agenttesla | 2f192a32d2b45bb6104607e955ad7034859a4f18a29ecd1107b119cc9c20094d

General

Target

c.c auth,-confirmation #1307654780,pdf.exe
Size

389KB
MD5

e80514ca1a42e6f28fbd78b561883c2c
SHA1

823c8f1ff7d961eb2a910af44d130997c76c01ce
SHA256

ac59fc8043fdbad6e5c65e7c9e34aaceffe49290761f5ff6befa5825a781bc27
SHA512

7cc4c8a5ef724b8226a06662b7323cf9210637ccff800649bdea56df16e16fd8995926a9f624287c15b02b4678e173d3873ec87694d739a07c105f60da2a2a6b

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.marketinfosales.com
Port:
587
Username:
[email protected]
Password:
QAZqaz123@

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla Payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2456-133-0x0000000000400000-0x0000000000452000-memory.dmp	family_agenttesla

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

c.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exeRegAsm.exeRegAsm.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exeRegAsm.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exeRegAsm.exeRegAsm.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exeRegAsm.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exeRegAsm.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exeRegAsm.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exeRegAsm.exeRegAsm.exec.c auth,-confirmation #1307654780,pdf.exeRegAsm.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exeRegAsm.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exeRegAsm.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exeRegAsm.exeRegAsm.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exeRegAsm.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exeRegAsm.exec.c auth,-confirmation #1307654780,pdf.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	c.c auth,-confirmation #1307654780,pdf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	c.c auth,-confirmation #1307654780,pdf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	c.c auth,-confirmation #1307654780,pdf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	c.c auth,-confirmation #1307654780,pdf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	c.c auth,-confirmation #1307654780,pdf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	c.c auth,-confirmation #1307654780,pdf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	c.c auth,-confirmation #1307654780,pdf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	c.c auth,-confirmation #1307654780,pdf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	c.c auth,-confirmation #1307654780,pdf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	RegAsm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	RegAsm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	c.c auth,-confirmation #1307654780,pdf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	c.c auth,-confirmation #1307654780,pdf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	c.c auth,-confirmation #1307654780,pdf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	c.c auth,-confirmation #1307654780,pdf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	c.c auth,-confirmation #1307654780,pdf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	c.c auth,-confirmation #1307654780,pdf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	c.c auth,-confirmation #1307654780,pdf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	c.c auth,-confirmation #1307654780,pdf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	RegAsm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	c.c auth,-confirmation #1307654780,pdf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	c.c auth,-confirmation #1307654780,pdf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	c.c auth,-confirmation #1307654780,pdf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	c.c auth,-confirmation #1307654780,pdf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	RegAsm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	RegAsm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	c.c auth,-confirmation #1307654780,pdf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	c.c auth,-confirmation #1307654780,pdf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	c.c auth,-confirmation #1307654780,pdf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	c.c auth,-confirmation #1307654780,pdf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	RegAsm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	c.c auth,-confirmation #1307654780,pdf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	c.c auth,-confirmation #1307654780,pdf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	RegAsm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	c.c auth,-confirmation #1307654780,pdf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	c.c auth,-confirmation #1307654780,pdf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	RegAsm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	c.c auth,-confirmation #1307654780,pdf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	c.c auth,-confirmation #1307654780,pdf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	RegAsm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	RegAsm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	c.c auth,-confirmation #1307654780,pdf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	RegAsm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	c.c auth,-confirmation #1307654780,pdf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	c.c auth,-confirmation #1307654780,pdf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	RegAsm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	c.c auth,-confirmation #1307654780,pdf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	c.c auth,-confirmation #1307654780,pdf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	c.c auth,-confirmation #1307654780,pdf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	RegAsm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	c.c auth,-confirmation #1307654780,pdf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	c.c auth,-confirmation #1307654780,pdf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	RegAsm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	RegAsm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	c.c auth,-confirmation #1307654780,pdf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	c.c auth,-confirmation #1307654780,pdf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	c.c auth,-confirmation #1307654780,pdf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	c.c auth,-confirmation #1307654780,pdf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	RegAsm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	c.c auth,-confirmation #1307654780,pdf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	c.c auth,-confirmation #1307654780,pdf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	c.c auth,-confirmation #1307654780,pdf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	RegAsm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	c.c auth,-confirmation #1307654780,pdf.exe

Drops startup file 2 IoCs

Processes:

c.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HJdyTuap.exe	c.c auth,-confirmation #1307654780,pdf.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HJdyTuap.exe	c.c auth,-confirmation #1307654780,pdf.exe

Suspicious use of SetThreadContext 64 IoCs

Processes:

c.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exeRegAsm.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exeRegAsm.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exeRegAsm.exe

description	pid	process	target process
PID 2360 set thread context of 2456	2360	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe
PID 3172 set thread context of 4136	3172	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe
PID 3960 set thread context of 4872	3960	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe
PID 3832 set thread context of 4996	3832	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe
PID 1384 set thread context of 3444	1384	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe
PID 4064 set thread context of 4052	4064	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe
PID 4180 set thread context of 320	4180	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe
PID 1780 set thread context of 1872	1780	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe
PID 3408 set thread context of 4756	3408	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe
PID 960 set thread context of 2032	960	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe
PID 964 set thread context of 2396	964	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe
PID 4732 set thread context of 3012	4732	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe
PID 1480 set thread context of 1460	1480	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe
PID 1756 set thread context of 3212	1756	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe
PID 1760 set thread context of 3704	1760	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe
PID 3736 set thread context of 3952	3736	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe
PID 2136 set thread context of 4200	2136	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe
PID 5004 set thread context of 2732	5004	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe
PID 4632 set thread context of 4860	4632	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe
PID 1996 set thread context of 4052	1996	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe
PID 4140 set thread context of 2484	4140	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe
PID 3480 set thread context of 4344	3480	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe
PID 1700 set thread context of 4736	1700	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe
PID 4164 set thread context of 3044	4164	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe
PID 4248 set thread context of 3120	4248	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe
PID 1092 set thread context of 3580	1092	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe
PID 3032 set thread context of 4688	3032	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe
PID 456 set thread context of 624	456	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe
PID 4276 set thread context of 2856	4276	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe
PID 2500 set thread context of 4684	2500	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe
PID 3816 set thread context of 2468	3816	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe
PID 3592 set thread context of 3352	3592	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe
PID 4740 set thread context of 4660	4740	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe
PID 4876 set thread context of 4916	4876	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe
PID 2888 set thread context of 3832	2888	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe
PID 2572 set thread context of 2180	2572	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe
PID 1932 set thread context of 4176	1932	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe
PID 204 set thread context of 216	204	c.c auth,-confirmation #1307654780,pdf.exe	c.c auth,-confirmation #1307654780,pdf.exe
PID 4444 set thread context of 1948	4444	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe
PID 4760 set thread context of 3424	4760	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe
PID 4984 set thread context of 2064	4984	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe
PID 1312 set thread context of 4544	1312	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe
PID 2836 set thread context of 4248	2836	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe
PID 3984 set thread context of 784	3984	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe
PID 4692 set thread context of 4956	4692	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe
PID 2164 set thread context of 1392	2164	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe
PID 2228 set thread context of 3496	2228	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe
PID 1216 set thread context of 2336	1216	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe
PID 2468 set thread context of 3184	2468	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe
PID 3352 set thread context of 2844	3352	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe
PID 1200 set thread context of 4788	1200	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe
PID 3948 set thread context of 1192	3948	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe
PID 1688 set thread context of 3844	1688	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe
PID 4776 set thread context of 1928	4776	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe
PID 216 set thread context of 4388	216	RegAsm.exe	RegAsm.exe
PID 652 set thread context of 1952	652	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe
PID 3052 set thread context of 5096	3052	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe
PID 2772 set thread context of 3564	2772	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe
PID 3476 set thread context of 5084	3476	RegAsm.exe	RegAsm.exe
PID 964 set thread context of 4688	964	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe
PID 3664 set thread context of 4956	3664	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe
PID 948 set thread context of 4600	948	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe
PID 1632 set thread context of 5000	1632	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe
PID 3376 set thread context of 2456	3376	RegAsm.exe	RegAsm.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

c.c auth,-confirmation #1307654780,pdf.exe

pid	process
2360	c.c auth,-confirmation #1307654780,pdf.exe
2360	c.c auth,-confirmation #1307654780,pdf.exe
2360	c.c auth,-confirmation #1307654780,pdf.exe
2360	c.c auth,-confirmation #1307654780,pdf.exe
2360	c.c auth,-confirmation #1307654780,pdf.exe
2360	c.c auth,-confirmation #1307654780,pdf.exe
2360	c.c auth,-confirmation #1307654780,pdf.exe
2360	c.c auth,-confirmation #1307654780,pdf.exe
2360	c.c auth,-confirmation #1307654780,pdf.exe
2360	c.c auth,-confirmation #1307654780,pdf.exe
2360	c.c auth,-confirmation #1307654780,pdf.exe
2360	c.c auth,-confirmation #1307654780,pdf.exe
2360	c.c auth,-confirmation #1307654780,pdf.exe
2360	c.c auth,-confirmation #1307654780,pdf.exe
2360	c.c auth,-confirmation #1307654780,pdf.exe
2360	c.c auth,-confirmation #1307654780,pdf.exe
2360	c.c auth,-confirmation #1307654780,pdf.exe
2360	c.c auth,-confirmation #1307654780,pdf.exe
2360	c.c auth,-confirmation #1307654780,pdf.exe
2360	c.c auth,-confirmation #1307654780,pdf.exe
2360	c.c auth,-confirmation #1307654780,pdf.exe
2360	c.c auth,-confirmation #1307654780,pdf.exe
2360	c.c auth,-confirmation #1307654780,pdf.exe
2360	c.c auth,-confirmation #1307654780,pdf.exe
2360	c.c auth,-confirmation #1307654780,pdf.exe
2360	c.c auth,-confirmation #1307654780,pdf.exe
2360	c.c auth,-confirmation #1307654780,pdf.exe
2360	c.c auth,-confirmation #1307654780,pdf.exe
2360	c.c auth,-confirmation #1307654780,pdf.exe
2360	c.c auth,-confirmation #1307654780,pdf.exe
2360	c.c auth,-confirmation #1307654780,pdf.exe
2360	c.c auth,-confirmation #1307654780,pdf.exe
2360	c.c auth,-confirmation #1307654780,pdf.exe
2360	c.c auth,-confirmation #1307654780,pdf.exe
2360	c.c auth,-confirmation #1307654780,pdf.exe
2360	c.c auth,-confirmation #1307654780,pdf.exe
2360	c.c auth,-confirmation #1307654780,pdf.exe
2360	c.c auth,-confirmation #1307654780,pdf.exe
2360	c.c auth,-confirmation #1307654780,pdf.exe
2360	c.c auth,-confirmation #1307654780,pdf.exe
2360	c.c auth,-confirmation #1307654780,pdf.exe
2360	c.c auth,-confirmation #1307654780,pdf.exe
2360	c.c auth,-confirmation #1307654780,pdf.exe
2360	c.c auth,-confirmation #1307654780,pdf.exe
2360	c.c auth,-confirmation #1307654780,pdf.exe
2360	c.c auth,-confirmation #1307654780,pdf.exe
2360	c.c auth,-confirmation #1307654780,pdf.exe
2360	c.c auth,-confirmation #1307654780,pdf.exe
2360	c.c auth,-confirmation #1307654780,pdf.exe
2360	c.c auth,-confirmation #1307654780,pdf.exe
2360	c.c auth,-confirmation #1307654780,pdf.exe
2360	c.c auth,-confirmation #1307654780,pdf.exe
2360	c.c auth,-confirmation #1307654780,pdf.exe
2360	c.c auth,-confirmation #1307654780,pdf.exe
2360	c.c auth,-confirmation #1307654780,pdf.exe
2360	c.c auth,-confirmation #1307654780,pdf.exe
2360	c.c auth,-confirmation #1307654780,pdf.exe
2360	c.c auth,-confirmation #1307654780,pdf.exe
2360	c.c auth,-confirmation #1307654780,pdf.exe
2360	c.c auth,-confirmation #1307654780,pdf.exe
2360	c.c auth,-confirmation #1307654780,pdf.exe
2360	c.c auth,-confirmation #1307654780,pdf.exe
2360	c.c auth,-confirmation #1307654780,pdf.exe
2360	c.c auth,-confirmation #1307654780,pdf.exe

Suspicious behavior: MapViewOfSection 64 IoCs

Processes:

c.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exe

pid	process
2360	c.c auth,-confirmation #1307654780,pdf.exe
3172	c.c auth,-confirmation #1307654780,pdf.exe
3960	c.c auth,-confirmation #1307654780,pdf.exe
3832	c.c auth,-confirmation #1307654780,pdf.exe
1384	c.c auth,-confirmation #1307654780,pdf.exe
4064	c.c auth,-confirmation #1307654780,pdf.exe
4180	c.c auth,-confirmation #1307654780,pdf.exe
1780	c.c auth,-confirmation #1307654780,pdf.exe
1780	c.c auth,-confirmation #1307654780,pdf.exe
3408	c.c auth,-confirmation #1307654780,pdf.exe
3408	c.c auth,-confirmation #1307654780,pdf.exe
960	c.c auth,-confirmation #1307654780,pdf.exe
964	c.c auth,-confirmation #1307654780,pdf.exe
964	c.c auth,-confirmation #1307654780,pdf.exe
4732	c.c auth,-confirmation #1307654780,pdf.exe
1480	c.c auth,-confirmation #1307654780,pdf.exe
1756	c.c auth,-confirmation #1307654780,pdf.exe
1760	c.c auth,-confirmation #1307654780,pdf.exe
3736	c.c auth,-confirmation #1307654780,pdf.exe
2136	c.c auth,-confirmation #1307654780,pdf.exe
5004	c.c auth,-confirmation #1307654780,pdf.exe
4632	c.c auth,-confirmation #1307654780,pdf.exe
1996	c.c auth,-confirmation #1307654780,pdf.exe
1996	c.c auth,-confirmation #1307654780,pdf.exe
4140	c.c auth,-confirmation #1307654780,pdf.exe
4140	c.c auth,-confirmation #1307654780,pdf.exe
4140	c.c auth,-confirmation #1307654780,pdf.exe
3480	c.c auth,-confirmation #1307654780,pdf.exe
1700	c.c auth,-confirmation #1307654780,pdf.exe
4164	c.c auth,-confirmation #1307654780,pdf.exe
4248	c.c auth,-confirmation #1307654780,pdf.exe
1092	c.c auth,-confirmation #1307654780,pdf.exe
3032	c.c auth,-confirmation #1307654780,pdf.exe
456	c.c auth,-confirmation #1307654780,pdf.exe
4276	c.c auth,-confirmation #1307654780,pdf.exe
4276	c.c auth,-confirmation #1307654780,pdf.exe
2500	c.c auth,-confirmation #1307654780,pdf.exe
3816	c.c auth,-confirmation #1307654780,pdf.exe
3592	c.c auth,-confirmation #1307654780,pdf.exe
4740	c.c auth,-confirmation #1307654780,pdf.exe
4876	c.c auth,-confirmation #1307654780,pdf.exe
2888	c.c auth,-confirmation #1307654780,pdf.exe
2572	c.c auth,-confirmation #1307654780,pdf.exe
1932	c.c auth,-confirmation #1307654780,pdf.exe
204	c.c auth,-confirmation #1307654780,pdf.exe
4444	c.c auth,-confirmation #1307654780,pdf.exe
4760	c.c auth,-confirmation #1307654780,pdf.exe
4984	c.c auth,-confirmation #1307654780,pdf.exe
1312	c.c auth,-confirmation #1307654780,pdf.exe
1312	c.c auth,-confirmation #1307654780,pdf.exe
2836	c.c auth,-confirmation #1307654780,pdf.exe
3984	c.c auth,-confirmation #1307654780,pdf.exe
3984	c.c auth,-confirmation #1307654780,pdf.exe
3984	c.c auth,-confirmation #1307654780,pdf.exe
4692	c.c auth,-confirmation #1307654780,pdf.exe
2164	c.c auth,-confirmation #1307654780,pdf.exe
2228	c.c auth,-confirmation #1307654780,pdf.exe
1216	c.c auth,-confirmation #1307654780,pdf.exe
2468	c.c auth,-confirmation #1307654780,pdf.exe
3352	c.c auth,-confirmation #1307654780,pdf.exe
3352	c.c auth,-confirmation #1307654780,pdf.exe
1200	c.c auth,-confirmation #1307654780,pdf.exe
3948	c.c auth,-confirmation #1307654780,pdf.exe
1688	c.c auth,-confirmation #1307654780,pdf.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

c.c auth,-confirmation #1307654780,pdf.exeRegAsm.exec.c auth,-confirmation #1307654780,pdf.exeRegAsm.exec.c auth,-confirmation #1307654780,pdf.exeRegAsm.exec.c auth,-confirmation #1307654780,pdf.exeRegAsm.exec.c auth,-confirmation #1307654780,pdf.exeRegAsm.exec.c auth,-confirmation #1307654780,pdf.exeRegAsm.exec.c auth,-confirmation #1307654780,pdf.exeRegAsm.exec.c auth,-confirmation #1307654780,pdf.exeRegAsm.exec.c auth,-confirmation #1307654780,pdf.exeRegAsm.exec.c auth,-confirmation #1307654780,pdf.exeRegAsm.exec.c auth,-confirmation #1307654780,pdf.exeRegAsm.exec.c auth,-confirmation #1307654780,pdf.exeRegAsm.exec.c auth,-confirmation #1307654780,pdf.exeRegAsm.exec.c auth,-confirmation #1307654780,pdf.exeRegAsm.exeRegAsm.exec.c auth,-confirmation #1307654780,pdf.exeRegAsm.exec.c auth,-confirmation #1307654780,pdf.exeRegAsm.exec.c auth,-confirmation #1307654780,pdf.exeRegAsm.exec.c auth,-confirmation #1307654780,pdf.exeRegAsm.exec.c auth,-confirmation #1307654780,pdf.exeRegAsm.exec.c auth,-confirmation #1307654780,pdf.exeRegAsm.exec.c auth,-confirmation #1307654780,pdf.exeRegAsm.exec.c auth,-confirmation #1307654780,pdf.exeRegAsm.exec.c auth,-confirmation #1307654780,pdf.exeRegAsm.exec.c auth,-confirmation #1307654780,pdf.exeRegAsm.exec.c auth,-confirmation #1307654780,pdf.exeRegAsm.exec.c auth,-confirmation #1307654780,pdf.exeRegAsm.exec.c auth,-confirmation #1307654780,pdf.exeRegAsm.exec.c auth,-confirmation #1307654780,pdf.exeRegAsm.exec.c auth,-confirmation #1307654780,pdf.exeRegAsm.exec.c auth,-confirmation #1307654780,pdf.exeRegAsm.exec.c auth,-confirmation #1307654780,pdf.exeRegAsm.exec.c auth,-confirmation #1307654780,pdf.exe

description	pid	process
Token: SeDebugPrivilege	2360	c.c auth,-confirmation #1307654780,pdf.exe
Token: SeDebugPrivilege	2456	RegAsm.exe
Token: SeDebugPrivilege	3172	c.c auth,-confirmation #1307654780,pdf.exe
Token: SeDebugPrivilege	4136	RegAsm.exe
Token: SeDebugPrivilege	3960	c.c auth,-confirmation #1307654780,pdf.exe
Token: SeDebugPrivilege	4872	RegAsm.exe
Token: SeDebugPrivilege	3832	c.c auth,-confirmation #1307654780,pdf.exe
Token: SeDebugPrivilege	4996	RegAsm.exe
Token: SeDebugPrivilege	1384	c.c auth,-confirmation #1307654780,pdf.exe
Token: SeDebugPrivilege	3444	RegAsm.exe
Token: SeDebugPrivilege	4064	c.c auth,-confirmation #1307654780,pdf.exe
Token: SeDebugPrivilege	4052	RegAsm.exe
Token: SeDebugPrivilege	4180	c.c auth,-confirmation #1307654780,pdf.exe
Token: SeDebugPrivilege	320	RegAsm.exe
Token: SeDebugPrivilege	1780	c.c auth,-confirmation #1307654780,pdf.exe
Token: SeDebugPrivilege	1872	RegAsm.exe
Token: SeDebugPrivilege	3408	c.c auth,-confirmation #1307654780,pdf.exe
Token: SeDebugPrivilege	4756	RegAsm.exe
Token: SeDebugPrivilege	960	c.c auth,-confirmation #1307654780,pdf.exe
Token: SeDebugPrivilege	2032	RegAsm.exe
Token: SeDebugPrivilege	964	c.c auth,-confirmation #1307654780,pdf.exe
Token: SeDebugPrivilege	2396	RegAsm.exe
Token: SeDebugPrivilege	4732	c.c auth,-confirmation #1307654780,pdf.exe
Token: SeDebugPrivilege	3012	RegAsm.exe
Token: SeDebugPrivilege	1480	c.c auth,-confirmation #1307654780,pdf.exe
Token: SeDebugPrivilege	1460	RegAsm.exe
Token: SeDebugPrivilege	1756	c.c auth,-confirmation #1307654780,pdf.exe
Token: SeDebugPrivilege	3212	RegAsm.exe
Token: SeDebugPrivilege	3116	RegAsm.exe
Token: SeDebugPrivilege	1760	c.c auth,-confirmation #1307654780,pdf.exe
Token: SeDebugPrivilege	3704	RegAsm.exe
Token: SeDebugPrivilege	3736	c.c auth,-confirmation #1307654780,pdf.exe
Token: SeDebugPrivilege	3952	RegAsm.exe
Token: SeDebugPrivilege	2136	c.c auth,-confirmation #1307654780,pdf.exe
Token: SeDebugPrivilege	4200	RegAsm.exe
Token: SeDebugPrivilege	5004	c.c auth,-confirmation #1307654780,pdf.exe
Token: SeDebugPrivilege	2732	RegAsm.exe
Token: SeDebugPrivilege	4632	c.c auth,-confirmation #1307654780,pdf.exe
Token: SeDebugPrivilege	4860	RegAsm.exe
Token: SeDebugPrivilege	1996	c.c auth,-confirmation #1307654780,pdf.exe
Token: SeDebugPrivilege	4052	RegAsm.exe
Token: SeDebugPrivilege	4140	c.c auth,-confirmation #1307654780,pdf.exe
Token: SeDebugPrivilege	2484	RegAsm.exe
Token: SeDebugPrivilege	3480	c.c auth,-confirmation #1307654780,pdf.exe
Token: SeDebugPrivilege	4344	RegAsm.exe
Token: SeDebugPrivilege	1700	c.c auth,-confirmation #1307654780,pdf.exe
Token: SeDebugPrivilege	4736	RegAsm.exe
Token: SeDebugPrivilege	4164	c.c auth,-confirmation #1307654780,pdf.exe
Token: SeDebugPrivilege	3044	RegAsm.exe
Token: SeDebugPrivilege	4248	c.c auth,-confirmation #1307654780,pdf.exe
Token: SeDebugPrivilege	3120	RegAsm.exe
Token: SeDebugPrivilege	1092	c.c auth,-confirmation #1307654780,pdf.exe
Token: SeDebugPrivilege	3580	RegAsm.exe
Token: SeDebugPrivilege	3032	c.c auth,-confirmation #1307654780,pdf.exe
Token: SeDebugPrivilege	4688	RegAsm.exe
Token: SeDebugPrivilege	456	c.c auth,-confirmation #1307654780,pdf.exe
Token: SeDebugPrivilege	624	RegAsm.exe
Token: SeDebugPrivilege	4276	c.c auth,-confirmation #1307654780,pdf.exe
Token: SeDebugPrivilege	2856	RegAsm.exe
Token: SeDebugPrivilege	2500	c.c auth,-confirmation #1307654780,pdf.exe
Token: SeDebugPrivilege	4684	RegAsm.exe
Token: SeDebugPrivilege	3816	c.c auth,-confirmation #1307654780,pdf.exe
Token: SeDebugPrivilege	2468	RegAsm.exe
Token: SeDebugPrivilege	3592	c.c auth,-confirmation #1307654780,pdf.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

c.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exec.c auth,-confirmation #1307654780,pdf.exe

description	pid	process	target process
PID 2360 wrote to memory of 2456	2360	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe
PID 2360 wrote to memory of 2456	2360	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe
PID 2360 wrote to memory of 2456	2360	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe
PID 2360 wrote to memory of 2456	2360	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe
PID 2360 wrote to memory of 3172	2360	c.c auth,-confirmation #1307654780,pdf.exe	c.c auth,-confirmation #1307654780,pdf.exe
PID 2360 wrote to memory of 3172	2360	c.c auth,-confirmation #1307654780,pdf.exe	c.c auth,-confirmation #1307654780,pdf.exe
PID 2360 wrote to memory of 3172	2360	c.c auth,-confirmation #1307654780,pdf.exe	c.c auth,-confirmation #1307654780,pdf.exe
PID 3172 wrote to memory of 4136	3172	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe
PID 3172 wrote to memory of 4136	3172	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe
PID 3172 wrote to memory of 4136	3172	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe
PID 3172 wrote to memory of 4136	3172	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe
PID 3172 wrote to memory of 3960	3172	c.c auth,-confirmation #1307654780,pdf.exe	c.c auth,-confirmation #1307654780,pdf.exe
PID 3172 wrote to memory of 3960	3172	c.c auth,-confirmation #1307654780,pdf.exe	c.c auth,-confirmation #1307654780,pdf.exe
PID 3172 wrote to memory of 3960	3172	c.c auth,-confirmation #1307654780,pdf.exe	c.c auth,-confirmation #1307654780,pdf.exe
PID 3960 wrote to memory of 4872	3960	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe
PID 3960 wrote to memory of 4872	3960	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe
PID 3960 wrote to memory of 4872	3960	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe
PID 3960 wrote to memory of 4872	3960	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe
PID 3960 wrote to memory of 3832	3960	c.c auth,-confirmation #1307654780,pdf.exe	c.c auth,-confirmation #1307654780,pdf.exe
PID 3960 wrote to memory of 3832	3960	c.c auth,-confirmation #1307654780,pdf.exe	c.c auth,-confirmation #1307654780,pdf.exe
PID 3960 wrote to memory of 3832	3960	c.c auth,-confirmation #1307654780,pdf.exe	c.c auth,-confirmation #1307654780,pdf.exe
PID 3832 wrote to memory of 4996	3832	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe
PID 3832 wrote to memory of 4996	3832	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe
PID 3832 wrote to memory of 4996	3832	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe
PID 3832 wrote to memory of 4996	3832	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe
PID 3832 wrote to memory of 1384	3832	c.c auth,-confirmation #1307654780,pdf.exe	c.c auth,-confirmation #1307654780,pdf.exe
PID 3832 wrote to memory of 1384	3832	c.c auth,-confirmation #1307654780,pdf.exe	c.c auth,-confirmation #1307654780,pdf.exe
PID 3832 wrote to memory of 1384	3832	c.c auth,-confirmation #1307654780,pdf.exe	c.c auth,-confirmation #1307654780,pdf.exe
PID 1384 wrote to memory of 3444	1384	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe
PID 1384 wrote to memory of 3444	1384	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe
PID 1384 wrote to memory of 3444	1384	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe
PID 1384 wrote to memory of 3444	1384	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe
PID 1384 wrote to memory of 4064	1384	c.c auth,-confirmation #1307654780,pdf.exe	c.c auth,-confirmation #1307654780,pdf.exe
PID 1384 wrote to memory of 4064	1384	c.c auth,-confirmation #1307654780,pdf.exe	c.c auth,-confirmation #1307654780,pdf.exe
PID 1384 wrote to memory of 4064	1384	c.c auth,-confirmation #1307654780,pdf.exe	c.c auth,-confirmation #1307654780,pdf.exe
PID 4064 wrote to memory of 4052	4064	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe
PID 4064 wrote to memory of 4052	4064	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe
PID 4064 wrote to memory of 4052	4064	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe
PID 4064 wrote to memory of 4052	4064	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe
PID 4064 wrote to memory of 4180	4064	c.c auth,-confirmation #1307654780,pdf.exe	c.c auth,-confirmation #1307654780,pdf.exe
PID 4064 wrote to memory of 4180	4064	c.c auth,-confirmation #1307654780,pdf.exe	c.c auth,-confirmation #1307654780,pdf.exe
PID 4064 wrote to memory of 4180	4064	c.c auth,-confirmation #1307654780,pdf.exe	c.c auth,-confirmation #1307654780,pdf.exe
PID 4180 wrote to memory of 320	4180	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe
PID 4180 wrote to memory of 320	4180	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe
PID 4180 wrote to memory of 320	4180	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe
PID 4180 wrote to memory of 320	4180	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe
PID 4180 wrote to memory of 1780	4180	c.c auth,-confirmation #1307654780,pdf.exe	c.c auth,-confirmation #1307654780,pdf.exe
PID 4180 wrote to memory of 1780	4180	c.c auth,-confirmation #1307654780,pdf.exe	c.c auth,-confirmation #1307654780,pdf.exe
PID 4180 wrote to memory of 1780	4180	c.c auth,-confirmation #1307654780,pdf.exe	c.c auth,-confirmation #1307654780,pdf.exe
PID 1780 wrote to memory of 3940	1780	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe
PID 1780 wrote to memory of 3940	1780	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe
PID 1780 wrote to memory of 3940	1780	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe
PID 1780 wrote to memory of 1872	1780	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe
PID 1780 wrote to memory of 1872	1780	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe
PID 1780 wrote to memory of 1872	1780	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe
PID 1780 wrote to memory of 1872	1780	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe
PID 1780 wrote to memory of 3408	1780	c.c auth,-confirmation #1307654780,pdf.exe	c.c auth,-confirmation #1307654780,pdf.exe
PID 1780 wrote to memory of 3408	1780	c.c auth,-confirmation #1307654780,pdf.exe	c.c auth,-confirmation #1307654780,pdf.exe
PID 1780 wrote to memory of 3408	1780	c.c auth,-confirmation #1307654780,pdf.exe	c.c auth,-confirmation #1307654780,pdf.exe
PID 3408 wrote to memory of 4344	3408	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe
PID 3408 wrote to memory of 4344	3408	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe
PID 3408 wrote to memory of 4344	3408	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe
PID 3408 wrote to memory of 4756	3408	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe
PID 3408 wrote to memory of 4756	3408	c.c auth,-confirmation #1307654780,pdf.exe	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2360

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2456

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
2⤵
- Checks computer location settings
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3172

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4136

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3960

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4872

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
4⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3832

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:4996

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
5⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1384

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:3444

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
6⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4064

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
7⤵
- Suspicious use of AdjustPrivilegeToken
PID:4052

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
7⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4180

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
8⤵
- Suspicious use of AdjustPrivilegeToken
PID:320

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
8⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1780

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
9⤵
PID:3940

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
9⤵
- Suspicious use of AdjustPrivilegeToken
PID:1872

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
9⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3408

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
10⤵
PID:4344

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
10⤵
- Suspicious use of AdjustPrivilegeToken
PID:4756

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
10⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:960

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
11⤵
- Suspicious use of AdjustPrivilegeToken
PID:2032

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
11⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:964

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
12⤵
PID:4108

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
12⤵
- Suspicious use of AdjustPrivilegeToken
PID:2396

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
12⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4732

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
13⤵
- Suspicious use of AdjustPrivilegeToken
PID:3012

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
13⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1480

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
14⤵
- Suspicious use of AdjustPrivilegeToken
PID:1460

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
14⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1756

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
15⤵
- Suspicious use of AdjustPrivilegeToken
PID:3212

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
15⤵
- Checks computer location settings
PID:4360

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
16⤵
PID:2856

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
16⤵
- Suspicious use of AdjustPrivilegeToken
PID:3116

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
16⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1760

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
17⤵
- Suspicious use of AdjustPrivilegeToken
PID:3704

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
17⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3736

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
18⤵
- Suspicious use of AdjustPrivilegeToken
PID:3952

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
18⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2136

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
19⤵
- Suspicious use of AdjustPrivilegeToken
PID:4200

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
19⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:5004

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
20⤵
- Suspicious use of AdjustPrivilegeToken
PID:2732

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
20⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4632

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
21⤵
- Suspicious use of AdjustPrivilegeToken
PID:4860

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
21⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1996

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
22⤵
- Suspicious use of AdjustPrivilegeToken
PID:4052

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
22⤵
PID:208

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
22⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4140

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
23⤵
PID:1244

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
23⤵
PID:3940

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
23⤵
- Suspicious use of AdjustPrivilegeToken
PID:2484

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
23⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3480

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
24⤵
- Suspicious use of AdjustPrivilegeToken
PID:4344

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
24⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1700

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
25⤵
- Suspicious use of AdjustPrivilegeToken
PID:4736

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
25⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4164

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
26⤵
- Suspicious use of AdjustPrivilegeToken
PID:3044

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
26⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4248

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
27⤵
- Suspicious use of AdjustPrivilegeToken
PID:3120

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
27⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1092

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
28⤵
- Suspicious use of AdjustPrivilegeToken
PID:3580

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
28⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3032

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
29⤵
- Suspicious use of AdjustPrivilegeToken
PID:4688

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
29⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:456

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
30⤵
- Suspicious use of AdjustPrivilegeToken
PID:624

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
30⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4276

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
31⤵
PID:4072

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
31⤵
- Suspicious use of AdjustPrivilegeToken
PID:2856

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
31⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2500

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
32⤵
- Suspicious use of AdjustPrivilegeToken
PID:4684

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
32⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3816

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
33⤵
- Suspicious use of AdjustPrivilegeToken
PID:2468

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
33⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3592

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
34⤵
PID:3352

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
34⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:4740

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
35⤵
PID:4660

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
35⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:4876

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
36⤵
PID:4916

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
36⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:2888

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
37⤵
PID:3832

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
37⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:2572

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
38⤵
PID:2180

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
38⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:1932

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
39⤵
PID:4176

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
39⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:204

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
40⤵
PID:216

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
40⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:4444

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
41⤵
PID:1948

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
41⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:4760

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
42⤵
PID:3424

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
42⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:4984

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
43⤵
PID:2064

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
43⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:1312

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
44⤵
PID:1656

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
44⤵
PID:4544

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
44⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:2836

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
45⤵
PID:4248

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
45⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:3984

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
46⤵
PID:5076

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
46⤵
PID:1020

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
46⤵
PID:784

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
46⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:4692

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
47⤵
PID:4956

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
47⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:2164

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
48⤵
PID:1392

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
48⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:2228

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
49⤵
PID:3496

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
49⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:1216

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
50⤵
PID:2336

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
50⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:2468

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
51⤵
PID:3184

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
51⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:3352

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
52⤵
PID:4800

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
52⤵
PID:2844

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
52⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:1200

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
53⤵
PID:4788

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
53⤵
PID:3948

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
54⤵
PID:1192

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
54⤵
PID:1688

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
55⤵
PID:3844

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
55⤵
- Suspicious use of SetThreadContext
PID:4776

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
56⤵
PID:4052

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
56⤵
PID:1928

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
56⤵
PID:216

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
57⤵
PID:4388

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
57⤵
- Suspicious use of SetThreadContext
PID:652

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
58⤵
PID:796

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
58⤵
PID:1952

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
58⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
PID:3052

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
59⤵
PID:5096

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
59⤵
- Suspicious use of SetThreadContext
PID:2772

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
60⤵
PID:3564

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
60⤵
PID:3476

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
61⤵
PID:5084

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
61⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
PID:964

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
62⤵
PID:4688

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
62⤵
- Suspicious use of SetThreadContext
PID:3664

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
63⤵
PID:2252

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
63⤵
PID:4956

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
63⤵
PID:948

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
64⤵
PID:4600

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
64⤵
- Suspicious use of SetThreadContext
PID:1632

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
65⤵
PID:5000

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
65⤵
PID:3376

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
66⤵
PID:2456

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
66⤵
- Checks computer location settings
PID:4800

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
67⤵
PID:4076

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
67⤵
PID:4284

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
68⤵
PID:4872

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
68⤵
- Checks computer location settings
PID:3544

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
69⤵
PID:4812

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
69⤵
PID:4204

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
70⤵
PID:2480

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
70⤵
PID:4232

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
71⤵
PID:4536

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
71⤵
- Checks computer location settings
PID:4012

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
72⤵
PID:3448

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
72⤵
PID:1304

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
72⤵
- Checks computer location settings
PID:212

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
73⤵
- Suspicious use of SetThreadContext
PID:216

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
73⤵
PID:3424

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
74⤵
PID:924

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
74⤵
- Checks computer location settings
PID:2600

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
75⤵
PID:4272

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
75⤵
PID:2344

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
76⤵
PID:4312

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
76⤵
PID:3804

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
77⤵
PID:3012

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
77⤵
PID:4248

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
77⤵
PID:1696

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
78⤵
PID:3568

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
78⤵
PID:4220

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
79⤵
PID:3212

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
79⤵
PID:448

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
79⤵
- Suspicious use of SetThreadContext
PID:948

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
80⤵
PID:2584

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
80⤵
PID:944

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
80⤵
PID:3924

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
80⤵
PID:4532

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
81⤵
PID:4156

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
81⤵
- Suspicious use of SetThreadContext
PID:3376

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
81⤵
PID:3304

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
82⤵
PID:4804

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
82⤵
PID:3188

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
83⤵
PID:5020

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
83⤵
PID:2732

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
83⤵
PID:3832

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
84⤵
PID:4696

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
84⤵
- Checks computer location settings
PID:4372

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
85⤵
PID:2900

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
85⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:1688

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
86⤵
PID:1876

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
86⤵
PID:2700

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
87⤵
PID:420

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
87⤵
- Checks computer location settings
PID:3460

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
88⤵
PID:2032

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
88⤵
PID:772

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
89⤵
PID:3424

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
89⤵
PID:5064

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
89⤵
PID:3148

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
90⤵
PID:4440

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
90⤵
- Checks computer location settings
PID:1592

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
91⤵
PID:2836

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
91⤵
PID:3508

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
92⤵
PID:640

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
92⤵
PID:1016

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
93⤵
PID:4192

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
93⤵
PID:944

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
94⤵
PID:4088

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
94⤵
PID:4156

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
95⤵
PID:4996

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
95⤵
PID:3040

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
96⤵
PID:4076

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
96⤵
PID:2364

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
96⤵
PID:2080

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
96⤵
- Checks computer location settings
PID:4892

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
97⤵
PID:4584

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
97⤵
PID:5068

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
98⤵
PID:2888

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
98⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:3948

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
99⤵
PID:2480

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
99⤵
PID:4160

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
100⤵
PID:4840

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
100⤵
PID:2356

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
100⤵
- Checks computer location settings
PID:4132

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
101⤵
PID:2084

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
101⤵
- Checks computer location settings
PID:3644

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
102⤵
PID:2676

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
102⤵
PID:1900

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
103⤵
PID:924

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
103⤵
PID:5064

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
104⤵
PID:3068

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
104⤵
PID:4440

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
105⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
PID:3476

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
105⤵
PID:2344

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
106⤵
PID:744

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
106⤵
PID:3932

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
107⤵
PID:3580

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
107⤵
- Checks computer location settings
PID:4192

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
108⤵
PID:2532

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
108⤵
PID:4672

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
109⤵
PID:2228

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
109⤵
PID:2136

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
110⤵
PID:1576

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
110⤵
- Checks computer location settings
PID:848

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
111⤵
PID:4128

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
111⤵
PID:2720

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
111⤵
PID:4080

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
112⤵
PID:4900

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
112⤵
PID:4700

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
113⤵
- Checks computer location settings
PID:4284

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
113⤵
PID:5080

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
114⤵
PID:4696

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
114⤵
PID:796

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
115⤵
PID:2356

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
115⤵
PID:4644

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
116⤵
PID:2084

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
116⤵
PID:2484

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
116⤵
- Checks computer location settings
PID:5096

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
117⤵
PID:2676

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
117⤵
PID:4544

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
118⤵
PID:1960

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
118⤵
PID:4208

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
119⤵
PID:3676

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
119⤵
PID:3428

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
120⤵
PID:5076

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
120⤵
PID:1300

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
121⤵
PID:4384

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
121⤵
PID:1848

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
122⤵
PID:4960

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
122⤵
PID:3212

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
122⤵
PID:2208

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
122⤵
PID:4220

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
123⤵
PID:3308

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
123⤵
PID:3592

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
124⤵
PID:1864

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
124⤵
PID:4568

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
125⤵
PID:4616

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
125⤵
PID:2844

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
126⤵
PID:2080

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
126⤵
- Checks computer location settings
PID:3188

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
127⤵
PID:4196

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
127⤵
PID:3832

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
128⤵
PID:4536

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
128⤵
PID:5092

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
128⤵
PID:2900

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
129⤵
PID:3584

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
129⤵
PID:5080

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
129⤵
PID:4344

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
130⤵
PID:1700

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
130⤵
- Checks computer location settings
PID:1688

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
131⤵
PID:2700

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
131⤵
PID:4644

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
131⤵
PID:3392

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
132⤵
PID:4272

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
132⤵
- Checks computer location settings
PID:924

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
133⤵
PID:1824

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
133⤵
PID:1692

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
134⤵
PID:1312

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
134⤵
- Checks computer location settings
PID:3148

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
135⤵
PID:3428

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
135⤵
PID:3212

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
136⤵
PID:1360

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
136⤵
PID:2532

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
137⤵
PID:740

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
137⤵
PID:4088

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
138⤵
- Checks computer location settings
PID:944

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
138⤵
PID:4820

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
139⤵
PID:2228

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
139⤵
- Checks computer location settings
PID:3040

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
140⤵
PID:4356

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
140⤵
PID:5028

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
140⤵
PID:2136

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
140⤵
PID:2720

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
140⤵
PID:4144

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
141⤵
PID:3316

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
141⤵
PID:208

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
142⤵
PID:3716

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
142⤵
PID:1996

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
142⤵
PID:3584

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
143⤵
PID:4204

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
143⤵
PID:4428

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
144⤵
PID:4652

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
144⤵
PID:1780

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
144⤵
PID:880

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
144⤵
PID:3640

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
144⤵
PID:4264

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
145⤵
PID:4344

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
145⤵
PID:3484

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
145⤵
PID:216

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
145⤵
PID:388

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
146⤵
PID:1888

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
146⤵
PID:1472

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
147⤵
PID:2864

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
147⤵
PID:1080

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
148⤵
PID:4868

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
148⤵
PID:800

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
149⤵
PID:4260

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
149⤵
PID:1692

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
149⤵
PID:1956

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
150⤵
PID:1940

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
150⤵
PID:828

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
151⤵
PID:3212

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
151⤵
PID:1488

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
152⤵
PID:3800

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
152⤵
PID:4744

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
153⤵
PID:4396

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
153⤵
PID:4356

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
154⤵
PID:948

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
154⤵
PID:3592

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
154⤵
PID:4568

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
155⤵
PID:4616

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
155⤵
PID:1580

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
156⤵
PID:3716

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
156⤵
PID:2452

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
157⤵
PID:4764

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
157⤵
PID:5060

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
158⤵
PID:3832

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
158⤵
PID:5048

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
159⤵
PID:2160

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
159⤵
PID:4776

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
160⤵
PID:3424

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
160⤵
PID:4100

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
160⤵
PID:852

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
160⤵
PID:3608

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
161⤵
PID:3012

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
161⤵
- Checks computer location settings
PID:388

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
162⤵
PID:4816

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
162⤵
PID:556

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
163⤵
PID:4072

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
163⤵
PID:4208

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
164⤵
PID:2488

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
164⤵
- Checks computer location settings
PID:3428

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
164⤵
- Checks computer location settings
PID:4248

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
165⤵
PID:456

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
165⤵
PID:2316

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
165⤵
PID:2000

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
165⤵
PID:3492

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
166⤵
PID:3400

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
166⤵
PID:828

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
167⤵
PID:2984

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
167⤵
PID:1488

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
168⤵
PID:4088

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
168⤵
PID:2684

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
169⤵
PID:2156

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
169⤵
PID:4420

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
169⤵
PID:1392

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
169⤵
PID:2080

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
170⤵
- Checks computer location settings
PID:2844

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
170⤵
PID:3716

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
171⤵
PID:4700

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
171⤵
PID:2576

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
172⤵
PID:4860

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
172⤵
PID:208

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
172⤵
PID:3448

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
173⤵
PID:2516

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
173⤵
PID:4828

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
174⤵
PID:1952

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
174⤵
PID:3220

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
175⤵
PID:5104

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
175⤵
PID:444

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
175⤵
PID:4444

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
175⤵
PID:1920

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
176⤵
PID:4212

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
176⤵
PID:428

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
177⤵
- Checks computer location settings
PID:4544

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
177⤵
PID:3068

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
178⤵
PID:1352

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
178⤵
PID:640

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
179⤵
PID:1268

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
179⤵
PID:2640

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
179⤵
PID:2828

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
179⤵
PID:2164

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
180⤵
PID:4932

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
180⤵
PID:1956

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
180⤵
PID:3864

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
180⤵
PID:2132

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
180⤵
- Checks computer location settings
PID:3932

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
181⤵
PID:4976

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
181⤵
- Checks computer location settings
PID:2456

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
182⤵
PID:4076

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
182⤵
PID:1576

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
183⤵
- Checks computer location settings
PID:1488

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
183⤵
PID:4452

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
184⤵
PID:2720

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
184⤵
PID:2604

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
184⤵
PID:3452

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
185⤵
PID:3904

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
185⤵
PID:4536

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
186⤵
PID:3544

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
186⤵
PID:4764

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
187⤵
PID:3584

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
187⤵
PID:4984

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
188⤵
PID:4652

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
188⤵
PID:1464

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
189⤵
PID:1144

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
189⤵
PID:3248

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
190⤵
PID:4116

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
190⤵
PID:1000

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
190⤵
PID:2676

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
191⤵
PID:3408

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
191⤵
PID:2680

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
192⤵
PID:480

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
192⤵
PID:1080

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
193⤵
PID:2836

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
193⤵
PID:1692

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
193⤵
PID:964

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
194⤵
PID:4224

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
194⤵
PID:4972

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
194⤵
PID:2348

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
194⤵
PID:3508

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
194⤵
PID:4932

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
195⤵
PID:2252

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
195⤵
PID:4588

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
196⤵
PID:1696

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
196⤵
PID:2132

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
196⤵
PID:3740

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
197⤵
PID:5000

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
197⤵
PID:4192

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
198⤵
PID:3496

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
198⤵
PID:2156

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
199⤵
PID:2868

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
199⤵
PID:3704

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
200⤵
- Checks computer location settings
PID:1576

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
200⤵
PID:488

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
201⤵
PID:5068

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
201⤵
PID:4200

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
201⤵
PID:4128

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
201⤵
PID:2080

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
202⤵
PID:4012

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
202⤵
PID:4388

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
202⤵
PID:4736

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
202⤵
- Checks computer location settings
PID:4700

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
202⤵
PID:1356

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
202⤵
PID:4900

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
202⤵
PID:1780

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
203⤵
PID:1700

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
203⤵
PID:1588

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
204⤵
PID:3832

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
204⤵
PID:4044

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
204⤵
PID:5112

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
204⤵
PID:4168

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
204⤵
PID:3444

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
204⤵
PID:920

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
205⤵
PID:4760

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
205⤵
PID:4428

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
205⤵
PID:4444

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
206⤵
PID:3608

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
206⤵
PID:60

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
207⤵
PID:652

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
207⤵
PID:2396

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
208⤵
PID:4500

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
208⤵
PID:556

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
208⤵
PID:3580

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
209⤵
PID:2120

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
209⤵
PID:1940

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
210⤵
PID:2828

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
210⤵
PID:3124

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
211⤵
PID:5024

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
211⤵
PID:4004

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
212⤵
PID:3400

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
212⤵
PID:2364

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
213⤵
PID:3740

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
213⤵
PID:4088

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
214⤵
PID:1864

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
214⤵
PID:4640

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
214⤵
PID:1216

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
215⤵
PID:2720

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
215⤵
PID:4452

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
216⤵
PID:3592

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
216⤵
PID:3316

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
217⤵
PID:3544

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
217⤵
PID:4144

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
218⤵
PID:4944

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
218⤵
PID:3640

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
219⤵
PID:3448

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
219⤵
- Checks computer location settings
PID:3584

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
220⤵
- Checks computer location settings
PID:4344

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
220⤵
PID:2284

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
221⤵
PID:1588

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
221⤵
PID:4680

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
221⤵
PID:796

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
222⤵
PID:2812

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
222⤵
PID:2168

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
222⤵
PID:772

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
223⤵
PID:5116

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
223⤵
PID:4212

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
223⤵
PID:4312

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
224⤵
PID:4580

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
224⤵
- Checks computer location settings
PID:1472

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
224⤵
PID:1900

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
224⤵
PID:2396

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
225⤵
PID:1768

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
225⤵
PID:4796

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
225⤵
PID:800

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
226⤵
PID:544

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
226⤵
PID:3120

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
227⤵
PID:3656

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
227⤵
PID:2468

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
228⤵
PID:4588

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
228⤵
PID:2136

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
229⤵
PID:4956

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
229⤵
PID:3396

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
229⤵
PID:4804

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
229⤵
PID:1008

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
230⤵
PID:4788

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
230⤵
PID:2868

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
231⤵
- Checks computer location settings
PID:4568

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
231⤵
PID:4844

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
232⤵
PID:880

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
232⤵
PID:2604

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
232⤵
PID:2256

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
232⤵
PID:4800

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
232⤵
PID:4128

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
232⤵
PID:4396

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
233⤵
- Checks computer location settings
PID:5060

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
233⤵
PID:3544

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
233⤵
PID:3716

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
234⤵
PID:4944

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
234⤵
PID:4696

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
234⤵
PID:4896

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
235⤵
PID:2724

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
235⤵
PID:4984

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
236⤵
PID:4840

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
236⤵
PID:5104

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
237⤵
PID:920

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
237⤵
PID:1020

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
238⤵
PID:3476

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
238⤵
PID:3248

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
238⤵
PID:796

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
239⤵
PID:4072

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
239⤵
PID:2760

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
239⤵
PID:4940

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
240⤵
PID:2664

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
240⤵
PID:3536

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
241⤵
PID:2260

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
241⤵
PID:2396

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
242⤵
PID:2840

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
242⤵
PID:800

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
243⤵
PID:3116

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
243⤵
PID:1312

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
244⤵
PID:2532

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
244⤵
PID:1264

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
245⤵
PID:1864

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
245⤵
PID:3440

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
246⤵
PID:828

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
246⤵
PID:4752

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
247⤵
PID:2156

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
247⤵
PID:2256

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
248⤵
PID:4356

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
248⤵
PID:4012

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
249⤵
PID:460

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
249⤵
PID:4256

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
250⤵
PID:3436

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
250⤵
PID:488

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
250⤵
PID:4520

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
250⤵
PID:4900

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
251⤵
PID:2576

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
251⤵
PID:1780

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
252⤵
PID:4876

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
252⤵
PID:4776

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
253⤵
PID:1824

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
253⤵
PID:3408

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
254⤵
PID:1464

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
254⤵
PID:2168

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
255⤵
PID:3320

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
255⤵
PID:1080

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
256⤵
PID:1592

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
256⤵
PID:4312

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
257⤵
PID:2680

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
257⤵
PID:4972

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
258⤵
PID:5040

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
258⤵
PID:2772

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
259⤵
PID:4068

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
259⤵
PID:2344

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
260⤵
PID:548

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
260⤵
PID:3932

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
261⤵
- Checks computer location settings
PID:2532

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
261⤵
PID:4956

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
262⤵
PID:2304

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
262⤵
PID:4156

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
263⤵
- Checks computer location settings
PID:828

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
263⤵
PID:1608

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
264⤵
PID:4892

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
264⤵
PID:3796

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
265⤵
PID:4356

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
265⤵
PID:872

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
266⤵
PID:4320

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
266⤵
PID:1728

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
267⤵
PID:4764

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
267⤵
PID:2352

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
267⤵
- Checks computer location settings
PID:3716

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
268⤵
PID:3644

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
268⤵
PID:4576

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
269⤵
PID:1788

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
269⤵
PID:4652

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
270⤵
PID:4840

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
270⤵
PID:4592

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
271⤵
PID:1852

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
271⤵
PID:852

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
272⤵
PID:4816

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
272⤵
PID:3068

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
273⤵
PID:3676

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
273⤵
PID:2836

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
274⤵
PID:3864

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
274⤵
PID:4224

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
275⤵
PID:3564

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
275⤵
PID:2260

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
275⤵
PID:764

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
275⤵
PID:1940

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
276⤵
PID:1656

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
276⤵
PID:3396

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
277⤵
PID:4588

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
277⤵
PID:2532

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
278⤵
PID:3124

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
278⤵
PID:2304

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
279⤵
PID:2440

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
279⤵
PID:4672

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
280⤵
PID:3440

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
280⤵
PID:3404

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
281⤵
PID:4852

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
281⤵
PID:2944

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
282⤵
PID:1132

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
282⤵
PID:2032

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
283⤵
PID:2844

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
283⤵
PID:1248

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
284⤵
PID:4520

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
284⤵
PID:2516

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
285⤵
PID:1596

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
285⤵
PID:216

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
286⤵
PID:3720

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
286⤵
PID:1268

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
287⤵
PID:1824

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
287⤵
PID:3248

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
288⤵
PID:4340

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
288⤵
PID:3900

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
288⤵
PID:2760

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
289⤵
PID:60

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
289⤵
PID:3676

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
290⤵
PID:388

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
290⤵
PID:480

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
290⤵
PID:456

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
291⤵
PID:4312

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
291⤵
PID:764

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
292⤵
PID:4108

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
292⤵
PID:1656

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
293⤵
PID:5024

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
293⤵
PID:4588

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
294⤵
PID:1716

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
294⤵
PID:3124

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
295⤵
PID:1264

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
295⤵
PID:2016

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
296⤵
- Checks computer location settings
PID:3492

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
296⤵
PID:3440

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
297⤵
PID:2604

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
297⤵
PID:4708

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
297⤵
PID:4752

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
298⤵
PID:1932

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
298⤵
PID:3172

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
298⤵
PID:1132

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
299⤵
PID:1356

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
299⤵
PID:4176

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
300⤵
PID:3444

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
300⤵
PID:4372

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
301⤵
PID:3272

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
301⤵
PID:4144

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
301⤵
PID:5108

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
302⤵
PID:2812

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
302⤵
PID:4680

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
302⤵
PID:1788

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
303⤵
PID:4116

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
303⤵
PID:4316

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
304⤵
PID:3476

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
304⤵
PID:5012

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
305⤵
PID:960

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
305⤵
PID:1284

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
306⤵
PID:4444

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
306⤵
PID:4332

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
307⤵
PID:2444

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
307⤵
PID:640

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
307⤵
PID:2920

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
308⤵
PID:3196

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
308⤵
PID:2000

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
309⤵
PID:5040

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
309⤵
PID:1956

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
310⤵
PID:2840

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
310⤵
PID:4788

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
311⤵
PID:4824

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
311⤵
PID:1864

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
312⤵
PID:2984

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
312⤵
PID:4196

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
313⤵
PID:2440

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
313⤵
PID:5020

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
314⤵
PID:4088

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
314⤵
PID:3404

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
315⤵
PID:848

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
315⤵
PID:1872

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
315⤵
PID:320

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
316⤵
PID:4848

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
316⤵
PID:4252

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
317⤵
PID:4860

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
317⤵
PID:3940

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
318⤵
PID:4256

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
318⤵
PID:1700

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
319⤵
PID:2724

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
319⤵
PID:2284

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
320⤵
PID:3012

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
320⤵
PID:924

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
321⤵
PID:1020

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
321⤵
PID:1092

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
322⤵
PID:920

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
322⤵
- Checks computer location settings
PID:556

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
323⤵
PID:4444

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
323⤵
PID:3600

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
324⤵
PID:2120

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
324⤵
PID:4224

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
325⤵
PID:620

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
325⤵
PID:2228

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
326⤵
PID:3712

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
326⤵
PID:2180

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
327⤵
PID:3400

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
327⤵
PID:4532

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
328⤵
PID:4640

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
328⤵
PID:1716

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
328⤵
PID:3188

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
329⤵
PID:4596

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
329⤵
PID:1608

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
330⤵
PID:3304

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
330⤵
PID:4324

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
331⤵
PID:3172

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
331⤵
PID:4088

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
331⤵
PID:2256

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
332⤵
PID:3104

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
332⤵
PID:5112

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
332⤵
PID:1948

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
333⤵
PID:4232

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
333⤵
PID:4832

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
333⤵
PID:4168

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
334⤵
PID:3448

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
334⤵
PID:2480

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
335⤵
PID:1204

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
335⤵
PID:5056

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
336⤵
PID:2724

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
336⤵
PID:212

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
337⤵
PID:3012

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
337⤵
PID:4316

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
338⤵
PID:3248

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
338⤵
PID:1952

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
339⤵
PID:920

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
339⤵
PID:2444

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
340⤵
PID:4656

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
340⤵
PID:4560

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
340⤵
PID:3392

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
341⤵
PID:3736

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
341⤵
PID:2260

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
342⤵
PID:3604

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
342⤵
PID:3576

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
343⤵
PID:5004

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
343⤵
PID:5028

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
344⤵
PID:2252

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
344⤵
PID:948

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
345⤵
PID:2984

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
345⤵
PID:4532

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
346⤵
PID:2684

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
346⤵
PID:3188

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
347⤵
PID:1188

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
347⤵
PID:976

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
348⤵
PID:4452

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
348⤵
PID:4356

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
349⤵
PID:3452

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
349⤵
PID:2084

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
349⤵
PID:1356

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
350⤵
PID:2032

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
350⤵
PID:3948

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
350⤵
PID:4536

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
350⤵
PID:4944

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
351⤵
PID:2844

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
351⤵
PID:2484

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
352⤵
PID:2812

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
352⤵
PID:3484

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
353⤵
- Checks computer location settings
PID:3220

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
353⤵
PID:5088

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
354⤵
PID:4644

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
354⤵
PID:1268

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
354⤵
PID:652

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
355⤵
PID:3896

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
355⤵
PID:4428

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
355⤵
PID:444

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
356⤵
PID:1016

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
356⤵
PID:4972

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
356⤵
PID:1952

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
357⤵
PID:3656

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
357⤵
PID:428

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
358⤵
PID:3116

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
358⤵
PID:3148

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
359⤵
PID:1480

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
359⤵
PID:1460

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
359⤵
PID:2260

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
360⤵
PID:4588

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
360⤵
PID:3576

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
361⤵
PID:4004

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
361⤵
PID:5000

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
362⤵
PID:4788

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
362⤵
PID:1492

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
363⤵
PID:4892

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
363⤵
PID:1488

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
364⤵
PID:4128

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
364⤵
PID:1288

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
365⤵
PID:5060

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
365⤵
PID:1832

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
366⤵
PID:4024

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
366⤵
PID:4184

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
366⤵
PID:4752

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
367⤵
PID:2080

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
367⤵
PID:3084

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
368⤵
PID:4520

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
368⤵
PID:3644

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
369⤵
PID:3480

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
369⤵
PID:4776

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
369⤵
PID:3720

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
370⤵
PID:3052

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
370⤵
PID:216

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
371⤵
PID:1788

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
371⤵
PID:4340

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
372⤵
PID:3900

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
372⤵
PID:852

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
373⤵
PID:4796

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
373⤵
PID:4656

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
373⤵
PID:3032

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
374⤵
PID:2584

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
374⤵
PID:3196

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
375⤵
PID:4720

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
375⤵
PID:2444

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
376⤵
PID:1344

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
376⤵
PID:1756

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
377⤵
PID:740

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
377⤵
PID:4936

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
377⤵
PID:3352

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
378⤵
PID:3984

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
378⤵
PID:3268

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
378⤵
PID:800

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
379⤵
PID:1864

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
379⤵
PID:2532

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
379⤵
PID:4296

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
379⤵
PID:4824

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
380⤵
PID:5008

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
380⤵
PID:3496

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
381⤵
PID:5068

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
381⤵
PID:4216

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
382⤵
PID:4900

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
382⤵
PID:4832

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
383⤵
PID:3264

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
383⤵
PID:2500

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
383⤵
PID:3768

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
384⤵
PID:5020

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
384⤵
PID:4344

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
385⤵
PID:2036

C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\c.c auth,-confirmation #1307654780,pdf.exe"
385⤵
PID:4176

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
386⤵
PID:2160

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HJdyTuap.exe
Filesize
392KB

MD5
cb500bcc5957555b376b14fc847d9eb5

SHA1
cf25e726d40670c32dbd0541110b8e17761afc23

SHA256
3f87b9fe3f83f77f80d6bad1f56f06dce20683032cda510f84ea6d32f746b120

SHA512
c968f3a73b2faa564f439a7a04f1c6bbe8c285e1301a25cf242bd1cf5edebdd7c9c361ace612ce8011a0aa546598caf812784d3d5722557e6eb4787bb74bb389

Download Submit
memory/320-151-0x0000000000000000-mapping.dmp

Download
memory/456-192-0x0000000000000000-mapping.dmp

Download
memory/624-193-0x0000000000000000-mapping.dmp

Download
memory/960-156-0x0000000000000000-mapping.dmp

Download
memory/964-158-0x0000000000000000-mapping.dmp

Download
memory/1092-188-0x0000000000000000-mapping.dmp

Download
memory/1384-146-0x0000000000000000-mapping.dmp

Download
memory/1460-163-0x0000000000000000-mapping.dmp

Download
memory/1480-162-0x0000000000000000-mapping.dmp

Download
memory/1700-182-0x0000000000000000-mapping.dmp

Download
memory/1756-164-0x0000000000000000-mapping.dmp

Download
memory/1780-152-0x0000000000000000-mapping.dmp

Download
memory/1872-153-0x0000000000000000-mapping.dmp

Download
memory/1996-176-0x0000000000000000-mapping.dmp

Download
memory/2032-157-0x0000000000000000-mapping.dmp

Download
memory/2136-170-0x0000000000000000-mapping.dmp

Download
memory/2360-136-0x0000000002830000-0x0000000002833000-memory.dmp

Filesize
12KB

Download
memory/2360-131-0x0000000002820000-0x0000000002823000-memory.dmp

Filesize
12KB

Download
memory/2360-130-0x00000000003C0000-0x0000000000428000-memory.dmp

Filesize
416KB

Download
memory/2396-159-0x0000000000000000-mapping.dmp

Download
memory/2456-132-0x0000000000000000-mapping.dmp

Download
memory/2456-133-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2456-139-0x0000000005D90000-0x0000000005DF6000-memory.dmp

Filesize
408KB

Download
memory/2456-134-0x0000000005E30000-0x00000000063D4000-memory.dmp

Filesize
5.6MB

Download
memory/2456-135-0x0000000005630000-0x00000000056C2000-memory.dmp

Filesize
584KB

Download
memory/2456-137-0x0000000005880000-0x000000000591C000-memory.dmp

Filesize
624KB

Download
memory/2468-199-0x0000000000000000-mapping.dmp

Download
memory/2484-179-0x0000000000000000-mapping.dmp

Download
memory/2500-196-0x0000000000000000-mapping.dmp

Download
memory/2732-173-0x0000000000000000-mapping.dmp

Download
memory/2856-195-0x0000000000000000-mapping.dmp

Download
memory/3012-161-0x0000000000000000-mapping.dmp

Download
memory/3032-190-0x0000000000000000-mapping.dmp

Download
memory/3044-185-0x0000000000000000-mapping.dmp

Download
memory/3120-187-0x0000000000000000-mapping.dmp

Download
memory/3172-138-0x0000000000000000-mapping.dmp

Download
memory/3212-165-0x0000000000000000-mapping.dmp

Download
memory/3352-201-0x0000000000000000-mapping.dmp

Download
memory/3408-154-0x0000000000000000-mapping.dmp

Download
memory/3444-147-0x0000000000000000-mapping.dmp

Download
memory/3480-180-0x0000000000000000-mapping.dmp

Download
memory/3580-189-0x0000000000000000-mapping.dmp

Download
memory/3592-200-0x0000000000000000-mapping.dmp

Download
memory/3704-167-0x0000000000000000-mapping.dmp

Download
memory/3736-168-0x0000000000000000-mapping.dmp

Download
memory/3816-198-0x0000000000000000-mapping.dmp

Download
memory/3832-144-0x0000000000000000-mapping.dmp

Download
memory/3952-169-0x0000000000000000-mapping.dmp

Download
memory/3960-141-0x0000000000000000-mapping.dmp

Download
memory/4052-149-0x0000000000000000-mapping.dmp

Download
memory/4052-177-0x0000000000000000-mapping.dmp

Download
memory/4064-148-0x0000000000000000-mapping.dmp

Download
memory/4136-140-0x0000000000000000-mapping.dmp

Download
memory/4140-178-0x0000000000000000-mapping.dmp

Download
memory/4164-184-0x0000000000000000-mapping.dmp

Download
memory/4180-150-0x0000000000000000-mapping.dmp

Download
memory/4200-171-0x0000000000000000-mapping.dmp

Download
memory/4248-186-0x0000000000000000-mapping.dmp

Download
memory/4276-194-0x0000000000000000-mapping.dmp

Download
memory/4344-181-0x0000000000000000-mapping.dmp

Download
memory/4360-166-0x0000000000000000-mapping.dmp

Download
memory/4632-174-0x0000000000000000-mapping.dmp

Download
memory/4684-197-0x0000000000000000-mapping.dmp

Download
memory/4688-191-0x0000000000000000-mapping.dmp

Download
memory/4732-160-0x0000000000000000-mapping.dmp

Download
memory/4736-183-0x0000000000000000-mapping.dmp

Download
memory/4740-202-0x0000000000000000-mapping.dmp

Download
memory/4756-155-0x0000000000000000-mapping.dmp

Download
memory/4860-175-0x0000000000000000-mapping.dmp

Download
memory/4872-143-0x0000000000000000-mapping.dmp

Download
memory/4996-145-0x0000000000000000-mapping.dmp

Download
memory/5004-172-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads