nanocore | 3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de

Analysis

max time kernel
151s
max time network
140s
platform
windows7_x64
resource
win7-20220414-en
submitted
03-07-2022 08:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
Size

774KB
MD5

da609eb2e4ff25c05db64c9a53a96c97
SHA1

99997f99d2a0250fe1e185ab0c157b5311a2c6c6
SHA256

3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de
SHA512

3b6408cc4f42e7caa95c5667604496e57d9778c65619b8b49caf4bcfe2c6b011a57c2338964ec59d989bceb6f5e1de74f4c38cab20fd0812a9efbebef343d6e4

Score

10^/10

nanocore agilenet evasion keylogger persistence spyware stealer trojan

Malware Config

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

Drops startup file 2 IoCs

Processes:

3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HJdyTuap.exe	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HJdyTuap.exe	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe

Obfuscated with Agile.Net obfuscator 6 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
behavioral1/memory/304-56-0x00000000021D0000-0x000000000227E000-memory.dmp	agile_net
behavioral1/memory/1940-88-0x00000000003E0000-0x0000000000480000-memory.dmp	agile_net
behavioral1/memory/1624-99-0x0000000000220000-0x00000000002C0000-memory.dmp	agile_net
behavioral1/memory/1908-142-0x00000000004B0000-0x0000000000550000-memory.dmp	agile_net
behavioral1/memory/1380-170-0x00000000001B0000-0x0000000000250000-memory.dmp	agile_net
behavioral1/memory/1380-172-0x00000000001B0000-0x0000000000250000-memory.dmp	agile_net

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

RegAsm.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DSL Service = "C:\\Program Files (x86)\\DSL Service\\dslsv.exe"	RegAsm.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

RegAsm.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA RegAsm.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RegAsm.exe

Suspicious use of SetThreadContext 64 IoCs

Processes:

3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe

description	pid	process	target process
PID 304 set thread context of 1948	304	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	RegAsm.exe
PID 1360 set thread context of 1264	1360	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	RegAsm.exe
PID 1192 set thread context of 1308	1192	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	RegAsm.exe
PID 820 set thread context of 836	820	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	RegAsm.exe
PID 1940 set thread context of 1484	1940	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	RegAsm.exe
PID 1376 set thread context of 1612	1376	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	RegAsm.exe
PID 1624 set thread context of 904	1624	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	RegAsm.exe
PID 1224 set thread context of 1232	1224	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	RegAsm.exe
PID 788 set thread context of 792	788	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	RegAsm.exe
PID 1640 set thread context of 1080	1640	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	RegAsm.exe
PID 1472 set thread context of 1768	1472	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	RegAsm.exe
PID 1644 set thread context of 1140	1644	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	RegAsm.exe
PID 1908 set thread context of 2036	1908	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	RegAsm.exe
PID 1280 set thread context of 1812	1280	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	RegAsm.exe
PID 1188 set thread context of 1896	1188	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	RegAsm.exe
PID 560 set thread context of 1208	560	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	RegAsm.exe
PID 1380 set thread context of 1544	1380	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	RegAsm.exe
PID 1124 set thread context of 1636	1124	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	RegAsm.exe
PID 1412 set thread context of 1520	1412	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	RegAsm.exe
PID 2044 set thread context of 580	2044	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	RegAsm.exe
PID 1028 set thread context of 1216	1028	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	RegAsm.exe
PID 792 set thread context of 1832	792	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	RegAsm.exe
PID 784 set thread context of 996	784	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	RegAsm.exe
PID 1616 set thread context of 1536	1616	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	RegAsm.exe
PID 1664 set thread context of 1956	1664	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	RegAsm.exe
PID 1584 set thread context of 1748	1584	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	RegAsm.exe
PID 1332 set thread context of 1932	1332	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	RegAsm.exe
PID 1916 set thread context of 816	1916	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	RegAsm.exe
PID 1880 set thread context of 656	1880	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	RegAsm.exe
PID 1568 set thread context of 2032	1568	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	RegAsm.exe
PID 916 set thread context of 1152	916	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	RegAsm.exe
PID 1648 set thread context of 472	1648	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	RegAsm.exe
PID 1140 set thread context of 992	1140	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	RegAsm.exe
PID 1520 set thread context of 1056	1520	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	RegAsm.exe
PID 1392 set thread context of 1712	1392	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	RegAsm.exe
PID 1912 set thread context of 2004	1912	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	RegAsm.exe
PID 1812 set thread context of 1308	1812	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	RegAsm.exe
PID 1756 set thread context of 1888	1756	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	RegAsm.exe
PID 2028 set thread context of 1496	2028	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	RegAsm.exe
PID 1372 set thread context of 900	1372	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	RegAsm.exe
PID 1476 set thread context of 832	1476	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	RegAsm.exe
PID 1084 set thread context of 1964	1084	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	RegAsm.exe
PID 2036 set thread context of 1512	2036	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	RegAsm.exe
PID 1484 set thread context of 1228	1484	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	RegAsm.exe
PID 1668 set thread context of 1408	1668	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	RegAsm.exe
PID 1548 set thread context of 1532	1548	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	RegAsm.exe
PID 1936 set thread context of 1080	1936	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	RegAsm.exe
PID 752 set thread context of 1932	752	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	RegAsm.exe
PID 744 set thread context of 1700	744	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	RegAsm.exe
PID 1324 set thread context of 1056	1324	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	RegAsm.exe
PID 996 set thread context of 920	996	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	RegAsm.exe
PID 836 set thread context of 1208	836	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	RegAsm.exe
PID 1956 set thread context of 1516	1956	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	RegAsm.exe
PID 1176 set thread context of 1628	1176	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	RegAsm.exe
PID 1972 set thread context of 1108	1972	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	RegAsm.exe
PID 1092 set thread context of 1708	1092	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	RegAsm.exe
PID 1832 set thread context of 1984	1832	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	RegAsm.exe
PID 1300 set thread context of 1152	1300	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	RegAsm.exe
PID 1052 set thread context of 832	1052	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	RegAsm.exe
PID 904 set thread context of 900	904	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	RegAsm.exe
PID 1740 set thread context of 320	1740	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	RegAsm.exe
PID 1296 set thread context of 1064	1296	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	RegAsm.exe
PID 1096 set thread context of 1560	1096	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	RegAsm.exe
PID 1428 set thread context of 1636	1428	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	RegAsm.exe

Drops file in Program Files directory 2 IoCs

Processes:

RegAsm.exe

description	ioc	process
File created	C:\Program Files (x86)\DSL Service\dslsv.exe	RegAsm.exe
File opened for modification	C:\Program Files (x86)\DSL Service\dslsv.exe	RegAsm.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe

pid	process
304	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
304	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
304	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
304	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
304	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
304	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
304	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
304	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
304	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
304	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
304	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
304	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
304	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
304	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
304	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
304	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
304	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
304	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
304	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
304	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
304	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
304	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
304	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
304	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
304	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
304	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
304	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
304	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
304	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
304	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
304	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
304	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
304	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
304	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
304	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
304	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
304	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
304	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
304	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
304	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
304	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
304	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
304	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
304	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
304	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
304	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
304	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
304	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
304	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
304	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
304	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
304	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
304	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
304	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
304	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
304	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
304	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
304	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
304	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
304	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
304	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
304	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
304	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
304	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

RegAsm.exe

pid process

1948 RegAsm.exe

pid	process
1948	RegAsm.exe

Suspicious behavior: MapViewOfSection 64 IoCs

Processes:

pid	process
304	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
1360	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
1192	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
820	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
820	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
1940	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
1376	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
1624	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
1224	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
788	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
1640	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
1640	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
1472	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
1644	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
1908	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
1908	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
1280	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
1280	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
1280	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
1280	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
1188	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
560	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
1380	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
1124	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
1412	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
2044	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
1028	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
792	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
784	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
1616	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
1664	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
1664	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
1584	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
1332	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
1916	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
1880	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
1880	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
1880	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
1568	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
916	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
1648	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
1648	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
1140	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
1520	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
1392	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
1912	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
1912	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
1812	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
1756	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
2028	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
1372	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
1476	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
1084	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
2036	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
1484	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
1668	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
1548	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
1936	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
752	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
744	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
1324	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
996	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
836	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
836	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exeRegAsm.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe

description	pid	process
Token: SeDebugPrivilege	304	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
Token: SeDebugPrivilege	1360	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
Token: SeDebugPrivilege	1948	RegAsm.exe
Token: SeDebugPrivilege	1192	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
Token: SeDebugPrivilege	820	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
Token: SeDebugPrivilege	1940	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
Token: SeDebugPrivilege	1376	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
Token: SeDebugPrivilege	1624	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
Token: SeDebugPrivilege	1224	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
Token: SeDebugPrivilege	788	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
Token: SeDebugPrivilege	1640	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
Token: SeDebugPrivilege	1472	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
Token: SeDebugPrivilege	1644	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
Token: SeDebugPrivilege	1908	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
Token: SeDebugPrivilege	1280	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
Token: SeDebugPrivilege	1188	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
Token: SeDebugPrivilege	560	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
Token: SeDebugPrivilege	1380	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
Token: SeDebugPrivilege	1124	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
Token: SeDebugPrivilege	1412	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
Token: SeDebugPrivilege	2044	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
Token: SeDebugPrivilege	1028	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
Token: SeDebugPrivilege	792	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
Token: SeDebugPrivilege	784	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
Token: SeDebugPrivilege	1616	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
Token: SeDebugPrivilege	1664	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
Token: SeDebugPrivilege	1584	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
Token: SeDebugPrivilege	1332	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
Token: SeDebugPrivilege	1916	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
Token: SeDebugPrivilege	1880	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
Token: SeDebugPrivilege	1568	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
Token: SeDebugPrivilege	916	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
Token: SeDebugPrivilege	1648	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
Token: SeDebugPrivilege	1140	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
Token: SeDebugPrivilege	1520	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
Token: SeDebugPrivilege	1392	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
Token: SeDebugPrivilege	1912	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
Token: SeDebugPrivilege	1812	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
Token: SeDebugPrivilege	1756	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
Token: SeDebugPrivilege	2028	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
Token: SeDebugPrivilege	1372	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
Token: SeDebugPrivilege	1476	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
Token: SeDebugPrivilege	1084	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
Token: SeDebugPrivilege	2036	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
Token: SeDebugPrivilege	1484	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
Token: SeDebugPrivilege	1668	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
Token: SeDebugPrivilege	1548	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
Token: SeDebugPrivilege	1936	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
Token: SeDebugPrivilege	752	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
Token: SeDebugPrivilege	744	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
Token: SeDebugPrivilege	1324	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
Token: SeDebugPrivilege	996	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
Token: SeDebugPrivilege	836	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
Token: SeDebugPrivilege	1956	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
Token: SeDebugPrivilege	1176	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
Token: SeDebugPrivilege	1972	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
Token: SeDebugPrivilege	1092	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
Token: SeDebugPrivilege	1832	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
Token: SeDebugPrivilege	1300	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
Token: SeDebugPrivilege	1052	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
Token: SeDebugPrivilege	904	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
Token: SeDebugPrivilege	1740	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
Token: SeDebugPrivilege	1296	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
Token: SeDebugPrivilege	1096	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	process	target process
PID 304 wrote to memory of 1948	304	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	RegAsm.exe
PID 304 wrote to memory of 1948	304	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	RegAsm.exe
PID 304 wrote to memory of 1948	304	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	RegAsm.exe
PID 304 wrote to memory of 1948	304	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	RegAsm.exe
PID 304 wrote to memory of 1948	304	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	RegAsm.exe
PID 304 wrote to memory of 1948	304	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	RegAsm.exe
PID 304 wrote to memory of 1948	304	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	RegAsm.exe
PID 304 wrote to memory of 1948	304	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	RegAsm.exe
PID 304 wrote to memory of 1360	304	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
PID 304 wrote to memory of 1360	304	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
PID 304 wrote to memory of 1360	304	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
PID 304 wrote to memory of 1360	304	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
PID 1360 wrote to memory of 1264	1360	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	RegAsm.exe
PID 1360 wrote to memory of 1264	1360	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	RegAsm.exe
PID 1360 wrote to memory of 1264	1360	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	RegAsm.exe
PID 1360 wrote to memory of 1264	1360	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	RegAsm.exe
PID 1360 wrote to memory of 1264	1360	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	RegAsm.exe
PID 1360 wrote to memory of 1264	1360	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	RegAsm.exe
PID 1360 wrote to memory of 1264	1360	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	RegAsm.exe
PID 1360 wrote to memory of 1264	1360	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	RegAsm.exe
PID 1360 wrote to memory of 1192	1360	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
PID 1360 wrote to memory of 1192	1360	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
PID 1360 wrote to memory of 1192	1360	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
PID 1360 wrote to memory of 1192	1360	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
PID 1192 wrote to memory of 1308	1192	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	RegAsm.exe
PID 1192 wrote to memory of 1308	1192	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	RegAsm.exe
PID 1192 wrote to memory of 1308	1192	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	RegAsm.exe
PID 1192 wrote to memory of 1308	1192	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	RegAsm.exe
PID 1192 wrote to memory of 1308	1192	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	RegAsm.exe
PID 1192 wrote to memory of 1308	1192	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	RegAsm.exe
PID 1192 wrote to memory of 1308	1192	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	RegAsm.exe
PID 1192 wrote to memory of 1308	1192	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	RegAsm.exe
PID 1192 wrote to memory of 820	1192	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
PID 1192 wrote to memory of 820	1192	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
PID 1192 wrote to memory of 820	1192	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
PID 1192 wrote to memory of 820	1192	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
PID 820 wrote to memory of 792	820	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	RegAsm.exe
PID 820 wrote to memory of 792	820	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	RegAsm.exe
PID 820 wrote to memory of 792	820	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	RegAsm.exe
PID 820 wrote to memory of 792	820	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	RegAsm.exe
PID 820 wrote to memory of 792	820	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	RegAsm.exe
PID 820 wrote to memory of 792	820	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	RegAsm.exe
PID 820 wrote to memory of 792	820	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	RegAsm.exe
PID 820 wrote to memory of 836	820	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	RegAsm.exe
PID 820 wrote to memory of 836	820	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	RegAsm.exe
PID 820 wrote to memory of 836	820	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	RegAsm.exe
PID 820 wrote to memory of 836	820	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	RegAsm.exe
PID 820 wrote to memory of 836	820	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	RegAsm.exe
PID 820 wrote to memory of 836	820	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	RegAsm.exe
PID 820 wrote to memory of 836	820	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	RegAsm.exe
PID 820 wrote to memory of 836	820	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	RegAsm.exe
PID 820 wrote to memory of 1940	820	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
PID 820 wrote to memory of 1940	820	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
PID 820 wrote to memory of 1940	820	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
PID 820 wrote to memory of 1940	820	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
PID 1940 wrote to memory of 1484	1940	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	RegAsm.exe
PID 1940 wrote to memory of 1484	1940	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	RegAsm.exe
PID 1940 wrote to memory of 1484	1940	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	RegAsm.exe
PID 1940 wrote to memory of 1484	1940	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	RegAsm.exe
PID 1940 wrote to memory of 1484	1940	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	RegAsm.exe
PID 1940 wrote to memory of 1484	1940	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	RegAsm.exe
PID 1940 wrote to memory of 1484	1940	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	RegAsm.exe
PID 1940 wrote to memory of 1484	1940	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	RegAsm.exe
PID 1940 wrote to memory of 1376	1940	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:304

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
2⤵
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1948

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
2⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1360

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
3⤵
PID:1264

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1192

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
4⤵
PID:1308

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
4⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:820

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
5⤵
PID:792

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
5⤵
PID:836

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
5⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1940

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
6⤵
PID:1484

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
6⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1376

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
7⤵
PID:1612

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
7⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1624

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
8⤵
PID:904

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
8⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1224

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
9⤵
PID:1232

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
9⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:788

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
10⤵
PID:792

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
10⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1640

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
11⤵
PID:2008

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
11⤵
PID:1080

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
11⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1472

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
12⤵
PID:1768

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
12⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1644

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
13⤵
PID:1140

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
13⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1908

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
14⤵
PID:108

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
14⤵
PID:2036

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
14⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1280

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
15⤵
PID:1888

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
15⤵
PID:1996

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
15⤵
PID:996

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
15⤵
PID:1812

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
15⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1188

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
16⤵
PID:1896

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
16⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:560

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
17⤵
PID:1208

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
17⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1380

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
18⤵
PID:1544

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
18⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1124

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
19⤵
PID:1636

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
19⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1412

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
20⤵
PID:1520

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
20⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2044

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
21⤵
PID:580

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
21⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1028

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
22⤵
PID:1216

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
22⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:792

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
23⤵
PID:1832

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
23⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:784

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
24⤵
PID:996

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
24⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1616

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
25⤵
PID:1536

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
25⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1664

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
26⤵
PID:1484

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
26⤵
PID:1956

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
26⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1584

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
27⤵
PID:1748

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
27⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1332

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
28⤵
PID:1932

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
28⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1916

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
29⤵
PID:816

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
29⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1880

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
30⤵
PID:656

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
30⤵
PID:992

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
30⤵
PID:1648

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
30⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1568

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
31⤵
PID:2032

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
31⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:916

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
32⤵
PID:1152

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
32⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1648

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
33⤵
PID:1972

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
33⤵
PID:472

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
33⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1140

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
34⤵
PID:992

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
34⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1520

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
35⤵
PID:1056

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
35⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1392

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
36⤵
PID:1712

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
36⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1912

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
37⤵
PID:2004

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
37⤵
PID:1992

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
37⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1812

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
38⤵
PID:1308

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
38⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1756

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
39⤵
PID:1888

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
39⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2028

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
40⤵
PID:1496

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
40⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1372

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
41⤵
PID:900

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
41⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1476

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
42⤵
PID:832

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
42⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1084

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
43⤵
PID:1964

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
43⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2036

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
44⤵
PID:1512

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
44⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1484

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
45⤵
PID:1228

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
45⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1668

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
46⤵
PID:1408

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
46⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1548

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
47⤵
PID:1532

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
47⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1936

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
48⤵
PID:1080

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
48⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:752

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
49⤵
PID:1932

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
49⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:744

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
50⤵
PID:1700

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
50⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1324

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
51⤵
PID:1056

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
51⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:996

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
52⤵
PID:920

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
52⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:836

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
53⤵
PID:1888

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
53⤵
PID:1208

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
53⤵
PID:1156

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
53⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1956

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
54⤵
PID:1516

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
54⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1176

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
55⤵
PID:1628

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
55⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1972

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
56⤵
PID:1108

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
56⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1092

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
57⤵
PID:1708

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
57⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1832

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
58⤵
PID:1984

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
58⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1300

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
59⤵
PID:1152

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
59⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1052

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
60⤵
PID:832

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
60⤵
PID:680

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
60⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:904

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
61⤵
PID:900

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
61⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1740

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
62⤵
PID:1768

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
62⤵
PID:320

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
62⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1296

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
63⤵
PID:1064

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
63⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1096

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
64⤵
PID:1560

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
64⤵
- Suspicious use of SetThreadContext
PID:1428

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
65⤵
PID:1636

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
65⤵
PID:1348

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
66⤵
PID:1612

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
66⤵
PID:972

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
67⤵
PID:1604

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
67⤵
PID:1828

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
68⤵
PID:1056

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
68⤵
PID:1712

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
68⤵
PID:1080

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
68⤵
PID:1628

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
69⤵
PID:1888

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
69⤵
PID:1964

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
70⤵
PID:1704

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
70⤵
PID:1996

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
71⤵
PID:676

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
71⤵
PID:928

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
72⤵
PID:1904

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
72⤵
PID:1608

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
73⤵
PID:1344

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
73⤵
PID:1232

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
74⤵
PID:1544

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
74⤵
PID:612

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
75⤵
PID:1216

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
75⤵
PID:1152

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
76⤵
PID:1556

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
76⤵
PID:1496

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
77⤵
PID:992

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
77⤵
PID:240

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
78⤵
PID:2064

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
78⤵
PID:2100

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
79⤵
PID:2160

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
79⤵
PID:2196

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
80⤵
PID:2260

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
80⤵
PID:2268

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HJdyTuap.exe
Filesize
776KB

MD5
ec28274a73ead48e813aa2501fa6193c

SHA1
d099d0610e33ae17c5f882d687cf2a79e35b7995

SHA256
e498b37b6f2aaad456500850259f4ebab274f5dfb0e23292c85acfe7dfac0c6b

SHA512
92c0a17e79756cfffb17f3c94d21ef50a6c9d31442127f1aeec3d94696c3f244514fe7713e13ed9167cdc961ff823397ccdff82df8a2271b60f04b762e254706

Download Submit
memory/304-54-0x0000000000930000-0x00000000009F8000-memory.dmp

Filesize
800KB

Download
memory/304-59-0x00000000002D0000-0x00000000002D3000-memory.dmp

Filesize
12KB

Download
memory/304-57-0x00000000022F0000-0x000000000236E000-memory.dmp

Filesize
504KB

Download
memory/304-58-0x0000000075311000-0x0000000075313000-memory.dmp

Filesize
8KB

Download
memory/304-55-0x0000000000230000-0x0000000000238000-memory.dmp

Filesize
32KB

Download
memory/304-56-0x00000000021D0000-0x000000000227E000-memory.dmp

Filesize
696KB

Download
memory/304-62-0x00000000002E0000-0x00000000002E3000-memory.dmp

Filesize
12KB

Download
memory/472-273-0x000000000041E792-mapping.dmp

Download
memory/560-160-0x0000000000420000-0x00000000004C0000-memory.dmp

Filesize
640KB

Download
memory/560-158-0x0000000000000000-mapping.dmp

Download
memory/580-197-0x0000000070DA0000-0x000000007134B000-memory.dmp

Filesize
5.7MB

Download
memory/580-190-0x000000000041E792-mapping.dmp

Download
memory/656-254-0x000000000041E792-mapping.dmp

Download
memory/784-210-0x0000000000000000-mapping.dmp

Download
memory/788-108-0x0000000000000000-mapping.dmp

Download
memory/788-113-0x0000000000270000-0x0000000000310000-memory.dmp

Filesize
640KB

Download
memory/792-180-0x0000000070DA0000-0x000000007134B000-memory.dmp

Filesize
5.7MB

Download
memory/792-187-0x0000000070DA0000-0x000000007134B000-memory.dmp

Filesize
5.7MB

Download
memory/792-112-0x0000000070DA0000-0x000000007134B000-memory.dmp

Filesize
5.7MB

Download
memory/792-110-0x000000000041E792-mapping.dmp

Download
memory/792-202-0x0000000000000000-mapping.dmp

Download
memory/816-248-0x000000000041E792-mapping.dmp

Download
memory/820-75-0x0000000000000000-mapping.dmp

Download
memory/820-80-0x00000000002B0000-0x0000000000350000-memory.dmp

Filesize
640KB

Download
memory/820-83-0x00000000002B0000-0x0000000000350000-memory.dmp

Filesize
640KB

Download
memory/836-151-0x0000000070DA0000-0x000000007134B000-memory.dmp

Filesize
5.7MB

Download
memory/836-77-0x000000000041E792-mapping.dmp

Download
memory/836-79-0x0000000070DA0000-0x000000007134B000-memory.dmp

Filesize
5.7MB

Download
memory/836-147-0x0000000070DA0000-0x000000007134B000-memory.dmp

Filesize
5.7MB

Download
memory/904-173-0x0000000070DA0000-0x000000007134B000-memory.dmp

Filesize
5.7MB

Download
memory/904-96-0x000000000041E792-mapping.dmp

Download
memory/904-171-0x0000000070DA0000-0x000000007134B000-memory.dmp

Filesize
5.7MB

Download
memory/904-98-0x0000000070DA0000-0x000000007134B000-memory.dmp

Filesize
5.7MB

Download
memory/916-264-0x0000000000000000-mapping.dmp

Download
memory/996-212-0x000000000041E792-mapping.dmp

Download
memory/1028-195-0x0000000000000000-mapping.dmp

Download
memory/1080-119-0x0000000070DA0000-0x000000007134B000-memory.dmp

Filesize
5.7MB

Download
memory/1080-116-0x000000000041E792-mapping.dmp

Download
memory/1080-193-0x0000000070DA0000-0x000000007134B000-memory.dmp

Filesize
5.7MB

Download
memory/1080-194-0x0000000070DA0000-0x000000007134B000-memory.dmp

Filesize
5.7MB

Download
memory/1124-174-0x0000000000000000-mapping.dmp

Download
memory/1140-133-0x0000000070DA0000-0x000000007134B000-memory.dmp

Filesize
5.7MB

Download
memory/1140-277-0x0000000000000000-mapping.dmp

Download
memory/1140-129-0x000000000041E792-mapping.dmp

Download
memory/1152-266-0x000000000041E792-mapping.dmp

Download
memory/1188-150-0x0000000000000000-mapping.dmp

Download
memory/1192-69-0x0000000000000000-mapping.dmp

Download
memory/1208-162-0x000000000041E792-mapping.dmp

Download
memory/1208-169-0x0000000070DA0000-0x000000007134B000-memory.dmp

Filesize
5.7MB

Download
memory/1216-198-0x000000000041E792-mapping.dmp

Download
memory/1224-107-0x0000000000360000-0x0000000000400000-memory.dmp

Filesize
640KB

Download
memory/1224-106-0x0000000000360000-0x0000000000400000-memory.dmp

Filesize
640KB

Download
memory/1224-100-0x0000000000000000-mapping.dmp

Download
memory/1232-177-0x0000000070DA0000-0x000000007134B000-memory.dmp

Filesize
5.7MB

Download
memory/1232-105-0x0000000070DA0000-0x000000007134B000-memory.dmp

Filesize
5.7MB

Download
memory/1232-181-0x0000000070DA0000-0x000000007134B000-memory.dmp

Filesize
5.7MB

Download
memory/1232-103-0x000000000041E792-mapping.dmp

Download
memory/1264-131-0x0000000070DA0000-0x000000007134B000-memory.dmp

Filesize
5.7MB

Download
memory/1264-66-0x000000000041E792-mapping.dmp

Download
memory/1264-68-0x0000000070DA0000-0x000000007134B000-memory.dmp

Filesize
5.7MB

Download
memory/1264-137-0x0000000070DA0000-0x000000007134B000-memory.dmp

Filesize
5.7MB

Download
memory/1280-139-0x0000000000000000-mapping.dmp

Download
memory/1308-144-0x0000000070DA0000-0x000000007134B000-memory.dmp

Filesize
5.7MB

Download
memory/1308-72-0x000000000041E792-mapping.dmp

Download
memory/1308-140-0x0000000070DA0000-0x000000007134B000-memory.dmp

Filesize
5.7MB

Download
memory/1308-74-0x0000000070DA0000-0x000000007134B000-memory.dmp

Filesize
5.7MB

Download
memory/1332-235-0x0000000000000000-mapping.dmp

Download
memory/1360-64-0x0000000000000000-mapping.dmp

Download
memory/1376-89-0x0000000000000000-mapping.dmp

Download
memory/1380-172-0x00000000001B0000-0x0000000000250000-memory.dmp

Filesize
640KB

Download
memory/1380-170-0x00000000001B0000-0x0000000000250000-memory.dmp

Filesize
640KB

Download
memory/1380-165-0x0000000000000000-mapping.dmp

Download
memory/1412-182-0x0000000000000000-mapping.dmp

Download
memory/1472-120-0x0000000000000000-mapping.dmp

Download
memory/1484-85-0x000000000041E792-mapping.dmp

Download
memory/1484-157-0x0000000070DA0000-0x000000007134B000-memory.dmp

Filesize
5.7MB

Download
memory/1484-156-0x0000000070DA0000-0x000000007134B000-memory.dmp

Filesize
5.7MB

Download
memory/1484-87-0x0000000070DA0000-0x000000007134B000-memory.dmp

Filesize
5.7MB

Download
memory/1520-185-0x000000000041E792-mapping.dmp

Download
memory/1520-192-0x0000000070DA0000-0x000000007134B000-memory.dmp

Filesize
5.7MB

Download
memory/1536-219-0x000000000041E792-mapping.dmp

Download
memory/1544-167-0x000000000041E792-mapping.dmp

Download
memory/1544-176-0x0000000070DA0000-0x000000007134B000-memory.dmp

Filesize
5.7MB

Download
memory/1568-257-0x0000000000000000-mapping.dmp

Download
memory/1584-230-0x0000000000000000-mapping.dmp

Download
memory/1612-161-0x0000000070DA0000-0x000000007134B000-memory.dmp

Filesize
5.7MB

Download
memory/1612-164-0x0000000070DA0000-0x000000007134B000-memory.dmp

Filesize
5.7MB

Download
memory/1612-91-0x000000000041E792-mapping.dmp

Download
memory/1612-93-0x0000000070DA0000-0x000000007134B000-memory.dmp

Filesize
5.7MB

Download
memory/1616-217-0x0000000000000000-mapping.dmp

Download
memory/1624-94-0x0000000000000000-mapping.dmp

Download
memory/1624-99-0x0000000000220000-0x00000000002C0000-memory.dmp

Filesize
640KB

Download
memory/1624-101-0x0000000000220000-0x00000000002C0000-memory.dmp

Filesize
640KB

Download
memory/1636-178-0x000000000041E792-mapping.dmp

Download
memory/1636-184-0x0000000070DA0000-0x000000007134B000-memory.dmp

Filesize
5.7MB

Download
memory/1640-114-0x0000000000000000-mapping.dmp

Download
memory/1640-122-0x0000000000240000-0x00000000002E0000-memory.dmp

Filesize
640KB

Download
memory/1640-121-0x0000000000240000-0x00000000002E0000-memory.dmp

Filesize
640KB

Download
memory/1644-126-0x0000000000000000-mapping.dmp

Download
memory/1648-270-0x0000000000000000-mapping.dmp

Download
memory/1664-223-0x0000000000000000-mapping.dmp

Download
memory/1748-232-0x000000000041E792-mapping.dmp

Download
memory/1768-199-0x0000000070DA0000-0x000000007134B000-memory.dmp

Filesize
5.7MB

Download
memory/1768-124-0x000000000041E792-mapping.dmp

Download
memory/1768-201-0x0000000070DA0000-0x000000007134B000-memory.dmp

Filesize
5.7MB

Download
memory/1768-127-0x0000000070DA0000-0x000000007134B000-memory.dmp

Filesize
5.7MB

Download
memory/1812-145-0x000000000041E792-mapping.dmp

Download
memory/1812-149-0x0000000070DA0000-0x000000007134B000-memory.dmp

Filesize
5.7MB

Download
memory/1832-207-0x000000000041E792-mapping.dmp

Download
memory/1880-250-0x0000000000000000-mapping.dmp

Download
memory/1896-155-0x0000000070DA0000-0x000000007134B000-memory.dmp

Filesize
5.7MB

Download
memory/1896-153-0x000000000041E792-mapping.dmp

Download
memory/1908-132-0x0000000000000000-mapping.dmp

Download
memory/1908-142-0x00000000004B0000-0x0000000000550000-memory.dmp

Filesize
640KB

Download
memory/1908-141-0x00000000004B0000-0x0000000000550000-memory.dmp

Filesize
640KB

Download
memory/1916-242-0x0000000000000000-mapping.dmp

Download
memory/1932-240-0x000000000041E792-mapping.dmp

Download
memory/1940-88-0x00000000003E0000-0x0000000000480000-memory.dmp

Filesize
640KB

Download
memory/1940-82-0x0000000000000000-mapping.dmp

Download
memory/1948-148-0x0000000000356000-0x0000000000367000-memory.dmp

Filesize
68KB

Download
memory/1948-118-0x0000000070DA0000-0x000000007134B000-memory.dmp

Filesize
5.7MB

Download
memory/1948-81-0x0000000000356000-0x0000000000367000-memory.dmp

Filesize
68KB

Download
memory/1948-63-0x0000000070DA0000-0x000000007134B000-memory.dmp

Filesize
5.7MB

Download
memory/1948-60-0x000000000041E792-mapping.dmp

Download
memory/1956-226-0x000000000041E792-mapping.dmp

Download
memory/2032-259-0x000000000041E792-mapping.dmp

Download
memory/2036-138-0x0000000070DA0000-0x000000007134B000-memory.dmp

Filesize
5.7MB

Download
memory/2036-135-0x000000000041E792-mapping.dmp

Download
memory/2044-188-0x0000000000000000-mapping.dmp

Download