agenttesla | 06e32937444cad24306cd4020ba596618315a1329d0f6cc1aebdc8f9f2ed1dc7

General

Target

transfer copy.exe
Size

661KB
MD5

551285c43af035791a7d1dd2b6a5d3b3
SHA1

8ee21711c73f0f7482364e5decad825d11f56d89
SHA256

bc7796f8bd7d5a36829a8cb64edac24a195ba0887053f90ca0d74899ed9a4d3c
SHA512

4dbea5084c0b61262622bec592136cb5dff9c7b122447ba1be0f7c773982628add70ceee2c8359ff298b9ed65b41e3869ebb9a30a1031283997dacf1dea6085d

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
us2.smtp.mailhostbox.com
Port:
587
Username:
safaa.bishara@santemoraegypt.com
Password:
chimaroke2020

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla Payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2008-59-0x0000000000400000-0x0000000000450000-memory.dmp	family_agenttesla

Suspicious use of SetThreadContext 64 IoCs

Processes:

transfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exe

description	pid	process	target process
PID 756 set thread context of 2008	756	transfer copy.exe	RegAsm.exe
PID 1616 set thread context of 1952	1616	transfer copy.exe	RegAsm.exe
PID 868 set thread context of 1468	868	transfer copy.exe	RegAsm.exe
PID 1080 set thread context of 1792	1080	transfer copy.exe	RegAsm.exe
PID 468 set thread context of 1456	468	transfer copy.exe	RegAsm.exe
PID 384 set thread context of 520	384	transfer copy.exe	RegAsm.exe
PID 1148 set thread context of 1756	1148	transfer copy.exe	RegAsm.exe
PID 1360 set thread context of 1076	1360	transfer copy.exe	RegAsm.exe
PID 2032 set thread context of 432	2032	transfer copy.exe	RegAsm.exe
PID 956 set thread context of 1824	956	transfer copy.exe	RegAsm.exe
PID 1712 set thread context of 1220	1712	transfer copy.exe	RegAsm.exe
PID 1952 set thread context of 760	1952	transfer copy.exe	RegAsm.exe
PID 1900 set thread context of 296	1900	transfer copy.exe	RegAsm.exe
PID 1784 set thread context of 1700	1784	transfer copy.exe	RegAsm.exe
PID 1968 set thread context of 2044	1968	transfer copy.exe	RegAsm.exe
PID 1056 set thread context of 1772	1056	transfer copy.exe	RegAsm.exe
PID 536 set thread context of 1588	536	transfer copy.exe	RegAsm.exe
PID 1076 set thread context of 296	1076	transfer copy.exe	RegAsm.exe
PID 952 set thread context of 568	952	transfer copy.exe	RegAsm.exe
PID 932 set thread context of 608	932	transfer copy.exe	RegAsm.exe
PID 1752 set thread context of 688	1752	transfer copy.exe	RegAsm.exe
PID 1524 set thread context of 1812	1524	transfer copy.exe	RegAsm.exe
PID 892 set thread context of 836	892	transfer copy.exe	RegAsm.exe
PID 1172 set thread context of 1540	1172	transfer copy.exe	RegAsm.exe
PID 1508 set thread context of 1656	1508	transfer copy.exe	RegAsm.exe
PID 1100 set thread context of 1588	1100	transfer copy.exe	RegAsm.exe
PID 1472 set thread context of 840	1472	transfer copy.exe	RegAsm.exe
PID 1916 set thread context of 1824	1916	transfer copy.exe	RegAsm.exe
PID 580 set thread context of 1204	580	transfer copy.exe	RegAsm.exe
PID 688 set thread context of 1880	688	transfer copy.exe	RegAsm.exe
PID 1812 set thread context of 900	1812	transfer copy.exe	RegAsm.exe
PID 852 set thread context of 976	852	transfer copy.exe	RegAsm.exe
PID 1940 set thread context of 576	1940	transfer copy.exe	RegAsm.exe
PID 1288 set thread context of 1588	1288	transfer copy.exe	RegAsm.exe
PID 1804 set thread context of 268	1804	transfer copy.exe	RegAsm.exe
PID 2020 set thread context of 1456	2020	transfer copy.exe	RegAsm.exe
PID 588 set thread context of 584	588	transfer copy.exe	RegAsm.exe
PID 2016 set thread context of 1140	2016	transfer copy.exe	RegAsm.exe
PID 608 set thread context of 1576	608	transfer copy.exe	RegAsm.exe
PID 296 set thread context of 1468	296	transfer copy.exe	RegAsm.exe
PID 1928 set thread context of 1596	1928	transfer copy.exe	RegAsm.exe
PID 1672 set thread context of 1020	1672	transfer copy.exe	RegAsm.exe
PID 1876 set thread context of 1540	1876	transfer copy.exe	RegAsm.exe
PID 2024 set thread context of 1604	2024	transfer copy.exe	RegAsm.exe
PID 696 set thread context of 1868	696	transfer copy.exe	RegAsm.exe
PID 992 set thread context of 1960	992	transfer copy.exe	RegAsm.exe
PID 1164 set thread context of 1652	1164	transfer copy.exe	RegAsm.exe
PID 1452 set thread context of 996	1452	transfer copy.exe	RegAsm.exe
PID 1020 set thread context of 1896	1020	transfer copy.exe	RegAsm.exe
PID 1608 set thread context of 1728	1608	transfer copy.exe	RegAsm.exe
PID 568 set thread context of 1652	568	transfer copy.exe	RegAsm.exe
PID 1600 set thread context of 1316	1600	transfer copy.exe	RegAsm.exe
PID 1768 set thread context of 1868	1768	transfer copy.exe	RegAsm.exe
PID 364 set thread context of 520	364	transfer copy.exe	RegAsm.exe
PID 1640 set thread context of 1108	1640	transfer copy.exe	RegAsm.exe
PID 2044 set thread context of 872	2044	transfer copy.exe	RegAsm.exe
PID 1220 set thread context of 1008	1220	transfer copy.exe	RegAsm.exe
PID 1112 set thread context of 544	1112	transfer copy.exe	RegAsm.exe
PID 1264 set thread context of 996	1264	transfer copy.exe	RegAsm.exe
PID 2008 set thread context of 1704	2008	transfer copy.exe	RegAsm.exe
PID 1904 set thread context of 1248	1904	transfer copy.exe	RegAsm.exe
PID 760 set thread context of 1772	760	transfer copy.exe	RegAsm.exe
PID 1324 set thread context of 1256	1324	transfer copy.exe	RegAsm.exe
PID 1656 set thread context of 1476	1656	transfer copy.exe	RegAsm.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

transfer copy.exe

pid	process
756	transfer copy.exe
756	transfer copy.exe
756	transfer copy.exe
756	transfer copy.exe
756	transfer copy.exe
756	transfer copy.exe
756	transfer copy.exe
756	transfer copy.exe
756	transfer copy.exe
756	transfer copy.exe
756	transfer copy.exe
756	transfer copy.exe
756	transfer copy.exe
756	transfer copy.exe
756	transfer copy.exe
756	transfer copy.exe
756	transfer copy.exe
756	transfer copy.exe
756	transfer copy.exe
756	transfer copy.exe
756	transfer copy.exe
756	transfer copy.exe
756	transfer copy.exe
756	transfer copy.exe
756	transfer copy.exe
756	transfer copy.exe
756	transfer copy.exe
756	transfer copy.exe
756	transfer copy.exe
756	transfer copy.exe
756	transfer copy.exe
756	transfer copy.exe
756	transfer copy.exe
756	transfer copy.exe
756	transfer copy.exe
756	transfer copy.exe
756	transfer copy.exe
756	transfer copy.exe
756	transfer copy.exe
756	transfer copy.exe
756	transfer copy.exe
756	transfer copy.exe
756	transfer copy.exe
756	transfer copy.exe
756	transfer copy.exe
756	transfer copy.exe
756	transfer copy.exe
756	transfer copy.exe
756	transfer copy.exe
756	transfer copy.exe
756	transfer copy.exe
756	transfer copy.exe
756	transfer copy.exe
756	transfer copy.exe
756	transfer copy.exe
756	transfer copy.exe
756	transfer copy.exe
756	transfer copy.exe
756	transfer copy.exe
756	transfer copy.exe
756	transfer copy.exe
756	transfer copy.exe
756	transfer copy.exe
756	transfer copy.exe

Suspicious behavior: MapViewOfSection 64 IoCs

Processes:

transfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exe

pid	process
756	transfer copy.exe
1616	transfer copy.exe
868	transfer copy.exe
1080	transfer copy.exe
1080	transfer copy.exe
468	transfer copy.exe
384	transfer copy.exe
1148	transfer copy.exe
1360	transfer copy.exe
1360	transfer copy.exe
2032	transfer copy.exe
956	transfer copy.exe
1712	transfer copy.exe
1952	transfer copy.exe
1900	transfer copy.exe
1784	transfer copy.exe
1968	transfer copy.exe
1056	transfer copy.exe
536	transfer copy.exe
1076	transfer copy.exe
952	transfer copy.exe
932	transfer copy.exe
1752	transfer copy.exe
1524	transfer copy.exe
892	transfer copy.exe
1172	transfer copy.exe
1508	transfer copy.exe
1100	transfer copy.exe
1472	transfer copy.exe
1916	transfer copy.exe
580	transfer copy.exe
688	transfer copy.exe
1812	transfer copy.exe
852	transfer copy.exe
1940	transfer copy.exe
1288	transfer copy.exe
1804	transfer copy.exe
2020	transfer copy.exe
588	transfer copy.exe
2016	transfer copy.exe
608	transfer copy.exe
296	transfer copy.exe
1928	transfer copy.exe
1672	transfer copy.exe
1876	transfer copy.exe
2024	transfer copy.exe
696	transfer copy.exe
696	transfer copy.exe
992	transfer copy.exe
1164	transfer copy.exe
1452	transfer copy.exe
1020	transfer copy.exe
1020	transfer copy.exe
1608	transfer copy.exe
568	transfer copy.exe
1600	transfer copy.exe
1768	transfer copy.exe
364	transfer copy.exe
1640	transfer copy.exe
2044	transfer copy.exe
1220	transfer copy.exe
1112	transfer copy.exe
1264	transfer copy.exe
2008	transfer copy.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

transfer copy.exeRegAsm.exetransfer copy.exeRegAsm.exetransfer copy.exeRegAsm.exetransfer copy.exeRegAsm.exetransfer copy.exeRegAsm.exetransfer copy.exeRegAsm.exetransfer copy.exeRegAsm.exetransfer copy.exeRegAsm.exetransfer copy.exeRegAsm.exetransfer copy.exetransfer copy.exeRegAsm.exetransfer copy.exeRegAsm.exetransfer copy.exeRegAsm.exetransfer copy.exeRegAsm.exetransfer copy.exeRegAsm.exetransfer copy.exeRegAsm.exetransfer copy.exeRegAsm.exetransfer copy.exeRegAsm.exetransfer copy.exeRegAsm.exetransfer copy.exeRegAsm.exetransfer copy.exeRegAsm.exetransfer copy.exeRegAsm.exetransfer copy.exeRegAsm.exeRegAsm.exetransfer copy.exeRegAsm.exetransfer copy.exeRegAsm.exetransfer copy.exeRegAsm.exetransfer copy.exeRegAsm.exetransfer copy.exetransfer copy.exeRegAsm.exetransfer copy.exeRegAsm.exetransfer copy.exeRegAsm.exetransfer copy.exeRegAsm.exetransfer copy.exe

description	pid	process
Token: SeDebugPrivilege	756	transfer copy.exe
Token: SeDebugPrivilege	2008	RegAsm.exe
Token: SeDebugPrivilege	1616	transfer copy.exe
Token: SeDebugPrivilege	1952	RegAsm.exe
Token: SeDebugPrivilege	868	transfer copy.exe
Token: SeDebugPrivilege	1468	RegAsm.exe
Token: SeDebugPrivilege	1080	transfer copy.exe
Token: SeDebugPrivilege	1792	RegAsm.exe
Token: SeDebugPrivilege	468	transfer copy.exe
Token: SeDebugPrivilege	1456	RegAsm.exe
Token: SeDebugPrivilege	384	transfer copy.exe
Token: SeDebugPrivilege	520	RegAsm.exe
Token: SeDebugPrivilege	1148	transfer copy.exe
Token: SeDebugPrivilege	1756	RegAsm.exe
Token: SeDebugPrivilege	1360	transfer copy.exe
Token: SeDebugPrivilege	1076	RegAsm.exe
Token: SeDebugPrivilege	2032	transfer copy.exe
Token: SeDebugPrivilege	432	RegAsm.exe
Token: SeDebugPrivilege	956	transfer copy.exe
Token: SeDebugPrivilege	1712	transfer copy.exe
Token: SeDebugPrivilege	1220	RegAsm.exe
Token: SeDebugPrivilege	1952	transfer copy.exe
Token: SeDebugPrivilege	760	RegAsm.exe
Token: SeDebugPrivilege	1900	transfer copy.exe
Token: SeDebugPrivilege	296	RegAsm.exe
Token: SeDebugPrivilege	1784	transfer copy.exe
Token: SeDebugPrivilege	1700	RegAsm.exe
Token: SeDebugPrivilege	1968	transfer copy.exe
Token: SeDebugPrivilege	2044	RegAsm.exe
Token: SeDebugPrivilege	1056	transfer copy.exe
Token: SeDebugPrivilege	1772	RegAsm.exe
Token: SeDebugPrivilege	536	transfer copy.exe
Token: SeDebugPrivilege	1588	RegAsm.exe
Token: SeDebugPrivilege	1076	transfer copy.exe
Token: SeDebugPrivilege	296	RegAsm.exe
Token: SeDebugPrivilege	952	transfer copy.exe
Token: SeDebugPrivilege	568	RegAsm.exe
Token: SeDebugPrivilege	932	transfer copy.exe
Token: SeDebugPrivilege	608	RegAsm.exe
Token: SeDebugPrivilege	1752	transfer copy.exe
Token: SeDebugPrivilege	688	RegAsm.exe
Token: SeDebugPrivilege	1524	transfer copy.exe
Token: SeDebugPrivilege	1812	RegAsm.exe
Token: SeDebugPrivilege	892	transfer copy.exe
Token: SeDebugPrivilege	836	RegAsm.exe
Token: SeDebugPrivilege	900	RegAsm.exe
Token: SeDebugPrivilege	1172	transfer copy.exe
Token: SeDebugPrivilege	1540	RegAsm.exe
Token: SeDebugPrivilege	1508	transfer copy.exe
Token: SeDebugPrivilege	1656	RegAsm.exe
Token: SeDebugPrivilege	1100	transfer copy.exe
Token: SeDebugPrivilege	1588	RegAsm.exe
Token: SeDebugPrivilege	1472	transfer copy.exe
Token: SeDebugPrivilege	840	RegAsm.exe
Token: SeDebugPrivilege	1916	transfer copy.exe
Token: SeDebugPrivilege	580	transfer copy.exe
Token: SeDebugPrivilege	1204	RegAsm.exe
Token: SeDebugPrivilege	688	transfer copy.exe
Token: SeDebugPrivilege	1880	RegAsm.exe
Token: SeDebugPrivilege	1812	transfer copy.exe
Token: SeDebugPrivilege	900	RegAsm.exe
Token: SeDebugPrivilege	852	transfer copy.exe
Token: SeDebugPrivilege	976	RegAsm.exe
Token: SeDebugPrivilege	1940	transfer copy.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

transfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exe

description	pid	process	target process
PID 756 wrote to memory of 2008	756	transfer copy.exe	RegAsm.exe
PID 756 wrote to memory of 2008	756	transfer copy.exe	RegAsm.exe
PID 756 wrote to memory of 2008	756	transfer copy.exe	RegAsm.exe
PID 756 wrote to memory of 2008	756	transfer copy.exe	RegAsm.exe
PID 756 wrote to memory of 2008	756	transfer copy.exe	RegAsm.exe
PID 756 wrote to memory of 2008	756	transfer copy.exe	RegAsm.exe
PID 756 wrote to memory of 2008	756	transfer copy.exe	RegAsm.exe
PID 756 wrote to memory of 2008	756	transfer copy.exe	RegAsm.exe
PID 756 wrote to memory of 1616	756	transfer copy.exe	transfer copy.exe
PID 756 wrote to memory of 1616	756	transfer copy.exe	transfer copy.exe
PID 756 wrote to memory of 1616	756	transfer copy.exe	transfer copy.exe
PID 756 wrote to memory of 1616	756	transfer copy.exe	transfer copy.exe
PID 1616 wrote to memory of 1952	1616	transfer copy.exe	RegAsm.exe
PID 1616 wrote to memory of 1952	1616	transfer copy.exe	RegAsm.exe
PID 1616 wrote to memory of 1952	1616	transfer copy.exe	RegAsm.exe
PID 1616 wrote to memory of 1952	1616	transfer copy.exe	RegAsm.exe
PID 1616 wrote to memory of 1952	1616	transfer copy.exe	RegAsm.exe
PID 1616 wrote to memory of 1952	1616	transfer copy.exe	RegAsm.exe
PID 1616 wrote to memory of 1952	1616	transfer copy.exe	RegAsm.exe
PID 1616 wrote to memory of 1952	1616	transfer copy.exe	RegAsm.exe
PID 1616 wrote to memory of 868	1616	transfer copy.exe	transfer copy.exe
PID 1616 wrote to memory of 868	1616	transfer copy.exe	transfer copy.exe
PID 1616 wrote to memory of 868	1616	transfer copy.exe	transfer copy.exe
PID 1616 wrote to memory of 868	1616	transfer copy.exe	transfer copy.exe
PID 868 wrote to memory of 1468	868	transfer copy.exe	RegAsm.exe
PID 868 wrote to memory of 1468	868	transfer copy.exe	RegAsm.exe
PID 868 wrote to memory of 1468	868	transfer copy.exe	RegAsm.exe
PID 868 wrote to memory of 1468	868	transfer copy.exe	RegAsm.exe
PID 868 wrote to memory of 1468	868	transfer copy.exe	RegAsm.exe
PID 868 wrote to memory of 1468	868	transfer copy.exe	RegAsm.exe
PID 868 wrote to memory of 1468	868	transfer copy.exe	RegAsm.exe
PID 868 wrote to memory of 1468	868	transfer copy.exe	RegAsm.exe
PID 868 wrote to memory of 1080	868	transfer copy.exe	transfer copy.exe
PID 868 wrote to memory of 1080	868	transfer copy.exe	transfer copy.exe
PID 868 wrote to memory of 1080	868	transfer copy.exe	transfer copy.exe
PID 868 wrote to memory of 1080	868	transfer copy.exe	transfer copy.exe
PID 1080 wrote to memory of 536	1080	transfer copy.exe	RegAsm.exe
PID 1080 wrote to memory of 536	1080	transfer copy.exe	RegAsm.exe
PID 1080 wrote to memory of 536	1080	transfer copy.exe	RegAsm.exe
PID 1080 wrote to memory of 536	1080	transfer copy.exe	RegAsm.exe
PID 1080 wrote to memory of 536	1080	transfer copy.exe	RegAsm.exe
PID 1080 wrote to memory of 536	1080	transfer copy.exe	RegAsm.exe
PID 1080 wrote to memory of 536	1080	transfer copy.exe	RegAsm.exe
PID 1080 wrote to memory of 1792	1080	transfer copy.exe	RegAsm.exe
PID 1080 wrote to memory of 1792	1080	transfer copy.exe	RegAsm.exe
PID 1080 wrote to memory of 1792	1080	transfer copy.exe	RegAsm.exe
PID 1080 wrote to memory of 1792	1080	transfer copy.exe	RegAsm.exe
PID 1080 wrote to memory of 1792	1080	transfer copy.exe	RegAsm.exe
PID 1080 wrote to memory of 1792	1080	transfer copy.exe	RegAsm.exe
PID 1080 wrote to memory of 1792	1080	transfer copy.exe	RegAsm.exe
PID 1080 wrote to memory of 1792	1080	transfer copy.exe	RegAsm.exe
PID 1080 wrote to memory of 468	1080	transfer copy.exe	transfer copy.exe
PID 1080 wrote to memory of 468	1080	transfer copy.exe	transfer copy.exe
PID 1080 wrote to memory of 468	1080	transfer copy.exe	transfer copy.exe
PID 1080 wrote to memory of 468	1080	transfer copy.exe	transfer copy.exe
PID 468 wrote to memory of 1456	468	transfer copy.exe	RegAsm.exe
PID 468 wrote to memory of 1456	468	transfer copy.exe	RegAsm.exe
PID 468 wrote to memory of 1456	468	transfer copy.exe	RegAsm.exe
PID 468 wrote to memory of 1456	468	transfer copy.exe	RegAsm.exe
PID 468 wrote to memory of 1456	468	transfer copy.exe	RegAsm.exe
PID 468 wrote to memory of 1456	468	transfer copy.exe	RegAsm.exe
PID 468 wrote to memory of 1456	468	transfer copy.exe	RegAsm.exe
PID 468 wrote to memory of 1456	468	transfer copy.exe	RegAsm.exe
PID 468 wrote to memory of 384	468	transfer copy.exe	transfer copy.exe

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:756

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2008

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1616

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1952

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:868

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1468

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
4⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1080

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
5⤵
PID:536

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:1792

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
5⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:468

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:1456

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
6⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:384

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
7⤵
- Suspicious use of AdjustPrivilegeToken
PID:520

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
7⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1148

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
8⤵
- Suspicious use of AdjustPrivilegeToken
PID:1756

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
8⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1360

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
9⤵
PID:576

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
9⤵
- Suspicious use of AdjustPrivilegeToken
PID:1076

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
9⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2032

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
10⤵
- Suspicious use of AdjustPrivilegeToken
PID:432

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
10⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:956

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
11⤵
PID:1824

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
11⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1712

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
12⤵
- Suspicious use of AdjustPrivilegeToken
PID:1220

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
12⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1952

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
13⤵
- Suspicious use of AdjustPrivilegeToken
PID:760

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
13⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1900

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
14⤵
- Suspicious use of AdjustPrivilegeToken
PID:296

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
14⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1784

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
15⤵
- Suspicious use of AdjustPrivilegeToken
PID:1700

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
15⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1968

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
16⤵
- Suspicious use of AdjustPrivilegeToken
PID:2044

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
16⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1056

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
17⤵
- Suspicious use of AdjustPrivilegeToken
PID:1772

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
17⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:536

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
18⤵
- Suspicious use of AdjustPrivilegeToken
PID:1588

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
18⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1076

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
19⤵
- Suspicious use of AdjustPrivilegeToken
PID:296

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
19⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:952

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
20⤵
- Suspicious use of AdjustPrivilegeToken
PID:568

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
20⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:932

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
21⤵
- Suspicious use of AdjustPrivilegeToken
PID:608

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
21⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1752

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
22⤵
- Suspicious use of AdjustPrivilegeToken
PID:688

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
22⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1524

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
23⤵
- Suspicious use of AdjustPrivilegeToken
PID:1812

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
23⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:892

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
24⤵
- Suspicious use of AdjustPrivilegeToken
PID:836

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
24⤵
PID:1824

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
25⤵
- Suspicious use of AdjustPrivilegeToken
PID:900

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
25⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1172

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
26⤵
- Suspicious use of AdjustPrivilegeToken
PID:1540

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
26⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1508

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
27⤵
- Suspicious use of AdjustPrivilegeToken
PID:1656

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
27⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1100

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
28⤵
- Suspicious use of AdjustPrivilegeToken
PID:1588

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
28⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1472

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
29⤵
- Suspicious use of AdjustPrivilegeToken
PID:840

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
29⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1916

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
30⤵
PID:1824

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
30⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:580

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
31⤵
- Suspicious use of AdjustPrivilegeToken
PID:1204

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
31⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:688

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
32⤵
- Suspicious use of AdjustPrivilegeToken
PID:1880

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
32⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1812

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
33⤵
- Suspicious use of AdjustPrivilegeToken
PID:900

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
33⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:852

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
34⤵
- Suspicious use of AdjustPrivilegeToken
PID:976

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
34⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1940

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
35⤵
PID:576

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
35⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:1288

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
36⤵
PID:1588

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
36⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:1804

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
37⤵
PID:268

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
37⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:2020

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
38⤵
PID:1456

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
38⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:588

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
39⤵
PID:584

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
39⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:2016

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
40⤵
PID:1140

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
40⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:608

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
41⤵
PID:1576

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
41⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:296

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
42⤵
PID:1468

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
42⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:1928

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
43⤵
PID:1596

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
43⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:1672

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
44⤵
PID:1020

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
44⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:1876

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
45⤵
PID:1540

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
45⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:2024

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
46⤵
PID:1604

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
46⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:696

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
47⤵
PID:988

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
47⤵
PID:1868

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
47⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:992

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
48⤵
PID:1960

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
48⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:1164

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
49⤵
PID:1652

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
49⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:1452

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
50⤵
PID:996

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
50⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:1020

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
51⤵
PID:1276

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
51⤵
PID:1896

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
51⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:1608

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
52⤵
PID:1728

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
52⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:568

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
53⤵
PID:1652

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
53⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:1600

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
54⤵
PID:1316

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
54⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:1768

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
55⤵
PID:1868

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
55⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:364

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
56⤵
PID:520

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
56⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:1640

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
57⤵
PID:1108

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
57⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:2044

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
58⤵
PID:872

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
58⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:1220

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
59⤵
PID:1008

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
59⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:1112

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
60⤵
PID:544

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
60⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:1264

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
61⤵
PID:996

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
61⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:2008

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
62⤵
PID:1704

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
62⤵
- Suspicious use of SetThreadContext
PID:1904

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
63⤵
PID:1248

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
63⤵
- Suspicious use of SetThreadContext
PID:760

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
64⤵
PID:1772

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
64⤵
- Suspicious use of SetThreadContext
PID:1324

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
65⤵
PID:1256

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
65⤵
- Suspicious use of SetThreadContext
PID:1656

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
66⤵
PID:1476

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
66⤵
PID:1960

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
67⤵
PID:1576

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
67⤵
PID:896

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
68⤵
PID:544

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
68⤵
PID:988

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
69⤵
PID:1696

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
69⤵
PID:1204

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
70⤵
PID:704

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
70⤵
PID:1596

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
71⤵
PID:1700

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
71⤵
PID:1896

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
72⤵
PID:996

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
72⤵
PID:692

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
73⤵
PID:1432

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
73⤵
PID:1396

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
74⤵
PID:908

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
74⤵
PID:900

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
75⤵
PID:1912

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
75⤵
PID:1604

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
76⤵
PID:704

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
76⤵
PID:1756

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
77⤵
PID:360

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
77⤵
PID:1696

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
78⤵
PID:1880

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
78⤵
PID:1504

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
79⤵
PID:1612

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
79⤵
PID:908

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
80⤵
PID:1108

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
80⤵
PID:1244

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
81⤵
PID:1208

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
81⤵
PID:1416

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
82⤵
PID:976

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
82⤵
PID:1540

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
83⤵
PID:1772

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
83⤵
PID:1140

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
84⤵
PID:1208

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
84⤵
PID:1556

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
85⤵
PID:1316

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
85⤵
PID:432

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
86⤵
PID:520

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
86⤵
PID:1664

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
87⤵
PID:1476

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
87⤵
PID:1256

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
88⤵
PID:1576

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
88⤵
PID:1276

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
89⤵
PID:2036

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
89⤵
PID:1888

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
90⤵
PID:1908

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
90⤵
PID:1868

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
91⤵
PID:2012

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
91⤵
PID:2036

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
92⤵
PID:520

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
92⤵
PID:1184

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
93⤵
PID:1740

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
93⤵
PID:1824

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
94⤵
PID:584

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
94⤵
PID:836

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
95⤵
PID:1652

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
95⤵
PID:1544

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
96⤵
PID:576

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
96⤵
PID:544

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
97⤵
PID:1824

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
97⤵
PID:1772

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
98⤵
PID:1516

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
98⤵
PID:1580

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
99⤵
PID:764

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
99⤵
PID:1576

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
100⤵
PID:996

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
100⤵
PID:1480

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
100⤵
PID:284

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
101⤵
PID:1548

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
101⤵
PID:1476

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
102⤵
PID:1908

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
102⤵
PID:360

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
103⤵
PID:1740

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
103⤵
PID:632

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
104⤵
PID:704

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
104⤵
PID:976

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
105⤵
PID:1792

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
105⤵
PID:1872

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
106⤵
PID:1880

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
106⤵
PID:1516

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
107⤵
PID:1824

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
107⤵
PID:520

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
108⤵
PID:704

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
108⤵
PID:996

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
109⤵
PID:1792

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
109⤵
PID:1500

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
110⤵
PID:1120

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
110⤵
PID:1964

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
111⤵
PID:1740

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
111⤵
PID:1348

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
112⤵
PID:1432

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
112⤵
PID:940

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
113⤵
PID:1292

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
113⤵
PID:844

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
114⤵
PID:1944

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
114⤵
PID:1824

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
115⤵
PID:1292

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
115⤵
PID:1792

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
116⤵
PID:552

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
116⤵
PID:2124

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
117⤵
PID:2148

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
117⤵
PID:2228

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
118⤵
PID:2252

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
118⤵
PID:2328

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
119⤵
PID:2352

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
119⤵
PID:2432

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
120⤵
PID:2456

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
120⤵
PID:2536

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
121⤵
PID:2560

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
121⤵
PID:2648

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
122⤵
PID:2672

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
122⤵
PID:2752

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
123⤵
PID:2776

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
123⤵
PID:2840

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
124⤵
PID:2872

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
124⤵
PID:2952

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
125⤵
PID:2976

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
125⤵
PID:2984

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
125⤵
PID:3068

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
126⤵
PID:1912

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
126⤵
PID:2144

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
127⤵
PID:1884

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
127⤵
PID:1880

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
128⤵
PID:2120

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
128⤵
PID:2128

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
129⤵
PID:2224

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
129⤵
PID:2244

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
130⤵
PID:2388

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
130⤵
PID:2364

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
130⤵
PID:2344

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
131⤵
PID:2472

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
131⤵
PID:2628

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
132⤵
PID:2576

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
132⤵
PID:2732

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
133⤵
PID:2692

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
133⤵
PID:2704

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
133⤵
PID:2716

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
133⤵
PID:2788

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
134⤵
PID:2776

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
134⤵
PID:2912

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
135⤵
PID:1468

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
135⤵
PID:584

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
135⤵
PID:3016

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
136⤵
PID:2984

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
136⤵
PID:2072

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
137⤵
PID:2092

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
137⤵
PID:872

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
138⤵
PID:2188

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
138⤵
PID:2196

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
139⤵
PID:1008

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
139⤵
PID:2292

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
140⤵
PID:2132

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
140⤵
PID:2516

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
141⤵
PID:2572

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
141⤵
PID:2320

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
141⤵
PID:2444

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
142⤵
PID:2568

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
142⤵
PID:1536

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
143⤵
PID:2704

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
143⤵
PID:2740

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
144⤵
PID:3036

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
144⤵
PID:2932

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
145⤵
PID:3000

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
145⤵
PID:2856

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
146⤵
PID:704

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
146⤵
PID:764

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
147⤵
PID:2156

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
147⤵
PID:2092

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
148⤵
PID:1120

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/296-106-0x000000000044B5BE-mapping.dmp

Download
memory/296-126-0x000000000044B5BE-mapping.dmp

Download
memory/384-77-0x0000000000000000-mapping.dmp

Download
memory/432-91-0x000000000044B5BE-mapping.dmp

Download
memory/468-73-0x0000000000000000-mapping.dmp

Download
memory/520-79-0x000000000044B5BE-mapping.dmp

Download
memory/536-120-0x0000000000000000-mapping.dmp

Download
memory/568-130-0x000000000044B5BE-mapping.dmp

Download
memory/580-168-0x0000000000000000-mapping.dmp

Download
memory/608-134-0x000000000044B5BE-mapping.dmp

Download
memory/688-172-0x0000000000000000-mapping.dmp

Download
memory/688-138-0x000000000044B5BE-mapping.dmp

Download
memory/756-54-0x0000000000170000-0x000000000021C000-memory.dmp

Filesize
688KB

Download
memory/756-60-0x00000000002B0000-0x00000000002B3000-memory.dmp

Filesize
12KB

Download
memory/756-56-0x00000000763E1000-0x00000000763E3000-memory.dmp

Filesize
8KB

Download
memory/756-55-0x00000000006C0000-0x0000000000718000-memory.dmp

Filesize
352KB

Download
memory/760-102-0x000000000044B5BE-mapping.dmp

Download
memory/836-146-0x000000000044B5BE-mapping.dmp

Download
memory/840-163-0x000000000044B5BE-mapping.dmp

Download
memory/852-180-0x0000000000000000-mapping.dmp

Download
memory/868-65-0x0000000000000000-mapping.dmp

Download
memory/892-144-0x0000000000000000-mapping.dmp

Download
memory/900-178-0x000000000044B5BE-mapping.dmp

Download
memory/932-132-0x0000000000000000-mapping.dmp

Download
memory/952-128-0x0000000000000000-mapping.dmp

Download
memory/956-93-0x0000000000000000-mapping.dmp

Download
memory/976-182-0x000000000044B5BE-mapping.dmp

Download
memory/1056-116-0x0000000000000000-mapping.dmp

Download
memory/1076-124-0x0000000000000000-mapping.dmp

Download
memory/1076-87-0x000000000044B5BE-mapping.dmp

Download
memory/1080-69-0x0000000000000000-mapping.dmp

Download
memory/1100-157-0x0000000000000000-mapping.dmp

Download
memory/1148-81-0x0000000000000000-mapping.dmp

Download
memory/1204-170-0x000000000044B5BE-mapping.dmp

Download
memory/1220-98-0x000000000044B5BE-mapping.dmp

Download
memory/1360-85-0x0000000000000000-mapping.dmp

Download
memory/1456-75-0x000000000044B5BE-mapping.dmp

Download
memory/1468-67-0x000000000044B5BE-mapping.dmp

Download
memory/1472-161-0x0000000000000000-mapping.dmp

Download
memory/1508-153-0x0000000000000000-mapping.dmp

Download
memory/1524-140-0x0000000000000000-mapping.dmp

Download
memory/1540-151-0x000000000044B5BE-mapping.dmp

Download
memory/1588-159-0x000000000044B5BE-mapping.dmp

Download
memory/1588-122-0x000000000044B5BE-mapping.dmp

Download
memory/1616-61-0x0000000000000000-mapping.dmp

Download
memory/1656-155-0x000000000044B5BE-mapping.dmp

Download
memory/1700-110-0x000000000044B5BE-mapping.dmp

Download
memory/1712-96-0x0000000000000000-mapping.dmp

Download
memory/1752-136-0x0000000000000000-mapping.dmp

Download
memory/1756-83-0x000000000044B5BE-mapping.dmp

Download
memory/1772-118-0x000000000044B5BE-mapping.dmp

Download
memory/1784-108-0x0000000000000000-mapping.dmp

Download
memory/1792-71-0x000000000044B5BE-mapping.dmp

Download
memory/1812-176-0x0000000000000000-mapping.dmp

Download
memory/1812-142-0x000000000044B5BE-mapping.dmp

Download
memory/1824-148-0x0000000000000000-mapping.dmp

Download
memory/1824-95-0x000000000044B5BE-mapping.dmp

Download
memory/1824-167-0x000000000044B5BE-mapping.dmp

Download
memory/1880-174-0x000000000044B5BE-mapping.dmp

Download
memory/1900-104-0x0000000000000000-mapping.dmp

Download
memory/1916-165-0x0000000000000000-mapping.dmp

Download
memory/1940-184-0x0000000000000000-mapping.dmp

Download
memory/1952-63-0x000000000044B5BE-mapping.dmp

Download
memory/1952-100-0x0000000000000000-mapping.dmp

Download
memory/1968-112-0x0000000000000000-mapping.dmp

Download
memory/2008-59-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2008-57-0x000000000044B5BE-mapping.dmp

Download
memory/2032-89-0x0000000000000000-mapping.dmp

Download
memory/2044-114-0x000000000044B5BE-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads