nanocore | d07d9907fc362026b64487d94fce8bf9ca89ed9623f2cb41f1593694ac76a4e4

General

Target

IMG74693969444.exe
Size

266KB
MD5

5e90e2d465e0f2a3f2495ef59c4b53d1
SHA1

f53591409c538d7e4f5b45f42d014d42ad003ad0
SHA256

e33ef485c574d639eae34cd252d97aa78c17718190c98a92f7b6dc5a5fc0cd69
SHA512

06290efbdb947376db922adc45454ebf048ba9fb217e3ef7b30c6a7dbdf4beec32d0aacdc65c0981930b6c3ec1a4d542f05eb371ff99ca3e28525ad5c47a2e8f

Score

10^/10

nanocore evasion keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

185.244.30.10:3310

Mutex

e2ebb08f-ebf7-4c0f-84d8-7041f8508ec8

Attributes

activate_away_mode
true
backup_connection_host
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2020-05-04T22:26:08.567797536Z
bypass_user_account_control
false
bypass_user_account_control_data
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
3310
default_group
Default
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
e2ebb08f-ebf7-4c0f-84d8-7041f8508ec8
mutex_timeout
5000
prevent_system_sleep
true
primary_connection_host
185.244.30.10
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

IMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	IMG74693969444.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	IMG74693969444.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	IMG74693969444.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	IMG74693969444.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	IMG74693969444.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	IMG74693969444.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	IMG74693969444.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	IMG74693969444.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	IMG74693969444.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	IMG74693969444.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	IMG74693969444.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	IMG74693969444.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	IMG74693969444.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	IMG74693969444.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	IMG74693969444.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	IMG74693969444.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	IMG74693969444.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	IMG74693969444.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	IMG74693969444.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	IMG74693969444.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	IMG74693969444.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	IMG74693969444.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	IMG74693969444.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	IMG74693969444.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	IMG74693969444.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	IMG74693969444.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	IMG74693969444.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	IMG74693969444.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	IMG74693969444.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	IMG74693969444.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	IMG74693969444.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	IMG74693969444.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	IMG74693969444.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	IMG74693969444.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	IMG74693969444.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	IMG74693969444.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	IMG74693969444.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	IMG74693969444.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	IMG74693969444.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	IMG74693969444.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	IMG74693969444.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	IMG74693969444.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	IMG74693969444.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	IMG74693969444.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	IMG74693969444.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	IMG74693969444.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	IMG74693969444.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	IMG74693969444.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	IMG74693969444.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	IMG74693969444.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	IMG74693969444.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	IMG74693969444.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	IMG74693969444.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	IMG74693969444.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	IMG74693969444.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	IMG74693969444.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	IMG74693969444.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	IMG74693969444.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	IMG74693969444.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	IMG74693969444.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	IMG74693969444.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	IMG74693969444.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	IMG74693969444.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	IMG74693969444.exe

Drops startup file 2 IoCs

Processes:

IMG74693969444.exeIMG74693969444.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HJdyTuap.exe	IMG74693969444.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HJdyTuap.exe	IMG74693969444.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

RegAsm.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WPA Service = "C:\\Program Files (x86)\\WPA Service\\wpasv.exe"	RegAsm.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

RegAsm.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA RegAsm.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RegAsm.exe

Suspicious use of SetThreadContext 64 IoCs

Processes:

IMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exe

description	pid	process	target process
PID 880 set thread context of 8	880	IMG74693969444.exe	RegAsm.exe
PID 4876 set thread context of 1812	4876	IMG74693969444.exe	RegAsm.exe
PID 3012 set thread context of 2792	3012	IMG74693969444.exe	RegAsm.exe
PID 3828 set thread context of 2244	3828	IMG74693969444.exe	RegAsm.exe
PID 2368 set thread context of 3900	2368	IMG74693969444.exe	RegAsm.exe
PID 3100 set thread context of 1952	3100	IMG74693969444.exe	RegAsm.exe
PID 3972 set thread context of 2668	3972	IMG74693969444.exe	RegAsm.exe
PID 2924 set thread context of 4748	2924	IMG74693969444.exe	RegAsm.exe
PID 3716 set thread context of 3956	3716	IMG74693969444.exe	RegAsm.exe
PID 3600 set thread context of 3804	3600	IMG74693969444.exe	RegAsm.exe
PID 2264 set thread context of 2452	2264	IMG74693969444.exe	RegAsm.exe
PID 3812 set thread context of 2356	3812	IMG74693969444.exe	RegAsm.exe
PID 404 set thread context of 3868	404	IMG74693969444.exe	RegAsm.exe
PID 3980 set thread context of 2440	3980	IMG74693969444.exe	RegAsm.exe
PID 3548 set thread context of 3416	3548	IMG74693969444.exe	RegAsm.exe
PID 1156 set thread context of 2120	1156	IMG74693969444.exe	RegAsm.exe
PID 3164 set thread context of 1896	3164	IMG74693969444.exe	RegAsm.exe
PID 3828 set thread context of 1584	3828	IMG74693969444.exe	RegAsm.exe
PID 2368 set thread context of 2724	2368	IMG74693969444.exe	RegAsm.exe
PID 4512 set thread context of 2328	4512	IMG74693969444.exe	RegAsm.exe
PID 444 set thread context of 4544	444	IMG74693969444.exe	RegAsm.exe
PID 2684 set thread context of 2592	2684	IMG74693969444.exe	RegAsm.exe
PID 5028 set thread context of 3860	5028	IMG74693969444.exe	RegAsm.exe
PID 4328 set thread context of 1912	4328	IMG74693969444.exe	RegAsm.exe
PID 4988 set thread context of 3112	4988	IMG74693969444.exe	RegAsm.exe
PID 2308 set thread context of 4144	2308	IMG74693969444.exe	RegAsm.exe
PID 1224 set thread context of 4480	1224	IMG74693969444.exe	RegAsm.exe
PID 2616 set thread context of 1592	2616	IMG74693969444.exe	RegAsm.exe
PID 1860 set thread context of 4868	1860	IMG74693969444.exe	RegAsm.exe
PID 1984 set thread context of 2300	1984	IMG74693969444.exe	RegAsm.exe
PID 2260 set thread context of 2364	2260	IMG74693969444.exe	RegAsm.exe
PID 2352 set thread context of 2604	2352	IMG74693969444.exe	RegAsm.exe
PID 3488 set thread context of 2652	3488	IMG74693969444.exe	RegAsm.exe
PID 3008 set thread context of 2792	3008	IMG74693969444.exe	RegAsm.exe
PID 4756 set thread context of 2244	4756	IMG74693969444.exe	RegAsm.exe
PID 1760 set thread context of 4420	1760	IMG74693969444.exe	RegAsm.exe
PID 4356 set thread context of 4792	4356	IMG74693969444.exe	RegAsm.exe
PID 1204 set thread context of 1416	1204	IMG74693969444.exe	RegAsm.exe
PID 2096 set thread context of 2136	2096	IMG74693969444.exe	RegAsm.exe
PID 3044 set thread context of 4964	3044	IMG74693969444.exe	RegAsm.exe
PID 4484 set thread context of 2160	4484	IMG74693969444.exe	RegAsm.exe
PID 1224 set thread context of 1256	1224	IMG74693969444.exe	RegAsm.exe
PID 1688 set thread context of 4668	1688	IMG74693969444.exe	RegAsm.exe
PID 748 set thread context of 1208	748	IMG74693969444.exe	RegAsm.exe
PID 1984 set thread context of 5068	1984	IMG74693969444.exe	RegAsm.exe
PID 4880 set thread context of 4340	4880	IMG74693969444.exe	RegAsm.exe
PID 1360 set thread context of 3948	1360	IMG74693969444.exe	RegAsm.exe
PID 3256 set thread context of 2860	3256	IMG74693969444.exe	RegAsm.exe
PID 2544 set thread context of 1592	2544	IMG74693969444.exe	RegAsm.exe
PID 3628 set thread context of 4744	3628	IMG74693969444.exe	RegAsm.exe
PID 4008 set thread context of 4208	4008	IMG74693969444.exe	RegAsm.exe
PID 3088 set thread context of 3380	3088	IMG74693969444.exe	RegAsm.exe
PID 4004 set thread context of 1516	4004	IMG74693969444.exe	RegAsm.exe
PID 1988 set thread context of 2724	1988	IMG74693969444.exe	RegAsm.exe
PID 3364 set thread context of 1332	3364	IMG74693969444.exe	RegAsm.exe
PID 4592 set thread context of 3884	4592	IMG74693969444.exe	RegAsm.exe
PID 4848 set thread context of 4016	4848	IMG74693969444.exe	RegAsm.exe
PID 3772 set thread context of 3260	3772	IMG74693969444.exe	RegAsm.exe
PID 2676 set thread context of 3708	2676	IMG74693969444.exe	RegAsm.exe
PID 748 set thread context of 2668	748	IMG74693969444.exe	RegAsm.exe
PID 1412 set thread context of 4540	1412	IMG74693969444.exe	RegAsm.exe
PID 1552 set thread context of 1940	1552	IMG74693969444.exe	RegAsm.exe
PID 5088 set thread context of 3716	5088	IMG74693969444.exe	RegAsm.exe
PID 4680 set thread context of 3800	4680	IMG74693969444.exe	RegAsm.exe

Drops file in Program Files directory 2 IoCs

Processes:

RegAsm.exe

description	ioc	process
File created	C:\Program Files (x86)\WPA Service\wpasv.exe	RegAsm.exe
File opened for modification	C:\Program Files (x86)\WPA Service\wpasv.exe	RegAsm.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

3620 schtasks.exe
4512 schtasks.exe

pid	process
3620	schtasks.exe
4512	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

IMG74693969444.exe

pid	process
880	IMG74693969444.exe
880	IMG74693969444.exe
880	IMG74693969444.exe
880	IMG74693969444.exe
880	IMG74693969444.exe
880	IMG74693969444.exe
880	IMG74693969444.exe
880	IMG74693969444.exe
880	IMG74693969444.exe
880	IMG74693969444.exe
880	IMG74693969444.exe
880	IMG74693969444.exe
880	IMG74693969444.exe
880	IMG74693969444.exe
880	IMG74693969444.exe
880	IMG74693969444.exe
880	IMG74693969444.exe
880	IMG74693969444.exe
880	IMG74693969444.exe
880	IMG74693969444.exe
880	IMG74693969444.exe
880	IMG74693969444.exe
880	IMG74693969444.exe
880	IMG74693969444.exe
880	IMG74693969444.exe
880	IMG74693969444.exe
880	IMG74693969444.exe
880	IMG74693969444.exe
880	IMG74693969444.exe
880	IMG74693969444.exe
880	IMG74693969444.exe
880	IMG74693969444.exe
880	IMG74693969444.exe
880	IMG74693969444.exe
880	IMG74693969444.exe
880	IMG74693969444.exe
880	IMG74693969444.exe
880	IMG74693969444.exe
880	IMG74693969444.exe
880	IMG74693969444.exe
880	IMG74693969444.exe
880	IMG74693969444.exe
880	IMG74693969444.exe
880	IMG74693969444.exe
880	IMG74693969444.exe
880	IMG74693969444.exe
880	IMG74693969444.exe
880	IMG74693969444.exe
880	IMG74693969444.exe
880	IMG74693969444.exe
880	IMG74693969444.exe
880	IMG74693969444.exe
880	IMG74693969444.exe
880	IMG74693969444.exe
880	IMG74693969444.exe
880	IMG74693969444.exe
880	IMG74693969444.exe
880	IMG74693969444.exe
880	IMG74693969444.exe
880	IMG74693969444.exe
880	IMG74693969444.exe
880	IMG74693969444.exe
880	IMG74693969444.exe
880	IMG74693969444.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

RegAsm.exe

pid process

8 RegAsm.exe

pid	process
8	RegAsm.exe

Suspicious behavior: MapViewOfSection 64 IoCs

Processes:

IMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exe

pid	process
880	IMG74693969444.exe
880	IMG74693969444.exe
880	IMG74693969444.exe
4876	IMG74693969444.exe
3012	IMG74693969444.exe
3828	IMG74693969444.exe
2368	IMG74693969444.exe
3100	IMG74693969444.exe
3972	IMG74693969444.exe
3972	IMG74693969444.exe
3972	IMG74693969444.exe
3972	IMG74693969444.exe
3972	IMG74693969444.exe
3972	IMG74693969444.exe
2924	IMG74693969444.exe
2924	IMG74693969444.exe
3716	IMG74693969444.exe
3600	IMG74693969444.exe
2264	IMG74693969444.exe
2264	IMG74693969444.exe
3812	IMG74693969444.exe
404	IMG74693969444.exe
3980	IMG74693969444.exe
3548	IMG74693969444.exe
3548	IMG74693969444.exe
1156	IMG74693969444.exe
3164	IMG74693969444.exe
3828	IMG74693969444.exe
2368	IMG74693969444.exe
4512	IMG74693969444.exe
444	IMG74693969444.exe
444	IMG74693969444.exe
2684	IMG74693969444.exe
5028	IMG74693969444.exe
5028	IMG74693969444.exe
4328	IMG74693969444.exe
4988	IMG74693969444.exe
4988	IMG74693969444.exe
2308	IMG74693969444.exe
1224	IMG74693969444.exe
2616	IMG74693969444.exe
1860	IMG74693969444.exe
1984	IMG74693969444.exe
2260	IMG74693969444.exe
2352	IMG74693969444.exe
3488	IMG74693969444.exe
3008	IMG74693969444.exe
4756	IMG74693969444.exe
1760	IMG74693969444.exe
4356	IMG74693969444.exe
4356	IMG74693969444.exe
1204	IMG74693969444.exe
1204	IMG74693969444.exe
2096	IMG74693969444.exe
3044	IMG74693969444.exe
3044	IMG74693969444.exe
4484	IMG74693969444.exe
4484	IMG74693969444.exe
4484	IMG74693969444.exe
4484	IMG74693969444.exe
1224	IMG74693969444.exe
1224	IMG74693969444.exe
1688	IMG74693969444.exe
748	IMG74693969444.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

IMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeRegAsm.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exe

description	pid	process
Token: SeDebugPrivilege	880	IMG74693969444.exe
Token: SeDebugPrivilege	4876	IMG74693969444.exe
Token: SeDebugPrivilege	3012	IMG74693969444.exe
Token: SeDebugPrivilege	3828	IMG74693969444.exe
Token: SeDebugPrivilege	2368	IMG74693969444.exe
Token: SeDebugPrivilege	3100	IMG74693969444.exe
Token: SeDebugPrivilege	3972	IMG74693969444.exe
Token: SeDebugPrivilege	2924	IMG74693969444.exe
Token: SeDebugPrivilege	8	RegAsm.exe
Token: SeDebugPrivilege	3716	IMG74693969444.exe
Token: SeDebugPrivilege	3600	IMG74693969444.exe
Token: SeDebugPrivilege	2264	IMG74693969444.exe
Token: SeDebugPrivilege	3812	IMG74693969444.exe
Token: SeDebugPrivilege	404	IMG74693969444.exe
Token: SeDebugPrivilege	3980	IMG74693969444.exe
Token: SeDebugPrivilege	3548	IMG74693969444.exe
Token: SeDebugPrivilege	1156	IMG74693969444.exe
Token: SeDebugPrivilege	3164	IMG74693969444.exe
Token: SeDebugPrivilege	3828	IMG74693969444.exe
Token: SeDebugPrivilege	2368	IMG74693969444.exe
Token: SeDebugPrivilege	4512	IMG74693969444.exe
Token: SeDebugPrivilege	444	IMG74693969444.exe
Token: SeDebugPrivilege	2684	IMG74693969444.exe
Token: SeDebugPrivilege	5028	IMG74693969444.exe
Token: SeDebugPrivilege	4328	IMG74693969444.exe
Token: SeDebugPrivilege	4988	IMG74693969444.exe
Token: SeDebugPrivilege	2308	IMG74693969444.exe
Token: SeDebugPrivilege	1224	IMG74693969444.exe
Token: SeDebugPrivilege	2616	IMG74693969444.exe
Token: SeDebugPrivilege	1860	IMG74693969444.exe
Token: SeDebugPrivilege	1984	IMG74693969444.exe
Token: SeDebugPrivilege	2260	IMG74693969444.exe
Token: SeDebugPrivilege	2352	IMG74693969444.exe
Token: SeDebugPrivilege	3488	IMG74693969444.exe
Token: SeDebugPrivilege	3008	IMG74693969444.exe
Token: SeDebugPrivilege	4756	IMG74693969444.exe
Token: SeDebugPrivilege	1760	IMG74693969444.exe
Token: SeDebugPrivilege	4356	IMG74693969444.exe
Token: SeDebugPrivilege	1204	IMG74693969444.exe
Token: SeDebugPrivilege	2096	IMG74693969444.exe
Token: SeDebugPrivilege	3044	IMG74693969444.exe
Token: SeDebugPrivilege	4484	IMG74693969444.exe
Token: SeDebugPrivilege	1224	IMG74693969444.exe
Token: SeDebugPrivilege	1688	IMG74693969444.exe
Token: SeDebugPrivilege	748	IMG74693969444.exe
Token: SeDebugPrivilege	1984	IMG74693969444.exe
Token: SeDebugPrivilege	4880	IMG74693969444.exe
Token: SeDebugPrivilege	1360	IMG74693969444.exe
Token: SeDebugPrivilege	3256	IMG74693969444.exe
Token: SeDebugPrivilege	2544	IMG74693969444.exe
Token: SeDebugPrivilege	3628	IMG74693969444.exe
Token: SeDebugPrivilege	4008	IMG74693969444.exe
Token: SeDebugPrivilege	3088	IMG74693969444.exe
Token: SeDebugPrivilege	4004	IMG74693969444.exe
Token: SeDebugPrivilege	1988	IMG74693969444.exe
Token: SeDebugPrivilege	3364	IMG74693969444.exe
Token: SeDebugPrivilege	4592	IMG74693969444.exe
Token: SeDebugPrivilege	4848	IMG74693969444.exe
Token: SeDebugPrivilege	3772	IMG74693969444.exe
Token: SeDebugPrivilege	2676	IMG74693969444.exe
Token: SeDebugPrivilege	748	IMG74693969444.exe
Token: SeDebugPrivilege	1412	IMG74693969444.exe
Token: SeDebugPrivilege	1552	IMG74693969444.exe
Token: SeDebugPrivilege	5088	IMG74693969444.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

IMG74693969444.exeIMG74693969444.exeRegAsm.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exeIMG74693969444.exe

description	pid	process	target process
PID 880 wrote to memory of 5032	880	IMG74693969444.exe	RegAsm.exe
PID 880 wrote to memory of 5032	880	IMG74693969444.exe	RegAsm.exe
PID 880 wrote to memory of 5032	880	IMG74693969444.exe	RegAsm.exe
PID 880 wrote to memory of 2732	880	IMG74693969444.exe	RegAsm.exe
PID 880 wrote to memory of 2732	880	IMG74693969444.exe	RegAsm.exe
PID 880 wrote to memory of 2732	880	IMG74693969444.exe	RegAsm.exe
PID 880 wrote to memory of 8	880	IMG74693969444.exe	RegAsm.exe
PID 880 wrote to memory of 8	880	IMG74693969444.exe	RegAsm.exe
PID 880 wrote to memory of 8	880	IMG74693969444.exe	RegAsm.exe
PID 880 wrote to memory of 8	880	IMG74693969444.exe	RegAsm.exe
PID 880 wrote to memory of 4876	880	IMG74693969444.exe	IMG74693969444.exe
PID 880 wrote to memory of 4876	880	IMG74693969444.exe	IMG74693969444.exe
PID 880 wrote to memory of 4876	880	IMG74693969444.exe	IMG74693969444.exe
PID 4876 wrote to memory of 1812	4876	IMG74693969444.exe	RegAsm.exe
PID 4876 wrote to memory of 1812	4876	IMG74693969444.exe	RegAsm.exe
PID 4876 wrote to memory of 1812	4876	IMG74693969444.exe	RegAsm.exe
PID 4876 wrote to memory of 1812	4876	IMG74693969444.exe	RegAsm.exe
PID 4876 wrote to memory of 3012	4876	IMG74693969444.exe	IMG74693969444.exe
PID 4876 wrote to memory of 3012	4876	IMG74693969444.exe	IMG74693969444.exe
PID 4876 wrote to memory of 3012	4876	IMG74693969444.exe	IMG74693969444.exe
PID 8 wrote to memory of 3620	8	RegAsm.exe	schtasks.exe
PID 8 wrote to memory of 3620	8	RegAsm.exe	schtasks.exe
PID 8 wrote to memory of 3620	8	RegAsm.exe	schtasks.exe
PID 3012 wrote to memory of 2792	3012	IMG74693969444.exe	RegAsm.exe
PID 3012 wrote to memory of 2792	3012	IMG74693969444.exe	RegAsm.exe
PID 3012 wrote to memory of 2792	3012	IMG74693969444.exe	RegAsm.exe
PID 3012 wrote to memory of 2792	3012	IMG74693969444.exe	RegAsm.exe
PID 3012 wrote to memory of 3828	3012	IMG74693969444.exe	IMG74693969444.exe
PID 3012 wrote to memory of 3828	3012	IMG74693969444.exe	IMG74693969444.exe
PID 3012 wrote to memory of 3828	3012	IMG74693969444.exe	IMG74693969444.exe
PID 3828 wrote to memory of 2244	3828	IMG74693969444.exe	RegAsm.exe
PID 3828 wrote to memory of 2244	3828	IMG74693969444.exe	RegAsm.exe
PID 3828 wrote to memory of 2244	3828	IMG74693969444.exe	RegAsm.exe
PID 3828 wrote to memory of 2244	3828	IMG74693969444.exe	RegAsm.exe
PID 3828 wrote to memory of 2368	3828	IMG74693969444.exe	IMG74693969444.exe
PID 3828 wrote to memory of 2368	3828	IMG74693969444.exe	IMG74693969444.exe
PID 3828 wrote to memory of 2368	3828	IMG74693969444.exe	IMG74693969444.exe
PID 2368 wrote to memory of 3900	2368	IMG74693969444.exe	RegAsm.exe
PID 2368 wrote to memory of 3900	2368	IMG74693969444.exe	RegAsm.exe
PID 2368 wrote to memory of 3900	2368	IMG74693969444.exe	RegAsm.exe
PID 2368 wrote to memory of 3900	2368	IMG74693969444.exe	RegAsm.exe
PID 2368 wrote to memory of 3100	2368	IMG74693969444.exe	IMG74693969444.exe
PID 2368 wrote to memory of 3100	2368	IMG74693969444.exe	IMG74693969444.exe
PID 2368 wrote to memory of 3100	2368	IMG74693969444.exe	IMG74693969444.exe
PID 3100 wrote to memory of 1952	3100	IMG74693969444.exe	RegAsm.exe
PID 3100 wrote to memory of 1952	3100	IMG74693969444.exe	RegAsm.exe
PID 3100 wrote to memory of 1952	3100	IMG74693969444.exe	RegAsm.exe
PID 3100 wrote to memory of 1952	3100	IMG74693969444.exe	RegAsm.exe
PID 3100 wrote to memory of 3972	3100	IMG74693969444.exe	IMG74693969444.exe
PID 3100 wrote to memory of 3972	3100	IMG74693969444.exe	IMG74693969444.exe
PID 3100 wrote to memory of 3972	3100	IMG74693969444.exe	IMG74693969444.exe
PID 3972 wrote to memory of 3876	3972	IMG74693969444.exe	RegAsm.exe
PID 3972 wrote to memory of 3876	3972	IMG74693969444.exe	RegAsm.exe
PID 3972 wrote to memory of 3876	3972	IMG74693969444.exe	RegAsm.exe
PID 3972 wrote to memory of 372	3972	IMG74693969444.exe	RegAsm.exe
PID 3972 wrote to memory of 372	3972	IMG74693969444.exe	RegAsm.exe
PID 3972 wrote to memory of 372	3972	IMG74693969444.exe	RegAsm.exe
PID 3972 wrote to memory of 992	3972	IMG74693969444.exe	RegAsm.exe
PID 3972 wrote to memory of 992	3972	IMG74693969444.exe	RegAsm.exe
PID 3972 wrote to memory of 992	3972	IMG74693969444.exe	RegAsm.exe
PID 3972 wrote to memory of 2260	3972	IMG74693969444.exe	RegAsm.exe
PID 3972 wrote to memory of 2260	3972	IMG74693969444.exe	RegAsm.exe
PID 3972 wrote to memory of 2260	3972	IMG74693969444.exe	RegAsm.exe
PID 3972 wrote to memory of 2300	3972	IMG74693969444.exe	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:880

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
PID:5032

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
PID:2732

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:8

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "WPA Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmp5EE9.tmp"
3⤵
- Creates scheduled task(s)
PID:3620

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "WPA Service Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp6FA3.tmp"
3⤵
- Creates scheduled task(s)
PID:4512

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
2⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4876

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:1812

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3012

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
PID:2792

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
4⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3828

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
5⤵
PID:2244

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
5⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2368

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
6⤵
PID:3900

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
6⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3100

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
7⤵
PID:1952

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
7⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3972

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
8⤵
PID:3876

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
8⤵
PID:372

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
8⤵
PID:992

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
8⤵
PID:2260

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
8⤵
PID:2300

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
8⤵
PID:2668

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
8⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2924

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
9⤵
PID:2632

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
9⤵
PID:4748

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
9⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3716

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
10⤵
PID:3956

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
10⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3600

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
11⤵
PID:3804

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
11⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2264

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
12⤵
PID:3784

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
12⤵
PID:2452

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
12⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3812

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
13⤵
PID:2356

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
13⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:404

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
14⤵
PID:3868

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
14⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3980

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
15⤵
PID:2440

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
15⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3548

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
16⤵
PID:3388

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
16⤵
PID:3416

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
16⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1156

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
17⤵
PID:2120

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
17⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3164

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
18⤵
PID:1896

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
18⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3828

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
19⤵
PID:1584

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
19⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2368

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
20⤵
PID:2724

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
20⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4512

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
21⤵
PID:2328

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
21⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:444

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
22⤵
PID:3124

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
22⤵
PID:4544

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
22⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2684

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
23⤵
PID:2592

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
23⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:5028

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
24⤵
PID:1580

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
24⤵
PID:3860

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
24⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4328

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
25⤵
PID:1912

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
25⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4988

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
26⤵
PID:2992

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
26⤵
PID:3112

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
26⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2308

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
27⤵
PID:4144

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
27⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1224

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
28⤵
PID:4480

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
28⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2616

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
29⤵
PID:1592

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
29⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1860

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
30⤵
PID:4868

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
30⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1984

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
31⤵
PID:2300

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
31⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2260

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
32⤵
PID:2364

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
32⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2352

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
33⤵
PID:2604

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
33⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3488

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
34⤵
PID:2652

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
34⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3008

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
35⤵
PID:2792

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
35⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4756

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
36⤵
PID:2244

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
36⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1760

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
37⤵
PID:4420

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
37⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4356

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
38⤵
PID:4792

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
38⤵
PID:1116

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
38⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1204

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
39⤵
PID:1712

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
39⤵
PID:1416

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
39⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2096

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
40⤵
PID:2136

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
40⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3044

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
41⤵
PID:4492

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
41⤵
PID:4964

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
41⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4484

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
42⤵
PID:3676

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
42⤵
PID:4224

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
42⤵
PID:3804

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
42⤵
PID:2160

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
42⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1224

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
43⤵
PID:2452

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
43⤵
PID:1256

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
43⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1688

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
44⤵
PID:4668

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
44⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:748

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
45⤵
PID:3600

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
45⤵
PID:1208

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
45⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1984

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
46⤵
PID:1524

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
46⤵
PID:4532

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
46⤵
PID:1912

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
46⤵
PID:5068

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
46⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:4880

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
47⤵
PID:3084

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
47⤵
PID:4340

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
47⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1360

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
48⤵
PID:3948

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
48⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:3256

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
49⤵
PID:1016

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
49⤵
PID:2860

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
49⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2544

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
50⤵
PID:1592

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
50⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:3628

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
51⤵
PID:4744

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
51⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:4008

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
52⤵
PID:4208

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
52⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:3088

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
53⤵
PID:3380

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
53⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:4004

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
54⤵
PID:1516

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
54⤵
PID:1204

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
54⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1988

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
55⤵
PID:2724

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
55⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:3364

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
56⤵
PID:4276

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
56⤵
PID:1332

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
56⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:4592

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
57⤵
PID:3884

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
57⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:4848

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
58⤵
PID:4016

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
58⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:3772

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
59⤵
PID:3260

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
59⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2676

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
60⤵
PID:3708

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
60⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:748

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
61⤵
PID:2668

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
61⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1412

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
62⤵
PID:1240

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
62⤵
PID:4540

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
62⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1552

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
63⤵
PID:1940

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
63⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:5088

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
64⤵
PID:3716

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
64⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
PID:4680

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
65⤵
PID:3800

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
65⤵
PID:2240

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
66⤵
PID:1056

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
66⤵
- Checks computer location settings
PID:1116

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
67⤵
PID:2356

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
67⤵
PID:4288

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
68⤵
PID:1328

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
68⤵
PID:3276

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
68⤵
PID:3460

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
69⤵
PID:2832

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
69⤵
- Checks computer location settings
PID:2652

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
70⤵
PID:4832

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
70⤵
PID:5020

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
70⤵
PID:4204

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
71⤵
PID:2584

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
71⤵
- Checks computer location settings
PID:4596

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
72⤵
PID:5072

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
72⤵
PID:372

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
73⤵
PID:2528

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
73⤵
PID:3684

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
73⤵
PID:2656

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
74⤵
PID:3744

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
74⤵
- Checks computer location settings
PID:1252

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
75⤵
PID:1416

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
75⤵
PID:3612

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
76⤵
PID:3084

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
76⤵
PID:376

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
76⤵
PID:2724

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
77⤵
PID:520

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
77⤵
PID:1332

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
78⤵
PID:404

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
78⤵
PID:3884

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
79⤵
PID:1644

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
79⤵
- Checks computer location settings
PID:4016

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
80⤵
PID:2264

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
80⤵
PID:1148

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
80⤵
- Checks computer location settings
PID:1580

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
81⤵
PID:4284

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
81⤵
- Checks computer location settings
PID:1068

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
82⤵
PID:4900

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
82⤵
- Checks computer location settings
PID:4968

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
83⤵
PID:4008

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
83⤵
- Checks computer location settings
PID:2532

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
84⤵
PID:4844

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
84⤵
- Checks computer location settings
PID:2580

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
85⤵
PID:4040

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
85⤵
- Checks computer location settings
PID:2164

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
86⤵
PID:1956

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
86⤵
PID:1224

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
87⤵
PID:3944

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
87⤵
PID:4592

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
88⤵
PID:4996

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
88⤵
PID:3984

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
89⤵
PID:5004

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
89⤵
PID:3772

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
90⤵
PID:396

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
90⤵
PID:2732

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
90⤵
PID:1584

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
91⤵
PID:1252

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
91⤵
PID:1516

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
92⤵
PID:2096

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
92⤵
PID:3784

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
93⤵
PID:4796

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
93⤵
- Checks computer location settings
PID:4928

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
94⤵
PID:3956

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
94⤵
PID:2180

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
95⤵
PID:4544

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
95⤵
PID:972

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
95⤵
PID:3684

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
96⤵
PID:2544

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
96⤵
PID:3744

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
97⤵
PID:4344

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
97⤵
PID:1416

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
98⤵
PID:2860

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
98⤵
PID:2228

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
99⤵
PID:4276

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
99⤵
PID:4832

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
100⤵
PID:4248

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
100⤵
PID:4004

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
100⤵
PID:2324

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
100⤵
- Checks computer location settings
PID:4308

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
101⤵
PID:2436

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
101⤵
PID:2164

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
102⤵
PID:4456

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
102⤵
PID:3432

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
102⤵
PID:4776

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
103⤵
PID:3976

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
103⤵
PID:4756

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
103⤵
PID:4476

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
103⤵
PID:3484

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
104⤵
PID:3116

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
104⤵
PID:3044

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
105⤵
PID:1012

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
105⤵
PID:1204

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
105⤵
PID:3748

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
106⤵
PID:4844

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
106⤵
- Checks computer location settings
PID:1876

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
107⤵
PID:2900

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
107⤵
PID:4300

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
108⤵
PID:2100

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
108⤵
- Checks computer location settings
PID:2584

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
109⤵
PID:2528

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
109⤵
PID:4480

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
110⤵
PID:3632

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
110⤵
- Checks computer location settings
PID:4116

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
111⤵
PID:1396

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
111⤵
- Checks computer location settings
PID:3572

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
112⤵
PID:2260

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
112⤵
- Checks computer location settings
PID:3812

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
113⤵
PID:2660

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
113⤵
PID:628

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
114⤵
PID:1904

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
114⤵
- Checks computer location settings
PID:2532

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
115⤵
PID:4288

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
115⤵
PID:3956

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
116⤵
PID:3356

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
116⤵
- Checks computer location settings
PID:972

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
117⤵
PID:4372

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
117⤵
- Checks computer location settings
PID:2544

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
118⤵
PID:4748

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
118⤵
- Checks computer location settings
PID:3804

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
119⤵
PID:4532

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
119⤵
- Checks computer location settings
PID:3900

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
120⤵
PID:4336

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
120⤵
- Checks computer location settings
PID:2860

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
121⤵
PID:396

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
121⤵
PID:2948

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
122⤵
PID:1444

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
122⤵
PID:3084

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
123⤵
PID:2280

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
123⤵
PID:2832

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
124⤵
PID:1860

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
124⤵
- Checks computer location settings
PID:5112

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
125⤵
PID:1192

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
125⤵
PID:1956

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
126⤵
PID:3800

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
126⤵
PID:1056

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
126⤵
- Checks computer location settings
PID:812

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
127⤵
PID:4544

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
127⤵
PID:1688

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
128⤵
PID:3428

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
128⤵
PID:2824

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
129⤵
PID:5044

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
129⤵
PID:864

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
130⤵
PID:4116

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
130⤵
PID:640

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
131⤵
PID:1856

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
131⤵
PID:4492

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
132⤵
PID:3260

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
132⤵
PID:4972

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
133⤵
PID:1760

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
133⤵
- Checks computer location settings
PID:3364

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
134⤵
PID:2364

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
134⤵
PID:3552

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
134⤵
PID:3884

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
135⤵
PID:2504

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
135⤵
PID:1740

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
135⤵
PID:1208

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
136⤵
PID:1316

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
136⤵
PID:2164

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
137⤵
PID:4400

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
137⤵
- Checks computer location settings
PID:5068

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
138⤵
PID:3128

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
138⤵
PID:4788

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
139⤵
PID:3856

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
139⤵
PID:3360

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
139⤵
PID:4468

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
139⤵
- Checks computer location settings
PID:3668

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
140⤵
PID:3528

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
140⤵
- Checks computer location settings
PID:3704

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
141⤵
PID:3044

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
141⤵
- Checks computer location settings
PID:2704

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
142⤵
PID:3748

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
142⤵
PID:4372

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
143⤵
PID:3388

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
143⤵
- Checks computer location settings
PID:4596

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
144⤵
PID:3056

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
144⤵
PID:4480

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
145⤵
PID:5008

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
145⤵
PID:1576

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
146⤵
PID:2980

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
146⤵
PID:3508

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
147⤵
PID:4988

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
147⤵
PID:3892

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
148⤵
PID:3980

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
148⤵
- Checks computer location settings
PID:2228

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
149⤵
PID:2580

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
149⤵
- Checks computer location settings
PID:4832

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
150⤵
PID:3712

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
150⤵
PID:1272

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
150⤵
PID:944

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
151⤵
PID:3864

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
151⤵
PID:3664

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
151⤵
PID:5116

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
152⤵
PID:2028

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
152⤵
PID:3976

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
153⤵
PID:3956

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
153⤵
- Checks computer location settings
PID:3760

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
154⤵
PID:992

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
154⤵
PID:4804

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
155⤵
PID:2332

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
155⤵
PID:452

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
155⤵
PID:2240

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
156⤵
PID:4288

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
156⤵
PID:4784

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
157⤵
PID:4396

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
157⤵
PID:1360

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
157⤵
- Checks computer location settings
PID:4944

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
158⤵
PID:1076

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
158⤵
PID:3100

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
158⤵
PID:1884

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
158⤵
PID:1760

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
159⤵
PID:4304

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
159⤵
PID:1544

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
159⤵
PID:4664

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
159⤵
PID:3456

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
160⤵
PID:3008

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
160⤵
PID:2704

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
160⤵
PID:1404

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
161⤵
PID:1376

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
161⤵
PID:2260

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
162⤵
PID:4748

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
162⤵
- Checks computer location settings
PID:3688

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
163⤵
PID:4552

C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe
"C:\Users\Admin\AppData\Local\Temp\IMG74693969444.exe"
163⤵
PID:1904

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
164⤵
PID:5040

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegAsm.exe.log
Filesize
1KB

MD5
84e77a587d94307c0ac1357eb4d3d46f

SHA1
83cc900f9401f43d181207d64c5adba7a85edc1e

SHA256
e16024b092a026a9dc00df69d4b9bbcab7b2dc178dc5291fc308a1abc9304a99

SHA512
aefb5c62200b3ed97718d20a89990954d4d8acdc0a6a73c5a420f1bba619cb79e70c2cd0a579b9f52dc6b09e1de2cea6cd6cac4376cfee92d94e2c01d310f691

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5EE9.tmp
Filesize
1KB

MD5
48ef7fa9033389ad7929d7a6b9d10298

SHA1
9db6cb7325c8bdf66a15f7b5f34703709a45aeb6

SHA256
0c1b5f67eeb276d1d4205b138ce32bc6149924e02281a2db8e4623a700e88f15

SHA512
ac8bd104ecbacc9bccce9e087f67e5b18072d59367ccd31d4e66132b6baaea520cba5b9b59464483d86abf74826b382c402f12e9a586c99bda8c78a0de33944e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6FA3.tmp
Filesize
1KB

MD5
21de6c3a6440d917bdbb4b491191d9b2

SHA1
c63c300affe7147910dc4544d2d5f3029bf321a6

SHA256
23af17733a3882cdd82a5bbc321d896b2430dc1bb4b4ac034d129cde5027afc4

SHA512
dcd1c464ed36593b990e072940ab415804ef8076743015fff4939211e30e436beb7ce6af3072769abe0214f737cedb210d2b45e6e90da20dac54c3945b11575f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HJdyTuap.exe
Filesize
268KB

MD5
44540892e2dbc3f7303c15c3d1689ecf

SHA1
c45e3eb984a69a0607d3e30e01009185a405c47f

SHA256
f165aaaa891aac8a10cd6ae8ca9ae07a901daec1f4a97122466b65c7212aaeec

SHA512
e7e8b79995e41c29e3d5e0348c720a72fa45aa2f0b656173b295984e550ef54c424787a8ce77ce0b7d0327ac62a2853053f5d3307672f1827fa77b37d4cff01e

Download Submit
memory/8-133-0x0000000000000000-mapping.dmp

Download
memory/8-134-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/8-135-0x00000000054E0000-0x0000000005A84000-memory.dmp

Filesize
5.6MB

Download
memory/8-136-0x0000000004E80000-0x0000000004F12000-memory.dmp

Filesize
584KB

Download
memory/8-137-0x0000000004FD0000-0x000000000506C000-memory.dmp

Filesize
624KB

Download
memory/8-139-0x0000000004E70000-0x0000000004E7A000-memory.dmp

Filesize
40KB

Download
memory/404-167-0x0000000000000000-mapping.dmp

Download
memory/444-183-0x0000000000000000-mapping.dmp

Download
memory/880-130-0x0000000000A80000-0x0000000000ACA000-memory.dmp

Filesize
296KB

Download
memory/880-132-0x0000000005B40000-0x0000000005B43000-memory.dmp

Filesize
12KB

Download
memory/880-131-0x0000000005530000-0x0000000005533000-memory.dmp

Filesize
12KB

Download
memory/1156-173-0x0000000000000000-mapping.dmp

Download
memory/1224-195-0x0000000000000000-mapping.dmp

Download
memory/1584-178-0x0000000000000000-mapping.dmp

Download
memory/1592-198-0x0000000000000000-mapping.dmp

Download
memory/1812-140-0x0000000000000000-mapping.dmp

Download
memory/1860-199-0x0000000000000000-mapping.dmp

Download
memory/1896-176-0x0000000000000000-mapping.dmp

Download
memory/1912-190-0x0000000000000000-mapping.dmp

Download
memory/1952-150-0x0000000000000000-mapping.dmp

Download
memory/1984-201-0x0000000000000000-mapping.dmp

Download
memory/2120-174-0x0000000000000000-mapping.dmp

Download
memory/2244-146-0x0000000000000000-mapping.dmp

Download
memory/2260-203-0x0000000000000000-mapping.dmp

Download
memory/2264-163-0x0000000000000000-mapping.dmp

Download
memory/2300-202-0x0000000000000000-mapping.dmp

Download
memory/2308-193-0x0000000000000000-mapping.dmp

Download
memory/2328-182-0x0000000000000000-mapping.dmp

Download
memory/2352-205-0x0000000000000000-mapping.dmp

Download
memory/2356-166-0x0000000000000000-mapping.dmp

Download
memory/2364-204-0x0000000000000000-mapping.dmp

Download
memory/2368-147-0x0000000000000000-mapping.dmp

Download
memory/2368-179-0x0000000000000000-mapping.dmp

Download
memory/2440-170-0x0000000000000000-mapping.dmp

Download
memory/2452-164-0x0000000000000000-mapping.dmp

Download
memory/2592-186-0x0000000000000000-mapping.dmp

Download
memory/2616-197-0x0000000000000000-mapping.dmp

Download
memory/2668-152-0x0000000000000000-mapping.dmp

Download
memory/2684-185-0x0000000000000000-mapping.dmp

Download
memory/2724-180-0x0000000000000000-mapping.dmp

Download
memory/2792-144-0x0000000000000000-mapping.dmp

Download
memory/2924-154-0x0000000000000000-mapping.dmp

Download
memory/3012-141-0x0000000000000000-mapping.dmp

Download
memory/3100-149-0x0000000000000000-mapping.dmp

Download
memory/3112-192-0x0000000000000000-mapping.dmp

Download
memory/3164-175-0x0000000000000000-mapping.dmp

Download
memory/3416-172-0x0000000000000000-mapping.dmp

Download
memory/3548-171-0x0000000000000000-mapping.dmp

Download
memory/3600-161-0x0000000000000000-mapping.dmp

Download
memory/3620-142-0x0000000000000000-mapping.dmp

Download
memory/3716-158-0x0000000000000000-mapping.dmp

Download
memory/3804-162-0x0000000000000000-mapping.dmp

Download
memory/3812-165-0x0000000000000000-mapping.dmp

Download
memory/3828-145-0x0000000000000000-mapping.dmp

Download
memory/3828-177-0x0000000000000000-mapping.dmp

Download
memory/3860-188-0x0000000000000000-mapping.dmp

Download
memory/3868-168-0x0000000000000000-mapping.dmp

Download
memory/3900-148-0x0000000000000000-mapping.dmp

Download
memory/3956-159-0x0000000000000000-mapping.dmp

Download
memory/3972-151-0x0000000000000000-mapping.dmp

Download
memory/3980-169-0x0000000000000000-mapping.dmp

Download
memory/4144-194-0x0000000000000000-mapping.dmp

Download
memory/4328-189-0x0000000000000000-mapping.dmp

Download
memory/4480-196-0x0000000000000000-mapping.dmp

Download
memory/4512-181-0x0000000000000000-mapping.dmp

Download
memory/4512-155-0x0000000000000000-mapping.dmp

Download
memory/4544-184-0x0000000000000000-mapping.dmp

Download
memory/4748-157-0x0000000000000000-mapping.dmp

Download
memory/4868-200-0x0000000000000000-mapping.dmp

Download
memory/4876-138-0x0000000000000000-mapping.dmp

Download
memory/4988-191-0x0000000000000000-mapping.dmp

Download
memory/5028-187-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads