nanocore | d07d9907fc362026b64487d94fce8bf9ca89ed9623f2cb41f1593694ac76a4e4

Analysis

max time kernel
151s
max time network
155s
platform
windows7_x64
resource
win7-20220414-en
submitted
21-05-2022 12:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

IMG74693969444.exe
Size

266KB
MD5

5e90e2d465e0f2a3f2495ef59c4b53d1
SHA1

f53591409c538d7e4f5b45f42d014d42ad003ad0
SHA256

e33ef485c574d639eae34cd252d97aa78c17718190c98a92f7b6dc5a5fc0cd69
SHA512

06290efbdb947376db922adc45454ebf048ba9fb217e3ef7b30c6a7dbdf4beec32d0aacdc65c0981930b6c3ec1a4d542f05eb371ff99ca3e28525ad5c47a2e8f

Score

10^/10

nanocore evasion keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

185.244.30.10:3310

Mutex

e2ebb08f-ebf7-4c0f-84d8-7041f8508ec8

Attributes

activate_away_mode
true
backup_connection_host
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2020-05-04T22:26:08.567797536Z
bypass_user_account_control
false
bypass_user_account_control_data
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
3310
default_group
Default
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
e2ebb08f-ebf7-4c0f-84d8-7041f8508ec8
mutex_timeout
5000
prevent_system_sleep
true
primary_connection_host
185.244.30.10
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

Drops startup file 2 IoCs

Processes:

IMG74693969444.exeIMG74693969444.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HJdyTuap.exe	IMG74693969444.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HJdyTuap.exe	IMG74693969444.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

RegAsm.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DSL Service = "C:\\Program Files (x86)\\DSL Service\\dslsv.exe"	RegAsm.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

RegAsm.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA RegAsm.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RegAsm.exe

Suspicious use of SetThreadContext 64 IoCs

Processes:

IMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exe

description	pid	process	target process
PID 2000 set thread context of 2008	2000	IMG74693969444.exe	RegAsm.exe
PID 1616 set thread context of 1376	1616	IMG74693969444.exe	RegAsm.exe
PID 324 set thread context of 1748	324	IMG74693969444.exe	RegAsm.exe
PID 1212 set thread context of 528	1212	IMG74693969444.exe	RegAsm.exe
PID 1672 set thread context of 1476	1672	IMG74693969444.exe	RegAsm.exe
PID 880 set thread context of 1096	880	IMG74693969444.exe	RegAsm.exe
PID 1988 set thread context of 1852	1988	IMG74693969444.exe	RegAsm.exe
PID 980 set thread context of 684	980	IMG74693969444.exe	RegAsm.exe
PID 1216 set thread context of 1692	1216	IMG74693969444.exe	RegAsm.exe
PID 788 set thread context of 1120	788	IMG74693969444.exe	RegAsm.exe
PID 1928 set thread context of 884	1928	IMG74693969444.exe	RegAsm.exe
PID 1588 set thread context of 1592	1588	IMG74693969444.exe	RegAsm.exe
PID 944 set thread context of 820	944	IMG74693969444.exe	RegAsm.exe
PID 564 set thread context of 804	564	IMG74693969444.exe	RegAsm.exe
PID 636 set thread context of 960	636	IMG74693969444.exe	RegAsm.exe
PID 1516 set thread context of 748	1516	IMG74693969444.exe	RegAsm.exe
PID 1200 set thread context of 992	1200	IMG74693969444.exe	RegAsm.exe
PID 1580 set thread context of 1684	1580	IMG74693969444.exe	RegAsm.exe
PID 580 set thread context of 1916	580	IMG74693969444.exe	RegAsm.exe
PID 1668 set thread context of 1116	1668	IMG74693969444.exe	RegAsm.exe
PID 432 set thread context of 2056	432	IMG74693969444.exe	RegAsm.exe
PID 2112 set thread context of 2184	2112	IMG74693969444.exe	RegAsm.exe
PID 2236 set thread context of 2292	2236	IMG74693969444.exe	RegAsm.exe
PID 2336 set thread context of 2384	2336	IMG74693969444.exe	RegAsm.exe
PID 2432 set thread context of 2484	2432	IMG74693969444.exe	RegAsm.exe
PID 2540 set thread context of 2592	2540	IMG74693969444.exe	RegAsm.exe
PID 2640 set thread context of 2688	2640	IMG74693969444.exe	RegAsm.exe
PID 2736 set thread context of 2772	2736	IMG74693969444.exe	RegAsm.exe
PID 2840 set thread context of 2872	2840	IMG74693969444.exe	RegAsm.exe
PID 2936 set thread context of 2968	2936	IMG74693969444.exe	RegAsm.exe
PID 3032 set thread context of 3064	3032	IMG74693969444.exe	RegAsm.exe
PID 2072 set thread context of 1700	2072	IMG74693969444.exe	RegAsm.exe
PID 1432 set thread context of 620	1432	IMG74693969444.exe	RegAsm.exe
PID 2280 set thread context of 1532	2280	IMG74693969444.exe	RegAsm.exe
PID 1628 set thread context of 2116	1628	IMG74693969444.exe	RegAsm.exe
PID 1584 set thread context of 2472	1584	IMG74693969444.exe	RegAsm.exe
PID 1620 set thread context of 2356	1620	IMG74693969444.exe	RegAsm.exe
PID 2676 set thread context of 2444	2676	IMG74693969444.exe	RegAsm.exe
PID 2556 set thread context of 2784	2556	IMG74693969444.exe	RegAsm.exe
PID 2652 set thread context of 2820	2652	IMG74693969444.exe	RegAsm.exe
PID 2748 set thread context of 2916	2748	IMG74693969444.exe	RegAsm.exe
PID 3060 set thread context of 2928	3060	IMG74693969444.exe	RegAsm.exe
PID 1360 set thread context of 3024	1360	IMG74693969444.exe	RegAsm.exe
PID 3044 set thread context of 836	3044	IMG74693969444.exe	RegAsm.exe
PID 2172 set thread context of 1496	2172	IMG74693969444.exe	RegAsm.exe
PID 528 set thread context of 1912	528	IMG74693969444.exe	RegAsm.exe
PID 2368 set thread context of 1548	2368	IMG74693969444.exe	RegAsm.exe
PID 2524 set thread context of 2604	2524	IMG74693969444.exe	RegAsm.exe
PID 2672 set thread context of 2700	2672	IMG74693969444.exe	RegAsm.exe
PID 2816 set thread context of 2808	2816	IMG74693969444.exe	RegAsm.exe
PID 2912 set thread context of 2060	2912	IMG74693969444.exe	RegAsm.exe
PID 3004 set thread context of 884	3004	IMG74693969444.exe	RegAsm.exe
PID 2312 set thread context of 2752	2312	IMG74693969444.exe	RegAsm.exe
PID 1508 set thread context of 2844	1508	IMG74693969444.exe	RegAsm.exe
PID 856 set thread context of 2940	856	IMG74693969444.exe	RegAsm.exe
PID 2596 set thread context of 3056	2596	IMG74693969444.exe	RegAsm.exe
PID 2688 set thread context of 2216	2688	IMG74693969444.exe	RegAsm.exe
PID 2772 set thread context of 2392	2772	IMG74693969444.exe	RegAsm.exe
PID 2876 set thread context of 2496	2876	IMG74693969444.exe	RegAsm.exe
PID 2988 set thread context of 1848	2988	IMG74693969444.exe	RegAsm.exe
PID 740 set thread context of 1536	740	IMG74693969444.exe	RegAsm.exe
PID 612 set thread context of 948	612	IMG74693969444.exe	RegAsm.exe
PID 1204 set thread context of 2896	1204	IMG74693969444.exe	RegAsm.exe
PID 596 set thread context of 560	596	IMG74693969444.exe	RegAsm.exe

Drops file in Program Files directory 2 IoCs

Processes:

RegAsm.exe

description	ioc	process
File created	C:\Program Files (x86)\DSL Service\dslsv.exe	RegAsm.exe
File opened for modification	C:\Program Files (x86)\DSL Service\dslsv.exe	RegAsm.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1848 schtasks.exe
672 schtasks.exe

pid	process
1848	schtasks.exe
672	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

IMG74693969444.exe

pid	process
2000	IMG74693969444.exe
2000	IMG74693969444.exe
2000	IMG74693969444.exe
2000	IMG74693969444.exe
2000	IMG74693969444.exe
2000	IMG74693969444.exe
2000	IMG74693969444.exe
2000	IMG74693969444.exe
2000	IMG74693969444.exe
2000	IMG74693969444.exe
2000	IMG74693969444.exe
2000	IMG74693969444.exe
2000	IMG74693969444.exe
2000	IMG74693969444.exe
2000	IMG74693969444.exe
2000	IMG74693969444.exe
2000	IMG74693969444.exe
2000	IMG74693969444.exe
2000	IMG74693969444.exe
2000	IMG74693969444.exe
2000	IMG74693969444.exe
2000	IMG74693969444.exe
2000	IMG74693969444.exe
2000	IMG74693969444.exe
2000	IMG74693969444.exe
2000	IMG74693969444.exe
2000	IMG74693969444.exe
2000	IMG74693969444.exe
2000	IMG74693969444.exe
2000	IMG74693969444.exe
2000	IMG74693969444.exe
2000	IMG74693969444.exe
2000	IMG74693969444.exe
2000	IMG74693969444.exe
2000	IMG74693969444.exe
2000	IMG74693969444.exe
2000	IMG74693969444.exe
2000	IMG74693969444.exe
2000	IMG74693969444.exe
2000	IMG74693969444.exe
2000	IMG74693969444.exe
2000	IMG74693969444.exe
2000	IMG74693969444.exe
2000	IMG74693969444.exe
2000	IMG74693969444.exe
2000	IMG74693969444.exe
2000	IMG74693969444.exe
2000	IMG74693969444.exe
2000	IMG74693969444.exe
2000	IMG74693969444.exe
2000	IMG74693969444.exe
2000	IMG74693969444.exe
2000	IMG74693969444.exe
2000	IMG74693969444.exe
2000	IMG74693969444.exe
2000	IMG74693969444.exe
2000	IMG74693969444.exe
2000	IMG74693969444.exe
2000	IMG74693969444.exe
2000	IMG74693969444.exe
2000	IMG74693969444.exe
2000	IMG74693969444.exe
2000	IMG74693969444.exe
2000	IMG74693969444.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

RegAsm.exe

pid process

2008 RegAsm.exe

pid	process
2008	RegAsm.exe

Suspicious behavior: MapViewOfSection 64 IoCs

Processes:

pid	process
2000	IMG74693969444.exe
2000	IMG74693969444.exe
1616	IMG74693969444.exe
324	IMG74693969444.exe
1212	IMG74693969444.exe
1672	IMG74693969444.exe
1672	IMG74693969444.exe
880	IMG74693969444.exe
880	IMG74693969444.exe
1988	IMG74693969444.exe
980	IMG74693969444.exe
1216	IMG74693969444.exe
788	IMG74693969444.exe
1928	IMG74693969444.exe
1588	IMG74693969444.exe
944	IMG74693969444.exe
564	IMG74693969444.exe
636	IMG74693969444.exe
1516	IMG74693969444.exe
1200	IMG74693969444.exe
1580	IMG74693969444.exe
580	IMG74693969444.exe
1668	IMG74693969444.exe
432	IMG74693969444.exe
2112	IMG74693969444.exe
2112	IMG74693969444.exe
2236	IMG74693969444.exe
2336	IMG74693969444.exe
2432	IMG74693969444.exe
2540	IMG74693969444.exe
2640	IMG74693969444.exe
2736	IMG74693969444.exe
2840	IMG74693969444.exe
2936	IMG74693969444.exe
3032	IMG74693969444.exe
2072	IMG74693969444.exe
1432	IMG74693969444.exe
2280	IMG74693969444.exe
1628	IMG74693969444.exe
1628	IMG74693969444.exe
1584	IMG74693969444.exe
1620	IMG74693969444.exe
1620	IMG74693969444.exe
2676	IMG74693969444.exe
2556	IMG74693969444.exe
2652	IMG74693969444.exe
2748	IMG74693969444.exe
3060	IMG74693969444.exe
1360	IMG74693969444.exe
3044	IMG74693969444.exe
2172	IMG74693969444.exe
528	IMG74693969444.exe
2368	IMG74693969444.exe
2524	IMG74693969444.exe
2672	IMG74693969444.exe
2816	IMG74693969444.exe
2912	IMG74693969444.exe
3004	IMG74693969444.exe
2312	IMG74693969444.exe
1508	IMG74693969444.exe
856	IMG74693969444.exe
2596	IMG74693969444.exe
2688	IMG74693969444.exe
2772	IMG74693969444.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

IMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeRegAsm.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exe

description	pid	process
Token: SeDebugPrivilege	2000	IMG74693969444.exe
Token: SeDebugPrivilege	1616	IMG74693969444.exe
Token: SeDebugPrivilege	324	IMG74693969444.exe
Token: SeDebugPrivilege	1212	IMG74693969444.exe
Token: SeDebugPrivilege	2008	RegAsm.exe
Token: SeDebugPrivilege	1672	IMG74693969444.exe
Token: SeDebugPrivilege	880	IMG74693969444.exe
Token: SeDebugPrivilege	1988	IMG74693969444.exe
Token: SeDebugPrivilege	980	IMG74693969444.exe
Token: SeDebugPrivilege	1216	IMG74693969444.exe
Token: SeDebugPrivilege	788	IMG74693969444.exe
Token: SeDebugPrivilege	1928	IMG74693969444.exe
Token: SeDebugPrivilege	1588	IMG74693969444.exe
Token: SeDebugPrivilege	944	IMG74693969444.exe
Token: SeDebugPrivilege	564	IMG74693969444.exe
Token: SeDebugPrivilege	636	IMG74693969444.exe
Token: SeDebugPrivilege	1516	IMG74693969444.exe
Token: SeDebugPrivilege	1200	IMG74693969444.exe
Token: SeDebugPrivilege	1580	IMG74693969444.exe
Token: SeDebugPrivilege	580	IMG74693969444.exe
Token: SeDebugPrivilege	1668	IMG74693969444.exe
Token: SeDebugPrivilege	432	IMG74693969444.exe
Token: SeDebugPrivilege	2112	IMG74693969444.exe
Token: SeDebugPrivilege	2236	IMG74693969444.exe
Token: SeDebugPrivilege	2336	IMG74693969444.exe
Token: SeDebugPrivilege	2432	IMG74693969444.exe
Token: SeDebugPrivilege	2540	IMG74693969444.exe
Token: SeDebugPrivilege	2640	IMG74693969444.exe
Token: SeDebugPrivilege	2736	IMG74693969444.exe
Token: SeDebugPrivilege	2840	IMG74693969444.exe
Token: SeDebugPrivilege	2936	IMG74693969444.exe
Token: SeDebugPrivilege	3032	IMG74693969444.exe
Token: SeDebugPrivilege	2072	IMG74693969444.exe
Token: SeDebugPrivilege	1432	IMG74693969444.exe
Token: SeDebugPrivilege	2280	IMG74693969444.exe
Token: SeDebugPrivilege	1628	IMG74693969444.exe
Token: SeDebugPrivilege	1584	IMG74693969444.exe
Token: SeDebugPrivilege	1620	IMG74693969444.exe
Token: SeDebugPrivilege	2676	IMG74693969444.exe
Token: SeDebugPrivilege	2556	IMG74693969444.exe
Token: SeDebugPrivilege	2652	IMG74693969444.exe
Token: SeDebugPrivilege	2748	IMG74693969444.exe
Token: SeDebugPrivilege	3060	IMG74693969444.exe
Token: SeDebugPrivilege	1360	IMG74693969444.exe
Token: SeDebugPrivilege	3044	IMG74693969444.exe
Token: SeDebugPrivilege	2172	IMG74693969444.exe
Token: SeDebugPrivilege	528	IMG74693969444.exe
Token: SeDebugPrivilege	2368	IMG74693969444.exe
Token: SeDebugPrivilege	2524	IMG74693969444.exe
Token: SeDebugPrivilege	2672	IMG74693969444.exe
Token: SeDebugPrivilege	2816	IMG74693969444.exe
Token: SeDebugPrivilege	2912	IMG74693969444.exe
Token: SeDebugPrivilege	3004	IMG74693969444.exe
Token: SeDebugPrivilege	2312	IMG74693969444.exe
Token: SeDebugPrivilege	1508	IMG74693969444.exe
Token: SeDebugPrivilege	856	IMG74693969444.exe
Token: SeDebugPrivilege	2596	IMG74693969444.exe
Token: SeDebugPrivilege	2688	IMG74693969444.exe
Token: SeDebugPrivilege	2772	IMG74693969444.exe
Token: SeDebugPrivilege	2876	IMG74693969444.exe
Token: SeDebugPrivilege	2988	IMG74693969444.exe
Token: SeDebugPrivilege	740	IMG74693969444.exe
Token: SeDebugPrivilege	612	IMG74693969444.exe
Token: SeDebugPrivilege	1204	IMG74693969444.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

IMG74693969444.exeIMG74693969444.exeRegAsm.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exe

description	pid	process	target process
PID 2000 wrote to memory of 1460	2000	IMG74693969444.exe	RegAsm.exe
PID 2000 wrote to memory of 1460	2000	IMG74693969444.exe	RegAsm.exe
PID 2000 wrote to memory of 1460	2000	IMG74693969444.exe	RegAsm.exe
PID 2000 wrote to memory of 1460	2000	IMG74693969444.exe	RegAsm.exe
PID 2000 wrote to memory of 1460	2000	IMG74693969444.exe	RegAsm.exe
PID 2000 wrote to memory of 1460	2000	IMG74693969444.exe	RegAsm.exe
PID 2000 wrote to memory of 1460	2000	IMG74693969444.exe	RegAsm.exe
PID 2000 wrote to memory of 2008	2000	IMG74693969444.exe	RegAsm.exe
PID 2000 wrote to memory of 2008	2000	IMG74693969444.exe	RegAsm.exe
PID 2000 wrote to memory of 2008	2000	IMG74693969444.exe	RegAsm.exe
PID 2000 wrote to memory of 2008	2000	IMG74693969444.exe	RegAsm.exe
PID 2000 wrote to memory of 2008	2000	IMG74693969444.exe	RegAsm.exe
PID 2000 wrote to memory of 2008	2000	IMG74693969444.exe	RegAsm.exe
PID 2000 wrote to memory of 2008	2000	IMG74693969444.exe	RegAsm.exe
PID 2000 wrote to memory of 2008	2000	IMG74693969444.exe	RegAsm.exe
PID 2000 wrote to memory of 1616	2000	IMG74693969444.exe	IMG74693969444.exe
PID 2000 wrote to memory of 1616	2000	IMG74693969444.exe	IMG74693969444.exe
PID 2000 wrote to memory of 1616	2000	IMG74693969444.exe	IMG74693969444.exe
PID 2000 wrote to memory of 1616	2000	IMG74693969444.exe	IMG74693969444.exe
PID 1616 wrote to memory of 1376	1616	IMG74693969444.exe	RegAsm.exe
PID 1616 wrote to memory of 1376	1616	IMG74693969444.exe	RegAsm.exe
PID 1616 wrote to memory of 1376	1616	IMG74693969444.exe	RegAsm.exe
PID 1616 wrote to memory of 1376	1616	IMG74693969444.exe	RegAsm.exe
PID 1616 wrote to memory of 1376	1616	IMG74693969444.exe	RegAsm.exe
PID 1616 wrote to memory of 1376	1616	IMG74693969444.exe	RegAsm.exe
PID 1616 wrote to memory of 1376	1616	IMG74693969444.exe	RegAsm.exe
PID 1616 wrote to memory of 1376	1616	IMG74693969444.exe	RegAsm.exe
PID 2008 wrote to memory of 1848	2008	RegAsm.exe	schtasks.exe
PID 2008 wrote to memory of 1848	2008	RegAsm.exe	schtasks.exe
PID 2008 wrote to memory of 1848	2008	RegAsm.exe	schtasks.exe
PID 2008 wrote to memory of 1848	2008	RegAsm.exe	schtasks.exe
PID 1616 wrote to memory of 324	1616	IMG74693969444.exe	IMG74693969444.exe
PID 1616 wrote to memory of 324	1616	IMG74693969444.exe	IMG74693969444.exe
PID 1616 wrote to memory of 324	1616	IMG74693969444.exe	IMG74693969444.exe
PID 1616 wrote to memory of 324	1616	IMG74693969444.exe	IMG74693969444.exe
PID 324 wrote to memory of 1748	324	IMG74693969444.exe	RegAsm.exe
PID 324 wrote to memory of 1748	324	IMG74693969444.exe	RegAsm.exe
PID 324 wrote to memory of 1748	324	IMG74693969444.exe	RegAsm.exe
PID 324 wrote to memory of 1748	324	IMG74693969444.exe	RegAsm.exe
PID 324 wrote to memory of 1748	324	IMG74693969444.exe	RegAsm.exe
PID 324 wrote to memory of 1748	324	IMG74693969444.exe	RegAsm.exe
PID 324 wrote to memory of 1748	324	IMG74693969444.exe	RegAsm.exe
PID 324 wrote to memory of 1748	324	IMG74693969444.exe	RegAsm.exe
PID 2008 wrote to memory of 672	2008	RegAsm.exe	schtasks.exe
PID 2008 wrote to memory of 672	2008	RegAsm.exe	schtasks.exe
PID 2008 wrote to memory of 672	2008	RegAsm.exe	schtasks.exe
PID 2008 wrote to memory of 672	2008	RegAsm.exe	schtasks.exe
PID 324 wrote to memory of 1212	324	IMG74693969444.exe	IMG74693969444.exe
PID 324 wrote to memory of 1212	324	IMG74693969444.exe	IMG74693969444.exe
PID 324 wrote to memory of 1212	324	IMG74693969444.exe	IMG74693969444.exe
PID 324 wrote to memory of 1212	324	IMG74693969444.exe	IMG74693969444.exe
PID 1212 wrote to memory of 528	1212	IMG74693969444.exe	RegAsm.exe
PID 1212 wrote to memory of 528	1212	IMG74693969444.exe	RegAsm.exe
PID 1212 wrote to memory of 528	1212	IMG74693969444.exe	RegAsm.exe
PID 1212 wrote to memory of 528	1212	IMG74693969444.exe	RegAsm.exe
PID 1212 wrote to memory of 528	1212	IMG74693969444.exe	RegAsm.exe
PID 1212 wrote to memory of 528	1212	IMG74693969444.exe	RegAsm.exe
PID 1212 wrote to memory of 528	1212	IMG74693969444.exe	RegAsm.exe
PID 1212 wrote to memory of 528	1212	IMG74693969444.exe	RegAsm.exe
PID 1212 wrote to memory of 1672	1212	IMG74693969444.exe	IMG74693969444.exe
PID 1212 wrote to memory of 1672	1212	IMG74693969444.exe	IMG74693969444.exe
PID 1212 wrote to memory of 1672	1212	IMG74693969444.exe	IMG74693969444.exe
PID 1212 wrote to memory of 1672	1212	IMG74693969444.exe	IMG74693969444.exe
PID 1672 wrote to memory of 1760	1672	IMG74693969444.exe	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2000

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
PID:1460

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2008

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "DSL Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmp70AE.tmp"
3⤵
- Creates scheduled task(s)
PID:1848

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "DSL Service Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp74B5.tmp"
3⤵
- Creates scheduled task(s)
PID:672

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
2⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1616

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:1376

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:324

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
PID:1748

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
4⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1212

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
5⤵
PID:528

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
5⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1672

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
6⤵
PID:1760

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
6⤵
PID:1476

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
6⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:880

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
7⤵
PID:1960

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
7⤵
PID:1096

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
7⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1988

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
8⤵
PID:1852

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
8⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:980

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
9⤵
PID:684

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
9⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1216

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
10⤵
PID:1692

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
10⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:788

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
11⤵
PID:1120

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
11⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1928

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
12⤵
PID:884

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
12⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1588

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
13⤵
PID:1592

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
13⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:944

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
14⤵
PID:820

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
14⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:564

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
15⤵
PID:804

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
15⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:636

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
16⤵
PID:960

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
16⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1516

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
17⤵
PID:748

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
17⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1200

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
18⤵
PID:992

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
18⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1580

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
19⤵
PID:1684

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
19⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:580

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
20⤵
PID:1916

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
20⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1668

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
21⤵
PID:1116

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
21⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:432

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
22⤵
PID:2056

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
22⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2112

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
23⤵
PID:2176

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
23⤵
PID:2184

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
23⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2236

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
24⤵
PID:2292

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
24⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2336

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
25⤵
PID:2384

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
25⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2432

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
26⤵
PID:2484

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
26⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2540

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
27⤵
PID:2592

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
27⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2640

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
28⤵
PID:2688

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
28⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2736

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
29⤵
PID:2772

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
29⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2840

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
30⤵
PID:2872

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
30⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2936

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
31⤵
PID:2968

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
31⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3032

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
32⤵
PID:3064

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
32⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2072

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
33⤵
PID:1700

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
33⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1432

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
34⤵
PID:620

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
34⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2280

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
35⤵
PID:1532

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
35⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1628

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
36⤵
PID:1476

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
36⤵
PID:2116

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
36⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1584

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
37⤵
PID:2472

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
37⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1620

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
38⤵
PID:2340

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
38⤵
PID:2356

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
38⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2676

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
39⤵
PID:2444

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
39⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2556

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
40⤵
PID:2784

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
40⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2652

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
41⤵
PID:2820

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
41⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2748

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
42⤵
PID:2916

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
42⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3060

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
43⤵
PID:2928

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
43⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1360

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
44⤵
PID:3024

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
44⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3044

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
45⤵
PID:836

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
45⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2172

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
46⤵
PID:1496

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
46⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:528

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
47⤵
PID:1912

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
47⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2368

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
48⤵
PID:1548

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
48⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2524

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
49⤵
PID:2604

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
49⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2672

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
50⤵
PID:2700

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
50⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2816

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
51⤵
PID:2808

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
51⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2912

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
52⤵
PID:2060

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
52⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3004

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
53⤵
PID:884

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
53⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2312

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
54⤵
PID:2752

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
54⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1508

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
55⤵
PID:2844

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
55⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:856

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
56⤵
PID:2940

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
56⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2596

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
57⤵
PID:3056

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
57⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2688

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
58⤵
PID:2216

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
58⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2772

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
59⤵
PID:2392

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
59⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2876

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
60⤵
PID:2496

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
60⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2988

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
61⤵
PID:1848

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
61⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:740

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
62⤵
PID:1536

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
62⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:612

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
63⤵
PID:948

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
63⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1204

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
64⤵
PID:2896

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
64⤵
- Suspicious use of SetThreadContext
PID:596

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
65⤵
PID:560

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
65⤵
PID:548

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
66⤵
PID:2116

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
66⤵
PID:2124

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
67⤵
PID:2240

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
67⤵
PID:3052

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
67⤵
PID:2420

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
68⤵
PID:2712

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
68⤵
PID:2528

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
69⤵
PID:2480

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
69⤵
PID:2340

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
70⤵
PID:1852

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
70⤵
PID:2776

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
70⤵
PID:2972

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
71⤵
PID:2572

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
71⤵
PID:2576

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
72⤵
PID:2636

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
72⤵
PID:1172

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
73⤵
PID:2292

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
73⤵
PID:760

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
74⤵
PID:2080

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
74⤵
PID:2212

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
75⤵
PID:2208

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
75⤵
PID:2308

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
75⤵
PID:852

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
76⤵
PID:2104

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
76⤵
PID:2004

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
77⤵
PID:2168

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
77⤵
PID:1592

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
77⤵
PID:2488

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
78⤵
PID:1572

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
78⤵
PID:3048

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
79⤵
PID:2416

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
79⤵
PID:2424

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
80⤵
PID:1772

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
80⤵
PID:1852

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
81⤵
PID:2900

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
81⤵
PID:2916

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
82⤵
PID:2564

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
82⤵
PID:2872

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
82⤵
PID:2868

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
83⤵
PID:1292

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
83⤵
PID:2628

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
84⤵
PID:2964

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
84⤵
PID:1688

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
85⤵
PID:1496

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
85⤵
PID:2848

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
86⤵
PID:1716

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
86⤵
PID:2160

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
87⤵
PID:1320

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
87⤵
PID:1064

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
88⤵
PID:2704

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
88⤵
PID:1480

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
89⤵
PID:2332

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
89⤵
PID:2032

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
90⤵
PID:2256

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
90⤵
PID:2544

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
91⤵
PID:1952

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
91⤵
PID:2648

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
92⤵
PID:948

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
92⤵
PID:2180

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
93⤵
PID:2992

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
93⤵
PID:1068

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
94⤵
PID:2820

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
94⤵
PID:2264

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
95⤵
PID:2756

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
95⤵
PID:2260

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
96⤵
PID:1732

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
96⤵
PID:2520

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
97⤵
PID:2276

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
97⤵
PID:2224

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
97⤵
PID:272

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
98⤵
PID:1236

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
98⤵
PID:2692

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
99⤵
PID:2452

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
99⤵
PID:2476

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
100⤵
PID:2052

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
100⤵
PID:884

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
100⤵
PID:2044

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
101⤵
PID:2784

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
101⤵
PID:2360

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
102⤵
PID:2812

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
102⤵
PID:2220

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
102⤵
PID:2304

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
103⤵
PID:3020

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
103⤵
PID:2192

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
104⤵
PID:1980

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
104⤵
PID:1948

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
105⤵
PID:2444

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
105⤵
PID:1376

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
106⤵
PID:2320

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
106⤵
PID:1328

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
106⤵
PID:2612

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
107⤵
PID:1916

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
107⤵
PID:2548

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
108⤵
PID:2768

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
108⤵
PID:2560

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
109⤵
PID:2752

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
109⤵
PID:2664

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
110⤵
PID:1848

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
110⤵
PID:2720

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
111⤵
PID:1256

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
111⤵
PID:2960

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
112⤵
PID:2964

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
112⤵
PID:1800

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
112⤵
PID:836

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
113⤵
PID:2668

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
113⤵
PID:2116

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
114⤵
PID:360

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
114⤵
PID:516

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
115⤵
PID:1572

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
115⤵
PID:3064

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
115⤵
PID:2400

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
116⤵
PID:1352

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
116⤵
PID:2568

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
117⤵
PID:2716

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
117⤵
PID:2348

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
117⤵
PID:2256

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
118⤵
PID:2624

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
118⤵
PID:1952

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
119⤵
PID:2152

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
119⤵
PID:1384

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
120⤵
PID:2056

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
120⤵
PID:2404

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
121⤵
PID:1696

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
121⤵
PID:2828

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
122⤵
PID:1532

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
122⤵
PID:2228

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
123⤵
PID:2472

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
123⤵
PID:2356

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
124⤵
PID:2536

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
124⤵
PID:2852

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
125⤵
PID:2616

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
125⤵
PID:2284

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
126⤵
PID:2324

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
126⤵
PID:2464

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
126⤵
PID:2644

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
127⤵
PID:768

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp70AE.tmp
Filesize
1KB

MD5
48ef7fa9033389ad7929d7a6b9d10298

SHA1
9db6cb7325c8bdf66a15f7b5f34703709a45aeb6

SHA256
0c1b5f67eeb276d1d4205b138ce32bc6149924e02281a2db8e4623a700e88f15

SHA512
ac8bd104ecbacc9bccce9e087f67e5b18072d59367ccd31d4e66132b6baaea520cba5b9b59464483d86abf74826b382c402f12e9a586c99bda8c78a0de33944e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp74B5.tmp
Filesize
1KB

MD5
afb71a33ece3758f782f052bbe5da94f

SHA1
e69b9070ff52f81fdf01a40f775d021e4b4e71e4

SHA256
abd73bfca8458750ee751d4c6c106d54dcf0969592f476acc64ab0d7f2bb1978

SHA512
22c45992ca358ca9d4605ac426b65903b11b27db1b9c608739245dc412aa256d0908566626b3cfdafb32fca0809bf46c8824ab98cea7b7662216c915e6ef013f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HJdyTuap.exe
Filesize
268KB

MD5
44540892e2dbc3f7303c15c3d1689ecf

SHA1
c45e3eb984a69a0607d3e30e01009185a405c47f

SHA256
f165aaaa891aac8a10cd6ae8ca9ae07a901daec1f4a97122466b65c7212aaeec

SHA512
e7e8b79995e41c29e3d5e0348c720a72fa45aa2f0b656173b295984e550ef54c424787a8ce77ce0b7d0327ac62a2853053f5d3307672f1827fa77b37d4cff01e

Download Submit
memory/272-348-0x00000000004F0000-0x0000000000532000-memory.dmp

Filesize
264KB

Download
memory/324-68-0x0000000000000000-mapping.dmp

Download
memory/432-154-0x0000000000000000-mapping.dmp

Download
memory/528-80-0x000000000041E792-mapping.dmp

Download
memory/548-278-0x00000000001F0000-0x0000000000232000-memory.dmp

Filesize
264KB

Download
memory/564-122-0x0000000000000000-mapping.dmp

Download
memory/564-123-0x0000000000470000-0x00000000004B2000-memory.dmp

Filesize
264KB

Download
memory/580-146-0x00000000004D0000-0x0000000000512000-memory.dmp

Filesize
264KB

Download
memory/580-145-0x0000000000000000-mapping.dmp

Download
memory/636-127-0x0000000000000000-mapping.dmp

Download
memory/672-74-0x0000000000000000-mapping.dmp

Download
memory/684-99-0x000000000041E792-mapping.dmp

Download
memory/748-134-0x000000000041E792-mapping.dmp

Download
memory/788-106-0x0000000000000000-mapping.dmp

Download
memory/804-125-0x000000000041E792-mapping.dmp

Download
memory/820-120-0x000000000041E792-mapping.dmp

Download
memory/836-387-0x0000000000320000-0x0000000000362000-memory.dmp

Filesize
264KB

Download
memory/880-88-0x0000000000000000-mapping.dmp

Download
memory/884-112-0x000000000041E792-mapping.dmp

Download
memory/944-118-0x0000000000000000-mapping.dmp

Download
memory/960-129-0x000000000041E792-mapping.dmp

Download
memory/980-97-0x0000000000000000-mapping.dmp

Download
memory/992-138-0x000000000041E792-mapping.dmp

Download
memory/1064-326-0x00000000003A0000-0x00000000003E2000-memory.dmp

Filesize
264KB

Download
memory/1096-91-0x000000000041E792-mapping.dmp

Download
memory/1116-152-0x000000000041E792-mapping.dmp

Download
memory/1120-108-0x000000000041E792-mapping.dmp

Download
memory/1172-294-0x00000000003C0000-0x0000000000402000-memory.dmp

Filesize
264KB

Download
memory/1200-136-0x0000000000000000-mapping.dmp

Download
memory/1212-77-0x0000000000000000-mapping.dmp

Download
memory/1212-78-0x00000000004D0000-0x0000000000512000-memory.dmp

Filesize
264KB

Download
memory/1216-101-0x0000000000000000-mapping.dmp

Download
memory/1216-102-0x0000000000560000-0x00000000005A2000-memory.dmp

Filesize
264KB

Download
memory/1376-368-0x00000000004B0000-0x00000000004F2000-memory.dmp

Filesize
264KB

Download
memory/1376-65-0x000000000041E792-mapping.dmp

Download
memory/1384-403-0x00000000003B0000-0x00000000003F2000-memory.dmp

Filesize
264KB

Download
memory/1476-86-0x000000000041E792-mapping.dmp

Download
memory/1516-132-0x0000000000410000-0x0000000000452000-memory.dmp

Filesize
264KB

Download
memory/1516-131-0x0000000000000000-mapping.dmp

Download
memory/1580-141-0x0000000000940000-0x0000000000982000-memory.dmp

Filesize
264KB

Download
memory/1580-140-0x0000000000000000-mapping.dmp

Download
memory/1588-114-0x0000000000000000-mapping.dmp

Download
memory/1592-116-0x000000000041E792-mapping.dmp

Download
memory/1616-63-0x0000000000000000-mapping.dmp

Download
memory/1620-213-0x0000000000430000-0x0000000000472000-memory.dmp

Filesize
264KB

Download
memory/1668-150-0x0000000000000000-mapping.dmp

Download
memory/1672-84-0x0000000000000000-mapping.dmp

Download
memory/1684-143-0x000000000041E792-mapping.dmp

Download
memory/1692-104-0x000000000041E792-mapping.dmp

Download
memory/1748-71-0x000000000041E792-mapping.dmp

Download
memory/1848-67-0x0000000000000000-mapping.dmp

Download
memory/1852-95-0x000000000041E792-mapping.dmp

Download
memory/1916-148-0x000000000041E792-mapping.dmp

Download
memory/1928-110-0x0000000000000000-mapping.dmp

Download
memory/1948-365-0x00000000003D0000-0x0000000000412000-memory.dmp

Filesize
264KB

Download
memory/1952-400-0x00000000005C0000-0x0000000000602000-memory.dmp

Filesize
264KB

Download
memory/1988-93-0x0000000000000000-mapping.dmp

Download
memory/2000-58-0x00000000005A0000-0x00000000005A3000-memory.dmp

Filesize
12KB

Download
memory/2000-54-0x0000000000D60000-0x0000000000DAA000-memory.dmp

Filesize
296KB

Download
memory/2000-55-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2000-56-0x0000000000550000-0x0000000000592000-memory.dmp

Filesize
264KB

Download
memory/2000-57-0x0000000075221000-0x0000000075223000-memory.dmp

Filesize
8KB

Download
memory/2000-59-0x00000000005B0000-0x00000000005B3000-memory.dmp

Filesize
12KB

Download
memory/2008-62-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2008-60-0x000000000041E792-mapping.dmp

Download
memory/2008-76-0x00000000003F0000-0x00000000003FA000-memory.dmp

Filesize
40KB

Download
memory/2008-82-0x0000000000500000-0x000000000051E000-memory.dmp

Filesize
120KB

Download
memory/2008-83-0x00000000004E0000-0x00000000004EA000-memory.dmp

Filesize
40KB

Download
memory/2008-90-0x0000000005245000-0x0000000005256000-memory.dmp

Filesize
68KB

Download
memory/2044-355-0x0000000000450000-0x0000000000492000-memory.dmp

Filesize
264KB

Download
memory/2056-156-0x000000000041E792-mapping.dmp

Download
memory/2072-202-0x0000000000000000-mapping.dmp

Download
memory/2112-158-0x0000000000000000-mapping.dmp

Download
memory/2184-160-0x000000000041E792-mapping.dmp

Download
memory/2236-163-0x00000000003C0000-0x0000000000402000-memory.dmp

Filesize
264KB

Download
memory/2236-162-0x0000000000000000-mapping.dmp

Download
memory/2292-165-0x000000000041E792-mapping.dmp

Download
memory/2312-252-0x0000000000450000-0x0000000000492000-memory.dmp

Filesize
264KB

Download
memory/2336-167-0x0000000000000000-mapping.dmp

Download
memory/2356-412-0x0000000000720000-0x0000000000762000-memory.dmp

Filesize
264KB

Download
memory/2360-358-0x0000000000370000-0x00000000003B2000-memory.dmp

Filesize
264KB

Download
memory/2368-236-0x00000000005D0000-0x0000000000612000-memory.dmp

Filesize
264KB

Download
memory/2384-169-0x000000000041E792-mapping.dmp

Download
memory/2432-171-0x0000000000000000-mapping.dmp

Download
memory/2432-172-0x0000000000490000-0x00000000004D2000-memory.dmp

Filesize
264KB

Download
memory/2484-174-0x000000000041E792-mapping.dmp

Download
memory/2528-285-0x00000000004A0000-0x00000000004E2000-memory.dmp

Filesize
264KB

Download
memory/2540-176-0x0000000000000000-mapping.dmp

Download
memory/2540-177-0x00000000001E0000-0x0000000000222000-memory.dmp

Filesize
264KB

Download
memory/2548-374-0x00000000002F0000-0x0000000000332000-memory.dmp

Filesize
264KB

Download
memory/2560-377-0x0000000000430000-0x0000000000472000-memory.dmp

Filesize
264KB

Download
memory/2592-179-0x000000000041E792-mapping.dmp

Download
memory/2612-371-0x0000000000650000-0x0000000000692000-memory.dmp

Filesize
264KB

Download
memory/2640-181-0x0000000000000000-mapping.dmp

Download
memory/2648-335-0x0000000000260000-0x00000000002A2000-memory.dmp

Filesize
264KB

Download
memory/2664-380-0x0000000000270000-0x00000000002B2000-memory.dmp

Filesize
264KB

Download
memory/2672-241-0x0000000000610000-0x0000000000652000-memory.dmp

Filesize
264KB

Download
memory/2688-183-0x000000000041E792-mapping.dmp

Download
memory/2736-186-0x00000000002D0000-0x0000000000312000-memory.dmp

Filesize
264KB

Download
memory/2736-185-0x0000000000000000-mapping.dmp

Download
memory/2772-188-0x000000000041E792-mapping.dmp

Download
memory/2840-190-0x0000000000000000-mapping.dmp

Download
memory/2852-415-0x00000000003A0000-0x00000000003E2000-memory.dmp

Filesize
264KB

Download
memory/2872-192-0x000000000041E792-mapping.dmp

Download
memory/2876-265-0x00000000005D0000-0x0000000000612000-memory.dmp

Filesize
264KB

Download
memory/2912-246-0x00000000006B0000-0x00000000006F2000-memory.dmp

Filesize
264KB

Download
memory/2936-194-0x0000000000000000-mapping.dmp

Download
memory/2968-196-0x000000000041E792-mapping.dmp

Download
memory/3004-249-0x0000000000310000-0x0000000000352000-memory.dmp

Filesize
264KB

Download
memory/3032-198-0x0000000000000000-mapping.dmp

Download
memory/3044-229-0x00000000003B0000-0x00000000003F2000-memory.dmp

Filesize
264KB

Download
memory/3044-228-0x00000000002E0000-0x0000000000322000-memory.dmp

Filesize
264KB

Download
memory/3048-307-0x0000000000420000-0x0000000000462000-memory.dmp

Filesize
264KB

Download
memory/3064-200-0x000000000041E792-mapping.dmp

Download