agenttesla | 0297de22b433fe7ecee63b5f80b78c4749bb8f4cfec0cd737713d87781d1db52

General

Target

import_documents.exe
Size

395KB
MD5

22f207e5e15c4ec19b80e07fa45967b9
SHA1

7af28dc2d18281e450738b4a477cd14014458e72
SHA256

87c88de3a875c7997a34e00e8c7c97577f046332811dcef6cba7c33b37c42396
SHA512

5912b78fdc9b66639c5deb9d12e8b8aad4c404c6b2e919392e5032ee80a04e91e3cd1e4822ec6880fef0a2a830200a317ffb390745e21f0b0c697a00c71a3cd8

Score

10^/10

agenttesla keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
smtp.office365.com
Port:
587
Username:
[email protected]
Password:
bhsusa714

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla Payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4412-132-0x0000000000400000-0x000000000044C000-memory.dmp	family_agenttesla

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

import_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	import_documents.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	import_documents.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	import_documents.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	import_documents.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	import_documents.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	import_documents.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	import_documents.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	import_documents.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	import_documents.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	import_documents.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	import_documents.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	import_documents.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	import_documents.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	import_documents.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	import_documents.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	import_documents.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	import_documents.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	import_documents.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	import_documents.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	import_documents.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	import_documents.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	import_documents.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	import_documents.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	import_documents.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	import_documents.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	import_documents.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	import_documents.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	import_documents.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	import_documents.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	import_documents.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	import_documents.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	import_documents.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	import_documents.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	import_documents.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	import_documents.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	import_documents.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	import_documents.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	import_documents.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	import_documents.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	import_documents.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	import_documents.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	import_documents.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	import_documents.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	import_documents.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	import_documents.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	import_documents.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	import_documents.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	import_documents.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	import_documents.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	import_documents.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	import_documents.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	import_documents.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	import_documents.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	import_documents.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	import_documents.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	import_documents.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	import_documents.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	import_documents.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	import_documents.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	import_documents.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	import_documents.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	import_documents.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	import_documents.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	import_documents.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

RegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Gold = "C:\\Users\\Admin\\AppData\\Roaming\\Gold\\Gold.exe"	RegAsm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Gold = "C:\\Users\\Admin\\AppData\\Roaming\\Gold\\Gold.exe"	RegAsm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Gold = "C:\\Users\\Admin\\AppData\\Roaming\\Gold\\Gold.exe"	RegAsm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Gold = "C:\\Users\\Admin\\AppData\\Roaming\\Gold\\Gold.exe"	RegAsm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Gold = "C:\\Users\\Admin\\AppData\\Roaming\\Gold\\Gold.exe"	RegAsm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Gold = "C:\\Users\\Admin\\AppData\\Roaming\\Gold\\Gold.exe"	RegAsm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Gold = "C:\\Users\\Admin\\AppData\\Roaming\\Gold\\Gold.exe"	RegAsm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Gold = "C:\\Users\\Admin\\AppData\\Roaming\\Gold\\Gold.exe"	RegAsm.exe

Suspicious use of SetThreadContext 64 IoCs

Processes:

import_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exe

description	pid	process	target process
PID 3316 set thread context of 4412	3316	import_documents.exe	RegAsm.exe
PID 2884 set thread context of 1860	2884	import_documents.exe	RegAsm.exe
PID 4476 set thread context of 4432	4476	import_documents.exe	RegAsm.exe
PID 3596 set thread context of 3040	3596	import_documents.exe	RegAsm.exe
PID 4592 set thread context of 2152	4592	import_documents.exe	RegAsm.exe
PID 4680 set thread context of 2632	4680	import_documents.exe	RegAsm.exe
PID 2580 set thread context of 4988	2580	import_documents.exe	RegAsm.exe
PID 204 set thread context of 4116	204	import_documents.exe	RegAsm.exe
PID 1780 set thread context of 4928	1780	import_documents.exe	RegAsm.exe
PID 3192 set thread context of 2700	3192	import_documents.exe	RegAsm.exe
PID 1500 set thread context of 5084	1500	import_documents.exe	RegAsm.exe
PID 3308 set thread context of 5052	3308	import_documents.exe	RegAsm.exe
PID 2168 set thread context of 3712	2168	import_documents.exe	RegAsm.exe
PID 4488 set thread context of 520	4488	import_documents.exe	RegAsm.exe
PID 3584 set thread context of 5012	3584	import_documents.exe	RegAsm.exe
PID 3648 set thread context of 1124	3648	import_documents.exe	RegAsm.exe
PID 1712 set thread context of 1820	1712	import_documents.exe	RegAsm.exe
PID 392 set thread context of 2336	392	import_documents.exe	RegAsm.exe
PID 3960 set thread context of 4728	3960	import_documents.exe	RegAsm.exe
PID 3044 set thread context of 384	3044	import_documents.exe	RegAsm.exe
PID 1128 set thread context of 3936	1128	import_documents.exe	RegAsm.exe
PID 4092 set thread context of 3316	4092	import_documents.exe	RegAsm.exe
PID 3132 set thread context of 4396	3132	import_documents.exe	RegAsm.exe
PID 1348 set thread context of 3444	1348	import_documents.exe	RegAsm.exe
PID 1284 set thread context of 4996	1284	import_documents.exe	RegAsm.exe
PID 1620 set thread context of 4236	1620	import_documents.exe	RegAsm.exe
PID 4740 set thread context of 1688	4740	import_documents.exe	RegAsm.exe
PID 3488 set thread context of 5116	3488	import_documents.exe	RegAsm.exe
PID 2012 set thread context of 4916	2012	import_documents.exe	RegAsm.exe
PID 2448 set thread context of 4820	2448	import_documents.exe	RegAsm.exe
PID 4000 set thread context of 372	4000	import_documents.exe	RegAsm.exe
PID 3672 set thread context of 1680	3672	import_documents.exe	RegAsm.exe
PID 4892 set thread context of 1384	4892	import_documents.exe	RegAsm.exe
PID 4904 set thread context of 3412	4904	import_documents.exe	RegAsm.exe
PID 3252 set thread context of 5088	3252	import_documents.exe	RegAsm.exe
PID 3156 set thread context of 2932	3156	import_documents.exe	RegAsm.exe
PID 1128 set thread context of 4452	1128	import_documents.exe	RegAsm.exe
PID 2164 set thread context of 4084	2164	import_documents.exe	RegAsm.exe
PID 3224 set thread context of 3616	3224	import_documents.exe	RegAsm.exe
PID 4152 set thread context of 1088	4152	import_documents.exe	RegAsm.exe
PID 1836 set thread context of 1156	1836	import_documents.exe	RegAsm.exe
PID 4828 set thread context of 3300	4828	import_documents.exe	RegAsm.exe
PID 4928 set thread context of 4860	4928	import_documents.exe	RegAsm.exe
PID 2024 set thread context of 2268	2024	import_documents.exe	RegAsm.exe
PID 2216 set thread context of 116	2216	import_documents.exe	RegAsm.exe
PID 3508 set thread context of 308	3508	import_documents.exe	RegAsm.exe
PID 2684 set thread context of 540	2684	import_documents.exe	RegAsm.exe
PID 4652 set thread context of 3092	4652	import_documents.exe	RegAsm.exe
PID 3884 set thread context of 5032	3884	import_documents.exe	RegAsm.exe
PID 4060 set thread context of 3584	4060	import_documents.exe	RegAsm.exe
PID 1908 set thread context of 4216	1908	import_documents.exe	RegAsm.exe
PID 1396 set thread context of 4852	1396	import_documents.exe	RegAsm.exe
PID 4336 set thread context of 4776	4336	import_documents.exe	RegAsm.exe
PID 1400 set thread context of 1140	1400	import_documents.exe	RegAsm.exe
PID 3788 set thread context of 3052	3788	import_documents.exe	RegAsm.exe
PID 4116 set thread context of 3984	4116	import_documents.exe	RegAsm.exe
PID 1772 set thread context of 4464	1772	import_documents.exe	RegAsm.exe
PID 4940 set thread context of 3548	4940	import_documents.exe	RegAsm.exe
PID 3300 set thread context of 3112	3300	import_documents.exe	RegAsm.exe
PID 1832 set thread context of 1352	1832	import_documents.exe	RegAsm.exe
PID 4208 set thread context of 3448	4208	import_documents.exe	RegAsm.exe
PID 4268 set thread context of 2924	4268	import_documents.exe	RegAsm.exe
PID 3412 set thread context of 3616	3412	import_documents.exe	RegAsm.exe
PID 5116 set thread context of 4572	5116	import_documents.exe	RegAsm.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

import_documents.exe

pid	process
3316	import_documents.exe
3316	import_documents.exe
3316	import_documents.exe
3316	import_documents.exe
3316	import_documents.exe
3316	import_documents.exe
3316	import_documents.exe
3316	import_documents.exe
3316	import_documents.exe
3316	import_documents.exe
3316	import_documents.exe
3316	import_documents.exe
3316	import_documents.exe
3316	import_documents.exe
3316	import_documents.exe
3316	import_documents.exe
3316	import_documents.exe
3316	import_documents.exe
3316	import_documents.exe
3316	import_documents.exe
3316	import_documents.exe
3316	import_documents.exe
3316	import_documents.exe
3316	import_documents.exe
3316	import_documents.exe
3316	import_documents.exe
3316	import_documents.exe
3316	import_documents.exe
3316	import_documents.exe
3316	import_documents.exe
3316	import_documents.exe
3316	import_documents.exe
3316	import_documents.exe
3316	import_documents.exe
3316	import_documents.exe
3316	import_documents.exe
3316	import_documents.exe
3316	import_documents.exe
3316	import_documents.exe
3316	import_documents.exe
3316	import_documents.exe
3316	import_documents.exe
3316	import_documents.exe
3316	import_documents.exe
3316	import_documents.exe
3316	import_documents.exe
3316	import_documents.exe
3316	import_documents.exe
3316	import_documents.exe
3316	import_documents.exe
3316	import_documents.exe
3316	import_documents.exe
3316	import_documents.exe
3316	import_documents.exe
3316	import_documents.exe
3316	import_documents.exe
3316	import_documents.exe
3316	import_documents.exe
3316	import_documents.exe
3316	import_documents.exe
3316	import_documents.exe
3316	import_documents.exe
3316	import_documents.exe
3316	import_documents.exe

Suspicious behavior: MapViewOfSection 64 IoCs

Processes:

import_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exe

pid	process
3316	import_documents.exe
2884	import_documents.exe
4476	import_documents.exe
4476	import_documents.exe
3596	import_documents.exe
4592	import_documents.exe
4592	import_documents.exe
4680	import_documents.exe
2580	import_documents.exe
2580	import_documents.exe
204	import_documents.exe
1780	import_documents.exe
3192	import_documents.exe
1500	import_documents.exe
3308	import_documents.exe
3308	import_documents.exe
2168	import_documents.exe
4488	import_documents.exe
3584	import_documents.exe
3648	import_documents.exe
1712	import_documents.exe
1712	import_documents.exe
392	import_documents.exe
3960	import_documents.exe
3044	import_documents.exe
3044	import_documents.exe
1128	import_documents.exe
4092	import_documents.exe
3132	import_documents.exe
3132	import_documents.exe
3132	import_documents.exe
1348	import_documents.exe
1284	import_documents.exe
1620	import_documents.exe
1620	import_documents.exe
4740	import_documents.exe
4740	import_documents.exe
3488	import_documents.exe
2012	import_documents.exe
2448	import_documents.exe
4000	import_documents.exe
4000	import_documents.exe
3672	import_documents.exe
3672	import_documents.exe
4892	import_documents.exe
4904	import_documents.exe
3252	import_documents.exe
3252	import_documents.exe
3156	import_documents.exe
1128	import_documents.exe
1128	import_documents.exe
2164	import_documents.exe
3224	import_documents.exe
4152	import_documents.exe
4152	import_documents.exe
1836	import_documents.exe
1836	import_documents.exe
4828	import_documents.exe
4928	import_documents.exe
4928	import_documents.exe
2024	import_documents.exe
2024	import_documents.exe
2024	import_documents.exe
2024	import_documents.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

import_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeRegAsm.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeRegAsm.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeRegAsm.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exe

description	pid	process
Token: SeDebugPrivilege	3316	import_documents.exe
Token: SeDebugPrivilege	2884	import_documents.exe
Token: SeDebugPrivilege	4476	import_documents.exe
Token: SeDebugPrivilege	3596	import_documents.exe
Token: SeDebugPrivilege	4592	import_documents.exe
Token: SeDebugPrivilege	4680	import_documents.exe
Token: SeDebugPrivilege	2580	import_documents.exe
Token: SeDebugPrivilege	204	import_documents.exe
Token: SeDebugPrivilege	1780	import_documents.exe
Token: SeDebugPrivilege	3192	import_documents.exe
Token: SeDebugPrivilege	1500	import_documents.exe
Token: SeDebugPrivilege	3308	import_documents.exe
Token: SeDebugPrivilege	2168	import_documents.exe
Token: SeDebugPrivilege	4488	import_documents.exe
Token: SeDebugPrivilege	3584	import_documents.exe
Token: SeDebugPrivilege	3648	import_documents.exe
Token: SeDebugPrivilege	1712	import_documents.exe
Token: SeDebugPrivilege	392	import_documents.exe
Token: SeDebugPrivilege	3960	import_documents.exe
Token: SeDebugPrivilege	3044	import_documents.exe
Token: SeDebugPrivilege	1128	import_documents.exe
Token: SeDebugPrivilege	4092	import_documents.exe
Token: SeDebugPrivilege	3132	import_documents.exe
Token: SeDebugPrivilege	4412	RegAsm.exe
Token: SeDebugPrivilege	1348	import_documents.exe
Token: SeDebugPrivilege	1284	import_documents.exe
Token: SeDebugPrivilege	1620	import_documents.exe
Token: SeDebugPrivilege	4740	import_documents.exe
Token: SeDebugPrivilege	3488	import_documents.exe
Token: SeDebugPrivilege	2012	import_documents.exe
Token: SeDebugPrivilege	2448	import_documents.exe
Token: SeDebugPrivilege	4000	import_documents.exe
Token: SeDebugPrivilege	3672	import_documents.exe
Token: SeDebugPrivilege	4892	import_documents.exe
Token: SeDebugPrivilege	4904	import_documents.exe
Token: SeDebugPrivilege	3252	import_documents.exe
Token: SeDebugPrivilege	3156	import_documents.exe
Token: SeDebugPrivilege	1128	import_documents.exe
Token: SeDebugPrivilege	2164	import_documents.exe
Token: SeDebugPrivilege	3224	import_documents.exe
Token: SeDebugPrivilege	4152	import_documents.exe
Token: SeDebugPrivilege	1836	import_documents.exe
Token: SeDebugPrivilege	4828	import_documents.exe
Token: SeDebugPrivilege	4928	import_documents.exe
Token: SeDebugPrivilege	2024	import_documents.exe
Token: SeDebugPrivilege	2216	import_documents.exe
Token: SeDebugPrivilege	3508	import_documents.exe
Token: SeDebugPrivilege	3444	RegAsm.exe
Token: SeDebugPrivilege	2684	import_documents.exe
Token: SeDebugPrivilege	4652	import_documents.exe
Token: SeDebugPrivilege	3884	import_documents.exe
Token: SeDebugPrivilege	4060	import_documents.exe
Token: SeDebugPrivilege	1908	import_documents.exe
Token: SeDebugPrivilege	1396	import_documents.exe
Token: SeDebugPrivilege	540	RegAsm.exe
Token: SeDebugPrivilege	4336	import_documents.exe
Token: SeDebugPrivilege	1400	import_documents.exe
Token: SeDebugPrivilege	3788	import_documents.exe
Token: SeDebugPrivilege	4116	import_documents.exe
Token: SeDebugPrivilege	1772	import_documents.exe
Token: SeDebugPrivilege	4940	import_documents.exe
Token: SeDebugPrivilege	3300	import_documents.exe
Token: SeDebugPrivilege	1832	import_documents.exe
Token: SeDebugPrivilege	4208	import_documents.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

import_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exeimport_documents.exe

description	pid	process	target process
PID 3316 wrote to memory of 4412	3316	import_documents.exe	RegAsm.exe
PID 3316 wrote to memory of 4412	3316	import_documents.exe	RegAsm.exe
PID 3316 wrote to memory of 4412	3316	import_documents.exe	RegAsm.exe
PID 3316 wrote to memory of 4412	3316	import_documents.exe	RegAsm.exe
PID 3316 wrote to memory of 2884	3316	import_documents.exe	import_documents.exe
PID 3316 wrote to memory of 2884	3316	import_documents.exe	import_documents.exe
PID 3316 wrote to memory of 2884	3316	import_documents.exe	import_documents.exe
PID 2884 wrote to memory of 1860	2884	import_documents.exe	RegAsm.exe
PID 2884 wrote to memory of 1860	2884	import_documents.exe	RegAsm.exe
PID 2884 wrote to memory of 1860	2884	import_documents.exe	RegAsm.exe
PID 2884 wrote to memory of 1860	2884	import_documents.exe	RegAsm.exe
PID 2884 wrote to memory of 4476	2884	import_documents.exe	import_documents.exe
PID 2884 wrote to memory of 4476	2884	import_documents.exe	import_documents.exe
PID 2884 wrote to memory of 4476	2884	import_documents.exe	import_documents.exe
PID 4476 wrote to memory of 4424	4476	import_documents.exe	RegAsm.exe
PID 4476 wrote to memory of 4424	4476	import_documents.exe	RegAsm.exe
PID 4476 wrote to memory of 4424	4476	import_documents.exe	RegAsm.exe
PID 4476 wrote to memory of 4432	4476	import_documents.exe	RegAsm.exe
PID 4476 wrote to memory of 4432	4476	import_documents.exe	RegAsm.exe
PID 4476 wrote to memory of 4432	4476	import_documents.exe	RegAsm.exe
PID 4476 wrote to memory of 4432	4476	import_documents.exe	RegAsm.exe
PID 4476 wrote to memory of 3596	4476	import_documents.exe	import_documents.exe
PID 4476 wrote to memory of 3596	4476	import_documents.exe	import_documents.exe
PID 4476 wrote to memory of 3596	4476	import_documents.exe	import_documents.exe
PID 3596 wrote to memory of 3040	3596	import_documents.exe	RegAsm.exe
PID 3596 wrote to memory of 3040	3596	import_documents.exe	RegAsm.exe
PID 3596 wrote to memory of 3040	3596	import_documents.exe	RegAsm.exe
PID 3596 wrote to memory of 3040	3596	import_documents.exe	RegAsm.exe
PID 3596 wrote to memory of 4592	3596	import_documents.exe	import_documents.exe
PID 3596 wrote to memory of 4592	3596	import_documents.exe	import_documents.exe
PID 3596 wrote to memory of 4592	3596	import_documents.exe	import_documents.exe
PID 4592 wrote to memory of 2268	4592	import_documents.exe	RegAsm.exe
PID 4592 wrote to memory of 2268	4592	import_documents.exe	RegAsm.exe
PID 4592 wrote to memory of 2268	4592	import_documents.exe	RegAsm.exe
PID 4592 wrote to memory of 2152	4592	import_documents.exe	RegAsm.exe
PID 4592 wrote to memory of 2152	4592	import_documents.exe	RegAsm.exe
PID 4592 wrote to memory of 2152	4592	import_documents.exe	RegAsm.exe
PID 4592 wrote to memory of 2152	4592	import_documents.exe	RegAsm.exe
PID 4592 wrote to memory of 4680	4592	import_documents.exe	import_documents.exe
PID 4592 wrote to memory of 4680	4592	import_documents.exe	import_documents.exe
PID 4592 wrote to memory of 4680	4592	import_documents.exe	import_documents.exe
PID 4680 wrote to memory of 2632	4680	import_documents.exe	RegAsm.exe
PID 4680 wrote to memory of 2632	4680	import_documents.exe	RegAsm.exe
PID 4680 wrote to memory of 2632	4680	import_documents.exe	RegAsm.exe
PID 4680 wrote to memory of 2632	4680	import_documents.exe	RegAsm.exe
PID 4680 wrote to memory of 2580	4680	import_documents.exe	import_documents.exe
PID 4680 wrote to memory of 2580	4680	import_documents.exe	import_documents.exe
PID 4680 wrote to memory of 2580	4680	import_documents.exe	import_documents.exe
PID 2580 wrote to memory of 2572	2580	import_documents.exe	RegAsm.exe
PID 2580 wrote to memory of 2572	2580	import_documents.exe	RegAsm.exe
PID 2580 wrote to memory of 2572	2580	import_documents.exe	RegAsm.exe
PID 2580 wrote to memory of 4988	2580	import_documents.exe	RegAsm.exe
PID 2580 wrote to memory of 4988	2580	import_documents.exe	RegAsm.exe
PID 2580 wrote to memory of 4988	2580	import_documents.exe	RegAsm.exe
PID 2580 wrote to memory of 4988	2580	import_documents.exe	RegAsm.exe
PID 2580 wrote to memory of 204	2580	import_documents.exe	import_documents.exe
PID 2580 wrote to memory of 204	2580	import_documents.exe	import_documents.exe
PID 2580 wrote to memory of 204	2580	import_documents.exe	import_documents.exe
PID 204 wrote to memory of 4116	204	import_documents.exe	RegAsm.exe
PID 204 wrote to memory of 4116	204	import_documents.exe	RegAsm.exe
PID 204 wrote to memory of 4116	204	import_documents.exe	RegAsm.exe
PID 204 wrote to memory of 4116	204	import_documents.exe	RegAsm.exe
PID 204 wrote to memory of 1780	204	import_documents.exe	import_documents.exe
PID 204 wrote to memory of 1780	204	import_documents.exe	import_documents.exe

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3316

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4412

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2884

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:1860

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4476

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
PID:4432

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
PID:4424

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
4⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3596

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
5⤵
PID:3040

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
5⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4592

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
6⤵
PID:2268

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
6⤵
PID:2152

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
6⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4680

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
7⤵
PID:2632

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
7⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2580

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
8⤵
PID:2572

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
8⤵
PID:4988

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
8⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:204

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
9⤵
PID:4116

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
9⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1780

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
10⤵
PID:4928

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
10⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3192

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
11⤵
PID:2700

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
11⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1500

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
12⤵
PID:5084

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
12⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3308

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
13⤵
PID:3356

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
13⤵
PID:5052

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
13⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2168

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
14⤵
PID:3712

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
14⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4488

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
15⤵
PID:520

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
15⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3584

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
16⤵
PID:5012

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
16⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3648

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
17⤵
PID:1124

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
17⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1712

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
18⤵
PID:4844

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
18⤵
PID:1820

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
18⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:392

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
19⤵
PID:2336

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
19⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3960

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
20⤵
PID:4728

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
20⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3044

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
21⤵
PID:2384

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
21⤵
PID:384

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
21⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1128

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
22⤵
PID:3936

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
22⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4092

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
23⤵
PID:3316

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
23⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3132

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
24⤵
PID:4480

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
24⤵
PID:4460

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
24⤵
PID:4396

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
24⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1348

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
25⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1284

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
26⤵
PID:4996

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
26⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1620

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
27⤵
PID:3756

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
27⤵
PID:4236

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
27⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4740

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
28⤵
PID:4088

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
28⤵
PID:1688

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
28⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3488

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
29⤵
PID:5116

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
29⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2012

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
30⤵
PID:4916

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
30⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2448

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
31⤵
PID:4820

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
31⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4000

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
32⤵
PID:4288

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
32⤵
PID:372

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
32⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3672

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
33⤵
PID:892

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
33⤵
PID:1680

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
33⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4892

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
34⤵
PID:1384

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
34⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4904

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
35⤵
PID:3412

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
35⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3252

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
36⤵
PID:1212

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
36⤵
PID:5088

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
36⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3156

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
37⤵
PID:2932

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
37⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1128

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
38⤵
PID:4392

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
38⤵
PID:4452

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
38⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2164

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
39⤵
PID:4084

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
39⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3224

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
40⤵
PID:3616

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
40⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4152

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
41⤵
PID:4436

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
41⤵
PID:1088

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
41⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1836

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
42⤵
PID:3936

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
42⤵
PID:1156

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
42⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4828

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
43⤵
PID:3300

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
43⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4928

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
44⤵
PID:4396

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
44⤵
PID:4860

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
44⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2024

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
45⤵
PID:1772

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
45⤵
PID:1944

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
45⤵
PID:4536

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
45⤵
PID:2268

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
45⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2216

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
46⤵
PID:116

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
46⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:3508

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
47⤵
PID:308

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
47⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2684

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
48⤵
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:540

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
48⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:4652

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
49⤵
PID:3740

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
49⤵
PID:3092

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
49⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:3884

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
50⤵
PID:5032

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
50⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:4060

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
51⤵
PID:5056

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
51⤵
PID:3584

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
51⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1908

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
52⤵
PID:4216

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
52⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1396

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
53⤵
PID:4852

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
53⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:4336

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
54⤵
- Adds Run key to start application
PID:4776

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
54⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1400

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
55⤵
PID:1140

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
55⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:3788

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
56⤵
PID:3052

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
56⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:4116

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
57⤵
PID:3984

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
57⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1772

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
58⤵
PID:4464

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
58⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:4940

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
59⤵
PID:3548

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
59⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:3300

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
60⤵
PID:3112

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
60⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1832

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
61⤵
PID:3228

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
61⤵
PID:4488

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
61⤵
PID:1352

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
61⤵
PID:4780

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
61⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:4208

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
62⤵
PID:4952

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
62⤵
PID:3448

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
62⤵
- Suspicious use of SetThreadContext
PID:4268

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
63⤵
PID:2924

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
63⤵
- Suspicious use of SetThreadContext
PID:3412

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
64⤵
PID:3616

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
64⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
PID:5116

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
65⤵
PID:4572

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
65⤵
PID:2032

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
66⤵
PID:2660

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
66⤵
PID:204

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
66⤵
PID:2180

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
67⤵
PID:4620

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
67⤵
PID:4636

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
67⤵
PID:4848

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
67⤵
PID:1280

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
68⤵
PID:524

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
68⤵
PID:5112

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
69⤵
PID:4060

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
69⤵
PID:5092

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
69⤵
PID:1200

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
70⤵
PID:1504

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
70⤵
PID:3656

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
71⤵
PID:3120

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
71⤵
PID:2968

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
72⤵
PID:4552

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
72⤵
PID:4744

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
73⤵
PID:388

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
73⤵
PID:3252

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
74⤵
PID:3044

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
74⤵
PID:3444

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
75⤵
PID:1132

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
75⤵
PID:3684

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
76⤵
PID:2064

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
76⤵
PID:1996

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
77⤵
PID:4872

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
77⤵
PID:628

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
78⤵
PID:4644

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
78⤵
PID:4568

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
78⤵
PID:4780

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
79⤵
- Adds Run key to start application
PID:4832

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
79⤵
- Checks computer location settings
PID:4828

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
80⤵
PID:4496

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
80⤵
PID:4952

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
80⤵
PID:3812

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
81⤵
PID:4504

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
81⤵
PID:1316

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
82⤵
PID:4788

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
82⤵
PID:1156

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
83⤵
PID:2604

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
83⤵
PID:2248

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
84⤵
PID:4636

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
84⤵
PID:4588

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
84⤵
- Checks computer location settings
PID:3844

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
85⤵
PID:2068

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
85⤵
- Checks computer location settings
PID:4864

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
86⤵
PID:1280

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
86⤵
PID:3620

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
87⤵
PID:4604

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
87⤵
PID:1928

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
88⤵
PID:3840

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
88⤵
- Checks computer location settings
PID:3488

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
89⤵
PID:2164

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
89⤵
PID:1800

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
90⤵
PID:3948

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
90⤵
PID:2336

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
91⤵
PID:3460

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
91⤵
PID:384

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
92⤵
PID:684

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
92⤵
- Checks computer location settings
PID:2152

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
93⤵
PID:1032

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
93⤵
PID:3120

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
93⤵
PID:1708

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
94⤵
PID:2620

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
94⤵
PID:2876

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
95⤵
PID:5080

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
95⤵
PID:5016

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
96⤵
PID:2288

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
96⤵
PID:2064

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
97⤵
PID:2364

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
97⤵
PID:1740

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
97⤵
PID:5052

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
97⤵
PID:1820

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
97⤵
- Checks computer location settings
PID:3616

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
98⤵
PID:4456

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
98⤵
PID:540

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
99⤵
PID:4644

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
99⤵
- Checks computer location settings
PID:1348

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
100⤵
PID:4984

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
100⤵
PID:664

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
101⤵
PID:4220

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
101⤵
PID:100

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
102⤵
PID:1832

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
102⤵
PID:1580

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
103⤵
PID:4812

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
103⤵
- Checks computer location settings
PID:2704

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
104⤵
PID:3412

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
104⤵
PID:4920

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
105⤵
PID:3088

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
105⤵
PID:4016

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
106⤵
- Adds Run key to start application
PID:4000

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
106⤵
PID:5112

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
107⤵
PID:1200

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
107⤵
PID:4576

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
108⤵
PID:5068

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
108⤵
- Checks computer location settings
PID:3488

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
109⤵
PID:1640

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
109⤵
PID:3596

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
109⤵
PID:1860

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
110⤵
PID:2336

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
110⤵
PID:5076

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
111⤵
PID:1308

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
111⤵
- Checks computer location settings
PID:3344

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
112⤵
PID:3980

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
112⤵
PID:720

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
112⤵
PID:524

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
113⤵
PID:4792

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
113⤵
PID:1808

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
114⤵
PID:4116

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
114⤵
- Checks computer location settings
PID:4132

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
115⤵
PID:4464

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
115⤵
PID:2548

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
116⤵
PID:540

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
116⤵
PID:2696

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
117⤵
PID:3032

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
117⤵
PID:1680

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
118⤵
PID:4208

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
118⤵
PID:3152

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
119⤵
PID:3320

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
119⤵
PID:3104

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
119⤵
PID:4416

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
120⤵
PID:1840

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
120⤵
PID:1752

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
121⤵
PID:3120

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
121⤵
- Checks computer location settings
PID:3156

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
122⤵
PID:3972

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
122⤵
- Checks computer location settings
PID:4952

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
123⤵
PID:2148

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
123⤵
PID:3920

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
124⤵
PID:372

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
124⤵
PID:2384

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
125⤵
PID:2260

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
125⤵
PID:1820

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
126⤵
PID:344

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
126⤵
- Checks computer location settings
PID:4860

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
127⤵
PID:5116

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
127⤵
PID:3804

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
127⤵
PID:4652

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
128⤵
PID:3844

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
128⤵
PID:444

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
129⤵
PID:5032

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
129⤵
PID:1928

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
130⤵
PID:1800

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
130⤵
- Checks computer location settings
PID:2276

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
131⤵
PID:1292

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
131⤵
PID:3980

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
132⤵
PID:4312

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
132⤵
PID:4912

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
133⤵
- Adds Run key to start application
PID:2252

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
133⤵
PID:4748

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
134⤵
PID:2688

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
134⤵
PID:4908

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
135⤵
PID:4700

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
135⤵
- Checks computer location settings
PID:2844

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
136⤵
PID:4692

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
136⤵
PID:3716

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
137⤵
PID:956

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
137⤵
PID:4644

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
138⤵
PID:3444

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
138⤵
PID:924

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
138⤵
PID:1132

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
139⤵
PID:3548

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
139⤵
PID:4456

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
139⤵
PID:1832

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
140⤵
PID:5064

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
140⤵
PID:5024

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
141⤵
PID:4276

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
141⤵
PID:1544

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
142⤵
PID:2384

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
142⤵
PID:3088

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
143⤵
PID:3192

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
143⤵
PID:1760

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
143⤵
PID:708

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
143⤵
PID:2448

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
144⤵
PID:4652

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
144⤵
- Checks computer location settings
PID:2616

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
145⤵
PID:5108

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
145⤵
PID:1568

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
146⤵
PID:1708

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
146⤵
PID:1496

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
147⤵
PID:4496

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
147⤵
PID:720

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
148⤵
PID:4228

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
148⤵
PID:4100

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
148⤵
- Checks computer location settings
PID:1436

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
149⤵
PID:3648

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
149⤵
PID:1968

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
149⤵
PID:2508

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
150⤵
PID:216

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
150⤵
- Checks computer location settings
PID:876

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
151⤵
PID:1156

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
151⤵
PID:2364

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
152⤵
PID:4888

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
152⤵
- Checks computer location settings
PID:1316

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
153⤵
PID:1080

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
153⤵
PID:632

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
154⤵
PID:2276

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
154⤵
- Checks computer location settings
PID:2008

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
155⤵
PID:1140

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
155⤵
PID:3344

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
155⤵
PID:2932

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
156⤵
PID:4748

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
156⤵
PID:628

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
157⤵
PID:1512

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
157⤵
PID:1348

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
157⤵
PID:1552

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
158⤵
PID:4892

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
158⤵
PID:2952

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
158⤵
PID:2492

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
159⤵
- Adds Run key to start application
PID:204

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
159⤵
PID:3984

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
159⤵
PID:4812

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
160⤵
PID:4268

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
160⤵
PID:1852

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
160⤵
PID:4004

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
161⤵
PID:3808

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
161⤵
PID:4856

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
162⤵
PID:4920

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
162⤵
PID:1640

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
163⤵
PID:3524

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
163⤵
- Checks computer location settings
PID:3936

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
164⤵
PID:3868

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
164⤵
PID:3888

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
165⤵
PID:5088

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
165⤵
PID:4464

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
166⤵
PID:1996

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
166⤵
PID:1436

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
167⤵
PID:1908

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
167⤵
PID:5032

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
168⤵
PID:1164

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
168⤵
PID:4792

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
169⤵
PID:5052

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
169⤵
- Checks computer location settings
PID:384

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
170⤵
PID:2848

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
170⤵
- Checks computer location settings
PID:2924

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
171⤵
PID:3044

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
171⤵
PID:2472

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
172⤵
PID:2932

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
172⤵
PID:3200

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
173⤵
PID:4456

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
173⤵
PID:4972

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
174⤵
PID:5104

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
174⤵
- Checks computer location settings
PID:1088

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
175⤵
PID:1516

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
175⤵
PID:2660

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
175⤵
PID:924

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
175⤵
PID:1708

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
176⤵
PID:752

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
176⤵
PID:4716

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
177⤵
PID:388

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
177⤵
PID:3252

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
178⤵
PID:812

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
178⤵
PID:4232

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
179⤵
PID:4896

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
179⤵
PID:5064

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
180⤵
PID:4908

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
180⤵
PID:3984

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
181⤵
PID:4256

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
181⤵
- Checks computer location settings
PID:2672

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
182⤵
PID:1288

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
182⤵
PID:1540

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
183⤵
- Adds Run key to start application
PID:1544

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
183⤵
PID:4108

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
184⤵
PID:5072

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
184⤵
PID:1640

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
185⤵
PID:5008

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
185⤵
PID:2700

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
185⤵
PID:4236

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
186⤵
PID:3888

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
186⤵
PID:1564

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
187⤵
PID:3844

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
187⤵
PID:3316

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
188⤵
PID:4984

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
188⤵
PID:4708

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
189⤵
PID:3160

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
189⤵
PID:4032

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
190⤵
PID:4092

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
190⤵
PID:1960

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
191⤵
PID:1004

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
191⤵
PID:1516

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
192⤵
PID:452

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
192⤵
- Checks computer location settings
PID:1628

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
193⤵
PID:2688

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
193⤵
PID:1088

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
193⤵
PID:4916

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
194⤵
PID:4332

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
194⤵
PID:1608

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
195⤵
PID:2620

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
195⤵
PID:4276

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
195⤵
PID:4572

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
196⤵
PID:2408

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
196⤵
PID:5080

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
196⤵
PID:1108

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
196⤵
PID:3088

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
197⤵
PID:2848

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
197⤵
- Checks computer location settings
PID:4344

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
198⤵
PID:1212

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
198⤵
PID:4996

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
198⤵
- Checks computer location settings
PID:2148

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
199⤵
PID:4084

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
199⤵
- Checks computer location settings
PID:4740

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
200⤵
PID:1800

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
200⤵
PID:4256

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
200⤵
PID:2252

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
201⤵
PID:4020

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
201⤵
PID:3172

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
201⤵
PID:1996

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
201⤵
PID:388

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
201⤵
PID:1712

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
202⤵
PID:1280

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
202⤵
PID:3984

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
202⤵
PID:4392

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
203⤵
PID:4624

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
203⤵
PID:5100

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
204⤵
PID:4856

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
204⤵
PID:1548

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
205⤵
PID:1640

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
205⤵
PID:5112

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
206⤵
PID:1620

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
206⤵
PID:872

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
207⤵
PID:4792

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
207⤵
PID:3316

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
207⤵
PID:5016

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
208⤵
- Adds Run key to start application
PID:1752

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
208⤵
- Checks computer location settings
PID:4496

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
209⤵
PID:2688

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
209⤵
PID:2660

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
209⤵
PID:2024

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
210⤵
PID:2032

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
210⤵
PID:4900

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
211⤵
PID:3364

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
211⤵
PID:4916

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
211⤵
PID:4892

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
212⤵
PID:2084

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
212⤵
- Checks computer location settings
PID:5088

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
213⤵
PID:3088

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
213⤵
PID:4896

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
214⤵
PID:2844

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
214⤵
PID:1800

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
214⤵
PID:3776

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
215⤵
PID:812

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
215⤵
PID:1856

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
216⤵
PID:2000

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
216⤵
PID:4416

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
217⤵
PID:1712

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
217⤵
PID:2164

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
218⤵
PID:612

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
218⤵
- Checks computer location settings
PID:3932

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
219⤵
PID:4592

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
219⤵
PID:1656

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
220⤵
PID:4564

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
220⤵
PID:2376

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
221⤵
PID:1108

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
221⤵
PID:4308

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
221⤵
- Checks computer location settings
PID:2924

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
222⤵
PID:3572

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
222⤵
PID:1848

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
222⤵
PID:4676

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
223⤵
PID:4984

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
223⤵
PID:3896

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
224⤵
PID:2244

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
224⤵
PID:4780

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
225⤵
PID:4464

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
225⤵
- Checks computer location settings
PID:4236

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
226⤵
PID:1564

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
226⤵
PID:2880

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
227⤵
PID:4132

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
227⤵
- Checks computer location settings
PID:1348

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
228⤵
PID:688

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
228⤵
PID:2896

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
229⤵
PID:4376

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
229⤵
PID:3352

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
229⤵
- Checks computer location settings
PID:4100

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
230⤵
PID:3836

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
230⤵
PID:1956

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
231⤵
PID:3920

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
231⤵
PID:2964

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
232⤵
PID:3152

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
232⤵
PID:3132

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
233⤵
PID:4020

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
233⤵
PID:4952

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
233⤵
PID:1092

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
233⤵
- Checks computer location settings
PID:3032

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
234⤵
PID:5100

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
234⤵
PID:4912

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
234⤵
- Checks computer location settings
PID:3852

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
235⤵
PID:1108

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
235⤵
PID:4228

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
236⤵
PID:4084

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
236⤵
PID:2096

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
237⤵
PID:2960

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
237⤵
PID:4928

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
238⤵
PID:1124

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
238⤵
PID:3728

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
238⤵
PID:224

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
239⤵
PID:4792

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
239⤵
- Checks computer location settings
PID:3508

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
240⤵
PID:1316

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
240⤵
PID:4376

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
241⤵
PID:4468

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
241⤵
PID:908

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
242⤵
PID:4140

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
242⤵
PID:1808

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
243⤵
PID:4748

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
243⤵
PID:4100

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
243⤵
PID:1196

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
244⤵
PID:4108

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
244⤵
PID:3672

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
245⤵
PID:4756

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
245⤵
PID:4916

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
246⤵
PID:688

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
246⤵
PID:3352

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
246⤵
PID:3836

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
247⤵
PID:3344

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
247⤵
PID:3652

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
248⤵
PID:4860

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
248⤵
PID:3584

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
249⤵
PID:1684

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
249⤵
- Checks computer location settings
PID:812

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
250⤵
PID:4508

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
250⤵
PID:4136

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
251⤵
PID:5012

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
251⤵
PID:1164

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
251⤵
PID:1580

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
252⤵
PID:1476

C:\Users\Admin\AppData\Local\Temp\import_documents.exe
"C:\Users\Admin\AppData\Local\Temp\import_documents.exe"
252⤵
PID:1272

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
253⤵
PID:2616

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3444

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Gold\Gold.exe
Filesize
63KB

MD5
0d5df43af2916f47d00c1573797c1a13

SHA1
230ab5559e806574d26b4c20847c368ed55483b0

SHA256
c066aee7aa3aa83f763ebc5541daa266ed6c648fbffcde0d836a13b221bb2adc

SHA512
f96cf9e1890746b12daf839a6d0f16f062b72c1b8a40439f96583f242980f10f867720232a6fa0f7d4d7ac0a7a6143981a5a130d6417ea98b181447134c7cfe2

Download Submit
C:\Users\Admin\AppData\Roaming\Gold\Gold.exe
Filesize
63KB

MD5
0d5df43af2916f47d00c1573797c1a13

SHA1
230ab5559e806574d26b4c20847c368ed55483b0

SHA256
c066aee7aa3aa83f763ebc5541daa266ed6c648fbffcde0d836a13b221bb2adc

SHA512
f96cf9e1890746b12daf839a6d0f16f062b72c1b8a40439f96583f242980f10f867720232a6fa0f7d4d7ac0a7a6143981a5a130d6417ea98b181447134c7cfe2

Download Submit
C:\Users\Admin\AppData\Roaming\Gold\Gold.exe
Filesize
63KB

MD5
0d5df43af2916f47d00c1573797c1a13

SHA1
230ab5559e806574d26b4c20847c368ed55483b0

SHA256
c066aee7aa3aa83f763ebc5541daa266ed6c648fbffcde0d836a13b221bb2adc

SHA512
f96cf9e1890746b12daf839a6d0f16f062b72c1b8a40439f96583f242980f10f867720232a6fa0f7d4d7ac0a7a6143981a5a130d6417ea98b181447134c7cfe2

Download Submit
C:\Users\Admin\AppData\Roaming\Gold\Gold.exe
Filesize
63KB

MD5
0d5df43af2916f47d00c1573797c1a13

SHA1
230ab5559e806574d26b4c20847c368ed55483b0

SHA256
c066aee7aa3aa83f763ebc5541daa266ed6c648fbffcde0d836a13b221bb2adc

SHA512
f96cf9e1890746b12daf839a6d0f16f062b72c1b8a40439f96583f242980f10f867720232a6fa0f7d4d7ac0a7a6143981a5a130d6417ea98b181447134c7cfe2

Download Submit
C:\Users\Admin\AppData\Roaming\Gold\Gold.exe
Filesize
63KB

MD5
0d5df43af2916f47d00c1573797c1a13

SHA1
230ab5559e806574d26b4c20847c368ed55483b0

SHA256
c066aee7aa3aa83f763ebc5541daa266ed6c648fbffcde0d836a13b221bb2adc

SHA512
f96cf9e1890746b12daf839a6d0f16f062b72c1b8a40439f96583f242980f10f867720232a6fa0f7d4d7ac0a7a6143981a5a130d6417ea98b181447134c7cfe2

Download Submit
memory/204-149-0x0000000000000000-mapping.dmp

Download
memory/372-196-0x0000000000000000-mapping.dmp

Download
memory/384-174-0x0000000000000000-mapping.dmp

Download
memory/392-169-0x0000000000000000-mapping.dmp

Download
memory/520-162-0x0000000000000000-mapping.dmp

Download
memory/524-202-0x0000000001690000-0x000000000173B000-memory.dmp

Filesize
684KB

Download
memory/1124-166-0x0000000000000000-mapping.dmp

Download
memory/1128-175-0x0000000000000000-mapping.dmp

Download
memory/1284-183-0x0000000000000000-mapping.dmp

Download
memory/1348-181-0x0000000000000000-mapping.dmp

Download
memory/1500-155-0x0000000000000000-mapping.dmp

Download
memory/1620-185-0x0000000000000000-mapping.dmp

Download
memory/1680-198-0x0000000000000000-mapping.dmp

Download
memory/1688-188-0x0000000000000000-mapping.dmp

Download
memory/1712-167-0x0000000000000000-mapping.dmp

Download
memory/1780-151-0x0000000000000000-mapping.dmp

Download
memory/1820-168-0x0000000000000000-mapping.dmp

Download
memory/1860-138-0x0000000000000000-mapping.dmp

Download
memory/2012-191-0x0000000000000000-mapping.dmp

Download
memory/2152-144-0x0000000000000000-mapping.dmp

Download
memory/2168-159-0x0000000000000000-mapping.dmp

Download
memory/2336-170-0x0000000000000000-mapping.dmp

Download
memory/2448-193-0x0000000000000000-mapping.dmp

Download
memory/2580-147-0x0000000000000000-mapping.dmp

Download
memory/2632-146-0x0000000000000000-mapping.dmp

Download
memory/2700-154-0x0000000000000000-mapping.dmp

Download
memory/2884-137-0x0000000000000000-mapping.dmp

Download
memory/3040-142-0x0000000000000000-mapping.dmp

Download
memory/3044-173-0x0000000000000000-mapping.dmp

Download
memory/3132-179-0x0000000000000000-mapping.dmp

Download
memory/3192-153-0x0000000000000000-mapping.dmp

Download
memory/3308-157-0x0000000000000000-mapping.dmp

Download
memory/3316-130-0x00000000006F0000-0x000000000075A000-memory.dmp

Filesize
424KB

Download
memory/3316-135-0x0000000005180000-0x0000000005183000-memory.dmp

Filesize
12KB

Download
memory/3316-178-0x0000000000000000-mapping.dmp

Download
memory/3444-182-0x0000000000000000-mapping.dmp

Download
memory/3488-189-0x0000000000000000-mapping.dmp

Download
memory/3584-163-0x0000000000000000-mapping.dmp

Download
memory/3596-141-0x0000000000000000-mapping.dmp

Download
memory/3648-165-0x0000000000000000-mapping.dmp

Download
memory/3672-197-0x0000000000000000-mapping.dmp

Download
memory/3712-160-0x0000000000000000-mapping.dmp

Download
memory/3936-176-0x0000000000000000-mapping.dmp

Download
memory/3960-171-0x0000000000000000-mapping.dmp

Download
memory/4000-195-0x0000000000000000-mapping.dmp

Download
memory/4092-177-0x0000000000000000-mapping.dmp

Download
memory/4116-150-0x0000000000000000-mapping.dmp

Download
memory/4236-186-0x0000000000000000-mapping.dmp

Download
memory/4396-180-0x0000000000000000-mapping.dmp

Download
memory/4412-131-0x0000000000000000-mapping.dmp

Download
memory/4412-132-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/4412-133-0x00000000057E0000-0x0000000005D84000-memory.dmp

Filesize
5.6MB

Download
memory/4412-134-0x0000000004FD0000-0x0000000005062000-memory.dmp

Filesize
584KB

Download
memory/4412-136-0x00000000052D0000-0x000000000536C000-memory.dmp

Filesize
624KB

Download
memory/4412-200-0x0000000005ED0000-0x0000000005F36000-memory.dmp

Filesize
408KB

Download
memory/4432-140-0x0000000000000000-mapping.dmp

Download
memory/4476-139-0x0000000000000000-mapping.dmp

Download
memory/4488-161-0x0000000000000000-mapping.dmp

Download
memory/4592-143-0x0000000000000000-mapping.dmp

Download
memory/4680-145-0x0000000000000000-mapping.dmp

Download
memory/4728-172-0x0000000000000000-mapping.dmp

Download
memory/4740-187-0x0000000000000000-mapping.dmp

Download
memory/4820-194-0x0000000000000000-mapping.dmp

Download
memory/4892-199-0x0000000000000000-mapping.dmp

Download
memory/4916-192-0x0000000000000000-mapping.dmp

Download
memory/4928-152-0x0000000000000000-mapping.dmp

Download
memory/4988-148-0x0000000000000000-mapping.dmp

Download
memory/4996-184-0x0000000000000000-mapping.dmp

Download
memory/5012-164-0x0000000000000000-mapping.dmp

Download
memory/5052-158-0x0000000000000000-mapping.dmp

Download
memory/5084-156-0x0000000000000000-mapping.dmp

Download
memory/5116-190-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads