agenttesla | 2f192a32d2b45bb6104607e955ad7034859a4f18a29ecd1107b119cc9c20094d

General

Target

c.c auth,-confirmation #1307654780,pdf.exe
Size

389KB
MD5

e80514ca1a42e6f28fbd78b561883c2c
SHA1

823c8f1ff7d961eb2a910af44d130997c76c01ce
SHA256

ac59fc8043fdbad6e5c65e7c9e34aaceffe49290761f5ff6befa5825a781bc27
SHA512

7cc4c8a5ef724b8226a06662b7323cf9210637ccff800649bdea56df16e16fd8995926a9f624287c15b02b4678e173d3873ec87694d739a07c105f60da2a2a6b

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.marketinfosales.com
Port:
587
Username:
[email protected]
Password:
QAZqaz123@

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla Payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1992-60-0x0000000000400000-0x0000000000452000-memory.dmp	family_agenttesla

Drops startup file 2 IoCs

Processes:

c.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HJdyTuap.exe	c.c auth,-confirmation #1307654780,pdf.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HJdyTuap.exe	c.c auth,-confirmation #1307654780,pdf.exe

Suspicious use of SetThreadContext 64 IoCs

Processes:

c.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exe

description	pid	process	target process
PID 1148 set thread context of 1992	1148	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe
PID 1384 set thread context of 1204	1384	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe
PID 1916 set thread context of 1656	1916	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe
PID 1244 set thread context of 896	1244	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe
PID 932 set thread context of 1612	932	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe
PID 1988 set thread context of 1692	1988	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe
PID 1160 set thread context of 2036	1160	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe
PID 1540 set thread context of 1672	1540	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe
PID 896 set thread context of 1580	896	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe
PID 1936 set thread context of 1984	1936	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe
PID 2008 set thread context of 268	2008	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe
PID 360 set thread context of 1748	360	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe
PID 1744 set thread context of 1656	1744	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe
PID 468 set thread context of 1688	468	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe
PID 1728 set thread context of 868	1728	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe
PID 1184 set thread context of 364	1184	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe
PID 1652 set thread context of 1608	1652	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe
PID 1472 set thread context of 1992	1472	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe
PID 1904 set thread context of 956	1904	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe
PID 1940 set thread context of 1164	1940	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe
PID 580 set thread context of 1972	580	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe
PID 1984 set thread context of 1700	1984	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe
PID 760 set thread context of 1316	760	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe
PID 1220 set thread context of 1932	1220	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe
PID 1400 set thread context of 1020	1400	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe
PID 1212 set thread context of 1824	1212	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe
PID 696 set thread context of 1604	696	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe
PID 1480 set thread context of 1908	1480	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe
PID 1828 set thread context of 544	1828	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe
PID 1140 set thread context of 1608	1140	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe
PID 2036 set thread context of 1076	2036	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe
PID 1164 set thread context of 1368	1164	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe
PID 1792 set thread context of 544	1792	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe
PID 1968 set thread context of 688	1968	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe
PID 1348 set thread context of 992	1348	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe
PID 2032 set thread context of 868	2032	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe
PID 848 set thread context of 688	848	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe
PID 672 set thread context of 2000	672	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe
PID 1056 set thread context of 536	1056	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe
PID 544 set thread context of 2020	544	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe
PID 1972 set thread context of 988	1972	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe
PID 1596 set thread context of 1452	1596	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe
PID 1948 set thread context of 1020	1948	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe
PID 1812 set thread context of 1884	1812	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe
PID 1076 set thread context of 1956	1076	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe
PID 844 set thread context of 868	844	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe
PID 1504 set thread context of 1120	1504	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe
PID 1080 set thread context of 1500	1080	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe
PID 2012 set thread context of 1292	2012	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe
PID 868 set thread context of 1608	868	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe
PID 956 set thread context of 1992	956	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe
PID 1976 set thread context of 1108	1976	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe
PID 2000 set thread context of 1700	2000	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe
PID 300 set thread context of 952	300	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe
PID 1740 set thread context of 1544	1740	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe
PID 1516 set thread context of 1604	1516	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe
PID 1468 set thread context of 1748	1468	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe
PID 1932 set thread context of 1500	1932	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe
PID 688 set thread context of 992	688	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe
PID 1256 set thread context of 1588	1256	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe
PID 1900 set thread context of 1028	1900	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe
PID 2020 set thread context of 1172	2020	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe
PID 1288 set thread context of 1736	1288	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe
PID 1360 set thread context of 692	1360	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

c.c auth,-confirmation #1307654780,pdf.exe

pid	process
1148	c.c auth,-confirmation #1307654780,pdf.exe
1148	c.c auth,-confirmation #1307654780,pdf.exe
1148	c.c auth,-confirmation #1307654780,pdf.exe
1148	c.c auth,-confirmation #1307654780,pdf.exe
1148	c.c auth,-confirmation #1307654780,pdf.exe
1148	c.c auth,-confirmation #1307654780,pdf.exe
1148	c.c auth,-confirmation #1307654780,pdf.exe
1148	c.c auth,-confirmation #1307654780,pdf.exe
1148	c.c auth,-confirmation #1307654780,pdf.exe
1148	c.c auth,-confirmation #1307654780,pdf.exe
1148	c.c auth,-confirmation #1307654780,pdf.exe
1148	c.c auth,-confirmation #1307654780,pdf.exe
1148	c.c auth,-confirmation #1307654780,pdf.exe
1148	c.c auth,-confirmation #1307654780,pdf.exe
1148	c.c auth,-confirmation #1307654780,pdf.exe
1148	c.c auth,-confirmation #1307654780,pdf.exe
1148	c.c auth,-confirmation #1307654780,pdf.exe
1148	c.c auth,-confirmation #1307654780,pdf.exe
1148	c.c auth,-confirmation #1307654780,pdf.exe
1148	c.c auth,-confirmation #1307654780,pdf.exe
1148	c.c auth,-confirmation #1307654780,pdf.exe
1148	c.c auth,-confirmation #1307654780,pdf.exe
1148	c.c auth,-confirmation #1307654780,pdf.exe
1148	c.c auth,-confirmation #1307654780,pdf.exe
1148	c.c auth,-confirmation #1307654780,pdf.exe
1148	c.c auth,-confirmation #1307654780,pdf.exe
1148	c.c auth,-confirmation #1307654780,pdf.exe
1148	c.c auth,-confirmation #1307654780,pdf.exe
1148	c.c auth,-confirmation #1307654780,pdf.exe
1148	c.c auth,-confirmation #1307654780,pdf.exe
1148	c.c auth,-confirmation #1307654780,pdf.exe
1148	c.c auth,-confirmation #1307654780,pdf.exe
1148	c.c auth,-confirmation #1307654780,pdf.exe
1148	c.c auth,-confirmation #1307654780,pdf.exe
1148	c.c auth,-confirmation #1307654780,pdf.exe
1148	c.c auth,-confirmation #1307654780,pdf.exe
1148	c.c auth,-confirmation #1307654780,pdf.exe
1148	c.c auth,-confirmation #1307654780,pdf.exe
1148	c.c auth,-confirmation #1307654780,pdf.exe
1148	c.c auth,-confirmation #1307654780,pdf.exe
1148	c.c auth,-confirmation #1307654780,pdf.exe
1148	c.c auth,-confirmation #1307654780,pdf.exe
1148	c.c auth,-confirmation #1307654780,pdf.exe
1148	c.c auth,-confirmation #1307654780,pdf.exe
1148	c.c auth,-confirmation #1307654780,pdf.exe
1148	c.c auth,-confirmation #1307654780,pdf.exe
1148	c.c auth,-confirmation #1307654780,pdf.exe
1148	c.c auth,-confirmation #1307654780,pdf.exe
1148	c.c auth,-confirmation #1307654780,pdf.exe
1148	c.c auth,-confirmation #1307654780,pdf.exe
1148	c.c auth,-confirmation #1307654780,pdf.exe
1148	c.c auth,-confirmation #1307654780,pdf.exe
1148	c.c auth,-confirmation #1307654780,pdf.exe
1148	c.c auth,-confirmation #1307654780,pdf.exe
1148	c.c auth,-confirmation #1307654780,pdf.exe
1148	c.c auth,-confirmation #1307654780,pdf.exe
1148	c.c auth,-confirmation #1307654780,pdf.exe
1148	c.c auth,-confirmation #1307654780,pdf.exe
1148	c.c auth,-confirmation #1307654780,pdf.exe
1148	c.c auth,-confirmation #1307654780,pdf.exe
1148	c.c auth,-confirmation #1307654780,pdf.exe
1148	c.c auth,-confirmation #1307654780,pdf.exe
1148	c.c auth,-confirmation #1307654780,pdf.exe
1148	c.c auth,-confirmation #1307654780,pdf.exe

Suspicious behavior: MapViewOfSection 64 IoCs

Processes:

c.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exe

pid	process
1148	c.c auth,-confirmation #1307654780,pdf.exe
1148	c.c auth,-confirmation #1307654780,pdf.exe
1148	c.c auth,-confirmation #1307654780,pdf.exe
1148	c.c auth,-confirmation #1307654780,pdf.exe
1148	c.c auth,-confirmation #1307654780,pdf.exe
1384	c.c auth,-confirmation #1307654780,pdf.exe
1384	c.c auth,-confirmation #1307654780,pdf.exe
1916	c.c auth,-confirmation #1307654780,pdf.exe
1244	c.c auth,-confirmation #1307654780,pdf.exe
932	c.c auth,-confirmation #1307654780,pdf.exe
932	c.c auth,-confirmation #1307654780,pdf.exe
1988	c.c auth,-confirmation #1307654780,pdf.exe
1988	c.c auth,-confirmation #1307654780,pdf.exe
1988	c.c auth,-confirmation #1307654780,pdf.exe
1988	c.c auth,-confirmation #1307654780,pdf.exe
1988	c.c auth,-confirmation #1307654780,pdf.exe
1160	c.c auth,-confirmation #1307654780,pdf.exe
1540	c.c auth,-confirmation #1307654780,pdf.exe
1540	c.c auth,-confirmation #1307654780,pdf.exe
896	c.c auth,-confirmation #1307654780,pdf.exe
1936	c.c auth,-confirmation #1307654780,pdf.exe
1936	c.c auth,-confirmation #1307654780,pdf.exe
2008	c.c auth,-confirmation #1307654780,pdf.exe
2008	c.c auth,-confirmation #1307654780,pdf.exe
2008	c.c auth,-confirmation #1307654780,pdf.exe
2008	c.c auth,-confirmation #1307654780,pdf.exe
360	c.c auth,-confirmation #1307654780,pdf.exe
360	c.c auth,-confirmation #1307654780,pdf.exe
360	c.c auth,-confirmation #1307654780,pdf.exe
1744	c.c auth,-confirmation #1307654780,pdf.exe
468	c.c auth,-confirmation #1307654780,pdf.exe
1728	c.c auth,-confirmation #1307654780,pdf.exe
1184	c.c auth,-confirmation #1307654780,pdf.exe
1184	c.c auth,-confirmation #1307654780,pdf.exe
1652	c.c auth,-confirmation #1307654780,pdf.exe
1652	c.c auth,-confirmation #1307654780,pdf.exe
1472	c.c auth,-confirmation #1307654780,pdf.exe
1472	c.c auth,-confirmation #1307654780,pdf.exe
1904	c.c auth,-confirmation #1307654780,pdf.exe
1940	c.c auth,-confirmation #1307654780,pdf.exe
580	c.c auth,-confirmation #1307654780,pdf.exe
1984	c.c auth,-confirmation #1307654780,pdf.exe
760	c.c auth,-confirmation #1307654780,pdf.exe
760	c.c auth,-confirmation #1307654780,pdf.exe
760	c.c auth,-confirmation #1307654780,pdf.exe
1220	c.c auth,-confirmation #1307654780,pdf.exe
1400	c.c auth,-confirmation #1307654780,pdf.exe
1212	c.c auth,-confirmation #1307654780,pdf.exe
696	c.c auth,-confirmation #1307654780,pdf.exe
696	c.c auth,-confirmation #1307654780,pdf.exe
1480	c.c auth,-confirmation #1307654780,pdf.exe
1828	c.c auth,-confirmation #1307654780,pdf.exe
1828	c.c auth,-confirmation #1307654780,pdf.exe
1828	c.c auth,-confirmation #1307654780,pdf.exe
1828	c.c auth,-confirmation #1307654780,pdf.exe
1140	c.c auth,-confirmation #1307654780,pdf.exe
1140	c.c auth,-confirmation #1307654780,pdf.exe
2036	c.c auth,-confirmation #1307654780,pdf.exe
2036	c.c auth,-confirmation #1307654780,pdf.exe
1164	c.c auth,-confirmation #1307654780,pdf.exe
1164	c.c auth,-confirmation #1307654780,pdf.exe
1164	c.c auth,-confirmation #1307654780,pdf.exe
1792	c.c auth,-confirmation #1307654780,pdf.exe
1968	c.c auth,-confirmation #1307654780,pdf.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

c.c auth,-confirmation #1307654780,pdf.exeRegAsm.exec.c auth,-confirmation #1307654780,pdf.exeRegAsm.exec.c auth,-confirmation #1307654780,pdf.exeRegAsm.exec.c auth,-confirmation #1307654780,pdf.exeRegAsm.exec.c auth,-confirmation #1307654780,pdf.exeRegAsm.exec.c auth,-confirmation #1307654780,pdf.exeRegAsm.exec.c auth,-confirmation #1307654780,pdf.exeRegAsm.exec.c auth,-confirmation #1307654780,pdf.exeRegAsm.exec.c auth,-confirmation #1307654780,pdf.exeRegAsm.exec.c auth,-confirmation #1307654780,pdf.exeRegAsm.exec.c auth,-confirmation #1307654780,pdf.exeRegAsm.exec.c auth,-confirmation #1307654780,pdf.exeRegAsm.exec.c auth,-confirmation #1307654780,pdf.exeRegAsm.exec.c auth,-confirmation #1307654780,pdf.exeRegAsm.exec.c auth,-confirmation #1307654780,pdf.exeRegAsm.exec.c auth,-confirmation #1307654780,pdf.exeRegAsm.exec.c auth,-confirmation #1307654780,pdf.exeRegAsm.exec.c auth,-confirmation #1307654780,pdf.exeRegAsm.exec.c auth,-confirmation #1307654780,pdf.exeRegAsm.exec.c auth,-confirmation #1307654780,pdf.exeRegAsm.exec.c auth,-confirmation #1307654780,pdf.exeRegAsm.exec.c auth,-confirmation #1307654780,pdf.exeRegAsm.exec.c auth,-confirmation #1307654780,pdf.exeRegAsm.exec.c auth,-confirmation #1307654780,pdf.exeRegAsm.exec.c auth,-confirmation #1307654780,pdf.exeRegAsm.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exeRegAsm.exec.c auth,-confirmation #1307654780,pdf.exeRegAsm.exec.c auth,-confirmation #1307654780,pdf.exeRegAsm.exec.c auth,-confirmation #1307654780,pdf.exeRegAsm.exec.c auth,-confirmation #1307654780,pdf.exeRegAsm.exec.c auth,-confirmation #1307654780,pdf.exeRegAsm.exec.c auth,-confirmation #1307654780,pdf.exe

description	pid	process
Token: SeDebugPrivilege	1148	c.c auth,-confirmation #1307654780,pdf.exe
Token: SeDebugPrivilege	1992	RegAsm.exe
Token: SeDebugPrivilege	1384	c.c auth,-confirmation #1307654780,pdf.exe
Token: SeDebugPrivilege	1204	RegAsm.exe
Token: SeDebugPrivilege	1916	c.c auth,-confirmation #1307654780,pdf.exe
Token: SeDebugPrivilege	1656	RegAsm.exe
Token: SeDebugPrivilege	1244	c.c auth,-confirmation #1307654780,pdf.exe
Token: SeDebugPrivilege	896	RegAsm.exe
Token: SeDebugPrivilege	932	c.c auth,-confirmation #1307654780,pdf.exe
Token: SeDebugPrivilege	1612	RegAsm.exe
Token: SeDebugPrivilege	1988	c.c auth,-confirmation #1307654780,pdf.exe
Token: SeDebugPrivilege	1692	RegAsm.exe
Token: SeDebugPrivilege	1160	c.c auth,-confirmation #1307654780,pdf.exe
Token: SeDebugPrivilege	2036	RegAsm.exe
Token: SeDebugPrivilege	1540	c.c auth,-confirmation #1307654780,pdf.exe
Token: SeDebugPrivilege	1672	RegAsm.exe
Token: SeDebugPrivilege	896	c.c auth,-confirmation #1307654780,pdf.exe
Token: SeDebugPrivilege	1580	RegAsm.exe
Token: SeDebugPrivilege	1936	c.c auth,-confirmation #1307654780,pdf.exe
Token: SeDebugPrivilege	1984	RegAsm.exe
Token: SeDebugPrivilege	2008	c.c auth,-confirmation #1307654780,pdf.exe
Token: SeDebugPrivilege	268	RegAsm.exe
Token: SeDebugPrivilege	360	c.c auth,-confirmation #1307654780,pdf.exe
Token: SeDebugPrivilege	1748	RegAsm.exe
Token: SeDebugPrivilege	1744	c.c auth,-confirmation #1307654780,pdf.exe
Token: SeDebugPrivilege	1656	RegAsm.exe
Token: SeDebugPrivilege	468	c.c auth,-confirmation #1307654780,pdf.exe
Token: SeDebugPrivilege	1688	RegAsm.exe
Token: SeDebugPrivilege	1728	c.c auth,-confirmation #1307654780,pdf.exe
Token: SeDebugPrivilege	868	RegAsm.exe
Token: SeDebugPrivilege	1184	c.c auth,-confirmation #1307654780,pdf.exe
Token: SeDebugPrivilege	364	RegAsm.exe
Token: SeDebugPrivilege	1652	c.c auth,-confirmation #1307654780,pdf.exe
Token: SeDebugPrivilege	1608	RegAsm.exe
Token: SeDebugPrivilege	1472	c.c auth,-confirmation #1307654780,pdf.exe
Token: SeDebugPrivilege	1992	RegAsm.exe
Token: SeDebugPrivilege	1904	c.c auth,-confirmation #1307654780,pdf.exe
Token: SeDebugPrivilege	956	RegAsm.exe
Token: SeDebugPrivilege	1940	c.c auth,-confirmation #1307654780,pdf.exe
Token: SeDebugPrivilege	1164	RegAsm.exe
Token: SeDebugPrivilege	580	c.c auth,-confirmation #1307654780,pdf.exe
Token: SeDebugPrivilege	1972	RegAsm.exe
Token: SeDebugPrivilege	1984	c.c auth,-confirmation #1307654780,pdf.exe
Token: SeDebugPrivilege	1700	RegAsm.exe
Token: SeDebugPrivilege	760	c.c auth,-confirmation #1307654780,pdf.exe
Token: SeDebugPrivilege	1316	RegAsm.exe
Token: SeDebugPrivilege	1220	c.c auth,-confirmation #1307654780,pdf.exe
Token: SeDebugPrivilege	1932	RegAsm.exe
Token: SeDebugPrivilege	1400	c.c auth,-confirmation #1307654780,pdf.exe
Token: SeDebugPrivilege	1020	RegAsm.exe
Token: SeDebugPrivilege	1212	c.c auth,-confirmation #1307654780,pdf.exe
Token: SeDebugPrivilege	696	c.c auth,-confirmation #1307654780,pdf.exe
Token: SeDebugPrivilege	1604	RegAsm.exe
Token: SeDebugPrivilege	1480	c.c auth,-confirmation #1307654780,pdf.exe
Token: SeDebugPrivilege	1908	RegAsm.exe
Token: SeDebugPrivilege	1828	c.c auth,-confirmation #1307654780,pdf.exe
Token: SeDebugPrivilege	544	RegAsm.exe
Token: SeDebugPrivilege	1140	c.c auth,-confirmation #1307654780,pdf.exe
Token: SeDebugPrivilege	1608	RegAsm.exe
Token: SeDebugPrivilege	2036	c.c auth,-confirmation #1307654780,pdf.exe
Token: SeDebugPrivilege	1076	RegAsm.exe
Token: SeDebugPrivilege	1164	c.c auth,-confirmation #1307654780,pdf.exe
Token: SeDebugPrivilege	1368	RegAsm.exe
Token: SeDebugPrivilege	1792	c.c auth,-confirmation #1307654780,pdf.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

c.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exe

description	pid	process	target process
PID 1148 wrote to memory of 1172	1148	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe
PID 1148 wrote to memory of 1172	1148	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe
PID 1148 wrote to memory of 1172	1148	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe
PID 1148 wrote to memory of 1172	1148	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe
PID 1148 wrote to memory of 1172	1148	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe
PID 1148 wrote to memory of 1172	1148	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe
PID 1148 wrote to memory of 1172	1148	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe
PID 1148 wrote to memory of 952	1148	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe
PID 1148 wrote to memory of 952	1148	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe
PID 1148 wrote to memory of 952	1148	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe
PID 1148 wrote to memory of 952	1148	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe
PID 1148 wrote to memory of 952	1148	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe
PID 1148 wrote to memory of 952	1148	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe
PID 1148 wrote to memory of 952	1148	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe
PID 1148 wrote to memory of 1936	1148	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe
PID 1148 wrote to memory of 1936	1148	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe
PID 1148 wrote to memory of 1936	1148	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe
PID 1148 wrote to memory of 1936	1148	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe
PID 1148 wrote to memory of 1936	1148	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe
PID 1148 wrote to memory of 1936	1148	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe
PID 1148 wrote to memory of 1936	1148	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe
PID 1148 wrote to memory of 1988	1148	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe
PID 1148 wrote to memory of 1988	1148	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe
PID 1148 wrote to memory of 1988	1148	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe
PID 1148 wrote to memory of 1988	1148	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe
PID 1148 wrote to memory of 1988	1148	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe
PID 1148 wrote to memory of 1988	1148	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe
PID 1148 wrote to memory of 1988	1148	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe
PID 1148 wrote to memory of 1992	1148	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe
PID 1148 wrote to memory of 1992	1148	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe
PID 1148 wrote to memory of 1992	1148	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe
PID 1148 wrote to memory of 1992	1148	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe
PID 1148 wrote to memory of 1992	1148	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe
PID 1148 wrote to memory of 1992	1148	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe
PID 1148 wrote to memory of 1992	1148	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe
PID 1148 wrote to memory of 1992	1148	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe
PID 1148 wrote to memory of 1384	1148	c.c auth,-confirmation #1307654780,pdf.exe	c.c auth,-confirmation #1307654780,pdf.exe
PID 1148 wrote to memory of 1384	1148	c.c auth,-confirmation #1307654780,pdf.exe	c.c auth,-confirmation #1307654780,pdf.exe
PID 1148 wrote to memory of 1384	1148	c.c auth,-confirmation #1307654780,pdf.exe	c.c auth,-confirmation #1307654780,pdf.exe
PID 1148 wrote to memory of 1384	1148	c.c auth,-confirmation #1307654780,pdf.exe	c.c auth,-confirmation #1307654780,pdf.exe
PID 1384 wrote to memory of 1056	1384	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe
PID 1384 wrote to memory of 1056	1384	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe
PID 1384 wrote to memory of 1056	1384	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe
PID 1384 wrote to memory of 1056	1384	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe
PID 1384 wrote to memory of 1056	1384	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe
PID 1384 wrote to memory of 1056	1384	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe
PID 1384 wrote to memory of 1056	1384	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe
PID 1384 wrote to memory of 1204	1384	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe
PID 1384 wrote to memory of 1204	1384	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe
PID 1384 wrote to memory of 1204	1384	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe
PID 1384 wrote to memory of 1204	1384	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe
PID 1384 wrote to memory of 1204	1384	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe
PID 1384 wrote to memory of 1204	1384	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe
PID 1384 wrote to memory of 1204	1384	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe
PID 1384 wrote to memory of 1204	1384	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe
PID 1384 wrote to memory of 1916	1384	c.c auth,-confirmation #1307654780,pdf.exe	c.c auth,-confirmation #1307654780,pdf.exe
PID 1384 wrote to memory of 1916	1384	c.c auth,-confirmation #1307654780,pdf.exe	c.c auth,-confirmation #1307654780,pdf.exe
PID 1384 wrote to memory of 1916	1384	c.c auth,-confirmation #1307654780,pdf.exe	c.c auth,-confirmation #1307654780,pdf.exe
PID 1384 wrote to memory of 1916	1384	c.c auth,-confirmation #1307654780,pdf.exe	c.c auth,-confirmation #1307654780,pdf.exe
PID 1916 wrote to memory of 1656	1916	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe
PID 1916 wrote to memory of 1656	1916	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe
PID 1916 wrote to memory of 1656	1916	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe
PID 1916 wrote to memory of 1656	1916	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe
PID 1916 wrote to memory of 1656	1916	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1148

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
PID:1172

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
PID:952

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
PID:1936

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
PID:1988

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1992

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
2⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1384

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:1056

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1204

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1916

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1656

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
4⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1244

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:896

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
5⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:932

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:1612

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
6⤵
PID:1580

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
6⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1988

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
7⤵
PID:1940

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
7⤵
PID:1984

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
7⤵
PID:2004

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
7⤵
PID:1948

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
7⤵
- Suspicious use of AdjustPrivilegeToken
PID:1692

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
7⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1160

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
8⤵
- Suspicious use of AdjustPrivilegeToken
PID:2036

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
8⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1540

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
9⤵
PID:1604

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
9⤵
- Suspicious use of AdjustPrivilegeToken
PID:1672

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
9⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:896

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
10⤵
- Suspicious use of AdjustPrivilegeToken
PID:1580

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
10⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1936

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
11⤵
PID:1940

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
11⤵
- Suspicious use of AdjustPrivilegeToken
PID:1984

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
11⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2008

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
12⤵
PID:1400

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
12⤵
PID:1596

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
12⤵
- Suspicious use of AdjustPrivilegeToken
PID:268

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
12⤵
PID:868

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
12⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:360

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
13⤵
PID:1752

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
13⤵
- Suspicious use of AdjustPrivilegeToken
PID:1748

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
13⤵
PID:1080

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
13⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1744

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
14⤵
- Suspicious use of AdjustPrivilegeToken
PID:1656

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
14⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:468

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
15⤵
- Suspicious use of AdjustPrivilegeToken
PID:1688

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
15⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1728

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
16⤵
- Suspicious use of AdjustPrivilegeToken
PID:868

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
16⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1184

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
17⤵
PID:760

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
17⤵
- Suspicious use of AdjustPrivilegeToken
PID:364

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
17⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1652

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
18⤵
PID:1076

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
18⤵
- Suspicious use of AdjustPrivilegeToken
PID:1608

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
18⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1472

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
19⤵
PID:1452

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
19⤵
- Suspicious use of AdjustPrivilegeToken
PID:1992

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
19⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1904

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
20⤵
- Suspicious use of AdjustPrivilegeToken
PID:956

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
20⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1940

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
21⤵
- Suspicious use of AdjustPrivilegeToken
PID:1164

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
21⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:580

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
22⤵
- Suspicious use of AdjustPrivilegeToken
PID:1972

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
22⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1984

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
23⤵
- Suspicious use of AdjustPrivilegeToken
PID:1700

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
23⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:760

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
24⤵
PID:844

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
24⤵
PID:696

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
24⤵
- Suspicious use of AdjustPrivilegeToken
PID:1316

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
24⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1220

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
25⤵
- Suspicious use of AdjustPrivilegeToken
PID:1932

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
25⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1400

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
26⤵
- Suspicious use of AdjustPrivilegeToken
PID:1020

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
26⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1212

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
27⤵
PID:1824

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
27⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:696

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
28⤵
PID:868

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
28⤵
- Suspicious use of AdjustPrivilegeToken
PID:1604

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
28⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1480

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
29⤵
- Suspicious use of AdjustPrivilegeToken
PID:1908

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
29⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1828

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
30⤵
PID:672

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
30⤵
PID:908

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
30⤵
- Suspicious use of AdjustPrivilegeToken
PID:544

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
30⤵
PID:1880

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
30⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1140

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
31⤵
PID:1824

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
31⤵
- Suspicious use of AdjustPrivilegeToken
PID:1608

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
31⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2036

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
32⤵
PID:1604

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
32⤵
- Suspicious use of AdjustPrivilegeToken
PID:1076

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
32⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1164

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
33⤵
PID:952

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
33⤵
PID:296

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
33⤵
- Suspicious use of AdjustPrivilegeToken
PID:1368

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
33⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1792

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
34⤵
PID:544

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
34⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:1968

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
35⤵
PID:1504

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
35⤵
PID:1608

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
35⤵
PID:688

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
35⤵
- Suspicious use of SetThreadContext
PID:1348

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
36⤵
PID:992

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
36⤵
PID:1824

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
37⤵
PID:1108

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
37⤵
- Suspicious use of SetThreadContext
PID:2032

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
38⤵
PID:868

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
38⤵
PID:2016

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
38⤵
- Suspicious use of SetThreadContext
PID:848

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
39⤵
PID:1172

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
39⤵
PID:1648

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
39⤵
PID:688

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
39⤵
- Suspicious use of SetThreadContext
PID:672

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
40⤵
PID:2000

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
40⤵
- Suspicious use of SetThreadContext
PID:1056

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
41⤵
PID:536

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
41⤵
- Suspicious use of SetThreadContext
PID:544

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
42⤵
PID:1020

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
42⤵
PID:2020

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
42⤵
- Suspicious use of SetThreadContext
PID:1972

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
43⤵
PID:988

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
43⤵
- Suspicious use of SetThreadContext
PID:1596

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
44⤵
PID:1452

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
44⤵
- Suspicious use of SetThreadContext
PID:1948

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
45⤵
PID:1928

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
45⤵
PID:1712

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
45⤵
PID:1020

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
45⤵
- Suspicious use of SetThreadContext
PID:1812

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
46⤵
PID:1884

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
46⤵
- Suspicious use of SetThreadContext
PID:1076

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
47⤵
PID:1736

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
47⤵
PID:1956

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
47⤵
- Suspicious use of SetThreadContext
PID:844

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
48⤵
PID:868

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
48⤵
- Suspicious use of SetThreadContext
PID:1504

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
49⤵
PID:1120

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
49⤵
- Suspicious use of SetThreadContext
PID:1080

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
50⤵
PID:1876

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
50⤵
PID:1884

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
50⤵
PID:1500

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
50⤵
- Suspicious use of SetThreadContext
PID:2012

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
51⤵
PID:1292

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
51⤵
- Suspicious use of SetThreadContext
PID:868

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
52⤵
PID:1608

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
52⤵
- Suspicious use of SetThreadContext
PID:956

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
53⤵
PID:1224

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
53⤵
PID:1432

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
53⤵
PID:1360

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
53⤵
PID:1992

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
53⤵
- Suspicious use of SetThreadContext
PID:1976

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
54⤵
PID:992

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
54⤵
PID:1108

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
54⤵
- Suspicious use of SetThreadContext
PID:2000

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
55⤵
PID:1524

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
55⤵
PID:1960

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
55⤵
PID:1932

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
55⤵
PID:2020

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
55⤵
PID:1516

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
55⤵
PID:1700

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
55⤵
- Suspicious use of SetThreadContext
PID:300

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
56⤵
PID:1468

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
56⤵
PID:1888

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
56⤵
PID:952

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
56⤵
- Suspicious use of SetThreadContext
PID:1740

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
57⤵
PID:1544

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
57⤵
- Suspicious use of SetThreadContext
PID:1516

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
58⤵
PID:1604

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
58⤵
- Suspicious use of SetThreadContext
PID:1468

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
59⤵
PID:1600

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
59⤵
PID:1748

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
59⤵
- Suspicious use of SetThreadContext
PID:1932

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
60⤵
PID:1876

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
60⤵
PID:1500

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
60⤵
- Suspicious use of SetThreadContext
PID:688

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
61⤵
PID:2020

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
61⤵
PID:992

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
61⤵
- Suspicious use of SetThreadContext
PID:1256

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
62⤵
PID:1588

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
62⤵
- Suspicious use of SetThreadContext
PID:1900

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
63⤵
PID:1396

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
63⤵
PID:1028

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
63⤵
- Suspicious use of SetThreadContext
PID:2020

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
64⤵
PID:1732

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
64⤵
PID:1172

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
64⤵
- Suspicious use of SetThreadContext
PID:1288

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
65⤵
PID:1736

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
65⤵
- Suspicious use of SetThreadContext
PID:1360

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
66⤵
PID:976

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
66⤵
PID:692

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
66⤵
PID:1876

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
67⤵
PID:1292

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
67⤵
PID:1992

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
67⤵
PID:364

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
68⤵
PID:2016

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
68⤵
PID:840

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
68⤵
PID:1820

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
69⤵
PID:296

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
69⤵
PID:1700

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
70⤵
PID:1600

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
70⤵
PID:1020

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
70⤵
PID:1604

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
71⤵
PID:1672

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
71⤵
PID:1576

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
72⤵
PID:1120

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
72⤵
PID:2016

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
73⤵
PID:1324

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
73⤵
PID:1804

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
74⤵
PID:1224

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
74⤵
PID:1884

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
75⤵
PID:1608

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
75⤵
PID:1460

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
76⤵
PID:1888

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
76⤵
PID:1688

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
76⤵
PID:1544

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
77⤵
PID:1960

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
77⤵
PID:1908

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
78⤵
PID:1416

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
78⤵
PID:1944

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
79⤵
PID:1172

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
79⤵
PID:1600

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
79⤵
PID:1588

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
79⤵
PID:1964

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
79⤵
PID:952

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
80⤵
PID:1692

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
80⤵
PID:1100

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
80⤵
PID:1120

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
80⤵
PID:2004

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
80⤵
PID:1500

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
80⤵
PID:1600

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
81⤵
PID:1612

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
81⤵
PID:1416

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
82⤵
PID:2004

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
82⤵
PID:1736

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
83⤵
PID:1476

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
83⤵
PID:1648

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
84⤵
PID:1752

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
84⤵
PID:1108

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
85⤵
PID:1640

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
85⤵
PID:976

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
85⤵
PID:972

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
86⤵
PID:1732

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
86⤵
PID:1292

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
86⤵
PID:1100

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
87⤵
PID:1960

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
87⤵
PID:752

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
88⤵
PID:296

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
88⤵
PID:764

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
88⤵
PID:1060

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
88⤵
PID:1020

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
88⤵
PID:900

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
89⤵
PID:1500

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
89⤵
PID:1316

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
89⤵
PID:1692

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
90⤵
PID:1172

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
90⤵
PID:576

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
90⤵
PID:1476

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
91⤵
PID:1672

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
91⤵
PID:432

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
92⤵
PID:1060

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
92⤵
PID:1556

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
93⤵
PID:1688

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
93⤵
PID:1432

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
93⤵
PID:1172

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
94⤵
PID:1452

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
94⤵
PID:1888

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
95⤵
PID:296

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
95⤵
PID:1120

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
95⤵
PID:1616

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
95⤵
PID:1996

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
96⤵
PID:1060

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
96⤵
PID:1588

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
96⤵
PID:2004

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
97⤵
PID:1612

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
97⤵
PID:1292

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
98⤵
PID:1224

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
98⤵
PID:988

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
98⤵
PID:764

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
99⤵
PID:1060

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
99⤵
PID:992

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
100⤵
PID:1028

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
100⤵
PID:1616

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
100⤵
PID:1224

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
101⤵
PID:1608

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
101⤵
PID:1732

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
101⤵
PID:2076

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
101⤵
PID:2068

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
101⤵
PID:2060

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
101⤵
PID:2052

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
101⤵
PID:1060

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
101⤵
PID:2152

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
102⤵
PID:2180

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
102⤵
PID:2188

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
102⤵
PID:2260

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
103⤵
PID:2292

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
103⤵
PID:2300

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
103⤵
PID:2308

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
103⤵
PID:2316

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
103⤵
PID:2324

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
103⤵
PID:2332

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
103⤵
PID:2408

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
104⤵
PID:2444

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
104⤵
PID:2436

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
104⤵
PID:2452

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
104⤵
PID:2460

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
104⤵
PID:2468

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
104⤵
PID:2544

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
105⤵
PID:2572

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
105⤵
PID:2580

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
105⤵
PID:2660

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
106⤵
PID:2688

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
106⤵
PID:2772

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
107⤵
PID:2800

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
107⤵
PID:2880

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
108⤵
PID:2908

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
108⤵
PID:2916

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
108⤵
PID:2976

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
109⤵
PID:3020

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
109⤵
PID:1548

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
110⤵
PID:632

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
110⤵
PID:1020

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
110⤵
PID:1956

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
110⤵
PID:1452

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
110⤵
PID:1432

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
110⤵
PID:576

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
111⤵
PID:2196

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
111⤵
PID:1612

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
112⤵
PID:2356

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
112⤵
PID:2204

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
112⤵
PID:2320

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
113⤵
PID:2168

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
113⤵
PID:2256

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
113⤵
PID:2392

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
113⤵
PID:2448

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
114⤵
PID:2272

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
114⤵
PID:2280

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
114⤵
PID:2400

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
114⤵
PID:2684

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
115⤵
PID:2428

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
115⤵
PID:2540

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
115⤵
PID:2796

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
116⤵
PID:2752

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
116⤵
PID:2824

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
116⤵
PID:2700

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
116⤵
PID:2764

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
117⤵
PID:2816

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
117⤵
PID:2828

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
117⤵
PID:2872

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
118⤵
PID:2932

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
118⤵
PID:1120

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
119⤵
PID:3048

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
119⤵
PID:2992

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
120⤵
PID:2060

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
120⤵
PID:840

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
121⤵
PID:2184

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
121⤵
PID:2356

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
122⤵
PID:268

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
122⤵
PID:2292

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
122⤵
PID:2188

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
122⤵
PID:2220

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
122⤵
PID:2232

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
122⤵
PID:2244

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
122⤵
PID:2384

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
122⤵
PID:2296

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
122⤵
PID:2376

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
122⤵
PID:2492

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
123⤵
PID:2380

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
123⤵
PID:2436

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
124⤵
PID:2484

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
124⤵
PID:2500

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
124⤵
PID:2612

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
125⤵
PID:2608

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
125⤵
PID:2740

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
125⤵
PID:2420

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
126⤵
PID:2704

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
126⤵
PID:2744

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
126⤵
PID:2920

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
127⤵
PID:2800

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
127⤵
PID:2916

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
128⤵
PID:2100

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
128⤵
PID:1028

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
128⤵
PID:3052

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
129⤵
PID:3048

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
129⤵
PID:1608

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
130⤵
PID:988

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
130⤵
PID:2080

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
130⤵
PID:2252

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
131⤵
PID:268

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
131⤵
PID:2068

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
132⤵
PID:2172

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
132⤵
PID:2480

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
133⤵
PID:2644

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
133⤵
PID:2440

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
134⤵
PID:2400

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
134⤵
PID:2628

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
134⤵
PID:2604

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
135⤵
PID:2672

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
135⤵
PID:2808

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
135⤵
PID:2824

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
135⤵
PID:2652

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
136⤵
PID:2788

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
136⤵
PID:2548

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
136⤵
PID:2940

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
136⤵
PID:2648

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
136⤵
PID:2776

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
137⤵
PID:2072

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HJdyTuap.exe
Filesize
392KB

MD5
cb500bcc5957555b376b14fc847d9eb5

SHA1
cf25e726d40670c32dbd0541110b8e17761afc23

SHA256
3f87b9fe3f83f77f80d6bad1f56f06dce20683032cda510f84ea6d32f746b120

SHA512
c968f3a73b2faa564f439a7a04f1c6bbe8c285e1301a25cf242bd1cf5edebdd7c9c361ace612ce8011a0aa546598caf812784d3d5722557e6eb4787bb74bb389

Download Submit
memory/268-101-0x000000000044C7FE-mapping.dmp

Download
memory/360-103-0x0000000000000000-mapping.dmp

Download
memory/364-121-0x000000000044C7FE-mapping.dmp

Download
memory/468-111-0x0000000000000000-mapping.dmp

Download
memory/544-172-0x000000000044C7FE-mapping.dmp

Download
memory/580-139-0x0000000000000000-mapping.dmp

Download
memory/696-162-0x0000000000000000-mapping.dmp

Download
memory/760-147-0x0000000000000000-mapping.dmp

Download
memory/868-117-0x000000000044C7FE-mapping.dmp

Download
memory/896-73-0x000000000044C7FE-mapping.dmp

Download
memory/896-91-0x0000000000000000-mapping.dmp

Download
memory/932-75-0x0000000000000000-mapping.dmp

Download
memory/956-133-0x000000000044C7FE-mapping.dmp

Download
memory/1020-157-0x000000000044C7FE-mapping.dmp

Download
memory/1076-180-0x000000000044C7FE-mapping.dmp

Download
memory/1140-174-0x0000000000000000-mapping.dmp

Download
memory/1148-54-0x00000000000D0000-0x0000000000138000-memory.dmp

Filesize
416KB

Download
memory/1148-63-0x0000000000410000-0x0000000000413000-memory.dmp

Filesize
12KB

Download
memory/1148-57-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/1148-55-0x0000000001E10000-0x0000000001E6A000-memory.dmp

Filesize
360KB

Download
memory/1148-56-0x00000000763E1000-0x00000000763E3000-memory.dmp

Filesize
8KB

Download
memory/1160-83-0x0000000000000000-mapping.dmp

Download
memory/1164-137-0x000000000044C7FE-mapping.dmp

Download
memory/1164-182-0x0000000000000000-mapping.dmp

Download
memory/1184-119-0x0000000000000000-mapping.dmp

Download
memory/1204-64-0x000000000044C7FE-mapping.dmp

Download
memory/1212-159-0x0000000000000000-mapping.dmp

Download
memory/1220-151-0x0000000000000000-mapping.dmp

Download
memory/1244-71-0x0000000000000000-mapping.dmp

Download
memory/1316-149-0x000000000044C7FE-mapping.dmp

Download
memory/1368-184-0x000000000044C7FE-mapping.dmp

Download
memory/1384-61-0x0000000000000000-mapping.dmp

Download
memory/1400-155-0x0000000000000000-mapping.dmp

Download
memory/1472-127-0x0000000000000000-mapping.dmp

Download
memory/1480-166-0x0000000000000000-mapping.dmp

Download
memory/1540-87-0x0000000000000000-mapping.dmp

Download
memory/1580-93-0x000000000044C7FE-mapping.dmp

Download
memory/1604-164-0x000000000044C7FE-mapping.dmp

Download
memory/1608-125-0x000000000044C7FE-mapping.dmp

Download
memory/1608-176-0x000000000044C7FE-mapping.dmp

Download
memory/1612-77-0x000000000044C7FE-mapping.dmp

Download
memory/1652-123-0x0000000000000000-mapping.dmp

Download
memory/1656-109-0x000000000044C7FE-mapping.dmp

Download
memory/1656-69-0x000000000044C7FE-mapping.dmp

Download
memory/1672-89-0x000000000044C7FE-mapping.dmp

Download
memory/1688-113-0x000000000044C7FE-mapping.dmp

Download
memory/1692-81-0x000000000044C7FE-mapping.dmp

Download
memory/1700-145-0x000000000044C7FE-mapping.dmp

Download
memory/1728-115-0x0000000000000000-mapping.dmp

Download
memory/1744-107-0x0000000000000000-mapping.dmp

Download
memory/1748-105-0x000000000044C7FE-mapping.dmp

Download
memory/1792-186-0x0000000000000000-mapping.dmp

Download
memory/1824-161-0x000000000044C7FE-mapping.dmp

Download
memory/1828-170-0x0000000000000000-mapping.dmp

Download
memory/1904-131-0x0000000000000000-mapping.dmp

Download
memory/1908-168-0x000000000044C7FE-mapping.dmp

Download
memory/1916-66-0x0000000000000000-mapping.dmp

Download
memory/1932-153-0x000000000044C7FE-mapping.dmp

Download
memory/1936-95-0x0000000000000000-mapping.dmp

Download
memory/1940-135-0x0000000000000000-mapping.dmp

Download
memory/1972-141-0x000000000044C7FE-mapping.dmp

Download
memory/1984-97-0x000000000044C7FE-mapping.dmp

Download
memory/1984-143-0x0000000000000000-mapping.dmp

Download
memory/1988-79-0x0000000000000000-mapping.dmp

Download
memory/1992-129-0x000000000044C7FE-mapping.dmp

Download
memory/1992-60-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1992-58-0x000000000044C7FE-mapping.dmp

Download
memory/2008-99-0x0000000000000000-mapping.dmp

Download
memory/2036-85-0x000000000044C7FE-mapping.dmp

Download
memory/2036-178-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads