nanocore | 14c4c5e45e22cc971bc21bb95b0b440214d9c418e3d447ee25c0bd6ec0f21d4f

General

Target

FT20200504 104835457 EMIRATE.exe
Size

633KB
MD5

0b9fffb2575af254598a1921a40c155c
SHA1

bd80b6c6e9d6134a4be8e69cd8dd644bbc57dfcc
SHA256

7fc1a736c594f6932e35c60e99b984b93280b68a48989683839ac1f25fe17d97
SHA512

dc09f18b3d6743f19a4ac5a7b34f4ad001b5ea8b53cf809745ce0e7e4706f0bb0542f72c6f284f9e0156add00dc6e990fe96e189c97511555bf307e2068f5d53

Score

10^/10

nanocore evasion keylogger spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

chaya.ddns.net:1960

185.140.53.208:1960

Mutex

d8052c0f-025c-473b-b040-53a55fb82415

Attributes

activate_away_mode
true
backup_connection_host
185.140.53.208
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2020-01-23T08:36:54.150343836Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
1960
default_group
Risen One
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
d8052c0f-025c-473b-b040-53a55fb82415
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
chaya.ddns.net
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
true
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

Drops startup file 2 IoCs

Processes:

FT20200504 104835457 EMIRATE.exeFT20200504 104835457 EMIRATE.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HJdyTuap.exe	FT20200504 104835457 EMIRATE.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HJdyTuap.exe	FT20200504 104835457 EMIRATE.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

RegAsm.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA RegAsm.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RegAsm.exe

Suspicious use of SetThreadContext 64 IoCs

Processes:

FT20200504 104835457 EMIRATE.exeFT20200504 104835457 EMIRATE.exeFT20200504 104835457 EMIRATE.exeFT20200504 104835457 EMIRATE.exeFT20200504 104835457 EMIRATE.exeFT20200504 104835457 EMIRATE.exeFT20200504 104835457 EMIRATE.exeFT20200504 104835457 EMIRATE.exeFT20200504 104835457 EMIRATE.exeFT20200504 104835457 EMIRATE.exeFT20200504 104835457 EMIRATE.exeFT20200504 104835457 EMIRATE.exeFT20200504 104835457 EMIRATE.exeFT20200504 104835457 EMIRATE.exeFT20200504 104835457 EMIRATE.exeFT20200504 104835457 EMIRATE.exeFT20200504 104835457 EMIRATE.exeFT20200504 104835457 EMIRATE.exeFT20200504 104835457 EMIRATE.exeFT20200504 104835457 EMIRATE.exeFT20200504 104835457 EMIRATE.exeFT20200504 104835457 EMIRATE.exeFT20200504 104835457 EMIRATE.exeFT20200504 104835457 EMIRATE.exeFT20200504 104835457 EMIRATE.exeFT20200504 104835457 EMIRATE.exeFT20200504 104835457 EMIRATE.exeFT20200504 104835457 EMIRATE.exeFT20200504 104835457 EMIRATE.exeFT20200504 104835457 EMIRATE.exeFT20200504 104835457 EMIRATE.exeFT20200504 104835457 EMIRATE.exeFT20200504 104835457 EMIRATE.exeFT20200504 104835457 EMIRATE.exeFT20200504 104835457 EMIRATE.exeFT20200504 104835457 EMIRATE.exeFT20200504 104835457 EMIRATE.exeFT20200504 104835457 EMIRATE.exeFT20200504 104835457 EMIRATE.exeFT20200504 104835457 EMIRATE.exeFT20200504 104835457 EMIRATE.exeFT20200504 104835457 EMIRATE.exeFT20200504 104835457 EMIRATE.exeFT20200504 104835457 EMIRATE.exeFT20200504 104835457 EMIRATE.exeFT20200504 104835457 EMIRATE.exeFT20200504 104835457 EMIRATE.exeFT20200504 104835457 EMIRATE.exeFT20200504 104835457 EMIRATE.exeFT20200504 104835457 EMIRATE.exeFT20200504 104835457 EMIRATE.exeFT20200504 104835457 EMIRATE.exeFT20200504 104835457 EMIRATE.exeFT20200504 104835457 EMIRATE.exeFT20200504 104835457 EMIRATE.exeFT20200504 104835457 EMIRATE.exeFT20200504 104835457 EMIRATE.exeFT20200504 104835457 EMIRATE.exeFT20200504 104835457 EMIRATE.exeFT20200504 104835457 EMIRATE.exeFT20200504 104835457 EMIRATE.exeFT20200504 104835457 EMIRATE.exeFT20200504 104835457 EMIRATE.exeFT20200504 104835457 EMIRATE.exe

description	pid	process	target process
PID 1160 set thread context of 960	1160	FT20200504 104835457 EMIRATE.exe	RegAsm.exe
PID 1960 set thread context of 1072	1960	FT20200504 104835457 EMIRATE.exe	RegAsm.exe
PID 1364 set thread context of 868	1364	FT20200504 104835457 EMIRATE.exe	RegAsm.exe
PID 368 set thread context of 1932	368	FT20200504 104835457 EMIRATE.exe	RegAsm.exe
PID 1636 set thread context of 968	1636	FT20200504 104835457 EMIRATE.exe	RegAsm.exe
PID 1640 set thread context of 908	1640	FT20200504 104835457 EMIRATE.exe	RegAsm.exe
PID 944 set thread context of 2032	944	FT20200504 104835457 EMIRATE.exe	RegAsm.exe
PID 1760 set thread context of 1080	1760	FT20200504 104835457 EMIRATE.exe	RegAsm.exe
PID 1504 set thread context of 1260	1504	FT20200504 104835457 EMIRATE.exe	RegAsm.exe
PID 1132 set thread context of 1492	1132	FT20200504 104835457 EMIRATE.exe	RegAsm.exe
PID 1548 set thread context of 1644	1548	FT20200504 104835457 EMIRATE.exe	RegAsm.exe
PID 1776 set thread context of 2008	1776	FT20200504 104835457 EMIRATE.exe	RegAsm.exe
PID 1556 set thread context of 776	1556	FT20200504 104835457 EMIRATE.exe	RegAsm.exe
PID 2024 set thread context of 1200	2024	FT20200504 104835457 EMIRATE.exe	RegAsm.exe
PID 524 set thread context of 2000	524	FT20200504 104835457 EMIRATE.exe	RegAsm.exe
PID 1240 set thread context of 1316	1240	FT20200504 104835457 EMIRATE.exe	RegAsm.exe
PID 820 set thread context of 668	820	FT20200504 104835457 EMIRATE.exe	RegAsm.exe
PID 1696 set thread context of 1988	1696	FT20200504 104835457 EMIRATE.exe	RegAsm.exe
PID 1256 set thread context of 1060	1256	FT20200504 104835457 EMIRATE.exe	RegAsm.exe
PID 1044 set thread context of 2060	1044	FT20200504 104835457 EMIRATE.exe	RegAsm.exe
PID 2104 set thread context of 2132	2104	FT20200504 104835457 EMIRATE.exe	RegAsm.exe
PID 2172 set thread context of 2236	2172	FT20200504 104835457 EMIRATE.exe	RegAsm.exe
PID 2276 set thread context of 2308	2276	FT20200504 104835457 EMIRATE.exe	RegAsm.exe
PID 2376 set thread context of 2412	2376	FT20200504 104835457 EMIRATE.exe	RegAsm.exe
PID 2468 set thread context of 2532	2468	FT20200504 104835457 EMIRATE.exe	RegAsm.exe
PID 2596 set thread context of 2624	2596	FT20200504 104835457 EMIRATE.exe	RegAsm.exe
PID 2688 set thread context of 2720	2688	FT20200504 104835457 EMIRATE.exe	RegAsm.exe
PID 2788 set thread context of 2816	2788	FT20200504 104835457 EMIRATE.exe	RegAsm.exe
PID 2892 set thread context of 2928	2892	FT20200504 104835457 EMIRATE.exe	RegAsm.exe
PID 2996 set thread context of 3024	2996	FT20200504 104835457 EMIRATE.exe	RegAsm.exe
PID 1888 set thread context of 2068	1888	FT20200504 104835457 EMIRATE.exe	RegAsm.exe
PID 2180 set thread context of 2100	2180	FT20200504 104835457 EMIRATE.exe	RegAsm.exe
PID 2120 set thread context of 2348	2120	FT20200504 104835457 EMIRATE.exe	RegAsm.exe
PID 2288 set thread context of 1280	2288	FT20200504 104835457 EMIRATE.exe	RegAsm.exe
PID 2300 set thread context of 2568	2300	FT20200504 104835457 EMIRATE.exe	RegAsm.exe
PID 2516 set thread context of 2396	2516	FT20200504 104835457 EMIRATE.exe	RegAsm.exe
PID 968 set thread context of 2492	968	FT20200504 104835457 EMIRATE.exe	RegAsm.exe
PID 908 set thread context of 2612	908	FT20200504 104835457 EMIRATE.exe	RegAsm.exe
PID 2032 set thread context of 2708	2032	FT20200504 104835457 EMIRATE.exe	RegAsm.exe
PID 2956 set thread context of 2924	2956	FT20200504 104835457 EMIRATE.exe	RegAsm.exe
PID 1632 set thread context of 1956	1632	FT20200504 104835457 EMIRATE.exe	RegAsm.exe
PID 1684 set thread context of 1980	1684	FT20200504 104835457 EMIRATE.exe	RegAsm.exe
PID 1916 set thread context of 1644	1916	FT20200504 104835457 EMIRATE.exe	RegAsm.exe
PID 2400 set thread context of 2448	2400	FT20200504 104835457 EMIRATE.exe	RegAsm.exe
PID 632 set thread context of 2184	632	FT20200504 104835457 EMIRATE.exe	RegAsm.exe
PID 1416 set thread context of 2292	1416	FT20200504 104835457 EMIRATE.exe	RegAsm.exe
PID 2488 set thread context of 860	2488	FT20200504 104835457 EMIRATE.exe	RegAsm.exe
PID 2524 set thread context of 1856	2524	FT20200504 104835457 EMIRATE.exe	RegAsm.exe
PID 2776 set thread context of 2940	2776	FT20200504 104835457 EMIRATE.exe	RegAsm.exe
PID 2888 set thread context of 1520	2888	FT20200504 104835457 EMIRATE.exe	RegAsm.exe
PID 2076 set thread context of 2060	2076	FT20200504 104835457 EMIRATE.exe	RegAsm.exe
PID 1220 set thread context of 1492	1220	FT20200504 104835457 EMIRATE.exe	RegAsm.exe
PID 2240 set thread context of 1068	2240	FT20200504 104835457 EMIRATE.exe	RegAsm.exe
PID 2116 set thread context of 572	2116	FT20200504 104835457 EMIRATE.exe	RegAsm.exe
PID 2404 set thread context of 776	2404	FT20200504 104835457 EMIRATE.exe	RegAsm.exe
PID 2552 set thread context of 2532	2552	FT20200504 104835457 EMIRATE.exe	RegAsm.exe
PID 1552 set thread context of 280	1552	FT20200504 104835457 EMIRATE.exe	RegAsm.exe
PID 2696 set thread context of 2684	2696	FT20200504 104835457 EMIRATE.exe	RegAsm.exe
PID 1988 set thread context of 2796	1988	FT20200504 104835457 EMIRATE.exe	RegAsm.exe
PID 2752 set thread context of 2932	2752	FT20200504 104835457 EMIRATE.exe	RegAsm.exe
PID 3040 set thread context of 1756	3040	FT20200504 104835457 EMIRATE.exe	RegAsm.exe
PID 2092 set thread context of 2080	2092	FT20200504 104835457 EMIRATE.exe	RegAsm.exe
PID 2352 set thread context of 3016	2352	FT20200504 104835457 EMIRATE.exe	RegAsm.exe
PID 2320 set thread context of 2140	2320	FT20200504 104835457 EMIRATE.exe	RegAsm.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

FT20200504 104835457 EMIRATE.exe

pid	process
1160	FT20200504 104835457 EMIRATE.exe
1160	FT20200504 104835457 EMIRATE.exe
1160	FT20200504 104835457 EMIRATE.exe
1160	FT20200504 104835457 EMIRATE.exe
1160	FT20200504 104835457 EMIRATE.exe
1160	FT20200504 104835457 EMIRATE.exe
1160	FT20200504 104835457 EMIRATE.exe
1160	FT20200504 104835457 EMIRATE.exe
1160	FT20200504 104835457 EMIRATE.exe
1160	FT20200504 104835457 EMIRATE.exe
1160	FT20200504 104835457 EMIRATE.exe
1160	FT20200504 104835457 EMIRATE.exe
1160	FT20200504 104835457 EMIRATE.exe
1160	FT20200504 104835457 EMIRATE.exe
1160	FT20200504 104835457 EMIRATE.exe
1160	FT20200504 104835457 EMIRATE.exe
1160	FT20200504 104835457 EMIRATE.exe
1160	FT20200504 104835457 EMIRATE.exe
1160	FT20200504 104835457 EMIRATE.exe
1160	FT20200504 104835457 EMIRATE.exe
1160	FT20200504 104835457 EMIRATE.exe
1160	FT20200504 104835457 EMIRATE.exe
1160	FT20200504 104835457 EMIRATE.exe
1160	FT20200504 104835457 EMIRATE.exe
1160	FT20200504 104835457 EMIRATE.exe
1160	FT20200504 104835457 EMIRATE.exe
1160	FT20200504 104835457 EMIRATE.exe
1160	FT20200504 104835457 EMIRATE.exe
1160	FT20200504 104835457 EMIRATE.exe
1160	FT20200504 104835457 EMIRATE.exe
1160	FT20200504 104835457 EMIRATE.exe
1160	FT20200504 104835457 EMIRATE.exe
1160	FT20200504 104835457 EMIRATE.exe
1160	FT20200504 104835457 EMIRATE.exe
1160	FT20200504 104835457 EMIRATE.exe
1160	FT20200504 104835457 EMIRATE.exe
1160	FT20200504 104835457 EMIRATE.exe
1160	FT20200504 104835457 EMIRATE.exe
1160	FT20200504 104835457 EMIRATE.exe
1160	FT20200504 104835457 EMIRATE.exe
1160	FT20200504 104835457 EMIRATE.exe
1160	FT20200504 104835457 EMIRATE.exe
1160	FT20200504 104835457 EMIRATE.exe
1160	FT20200504 104835457 EMIRATE.exe
1160	FT20200504 104835457 EMIRATE.exe
1160	FT20200504 104835457 EMIRATE.exe
1160	FT20200504 104835457 EMIRATE.exe
1160	FT20200504 104835457 EMIRATE.exe
1160	FT20200504 104835457 EMIRATE.exe
1160	FT20200504 104835457 EMIRATE.exe
1160	FT20200504 104835457 EMIRATE.exe
1160	FT20200504 104835457 EMIRATE.exe
1160	FT20200504 104835457 EMIRATE.exe
1160	FT20200504 104835457 EMIRATE.exe
1160	FT20200504 104835457 EMIRATE.exe
1160	FT20200504 104835457 EMIRATE.exe
1160	FT20200504 104835457 EMIRATE.exe
1160	FT20200504 104835457 EMIRATE.exe
1160	FT20200504 104835457 EMIRATE.exe
1160	FT20200504 104835457 EMIRATE.exe
1160	FT20200504 104835457 EMIRATE.exe
1160	FT20200504 104835457 EMIRATE.exe
1160	FT20200504 104835457 EMIRATE.exe
1160	FT20200504 104835457 EMIRATE.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

RegAsm.exe

pid process

960 RegAsm.exe

pid	process
960	RegAsm.exe

Suspicious behavior: MapViewOfSection 64 IoCs

Processes:

FT20200504 104835457 EMIRATE.exeFT20200504 104835457 EMIRATE.exeFT20200504 104835457 EMIRATE.exeFT20200504 104835457 EMIRATE.exeFT20200504 104835457 EMIRATE.exeFT20200504 104835457 EMIRATE.exeFT20200504 104835457 EMIRATE.exeFT20200504 104835457 EMIRATE.exeFT20200504 104835457 EMIRATE.exeFT20200504 104835457 EMIRATE.exeFT20200504 104835457 EMIRATE.exeFT20200504 104835457 EMIRATE.exeFT20200504 104835457 EMIRATE.exeFT20200504 104835457 EMIRATE.exeFT20200504 104835457 EMIRATE.exeFT20200504 104835457 EMIRATE.exeFT20200504 104835457 EMIRATE.exeFT20200504 104835457 EMIRATE.exeFT20200504 104835457 EMIRATE.exeFT20200504 104835457 EMIRATE.exeFT20200504 104835457 EMIRATE.exeFT20200504 104835457 EMIRATE.exeFT20200504 104835457 EMIRATE.exeFT20200504 104835457 EMIRATE.exeFT20200504 104835457 EMIRATE.exeFT20200504 104835457 EMIRATE.exeFT20200504 104835457 EMIRATE.exeFT20200504 104835457 EMIRATE.exeFT20200504 104835457 EMIRATE.exeFT20200504 104835457 EMIRATE.exeFT20200504 104835457 EMIRATE.exeFT20200504 104835457 EMIRATE.exeFT20200504 104835457 EMIRATE.exeFT20200504 104835457 EMIRATE.exeFT20200504 104835457 EMIRATE.exeFT20200504 104835457 EMIRATE.exeFT20200504 104835457 EMIRATE.exeFT20200504 104835457 EMIRATE.exeFT20200504 104835457 EMIRATE.exeFT20200504 104835457 EMIRATE.exeFT20200504 104835457 EMIRATE.exeFT20200504 104835457 EMIRATE.exe

pid	process
1160	FT20200504 104835457 EMIRATE.exe
1960	FT20200504 104835457 EMIRATE.exe
1960	FT20200504 104835457 EMIRATE.exe
1364	FT20200504 104835457 EMIRATE.exe
368	FT20200504 104835457 EMIRATE.exe
1636	FT20200504 104835457 EMIRATE.exe
1640	FT20200504 104835457 EMIRATE.exe
1640	FT20200504 104835457 EMIRATE.exe
1640	FT20200504 104835457 EMIRATE.exe
944	FT20200504 104835457 EMIRATE.exe
1760	FT20200504 104835457 EMIRATE.exe
1504	FT20200504 104835457 EMIRATE.exe
1504	FT20200504 104835457 EMIRATE.exe
1132	FT20200504 104835457 EMIRATE.exe
1548	FT20200504 104835457 EMIRATE.exe
1548	FT20200504 104835457 EMIRATE.exe
1776	FT20200504 104835457 EMIRATE.exe
1556	FT20200504 104835457 EMIRATE.exe
2024	FT20200504 104835457 EMIRATE.exe
524	FT20200504 104835457 EMIRATE.exe
1240	FT20200504 104835457 EMIRATE.exe
820	FT20200504 104835457 EMIRATE.exe
820	FT20200504 104835457 EMIRATE.exe
820	FT20200504 104835457 EMIRATE.exe
1696	FT20200504 104835457 EMIRATE.exe
1696	FT20200504 104835457 EMIRATE.exe
1256	FT20200504 104835457 EMIRATE.exe
1256	FT20200504 104835457 EMIRATE.exe
1044	FT20200504 104835457 EMIRATE.exe
1044	FT20200504 104835457 EMIRATE.exe
1044	FT20200504 104835457 EMIRATE.exe
2104	FT20200504 104835457 EMIRATE.exe
2172	FT20200504 104835457 EMIRATE.exe
2172	FT20200504 104835457 EMIRATE.exe
2172	FT20200504 104835457 EMIRATE.exe
2172	FT20200504 104835457 EMIRATE.exe
2172	FT20200504 104835457 EMIRATE.exe
2276	FT20200504 104835457 EMIRATE.exe
2376	FT20200504 104835457 EMIRATE.exe
2376	FT20200504 104835457 EMIRATE.exe
2468	FT20200504 104835457 EMIRATE.exe
2468	FT20200504 104835457 EMIRATE.exe
2468	FT20200504 104835457 EMIRATE.exe
2468	FT20200504 104835457 EMIRATE.exe
2596	FT20200504 104835457 EMIRATE.exe
2688	FT20200504 104835457 EMIRATE.exe
2788	FT20200504 104835457 EMIRATE.exe
2892	FT20200504 104835457 EMIRATE.exe
2892	FT20200504 104835457 EMIRATE.exe
2996	FT20200504 104835457 EMIRATE.exe
1888	FT20200504 104835457 EMIRATE.exe
2180	FT20200504 104835457 EMIRATE.exe
2120	FT20200504 104835457 EMIRATE.exe
2120	FT20200504 104835457 EMIRATE.exe
2288	FT20200504 104835457 EMIRATE.exe
2300	FT20200504 104835457 EMIRATE.exe
2300	FT20200504 104835457 EMIRATE.exe
2516	FT20200504 104835457 EMIRATE.exe
968	FT20200504 104835457 EMIRATE.exe
908	FT20200504 104835457 EMIRATE.exe
2032	FT20200504 104835457 EMIRATE.exe
2956	FT20200504 104835457 EMIRATE.exe
1632	FT20200504 104835457 EMIRATE.exe
1684	FT20200504 104835457 EMIRATE.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

FT20200504 104835457 EMIRATE.exeRegAsm.exeFT20200504 104835457 EMIRATE.exeFT20200504 104835457 EMIRATE.exeFT20200504 104835457 EMIRATE.exeFT20200504 104835457 EMIRATE.exeFT20200504 104835457 EMIRATE.exeFT20200504 104835457 EMIRATE.exeFT20200504 104835457 EMIRATE.exeFT20200504 104835457 EMIRATE.exeFT20200504 104835457 EMIRATE.exeFT20200504 104835457 EMIRATE.exeFT20200504 104835457 EMIRATE.exeFT20200504 104835457 EMIRATE.exeFT20200504 104835457 EMIRATE.exeFT20200504 104835457 EMIRATE.exeFT20200504 104835457 EMIRATE.exeFT20200504 104835457 EMIRATE.exeFT20200504 104835457 EMIRATE.exeFT20200504 104835457 EMIRATE.exeFT20200504 104835457 EMIRATE.exeFT20200504 104835457 EMIRATE.exeFT20200504 104835457 EMIRATE.exeFT20200504 104835457 EMIRATE.exeFT20200504 104835457 EMIRATE.exeFT20200504 104835457 EMIRATE.exeFT20200504 104835457 EMIRATE.exeFT20200504 104835457 EMIRATE.exeFT20200504 104835457 EMIRATE.exeFT20200504 104835457 EMIRATE.exeFT20200504 104835457 EMIRATE.exeFT20200504 104835457 EMIRATE.exeFT20200504 104835457 EMIRATE.exeFT20200504 104835457 EMIRATE.exeFT20200504 104835457 EMIRATE.exeFT20200504 104835457 EMIRATE.exeFT20200504 104835457 EMIRATE.exeFT20200504 104835457 EMIRATE.exeFT20200504 104835457 EMIRATE.exeFT20200504 104835457 EMIRATE.exeFT20200504 104835457 EMIRATE.exeFT20200504 104835457 EMIRATE.exeFT20200504 104835457 EMIRATE.exeFT20200504 104835457 EMIRATE.exeFT20200504 104835457 EMIRATE.exeFT20200504 104835457 EMIRATE.exeFT20200504 104835457 EMIRATE.exeFT20200504 104835457 EMIRATE.exeFT20200504 104835457 EMIRATE.exeFT20200504 104835457 EMIRATE.exeFT20200504 104835457 EMIRATE.exeFT20200504 104835457 EMIRATE.exeFT20200504 104835457 EMIRATE.exeFT20200504 104835457 EMIRATE.exeFT20200504 104835457 EMIRATE.exeFT20200504 104835457 EMIRATE.exeFT20200504 104835457 EMIRATE.exeFT20200504 104835457 EMIRATE.exeFT20200504 104835457 EMIRATE.exeFT20200504 104835457 EMIRATE.exeFT20200504 104835457 EMIRATE.exeFT20200504 104835457 EMIRATE.exeFT20200504 104835457 EMIRATE.exeFT20200504 104835457 EMIRATE.exe

description	pid	process
Token: SeDebugPrivilege	1160	FT20200504 104835457 EMIRATE.exe
Token: SeDebugPrivilege	960	RegAsm.exe
Token: SeDebugPrivilege	1960	FT20200504 104835457 EMIRATE.exe
Token: SeDebugPrivilege	1364	FT20200504 104835457 EMIRATE.exe
Token: SeDebugPrivilege	368	FT20200504 104835457 EMIRATE.exe
Token: SeDebugPrivilege	1636	FT20200504 104835457 EMIRATE.exe
Token: SeDebugPrivilege	1640	FT20200504 104835457 EMIRATE.exe
Token: SeDebugPrivilege	944	FT20200504 104835457 EMIRATE.exe
Token: SeDebugPrivilege	1760	FT20200504 104835457 EMIRATE.exe
Token: SeDebugPrivilege	1504	FT20200504 104835457 EMIRATE.exe
Token: SeDebugPrivilege	1132	FT20200504 104835457 EMIRATE.exe
Token: SeDebugPrivilege	1548	FT20200504 104835457 EMIRATE.exe
Token: SeDebugPrivilege	1776	FT20200504 104835457 EMIRATE.exe
Token: SeDebugPrivilege	1556	FT20200504 104835457 EMIRATE.exe
Token: SeDebugPrivilege	2024	FT20200504 104835457 EMIRATE.exe
Token: SeDebugPrivilege	524	FT20200504 104835457 EMIRATE.exe
Token: SeDebugPrivilege	1240	FT20200504 104835457 EMIRATE.exe
Token: SeDebugPrivilege	820	FT20200504 104835457 EMIRATE.exe
Token: SeDebugPrivilege	1696	FT20200504 104835457 EMIRATE.exe
Token: SeDebugPrivilege	1256	FT20200504 104835457 EMIRATE.exe
Token: SeDebugPrivilege	1044	FT20200504 104835457 EMIRATE.exe
Token: SeDebugPrivilege	2104	FT20200504 104835457 EMIRATE.exe
Token: SeDebugPrivilege	2172	FT20200504 104835457 EMIRATE.exe
Token: SeDebugPrivilege	2276	FT20200504 104835457 EMIRATE.exe
Token: SeDebugPrivilege	2376	FT20200504 104835457 EMIRATE.exe
Token: SeDebugPrivilege	2468	FT20200504 104835457 EMIRATE.exe
Token: SeDebugPrivilege	2596	FT20200504 104835457 EMIRATE.exe
Token: SeDebugPrivilege	2688	FT20200504 104835457 EMIRATE.exe
Token: SeDebugPrivilege	2788	FT20200504 104835457 EMIRATE.exe
Token: SeDebugPrivilege	2892	FT20200504 104835457 EMIRATE.exe
Token: SeDebugPrivilege	2996	FT20200504 104835457 EMIRATE.exe
Token: SeDebugPrivilege	1888	FT20200504 104835457 EMIRATE.exe
Token: SeDebugPrivilege	2180	FT20200504 104835457 EMIRATE.exe
Token: SeDebugPrivilege	2120	FT20200504 104835457 EMIRATE.exe
Token: SeDebugPrivilege	2288	FT20200504 104835457 EMIRATE.exe
Token: SeDebugPrivilege	2300	FT20200504 104835457 EMIRATE.exe
Token: SeDebugPrivilege	2516	FT20200504 104835457 EMIRATE.exe
Token: SeDebugPrivilege	968	FT20200504 104835457 EMIRATE.exe
Token: SeDebugPrivilege	908	FT20200504 104835457 EMIRATE.exe
Token: SeDebugPrivilege	2032	FT20200504 104835457 EMIRATE.exe
Token: SeDebugPrivilege	2956	FT20200504 104835457 EMIRATE.exe
Token: SeDebugPrivilege	1632	FT20200504 104835457 EMIRATE.exe
Token: SeDebugPrivilege	1684	FT20200504 104835457 EMIRATE.exe
Token: SeDebugPrivilege	1916	FT20200504 104835457 EMIRATE.exe
Token: SeDebugPrivilege	2400	FT20200504 104835457 EMIRATE.exe
Token: SeDebugPrivilege	632	FT20200504 104835457 EMIRATE.exe
Token: SeDebugPrivilege	1416	FT20200504 104835457 EMIRATE.exe
Token: SeDebugPrivilege	2488	FT20200504 104835457 EMIRATE.exe
Token: SeDebugPrivilege	2524	FT20200504 104835457 EMIRATE.exe
Token: SeDebugPrivilege	2776	FT20200504 104835457 EMIRATE.exe
Token: SeDebugPrivilege	2888	FT20200504 104835457 EMIRATE.exe
Token: SeDebugPrivilege	2076	FT20200504 104835457 EMIRATE.exe
Token: SeDebugPrivilege	1220	FT20200504 104835457 EMIRATE.exe
Token: SeDebugPrivilege	2240	FT20200504 104835457 EMIRATE.exe
Token: SeDebugPrivilege	2116	FT20200504 104835457 EMIRATE.exe
Token: SeDebugPrivilege	2404	FT20200504 104835457 EMIRATE.exe
Token: SeDebugPrivilege	2552	FT20200504 104835457 EMIRATE.exe
Token: SeDebugPrivilege	1552	FT20200504 104835457 EMIRATE.exe
Token: SeDebugPrivilege	2696	FT20200504 104835457 EMIRATE.exe
Token: SeDebugPrivilege	1988	FT20200504 104835457 EMIRATE.exe
Token: SeDebugPrivilege	2752	FT20200504 104835457 EMIRATE.exe
Token: SeDebugPrivilege	3040	FT20200504 104835457 EMIRATE.exe
Token: SeDebugPrivilege	2092	FT20200504 104835457 EMIRATE.exe
Token: SeDebugPrivilege	2352	FT20200504 104835457 EMIRATE.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

FT20200504 104835457 EMIRATE.exeFT20200504 104835457 EMIRATE.exeFT20200504 104835457 EMIRATE.exeFT20200504 104835457 EMIRATE.exeFT20200504 104835457 EMIRATE.exe

description	pid	process	target process
PID 1160 wrote to memory of 960	1160	FT20200504 104835457 EMIRATE.exe	RegAsm.exe
PID 1160 wrote to memory of 960	1160	FT20200504 104835457 EMIRATE.exe	RegAsm.exe
PID 1160 wrote to memory of 960	1160	FT20200504 104835457 EMIRATE.exe	RegAsm.exe
PID 1160 wrote to memory of 960	1160	FT20200504 104835457 EMIRATE.exe	RegAsm.exe
PID 1160 wrote to memory of 960	1160	FT20200504 104835457 EMIRATE.exe	RegAsm.exe
PID 1160 wrote to memory of 960	1160	FT20200504 104835457 EMIRATE.exe	RegAsm.exe
PID 1160 wrote to memory of 960	1160	FT20200504 104835457 EMIRATE.exe	RegAsm.exe
PID 1160 wrote to memory of 960	1160	FT20200504 104835457 EMIRATE.exe	RegAsm.exe
PID 1160 wrote to memory of 1960	1160	FT20200504 104835457 EMIRATE.exe	FT20200504 104835457 EMIRATE.exe
PID 1160 wrote to memory of 1960	1160	FT20200504 104835457 EMIRATE.exe	FT20200504 104835457 EMIRATE.exe
PID 1160 wrote to memory of 1960	1160	FT20200504 104835457 EMIRATE.exe	FT20200504 104835457 EMIRATE.exe
PID 1160 wrote to memory of 1960	1160	FT20200504 104835457 EMIRATE.exe	FT20200504 104835457 EMIRATE.exe
PID 1960 wrote to memory of 384	1960	FT20200504 104835457 EMIRATE.exe	RegAsm.exe
PID 1960 wrote to memory of 384	1960	FT20200504 104835457 EMIRATE.exe	RegAsm.exe
PID 1960 wrote to memory of 384	1960	FT20200504 104835457 EMIRATE.exe	RegAsm.exe
PID 1960 wrote to memory of 384	1960	FT20200504 104835457 EMIRATE.exe	RegAsm.exe
PID 1960 wrote to memory of 384	1960	FT20200504 104835457 EMIRATE.exe	RegAsm.exe
PID 1960 wrote to memory of 384	1960	FT20200504 104835457 EMIRATE.exe	RegAsm.exe
PID 1960 wrote to memory of 384	1960	FT20200504 104835457 EMIRATE.exe	RegAsm.exe
PID 1960 wrote to memory of 1072	1960	FT20200504 104835457 EMIRATE.exe	RegAsm.exe
PID 1960 wrote to memory of 1072	1960	FT20200504 104835457 EMIRATE.exe	RegAsm.exe
PID 1960 wrote to memory of 1072	1960	FT20200504 104835457 EMIRATE.exe	RegAsm.exe
PID 1960 wrote to memory of 1072	1960	FT20200504 104835457 EMIRATE.exe	RegAsm.exe
PID 1960 wrote to memory of 1072	1960	FT20200504 104835457 EMIRATE.exe	RegAsm.exe
PID 1960 wrote to memory of 1072	1960	FT20200504 104835457 EMIRATE.exe	RegAsm.exe
PID 1960 wrote to memory of 1072	1960	FT20200504 104835457 EMIRATE.exe	RegAsm.exe
PID 1960 wrote to memory of 1072	1960	FT20200504 104835457 EMIRATE.exe	RegAsm.exe
PID 1960 wrote to memory of 1364	1960	FT20200504 104835457 EMIRATE.exe	FT20200504 104835457 EMIRATE.exe
PID 1960 wrote to memory of 1364	1960	FT20200504 104835457 EMIRATE.exe	FT20200504 104835457 EMIRATE.exe
PID 1960 wrote to memory of 1364	1960	FT20200504 104835457 EMIRATE.exe	FT20200504 104835457 EMIRATE.exe
PID 1960 wrote to memory of 1364	1960	FT20200504 104835457 EMIRATE.exe	FT20200504 104835457 EMIRATE.exe
PID 1364 wrote to memory of 868	1364	FT20200504 104835457 EMIRATE.exe	RegAsm.exe
PID 1364 wrote to memory of 868	1364	FT20200504 104835457 EMIRATE.exe	RegAsm.exe
PID 1364 wrote to memory of 868	1364	FT20200504 104835457 EMIRATE.exe	RegAsm.exe
PID 1364 wrote to memory of 868	1364	FT20200504 104835457 EMIRATE.exe	RegAsm.exe
PID 1364 wrote to memory of 868	1364	FT20200504 104835457 EMIRATE.exe	RegAsm.exe
PID 1364 wrote to memory of 868	1364	FT20200504 104835457 EMIRATE.exe	RegAsm.exe
PID 1364 wrote to memory of 868	1364	FT20200504 104835457 EMIRATE.exe	RegAsm.exe
PID 1364 wrote to memory of 868	1364	FT20200504 104835457 EMIRATE.exe	RegAsm.exe
PID 1364 wrote to memory of 368	1364	FT20200504 104835457 EMIRATE.exe	FT20200504 104835457 EMIRATE.exe
PID 1364 wrote to memory of 368	1364	FT20200504 104835457 EMIRATE.exe	FT20200504 104835457 EMIRATE.exe
PID 1364 wrote to memory of 368	1364	FT20200504 104835457 EMIRATE.exe	FT20200504 104835457 EMIRATE.exe
PID 1364 wrote to memory of 368	1364	FT20200504 104835457 EMIRATE.exe	FT20200504 104835457 EMIRATE.exe
PID 368 wrote to memory of 1932	368	FT20200504 104835457 EMIRATE.exe	RegAsm.exe
PID 368 wrote to memory of 1932	368	FT20200504 104835457 EMIRATE.exe	RegAsm.exe
PID 368 wrote to memory of 1932	368	FT20200504 104835457 EMIRATE.exe	RegAsm.exe
PID 368 wrote to memory of 1932	368	FT20200504 104835457 EMIRATE.exe	RegAsm.exe
PID 368 wrote to memory of 1932	368	FT20200504 104835457 EMIRATE.exe	RegAsm.exe
PID 368 wrote to memory of 1932	368	FT20200504 104835457 EMIRATE.exe	RegAsm.exe
PID 368 wrote to memory of 1932	368	FT20200504 104835457 EMIRATE.exe	RegAsm.exe
PID 368 wrote to memory of 1932	368	FT20200504 104835457 EMIRATE.exe	RegAsm.exe
PID 368 wrote to memory of 1636	368	FT20200504 104835457 EMIRATE.exe	FT20200504 104835457 EMIRATE.exe
PID 368 wrote to memory of 1636	368	FT20200504 104835457 EMIRATE.exe	FT20200504 104835457 EMIRATE.exe
PID 368 wrote to memory of 1636	368	FT20200504 104835457 EMIRATE.exe	FT20200504 104835457 EMIRATE.exe
PID 368 wrote to memory of 1636	368	FT20200504 104835457 EMIRATE.exe	FT20200504 104835457 EMIRATE.exe
PID 1636 wrote to memory of 968	1636	FT20200504 104835457 EMIRATE.exe	RegAsm.exe
PID 1636 wrote to memory of 968	1636	FT20200504 104835457 EMIRATE.exe	RegAsm.exe
PID 1636 wrote to memory of 968	1636	FT20200504 104835457 EMIRATE.exe	RegAsm.exe
PID 1636 wrote to memory of 968	1636	FT20200504 104835457 EMIRATE.exe	RegAsm.exe
PID 1636 wrote to memory of 968	1636	FT20200504 104835457 EMIRATE.exe	RegAsm.exe
PID 1636 wrote to memory of 968	1636	FT20200504 104835457 EMIRATE.exe	RegAsm.exe
PID 1636 wrote to memory of 968	1636	FT20200504 104835457 EMIRATE.exe	RegAsm.exe
PID 1636 wrote to memory of 968	1636	FT20200504 104835457 EMIRATE.exe	RegAsm.exe
PID 1636 wrote to memory of 1640	1636	FT20200504 104835457 EMIRATE.exe	FT20200504 104835457 EMIRATE.exe

C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe
"C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1160

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
- Checks whether UAC is enabled
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:960

C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe
"C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe"
2⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1960

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:384

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:1072

C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe
"C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1364

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
PID:868

C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe
"C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe"
4⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:368

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
5⤵
PID:1932

C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe
"C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe"
5⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1636

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
6⤵
PID:968

C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe
"C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe"
6⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1640

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
7⤵
PID:1044

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
7⤵
PID:976

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
7⤵
PID:908

C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe
"C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe"
7⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:944

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
8⤵
PID:2032

C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe
"C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe"
8⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1760

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
9⤵
PID:1080

C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe
"C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe"
9⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1504

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
10⤵
PID:776

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
10⤵
PID:1260

C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe
"C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe"
10⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1132

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
11⤵
PID:1492

C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe
"C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe"
11⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1548

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
12⤵
PID:1688

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
12⤵
PID:1644

C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe
"C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe"
12⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1776

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
13⤵
PID:2008

C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe
"C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe"
13⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1556

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
14⤵
PID:776

C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe
"C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe"
14⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2024

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
15⤵
PID:1200

C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe
"C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe"
15⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:524

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
16⤵
PID:2000

C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe
"C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe"
16⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1240

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
17⤵
PID:1316

C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe
"C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe"
17⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:820

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
18⤵
PID:1268

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
18⤵
PID:852

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
18⤵
PID:668

C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe
"C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe"
18⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1696

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
19⤵
PID:1524

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
19⤵
PID:1988

C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe
"C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe"
19⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1256

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
20⤵
PID:1956

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
20⤵
PID:1060

C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe
"C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe"
20⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1044

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
21⤵
PID:1404

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
21⤵
PID:2052

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
21⤵
PID:2060

C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe
"C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe"
21⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2104

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
22⤵
PID:2132

C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe
"C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe"
22⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2172

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
23⤵
PID:2204

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
23⤵
PID:2212

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
23⤵
PID:2220

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
23⤵
PID:2228

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
23⤵
PID:2236

C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe
"C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe"
23⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2276

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
24⤵
PID:2308

C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe
"C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe"
24⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2376

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
25⤵
PID:2404

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
25⤵
PID:2412

C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe
"C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe"
25⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2468

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
26⤵
PID:2508

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
26⤵
PID:2516

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
26⤵
PID:2524

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
26⤵
PID:2532

C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe
"C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe"
26⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2596

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
27⤵
PID:2624

C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe
"C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe"
27⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2688

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
28⤵
PID:2720

C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe
"C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe"
28⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2788

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
29⤵
PID:2816

C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe
"C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe"
29⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2892

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
30⤵
PID:2920

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
30⤵
PID:2928

C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe
"C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe"
30⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2996

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
31⤵
PID:3024

C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe
"C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe"
31⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1888

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
32⤵
PID:2068

C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe
"C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe"
32⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2180

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
33⤵
PID:2100

C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe
"C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe"
33⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2120

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
34⤵
PID:2352

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
34⤵
PID:2348

C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe
"C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe"
34⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2288

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
35⤵
PID:1280

C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe
"C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe"
35⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2300

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
36⤵
PID:2544

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
36⤵
PID:2568

C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe
"C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe"
36⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2516

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
37⤵
PID:2396

C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe
"C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe"
37⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:968

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
38⤵
PID:2492

C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe
"C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe"
38⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:908

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
39⤵
PID:2612

C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe
"C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe"
39⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2032

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
40⤵
PID:2708

C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe
"C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe"
40⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2956

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
41⤵
PID:2924

C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe
"C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe"
41⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1632

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
42⤵
PID:1956

C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe
"C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe"
42⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1684

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
43⤵
PID:1980

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
43⤵
PID:1568

C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe
"C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe"
43⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1916

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
44⤵
PID:1644

C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe
"C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe"
44⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2400

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
45⤵
PID:1420

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
45⤵
PID:2008

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
45⤵
PID:2448

C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe
"C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe"
45⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:632

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
46⤵
PID:776

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
46⤵
PID:2540

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
46⤵
PID:2184

C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe
"C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe"
46⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1416

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
47⤵
PID:2356

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
47⤵
PID:2420

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
47⤵
PID:2292

C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe
"C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe"
47⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2488

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
48⤵
PID:2508

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
48⤵
PID:860

C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe
"C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe"
48⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2524

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
49⤵
PID:1704

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
49⤵
PID:1992

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
49⤵
PID:2856

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
49⤵
PID:1856

C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe
"C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe"
49⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2776

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
50⤵
PID:1512

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
50⤵
PID:2940

C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe
"C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe"
50⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2888

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
51⤵
PID:1520

C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe
"C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe"
51⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2076

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
52⤵
PID:2060

C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe
"C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe"
52⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1220

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
53⤵
PID:2248

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
53⤵
PID:1492

C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe
"C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe"
53⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2240

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
54⤵
PID:1068

C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe
"C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe"
54⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2116

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
55⤵
PID:2188

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
55⤵
PID:572

C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe
"C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe"
55⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2404

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
56⤵
PID:776

C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe
"C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe"
56⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2552

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
57⤵
PID:2532

C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe
"C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe"
57⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1552

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
58⤵
PID:280

C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe
"C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe"
58⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2696

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
59⤵
PID:2684

C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe
"C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe"
59⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1988

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
60⤵
PID:2812

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
60⤵
PID:2796

C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe
"C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe"
60⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2752

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
61⤵
PID:2948

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
61⤵
PID:2916

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
61⤵
PID:2932

C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe
"C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe"
61⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:3040

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
62⤵
PID:1756

C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe
"C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe"
62⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2092

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
63⤵
PID:2080

C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe
"C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe"
63⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2352

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
64⤵
PID:3016

C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe
"C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe"
64⤵
- Suspicious use of SetThreadContext
PID:2320

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
65⤵
PID:2008

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
65⤵
PID:2140

C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe
"C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe"
65⤵
PID:2500

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
66⤵
PID:868

C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe
"C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe"
66⤵
PID:1628

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
67⤵
PID:1952

C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe
"C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe"
67⤵
PID:2592

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
68⤵
PID:2492

C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe
"C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe"
68⤵
PID:2640

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
69⤵
PID:2364

C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe
"C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe"
69⤵
PID:2712

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
70⤵
PID:2680

C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe
"C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe"
70⤵
PID:1708

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
71⤵
PID:2804

C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe
"C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe"
71⤵
PID:2836

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
72⤵
PID:2088

C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe
"C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe"
72⤵
PID:2792

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
73⤵
PID:3004

C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe
"C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe"
73⤵
PID:3028

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
74⤵
PID:2324

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
74⤵
PID:2216

C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe
"C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe"
74⤵
PID:1800

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
75⤵
PID:2444

C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe
"C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe"
75⤵
PID:2188

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
76⤵
PID:2432

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
76⤵
PID:756

C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe
"C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe"
76⤵
PID:2584

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
77⤵
PID:1308

C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe
"C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe"
77⤵
PID:2412

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
78⤵
PID:1536

C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe
"C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe"
78⤵
PID:2588

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
79⤵
PID:2484

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
79⤵
PID:1804

C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe
"C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe"
79⤵
PID:1152

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
80⤵
PID:2736

C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe
"C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe"
80⤵
PID:568

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
81⤵
PID:2656

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
81⤵
PID:2652

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
81⤵
PID:2872

C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe
"C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe"
81⤵
PID:2944

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
82⤵
PID:2896

C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe
"C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe"
82⤵
PID:2952

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
83⤵
PID:3052

C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe
"C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe"
83⤵
PID:2248

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
84⤵
PID:2340

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
84⤵
PID:1868

C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe
"C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe"
84⤵
PID:2344

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
85⤵
PID:1584

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
85⤵
PID:2160

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
85⤵
PID:2440

C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe
"C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe"
85⤵
PID:2432

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
86⤵
PID:824

C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe
"C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe"
86⤵
PID:1432

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
87⤵
PID:1972

C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe
"C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe"
87⤵
PID:2664

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
88⤵
PID:2620

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
88⤵
PID:2576

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
88⤵
PID:2616

C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe
"C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe"
88⤵
PID:3020

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
89⤵
PID:1740

C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe
"C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe"
89⤵
PID:2976

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
90⤵
PID:1524

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
90⤵
PID:2796

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
90⤵
PID:2844

C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe
"C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe"
90⤵
PID:2968

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
91⤵
PID:2932

C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe
"C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe"
91⤵
PID:2988

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
92⤵
PID:1956

C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe
"C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe"
92⤵
PID:2084

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
93⤵
PID:2340

C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe
"C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe"
93⤵
PID:2184

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
94⤵
PID:572

C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe
"C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe"
94⤵
PID:2312

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
95⤵
PID:1976

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
95⤵
PID:2208

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
95⤵
PID:2360

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
95⤵
PID:1744

C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe
"C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe"
95⤵
PID:1060

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
96⤵
PID:2228

C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe
"C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe"
96⤵
PID:1952

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
97⤵
PID:2424

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
97⤵
PID:2176

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
97⤵
PID:2408

C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe
"C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe"
97⤵
PID:1904

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
98⤵
PID:2380

C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe
"C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe"
98⤵
PID:2916

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
99⤵
PID:2072

C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe
"C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe"
99⤵
PID:1520

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
100⤵
PID:2900

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
100⤵
PID:1268

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
100⤵
PID:2884

C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe
"C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe"
100⤵
PID:1644

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
101⤵
PID:2388

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
101⤵
PID:2912

C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe
"C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe"
101⤵
PID:2992

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
102⤵
PID:2324

C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe
"C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe"
102⤵
PID:2080

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
103⤵
PID:1296

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
103⤵
PID:1496

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
103⤵
PID:1876

C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe
"C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe"
103⤵
PID:2360

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
104⤵
PID:1072

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
104⤵
PID:1236

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
104⤵
PID:1676

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
104⤵
PID:1400

C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe
"C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe"
104⤵
PID:868

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
105⤵
PID:2560

C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe
"C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe"
105⤵
PID:1440

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
106⤵
PID:2608

C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe
"C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe"
106⤵
PID:2492

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
107⤵
PID:3060

C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe
"C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe"
107⤵
PID:2456

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
108⤵
PID:2924

C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe
"C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe"
108⤵
PID:2060

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
109⤵
PID:2780

C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe
"C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe"
109⤵
PID:2644

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
110⤵
PID:2244

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
110⤵
PID:1420

C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe
"C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe"
110⤵
PID:2928

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
111⤵
PID:1080

C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe
"C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe"
111⤵
PID:1544

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
112⤵
PID:2540

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
112⤵
PID:2052

C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe
"C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe"
112⤵
PID:1980

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
113⤵
PID:2124

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
113⤵
PID:2636

C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe
"C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe"
113⤵
PID:2236

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
114⤵
PID:1308

C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe
"C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe"
114⤵
PID:2284

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
115⤵
PID:948

C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe
"C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe"
115⤵
PID:2700

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
116⤵
PID:2632

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
116⤵
PID:1068

C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe
"C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe"
116⤵
PID:2616

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
117⤵
PID:2756

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
117⤵
PID:2900

C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe
"C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe"
117⤵
PID:2684

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
118⤵
PID:1740

C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe
"C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe"
118⤵
PID:2656

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
119⤵
PID:2480

C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe
"C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe"
119⤵
PID:1720

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
120⤵
PID:2576

C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe
"C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe"
120⤵
PID:2192

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
121⤵
PID:3016

C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe
"C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe"
121⤵
PID:1592

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
122⤵
PID:2296

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
122⤵
PID:2164

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
122⤵
PID:1452

C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe
"C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe"
122⤵
PID:824

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
123⤵
PID:584

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
123⤵
PID:2176

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
123⤵
PID:2460

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
123⤵
PID:1912

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
123⤵
PID:2604

C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe
"C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe"
123⤵
PID:2796

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
124⤵
PID:2292

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
124⤵
PID:1356

C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe
"C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe"
124⤵
PID:2920

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
125⤵
PID:1728

C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe
"C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe"
125⤵
PID:2880

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
126⤵
PID:2380

C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe
"C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe"
126⤵
PID:2748

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
127⤵
PID:1584

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
127⤵
PID:1664

C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe
"C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe"
127⤵
PID:1968

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
128⤵
PID:2004

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
128⤵
PID:848

C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe
"C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe"
128⤵
PID:1984

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
129⤵
PID:2452

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
129⤵
PID:1008

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
129⤵
PID:384

C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe
"C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe"
129⤵
PID:756

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
130⤵
PID:1676

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
130⤵
PID:2568

C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe
"C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe"
130⤵
PID:584

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
131⤵
PID:1912

C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe
"C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe"
131⤵
PID:2848

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
132⤵
PID:2292

C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe
"C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe"
132⤵
PID:2128

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
133⤵
PID:2732

C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe
"C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe"
133⤵
PID:3000

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
134⤵
PID:300

C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe
"C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe"
134⤵
PID:2536

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
135⤵
PID:2832

C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe
"C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe"
135⤵
PID:2096

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
136⤵
PID:1572

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
136⤵
PID:2140

C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe
"C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe"
136⤵
PID:2940

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
137⤵
PID:2088

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
137⤵
PID:904

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
137⤵
PID:2620

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
137⤵
PID:2416

C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe
"C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe"
137⤵
PID:2064

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
138⤵
PID:1420

C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe
"C:\Users\Admin\AppData\Local\Temp\FT20200504 104835457 EMIRATE.exe"
138⤵
PID:2304

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
139⤵
PID:2420

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HJdyTuap.exe
Filesize
636KB

MD5
e9108c549e256d5ad0a1a937062a630b

SHA1
6a7d9eec7ef3561ac51f2b440af7ef2f647c6f49

SHA256
754a51022eed720c942f3e8868d3d02c1f871955c9e07f19972c889270148728

SHA512
ca365b8458af197c7b4d30ca10ab3437b0a862a9a4e17c8027fcb222406690ab1e558f63b4586e9c4c79fc667b7f86d8ee700aaf2ae1daffc7d38db063d32ec5

Download Submit
memory/368-82-0x0000000000000000-mapping.dmp

Download
memory/524-126-0x0000000000000000-mapping.dmp

Download
memory/668-136-0x000000000041E792-mapping.dmp

Download
memory/776-120-0x000000000041E792-mapping.dmp

Download
memory/820-134-0x0000000000000000-mapping.dmp

Download
memory/868-80-0x000000000041E792-mapping.dmp

Download
memory/908-92-0x000000000041E792-mapping.dmp

Download
memory/944-94-0x0000000000000000-mapping.dmp

Download
memory/960-67-0x0000000000860000-0x000000000086E000-memory.dmp

Filesize
56KB

Download
memory/960-71-0x0000000004370000-0x0000000004384000-memory.dmp

Filesize
80KB

Download
memory/960-66-0x0000000000850000-0x0000000000864000-memory.dmp

Filesize
80KB

Download
memory/960-59-0x000000000041E792-mapping.dmp

Download
memory/960-68-0x0000000000870000-0x000000000088E000-memory.dmp

Filesize
120KB

Download
memory/960-69-0x0000000004310000-0x000000000431A000-memory.dmp

Filesize
40KB

Download
memory/960-70-0x0000000004460000-0x000000000448E000-memory.dmp

Filesize
184KB

Download
memory/960-65-0x0000000000800000-0x000000000080E000-memory.dmp

Filesize
56KB

Download
memory/960-61-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/960-74-0x00000000044B5000-0x00000000044C6000-memory.dmp

Filesize
68KB

Download
memory/960-64-0x0000000000750000-0x000000000076A000-memory.dmp

Filesize
104KB

Download
memory/960-63-0x0000000000740000-0x0000000000752000-memory.dmp

Filesize
72KB

Download
memory/960-62-0x00000000006F0000-0x00000000006FA000-memory.dmp

Filesize
40KB

Download
memory/968-88-0x000000000041E792-mapping.dmp

Download
memory/1044-146-0x0000000000000000-mapping.dmp

Download
memory/1060-144-0x000000000041E792-mapping.dmp

Download
memory/1072-75-0x000000000041E792-mapping.dmp

Download
memory/1080-100-0x000000000041E792-mapping.dmp

Download
memory/1132-106-0x0000000000000000-mapping.dmp

Download
memory/1160-55-0x0000000000550000-0x00000000005D6000-memory.dmp

Filesize
536KB

Download
memory/1160-56-0x0000000075581000-0x0000000075583000-memory.dmp

Filesize
8KB

Download
memory/1160-57-0x00000000003C0000-0x00000000003C3000-memory.dmp

Filesize
12KB

Download
memory/1160-58-0x00000000003E0000-0x00000000003E3000-memory.dmp

Filesize
12KB

Download
memory/1160-54-0x00000000013E0000-0x0000000001484000-memory.dmp

Filesize
656KB

Download
memory/1200-124-0x000000000041E792-mapping.dmp

Download
memory/1240-130-0x0000000000000000-mapping.dmp

Download
memory/1256-142-0x0000000000000000-mapping.dmp

Download
memory/1260-104-0x000000000041E792-mapping.dmp

Download
memory/1316-132-0x000000000041E792-mapping.dmp

Download
memory/1364-77-0x0000000000000000-mapping.dmp

Download
memory/1492-108-0x000000000041E792-mapping.dmp

Download
memory/1504-102-0x0000000000000000-mapping.dmp

Download
memory/1548-110-0x0000000000000000-mapping.dmp

Download
memory/1556-118-0x0000000000000000-mapping.dmp

Download
memory/1636-86-0x0000000000000000-mapping.dmp

Download
memory/1640-90-0x0000000000000000-mapping.dmp

Download
memory/1644-112-0x000000000041E792-mapping.dmp

Download
memory/1696-138-0x0000000000000000-mapping.dmp

Download
memory/1760-98-0x0000000000000000-mapping.dmp

Download
memory/1776-114-0x0000000000000000-mapping.dmp

Download
memory/1888-190-0x0000000000000000-mapping.dmp

Download
memory/1932-84-0x000000000041E792-mapping.dmp

Download
memory/1960-72-0x0000000000000000-mapping.dmp

Download
memory/1988-140-0x000000000041E792-mapping.dmp

Download
memory/2000-128-0x000000000041E792-mapping.dmp

Download
memory/2008-116-0x000000000041E792-mapping.dmp

Download
memory/2024-122-0x0000000000000000-mapping.dmp

Download
memory/2032-96-0x000000000041E792-mapping.dmp

Download
memory/2060-148-0x000000000041E792-mapping.dmp

Download
memory/2068-192-0x000000000041E792-mapping.dmp

Download
memory/2100-196-0x000000000041E792-mapping.dmp

Download
memory/2104-150-0x0000000000000000-mapping.dmp

Download
memory/2120-198-0x0000000000000000-mapping.dmp

Download
memory/2132-152-0x000000000041E792-mapping.dmp

Download
memory/2172-154-0x0000000000000000-mapping.dmp

Download
memory/2180-194-0x0000000000000000-mapping.dmp

Download
memory/2236-156-0x000000000041E792-mapping.dmp

Download
memory/2276-158-0x0000000000000000-mapping.dmp

Download
memory/2308-160-0x000000000041E792-mapping.dmp

Download
memory/2376-162-0x0000000000000000-mapping.dmp

Download
memory/2412-164-0x000000000041E792-mapping.dmp

Download
memory/2468-166-0x0000000000000000-mapping.dmp

Download
memory/2532-168-0x000000000041E792-mapping.dmp

Download
memory/2596-170-0x0000000000000000-mapping.dmp

Download
memory/2624-172-0x000000000041E792-mapping.dmp

Download
memory/2688-174-0x0000000000000000-mapping.dmp

Download
memory/2720-176-0x000000000041E792-mapping.dmp

Download
memory/2788-178-0x0000000000000000-mapping.dmp

Download
memory/2816-180-0x000000000041E792-mapping.dmp

Download
memory/2892-182-0x0000000000000000-mapping.dmp

Download
memory/2928-184-0x000000000041E792-mapping.dmp

Download
memory/2996-186-0x0000000000000000-mapping.dmp

Download
memory/3024-188-0x000000000041E792-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads