nanocore | 3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de

Analysis

max time kernel
174s
max time network
172s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
03-07-2022 08:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
Size

774KB
MD5

da609eb2e4ff25c05db64c9a53a96c97
SHA1

99997f99d2a0250fe1e185ab0c157b5311a2c6c6
SHA256

3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de
SHA512

3b6408cc4f42e7caa95c5667604496e57d9778c65619b8b49caf4bcfe2c6b011a57c2338964ec59d989bceb6f5e1de74f4c38cab20fd0812a9efbebef343d6e4

Score

10^/10

nanocore evasion keylogger persistence spyware stealer trojan

Malware Config

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe

Drops startup file 2 IoCs

Processes:

3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HJdyTuap.exe	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HJdyTuap.exe	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

RegAsm.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\TCP Service = "C:\\Program Files (x86)\\TCP Service\\tcpsvc.exe"	RegAsm.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

RegAsm.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA RegAsm.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RegAsm.exe

Suspicious use of SetThreadContext 64 IoCs

Processes:

description	pid	process	target process
PID 3988 set thread context of 3852	3988	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	RegAsm.exe
PID 1876 set thread context of 884	1876	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	RegAsm.exe
PID 2916 set thread context of 3148	2916	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	RegAsm.exe
PID 1908 set thread context of 2288	1908	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	RegAsm.exe
PID 3188 set thread context of 3104	3188	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	RegAsm.exe
PID 640 set thread context of 2756	640	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	RegAsm.exe
PID 1584 set thread context of 3308	1584	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	RegAsm.exe
PID 2772 set thread context of 3216	2772	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	RegAsm.exe
PID 2012 set thread context of 2272	2012	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	RegAsm.exe
PID 2792 set thread context of 2024	2792	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	RegAsm.exe
PID 1944 set thread context of 3684	1944	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	RegAsm.exe
PID 3256 set thread context of 1360	3256	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	RegAsm.exe
PID 2108 set thread context of 3376	2108	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	RegAsm.exe
PID 1100 set thread context of 2300	1100	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	RegAsm.exe
PID 2520 set thread context of 3840	2520	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	RegAsm.exe
PID 1444 set thread context of 1432	1444	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	RegAsm.exe
PID 2532 set thread context of 1648	2532	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	RegAsm.exe
PID 2752 set thread context of 4036	2752	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	RegAsm.exe
PID 420 set thread context of 2536	420	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	RegAsm.exe
PID 2488 set thread context of 4020	2488	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	RegAsm.exe
PID 2512 set thread context of 112	2512	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	RegAsm.exe
PID 1120 set thread context of 3488	1120	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	RegAsm.exe
PID 3988 set thread context of 2268	3988	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	RegAsm.exe
PID 3872 set thread context of 4044	3872	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	RegAsm.exe
PID 4064 set thread context of 2028	4064	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	RegAsm.exe
PID 3968 set thread context of 788	3968	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	RegAsm.exe
PID 956 set thread context of 800	956	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	RegAsm.exe
PID 3900 set thread context of 2832	3900	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	RegAsm.exe
PID 1500 set thread context of 4020	1500	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	RegAsm.exe
PID 876 set thread context of 1852	876	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	RegAsm.exe
PID 4084 set thread context of 1248	4084	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	RegAsm.exe
PID 636 set thread context of 3992	636	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	RegAsm.exe
PID 3460 set thread context of 3168	3460	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	RegAsm.exe
PID 980 set thread context of 3840	980	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	RegAsm.exe
PID 1516 set thread context of 1652	1516	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	RegAsm.exe
PID 3736 set thread context of 2212	3736	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	RegAsm.exe
PID 2788 set thread context of 792	2788	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	RegAsm.exe
PID 1764 set thread context of 3488	1764	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	RegAsm.exe
PID 2768 set thread context of 3516	2768	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	RegAsm.exe
PID 1944 set thread context of 1500	1944	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	RegAsm.exe
PID 1656 set thread context of 1584	1656	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	RegAsm.exe
PID 2852 set thread context of 736	2852	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	RegAsm.exe
PID 2756 set thread context of 1900	2756	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	RegAsm.exe
PID 1028 set thread context of 3044	1028	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	RegAsm.exe
PID 1436 set thread context of 552	1436	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	RegAsm.exe
PID 2284 set thread context of 1804	2284	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	RegAsm.exe
PID 3128 set thread context of 1604	3128	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	RegAsm.exe
PID 3812 set thread context of 1656	3812	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	RegAsm.exe
PID 792 set thread context of 3180	792	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	RegAsm.exe
PID 2112 set thread context of 3992	2112	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	RegAsm.exe
PID 2272 set thread context of 752	2272	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	RegAsm.exe
PID 3036 set thread context of 3056	3036	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	RegAsm.exe
PID 2628 set thread context of 3912	2628	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	RegAsm.exe
PID 1908 set thread context of 3648	1908	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	RegAsm.exe
PID 1416 set thread context of 2640	1416	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	RegAsm.exe
PID 1456 set thread context of 3460	1456	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	RegAsm.exe
PID 3488 set thread context of 4044	3488	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	RegAsm.exe
PID 64 set thread context of 3412	64	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	RegAsm.exe
PID 3484 set thread context of 2284	3484	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	RegAsm.exe
PID 636 set thread context of 876	636	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	RegAsm.exe
PID 4020 set thread context of 3180	4020	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	RegAsm.exe
PID 1768 set thread context of 3992	1768	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	RegAsm.exe
PID 2272 set thread context of 1464	2272	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	RegAsm.exe
PID 2600 set thread context of 3488	2600	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	RegAsm.exe

Drops file in Program Files directory 2 IoCs

Processes:

RegAsm.exe

description	ioc	process
File created	C:\Program Files (x86)\TCP Service\tcpsvc.exe	RegAsm.exe
File opened for modification	C:\Program Files (x86)\TCP Service\tcpsvc.exe	RegAsm.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe

pid	process
3988	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
3988	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
3988	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
3988	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
3988	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
3988	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
3988	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
3988	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
3988	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
3988	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
3988	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
3988	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
3988	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
3988	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
3988	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
3988	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
3988	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
3988	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
3988	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
3988	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
3988	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
3988	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
3988	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
3988	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
3988	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
3988	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
3988	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
3988	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
3988	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
3988	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
3988	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
3988	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
3988	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
3988	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
3988	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
3988	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
3988	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
3988	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
3988	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
3988	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
3988	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
3988	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
3988	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
3988	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
3988	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
3988	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
3988	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
3988	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
3988	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
3988	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
3988	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
3988	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
3988	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
3988	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
3988	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
3988	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
3988	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
3988	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
3988	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
3988	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
3988	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
3988	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
3988	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
3988	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

RegAsm.exe

pid process

884 RegAsm.exe

pid	process
884	RegAsm.exe

Suspicious behavior: MapViewOfSection 64 IoCs

Processes:

pid	process
3988	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
1876	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
2916	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
1908	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
1908	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
3188	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
3188	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
640	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
1584	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
1584	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
1584	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
2772	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
2012	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
2012	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
2012	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
2792	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
2792	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
1944	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
3256	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
3256	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
3256	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
2108	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
1100	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
2520	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
2520	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
1444	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
2532	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
2752	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
420	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
2488	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
2512	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
2512	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
1120	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
3988	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
3988	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
3872	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
4064	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
3968	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
956	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
3900	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
1500	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
876	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
4084	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
636	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
3460	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
980	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
1516	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
3736	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
3736	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
2788	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
1764	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
2768	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
1944	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
1656	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
2852	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
2756	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
1028	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
1028	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
1436	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
2284	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
3128	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
3812	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
792	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
2112	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exeRegAsm.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe

description	pid	process
Token: SeDebugPrivilege	3988	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
Token: SeDebugPrivilege	1876	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
Token: SeDebugPrivilege	2916	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
Token: SeDebugPrivilege	1908	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
Token: SeDebugPrivilege	884	RegAsm.exe
Token: SeDebugPrivilege	3188	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
Token: SeDebugPrivilege	640	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
Token: SeDebugPrivilege	1584	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
Token: SeDebugPrivilege	2772	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
Token: SeDebugPrivilege	2012	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
Token: SeDebugPrivilege	2792	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
Token: SeDebugPrivilege	1944	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
Token: SeDebugPrivilege	3256	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
Token: SeDebugPrivilege	2108	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
Token: SeDebugPrivilege	1100	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
Token: SeDebugPrivilege	2520	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
Token: SeDebugPrivilege	1444	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
Token: SeDebugPrivilege	2532	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
Token: SeDebugPrivilege	2752	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
Token: SeDebugPrivilege	420	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
Token: SeDebugPrivilege	2488	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
Token: SeDebugPrivilege	2512	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
Token: SeDebugPrivilege	1120	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
Token: SeDebugPrivilege	3988	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
Token: SeDebugPrivilege	3872	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
Token: SeDebugPrivilege	4064	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
Token: SeDebugPrivilege	3968	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
Token: SeDebugPrivilege	956	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
Token: SeDebugPrivilege	3900	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
Token: SeDebugPrivilege	1500	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
Token: SeDebugPrivilege	876	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
Token: SeDebugPrivilege	4084	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
Token: SeDebugPrivilege	636	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
Token: SeDebugPrivilege	3460	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
Token: SeDebugPrivilege	980	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
Token: SeDebugPrivilege	1516	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
Token: SeDebugPrivilege	3736	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
Token: SeDebugPrivilege	2788	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
Token: SeDebugPrivilege	1764	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
Token: SeDebugPrivilege	2768	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
Token: SeDebugPrivilege	1944	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
Token: SeDebugPrivilege	1656	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
Token: SeDebugPrivilege	2852	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
Token: SeDebugPrivilege	2756	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
Token: SeDebugPrivilege	1028	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
Token: SeDebugPrivilege	1436	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
Token: SeDebugPrivilege	2284	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
Token: SeDebugPrivilege	3128	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
Token: SeDebugPrivilege	3812	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
Token: SeDebugPrivilege	792	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
Token: SeDebugPrivilege	2112	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
Token: SeDebugPrivilege	2272	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
Token: SeDebugPrivilege	3036	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
Token: SeDebugPrivilege	2628	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
Token: SeDebugPrivilege	1908	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
Token: SeDebugPrivilege	1416	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
Token: SeDebugPrivilege	1456	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
Token: SeDebugPrivilege	3488	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
Token: SeDebugPrivilege	64	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
Token: SeDebugPrivilege	3484	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
Token: SeDebugPrivilege	636	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
Token: SeDebugPrivilege	4020	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
Token: SeDebugPrivilege	1768	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
Token: SeDebugPrivilege	2272	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	process	target process
PID 3988 wrote to memory of 3852	3988	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	RegAsm.exe
PID 3988 wrote to memory of 3852	3988	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	RegAsm.exe
PID 3988 wrote to memory of 3852	3988	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	RegAsm.exe
PID 3988 wrote to memory of 3852	3988	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	RegAsm.exe
PID 3988 wrote to memory of 1876	3988	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
PID 3988 wrote to memory of 1876	3988	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
PID 3988 wrote to memory of 1876	3988	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
PID 1876 wrote to memory of 884	1876	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	RegAsm.exe
PID 1876 wrote to memory of 884	1876	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	RegAsm.exe
PID 1876 wrote to memory of 884	1876	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	RegAsm.exe
PID 1876 wrote to memory of 884	1876	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	RegAsm.exe
PID 1876 wrote to memory of 2916	1876	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
PID 1876 wrote to memory of 2916	1876	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
PID 1876 wrote to memory of 2916	1876	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
PID 2916 wrote to memory of 3148	2916	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	RegAsm.exe
PID 2916 wrote to memory of 3148	2916	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	RegAsm.exe
PID 2916 wrote to memory of 3148	2916	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	RegAsm.exe
PID 2916 wrote to memory of 3148	2916	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	RegAsm.exe
PID 2916 wrote to memory of 1908	2916	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
PID 2916 wrote to memory of 1908	2916	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
PID 2916 wrote to memory of 1908	2916	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
PID 1908 wrote to memory of 2852	1908	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	RegAsm.exe
PID 1908 wrote to memory of 2852	1908	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	RegAsm.exe
PID 1908 wrote to memory of 2852	1908	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	RegAsm.exe
PID 1908 wrote to memory of 2288	1908	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	RegAsm.exe
PID 1908 wrote to memory of 2288	1908	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	RegAsm.exe
PID 1908 wrote to memory of 2288	1908	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	RegAsm.exe
PID 1908 wrote to memory of 2288	1908	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	RegAsm.exe
PID 1908 wrote to memory of 3188	1908	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
PID 1908 wrote to memory of 3188	1908	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
PID 1908 wrote to memory of 3188	1908	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
PID 3188 wrote to memory of 1724	3188	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	RegAsm.exe
PID 3188 wrote to memory of 1724	3188	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	RegAsm.exe
PID 3188 wrote to memory of 1724	3188	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	RegAsm.exe
PID 3188 wrote to memory of 3104	3188	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	RegAsm.exe
PID 3188 wrote to memory of 3104	3188	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	RegAsm.exe
PID 3188 wrote to memory of 3104	3188	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	RegAsm.exe
PID 3188 wrote to memory of 3104	3188	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	RegAsm.exe
PID 3188 wrote to memory of 640	3188	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
PID 3188 wrote to memory of 640	3188	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
PID 3188 wrote to memory of 640	3188	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
PID 640 wrote to memory of 2756	640	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	RegAsm.exe
PID 640 wrote to memory of 2756	640	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	RegAsm.exe
PID 640 wrote to memory of 2756	640	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	RegAsm.exe
PID 640 wrote to memory of 2756	640	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	RegAsm.exe
PID 640 wrote to memory of 1584	640	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
PID 640 wrote to memory of 1584	640	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
PID 640 wrote to memory of 1584	640	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
PID 1584 wrote to memory of 3660	1584	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	RegAsm.exe
PID 1584 wrote to memory of 3660	1584	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	RegAsm.exe
PID 1584 wrote to memory of 3660	1584	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	RegAsm.exe
PID 1584 wrote to memory of 2168	1584	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	RegAsm.exe
PID 1584 wrote to memory of 2168	1584	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	RegAsm.exe
PID 1584 wrote to memory of 2168	1584	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	RegAsm.exe
PID 1584 wrote to memory of 3308	1584	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	RegAsm.exe
PID 1584 wrote to memory of 3308	1584	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	RegAsm.exe
PID 1584 wrote to memory of 3308	1584	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	RegAsm.exe
PID 1584 wrote to memory of 3308	1584	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	RegAsm.exe
PID 1584 wrote to memory of 2772	1584	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
PID 1584 wrote to memory of 2772	1584	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
PID 1584 wrote to memory of 2772	1584	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
PID 2772 wrote to memory of 3216	2772	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	RegAsm.exe
PID 2772 wrote to memory of 3216	2772	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	RegAsm.exe
PID 2772 wrote to memory of 3216	2772	3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3988

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
2⤵
PID:3852

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
2⤵
- Checks computer location settings
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1876

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
3⤵
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:884

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2916

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
4⤵
PID:3148

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
4⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1908

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
5⤵
PID:2852

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
5⤵
PID:2288

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
5⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3188

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
6⤵
PID:1724

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
6⤵
PID:3104

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
6⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:640

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
7⤵
PID:2756

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
7⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1584

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
8⤵
PID:3660

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
8⤵
PID:2168

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
8⤵
PID:3308

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
8⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2772

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
9⤵
PID:3216

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
9⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2012

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
10⤵
PID:3432

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
10⤵
PID:3436

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
10⤵
PID:2272

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
10⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2792

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
11⤵
PID:2024

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
11⤵
PID:1264

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
11⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1944

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
12⤵
PID:3684

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
12⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3256

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
13⤵
PID:1360

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
13⤵
PID:2556

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
13⤵
PID:2160

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
13⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2108

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
14⤵
PID:3376

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
14⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1100

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
15⤵
PID:2300

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
15⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2520

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
16⤵
PID:3068

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
16⤵
PID:3840

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
16⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1444

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
17⤵
PID:1432

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
17⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2532

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
18⤵
PID:1648

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
18⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2752

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
19⤵
PID:4036

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
19⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:420

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
20⤵
PID:2536

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
20⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2488

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
21⤵
PID:4020

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
21⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2512

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
22⤵
PID:2640

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
22⤵
PID:112

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
22⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1120

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
23⤵
PID:3488

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
23⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3988

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
24⤵
PID:3900

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
24⤵
PID:2268

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
24⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3872

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
25⤵
PID:4044

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
25⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4064

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
26⤵
PID:2028

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
26⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3968

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
27⤵
PID:788

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
27⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:956

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
28⤵
PID:800

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
28⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3900

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
29⤵
PID:2832

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
29⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1500

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
30⤵
PID:4020

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
30⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:876

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
31⤵
PID:1852

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
31⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4084

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
32⤵
PID:1248

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
32⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:636

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
33⤵
PID:3992

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
33⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3460

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
34⤵
PID:3168

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
34⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:980

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
35⤵
PID:3840

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
35⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1516

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
36⤵
PID:1652

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
36⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3736

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
37⤵
PID:2488

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
37⤵
PID:2212

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
37⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2788

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
38⤵
PID:792

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
38⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1764

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
39⤵
PID:3488

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
39⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2768

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
40⤵
PID:3516

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
40⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1944

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
41⤵
PID:1500

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
41⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1656

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
42⤵
PID:1584

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
42⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2852

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
43⤵
PID:736

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
43⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2756

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
44⤵
PID:1900

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
44⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1028

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
45⤵
PID:2600

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
45⤵
PID:3044

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
45⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1436

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
46⤵
PID:552

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
46⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2284

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
47⤵
PID:1804

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
47⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3128

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
48⤵
PID:1604

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
48⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3812

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
49⤵
PID:1656

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
49⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:792

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
50⤵
PID:3180

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
50⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2112

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
51⤵
PID:3992

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
51⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2272

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
52⤵
PID:752

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
52⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:3036

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
53⤵
PID:3724

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
53⤵
PID:3056

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
53⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2628

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
54⤵
PID:2528

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
54⤵
PID:3912

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
54⤵
PID:1516

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
54⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1908

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
55⤵
PID:3648

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
55⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1416

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
56⤵
PID:2640

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
56⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1456

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
57⤵
PID:3460

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
57⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:3488

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
58⤵
PID:3432

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
58⤵
PID:4044

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
58⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:64

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
59⤵
PID:3412

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
59⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:3484

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
60⤵
PID:2284

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
60⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:636

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
61⤵
PID:876

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
61⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:4020

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
62⤵
PID:3180

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
62⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1768

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
63⤵
PID:3992

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
63⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2272

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
64⤵
PID:1464

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
64⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
PID:2600

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
65⤵
PID:3488

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
65⤵
- Checks computer location settings
PID:3056

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
66⤵
PID:2120

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
66⤵
- Checks computer location settings
PID:2844

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
67⤵
PID:3484

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
67⤵
PID:2832

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
67⤵
PID:1728

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
68⤵
PID:620

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
68⤵
- Checks computer location settings
PID:3440

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
69⤵
PID:2852

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
69⤵
PID:3724

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
70⤵
PID:2836

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
70⤵
- Checks computer location settings
PID:788

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
71⤵
PID:760

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
71⤵
PID:436

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
72⤵
PID:1120

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
72⤵
PID:1680

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
73⤵
PID:3736

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
73⤵
PID:1248

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
73⤵
PID:2232

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
73⤵
- Checks computer location settings
PID:3944

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
74⤵
PID:2996

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
74⤵
PID:3648

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
74⤵
PID:2404

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
75⤵
PID:2640

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
75⤵
PID:3352

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
76⤵
PID:3684

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
76⤵
- Checks computer location settings
PID:1100

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
77⤵
PID:2208

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
77⤵
- Checks computer location settings
PID:1492

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
78⤵
PID:112

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
78⤵
PID:3712

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
79⤵
PID:1780

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
79⤵
PID:1516

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
79⤵
PID:3968

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
79⤵
- Checks computer location settings
PID:3044

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
80⤵
PID:2752

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
80⤵
PID:3500

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
81⤵
PID:2928

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
81⤵
- Checks computer location settings
PID:3796

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
82⤵
PID:2112

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
82⤵
- Checks computer location settings
PID:3032

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
83⤵
PID:1676

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
83⤵
PID:316

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
84⤵
PID:1808

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
84⤵
PID:1584

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
85⤵
PID:1516

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
85⤵
- Checks computer location settings
PID:1248

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
86⤵
PID:3452

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
86⤵
- Checks computer location settings
PID:636

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
87⤵
PID:3620

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
87⤵
PID:3260

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
87⤵
- Checks computer location settings
PID:3180

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
88⤵
PID:3168

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
88⤵
PID:3536

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
89⤵
PID:3944

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
89⤵
- Checks computer location settings
PID:2208

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
90⤵
PID:112

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
90⤵
- Checks computer location settings
PID:1852

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
91⤵
PID:796

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
91⤵
- Checks computer location settings
PID:436

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
92⤵
PID:488

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
92⤵
- Checks computer location settings
PID:3036

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
93⤵
PID:1456

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
93⤵
PID:2104

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
93⤵
PID:2844

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
94⤵
PID:3516

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
94⤵
- Checks computer location settings
PID:1684

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
95⤵
PID:3992

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
95⤵
PID:3908

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
96⤵
PID:1648

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
96⤵
PID:4064

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
97⤵
PID:1876

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
97⤵
PID:2768

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
98⤵
PID:1444

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
98⤵
- Checks computer location settings
PID:1896

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
99⤵
PID:2224

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
99⤵
- Checks computer location settings
PID:2272

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
100⤵
PID:2416

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
100⤵
PID:1680

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
101⤵
PID:1144

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
101⤵
- Checks computer location settings
PID:3944

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
102⤵
PID:1800

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
102⤵
PID:876

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
102⤵
- Checks computer location settings
PID:3300

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
103⤵
PID:1728

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
103⤵
PID:1900

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
104⤵
PID:544

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
104⤵
- Checks computer location settings
PID:3920

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
105⤵
PID:3464

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
105⤵
PID:824

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
106⤵
PID:3168

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
106⤵
- Checks computer location settings
PID:3184

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
107⤵
PID:1464

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
107⤵
PID:2528

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
107⤵
PID:3052

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
107⤵
PID:2888

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
108⤵
PID:2012

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
108⤵
- Checks computer location settings
PID:760

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
109⤵
PID:1800

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
109⤵
PID:1964

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
110⤵
PID:2832

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
110⤵
PID:3468

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
111⤵
PID:3164

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
111⤵
PID:2652

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
112⤵
PID:2632

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
112⤵
PID:3952

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
113⤵
PID:3568

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
113⤵
PID:1808

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
113⤵
PID:1412

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
114⤵
PID:2628

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
114⤵
PID:3156

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
114⤵
PID:112

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
115⤵
PID:2852

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
115⤵
- Checks computer location settings
PID:1600

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
116⤵
PID:2284

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
116⤵
PID:2616

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
116⤵
PID:1904

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
117⤵
PID:3404

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
117⤵
- Checks computer location settings
PID:1448

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
118⤵
PID:1136

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
118⤵
- Checks computer location settings
PID:2600

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
119⤵
PID:3460

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
119⤵
- Checks computer location settings
PID:1484

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
120⤵
PID:3400

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
120⤵
PID:1140

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
120⤵
PID:3944

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
120⤵
- Checks computer location settings
PID:624

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
121⤵
PID:3568

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
121⤵
PID:1456

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
122⤵
PID:1580

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
122⤵
PID:1268

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
123⤵
PID:3412

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
123⤵
PID:1724

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
123⤵
- Checks computer location settings
PID:1992

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
124⤵
PID:3644

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
124⤵
PID:3664

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
124⤵
PID:1604

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
125⤵
PID:3112

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
125⤵
PID:1032

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
126⤵
PID:1500

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
126⤵
PID:2512

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
127⤵
PID:584

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
127⤵
- Checks computer location settings
PID:1684

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
128⤵
PID:1416

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
128⤵
PID:3052

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
128⤵
- Checks computer location settings
PID:2828

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
129⤵
PID:1464

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
129⤵
PID:1104

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
130⤵
PID:1852

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
130⤵
- Checks computer location settings
PID:956

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
131⤵
PID:2836

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
131⤵
- Checks computer location settings
PID:3444

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
132⤵
PID:1872

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
132⤵
PID:1984

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
133⤵
PID:2160

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
133⤵
PID:1412

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
134⤵
PID:484

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
134⤵
PID:2768

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
135⤵
PID:3752

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
135⤵
PID:3432

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
136⤵
PID:1088

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
136⤵
PID:1028

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
137⤵
PID:3168

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
137⤵
PID:1484

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
137⤵
PID:1544

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
138⤵
PID:3492

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
138⤵
- Checks computer location settings
PID:1732

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
139⤵
PID:1964

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
139⤵
PID:2088

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
140⤵
PID:3404

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
140⤵
PID:2608

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
141⤵
PID:3908

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
141⤵
PID:1116

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
141⤵
PID:456

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
141⤵
- Checks computer location settings
PID:544

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
142⤵
PID:3452

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
142⤵
PID:824

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
142⤵
PID:3052

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
142⤵
- Checks computer location settings
PID:1984

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
143⤵
PID:1464

C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe
"C:\Users\Admin\AppData\Local\Temp\3c094942e47ddfc79c9ffa196ad2537dbce8b97841fb01e1d62fbc803e3317de.exe"
143⤵
PID:1412

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
144⤵
PID:3932

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\RegAsm.exe.log
Filesize
496B

MD5
5b4789d01bb4d7483b71e1a35bce6a8b

SHA1
de083f2131c9a763c0d1810c97a38732146cffbf

SHA256
e248cef9500ed6e0c9f99d72a2a6a36955a5f0cfc0725748ef25a733cc8282f6

SHA512
357e18ef30430e4b9cc4f2569b9735b1cd12f934c83162e4de78ac29ba9703b63ddb624ccc22afd5a5868f6e9d91a3c64581846abac22e9625f5b2e3d80b3ede

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\RegAsm.exe.log
Filesize
496B

MD5
5b4789d01bb4d7483b71e1a35bce6a8b

SHA1
de083f2131c9a763c0d1810c97a38732146cffbf

SHA256
e248cef9500ed6e0c9f99d72a2a6a36955a5f0cfc0725748ef25a733cc8282f6

SHA512
357e18ef30430e4b9cc4f2569b9735b1cd12f934c83162e4de78ac29ba9703b63ddb624ccc22afd5a5868f6e9d91a3c64581846abac22e9625f5b2e3d80b3ede

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\RegAsm.exe.log
Filesize
496B

MD5
5b4789d01bb4d7483b71e1a35bce6a8b

SHA1
de083f2131c9a763c0d1810c97a38732146cffbf

SHA256
e248cef9500ed6e0c9f99d72a2a6a36955a5f0cfc0725748ef25a733cc8282f6

SHA512
357e18ef30430e4b9cc4f2569b9735b1cd12f934c83162e4de78ac29ba9703b63ddb624ccc22afd5a5868f6e9d91a3c64581846abac22e9625f5b2e3d80b3ede

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HJdyTuap.exe
Filesize
776KB

MD5
ec28274a73ead48e813aa2501fa6193c

SHA1
d099d0610e33ae17c5f882d687cf2a79e35b7995

SHA256
e498b37b6f2aaad456500850259f4ebab274f5dfb0e23292c85acfe7dfac0c6b

SHA512
92c0a17e79756cfffb17f3c94d21ef50a6c9d31442127f1aeec3d94696c3f244514fe7713e13ed9167cdc961ff823397ccdff82df8a2271b60f04b762e254706

Download Submit
memory/112-235-0x0000000000000000-mapping.dmp

Download
memory/112-237-0x00000000712B0000-0x0000000071861000-memory.dmp

Filesize
5.7MB

Download
memory/420-227-0x0000000004630000-0x00000000046D0000-memory.dmp

Filesize
640KB

Download
memory/420-222-0x0000000000000000-mapping.dmp

Download
memory/420-228-0x0000000004FE0000-0x0000000005FE0000-memory.dmp

Filesize
16.0MB

Download
memory/636-281-0x0000000000000000-mapping.dmp

Download
memory/640-151-0x0000000000000000-mapping.dmp

Download
memory/788-257-0x0000000000000000-mapping.dmp

Download
memory/800-263-0x0000000000000000-mapping.dmp

Download
memory/876-272-0x0000000000000000-mapping.dmp

Download
memory/884-171-0x00000000712B0000-0x0000000071861000-memory.dmp

Filesize
5.7MB

Download
memory/884-141-0x00000000712B0000-0x0000000071861000-memory.dmp

Filesize
5.7MB

Download
memory/884-137-0x0000000000000000-mapping.dmp

Download
memory/956-261-0x0000000000000000-mapping.dmp

Download
memory/1100-200-0x00000000028D0000-0x0000000002970000-memory.dmp

Filesize
640KB

Download
memory/1100-195-0x0000000000000000-mapping.dmp

Download
memory/1120-238-0x0000000000000000-mapping.dmp

Download
memory/1248-280-0x0000000000000000-mapping.dmp

Download
memory/1360-213-0x00000000712B0000-0x0000000071861000-memory.dmp

Filesize
5.7MB

Download
memory/1360-189-0x0000000000000000-mapping.dmp

Download
memory/1360-192-0x00000000712B0000-0x0000000071861000-memory.dmp

Filesize
5.7MB

Download
memory/1432-212-0x00000000712B0000-0x0000000071861000-memory.dmp

Filesize
5.7MB

Download
memory/1432-233-0x00000000712B0000-0x0000000071861000-memory.dmp

Filesize
5.7MB

Download
memory/1432-208-0x0000000000000000-mapping.dmp

Download
memory/1444-207-0x0000000000000000-mapping.dmp

Download
memory/1444-211-0x0000000003260000-0x0000000003300000-memory.dmp

Filesize
640KB

Download
memory/1500-268-0x0000000000000000-mapping.dmp

Download
memory/1584-156-0x0000000000000000-mapping.dmp

Download
memory/1648-239-0x00000000712B0000-0x0000000071861000-memory.dmp

Filesize
5.7MB

Download
memory/1648-217-0x00000000712B0000-0x0000000071861000-memory.dmp

Filesize
5.7MB

Download
memory/1648-214-0x0000000000000000-mapping.dmp

Download
memory/1852-274-0x0000000000000000-mapping.dmp

Download
memory/1876-134-0x0000000000000000-mapping.dmp

Download
memory/1876-136-0x0000000002E30000-0x0000000002ED0000-memory.dmp

Filesize
640KB

Download
memory/1876-140-0x0000000002EE0000-0x0000000002EE3000-memory.dmp

Filesize
12KB

Download
memory/1908-144-0x0000000000000000-mapping.dmp

Download
memory/1908-147-0x0000000001570000-0x0000000001610000-memory.dmp

Filesize
640KB

Download
memory/1944-182-0x0000000000000000-mapping.dmp

Download
memory/1944-186-0x0000000002370000-0x0000000002410000-memory.dmp

Filesize
640KB

Download
memory/2012-168-0x0000000004D80000-0x0000000004E20000-memory.dmp

Filesize
640KB

Download
memory/2012-162-0x0000000000000000-mapping.dmp

Download
memory/2024-206-0x00000000712B0000-0x0000000071861000-memory.dmp

Filesize
5.7MB

Download
memory/2024-179-0x0000000000000000-mapping.dmp

Download
memory/2024-183-0x00000000712B0000-0x0000000071861000-memory.dmp

Filesize
5.7MB

Download
memory/2028-253-0x0000000000000000-mapping.dmp

Download
memory/2108-190-0x0000000000000000-mapping.dmp

Download
memory/2108-196-0x00000000024B0000-0x0000000002550000-memory.dmp

Filesize
640KB

Download
memory/2268-245-0x0000000000000000-mapping.dmp

Download
memory/2272-169-0x00000000712B0000-0x0000000071861000-memory.dmp

Filesize
5.7MB

Download
memory/2272-167-0x0000000000000000-mapping.dmp

Download
memory/2272-198-0x00000000712B0000-0x0000000071861000-memory.dmp

Filesize
5.7MB

Download
memory/2288-146-0x0000000000000000-mapping.dmp

Download
memory/2288-177-0x00000000712B0000-0x0000000071861000-memory.dmp

Filesize
5.7MB

Download
memory/2288-148-0x00000000712B0000-0x0000000071861000-memory.dmp

Filesize
5.7MB

Download
memory/2300-201-0x00000000712B0000-0x0000000071861000-memory.dmp

Filesize
5.7MB

Download
memory/2300-223-0x00000000712B0000-0x0000000071861000-memory.dmp

Filesize
5.7MB

Download
memory/2300-199-0x0000000000000000-mapping.dmp

Download
memory/2488-225-0x0000000000000000-mapping.dmp

Download
memory/2488-231-0x0000000004B90000-0x0000000004C30000-memory.dmp

Filesize
640KB

Download
memory/2512-234-0x0000000000000000-mapping.dmp

Download
memory/2512-236-0x0000000004A70000-0x0000000004B10000-memory.dmp

Filesize
640KB

Download
memory/2520-202-0x0000000000000000-mapping.dmp

Download
memory/2520-204-0x0000000002500000-0x00000000025A0000-memory.dmp

Filesize
640KB

Download
memory/2532-216-0x00000000046B0000-0x0000000004750000-memory.dmp

Filesize
640KB

Download
memory/2532-210-0x0000000000000000-mapping.dmp

Download
memory/2532-215-0x00000000046B0000-0x0000000004750000-memory.dmp

Filesize
640KB

Download
memory/2536-229-0x00000000712B0000-0x0000000071861000-memory.dmp

Filesize
5.7MB

Download
memory/2536-224-0x0000000000000000-mapping.dmp

Download
memory/2752-218-0x0000000000000000-mapping.dmp

Download
memory/2756-181-0x00000000712B0000-0x0000000071861000-memory.dmp

Filesize
5.7MB

Download
memory/2756-155-0x0000000000000000-mapping.dmp

Download
memory/2756-157-0x00000000712B0000-0x0000000071861000-memory.dmp

Filesize
5.7MB

Download
memory/2772-165-0x0000000001730000-0x00000000017D0000-memory.dmp

Filesize
640KB

Download
memory/2772-159-0x0000000000000000-mapping.dmp

Download
memory/2772-164-0x0000000001730000-0x00000000017D0000-memory.dmp

Filesize
640KB

Download
memory/2792-178-0x0000000002340000-0x00000000023E0000-memory.dmp

Filesize
640KB

Download
memory/2792-170-0x0000000000000000-mapping.dmp

Download
memory/2832-267-0x0000000000000000-mapping.dmp

Download
memory/2916-139-0x0000000000000000-mapping.dmp

Download
memory/3104-154-0x00000000712B0000-0x0000000071861000-memory.dmp

Filesize
5.7MB

Download
memory/3104-175-0x00000000712B0000-0x0000000071861000-memory.dmp

Filesize
5.7MB

Download
memory/3104-150-0x0000000000000000-mapping.dmp

Download
memory/3148-176-0x00000000712B0000-0x0000000071861000-memory.dmp

Filesize
5.7MB

Download
memory/3148-145-0x00000000712B0000-0x0000000071861000-memory.dmp

Filesize
5.7MB

Download
memory/3148-143-0x0000000000000000-mapping.dmp

Download
memory/3188-149-0x0000000000000000-mapping.dmp

Download
memory/3188-152-0x0000000002B80000-0x0000000002C20000-memory.dmp

Filesize
640KB

Download
memory/3188-153-0x0000000002B80000-0x0000000002C20000-memory.dmp

Filesize
640KB

Download
memory/3216-166-0x00000000712B0000-0x0000000071861000-memory.dmp

Filesize
5.7MB

Download
memory/3216-193-0x00000000712B0000-0x0000000071861000-memory.dmp

Filesize
5.7MB

Download
memory/3216-161-0x0000000000000000-mapping.dmp

Download
memory/3256-191-0x00000000014A0000-0x0000000001540000-memory.dmp

Filesize
640KB

Download
memory/3256-185-0x0000000000000000-mapping.dmp

Download
memory/3308-158-0x0000000000000000-mapping.dmp

Download
memory/3308-188-0x00000000712B0000-0x0000000071861000-memory.dmp

Filesize
5.7MB

Download
memory/3308-160-0x00000000712B0000-0x0000000071861000-memory.dmp

Filesize
5.7MB

Download
memory/3376-219-0x00000000712B0000-0x0000000071861000-memory.dmp

Filesize
5.7MB

Download
memory/3376-194-0x0000000000000000-mapping.dmp

Download
memory/3376-197-0x00000000712B0000-0x0000000071861000-memory.dmp

Filesize
5.7MB

Download
memory/3460-286-0x0000000000000000-mapping.dmp

Download
memory/3488-241-0x0000000000000000-mapping.dmp

Download
memory/3684-209-0x00000000712B0000-0x0000000071861000-memory.dmp

Filesize
5.7MB

Download
memory/3684-187-0x00000000712B0000-0x0000000071861000-memory.dmp

Filesize
5.7MB

Download
memory/3684-184-0x0000000000000000-mapping.dmp

Download
memory/3840-203-0x0000000000000000-mapping.dmp

Download
memory/3840-205-0x00000000712B0000-0x0000000071861000-memory.dmp

Filesize
5.7MB

Download
memory/3840-226-0x00000000712B0000-0x0000000071861000-memory.dmp

Filesize
5.7MB

Download
memory/3852-132-0x0000000000000000-mapping.dmp

Download
memory/3852-135-0x00000000712B0000-0x0000000071861000-memory.dmp

Filesize
5.7MB

Download
memory/3852-163-0x00000000712B0000-0x0000000071861000-memory.dmp

Filesize
5.7MB

Download
memory/3852-174-0x00000000712B0000-0x0000000071861000-memory.dmp

Filesize
5.7MB

Download
memory/3872-246-0x0000000000000000-mapping.dmp

Download
memory/3900-264-0x0000000000000000-mapping.dmp

Download
memory/3968-256-0x0000000000000000-mapping.dmp

Download
memory/3988-130-0x00000000000B0000-0x0000000000178000-memory.dmp

Filesize
800KB

Download
memory/3988-244-0x0000000000000000-mapping.dmp

Download
memory/3988-131-0x0000000002580000-0x0000000002583000-memory.dmp

Filesize
12KB

Download
memory/3988-133-0x00000000045A0000-0x0000000004640000-memory.dmp

Filesize
640KB

Download
memory/3988-138-0x00000000045A0000-0x000000000461A000-memory.dmp

Filesize
488KB

Download
memory/3992-285-0x0000000000000000-mapping.dmp

Download
memory/4020-271-0x0000000000000000-mapping.dmp

Download
memory/4020-230-0x0000000000000000-mapping.dmp

Download
memory/4020-232-0x00000000712B0000-0x0000000071861000-memory.dmp

Filesize
5.7MB

Download
memory/4036-221-0x00000000712B0000-0x0000000071861000-memory.dmp

Filesize
5.7MB

Download
memory/4036-220-0x0000000000000000-mapping.dmp

Download
memory/4044-250-0x0000000000000000-mapping.dmp

Download
memory/4064-251-0x0000000000000000-mapping.dmp

Download
memory/4084-278-0x0000000000000000-mapping.dmp

Download