webmonitor | d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb

Analysis

max time kernel
168s
max time network
184s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
01-07-2022 05:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
Size

627KB
MD5

e3deaa2d0d0e8551a0e5aec0822b1b91
SHA1

fa8769f657dcac98042c2a3af1ced52fe98ef108
SHA256

d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb
SHA512

306b76d251aa7c59c6f09c5640d91e6c3d1df3a44e21d8a4458e5082634047204de0b939fcecf4404c527350e673f30723b40a2daf3dffd3a5f5e27bc55c8985

Score

10^/10

webmonitor backdoor infostealer rat upx

Malware Config

Extracted

Family

webmonitor

javalux111.wm01.to:443

Attributes

config_key
zekeDaEuDbc1YhvIHRdeIzXghxt4q89z
private_key
OvE194dh7
url_path
/recv5.php

Signatures

RevcodeRat, WebMonitorRat
WebMonitor is a remote access tool that you can use from any browser access to control, and monitor your phones, or PCs.
backdoor rat infostealer webmonitor

WebMonitor Payload 49 IoCs

resource	yara_rule
behavioral2/memory/4072-135-0x0000000000400000-0x00000000004F6000-memory.dmp	family_webmonitor
behavioral2/memory/4264-140-0x0000000000400000-0x00000000004F6000-memory.dmp	family_webmonitor
behavioral2/memory/1432-146-0x0000000000400000-0x00000000004F6000-memory.dmp	family_webmonitor
behavioral2/memory/1056-147-0x0000000000400000-0x00000000004F6000-memory.dmp	family_webmonitor
behavioral2/memory/3372-151-0x0000000000400000-0x00000000004F6000-memory.dmp	family_webmonitor
behavioral2/memory/3124-154-0x0000000005350000-0x000000000587C000-memory.dmp	family_webmonitor
behavioral2/memory/2196-155-0x0000000000400000-0x00000000004F6000-memory.dmp	family_webmonitor
behavioral2/memory/660-162-0x0000000000400000-0x00000000004F6000-memory.dmp	family_webmonitor
behavioral2/memory/3076-161-0x0000000000400000-0x00000000004F6000-memory.dmp	family_webmonitor
behavioral2/memory/3128-165-0x0000000004DB0000-0x00000000052DC000-memory.dmp	family_webmonitor
behavioral2/memory/1568-166-0x0000000000400000-0x00000000004F6000-memory.dmp	family_webmonitor
behavioral2/memory/948-171-0x0000000000400000-0x00000000004F6000-memory.dmp	family_webmonitor
behavioral2/memory/2196-176-0x0000000000400000-0x00000000004F6000-memory.dmp	family_webmonitor
behavioral2/memory/4296-178-0x0000000000400000-0x00000000004F6000-memory.dmp	family_webmonitor
behavioral2/memory/3760-179-0x0000000000400000-0x00000000004F6000-memory.dmp	family_webmonitor
behavioral2/memory/4348-185-0x0000000000400000-0x00000000004F6000-memory.dmp	family_webmonitor
behavioral2/memory/4072-190-0x0000000000400000-0x00000000004F6000-memory.dmp	family_webmonitor
behavioral2/memory/4420-191-0x0000000004E80000-0x00000000053AC000-memory.dmp	family_webmonitor
behavioral2/memory/60-192-0x0000000000400000-0x00000000004F6000-memory.dmp	family_webmonitor
behavioral2/memory/1972-193-0x0000000000400000-0x00000000004F6000-memory.dmp	family_webmonitor
behavioral2/memory/4264-197-0x0000000000400000-0x00000000004F6000-memory.dmp	family_webmonitor
behavioral2/memory/3388-202-0x0000000000400000-0x00000000004F6000-memory.dmp	family_webmonitor
behavioral2/memory/1692-200-0x0000000000400000-0x00000000004F6000-memory.dmp	family_webmonitor
behavioral2/memory/1432-206-0x0000000000400000-0x00000000004F6000-memory.dmp	family_webmonitor
behavioral2/memory/1056-207-0x0000000000400000-0x00000000004F6000-memory.dmp	family_webmonitor
behavioral2/memory/4196-208-0x00000000056B0000-0x0000000005BDC000-memory.dmp	family_webmonitor
behavioral2/memory/1388-209-0x0000000000400000-0x00000000004F6000-memory.dmp	family_webmonitor
behavioral2/memory/1176-210-0x0000000000400000-0x00000000004F6000-memory.dmp	family_webmonitor
behavioral2/memory/3372-213-0x0000000000400000-0x00000000004F6000-memory.dmp	family_webmonitor
behavioral2/memory/216-215-0x0000000000400000-0x00000000004F6000-memory.dmp	family_webmonitor
behavioral2/memory/660-216-0x0000000000400000-0x00000000004F6000-memory.dmp	family_webmonitor
behavioral2/memory/3076-217-0x0000000000400000-0x00000000004F6000-memory.dmp	family_webmonitor
behavioral2/memory/4348-219-0x0000000000400000-0x00000000004F6000-memory.dmp	family_webmonitor
behavioral2/memory/1568-221-0x0000000000400000-0x00000000004F6000-memory.dmp	family_webmonitor
behavioral2/memory/948-222-0x0000000000400000-0x00000000004F6000-memory.dmp	family_webmonitor
behavioral2/memory/4296-223-0x0000000000400000-0x00000000004F6000-memory.dmp	family_webmonitor
behavioral2/memory/3760-224-0x0000000000400000-0x00000000004F6000-memory.dmp	family_webmonitor
behavioral2/memory/216-226-0x0000000000400000-0x00000000004F6000-memory.dmp	family_webmonitor
behavioral2/memory/60-228-0x0000000000400000-0x00000000004F6000-memory.dmp	family_webmonitor
behavioral2/memory/1972-229-0x0000000000400000-0x00000000004F6000-memory.dmp	family_webmonitor
behavioral2/memory/3388-230-0x0000000000400000-0x00000000004F6000-memory.dmp	family_webmonitor
behavioral2/memory/1692-231-0x0000000000400000-0x00000000004F6000-memory.dmp	family_webmonitor
behavioral2/memory/1388-232-0x0000000000400000-0x00000000004F6000-memory.dmp	family_webmonitor
behavioral2/memory/1176-233-0x0000000000400000-0x00000000004F6000-memory.dmp	family_webmonitor
behavioral2/memory/1176-235-0x0000000000400000-0x00000000004F6000-memory.dmp	family_webmonitor
behavioral2/memory/1388-238-0x0000000000400000-0x00000000004F6000-memory.dmp	family_webmonitor
behavioral2/memory/3760-241-0x0000000000400000-0x00000000004F6000-memory.dmp	family_webmonitor
behavioral2/memory/3388-244-0x0000000000400000-0x00000000004F6000-memory.dmp	family_webmonitor
behavioral2/memory/1692-247-0x0000000000400000-0x00000000004F6000-memory.dmp	family_webmonitor

UPX packed file 45 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4072-135-0x0000000000400000-0x00000000004F6000-memory.dmp	upx
behavioral2/memory/4264-140-0x0000000000400000-0x00000000004F6000-memory.dmp	upx
behavioral2/memory/1432-146-0x0000000000400000-0x00000000004F6000-memory.dmp	upx
behavioral2/memory/1056-147-0x0000000000400000-0x00000000004F6000-memory.dmp	upx
behavioral2/memory/3372-151-0x0000000000400000-0x00000000004F6000-memory.dmp	upx
behavioral2/memory/2196-155-0x0000000000400000-0x00000000004F6000-memory.dmp	upx
behavioral2/memory/660-162-0x0000000000400000-0x00000000004F6000-memory.dmp	upx
behavioral2/memory/3076-161-0x0000000000400000-0x00000000004F6000-memory.dmp	upx
behavioral2/memory/1568-166-0x0000000000400000-0x00000000004F6000-memory.dmp	upx
behavioral2/memory/948-171-0x0000000000400000-0x00000000004F6000-memory.dmp	upx
behavioral2/memory/2196-176-0x0000000000400000-0x00000000004F6000-memory.dmp	upx
behavioral2/memory/4296-178-0x0000000000400000-0x00000000004F6000-memory.dmp	upx
behavioral2/memory/3760-179-0x0000000000400000-0x00000000004F6000-memory.dmp	upx
behavioral2/memory/4348-185-0x0000000000400000-0x00000000004F6000-memory.dmp	upx
behavioral2/memory/4072-190-0x0000000000400000-0x00000000004F6000-memory.dmp	upx
behavioral2/memory/60-192-0x0000000000400000-0x00000000004F6000-memory.dmp	upx
behavioral2/memory/1972-193-0x0000000000400000-0x00000000004F6000-memory.dmp	upx
behavioral2/memory/4264-197-0x0000000000400000-0x00000000004F6000-memory.dmp	upx
behavioral2/memory/3388-202-0x0000000000400000-0x00000000004F6000-memory.dmp	upx
behavioral2/memory/1692-200-0x0000000000400000-0x00000000004F6000-memory.dmp	upx
behavioral2/memory/1432-206-0x0000000000400000-0x00000000004F6000-memory.dmp	upx
behavioral2/memory/1056-207-0x0000000000400000-0x00000000004F6000-memory.dmp	upx
behavioral2/memory/1388-209-0x0000000000400000-0x00000000004F6000-memory.dmp	upx
behavioral2/memory/1176-210-0x0000000000400000-0x00000000004F6000-memory.dmp	upx
behavioral2/memory/3372-213-0x0000000000400000-0x00000000004F6000-memory.dmp	upx
behavioral2/memory/216-215-0x0000000000400000-0x00000000004F6000-memory.dmp	upx
behavioral2/memory/660-216-0x0000000000400000-0x00000000004F6000-memory.dmp	upx
behavioral2/memory/3076-217-0x0000000000400000-0x00000000004F6000-memory.dmp	upx
behavioral2/memory/4348-219-0x0000000000400000-0x00000000004F6000-memory.dmp	upx
behavioral2/memory/1568-221-0x0000000000400000-0x00000000004F6000-memory.dmp	upx
behavioral2/memory/948-222-0x0000000000400000-0x00000000004F6000-memory.dmp	upx
behavioral2/memory/4296-223-0x0000000000400000-0x00000000004F6000-memory.dmp	upx
behavioral2/memory/3760-224-0x0000000000400000-0x00000000004F6000-memory.dmp	upx
behavioral2/memory/216-226-0x0000000000400000-0x00000000004F6000-memory.dmp	upx
behavioral2/memory/60-228-0x0000000000400000-0x00000000004F6000-memory.dmp	upx
behavioral2/memory/1972-229-0x0000000000400000-0x00000000004F6000-memory.dmp	upx
behavioral2/memory/3388-230-0x0000000000400000-0x00000000004F6000-memory.dmp	upx
behavioral2/memory/1692-231-0x0000000000400000-0x00000000004F6000-memory.dmp	upx
behavioral2/memory/1388-232-0x0000000000400000-0x00000000004F6000-memory.dmp	upx
behavioral2/memory/1176-233-0x0000000000400000-0x00000000004F6000-memory.dmp	upx
behavioral2/memory/1176-235-0x0000000000400000-0x00000000004F6000-memory.dmp	upx
behavioral2/memory/1388-238-0x0000000000400000-0x00000000004F6000-memory.dmp	upx
behavioral2/memory/3760-241-0x0000000000400000-0x00000000004F6000-memory.dmp	upx
behavioral2/memory/3388-244-0x0000000000400000-0x00000000004F6000-memory.dmp	upx
behavioral2/memory/1692-247-0x0000000000400000-0x00000000004F6000-memory.dmp	upx

Checks computer location settings 2 TTPs 39 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	RegAsm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	RegAsm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	RegAsm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	RegAsm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	RegAsm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	RegAsm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	RegAsm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	RegAsm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	RegAsm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	RegAsm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	RegAsm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	RegAsm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	RegAsm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	RegAsm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	RegAsm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	RegAsm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	RegAsm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	RegAsm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	RegAsm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	RegAsm.exe

Suspicious use of SetThreadContext 20 IoCs

description	pid	Process	procid_target
PID 2236 set thread context of 4072	2236	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe	83
PID 4268 set thread context of 4264	4268	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe	86
PID 4600 set thread context of 1432	4600	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe	89
PID 4440 set thread context of 1056	4440	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe	91
PID 4216 set thread context of 3372	4216	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe	95
PID 3124 set thread context of 2196	3124	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe	97
PID 2368 set thread context of 3076	2368	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe	99
PID 1980 set thread context of 660	1980	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe	102
PID 3128 set thread context of 1568	3128	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe	104
PID 4452 set thread context of 948	4452	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe	106
PID 3364 set thread context of 4296	3364	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe	108
PID 1884 set thread context of 3760	1884	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe	110
PID 2260 set thread context of 4348	2260	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe	115
PID 3544 set thread context of 60	3544	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe	117
PID 4420 set thread context of 1972	4420	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe	120
PID 4736 set thread context of 1692	4736	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe	122
PID 4576 set thread context of 3388	4576	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe	124
PID 4100 set thread context of 1388	4100	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe	126
PID 4196 set thread context of 1176	4196	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe	129
PID 2572 set thread context of 216	2572	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe	132

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2236	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
2236	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
2236	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
2236	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
2236	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
2236	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
2236	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
2236	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
2236	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
2236	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
2236	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
2236	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
2236	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
2236	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
2236	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
2236	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
2236	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
2236	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
2236	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
2236	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
2236	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
2236	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
2236	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
2236	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
2236	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
2236	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
2236	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
2236	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
2236	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
2236	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
2236	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
2236	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
2236	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
2236	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
2236	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
2236	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
2236	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
2236	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
2236	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
2236	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
2236	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
2236	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
2236	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
2236	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
2236	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
2236	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
2236	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
2236	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
2236	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
2236	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
2236	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
2236	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
2236	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
2236	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
2236	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
2236	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
2236	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
2236	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
2236	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
2236	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
2236	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
2236	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
2236	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
2236	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe

Suspicious behavior: MapViewOfSection 31 IoCs

pid	Process
2236	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
2236	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
2236	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
4268	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
4268	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
4268	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
4600	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
4440	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
4440	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
4216	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
4216	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
3124	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
2368	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
2368	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
1980	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
3128	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
4452	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
3364	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
1884	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
1884	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
2260	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
3544	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
4420	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
4420	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
4736	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
4576	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
4100	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
4100	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
4196	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
4196	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
2572	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe

Suspicious use of AdjustPrivilegeToken 60 IoCs

description	pid	Process
Token: SeDebugPrivilege	2236	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
Token: SeDebugPrivilege	4268	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
Token: SeDebugPrivilege	4600	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
Token: SeDebugPrivilege	4440	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
Token: SeDebugPrivilege	4216	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
Token: SeDebugPrivilege	3124	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
Token: SeDebugPrivilege	2368	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
Token: SeShutdownPrivilege	4072	RegAsm.exe
Token: SeCreatePagefilePrivilege	4072	RegAsm.exe
Token: SeShutdownPrivilege	4264	RegAsm.exe
Token: SeCreatePagefilePrivilege	4264	RegAsm.exe
Token: SeDebugPrivilege	1980	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
Token: SeShutdownPrivilege	1432	RegAsm.exe
Token: SeCreatePagefilePrivilege	1432	RegAsm.exe
Token: SeDebugPrivilege	3128	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
Token: SeShutdownPrivilege	1056	RegAsm.exe
Token: SeCreatePagefilePrivilege	1056	RegAsm.exe
Token: SeDebugPrivilege	4452	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
Token: SeShutdownPrivilege	3372	RegAsm.exe
Token: SeCreatePagefilePrivilege	3372	RegAsm.exe
Token: SeDebugPrivilege	3364	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
Token: SeShutdownPrivilege	2196	RegAsm.exe
Token: SeCreatePagefilePrivilege	2196	RegAsm.exe
Token: SeDebugPrivilege	1884	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
Token: SeShutdownPrivilege	3076	RegAsm.exe
Token: SeCreatePagefilePrivilege	3076	RegAsm.exe
Token: SeDebugPrivilege	2260	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
Token: SeShutdownPrivilege	660	RegAsm.exe
Token: SeCreatePagefilePrivilege	660	RegAsm.exe
Token: SeDebugPrivilege	3544	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
Token: SeDebugPrivilege	4420	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
Token: SeShutdownPrivilege	1568	RegAsm.exe
Token: SeCreatePagefilePrivilege	1568	RegAsm.exe
Token: SeDebugPrivilege	4736	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
Token: SeDebugPrivilege	4576	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
Token: SeShutdownPrivilege	948	RegAsm.exe
Token: SeCreatePagefilePrivilege	948	RegAsm.exe
Token: SeDebugPrivilege	4100	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
Token: SeShutdownPrivilege	4296	RegAsm.exe
Token: SeCreatePagefilePrivilege	4296	RegAsm.exe
Token: SeShutdownPrivilege	3760	RegAsm.exe
Token: SeCreatePagefilePrivilege	3760	RegAsm.exe
Token: SeDebugPrivilege	4196	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
Token: SeShutdownPrivilege	4348	RegAsm.exe
Token: SeCreatePagefilePrivilege	4348	RegAsm.exe
Token: SeDebugPrivilege	2572	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
Token: SeShutdownPrivilege	60	RegAsm.exe
Token: SeCreatePagefilePrivilege	60	RegAsm.exe
Token: SeShutdownPrivilege	1972	RegAsm.exe
Token: SeCreatePagefilePrivilege	1972	RegAsm.exe
Token: SeShutdownPrivilege	1692	RegAsm.exe
Token: SeCreatePagefilePrivilege	1692	RegAsm.exe
Token: SeShutdownPrivilege	3388	RegAsm.exe
Token: SeCreatePagefilePrivilege	3388	RegAsm.exe
Token: SeShutdownPrivilege	1388	RegAsm.exe
Token: SeCreatePagefilePrivilege	1388	RegAsm.exe
Token: SeShutdownPrivilege	1176	RegAsm.exe
Token: SeCreatePagefilePrivilege	1176	RegAsm.exe
Token: SeShutdownPrivilege	216	RegAsm.exe
Token: SeCreatePagefilePrivilege	216	RegAsm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2236 wrote to memory of 4820	2236	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe	81
PID 2236 wrote to memory of 4820	2236	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe	81
PID 2236 wrote to memory of 4820	2236	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe	81
PID 2236 wrote to memory of 2216	2236	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe	82
PID 2236 wrote to memory of 2216	2236	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe	82
PID 2236 wrote to memory of 2216	2236	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe	82
PID 2236 wrote to memory of 4072	2236	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe	83
PID 2236 wrote to memory of 4072	2236	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe	83
PID 2236 wrote to memory of 4072	2236	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe	83
PID 2236 wrote to memory of 4072	2236	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe	83
PID 2236 wrote to memory of 4268	2236	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe	84
PID 2236 wrote to memory of 4268	2236	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe	84
PID 2236 wrote to memory of 4268	2236	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe	84
PID 4268 wrote to memory of 3056	4268	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe	85
PID 4268 wrote to memory of 3056	4268	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe	85
PID 4268 wrote to memory of 3056	4268	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe	85
PID 4268 wrote to memory of 2104	4268	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe	87
PID 4268 wrote to memory of 2104	4268	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe	87
PID 4268 wrote to memory of 2104	4268	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe	87
PID 4268 wrote to memory of 4264	4268	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe	86
PID 4268 wrote to memory of 4264	4268	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe	86
PID 4268 wrote to memory of 4264	4268	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe	86
PID 4268 wrote to memory of 4264	4268	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe	86
PID 4268 wrote to memory of 4600	4268	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe	88
PID 4268 wrote to memory of 4600	4268	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe	88
PID 4268 wrote to memory of 4600	4268	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe	88
PID 4600 wrote to memory of 1432	4600	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe	89
PID 4600 wrote to memory of 1432	4600	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe	89
PID 4600 wrote to memory of 1432	4600	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe	89
PID 4600 wrote to memory of 1432	4600	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe	89
PID 4600 wrote to memory of 4440	4600	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe	90
PID 4600 wrote to memory of 4440	4600	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe	90
PID 4600 wrote to memory of 4440	4600	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe	90
PID 4440 wrote to memory of 4364	4440	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe	92
PID 4440 wrote to memory of 4364	4440	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe	92
PID 4440 wrote to memory of 4364	4440	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe	92
PID 4440 wrote to memory of 1056	4440	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe	91
PID 4440 wrote to memory of 1056	4440	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe	91
PID 4440 wrote to memory of 1056	4440	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe	91
PID 4440 wrote to memory of 1056	4440	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe	91
PID 4440 wrote to memory of 4216	4440	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe	93
PID 4440 wrote to memory of 4216	4440	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe	93
PID 4440 wrote to memory of 4216	4440	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe	93
PID 4216 wrote to memory of 1072	4216	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe	94
PID 4216 wrote to memory of 1072	4216	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe	94
PID 4216 wrote to memory of 1072	4216	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe	94
PID 4216 wrote to memory of 3372	4216	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe	95
PID 4216 wrote to memory of 3372	4216	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe	95
PID 4216 wrote to memory of 3372	4216	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe	95
PID 4216 wrote to memory of 3372	4216	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe	95
PID 4216 wrote to memory of 3124	4216	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe	96
PID 4216 wrote to memory of 3124	4216	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe	96
PID 4216 wrote to memory of 3124	4216	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe	96
PID 3124 wrote to memory of 2196	3124	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe	97
PID 3124 wrote to memory of 2196	3124	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe	97
PID 3124 wrote to memory of 2196	3124	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe	97
PID 3124 wrote to memory of 2196	3124	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe	97
PID 3124 wrote to memory of 2368	3124	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe	98
PID 3124 wrote to memory of 2368	3124	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe	98
PID 3124 wrote to memory of 2368	3124	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe	98
PID 2368 wrote to memory of 4200	2368	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe	100
PID 2368 wrote to memory of 4200	2368	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe	100
PID 2368 wrote to memory of 4200	2368	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe	100
PID 2368 wrote to memory of 3076	2368	d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe	99

C:\Users\Admin\AppData\Local\Temp\d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
"C:\Users\Admin\AppData\Local\Temp\d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2236
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  PID:4820
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  PID:2216
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  PID:4072
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\w2lFf3UaxUXMheA8.bat" "
    3⤵
    PID:3360
- C:\Users\Admin\AppData\Local\Temp\d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
  "C:\Users\Admin\AppData\Local\Temp\d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4268
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:3056
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    - Checks computer location settings
    - Suspicious use of AdjustPrivilegeToken
    PID:4264
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dtWb03HLcwr6Iwbo.bat" "
      4⤵
      PID:3600
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:2104
- - C:\Users\Admin\AppData\Local\Temp\d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
    "C:\Users\Admin\AppData\Local\Temp\d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe"
    3⤵
    - Checks computer location settings
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4600
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      Checks computer location settings
      Suspicious use of AdjustPrivilegeToken
      PID:1432
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JlHxrYadGtApsE2z.bat" "
        5⤵
        
        PID:4632
  - - C:\Users\Admin\AppData\Local\Temp\d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
      "C:\Users\Admin\AppData\Local\Temp\d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe"
      4⤵
      Checks computer location settings
      Suspicious use of SetThreadContext
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4440
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        5⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:1056
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\0c2qh4uPvLTZTWTf.bat" "
        6⤵
        
        PID:3144
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        5⤵
        
        PID:4364
    - - C:\Users\Admin\AppData\Local\Temp\d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe"
        5⤵
        Checks computer location settings
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4216
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        6⤵
        
        PID:1072
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        6⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:3372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ddBaBFUOlyBbVwUC.bat" "
        7⤵
        
        PID:4732
      - C:\Users\Admin\AppData\Local\Temp\d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe"
        6⤵
        Checks computer location settings
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3124
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        7⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:2196
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jWFiopSAeIWWChlM.bat" "
        8⤵
        
        PID:3908
        
        C:\Users\Admin\AppData\Local\Temp\d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe"
        7⤵
        Checks computer location settings
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2368
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        8⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:3076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JVSx2EofQQUL6Evr.bat" "
        9⤵
        
        PID:1880
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        8⤵
        
        PID:4200
        
        C:\Users\Admin\AppData\Local\Temp\d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe"
        8⤵
        Checks computer location settings
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:1980
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        9⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:660
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zNDpskbR4so4hWMX.bat" "
        10⤵
        
        PID:3528
        
        C:\Users\Admin\AppData\Local\Temp\d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe"
        9⤵
        Checks computer location settings
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:3128
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        10⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:1568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gEyBjGujjL7oHonC.bat" "
        11⤵
        
        PID:4172
        
        C:\Users\Admin\AppData\Local\Temp\d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe"
        10⤵
        Checks computer location settings
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:4452
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        11⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\M6jXZliUNHRYs6Es.bat" "
        12⤵
        
        PID:4200
        
        C:\Users\Admin\AppData\Local\Temp\d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe"
        11⤵
        Checks computer location settings
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:3364
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        12⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:4296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zbso3Qoziu8Zu1FP.bat" "
        13⤵
        
        PID:4012
        
        C:\Users\Admin\AppData\Local\Temp\d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe"
        12⤵
        Checks computer location settings
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:1884
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        13⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:3760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MYYVw885Bq5Yn70c.bat" "
        14⤵
        
        PID:4016
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        13⤵
        
        PID:3644
        
        C:\Users\Admin\AppData\Local\Temp\d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe"
        13⤵
        Checks computer location settings
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:2260
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        14⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:4348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\606xoeMBnfpVgIko.bat" "
        15⤵
        
        PID:4148
        
        C:\Users\Admin\AppData\Local\Temp\d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe"
        14⤵
        Checks computer location settings
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:3544
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        15⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:60
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gSdAuw8lNMRJVKg5.bat" "
        16⤵
        
        PID:2928
        
        C:\Users\Admin\AppData\Local\Temp\d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe"
        15⤵
        Checks computer location settings
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:4420
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        16⤵
        
        PID:1484
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        16⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:1972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MKuWkRv2Xol35c7k.bat" "
        17⤵
        
        PID:1960
        
        C:\Users\Admin\AppData\Local\Temp\d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe"
        16⤵
        Checks computer location settings
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:4736
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        17⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:1692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3BfObxEoCH4nguYQ.bat" "
        18⤵
        
        PID:1492
        
        C:\Users\Admin\AppData\Local\Temp\d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe"
        17⤵
        Checks computer location settings
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:4576
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        18⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:3388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\j3QkSx26qjOWHCzb.bat" "
        19⤵
        
        PID:4036
        
        C:\Users\Admin\AppData\Local\Temp\d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe"
        18⤵
        Checks computer location settings
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:4100
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        19⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:1388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3QJNmdSqpIsIuPRo.bat" "
        20⤵
        
        PID:3600
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        19⤵
        
        PID:2888
        
        C:\Users\Admin\AppData\Local\Temp\d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe"
        19⤵
        Checks computer location settings
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:4196
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        20⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:1176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jHajd9F8UlC1UhsT.bat" "
        21⤵
        
        PID:4716
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        20⤵
        
        PID:5028
        
        C:\Users\Admin\AppData\Local\Temp\d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d0ad0b7647c5d8f05745070335039a2f8199d9ea789e5b223e707f84a9167cdb.exe"
        20⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:2572
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        21⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\P9LbT8Yu8DVl5zJ9.bat" "
        22⤵
        
        PID:1308

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0c2qh4uPvLTZTWTf.bat

Filesize
204B

MD5
8b48589e38359fbc5dc2aa20b8efb097

SHA1
86ca8e0b76485572285768f53ac8f576016825d8

SHA256
e4b62e2fbf3f708ddc4e2bc18a0a1fce42904c8adbfc83912c810648d9ccae99

SHA512
b3f3538b1b12880dfbc6ced06f17070dfa5da1c688acc7fe87f02dfc98dc13744ae301c9a86eb5b745303650fb12f53f6f897dee28c78d8aa6a504ee196d3cb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\3BfObxEoCH4nguYQ.bat

Filesize
204B

MD5
3edca4b54cc5a01e1a86a7a206d8732e

SHA1
a2bf4ebb765f157599e39ff0b84ce622d418a711

SHA256
7a9ba7c8ca3f240ba3f03090a970bcbf5a2a6c292981d467862aabaa1b2e0074

SHA512
2a2fed0f099a79e5e49d50a819b483c540c531f9252a24cf4d0da11deddfa6c270c1b6703e74980e3abbac57da25fea66a4ff11d203b94ff9c93565f35f78c03

Download Submit
C:\Users\Admin\AppData\Local\Temp\3QJNmdSqpIsIuPRo.bat

Filesize
204B

MD5
ba680a0483883d1d5f4ec55815f19182

SHA1
2e9abb65e4e0ba3199cbd2871f4319c74f5ee608

SHA256
054983845f0a6acd36a90948fdd5a35ff8978a5fc4d0c48e9569d2452836b18e

SHA512
d6ee76b2c05f9484f01502156be2accbb930f55b2143fec2189377b3bb9d21f33969398a116a90d6a80859a3fe56ede247417209ed2b55a7d6cbb88da7359e05

Download Submit
C:\Users\Admin\AppData\Local\Temp\606xoeMBnfpVgIko.bat

Filesize
204B

MD5
503c4928c30fe4d502467fb8cdf809ad

SHA1
7e892a1562231fb011efc426ee9fd7e94db2a4dc

SHA256
6816fb5abd3d051dd64e02829847b5a2aa85799d840b1cd02662d21028655b9b

SHA512
c9fa94f891d625eabdac131df03f71587c9b369d8179c5ef5b34a56b1f5e4add733dc7d78f7a8d1b26ced2e831abe008b123ddb5a173aace12bf96ce1441d69f

Download Submit
C:\Users\Admin\AppData\Local\Temp\JVSx2EofQQUL6Evr.bat

Filesize
204B

MD5
8d4e2ba6e351c4e2236641ee4fd7b113

SHA1
846460640ec166bb7e66c176fc74aee334d93c16

SHA256
f7438e1fa0ce62641d6b19210598dcce14a5f6ba177f32d209711acbeaa0e1dd

SHA512
662ace0f5b518f546d1b0a5439001ee249a90dc3bc1989376fd36c5b28d6ec4306093f53280086f01984630f35ed43236953022b428d9459bf7780a3296ee6a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\JlHxrYadGtApsE2z.bat

Filesize
204B

MD5
c84ab91327e8125efd6cec3075d57659

SHA1
42b2a0815dbc6f9c58efe21abfd06dc95eb10929

SHA256
5c4c229e5a999e974f12a7d5326ea4874a6737ff4d122e5b0c2ccd7b677db4a0

SHA512
a1f9c32d9b67dd0c15548513d248f391a5549ce0624fc987ac6c01b7e290135ba44cc8490a7c193fdfe21af532609afcf08d434256c10cbf2b4f8388ee8d9e44

Download Submit
C:\Users\Admin\AppData\Local\Temp\M6jXZliUNHRYs6Es.bat

Filesize
204B

MD5
7cd1a711ccd31357fb8417e8fd88d0f6

SHA1
65c1e13b06ce5f1dd5bf6c0fdabedf2cd41b472b

SHA256
4e5123e92dde428383bad185bf79e73cf6d4374789ba9672370cd0b2e541b940

SHA512
b747f8d9bcfdeaf9484525b4797f92cbff42f99ccef0d42456b4382d81efc58a4bd17991e1b98cd39e2d6b2e9699c83766d5ff74a09fd9edb684f869e410c649

Download Submit
C:\Users\Admin\AppData\Local\Temp\MKuWkRv2Xol35c7k.bat

Filesize
204B

MD5
cf7878a7094bbe7c6c888e6ee4958318

SHA1
2efa63ad15cbaef2b943c7853384585e2867db4b

SHA256
7ec8e5fb92b2a56df7c5b1163c50d581acfdcf35d32ea63ea183ad07a2ed5707

SHA512
a8f84f0f7a4087292f8854743200291f05cc8d5789243f58c56bf4ea89a69792b11ca4a453ac7e9dba329e3a341be89960b1b44d51e720e08660a0f847571a07

Download Submit
C:\Users\Admin\AppData\Local\Temp\MYYVw885Bq5Yn70c.bat

Filesize
204B

MD5
db4fb4c62ffa5660701b9e254dc58093

SHA1
4c6ddf5ed2916753ab68e326f6dac9beaea3aca0

SHA256
54a9238411d2396ec75e18b2825a2b6ec421537cdcf9bafbb631b54d2caed703

SHA512
bf7b63d1fb36472c037c61ac12759e710b264d8e4ef35f8698b125f6329b30b31d087d170a5ab8dba2a552ec8b330607b757a0f9ff03a99268962777448674b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\P9LbT8Yu8DVl5zJ9.bat

Filesize
204B

MD5
363cd86adb7f12797d4b5c3e88719691

SHA1
4d2950fc4cd3e4ba93cc602d513c9395da2cdf31

SHA256
65beaf27f49e3c7414274225ee733825f66aa5697ee0d555c25e535dab63eb69

SHA512
68dd3acd2e12832b6ef79b2ddbad054bedd2ff19b597498287f55bfa2c493f20610a396cbcf5aa50329ad064450b5e595021ee195658ea5a335aef7ce9cbeb8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ddBaBFUOlyBbVwUC.bat

Filesize
204B

MD5
5733d754b6f5778db0e1789e6991fcd8

SHA1
b20254ddcfaec9dac60c899d24313f1f7577bf50

SHA256
e6e602170288b1b2f4d8aa70c0ce1612d0cc0f4c5d907bf240af89f431ca64e6

SHA512
33d33727f9d337474a0f288bbb574b2f3a12313fcf990576b823f7a7b23a10c5a313b95653fb65fe22df02cdaa5bfc0319fe17e6cf0ac41052977bb1f56b9465

Download Submit
C:\Users\Admin\AppData\Local\Temp\dtWb03HLcwr6Iwbo.bat

Filesize
204B

MD5
a18c47a8d9939ce4a36b7525f35ee076

SHA1
bfd1c57162a305d9fd38001aff8c534d019d908a

SHA256
9a2770e3362f53212c60ba75dee420c49abcf2beb8b88159163e72feca0ae1b7

SHA512
db25d0b61ae7f7f6d4e792fdb233b02df9cee128a48e4692e714cee07bba3a55b79a93927ff2a3f60cdfd18b5202ceea0112150e306a68c38809a7b2d988afa9

Download Submit
C:\Users\Admin\AppData\Local\Temp\gEyBjGujjL7oHonC.bat

Filesize
204B

MD5
8518f7c144fef666e82d5f82243523cd

SHA1
76568eedff47a3077098c079d8ffa36b608474b4

SHA256
8f98cbd4eba4aa80b3e3afd4159f3f70efdb69c4481ea4fea6fdedb68d08e6bb

SHA512
7638822a2a8cc964fd8d338e6d238bdfa88941569758f54165b87361d0227c6e4c010358d9b8f41784b8495b4143fc055d97469650ea54899c3f65a2b8084b30

Download Submit
C:\Users\Admin\AppData\Local\Temp\gSdAuw8lNMRJVKg5.bat

Filesize
204B

MD5
c3dbe66d628b2b5677ebd1be56f5ca94

SHA1
993e090f518d4806666407495b575a9c06cf088c

SHA256
6a44c38666e0e9f2cc2e4c4dad9397116321e5b6892409586c6b19596b4c51da

SHA512
e1f8128a04aaac43fd787e90e4d0d21b6bc64bf1caacdcace053fe0c933ed1efae57ff47681f2364d4484917091974b261cd9c665c0a1d48fe34af1194cc209f

Download Submit
C:\Users\Admin\AppData\Local\Temp\j3QkSx26qjOWHCzb.bat

Filesize
204B

MD5
a6604be74d2a84453108bcf9eeb3002d

SHA1
2ecbe570f0c91b5bd1815558bf0f52bdba8cbfb6

SHA256
a0955bdac8ff4912d7755465e2c751548e99eae3b5ef93d7afeb4d3f040f5363

SHA512
1ee9565b197ff48e77dfdc8d144122689b7d1a059a2207419b1ad266992f699143eeaed75dd3ce0582e2279affda449dbeb1730454ebb3a00556f52b8340179c

Download Submit
C:\Users\Admin\AppData\Local\Temp\jHajd9F8UlC1UhsT.bat

Filesize
204B

MD5
6883fe49e61bba49feb3da2deca7abc3

SHA1
f010fbab3c865386c8b0ffa72cd7f093f69c473e

SHA256
cf7859db995693a832b17b1bf9d118e2f38f3b63436a4c23525d975852d5cf6e

SHA512
980a730db980839655410321233069b31dda6991e111b8c54c41e534031242c97468deb913c26e5799b9f12401ffc0c92342c8ffdb22b96abe675992b125d4c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\jWFiopSAeIWWChlM.bat

Filesize
204B

MD5
6f9a3f17b8177600e952ea572e1e7fe1

SHA1
0f3a219148bef24980fb5c2b5f1094b83734c7c1

SHA256
239ed0a537bfc5441a1a79c318d9e384eff262b60d8c89a4c1cd941113e70ffb

SHA512
7ae3b5cb9e37ed5eba17193f53899f63df801e17a9b0b4ec5a767c8bc5fc5c412a7842002e6947ca1cf12fa10bdc599cedb4ee59057626f88e647c8270267ae6

Download Submit
C:\Users\Admin\AppData\Local\Temp\w2lFf3UaxUXMheA8.bat

Filesize
204B

MD5
94d065513e3f5ca73bf030bfdc86fb32

SHA1
ce7af307c949fe4ad3b45c6c4f04129c54a45531

SHA256
5ef5a354cb37543bc4ea68bb0faf60b1197f8ca033464c6b89e7e523cda3bdc8

SHA512
0727f7fd647348ead5aab49ec68bb887c4fe28d86842821b618eb554fa2434a959677170c806da02bc0738fa5615b9a56e25a45620a814b32c66c6defeb3c20a

Download Submit
C:\Users\Admin\AppData\Local\Temp\zNDpskbR4so4hWMX.bat

Filesize
204B

MD5
197619f146269a4918700e5416ad3a92

SHA1
70ae99a96203fc82b888075dcfb1325c46ae2bdb

SHA256
fd3e35365a783e32d39a34379d39ae18cb7594a04a5d1eb119a8b959cf368ff8

SHA512
92058b88e64fe453f5d0b84ab45e575bfa6d2bc18e9803c5f614806b1d72ad6980398f6c0e928ad463d84d443d136236c5f09e2b38ad5e5c22cdd2336ad10aa1

Download Submit
C:\Users\Admin\AppData\Local\Temp\zbso3Qoziu8Zu1FP.bat

Filesize
204B

MD5
523db366b5ee09b7652d7f68a783c925

SHA1
d0210b5c85428e0c9ab1a0753c3e7d85f209a750

SHA256
c796ddf213f200f4c43d168045794a2dd34c3d374ad890a640c5bf98c12e8386

SHA512
0317e0926555ffd152b661a87c2a8ea13cc0e98f025da8be35dd1e247b1a6199c735336b7a981337a9eca2ee25736e058e3bcd1e7f38ce92c76c0e089abdf747

Download Submit
memory/60-192-0x0000000000400000-0x00000000004F6000-memory.dmp

Filesize
984KB

Download
memory/60-228-0x0000000000400000-0x00000000004F6000-memory.dmp

Filesize
984KB

Download
memory/216-215-0x0000000000400000-0x00000000004F6000-memory.dmp

Filesize
984KB

Download
memory/216-226-0x0000000000400000-0x00000000004F6000-memory.dmp

Filesize
984KB

Download
memory/660-216-0x0000000000400000-0x00000000004F6000-memory.dmp

Filesize
984KB

Download
memory/660-162-0x0000000000400000-0x00000000004F6000-memory.dmp

Filesize
984KB

Download
memory/948-222-0x0000000000400000-0x00000000004F6000-memory.dmp

Filesize
984KB

Download
memory/948-171-0x0000000000400000-0x00000000004F6000-memory.dmp

Filesize
984KB

Download
memory/1056-207-0x0000000000400000-0x00000000004F6000-memory.dmp

Filesize
984KB

Download
memory/1056-147-0x0000000000400000-0x00000000004F6000-memory.dmp

Filesize
984KB

Download
memory/1176-235-0x0000000000400000-0x00000000004F6000-memory.dmp

Filesize
984KB

Download
memory/1176-210-0x0000000000400000-0x00000000004F6000-memory.dmp

Filesize
984KB

Download
memory/1176-233-0x0000000000400000-0x00000000004F6000-memory.dmp

Filesize
984KB

Download
memory/1388-238-0x0000000000400000-0x00000000004F6000-memory.dmp

Filesize
984KB

Download
memory/1388-232-0x0000000000400000-0x00000000004F6000-memory.dmp

Filesize
984KB

Download
memory/1388-209-0x0000000000400000-0x00000000004F6000-memory.dmp

Filesize
984KB

Download
memory/1432-146-0x0000000000400000-0x00000000004F6000-memory.dmp

Filesize
984KB

Download
memory/1432-206-0x0000000000400000-0x00000000004F6000-memory.dmp

Filesize
984KB

Download
memory/1568-166-0x0000000000400000-0x00000000004F6000-memory.dmp

Filesize
984KB

Download
memory/1568-221-0x0000000000400000-0x00000000004F6000-memory.dmp

Filesize
984KB

Download
memory/1692-200-0x0000000000400000-0x00000000004F6000-memory.dmp

Filesize
984KB

Download
memory/1692-231-0x0000000000400000-0x00000000004F6000-memory.dmp

Filesize
984KB

Download
memory/1692-247-0x0000000000400000-0x00000000004F6000-memory.dmp

Filesize
984KB

Download
memory/1884-177-0x00000000049C0000-0x0000000004EEC000-memory.dmp

Filesize
5.2MB

Download
memory/1972-193-0x0000000000400000-0x00000000004F6000-memory.dmp

Filesize
984KB

Download
memory/1972-229-0x0000000000400000-0x00000000004F6000-memory.dmp

Filesize
984KB

Download
memory/1980-159-0x0000000004F00000-0x000000000542C000-memory.dmp

Filesize
5.2MB

Download
memory/2196-176-0x0000000000400000-0x00000000004F6000-memory.dmp

Filesize
984KB

Download
memory/2196-155-0x0000000000400000-0x00000000004F6000-memory.dmp

Filesize
984KB

Download
memory/2236-134-0x0000000005420000-0x000000000594C000-memory.dmp

Filesize
5.2MB

Download
memory/2236-132-0x0000000005610000-0x00000000056A2000-memory.dmp

Filesize
584KB

Download
memory/2236-131-0x0000000005950000-0x0000000005E7C000-memory.dmp

Filesize
5.2MB

Download
memory/2236-130-0x0000000000AD0000-0x0000000000B74000-memory.dmp

Filesize
656KB

Download
memory/2260-184-0x0000000005190000-0x00000000056BC000-memory.dmp

Filesize
5.2MB

Download
memory/2368-160-0x0000000005040000-0x000000000556C000-memory.dmp

Filesize
5.2MB

Download
memory/2572-214-0x0000000004D20000-0x000000000524C000-memory.dmp

Filesize
5.2MB

Download
memory/3076-161-0x0000000000400000-0x00000000004F6000-memory.dmp

Filesize
984KB

Download
memory/3076-217-0x0000000000400000-0x00000000004F6000-memory.dmp

Filesize
984KB

Download
memory/3124-154-0x0000000005350000-0x000000000587C000-memory.dmp

Filesize
5.2MB

Download
memory/3128-165-0x0000000004DB0000-0x00000000052DC000-memory.dmp

Filesize
5.2MB

Download
memory/3372-213-0x0000000000400000-0x00000000004F6000-memory.dmp

Filesize
984KB

Download
memory/3372-151-0x0000000000400000-0x00000000004F6000-memory.dmp

Filesize
984KB

Download
memory/3388-202-0x0000000000400000-0x00000000004F6000-memory.dmp

Filesize
984KB

Download
memory/3388-230-0x0000000000400000-0x00000000004F6000-memory.dmp

Filesize
984KB

Download
memory/3388-244-0x0000000000400000-0x00000000004F6000-memory.dmp

Filesize
984KB

Download
memory/3760-179-0x0000000000400000-0x00000000004F6000-memory.dmp

Filesize
984KB

Download
memory/3760-241-0x0000000000400000-0x00000000004F6000-memory.dmp

Filesize
984KB

Download
memory/3760-224-0x0000000000400000-0x00000000004F6000-memory.dmp

Filesize
984KB

Download
memory/4072-190-0x0000000000400000-0x00000000004F6000-memory.dmp

Filesize
984KB

Download
memory/4072-135-0x0000000000400000-0x00000000004F6000-memory.dmp

Filesize
984KB

Download
memory/4196-208-0x00000000056B0000-0x0000000005BDC000-memory.dmp

Filesize
5.2MB

Download
memory/4216-150-0x0000000004F20000-0x000000000544C000-memory.dmp

Filesize
5.2MB

Download
memory/4264-140-0x0000000000400000-0x00000000004F6000-memory.dmp

Filesize
984KB

Download
memory/4264-197-0x0000000000400000-0x00000000004F6000-memory.dmp

Filesize
984KB

Download
memory/4268-139-0x0000000005150000-0x000000000567C000-memory.dmp

Filesize
5.2MB

Download
memory/4296-178-0x0000000000400000-0x00000000004F6000-memory.dmp

Filesize
984KB

Download
memory/4296-223-0x0000000000400000-0x00000000004F6000-memory.dmp

Filesize
984KB

Download
memory/4348-219-0x0000000000400000-0x00000000004F6000-memory.dmp

Filesize
984KB

Download
memory/4348-185-0x0000000000400000-0x00000000004F6000-memory.dmp

Filesize
984KB

Download
memory/4420-191-0x0000000004E80000-0x00000000053AC000-memory.dmp

Filesize
5.2MB

Download
memory/4440-145-0x0000000004FE0000-0x000000000550C000-memory.dmp

Filesize
5.2MB

Download
memory/4452-170-0x00000000026F0000-0x00000000026F3000-memory.dmp

Filesize
12KB

Download
memory/4576-199-0x0000000004F10000-0x000000000543C000-memory.dmp

Filesize
5.2MB

Download
memory/4576-203-0x0000000004F10000-0x0000000004F24000-memory.dmp

Filesize
80KB

Download