agenttesla | 06e32937444cad24306cd4020ba596618315a1329d0f6cc1aebdc8f9f2ed1dc7

General

Target

transfer copy.exe
Size

661KB
MD5

551285c43af035791a7d1dd2b6a5d3b3
SHA1

8ee21711c73f0f7482364e5decad825d11f56d89
SHA256

bc7796f8bd7d5a36829a8cb64edac24a195ba0887053f90ca0d74899ed9a4d3c
SHA512

4dbea5084c0b61262622bec592136cb5dff9c7b122447ba1be0f7c773982628add70ceee2c8359ff298b9ed65b41e3869ebb9a30a1031283997dacf1dea6085d

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
us2.smtp.mailhostbox.com
Port:
587
Username:
safaa.bishara@santemoraegypt.com
Password:
chimaroke2020

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla Payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2284-132-0x0000000000400000-0x0000000000450000-memory.dmp	family_agenttesla

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

transfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exeRegAsm.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exeRegAsm.exeRegAsm.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exeRegAsm.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exeRegAsm.exeRegAsm.exeRegAsm.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exeRegAsm.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exeRegAsm.exetransfer copy.exeRegAsm.exetransfer copy.exeRegAsm.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exeRegAsm.exetransfer copy.exeRegAsm.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exeRegAsm.exetransfer copy.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	transfer copy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	transfer copy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	transfer copy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	transfer copy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	transfer copy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	RegAsm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	transfer copy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	transfer copy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	transfer copy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	transfer copy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	transfer copy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	RegAsm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	RegAsm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	transfer copy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	transfer copy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	transfer copy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	transfer copy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	transfer copy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	transfer copy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	transfer copy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	transfer copy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	transfer copy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	transfer copy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	RegAsm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	transfer copy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	transfer copy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	transfer copy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	transfer copy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	transfer copy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	transfer copy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	RegAsm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	RegAsm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	RegAsm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	transfer copy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	transfer copy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	transfer copy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	transfer copy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	transfer copy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	transfer copy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	transfer copy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	RegAsm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	transfer copy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	transfer copy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	transfer copy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	transfer copy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	transfer copy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	RegAsm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	transfer copy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	RegAsm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	transfer copy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	RegAsm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	transfer copy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	transfer copy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	transfer copy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	transfer copy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	RegAsm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	transfer copy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	RegAsm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	transfer copy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	transfer copy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	transfer copy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	transfer copy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	RegAsm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	transfer copy.exe

Suspicious use of SetThreadContext 64 IoCs

Processes:

transfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exeRegAsm.exeRegAsm.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exeRegAsm.exetransfer copy.exetransfer copy.exetransfer copy.exeRegAsm.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exeRegAsm.exetransfer copy.exe

description	pid	process	target process
PID 2260 set thread context of 2284	2260	transfer copy.exe	RegAsm.exe
PID 1760 set thread context of 1952	1760	transfer copy.exe	RegAsm.exe
PID 1028 set thread context of 3116	1028	transfer copy.exe	RegAsm.exe
PID 3892 set thread context of 4516	3892	transfer copy.exe	RegAsm.exe
PID 3192 set thread context of 4172	3192	transfer copy.exe	RegAsm.exe
PID 4788 set thread context of 4696	4788	transfer copy.exe	RegAsm.exe
PID 1844 set thread context of 4456	1844	transfer copy.exe	RegAsm.exe
PID 1732 set thread context of 3952	1732	transfer copy.exe	RegAsm.exe
PID 968 set thread context of 3532	968	transfer copy.exe	RegAsm.exe
PID 1644 set thread context of 4056	1644	transfer copy.exe	RegAsm.exe
PID 1416 set thread context of 3556	1416	transfer copy.exe	RegAsm.exe
PID 3716 set thread context of 4468	3716	transfer copy.exe	RegAsm.exe
PID 3312 set thread context of 3292	3312	transfer copy.exe	RegAsm.exe
PID 1708 set thread context of 1356	1708	transfer copy.exe	RegAsm.exe
PID 4988 set thread context of 900	4988	transfer copy.exe	RegAsm.exe
PID 2748 set thread context of 4944	2748	transfer copy.exe	RegAsm.exe
PID 2316 set thread context of 1840	2316	transfer copy.exe	RegAsm.exe
PID 1548 set thread context of 3604	1548	transfer copy.exe	RegAsm.exe
PID 1484 set thread context of 1176	1484	transfer copy.exe	RegAsm.exe
PID 1028 set thread context of 4520	1028	transfer copy.exe	RegAsm.exe
PID 4760 set thread context of 4172	4760	transfer copy.exe	RegAsm.exe
PID 1296 set thread context of 3964	1296	transfer copy.exe	RegAsm.exe
PID 4600 set thread context of 3528	4600	transfer copy.exe	RegAsm.exe
PID 1096 set thread context of 3340	1096	transfer copy.exe	transfer copy.exe
PID 1992 set thread context of 3996	1992	transfer copy.exe	RegAsm.exe
PID 3808 set thread context of 2012	3808	transfer copy.exe	RegAsm.exe
PID 4780 set thread context of 3168	4780	transfer copy.exe	RegAsm.exe
PID 1416 set thread context of 3844	1416	transfer copy.exe	RegAsm.exe
PID 2988 set thread context of 1664	2988	transfer copy.exe	RegAsm.exe
PID 4272 set thread context of 4792	4272	transfer copy.exe	RegAsm.exe
PID 4088 set thread context of 1388	4088	transfer copy.exe	RegAsm.exe
PID 2348 set thread context of 1008	2348	transfer copy.exe	RegAsm.exe
PID 1648 set thread context of 2188	1648	transfer copy.exe	RegAsm.exe
PID 3420 set thread context of 4476	3420	RegAsm.exe	RegAsm.exe
PID 3488 set thread context of 3084	3488	RegAsm.exe	transfer copy.exe
PID 4676 set thread context of 3892	4676	transfer copy.exe	RegAsm.exe
PID 2136 set thread context of 1532	2136	transfer copy.exe	RegAsm.exe
PID 4816 set thread context of 1844	4816	transfer copy.exe	RegAsm.exe
PID 3340 set thread context of 1732	3340	transfer copy.exe	RegAsm.exe
PID 3012 set thread context of 2400	3012	transfer copy.exe	RegAsm.exe
PID 4628 set thread context of 2720	4628	transfer copy.exe	RegAsm.exe
PID 2268 set thread context of 1940	2268	transfer copy.exe	RegAsm.exe
PID 4024 set thread context of 2728	4024	transfer copy.exe	transfer copy.exe
PID 2764 set thread context of 2128	2764	transfer copy.exe	RegAsm.exe
PID 4468 set thread context of 1708	4468	transfer copy.exe	RegAsm.exe
PID 3456 set thread context of 1476	3456	transfer copy.exe	RegAsm.exe
PID 4728 set thread context of 3408	4728	transfer copy.exe	RegAsm.exe
PID 4300 set thread context of 4952	4300	transfer copy.exe	RegAsm.exe
PID 2684 set thread context of 3420	2684	transfer copy.exe	transfer copy.exe
PID 4400 set thread context of 1852	4400	transfer copy.exe	RegAsm.exe
PID 3208 set thread context of 5044	3208	RegAsm.exe	RegAsm.exe
PID 4580 set thread context of 1584	4580	transfer copy.exe	RegAsm.exe
PID 4816 set thread context of 1728	4816	transfer copy.exe	RegAsm.exe
PID 3340 set thread context of 4744	3340	transfer copy.exe	transfer copy.exe
PID 4628 set thread context of 3168	4628	transfer copy.exe	RegAsm.exe
PID 2796 set thread context of 3608	2796	transfer copy.exe	RegAsm.exe
PID 1624 set thread context of 900	1624	transfer copy.exe	RegAsm.exe
PID 4084 set thread context of 1388	4084	RegAsm.exe	RegAsm.exe
PID 4248 set thread context of 1944	4248	transfer copy.exe	RegAsm.exe
PID 3600 set thread context of 3648	3600	transfer copy.exe	transfer copy.exe
PID 4120 set thread context of 4360	4120	transfer copy.exe	RegAsm.exe
PID 4472 set thread context of 1484	4472	transfer copy.exe	RegAsm.exe
PID 3084 set thread context of 3488	3084	RegAsm.exe	RegAsm.exe
PID 2568 set thread context of 4876	2568	transfer copy.exe	transfer copy.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

transfer copy.exe

pid	process
2260	transfer copy.exe
2260	transfer copy.exe
2260	transfer copy.exe
2260	transfer copy.exe
2260	transfer copy.exe
2260	transfer copy.exe
2260	transfer copy.exe
2260	transfer copy.exe
2260	transfer copy.exe
2260	transfer copy.exe
2260	transfer copy.exe
2260	transfer copy.exe
2260	transfer copy.exe
2260	transfer copy.exe
2260	transfer copy.exe
2260	transfer copy.exe
2260	transfer copy.exe
2260	transfer copy.exe
2260	transfer copy.exe
2260	transfer copy.exe
2260	transfer copy.exe
2260	transfer copy.exe
2260	transfer copy.exe
2260	transfer copy.exe
2260	transfer copy.exe
2260	transfer copy.exe
2260	transfer copy.exe
2260	transfer copy.exe
2260	transfer copy.exe
2260	transfer copy.exe
2260	transfer copy.exe
2260	transfer copy.exe
2260	transfer copy.exe
2260	transfer copy.exe
2260	transfer copy.exe
2260	transfer copy.exe
2260	transfer copy.exe
2260	transfer copy.exe
2260	transfer copy.exe
2260	transfer copy.exe
2260	transfer copy.exe
2260	transfer copy.exe
2260	transfer copy.exe
2260	transfer copy.exe
2260	transfer copy.exe
2260	transfer copy.exe
2260	transfer copy.exe
2260	transfer copy.exe
2260	transfer copy.exe
2260	transfer copy.exe
2260	transfer copy.exe
2260	transfer copy.exe
2260	transfer copy.exe
2260	transfer copy.exe
2260	transfer copy.exe
2260	transfer copy.exe
2260	transfer copy.exe
2260	transfer copy.exe
2260	transfer copy.exe
2260	transfer copy.exe
2260	transfer copy.exe
2260	transfer copy.exe
2260	transfer copy.exe
2260	transfer copy.exe

Suspicious behavior: MapViewOfSection 64 IoCs

Processes:

transfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exeRegAsm.exeRegAsm.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exeRegAsm.exe

pid	process
2260	transfer copy.exe
1760	transfer copy.exe
1028	transfer copy.exe
1028	transfer copy.exe
3892	transfer copy.exe
3892	transfer copy.exe
3192	transfer copy.exe
4788	transfer copy.exe
4788	transfer copy.exe
1844	transfer copy.exe
1732	transfer copy.exe
968	transfer copy.exe
1644	transfer copy.exe
1416	transfer copy.exe
3716	transfer copy.exe
3312	transfer copy.exe
1708	transfer copy.exe
4988	transfer copy.exe
2748	transfer copy.exe
2316	transfer copy.exe
1548	transfer copy.exe
1484	transfer copy.exe
1484	transfer copy.exe
1028	transfer copy.exe
4760	transfer copy.exe
1296	transfer copy.exe
4600	transfer copy.exe
1096	transfer copy.exe
1992	transfer copy.exe
3808	transfer copy.exe
4780	transfer copy.exe
4780	transfer copy.exe
4780	transfer copy.exe
1416	transfer copy.exe
2988	transfer copy.exe
4272	transfer copy.exe
4088	transfer copy.exe
2348	transfer copy.exe
1648	transfer copy.exe
3420	RegAsm.exe
3488	RegAsm.exe
3488	RegAsm.exe
4676	transfer copy.exe
2136	transfer copy.exe
2136	transfer copy.exe
4816	transfer copy.exe
3340	transfer copy.exe
3340	transfer copy.exe
3012	transfer copy.exe
4628	transfer copy.exe
2268	transfer copy.exe
4024	transfer copy.exe
2764	transfer copy.exe
2764	transfer copy.exe
4468	transfer copy.exe
3456	transfer copy.exe
4728	transfer copy.exe
4300	transfer copy.exe
4300	transfer copy.exe
2684	transfer copy.exe
2684	transfer copy.exe
2684	transfer copy.exe
4400	transfer copy.exe
3208	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

transfer copy.exeRegAsm.exetransfer copy.exeRegAsm.exetransfer copy.exeRegAsm.exetransfer copy.exeRegAsm.exetransfer copy.exeRegAsm.exetransfer copy.exeRegAsm.exetransfer copy.exeRegAsm.exetransfer copy.exeRegAsm.exetransfer copy.exeRegAsm.exetransfer copy.exeRegAsm.exetransfer copy.exeRegAsm.exetransfer copy.exetransfer copy.exeRegAsm.exetransfer copy.exetransfer copy.exeRegAsm.exetransfer copy.exeRegAsm.exetransfer copy.exeRegAsm.exetransfer copy.exeRegAsm.exetransfer copy.exeRegAsm.exetransfer copy.exeRegAsm.exetransfer copy.exeRegAsm.exetransfer copy.exeRegAsm.exetransfer copy.exeRegAsm.exetransfer copy.exetransfer copy.exetransfer copy.exeRegAsm.exetransfer copy.exeRegAsm.exetransfer copy.exeRegAsm.exetransfer copy.exeRegAsm.exetransfer copy.exeRegAsm.exetransfer copy.exeRegAsm.exetransfer copy.exeRegAsm.exetransfer copy.exeRegAsm.exetransfer copy.exeRegAsm.exe

description	pid	process
Token: SeDebugPrivilege	2260	transfer copy.exe
Token: SeDebugPrivilege	2284	RegAsm.exe
Token: SeDebugPrivilege	1760	transfer copy.exe
Token: SeDebugPrivilege	1952	RegAsm.exe
Token: SeDebugPrivilege	1028	transfer copy.exe
Token: SeDebugPrivilege	3116	RegAsm.exe
Token: SeDebugPrivilege	3892	transfer copy.exe
Token: SeDebugPrivilege	4516	RegAsm.exe
Token: SeDebugPrivilege	3192	transfer copy.exe
Token: SeDebugPrivilege	4172	RegAsm.exe
Token: SeDebugPrivilege	4788	transfer copy.exe
Token: SeDebugPrivilege	4696	RegAsm.exe
Token: SeDebugPrivilege	1844	transfer copy.exe
Token: SeDebugPrivilege	4456	RegAsm.exe
Token: SeDebugPrivilege	1732	transfer copy.exe
Token: SeDebugPrivilege	3952	RegAsm.exe
Token: SeDebugPrivilege	968	transfer copy.exe
Token: SeDebugPrivilege	3532	RegAsm.exe
Token: SeDebugPrivilege	1644	transfer copy.exe
Token: SeDebugPrivilege	4056	RegAsm.exe
Token: SeDebugPrivilege	1416	transfer copy.exe
Token: SeDebugPrivilege	3556	RegAsm.exe
Token: SeDebugPrivilege	3716	transfer copy.exe
Token: SeDebugPrivilege	3312	transfer copy.exe
Token: SeDebugPrivilege	4468	RegAsm.exe
Token: SeDebugPrivilege	1708	transfer copy.exe
Token: SeDebugPrivilege	4988	transfer copy.exe
Token: SeDebugPrivilege	1356	RegAsm.exe
Token: SeDebugPrivilege	2748	transfer copy.exe
Token: SeDebugPrivilege	4944	RegAsm.exe
Token: SeDebugPrivilege	2316	transfer copy.exe
Token: SeDebugPrivilege	1840	RegAsm.exe
Token: SeDebugPrivilege	1548	transfer copy.exe
Token: SeDebugPrivilege	3604	RegAsm.exe
Token: SeDebugPrivilege	1484	transfer copy.exe
Token: SeDebugPrivilege	1176	RegAsm.exe
Token: SeDebugPrivilege	1028	transfer copy.exe
Token: SeDebugPrivilege	4520	RegAsm.exe
Token: SeDebugPrivilege	4760	transfer copy.exe
Token: SeDebugPrivilege	4172	RegAsm.exe
Token: SeDebugPrivilege	1296	transfer copy.exe
Token: SeDebugPrivilege	3964	RegAsm.exe
Token: SeDebugPrivilege	4600	transfer copy.exe
Token: SeDebugPrivilege	3528	RegAsm.exe
Token: SeDebugPrivilege	1096	transfer copy.exe
Token: SeDebugPrivilege	3340	transfer copy.exe
Token: SeDebugPrivilege	1992	transfer copy.exe
Token: SeDebugPrivilege	3996	RegAsm.exe
Token: SeDebugPrivilege	3808	transfer copy.exe
Token: SeDebugPrivilege	2012	RegAsm.exe
Token: SeDebugPrivilege	4780	transfer copy.exe
Token: SeDebugPrivilege	3168	RegAsm.exe
Token: SeDebugPrivilege	1416	transfer copy.exe
Token: SeDebugPrivilege	3844	RegAsm.exe
Token: SeDebugPrivilege	2988	transfer copy.exe
Token: SeDebugPrivilege	1664	RegAsm.exe
Token: SeDebugPrivilege	4272	transfer copy.exe
Token: SeDebugPrivilege	4792	RegAsm.exe
Token: SeDebugPrivilege	4088	transfer copy.exe
Token: SeDebugPrivilege	1388	RegAsm.exe
Token: SeDebugPrivilege	2348	transfer copy.exe
Token: SeDebugPrivilege	1008	RegAsm.exe
Token: SeDebugPrivilege	1648	transfer copy.exe
Token: SeDebugPrivilege	2188	RegAsm.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

transfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exetransfer copy.exe

description	pid	process	target process
PID 2260 wrote to memory of 2284	2260	transfer copy.exe	RegAsm.exe
PID 2260 wrote to memory of 2284	2260	transfer copy.exe	RegAsm.exe
PID 2260 wrote to memory of 2284	2260	transfer copy.exe	RegAsm.exe
PID 2260 wrote to memory of 2284	2260	transfer copy.exe	RegAsm.exe
PID 2260 wrote to memory of 1760	2260	transfer copy.exe	transfer copy.exe
PID 2260 wrote to memory of 1760	2260	transfer copy.exe	transfer copy.exe
PID 2260 wrote to memory of 1760	2260	transfer copy.exe	transfer copy.exe
PID 1760 wrote to memory of 1952	1760	transfer copy.exe	RegAsm.exe
PID 1760 wrote to memory of 1952	1760	transfer copy.exe	RegAsm.exe
PID 1760 wrote to memory of 1952	1760	transfer copy.exe	RegAsm.exe
PID 1760 wrote to memory of 1952	1760	transfer copy.exe	RegAsm.exe
PID 1760 wrote to memory of 1028	1760	transfer copy.exe	transfer copy.exe
PID 1760 wrote to memory of 1028	1760	transfer copy.exe	transfer copy.exe
PID 1760 wrote to memory of 1028	1760	transfer copy.exe	transfer copy.exe
PID 1028 wrote to memory of 2188	1028	transfer copy.exe	RegAsm.exe
PID 1028 wrote to memory of 2188	1028	transfer copy.exe	RegAsm.exe
PID 1028 wrote to memory of 2188	1028	transfer copy.exe	RegAsm.exe
PID 1028 wrote to memory of 3116	1028	transfer copy.exe	RegAsm.exe
PID 1028 wrote to memory of 3116	1028	transfer copy.exe	RegAsm.exe
PID 1028 wrote to memory of 3116	1028	transfer copy.exe	RegAsm.exe
PID 1028 wrote to memory of 3116	1028	transfer copy.exe	RegAsm.exe
PID 1028 wrote to memory of 3892	1028	transfer copy.exe	transfer copy.exe
PID 1028 wrote to memory of 3892	1028	transfer copy.exe	transfer copy.exe
PID 1028 wrote to memory of 3892	1028	transfer copy.exe	transfer copy.exe
PID 3892 wrote to memory of 4508	3892	transfer copy.exe	RegAsm.exe
PID 3892 wrote to memory of 4508	3892	transfer copy.exe	RegAsm.exe
PID 3892 wrote to memory of 4508	3892	transfer copy.exe	RegAsm.exe
PID 3892 wrote to memory of 4516	3892	transfer copy.exe	RegAsm.exe
PID 3892 wrote to memory of 4516	3892	transfer copy.exe	RegAsm.exe
PID 3892 wrote to memory of 4516	3892	transfer copy.exe	RegAsm.exe
PID 3892 wrote to memory of 4516	3892	transfer copy.exe	RegAsm.exe
PID 3892 wrote to memory of 3192	3892	transfer copy.exe	transfer copy.exe
PID 3892 wrote to memory of 3192	3892	transfer copy.exe	transfer copy.exe
PID 3892 wrote to memory of 3192	3892	transfer copy.exe	transfer copy.exe
PID 3192 wrote to memory of 4172	3192	transfer copy.exe	RegAsm.exe
PID 3192 wrote to memory of 4172	3192	transfer copy.exe	RegAsm.exe
PID 3192 wrote to memory of 4172	3192	transfer copy.exe	RegAsm.exe
PID 3192 wrote to memory of 4172	3192	transfer copy.exe	RegAsm.exe
PID 3192 wrote to memory of 4788	3192	transfer copy.exe	transfer copy.exe
PID 3192 wrote to memory of 4788	3192	transfer copy.exe	transfer copy.exe
PID 3192 wrote to memory of 4788	3192	transfer copy.exe	transfer copy.exe
PID 4788 wrote to memory of 656	4788	transfer copy.exe	RegAsm.exe
PID 4788 wrote to memory of 656	4788	transfer copy.exe	RegAsm.exe
PID 4788 wrote to memory of 656	4788	transfer copy.exe	RegAsm.exe
PID 4788 wrote to memory of 4696	4788	transfer copy.exe	RegAsm.exe
PID 4788 wrote to memory of 4696	4788	transfer copy.exe	RegAsm.exe
PID 4788 wrote to memory of 4696	4788	transfer copy.exe	RegAsm.exe
PID 4788 wrote to memory of 4696	4788	transfer copy.exe	RegAsm.exe
PID 4788 wrote to memory of 1844	4788	transfer copy.exe	transfer copy.exe
PID 4788 wrote to memory of 1844	4788	transfer copy.exe	transfer copy.exe
PID 4788 wrote to memory of 1844	4788	transfer copy.exe	transfer copy.exe
PID 1844 wrote to memory of 4456	1844	transfer copy.exe	RegAsm.exe
PID 1844 wrote to memory of 4456	1844	transfer copy.exe	RegAsm.exe
PID 1844 wrote to memory of 4456	1844	transfer copy.exe	RegAsm.exe
PID 1844 wrote to memory of 4456	1844	transfer copy.exe	RegAsm.exe
PID 1844 wrote to memory of 1732	1844	transfer copy.exe	transfer copy.exe
PID 1844 wrote to memory of 1732	1844	transfer copy.exe	transfer copy.exe
PID 1844 wrote to memory of 1732	1844	transfer copy.exe	transfer copy.exe
PID 1732 wrote to memory of 3952	1732	transfer copy.exe	RegAsm.exe
PID 1732 wrote to memory of 3952	1732	transfer copy.exe	RegAsm.exe
PID 1732 wrote to memory of 3952	1732	transfer copy.exe	RegAsm.exe
PID 1732 wrote to memory of 3952	1732	transfer copy.exe	RegAsm.exe
PID 1732 wrote to memory of 968	1732	transfer copy.exe	transfer copy.exe
PID 1732 wrote to memory of 968	1732	transfer copy.exe	transfer copy.exe

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2260

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2284

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1760

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1952

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
3⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1028

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
PID:2188

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:3116

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
4⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3892

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
5⤵
PID:4508

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:4516

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
5⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3192

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:4172

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
6⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4788

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
7⤵
PID:656

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
7⤵
- Suspicious use of AdjustPrivilegeToken
PID:4696

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
7⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1844

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
8⤵
- Suspicious use of AdjustPrivilegeToken
PID:4456

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
8⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1732

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
9⤵
- Suspicious use of AdjustPrivilegeToken
PID:3952

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
9⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:968

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
10⤵
- Suspicious use of AdjustPrivilegeToken
PID:3532

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
10⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1644

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
11⤵
- Suspicious use of AdjustPrivilegeToken
PID:4056

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
11⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1416

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
12⤵
- Suspicious use of AdjustPrivilegeToken
PID:3556

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
12⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3716

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
13⤵
- Suspicious use of AdjustPrivilegeToken
PID:4468

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
13⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3312

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
14⤵
PID:3292

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
14⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1708

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
15⤵
- Suspicious use of AdjustPrivilegeToken
PID:1356

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
15⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4988

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
16⤵
PID:900

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
16⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2748

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
17⤵
- Suspicious use of AdjustPrivilegeToken
PID:4944

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
17⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2316

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
18⤵
- Suspicious use of AdjustPrivilegeToken
PID:1840

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
18⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1548

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
19⤵
- Suspicious use of AdjustPrivilegeToken
PID:3604

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
19⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1484

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
20⤵
PID:3420

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
20⤵
- Suspicious use of AdjustPrivilegeToken
PID:1176

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
20⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1028

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
21⤵
- Suspicious use of AdjustPrivilegeToken
PID:4520

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
21⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4760

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
22⤵
- Suspicious use of AdjustPrivilegeToken
PID:4172

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
22⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1296

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
23⤵
- Suspicious use of AdjustPrivilegeToken
PID:3964

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
23⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4600

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
24⤵
- Suspicious use of AdjustPrivilegeToken
PID:3528

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
24⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1096

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
25⤵
PID:3340

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
25⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1992

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
26⤵
- Suspicious use of AdjustPrivilegeToken
PID:3996

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
26⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3808

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
27⤵
- Suspicious use of AdjustPrivilegeToken
PID:2012

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
27⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4780

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
28⤵
PID:2908

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
28⤵
PID:2332

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
28⤵
- Suspicious use of AdjustPrivilegeToken
PID:3168

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
28⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1416

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
29⤵
- Suspicious use of AdjustPrivilegeToken
PID:3844

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
29⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2988

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
30⤵
- Suspicious use of AdjustPrivilegeToken
PID:1664

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
30⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4272

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
31⤵
- Suspicious use of AdjustPrivilegeToken
PID:4792

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
31⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4088

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
32⤵
PID:1388

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
32⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2348

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
33⤵
- Suspicious use of AdjustPrivilegeToken
PID:1008

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
33⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1648

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
34⤵
- Suspicious use of AdjustPrivilegeToken
PID:2188

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
34⤵
PID:3420

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
35⤵
PID:4476

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
35⤵
PID:3488

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
36⤵
PID:3084

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
36⤵
PID:2684

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
36⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:4676

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
37⤵
PID:3892

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
37⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:2136

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
38⤵
PID:3208

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
38⤵
PID:1532

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
38⤵
PID:4816

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
39⤵
PID:1844

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
39⤵
- Suspicious use of AdjustPrivilegeToken
PID:3340

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
40⤵
PID:3952

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
40⤵
PID:1732

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
40⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:3012

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
41⤵
PID:2400

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
41⤵
PID:4628

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
42⤵
PID:2720

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
42⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:2268

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
43⤵
PID:1940

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
43⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:4024

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
44⤵
PID:2728

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
44⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:2764

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
45⤵
PID:3748

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
45⤵
PID:2128

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
45⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:4468

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
46⤵
PID:1708

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
46⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:3456

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
47⤵
PID:1476

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
47⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:4728

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
48⤵
PID:3408

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
48⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:4300

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
49⤵
PID:4488

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
49⤵
PID:4952

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
49⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:2684

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
50⤵
PID:1312

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
50⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:3420

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
50⤵
PID:3644

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
50⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:4400

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
51⤵
PID:1852

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
51⤵
PID:3208

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
52⤵
PID:5044

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
52⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
PID:4580

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
53⤵
PID:1584

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
53⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:4816

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
54⤵
PID:1728

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
54⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:3340

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
55⤵
PID:4744

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
55⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:4628

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
56⤵
PID:3168

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
56⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
PID:2796

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
57⤵
PID:3608

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
57⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
PID:1624

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
58⤵
PID:3544

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
58⤵
PID:900

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
58⤵
PID:4084

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
59⤵
PID:4180

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
59⤵
- Suspicious use of AdjustPrivilegeToken
PID:1388

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
59⤵
PID:3068

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
59⤵
- Suspicious use of SetThreadContext
PID:4248

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
60⤵
PID:1944

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
60⤵
- Suspicious use of SetThreadContext
PID:3600

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
61⤵
PID:3648

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
61⤵
PID:4120

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
62⤵
PID:4360

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
62⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
PID:4472

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
63⤵
PID:1484

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
63⤵
PID:3084

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
64⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:3488

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
64⤵
- Suspicious use of SetThreadContext
PID:2568

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
65⤵
PID:4876

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
65⤵
- Checks computer location settings
PID:3964

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
66⤵
PID:1960

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
66⤵
PID:444

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
66⤵
- Checks computer location settings
PID:2952

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
67⤵
PID:1048

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
67⤵
PID:5020

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
68⤵
PID:3784

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
68⤵
PID:2400

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
68⤵
- Checks computer location settings
PID:2196

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
69⤵
PID:2656

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
69⤵
PID:4664

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
70⤵
PID:4260

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
70⤵
PID:4712

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
71⤵
PID:4572

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
71⤵
PID:4824

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
72⤵
PID:1708

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
72⤵
PID:2204

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
72⤵
- Checks computer location settings
PID:600

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
73⤵
PID:1476

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
73⤵
PID:3404

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
74⤵
PID:4460

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
74⤵
PID:1508

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
75⤵
PID:1648

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
75⤵
PID:4736

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
75⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
PID:4120

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
76⤵
PID:4480

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
76⤵
PID:3888

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
77⤵
PID:116

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
77⤵
PID:1208

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
78⤵
PID:5032

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
78⤵
PID:2832

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
78⤵
PID:4280

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
79⤵
PID:920

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
79⤵
PID:2480

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
79⤵
PID:2040

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
79⤵
PID:2544

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
80⤵
PID:1992

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
80⤵
PID:4992

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
81⤵
PID:2400

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
81⤵
PID:2728

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
82⤵
PID:2656

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
82⤵
PID:4484

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
83⤵
PID:4260

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
83⤵
- Checks computer location settings
PID:944

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
84⤵
PID:2884

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
84⤵
PID:3432

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
85⤵
PID:1356

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
85⤵
PID:4824

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
86⤵
PID:1476

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
86⤵
- Suspicious use of SetThreadContext
PID:4084

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
86⤵
PID:5036

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
87⤵
PID:4460

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
87⤵
- Checks computer location settings
PID:3420

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
88⤵
PID:4736

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
88⤵
PID:4476

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
89⤵
PID:4480

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
89⤵
PID:3572

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
90⤵
PID:5112

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
90⤵
PID:3560

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
90⤵
PID:4876

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
91⤵
PID:1584

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
91⤵
PID:1208

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
92⤵
PID:4016

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
92⤵
PID:3344

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
92⤵
- Checks computer location settings
PID:1544

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
93⤵
PID:3244

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
93⤵
PID:1856

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
94⤵
PID:4996

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
94⤵
- Checks computer location settings
PID:4596

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
95⤵
PID:3168

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
95⤵
PID:4904

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
95⤵
- Checks computer location settings
PID:4376

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
96⤵
PID:2476

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
96⤵
PID:2344

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
96⤵
PID:1716

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
97⤵
PID:1712

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
97⤵
PID:4880

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
98⤵
PID:1356

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
98⤵
PID:552

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
99⤵
PID:2556

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
99⤵
PID:3644

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
100⤵
PID:5052

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
100⤵
PID:2188

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
101⤵
PID:1852

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
101⤵
PID:4440

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
102⤵
PID:4788

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
102⤵
PID:4476

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
103⤵
PID:3584

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
103⤵
- Checks computer location settings
PID:3888

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
103⤵
PID:4232

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
104⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:3208

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
104⤵
PID:4696

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
105⤵
PID:5024

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
105⤵
PID:3532

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
106⤵
PID:2704

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
106⤵
PID:4744

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
107⤵
PID:1644

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
107⤵
PID:4780

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
107⤵
PID:1492

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
108⤵
PID:3544

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
108⤵
PID:3748

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
109⤵
PID:3268

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
109⤵
PID:3672

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
109⤵
PID:1416

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
110⤵
PID:2204

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
110⤵
PID:3648

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
111⤵
PID:4528

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
111⤵
PID:4880

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
112⤵
PID:2484

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
112⤵
PID:4408

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
113⤵
PID:4728

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
113⤵
PID:4928

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
114⤵
PID:1752

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
114⤵
PID:3088

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
115⤵
PID:1508

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
115⤵
PID:3960

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
115⤵
PID:5044

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
116⤵
PID:5016

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
116⤵
PID:4056

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
117⤵
PID:1028

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
117⤵
PID:4392

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
118⤵
- Suspicious use of SetThreadContext
PID:3084

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
118⤵
- Checks computer location settings
PID:1208

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
119⤵
PID:4048

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
119⤵
- Checks computer location settings
PID:5096

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
120⤵
PID:1728

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
120⤵
PID:372

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
121⤵
- Checks computer location settings
PID:2544

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
121⤵
PID:1848

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
121⤵
- Checks computer location settings
PID:3844

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
122⤵
PID:2344

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
122⤵
PID:856

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
123⤵
PID:4468

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
123⤵
PID:1716

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
124⤵
PID:3688

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
124⤵
PID:1356

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
125⤵
PID:4528

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
125⤵
PID:3648

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
126⤵
PID:1308

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
126⤵
PID:996

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
127⤵
- Checks computer location settings
PID:4824

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
127⤵
PID:3600

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
128⤵
PID:2700

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
128⤵
PID:1760

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
128⤵
PID:1484

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
128⤵
- Checks computer location settings
PID:4464

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
129⤵
PID:1784

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
129⤵
- Checks computer location settings
PID:1844

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
130⤵
PID:4400

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
130⤵
PID:2740

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
131⤵
PID:4196

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
131⤵
PID:4016

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
131⤵
PID:5104

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
132⤵
PID:2816

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
132⤵
PID:444

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
133⤵
PID:4820

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
133⤵
PID:968

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
134⤵
PID:672

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
134⤵
PID:4576

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
134⤵
PID:2656

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
135⤵
PID:3496

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
135⤵
PID:4992

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
136⤵
PID:1364

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
136⤵
PID:4628

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
137⤵
PID:812

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
137⤵
- Checks computer location settings
PID:1668

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
138⤵
PID:3364

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
138⤵
PID:4680

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
138⤵
PID:2364

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
139⤵
PID:2168

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
139⤵
PID:748

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
140⤵
PID:2280

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
140⤵
PID:2960

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
141⤵
- Checks computer location settings
PID:3644

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
141⤵
PID:2748

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
141⤵
PID:1348

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
142⤵
PID:3904

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
142⤵
PID:3196

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
143⤵
PID:3600

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
143⤵
PID:3192

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
143⤵
PID:2468

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
144⤵
PID:920

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
144⤵
PID:3956

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
144⤵
PID:3560

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
145⤵
PID:112

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
145⤵
PID:1584

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
146⤵
PID:5024

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
146⤵
PID:3360

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
147⤵
PID:4304

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
147⤵
PID:4696

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
148⤵
- Checks computer location settings
PID:3532

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
148⤵
PID:2400

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
149⤵
PID:4664

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
149⤵
PID:2244

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
150⤵
PID:1684

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
150⤵
PID:3268

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
151⤵
PID:3748

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
151⤵
- Checks computer location settings
PID:4040

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
152⤵
PID:1920

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
152⤵
PID:4488

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
152⤵
- Checks computer location settings
PID:1652

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
153⤵
PID:1552

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
153⤵
PID:4404

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
154⤵
PID:4880

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
154⤵
PID:724

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
155⤵
PID:4408

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
155⤵
PID:5052

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
156⤵
PID:3420

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
156⤵
PID:5112

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
156⤵
PID:4248

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
156⤵
PID:2688

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
157⤵
PID:1176

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
157⤵
- Checks computer location settings
PID:4476

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
158⤵
PID:4400

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
158⤵
PID:4504

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
158⤵
PID:3084

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
159⤵
PID:1384

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
159⤵
PID:3560

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
160⤵
- Checks computer location settings
PID:4056

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
160⤵
PID:3664

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
160⤵
PID:3608

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
161⤵
PID:4876

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
161⤵
PID:2412

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
161⤵
- Checks computer location settings
PID:3360

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
162⤵
PID:4904

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
162⤵
PID:4580

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
162⤵
PID:4384

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
163⤵
PID:2476

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
163⤵
PID:4744

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
164⤵
PID:3392

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
164⤵
PID:2248

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
164⤵
PID:2244

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
165⤵
PID:4868

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
165⤵
PID:4596

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
165⤵
PID:3268

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
166⤵
PID:1708

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
166⤵
PID:2880

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
166⤵
PID:932

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
167⤵
PID:4272

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
167⤵
PID:1764

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
168⤵
PID:2164

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
168⤵
PID:2748

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
169⤵
- Checks computer location settings
PID:2960

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
169⤵
PID:5092

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
170⤵
PID:4700

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
170⤵
- Checks computer location settings
PID:3600

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
171⤵
PID:656

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
171⤵
PID:4704

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
171⤵
PID:216

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
172⤵
PID:1704

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
172⤵
PID:4872

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
172⤵
PID:1028

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
173⤵
PID:2568

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
173⤵
PID:672

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
174⤵
- Checks computer location settings
PID:1584

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
174⤵
PID:4232

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
175⤵
PID:2852

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
175⤵
PID:4048

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
176⤵
PID:1096

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
176⤵
PID:4696

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
177⤵
PID:1588

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
177⤵
PID:4184

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
178⤵
PID:3676

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
178⤵
PID:372

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
179⤵
- Checks computer location settings
PID:1416

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
179⤵
PID:4712

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
180⤵
PID:3760

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
180⤵
PID:4080

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
181⤵
PID:3268

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
181⤵
PID:4832

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
181⤵
PID:4528

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
181⤵
PID:4112

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
182⤵
PID:2364

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
182⤵
PID:3832

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
182⤵
PID:1648

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
183⤵
PID:1312

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
183⤵
PID:3124

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
184⤵
PID:2748

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
184⤵
PID:656

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
185⤵
PID:2460

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
185⤵
PID:1704

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
186⤵
PID:4736

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
186⤵
PID:2108

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
187⤵
PID:2312

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
187⤵
PID:2568

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
188⤵
PID:1048

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
188⤵
PID:4988

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
189⤵
PID:5024

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
189⤵
PID:3964

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
190⤵
- Checks computer location settings
PID:3560

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
190⤵
PID:2332

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
191⤵
PID:3504

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
191⤵
PID:1848

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
191⤵
PID:3364

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
192⤵
PID:3140

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
192⤵
PID:1496

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
193⤵
PID:4384

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
193⤵
PID:3948

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
194⤵
PID:4628

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
194⤵
PID:4160

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
195⤵
PID:4180

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
195⤵
PID:4492

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
196⤵
PID:524

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
196⤵
PID:1548

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
196⤵
PID:2348

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
196⤵
PID:3832

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
197⤵
PID:2164

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
197⤵
PID:4824

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
198⤵
PID:2408

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
198⤵
PID:628

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
199⤵
PID:920

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
199⤵
PID:3892

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
200⤵
PID:3888

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
200⤵
- Checks computer location settings
PID:216

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
201⤵
PID:1576

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
201⤵
PID:3488

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
201⤵
PID:4476

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
201⤵
PID:4504

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
201⤵
PID:2740

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
201⤵
PID:4480

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
202⤵
PID:1960

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
202⤵
PID:3720

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
202⤵
PID:5104

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
203⤵
PID:4876

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
203⤵
PID:4304

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
204⤵
PID:3684

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
204⤵
PID:4580

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
204⤵
PID:5020

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
204⤵
PID:3964

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
205⤵
PID:5084

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
205⤵
PID:3672

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
206⤵
PID:3496

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
206⤵
PID:4344

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
207⤵
PID:3364

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
207⤵
PID:2988

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
208⤵
PID:1160

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
208⤵
PID:4656

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
208⤵
- Checks computer location settings
PID:372

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
208⤵
PID:4428

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
209⤵
PID:2484

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
209⤵
PID:4912

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
210⤵
PID:1952

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
210⤵
PID:4088

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
211⤵
PID:2560

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
211⤵
PID:4408

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
212⤵
PID:724

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
212⤵
PID:1764

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
213⤵
PID:4824

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
213⤵
PID:2688

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
214⤵
PID:4252

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
214⤵
PID:4504

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
215⤵
PID:1536

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
215⤵
PID:2832

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
216⤵
PID:5000

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
216⤵
PID:4820

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
217⤵
PID:3572

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
217⤵
PID:3976

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
217⤵
PID:4756

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
218⤵
PID:760

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
218⤵
PID:3312

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
219⤵
PID:1100

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
219⤵
PID:2952

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
220⤵
PID:5084

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
220⤵
PID:1868

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
221⤵
PID:3496

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
221⤵
PID:4780

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
221⤵
PID:2332

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
221⤵
PID:2796

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
222⤵
PID:2268

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
222⤵
PID:1708

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
222⤵
PID:1944

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
223⤵
PID:3760

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
223⤵
PID:2988

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
224⤵
PID:3400

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
224⤵
PID:4428

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
225⤵
PID:1968

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
225⤵
PID:5036

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
225⤵
PID:4460

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
226⤵
PID:1308

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
226⤵
PID:2260

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
226⤵
PID:3492

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
227⤵
PID:724

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
227⤵
PID:1484

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
228⤵
PID:4824

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
228⤵
PID:3196

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
229⤵
PID:4648

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
229⤵
PID:4668

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
230⤵
PID:2356

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
230⤵
PID:2480

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
230⤵
PID:4472

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
231⤵
PID:3668

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
231⤵
PID:1732

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
232⤵
PID:1816

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
232⤵
PID:672

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
233⤵
PID:1992

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
233⤵
PID:3108

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
233⤵
PID:3320

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
234⤵
PID:3504

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
234⤵
PID:2884

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
235⤵
PID:3680

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
235⤵
PID:4024

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
235⤵
PID:1716

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
236⤵
PID:2332

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
236⤵
PID:376

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
237⤵
PID:3676

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
237⤵
PID:2168

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
238⤵
PID:1388

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
238⤵
PID:4008

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
239⤵
PID:5036

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
239⤵
PID:2404

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
240⤵
PID:932

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
240⤵
PID:3640

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
241⤵
PID:4676

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
241⤵
PID:4548

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
242⤵
PID:4520

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
242⤵
PID:220

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
243⤵
PID:4824

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
243⤵
PID:5040

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
244⤵
PID:1536

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
244⤵
PID:4660

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
245⤵
PID:2480

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
245⤵
PID:3572

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
246⤵
PID:3784

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
246⤵
PID:2568

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
247⤵
PID:3208

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
247⤵
PID:1208

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
248⤵
PID:1096

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
248⤵
PID:672

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
249⤵
PID:1500

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
249⤵
PID:1364

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
250⤵
PID:4060

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
250⤵
PID:2884

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
251⤵
PID:1152

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
251⤵
PID:3980

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
252⤵
PID:4572

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
252⤵
PID:2004

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
252⤵
PID:3692

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
253⤵
PID:2084

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
253⤵
PID:3948

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
254⤵
PID:1952

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
254⤵
PID:1784

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
254⤵
PID:4080

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
255⤵
PID:3596

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
255⤵
PID:1968

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
255⤵
PID:2700

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
255⤵
PID:4912

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
255⤵
PID:3912

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
256⤵
PID:3124

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
256⤵
PID:4252

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
257⤵
PID:3192

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
257⤵
PID:2468

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
258⤵
PID:628

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
258⤵
PID:3956

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
259⤵
PID:4788

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
259⤵
PID:1976

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
259⤵
PID:2832

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
260⤵
PID:4464

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
260⤵
PID:5056

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
260⤵
PID:3608

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
261⤵
PID:1544

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
261⤵
PID:3108

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
262⤵
PID:760

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
262⤵
PID:1096

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
263⤵
PID:2196

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
263⤵
PID:3320

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
264⤵
PID:3244

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
264⤵
PID:1920

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
265⤵
PID:3168

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
265⤵
PID:4976

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
266⤵
PID:2004

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
266⤵
PID:372

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
266⤵
PID:1304

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
267⤵
PID:4344

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
267⤵
PID:5108

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
268⤵
PID:1944

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
268⤵
PID:932

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
269⤵
PID:1968

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
269⤵
PID:5064

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
270⤵
PID:4912

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
270⤵
PID:2712

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
271⤵
PID:4548

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
271⤵
PID:5092

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
272⤵
PID:3204

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
272⤵
PID:4568

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
273⤵
PID:628

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
273⤵
PID:5040

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
274⤵
PID:4772

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
274⤵
PID:552

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
275⤵
PID:1080

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
275⤵
PID:4904

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
276⤵
PID:3572

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
276⤵
PID:4232

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
277⤵
PID:1732

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
277⤵
PID:4228

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
278⤵
- Checks computer location settings
PID:3560

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
278⤵
PID:3504

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
279⤵
PID:4664

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
279⤵
- Checks computer location settings
PID:672

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
280⤵
PID:4076

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
280⤵
PID:2952

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
281⤵
PID:3408

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
281⤵
PID:4572

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
282⤵
PID:3364

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
282⤵
PID:3100

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
282⤵
PID:4744

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
282⤵
PID:4384

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
283⤵
PID:4532

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
283⤵
PID:3744

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
283⤵
PID:4360

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
283⤵
PID:2084

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
284⤵
PID:5108

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
284⤵
PID:4960

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
284⤵
PID:3596

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
285⤵
PID:996

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
285⤵
PID:2560

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
285⤵
PID:1852

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
286⤵
PID:4676

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
286⤵
PID:1312

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
287⤵
PID:1576

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
287⤵
PID:5092

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
288⤵
PID:2392

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
288⤵
- Checks computer location settings
PID:4476

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
289⤵
PID:4772

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
289⤵
PID:3556

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
290⤵
PID:4504

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
290⤵
PID:1264

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
291⤵
PID:3344

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
291⤵
PID:3976

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
291⤵
PID:4340

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
292⤵
PID:3684

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
292⤵
PID:3964

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
293⤵
PID:1608

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
293⤵
PID:692

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
294⤵
PID:5080

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
294⤵
PID:3604

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
295⤵
PID:3748

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
295⤵
PID:1364

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
295⤵
PID:3140

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
296⤵
PID:4296

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
296⤵
PID:4900

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
296⤵
PID:4532

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
297⤵
PID:5072

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
297⤵
PID:3764

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
297⤵
PID:1856

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
297⤵
PID:3036

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
298⤵
PID:524

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
298⤵
PID:4728

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
298⤵
PID:3992

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
299⤵
PID:2764

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
299⤵
PID:720

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
300⤵
PID:896

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
300⤵
PID:2164

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
301⤵
PID:2692

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
301⤵
PID:2712

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
302⤵
PID:3192

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
302⤵
PID:920

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
303⤵
PID:1332

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
303⤵
PID:3892

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
304⤵
PID:3784

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
304⤵
PID:1384

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
305⤵
PID:4412

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
305⤵
PID:1080

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
306⤵
PID:3556

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
306⤵
PID:4280

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
307⤵
PID:604

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
307⤵
PID:4012

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
307⤵
PID:1848

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
308⤵
PID:444

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
308⤵
PID:812

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
309⤵
PID:2376

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
309⤵
PID:3320

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
310⤵
PID:2880

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
310⤵
PID:3716

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
311⤵
PID:4712

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
311⤵
PID:5072

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
312⤵
PID:5012

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
312⤵
PID:1324

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
312⤵
PID:3456

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
312⤵
PID:1860

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
313⤵
PID:1308

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
313⤵
PID:4532

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
313⤵
PID:5036

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
314⤵
PID:2968

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
314⤵
PID:3224

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
315⤵
PID:2664

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
315⤵
PID:4912

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
315⤵
PID:3420

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
315⤵
PID:4928

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
316⤵
PID:2524

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
316⤵
PID:3888

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
317⤵
PID:1312

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
317⤵
PID:4196

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
318⤵
PID:1392

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
318⤵
PID:4400

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
318⤵
PID:320

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
319⤵
PID:3956

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
319⤵
PID:3924

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
320⤵
PID:4508

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
320⤵
PID:4440

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
321⤵
PID:1264

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
321⤵
PID:4996

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
322⤵
PID:4232

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
322⤵
PID:4048

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
323⤵
PID:4268

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
323⤵
PID:3844

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
324⤵
PID:1920

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
324⤵
PID:2268

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
324⤵
PID:812

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
325⤵
PID:1304

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
325⤵
PID:4528

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
326⤵
PID:944

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
326⤵
PID:4244

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
327⤵
PID:4360

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
327⤵
PID:3092

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
328⤵
PID:3948

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
328⤵
PID:4932

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
328⤵
PID:4368

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
329⤵
PID:4924

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
329⤵
PID:3404

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
330⤵
PID:3288

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
330⤵
PID:680

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
331⤵
PID:3224

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
331⤵
PID:3832

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
332⤵
PID:1852

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
332⤵
PID:3192

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
332⤵
PID:4648

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
333⤵
PID:3888

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
333⤵
PID:4824

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
333⤵
PID:3836

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
334⤵
PID:1772

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
334⤵
PID:5000

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
335⤵
PID:4504

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
335⤵
PID:4872

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
336⤵
PID:760

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
336⤵
PID:4440

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
337⤵
PID:2544

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
337⤵
PID:4340

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
338⤵
PID:4664

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
338⤵
PID:3392

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
339⤵
PID:1740

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
339⤵
PID:1880

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
339⤵
PID:3504

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
340⤵
PID:3688

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
340⤵
PID:4296

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
341⤵
PID:2700

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
341⤵
PID:1388

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
342⤵
PID:3356

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
342⤵
PID:4792

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
342⤵
PID:4184

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
343⤵
PID:3672

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
343⤵
PID:4628

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
343⤵
PID:1856

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
344⤵
PID:968

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
344⤵
PID:2996

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
345⤵
PID:1952

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
345⤵
PID:4960

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
346⤵
PID:220

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
346⤵
PID:3204

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
347⤵
PID:1820

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
347⤵
PID:748

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
348⤵
PID:2420

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
348⤵
PID:1648

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
348⤵
PID:4824

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
349⤵
PID:4148

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
349⤵
PID:428

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
349⤵
PID:1772

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
350⤵
PID:4600

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
350⤵
PID:4504

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
351⤵
PID:552

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
351⤵
PID:4576

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
352⤵
PID:1992

C:\Users\Admin\AppData\Local\Temp\transfer copy.exe
"C:\Users\Admin\AppData\Local\Temp\transfer copy.exe"
352⤵
PID:2544

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
353⤵
PID:3268

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/900-165-0x0000000000000000-mapping.dmp

Download
memory/968-152-0x0000000000000000-mapping.dmp

Download
memory/1008-199-0x0000000000000000-mapping.dmp

Download
memory/1028-174-0x0000000000000000-mapping.dmp

Download
memory/1028-140-0x0000000000000000-mapping.dmp

Download
memory/1096-182-0x0000000000000000-mapping.dmp

Download
memory/1176-173-0x0000000000000000-mapping.dmp

Download
memory/1296-178-0x0000000000000000-mapping.dmp

Download
memory/1356-163-0x0000000000000000-mapping.dmp

Download
memory/1388-197-0x0000000000000000-mapping.dmp

Download
memory/1416-156-0x0000000000000000-mapping.dmp

Download
memory/1416-190-0x0000000000000000-mapping.dmp

Download
memory/1484-172-0x0000000000000000-mapping.dmp

Download
memory/1548-170-0x0000000000000000-mapping.dmp

Download
memory/1644-154-0x0000000000000000-mapping.dmp

Download
memory/1648-200-0x0000000000000000-mapping.dmp

Download
memory/1664-193-0x0000000000000000-mapping.dmp

Download
memory/1708-162-0x0000000000000000-mapping.dmp

Download
memory/1732-150-0x0000000000000000-mapping.dmp

Download
memory/1760-137-0x0000000000000000-mapping.dmp

Download
memory/1840-169-0x0000000000000000-mapping.dmp

Download
memory/1844-148-0x0000000000000000-mapping.dmp

Download
memory/1952-139-0x0000000000000000-mapping.dmp

Download
memory/1992-184-0x0000000000000000-mapping.dmp

Download
memory/2012-187-0x0000000000000000-mapping.dmp

Download
memory/2260-135-0x00000000049B0000-0x00000000049B3000-memory.dmp

Filesize
12KB

Download
memory/2260-130-0x0000000000010000-0x00000000000BC000-memory.dmp

Filesize
688KB

Download
memory/2284-134-0x0000000005800000-0x0000000005892000-memory.dmp

Filesize
584KB

Download
memory/2284-138-0x0000000006720000-0x0000000006786000-memory.dmp

Filesize
408KB

Download
memory/2284-131-0x0000000000000000-mapping.dmp

Download
memory/2284-132-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2284-136-0x00000000058A0000-0x000000000593C000-memory.dmp

Filesize
624KB

Download
memory/2284-133-0x0000000005F30000-0x00000000064D4000-memory.dmp

Filesize
5.6MB

Download
memory/2316-168-0x0000000000000000-mapping.dmp

Download
memory/2348-198-0x0000000000000000-mapping.dmp

Download
memory/2748-166-0x0000000000000000-mapping.dmp

Download
memory/2988-192-0x0000000000000000-mapping.dmp

Download
memory/3116-141-0x0000000000000000-mapping.dmp

Download
memory/3168-189-0x0000000000000000-mapping.dmp

Download
memory/3192-144-0x0000000000000000-mapping.dmp

Download
memory/3292-161-0x0000000000000000-mapping.dmp

Download
memory/3312-160-0x0000000000000000-mapping.dmp

Download
memory/3340-183-0x0000000000000000-mapping.dmp

Download
memory/3528-181-0x0000000000000000-mapping.dmp

Download
memory/3532-153-0x0000000000000000-mapping.dmp

Download
memory/3556-157-0x0000000000000000-mapping.dmp

Download
memory/3604-171-0x0000000000000000-mapping.dmp

Download
memory/3716-158-0x0000000000000000-mapping.dmp

Download
memory/3808-186-0x0000000000000000-mapping.dmp

Download
memory/3844-191-0x0000000000000000-mapping.dmp

Download
memory/3892-142-0x0000000000000000-mapping.dmp

Download
memory/3952-151-0x0000000000000000-mapping.dmp

Download
memory/3964-179-0x0000000000000000-mapping.dmp

Download
memory/3996-185-0x0000000000000000-mapping.dmp

Download
memory/4056-155-0x0000000000000000-mapping.dmp

Download
memory/4088-196-0x0000000000000000-mapping.dmp

Download
memory/4172-177-0x0000000000000000-mapping.dmp

Download
memory/4172-145-0x0000000000000000-mapping.dmp

Download
memory/4272-194-0x0000000000000000-mapping.dmp

Download
memory/4456-149-0x0000000000000000-mapping.dmp

Download
memory/4468-159-0x0000000000000000-mapping.dmp

Download
memory/4516-143-0x0000000000000000-mapping.dmp

Download
memory/4520-175-0x0000000000000000-mapping.dmp

Download
memory/4600-180-0x0000000000000000-mapping.dmp

Download
memory/4696-147-0x0000000000000000-mapping.dmp

Download
memory/4760-176-0x0000000000000000-mapping.dmp

Download
memory/4780-188-0x0000000000000000-mapping.dmp

Download
memory/4788-146-0x0000000000000000-mapping.dmp

Download
memory/4792-195-0x0000000000000000-mapping.dmp

Download
memory/4944-167-0x0000000000000000-mapping.dmp

Download
memory/4988-164-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads