RegAsm.exe
PID 776 set thread context of 1788	776	import_documents.exe	RegAsm.exe
PID 1388 set thread context of 1060	1388	import_documents.exe	RegAsm.exe
PID 704 set thread context of 856	704	import_documents.exe	RegAsm.exe
PID 1528 set thread context of 692	1528	import_documents.exe	RegAsm.exe
PID 1272 set thread context of 268	1272	import_documents.exe	RegAsm.exe
PID 1104 set thread context of 1144	1104	import_documents.exe	RegAsm.exe
PID 832 set thread context of 1956	832	import_documents.exe	RegAsm.exe
PID 1984 set thread context of 1440	1984	import_documents.exe	RegAsm.exe
PID 916 set thread context of 1296	916	import_documents.exe	RegAsm.exe
PID 984 set thread context of 2004	984	import_documents.exe	RegAsm.exe
PID 1660 set thread context of 1744	1660	import_documents.exe	RegAsm.exe
PID 836 set thread context of 612	836	import_documents.exe	RegAsm.exe
PID 1320 set thread context of 1684	1320	import_documents.exe	RegAsm.exe
PID 1808 set thread context of 1756	1808	import_documents.exe	RegAsm.exe
PID 2084 set thread context of 2112	2084	import_documents.exe	RegAsm.exe
PID 2156 set thread context of 2192	2156	import_documents.exe	RegAsm.exe
PID 2232 set thread context of 2260	2232	import_documents.exe	RegAsm.exe
PID 2300 set thread context of 2328	2300	import_documents.exe	RegAsm.exe
PID 2372 set thread context of 2400	2372	import_documents.exe	RegAsm.exe
PID 2444 set thread context of 2472	2444	import_documents.exe	RegAsm.exe
PID 2552 set thread context of 2580	2552	import_documents.exe	RegAsm.exe
PID 2616 set thread context of 2648	2616	import_documents.exe	RegAsm.exe
PID 2684 set thread context of 2720	2684	import_documents.exe	RegAsm.exe
PID 2760 set thread context of 2796	2760	import_documents.exe	RegAsm.exe
PID 2840 set thread context of 2868	2840	import_documents.exe	RegAsm.exe
PID 2912 set thread context of 2940	2912	import_documents.exe	RegAsm.exe
PID 2984 set thread context of 3012	2984	import_documents.exe	RegAsm.exe
PID 3052 set thread context of 640	3052	import_documents.exe	RegAsm.exe
PID 1516 set thread context of 2140	1516	import_documents.exe	RegAsm.exe
PID 2220 set thread context of 2100	2220	import_documents.exe	RegAsm.exe
PID 2168 set thread context of 2356	2168	import_documents.exe	RegAsm.exe
PID 2428 set thread context of 2360	2428	import_documents.exe	RegAsm.exe
PID 1256 set thread context of 1036	1256	import_documents.exe	RegAsm.exe
PID 1032 set thread context of 2116	1032	import_documents.exe	RegAsm.exe
PID 2280 set thread context of 2204	2280	import_documents.exe	RegAsm.exe
PID 1796 set thread context of 2264	1796	import_documents.exe	RegAsm.exe
PID 1128 set thread context of 1744	1128	import_documents.exe	RegAsm.exe
PID 1876 set thread context of 2380	1876	import_documents.exe	RegAsm.exe
PID 2448 set thread context of 2716	2448	import_documents.exe	RegAsm.exe
PID 2748 set thread context of 2692	2748	import_documents.exe	RegAsm.exe
PID 2752 set thread context of 2784	2752	import_documents.exe	RegAsm.exe
PID 2852 set thread context of 3020	2852	import_documents.exe	RegAsm.exe
PID 3036 set thread context of 3000	3036	import_documents.exe	RegAsm.exe
PID 3068 set thread context of 2336	3068	import_documents.exe	RegAsm.exe
PID 2268 set thread context of 2324	2268	import_documents.exe	RegAsm.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

import_documents.exe

pid	process
1720	import_documents.exe
1720	import_documents.exe
1720	import_documents.exe
1720	import_documents.exe
1720	import_documents.exe
1720	import_documents.exe
1720	import_documents.exe
1720	import_documents.exe
1720	import_documents.exe
1720	import_documents.exe
1720	import_documents.exe
1720	import_documents.exe
1720	import_documents.exe
1720	import_documents.exe
1720	import_documents.exe
1720	import_documents.exe
1720	import_documents.exe
1720	import_documents.exe
1720	import_documents.exe
1720	import_documents.exe
1720	import_documents.exe
1720	import_documents.exe
1720	import_documents.exe
1720	import_documents.exe
1720	import_documents.exe
1720	import_documents.exe
1720	import_documents.exe
1720	import_documents.exe
1720	import_documents.exe
1720	import_documents.exe
1720	import_documents.exe
1720	import_documents.exe
1720	import_documents.exe
1720	import_documents.exe
1720	import_documents.exe
1720	import_documents.exe
1720	import_documents.exe
1720	import_documents.exe
1720	import_documents.exe
1720	import_documents.exe
1720	import_documents.exe
1720	import_documents.exe
1720	import_documents.exe
1720	import_documents.exe
1720	import_documents.exe
1720	import_documents.exe
1720	import_documents.exe
1720	import_documents.exe
1720	import_documents.exe
1720	import_documents.exe
1720	import_documents.exe
1720	import_documents.exe
1720	import_documents.exe
1720	import_documents.exe
1720	import_documents.exe
1720	import_documents.exe
1720	import_documents.exe
1720	import_documents.exe
1720	import_documents.exe
1720	import_documents.exe
1720	import_documents.exe
1720	import_documents.exe
1720	import_documents.exe
1720	import_documents.exe

Suspicious behavior: MapViewOfSection 64 IoCs

Processes:

pid	process
1720	import_documents.exe
1704	import_documents.exe
884	import_documents.exe
1492	import_documents.exe
1308	import_documents.exe
1108	import_documents.exe
988	import_documents.exe
1992	import_documents.exe
1812	import_documents.exe
1316	import_documents.exe
1316	import_documents.exe
1776	import_documents.exe
1164	import_documents.exe
1696	import_documents.exe
1924	import_documents.exe
580	import_documents.exe
908	import_documents.exe
976	import_documents.exe
1712	import_documents.exe
964	import_documents.exe
776	import_documents.exe
1388	import_documents.exe
704	import_documents.exe
1528	import_documents.exe
1272	import_documents.exe
1272	import_documents.exe
1104	import_documents.exe
1104	import_documents.exe
1104	import_documents.exe
832	import_documents.exe
832	import_documents.exe
1984	import_documents.exe
916	import_documents.exe
984	import_documents.exe
984	import_documents.exe
1660	import_documents.exe
836	import_documents.exe
1320	import_documents.exe
1808	import_documents.exe
2084	import_documents.exe
2156	import_documents.exe
2156	import_documents.exe
2232	import_documents.exe
2300	import_documents.exe
2372	import_documents.exe
2444	import_documents.exe
2552	import_documents.exe
2616	import_documents.exe
2684	import_documents.exe
2760	import_documents.exe
2840	import_documents.exe
2912	import_documents.exe
2984	import_documents.exe
3052	import_documents.exe
1516	import_documents.exe
2220	import_documents.exe
2168	import_documents.exe
2428	import_documents.exe
1256	import_documents.exe
1032	import_documents.exe
2280	import_documents.exe
1796	import_documents.exe
1128	import_documents.exe
1876	import_documents.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

import_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeRegAsm.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeRegAsm.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeRegAsm.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exe

description	pid	process
Token: SeDebugPrivilege	1720	import_documents.exe
Token: SeDebugPrivilege	1704	import_documents.exe
Token: SeDebugPrivilege	884	import_documents.exe
Token: SeDebugPrivilege	1492	import_documents.exe
Token: SeDebugPrivilege	1308	import_documents.exe
Token: SeDebugPrivilege	1108	import_documents.exe
Token: SeDebugPrivilege	988	import_documents.exe
Token: SeDebugPrivilege	1992	import_documents.exe
Token: SeDebugPrivilege	1812	import_documents.exe
Token: SeDebugPrivilege	1316	import_documents.exe
Token: SeDebugPrivilege	1776	import_documents.exe
Token: SeDebugPrivilege	1164	import_documents.exe
Token: SeDebugPrivilege	1696	import_documents.exe
Token: SeDebugPrivilege	1924	import_documents.exe
Token: SeDebugPrivilege	580	import_documents.exe
Token: SeDebugPrivilege	908	import_documents.exe
Token: SeDebugPrivilege	976	import_documents.exe
Token: SeDebugPrivilege	1712	import_documents.exe
Token: SeDebugPrivilege	964	import_documents.exe
Token: SeDebugPrivilege	1260	RegAsm.exe
Token: SeDebugPrivilege	776	import_documents.exe
Token: SeDebugPrivilege	1388	import_documents.exe
Token: SeDebugPrivilege	704	import_documents.exe
Token: SeDebugPrivilege	1528	import_documents.exe
Token: SeDebugPrivilege	1272	import_documents.exe
Token: SeDebugPrivilege	1104	import_documents.exe
Token: SeDebugPrivilege	832	import_documents.exe
Token: SeDebugPrivilege	1984	import_documents.exe
Token: SeDebugPrivilege	916	import_documents.exe
Token: SeDebugPrivilege	984	import_documents.exe
Token: SeDebugPrivilege	1660	import_documents.exe
Token: SeDebugPrivilege	836	import_documents.exe
Token: SeDebugPrivilege	1320	import_documents.exe
Token: SeDebugPrivilege	1808	import_documents.exe
Token: SeDebugPrivilege	2084	import_documents.exe
Token: SeDebugPrivilege	2156	import_documents.exe
Token: SeDebugPrivilege	2232	import_documents.exe
Token: SeDebugPrivilege	2300	import_documents.exe
Token: SeDebugPrivilege	2372	import_documents.exe
Token: SeDebugPrivilege	2444	import_documents.exe
Token: SeDebugPrivilege	1788	RegAsm.exe
Token: SeDebugPrivilege	2552	import_documents.exe
Token: SeDebugPrivilege	2616	import_documents.exe
Token: SeDebugPrivilege	2684	import_documents.exe
Token: SeDebugPrivilege	2760	import_documents.exe
Token: SeDebugPrivilege	2840	import_documents.exe
Token: SeDebugPrivilege	2912	import_documents.exe
Token: SeDebugPrivilege	2984	import_documents.exe
Token: SeDebugPrivilege	3052	import_documents.exe
Token: SeDebugPrivilege	1516	import_documents.exe
Token: SeDebugPrivilege	2220	import_documents.exe
Token: SeDebugPrivilege	2168	import_documents.exe
Token: SeDebugPrivilege	2428	import_documents.exe
Token: SeDebugPrivilege	1256	import_documents.exe
Token: SeDebugPrivilege	1032	import_documents.exe
Token: SeDebugPrivilege	2280	import_documents.exe
Token: SeDebugPrivilege	1796	import_documents.exe
Token: SeDebugPrivilege	1128	import_documents.exe
Token: SeDebugPrivilege	2580	RegAsm.exe
Token: SeDebugPrivilege	1876	import_documents.exe
Token: SeDebugPrivilege	2448	import_documents.exe
Token: SeDebugPrivilege	2748	import_documents.exe
Token: SeDebugPrivilege	2752	import_documents.exe
Token: SeDebugPrivilege	2852	import_documents.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

import_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exe

description	pid	process	target process
PID 1720 wrote to memory of 1260	1720	import_documents.exe	RegAsm.exe
PID 1720 wrote to memory of 1260	1720	import_documents.exe	RegAsm.exe
PID 1720 wrote to memory of 1260	1720	import_documents.exe	RegAsm.exe
PID 1720 wrote to memory of 1260	1720	import_documents.exe	RegAsm.exe
PID 1720 wrote to memory of 1260	1720	import_documents.exe	RegAsm.exe
PID 1720 wrote to memory of 1260	1720	import_documents.exe	RegAsm.exe
PID 1720 wrote to memory of 1260	1720	import_documents.exe	RegAsm.exe
PID 1720 wrote to memory of 1260	1720	import_documents.exe	RegAsm.exe
PID 1720 wrote to memory of 1704	1720	import_documents.exe	import_documents.exe
PID 1720 wrote to memory of 1704	1720	import_documents.exe	import_documents.exe
PID 1720 wrote to memory of 1704	1720	import_documents.exe	import_documents.exe
PID 1720 wrote to memory of 1704	1720	import_documents.exe	import_documents.exe
PID 1704 wrote to memory of 1584	1704	import_documents.exe	RegAsm.exe
PID 1704 wrote to memory of 1584	1704	import_documents.exe	RegAsm.exe
PID 1704 wrote to memory of 1584	1704	import_documents.exe	RegAsm.exe
PID 1704 wrote to memory of 1584	1704	import_documents.exe	RegAsm.exe
PID 1704 wrote to memory of 1584	1704	import_documents.exe	RegAsm.exe
PID 1704 wrote to memory of 1584	1704	import_documents.exe	RegAsm.exe
PID 1704 wrote to memory of 1584	1704	import_documents.exe	RegAsm.exe
PID 1704 wrote to memory of 1584	1704	import_documents.exe	RegAsm.exe
PID 1704 wrote to memory of 884	1704	import_documents.exe	import_documents.exe
PID 1704 wrote to memory of 884	1704	import_documents.exe	import_documents.exe
PID 1704 wrote to memory of 884	1704	import_documents.exe	import_documents.exe
PID 1704 wrote to memory of 884	1704	import_documents.exe	import_documents.exe
PID 884 wrote to memory of 1184	884	import_documents.exe	RegAsm.exe
PID 884 wrote to memory of 1184	884	import_documents.exe	RegAsm.exe
PID 884 wrote to memory of 1184	884	import_documents.exe	RegAsm.exe
PID 884 wrote to memory of 1184	884	import_documents.exe	RegAsm.exe
PID 884 wrote to memory of 1184	884	import_documents.exe	RegAsm.exe
PID 884 wrote to memory of 1184	884	import_documents.exe	RegAsm.exe
PID 884 wrote to memory of 1184	884	import_documents.exe	RegAsm.exe
PID 884 wrote to memory of 1184	884	import_documents.exe	RegAsm.exe
PID 884 wrote to memory of 1492	884	import_documents.exe	import_documents.exe
PID 884 wrote to memory of 1492	884	import_documents.exe	import_documents.exe
PID 884 wrote to memory of 1492	884	import_documents.exe	import_documents.exe
PID 884 wrote to memory of 1492	884	import_documents.exe	import_documents.exe
PID 1492 wrote to memory of 828	1492	import_documents.exe	RegAsm.exe
PID 1492 wrote to memory of 828	1492	import_documents.exe	RegAsm.exe
PID 1492 wrote to memory of 828	1492	import_documents.exe	RegAsm.exe
PID 1492 wrote to memory of 828	1492	import_documents.exe	RegAsm.exe
PID 1492 wrote to memory of 828	1492	import_documents.exe	RegAsm.exe
PID 1492 wrote to memory of 828	1492	import_documents.exe	RegAsm.exe
PID 1492 wrote to memory of 828	1492	import_documents.exe	RegAsm.exe
PID 1492 wrote to memory of 828	1492	import_documents.exe	RegAsm.exe
PID 1492 wrote to memory of 1308	1492	import_documents.exe	import_documents.exe
PID 1492 wrote to memory of 1308	1492	import_documents.exe	import_documents.exe
PID 1492 wrote to memory of 1308	1492	import_documents.exe	import_documents.exe
PID 1492 wrote to memory of 1308	1492	import_documents.exe	import_documents.exe
PID 1308 wrote to memory of 568	1308	import_documents.exe	RegAsm.exe
PID 1308 wrote to memory of 568	1308	import_documents.exe	RegAsm.exe
PID 1308 wrote to memory of 568	1308	import_documents.exe	RegAsm.exe
PID 1308 wrote to memory of 568	1308	import_documents.exe	RegAsm.exe
PID 1308 wrote to memory of 568	1308	import_documents.exe	RegAsm.exe
PID 1308 wrote to memory of 568	1308	import_documents.exe	RegAsm.exe
PID 1308 wrote to memory of 568	1308	import_documents.exe	RegAsm.exe
PID 1308 wrote to memory of 568	1308	import_documents.exe	RegAsm.exe
PID 1308 wrote to memory of 1108	1308	import_documents.exe	import_documents.exe
PID 1308 wrote to memory of 1108	1308	import_documents.exe	import_documents.exe
PID 1308 wrote to memory of 1108	1308	import_documents.exe	import_documents.exe
PID 1308 wrote to memory of 1108	1308	import_documents.exe	import_documents.exe
PID 1108 wrote to memory of 1816	1108	import_documents.exe	RegAsm.exe
PID 1108 wrote to memory of 1816	1108	import_documents.exe	RegAsm.exe
PID 1108 wrote to memory of 1816	1108	import_documents.exe	RegAsm.exe
PID 1108 wrote to memory of 1816	1108	import_documents.exe	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1720

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:1260

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1704

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:1584

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:884

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
PID:1184

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
4⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1492

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
5⤵
PID:828

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
5⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1308

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
6⤵
PID:568

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
6⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1108

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
7⤵
PID:1816

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
7⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:988

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
8⤵
PID:1036

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
8⤵
PID:1176

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
9⤵
PID:1576

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
9⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1992

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
10⤵
PID:916

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
10⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1812

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
11⤵
PID:692

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
11⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1316

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
12⤵
PID:1336

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
12⤵
PID:1340

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
12⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1776

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
13⤵
PID:1940

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
13⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1164

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
14⤵
PID:1272

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
14⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1696

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
15⤵
PID:2040

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
15⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1924

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
16⤵
PID:1680

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
16⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:580

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
17⤵
PID:1412

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
17⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:908

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
18⤵
PID:1588

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
18⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:976

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
19⤵
PID:1224

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
19⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1712

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
20⤵
PID:1052

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
20⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:964

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
21⤵
PID:592

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
21⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:776

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
22⤵
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:1788

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
22⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1388

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
23⤵
PID:1060

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
23⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:704

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
24⤵
PID:856

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
24⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1528

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
25⤵
PID:692

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
25⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1272

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
26⤵
PID:1996

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
26⤵
PID:268

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
26⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1104

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
27⤵
PID:828

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
27⤵
PID:360

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
27⤵
PID:1144

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
27⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:832

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
28⤵
PID:1620

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
28⤵
PID:1956

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
28⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1984

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
29⤵
PID:1440

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
29⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:916

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
30⤵
PID:1296

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
30⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:984

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
31⤵
PID:1596

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
31⤵
PID:2004

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
31⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1660

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
32⤵
PID:1744

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
32⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:836

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
33⤵
PID:612

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
33⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1320

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
34⤵
PID:1684

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
34⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1808

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
35⤵
PID:1756

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
35⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2084

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
36⤵
PID:2112

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
36⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2156

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
37⤵
PID:2184

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
37⤵
PID:2192

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
37⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2232

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
38⤵
PID:2260

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
38⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2300

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
39⤵
PID:2328

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
39⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2372

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
40⤵
PID:2400

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
40⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2444

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
41⤵
PID:2472

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
41⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2552

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
42⤵
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:2580

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
42⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2616

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
43⤵
PID:2648

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
43⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2684

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
44⤵
PID:2720

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
44⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2760

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
45⤵
PID:2796

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
45⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2840

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
46⤵
PID:2868

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
46⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2912

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
47⤵
PID:2940

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
47⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2984

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
48⤵
PID:3012

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
48⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3052

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
49⤵
PID:640

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
49⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1516

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
50⤵
PID:2140

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
50⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2220

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
51⤵
PID:2100

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
51⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2168

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
52⤵
PID:2356

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
52⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2428

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
53⤵
PID:2360

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
53⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1256

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
54⤵
PID:1036

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
54⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1032

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
55⤵
PID:2116

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
55⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2280

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
56⤵
PID:2204

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
56⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1796

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
57⤵
PID:2264

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
57⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1128

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
58⤵
PID:1744

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
58⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1876

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
59⤵
- Adds Run key to start application
PID:2380

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
59⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2448

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
60⤵
PID:2548

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
60⤵
PID:2656

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
60⤵
PID:2716

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
60⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2748

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
61⤵
PID:2692

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
61⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2752

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
62⤵
PID:2784

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
62⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2852

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
63⤵
PID:3020

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
63⤵
- Suspicious use of SetThreadContext
PID:3036

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
64⤵
PID:3000

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
64⤵
- Suspicious use of SetThreadContext
PID:3068

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
65⤵
PID:2336

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
65⤵
- Suspicious use of SetThreadContext
PID:2268

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
66⤵
PID:2324

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
66⤵
PID:2172

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
67⤵
PID:2484

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
67⤵
PID:1952

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
68⤵
PID:2340

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
68⤵
PID:1340

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
69⤵
PID:2056

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
69⤵
PID:1756

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
69⤵
PID:700

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
70⤵
PID:2020

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
70⤵
PID:2500

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
71⤵
PID:428

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
71⤵
PID:2416

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
72⤵
PID:1632

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
72⤵
PID:1864

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
73⤵
PID:2952

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
73⤵
PID:1596

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
74⤵
PID:2800

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
74⤵
PID:2180

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
74⤵
PID:2060

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
75⤵
PID:1744

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
75⤵
PID:2544

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
76⤵
PID:1144

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
76⤵
PID:2016

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
77⤵
PID:2644

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
77⤵
PID:2464

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
78⤵
- Adds Run key to start application
PID:2640

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
78⤵
PID:2848

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
79⤵
PID:2860

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
79⤵
PID:1412

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
80⤵
PID:3064

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
80⤵
PID:556

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
81⤵
PID:2308

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
81⤵
PID:2176

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
82⤵
PID:1664

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
82⤵
PID:1456

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
83⤵
PID:2032

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
83⤵
PID:780

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
84⤵
PID:3032

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
84⤵
PID:2768

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
85⤵
PID:1552

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
85⤵
PID:2364

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
86⤵
PID:2800

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
86⤵
PID:692

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
87⤵
PID:1700

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
87⤵
PID:2636

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
88⤵
PID:2596

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
88⤵
PID:2624

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
89⤵
PID:1620

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
89⤵
PID:3048

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
90⤵
PID:2492

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
90⤵
PID:1608

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
91⤵
PID:2924

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
91⤵
PID:1816

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
92⤵
PID:2244

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
92⤵
PID:2808

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
92⤵
PID:2148

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
93⤵
PID:3020

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
93⤵
PID:2576

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
94⤵
- Adds Run key to start application
PID:2904

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
94⤵
PID:2164

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
95⤵
PID:576

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
95⤵
PID:2120

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
96⤵
PID:2348

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
96⤵
PID:2044

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
97⤵
PID:2224

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
97⤵
PID:2028

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
98⤵
PID:548

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
98⤵
PID:2424

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
99⤵
PID:1060

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
99⤵
PID:1036

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
100⤵
PID:2040

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
100⤵
PID:2724

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
101⤵
PID:428

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
101⤵
PID:2572

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
102⤵
PID:1144

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
102⤵
PID:2632

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
103⤵
PID:2864

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
103⤵
PID:2788

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
104⤵
PID:2652

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
104⤵
PID:2272

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
105⤵
PID:2100

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
105⤵
PID:2008

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
106⤵
PID:2880

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
106⤵
PID:2296

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
106⤵
PID:2088

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
107⤵
PID:2600

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
107⤵
PID:2668

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
108⤵
PID:2032

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
108⤵
PID:1620

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
109⤵
PID:3020

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
109⤵
PID:2368

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
109⤵
PID:2792

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
110⤵
PID:2856

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
110⤵
PID:3008

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
111⤵
PID:2108

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
111⤵
PID:360

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
112⤵
PID:2276

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
112⤵
PID:936

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
113⤵
PID:2960

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
113⤵
PID:2660

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
114⤵
PID:640

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
114⤵
PID:2052

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
114⤵
PID:1968

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
115⤵
PID:2680

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
115⤵
PID:108

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
116⤵
PID:2804

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
116⤵
PID:2356

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
116⤵
PID:2968

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
117⤵
PID:2468

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
117⤵
PID:592

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
118⤵
PID:1756

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
118⤵
PID:268

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
119⤵
PID:2776

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
119⤵
PID:2564

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
120⤵
PID:2676

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
120⤵
PID:2180

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
121⤵
PID:1600

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
121⤵
PID:2212

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
122⤵
PID:2312

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
122⤵
PID:1072

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
123⤵
PID:1380

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
123⤵
PID:2648

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
123⤵
PID:3000

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
124⤵
PID:2704

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
124⤵
PID:2692

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
125⤵
PID:2144

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
125⤵
PID:1672

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
126⤵
PID:2652

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
126⤵
PID:2856

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
127⤵
PID:1176

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
127⤵
PID:2744

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
128⤵
PID:1588

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
128⤵
PID:640

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
129⤵
PID:1532

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
129⤵
PID:2580

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
130⤵
PID:612

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
130⤵
PID:568

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
131⤵
PID:2892

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
131⤵
PID:2824

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
132⤵
PID:2196

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
132⤵
PID:1016

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
133⤵
PID:2380

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
133⤵
PID:2952

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
134⤵
PID:2508

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
134⤵
PID:2656

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
135⤵
PID:2132

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
135⤵
PID:2432

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
136⤵
PID:2348

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
136⤵
PID:2972

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
137⤵
PID:2808

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
137⤵
PID:1420

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
138⤵
PID:2080

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
138⤵
PID:2556

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
139⤵
PID:828

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
139⤵
PID:1300

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
140⤵
PID:2820

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Gold\Gold.exe
Filesize
63KB

MD5
b58b926c3574d28d5b7fdd2ca3ec30d5

SHA1
d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

SHA256
6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

SHA512
b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

Download Submit
C:\Users\Admin\AppData\Roaming\Gold\Gold.exe
Filesize
63KB

MD5
b58b926c3574d28d5b7fdd2ca3ec30d5

SHA1
d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

SHA256
6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

SHA512
b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

Download Submit
C:\Users\Admin\AppData\Roaming\Gold\Gold.exe
Filesize
63KB

MD5
b58b926c3574d28d5b7fdd2ca3ec30d5

SHA1
d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

SHA256
6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

SHA512
b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

Download Submit
memory/268-157-0x000000000044744E-mapping.dmp

Download
memory/360-357-0x00000000004D0000-0x0000000000524000-memory.dmp

Filesize
336KB

Download
memory/568-76-0x000000000044744E-mapping.dmp

Download
memory/580-115-0x0000000000000000-mapping.dmp

Download
memory/592-135-0x000000000044744E-mapping.dmp

Download
memory/612-186-0x000000000044744E-mapping.dmp

Download
memory/692-93-0x000000000044744E-mapping.dmp

Download
memory/692-152-0x000000000044744E-mapping.dmp

Download
memory/692-304-0x0000000000520000-0x0000000000574000-memory.dmp

Filesize
336KB

Download
memory/704-146-0x0000000000000000-mapping.dmp

Download
memory/776-137-0x0000000000000000-mapping.dmp

Download
memory/776-138-0x0000000000260000-0x00000000002B4000-memory.dmp

Filesize
336KB

Download
memory/780-297-0x00000000001E0000-0x0000000000234000-memory.dmp

Filesize
336KB

Download
memory/828-72-0x000000000044744E-mapping.dmp

Download
memory/832-163-0x0000000000000000-mapping.dmp

Download
memory/836-184-0x0000000000000000-mapping.dmp

Download
memory/856-148-0x000000000044744E-mapping.dmp

Download
memory/884-65-0x0000000000000000-mapping.dmp

Download
memory/908-119-0x0000000000000000-mapping.dmp

Download
memory/916-171-0x0000000000000000-mapping.dmp

Download
memory/916-89-0x000000000044744E-mapping.dmp

Download
memory/936-360-0x0000000000460000-0x00000000004B4000-memory.dmp

Filesize
336KB

Download
memory/964-133-0x0000000000000000-mapping.dmp

Download
memory/976-124-0x0000000000500000-0x0000000000554000-memory.dmp

Filesize
336KB

Download
memory/976-123-0x0000000000000000-mapping.dmp

Download
memory/984-175-0x0000000000000000-mapping.dmp

Download
memory/988-82-0x0000000000000000-mapping.dmp

Download
memory/1036-84-0x000000000044744E-mapping.dmp

Download
memory/1052-131-0x000000000044744E-mapping.dmp

Download
memory/1060-144-0x000000000044744E-mapping.dmp

Download
memory/1104-159-0x0000000000000000-mapping.dmp

Download
memory/1108-78-0x0000000000000000-mapping.dmp

Download
memory/1144-161-0x000000000044744E-mapping.dmp

Download
memory/1164-103-0x0000000000000000-mapping.dmp

Download
memory/1176-86-0x0000000000000000-mapping.dmp

Download
memory/1184-67-0x000000000044744E-mapping.dmp

Download
memory/1224-126-0x000000000044744E-mapping.dmp

Download
memory/1256-231-0x0000000000240000-0x0000000000294000-memory.dmp

Filesize
336KB

Download
memory/1260-57-0x000000000044744E-mapping.dmp

Download
memory/1260-59-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1272-155-0x0000000000360000-0x00000000003B4000-memory.dmp

Filesize
336KB

Download
memory/1272-154-0x0000000000000000-mapping.dmp

Download
memory/1272-105-0x000000000044744E-mapping.dmp

Download
memory/1296-173-0x000000000044744E-mapping.dmp

Download
memory/1300-420-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1308-74-0x0000000000000000-mapping.dmp

Download
memory/1316-95-0x0000000000000000-mapping.dmp

Download
memory/1320-188-0x0000000000000000-mapping.dmp

Download
memory/1340-97-0x000000000044744E-mapping.dmp

Download
memory/1388-142-0x0000000000000000-mapping.dmp

Download
memory/1412-117-0x000000000044744E-mapping.dmp

Download
memory/1440-169-0x000000000044744E-mapping.dmp

Download
memory/1492-69-0x0000000000000000-mapping.dmp

Download
memory/1492-70-0x0000000000430000-0x0000000000484000-memory.dmp

Filesize
336KB

Download
memory/1528-150-0x0000000000000000-mapping.dmp

Download
memory/1584-63-0x000000000044744E-mapping.dmp

Download
memory/1588-121-0x000000000044744E-mapping.dmp

Download
memory/1596-276-0x0000000000810000-0x0000000000864000-memory.dmp

Filesize
336KB

Download
memory/1660-179-0x0000000000000000-mapping.dmp

Download
memory/1660-180-0x00000000002A0000-0x00000000002F4000-memory.dmp

Filesize
336KB

Download
memory/1680-113-0x000000000044744E-mapping.dmp

Download
memory/1684-190-0x000000000044744E-mapping.dmp

Download
memory/1696-107-0x0000000000000000-mapping.dmp

Download
memory/1704-61-0x0000000000000000-mapping.dmp

Download
memory/1712-129-0x0000000000440000-0x0000000000494000-memory.dmp

Filesize
336KB

Download
memory/1712-128-0x0000000000000000-mapping.dmp

Download
memory/1720-60-0x0000000000410000-0x0000000000413000-memory.dmp

Filesize
12KB

Download
memory/1720-54-0x00000000002F0000-0x000000000035A000-memory.dmp

Filesize
424KB

Download
memory/1720-56-0x0000000075DF1000-0x0000000075DF3000-memory.dmp

Filesize
8KB

Download
memory/1720-55-0x00000000006F0000-0x0000000000744000-memory.dmp

Filesize
336KB

Download
memory/1744-182-0x000000000044744E-mapping.dmp

Download
memory/1776-99-0x0000000000000000-mapping.dmp

Download
memory/1788-140-0x000000000044744E-mapping.dmp

Download
memory/1808-192-0x0000000000000000-mapping.dmp

Download
memory/1812-91-0x0000000000000000-mapping.dmp

Download
memory/1816-80-0x000000000044744E-mapping.dmp

Download
memory/1924-111-0x0000000000000000-mapping.dmp

Download
memory/1940-101-0x000000000044744E-mapping.dmp

Download
memory/1956-165-0x000000000044744E-mapping.dmp

Download
memory/1984-167-0x0000000000000000-mapping.dmp

Download
memory/2004-177-0x000000000044744E-mapping.dmp

Download
memory/2040-109-0x000000000044744E-mapping.dmp

Download
memory/2172-261-0x0000000000410000-0x0000000000464000-memory.dmp

Filesize
336KB

Download
memory/2180-377-0x00000000005F0000-0x0000000000644000-memory.dmp

Filesize
336KB

Download
memory/2556-417-0x0000000000360000-0x00000000003B4000-memory.dmp

Filesize
336KB

Download
memory/2656-407-0x00000000006B0000-0x0000000000704000-memory.dmp

Filesize
336KB

Download
memory/2724-334-0x0000000000260000-0x00000000002B4000-memory.dmp

Filesize
336KB

Download
memory/2748-247-0x0000000000360000-0x00000000003B4000-memory.dmp

Filesize
336KB

Download
memory/2952-404-0x0000000000360000-0x00000000003B4000-memory.dmp

Filesize
336KB

Download
memory/2972-412-0x00000000004D0000-0x0000000000524000-memory.dmp

Filesize
336KB

Download
memory/3068-256-0x0000000000260000-0x00000000002B4000-memory.dmp

Filesize
336KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads