6f03cb7c4d22e4580f919f348c2f35ec39efff0ac267c0e39833baf906c6bc06

Analysis

max time kernel
151s
max time network
6s
platform
windows7_x64
resource
win7
submitted
24-06-2020 15:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

proforma invoice.exe
Size

426KB
MD5

9e589779b1777914e2fd220aa90841c1
SHA1

94d8313b3769e059e11a73c122204f229403e823
SHA256

6f03cb7c4d22e4580f919f348c2f35ec39efff0ac267c0e39833baf906c6bc06
SHA512

e3e8eb235e898e5c413abc9faab86817bb65b3435f01895a4499c2e575a2dd9de8cdd94c3ffa24caeaeef8a6aa35012cfc078ba2c37804cbc62385a83f333379

Score

7^/10

persistence

Malware Config

Signatures

Suspicious use of WriteProcessMemory 4509 IoCs

Processes:

proforma invoice.exeproforma invoice.exeproforma invoice.exeproforma invoice.exeproforma invoice.exeproforma invoice.exe

description	pid	process	target process
PID 616 wrote to memory of 1420	616	proforma invoice.exe	RegAsm.exe
PID 616 wrote to memory of 1420	616	proforma invoice.exe	RegAsm.exe
PID 616 wrote to memory of 1420	616	proforma invoice.exe	RegAsm.exe
PID 616 wrote to memory of 1420	616	proforma invoice.exe	RegAsm.exe
PID 616 wrote to memory of 1420	616	proforma invoice.exe	RegAsm.exe
PID 616 wrote to memory of 1420	616	proforma invoice.exe	RegAsm.exe
PID 616 wrote to memory of 1420	616	proforma invoice.exe	RegAsm.exe
PID 616 wrote to memory of 1420	616	proforma invoice.exe	RegAsm.exe
PID 616 wrote to memory of 1612	616	proforma invoice.exe	proforma invoice.exe
PID 616 wrote to memory of 1612	616	proforma invoice.exe	proforma invoice.exe
PID 616 wrote to memory of 1612	616	proforma invoice.exe	proforma invoice.exe
PID 616 wrote to memory of 1612	616	proforma invoice.exe	proforma invoice.exe
PID 1612 wrote to memory of 748	1612	proforma invoice.exe	RegAsm.exe
PID 1612 wrote to memory of 748	1612	proforma invoice.exe	RegAsm.exe
PID 1612 wrote to memory of 748	1612	proforma invoice.exe	RegAsm.exe
PID 1612 wrote to memory of 748	1612	proforma invoice.exe	RegAsm.exe
PID 1612 wrote to memory of 748	1612	proforma invoice.exe	RegAsm.exe
PID 1612 wrote to memory of 748	1612	proforma invoice.exe	RegAsm.exe
PID 1612 wrote to memory of 748	1612	proforma invoice.exe	RegAsm.exe
PID 1612 wrote to memory of 748	1612	proforma invoice.exe	RegAsm.exe
PID 1612 wrote to memory of 1524	1612	proforma invoice.exe	proforma invoice.exe
PID 1612 wrote to memory of 1524	1612	proforma invoice.exe	proforma invoice.exe
PID 1612 wrote to memory of 1524	1612	proforma invoice.exe	proforma invoice.exe
PID 1612 wrote to memory of 1524	1612	proforma invoice.exe	proforma invoice.exe
PID 1524 wrote to memory of 1404	1524	proforma invoice.exe	RegAsm.exe
PID 1524 wrote to memory of 1404	1524	proforma invoice.exe	RegAsm.exe
PID 1524 wrote to memory of 1404	1524	proforma invoice.exe	RegAsm.exe
PID 1524 wrote to memory of 1404	1524	proforma invoice.exe	RegAsm.exe
PID 1524 wrote to memory of 1404	1524	proforma invoice.exe	RegAsm.exe
PID 1524 wrote to memory of 1404	1524	proforma invoice.exe	RegAsm.exe
PID 1524 wrote to memory of 1404	1524	proforma invoice.exe	RegAsm.exe
PID 1524 wrote to memory of 1404	1524	proforma invoice.exe	RegAsm.exe
PID 1524 wrote to memory of 1856	1524	proforma invoice.exe	proforma invoice.exe
PID 1524 wrote to memory of 1856	1524	proforma invoice.exe	proforma invoice.exe
PID 1524 wrote to memory of 1856	1524	proforma invoice.exe	proforma invoice.exe
PID 1524 wrote to memory of 1856	1524	proforma invoice.exe	proforma invoice.exe
PID 1856 wrote to memory of 1184	1856	proforma invoice.exe	RegAsm.exe
PID 1856 wrote to memory of 1184	1856	proforma invoice.exe	RegAsm.exe
PID 1856 wrote to memory of 1184	1856	proforma invoice.exe	RegAsm.exe
PID 1856 wrote to memory of 1184	1856	proforma invoice.exe	RegAsm.exe
PID 1856 wrote to memory of 1184	1856	proforma invoice.exe	RegAsm.exe
PID 1856 wrote to memory of 1184	1856	proforma invoice.exe	RegAsm.exe
PID 1856 wrote to memory of 1184	1856	proforma invoice.exe	RegAsm.exe
PID 1856 wrote to memory of 1184	1856	proforma invoice.exe	RegAsm.exe
PID 1856 wrote to memory of 1680	1856	proforma invoice.exe	proforma invoice.exe
PID 1856 wrote to memory of 1680	1856	proforma invoice.exe	proforma invoice.exe
PID 1856 wrote to memory of 1680	1856	proforma invoice.exe	proforma invoice.exe
PID 1856 wrote to memory of 1680	1856	proforma invoice.exe	proforma invoice.exe
PID 1680 wrote to memory of 1584	1680	proforma invoice.exe	RegAsm.exe
PID 1680 wrote to memory of 1584	1680	proforma invoice.exe	RegAsm.exe
PID 1680 wrote to memory of 1584	1680	proforma invoice.exe	RegAsm.exe
PID 1680 wrote to memory of 1584	1680	proforma invoice.exe	RegAsm.exe
PID 1680 wrote to memory of 1584	1680	proforma invoice.exe	RegAsm.exe
PID 1680 wrote to memory of 1584	1680	proforma invoice.exe	RegAsm.exe
PID 1680 wrote to memory of 1584	1680	proforma invoice.exe	RegAsm.exe
PID 1680 wrote to memory of 1584	1680	proforma invoice.exe	RegAsm.exe
PID 1680 wrote to memory of 1616	1680	proforma invoice.exe	proforma invoice.exe
PID 1680 wrote to memory of 1616	1680	proforma invoice.exe	proforma invoice.exe
PID 1680 wrote to memory of 1616	1680	proforma invoice.exe	proforma invoice.exe
PID 1680 wrote to memory of 1616	1680	proforma invoice.exe	proforma invoice.exe
PID 1616 wrote to memory of 1916	1616	proforma invoice.exe	RegAsm.exe
PID 1616 wrote to memory of 1916	1616	proforma invoice.exe	RegAsm.exe
PID 1616 wrote to memory of 1916	1616	proforma invoice.exe	RegAsm.exe
PID 1616 wrote to memory of 1916	1616	proforma invoice.exe	RegAsm.exe

Suspicious behavior: MapViewOfSection 394 IoCs

Processes:

proforma invoice.exeproforma invoice.exeproforma invoice.exeproforma invoice.exeproforma invoice.exeproforma invoice.exeproforma invoice.exeproforma invoice.exeproforma invoice.exeproforma invoice.exeproforma invoice.exeproforma invoice.exeproforma invoice.exeproforma invoice.exeproforma invoice.exeproforma invoice.exeproforma invoice.exeproforma invoice.exeproforma invoice.exeproforma invoice.exeproforma invoice.exeproforma invoice.exeproforma invoice.exeproforma invoice.exeproforma invoice.exeproforma invoice.exeproforma invoice.exeproforma invoice.exeproforma invoice.exeproforma invoice.exeproforma invoice.exeproforma invoice.exeproforma invoice.exeproforma invoice.exeproforma invoice.exeproforma invoice.exeproforma invoice.exeproforma invoice.exeproforma invoice.exeproforma invoice.exeproforma invoice.exeproforma invoice.exeproforma invoice.exeproforma invoice.exeproforma invoice.exeproforma invoice.exeproforma invoice.exeproforma invoice.exeproforma invoice.exeproforma invoice.exeproforma invoice.exeproforma invoice.exeproforma invoice.exeproforma invoice.exeproforma invoice.exeproforma invoice.exeproforma invoice.exe

pid	process
616	proforma invoice.exe
1612	proforma invoice.exe
1524	proforma invoice.exe
1856	proforma invoice.exe
1680	proforma invoice.exe
1616	proforma invoice.exe
1988	proforma invoice.exe
1484	proforma invoice.exe
1804	proforma invoice.exe
288	proforma invoice.exe
1836	proforma invoice.exe
1884	proforma invoice.exe
1680	proforma invoice.exe
1212	proforma invoice.exe
1340	proforma invoice.exe
1780	proforma invoice.exe
1612	proforma invoice.exe
1580	proforma invoice.exe
1884	proforma invoice.exe
1812	proforma invoice.exe
1812	proforma invoice.exe
1812	proforma invoice.exe
1340	proforma invoice.exe
328	proforma invoice.exe
1804	proforma invoice.exe
2040	proforma invoice.exe
1780	proforma invoice.exe
1576	proforma invoice.exe
1520	proforma invoice.exe
1904	proforma invoice.exe
1532	proforma invoice.exe
1404	proforma invoice.exe
1404	proforma invoice.exe
1356	proforma invoice.exe
1356	proforma invoice.exe
828	proforma invoice.exe
1612	proforma invoice.exe
1612	proforma invoice.exe
1544	proforma invoice.exe
1988	proforma invoice.exe
564	proforma invoice.exe
1812	proforma invoice.exe
1916	proforma invoice.exe
324	proforma invoice.exe
1584	proforma invoice.exe
1792	proforma invoice.exe
1408	proforma invoice.exe
1624	proforma invoice.exe
1060	proforma invoice.exe
1948	proforma invoice.exe
1428	proforma invoice.exe
1916	proforma invoice.exe
1560	proforma invoice.exe
1356	proforma invoice.exe
1356	proforma invoice.exe
1564	proforma invoice.exe
2088	proforma invoice.exe
2180	proforma invoice.exe
2260	proforma invoice.exe
2348	proforma invoice.exe
2428	proforma invoice.exe
2508	proforma invoice.exe
2508	proforma invoice.exe
2628	proforma invoice.exe

Suspicious use of SetThreadContext 351 IoCs

Processes:

description	pid	process	target process
PID 616 set thread context of 1420	616	proforma invoice.exe	RegAsm.exe
PID 1612 set thread context of 748	1612	proforma invoice.exe	RegAsm.exe
PID 1524 set thread context of 1404	1524	proforma invoice.exe	RegAsm.exe
PID 1856 set thread context of 1184	1856	proforma invoice.exe	RegAsm.exe
PID 1680 set thread context of 1584	1680	proforma invoice.exe	RegAsm.exe
PID 1616 set thread context of 1916	1616	proforma invoice.exe	RegAsm.exe
PID 1988 set thread context of 2024	1988	proforma invoice.exe	RegAsm.exe
PID 1484 set thread context of 1428	1484	proforma invoice.exe	RegAsm.exe
PID 1804 set thread context of 864	1804	proforma invoice.exe	RegAsm.exe
PID 288 set thread context of 1768	288	proforma invoice.exe	RegAsm.exe
PID 1836 set thread context of 1936	1836	proforma invoice.exe	RegAsm.exe
PID 1884 set thread context of 1912	1884	proforma invoice.exe	RegAsm.exe
PID 1680 set thread context of 1440	1680	proforma invoice.exe	RegAsm.exe
PID 1212 set thread context of 1960	1212	proforma invoice.exe	RegAsm.exe
PID 1340 set thread context of 1640	1340	proforma invoice.exe	RegAsm.exe
PID 1780 set thread context of 792	1780	proforma invoice.exe	RegAsm.exe
PID 1612 set thread context of 1972	1612	proforma invoice.exe	RegAsm.exe
PID 1580 set thread context of 1908	1580	proforma invoice.exe	RegAsm.exe
PID 1884 set thread context of 1472	1884	proforma invoice.exe	RegAsm.exe
PID 1812 set thread context of 240	1812	proforma invoice.exe	RegAsm.exe
PID 1340 set thread context of 1328	1340	proforma invoice.exe	RegAsm.exe
PID 328 set thread context of 288	328	proforma invoice.exe	RegAsm.exe
PID 1804 set thread context of 1168	1804	proforma invoice.exe	RegAsm.exe
PID 2040 set thread context of 564	2040	proforma invoice.exe	RegAsm.exe
PID 1780 set thread context of 1340	1780	proforma invoice.exe	RegAsm.exe
PID 1576 set thread context of 1092	1576	proforma invoice.exe	RegAsm.exe
PID 1520 set thread context of 1548	1520	proforma invoice.exe	RegAsm.exe
PID 1904 set thread context of 1644	1904	proforma invoice.exe	RegAsm.exe
PID 1532 set thread context of 1784	1532	proforma invoice.exe	RegAsm.exe
PID 1404 set thread context of 1640	1404	proforma invoice.exe	RegAsm.exe
PID 1356 set thread context of 1636	1356	proforma invoice.exe	RegAsm.exe
PID 828 set thread context of 736	828	proforma invoice.exe	RegAsm.exe
PID 1612 set thread context of 688	1612	proforma invoice.exe	RegAsm.exe
PID 1544 set thread context of 680	1544	proforma invoice.exe	RegAsm.exe
PID 1988 set thread context of 1484	1988	proforma invoice.exe	RegAsm.exe
PID 564 set thread context of 1944	564	proforma invoice.exe	RegAsm.exe
PID 1812 set thread context of 1328	1812	proforma invoice.exe	RegAsm.exe
PID 1916 set thread context of 912	1916	proforma invoice.exe	RegAsm.exe
PID 324 set thread context of 1888	324	proforma invoice.exe	RegAsm.exe
PID 1584 set thread context of 764	1584	proforma invoice.exe	RegAsm.exe
PID 1792 set thread context of 1952	1792	proforma invoice.exe	RegAsm.exe
PID 1408 set thread context of 1768	1408	proforma invoice.exe	RegAsm.exe
PID 1624 set thread context of 1612	1624	proforma invoice.exe	RegAsm.exe
PID 1060 set thread context of 1816	1060	proforma invoice.exe	RegAsm.exe
PID 1948 set thread context of 1620	1948	proforma invoice.exe	RegAsm.exe
PID 1428 set thread context of 1804	1428	proforma invoice.exe	RegAsm.exe
PID 1916 set thread context of 1076	1916	proforma invoice.exe	RegAsm.exe
PID 1560 set thread context of 1780	1560	proforma invoice.exe	RegAsm.exe
PID 1356 set thread context of 1428	1356	proforma invoice.exe	RegAsm.exe
PID 1564 set thread context of 1988	1564	proforma invoice.exe	RegAsm.exe
PID 2088 set thread context of 2124	2088	proforma invoice.exe	RegAsm.exe
PID 2180 set thread context of 2208	2180	proforma invoice.exe	RegAsm.exe
PID 2260 set thread context of 2288	2260	proforma invoice.exe	RegAsm.exe
PID 2348 set thread context of 2376	2348	proforma invoice.exe	RegAsm.exe
PID 2428 set thread context of 2456	2428	proforma invoice.exe	RegAsm.exe
PID 2508 set thread context of 2576	2508	proforma invoice.exe	RegAsm.exe
PID 2628 set thread context of 2656	2628	proforma invoice.exe	RegAsm.exe
PID 2716 set thread context of 2744	2716	proforma invoice.exe	RegAsm.exe
PID 2796 set thread context of 2824	2796	proforma invoice.exe	RegAsm.exe
PID 2868 set thread context of 2908	2868	proforma invoice.exe	RegAsm.exe
PID 2956 set thread context of 2992	2956	proforma invoice.exe	RegAsm.exe
PID 3048 set thread context of 2056	3048	proforma invoice.exe	RegAsm.exe
PID 324 set thread context of 1960	324	proforma invoice.exe	RegAsm.exe
PID 2228 set thread context of 1564	2228	proforma invoice.exe	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 363 IoCs

Processes:

proforma invoice.exeproforma invoice.exeproforma invoice.exeproforma invoice.exeproforma invoice.exeproforma invoice.exeproforma invoice.exeproforma invoice.exeproforma invoice.exeproforma invoice.exeproforma invoice.exeproforma invoice.exeproforma invoice.exeproforma invoice.exeproforma invoice.exeproforma invoice.exeproforma invoice.exeproforma invoice.exeproforma invoice.exeproforma invoice.exeproforma invoice.exeproforma invoice.exeproforma invoice.exeproforma invoice.exeRegAsm.exeproforma invoice.exeproforma invoice.exeproforma invoice.exeproforma invoice.exeproforma invoice.exeproforma invoice.exeproforma invoice.exeproforma invoice.exeproforma invoice.exeproforma invoice.exeproforma invoice.exeproforma invoice.exeproforma invoice.exeproforma invoice.exeproforma invoice.exeproforma invoice.exeproforma invoice.exeproforma invoice.exeproforma invoice.exeproforma invoice.exeproforma invoice.exeproforma invoice.exeproforma invoice.exeproforma invoice.exeproforma invoice.exeproforma invoice.exeproforma invoice.exeproforma invoice.exeproforma invoice.exeproforma invoice.exeproforma invoice.exeRegAsm.exeproforma invoice.exeproforma invoice.exeproforma invoice.exeproforma invoice.exeproforma invoice.exeproforma invoice.exeproforma invoice.exe

description	pid	process
Token: SeDebugPrivilege	616	proforma invoice.exe
Token: SeDebugPrivilege	1612	proforma invoice.exe
Token: SeDebugPrivilege	1524	proforma invoice.exe
Token: SeDebugPrivilege	1856	proforma invoice.exe
Token: SeDebugPrivilege	1680	proforma invoice.exe
Token: SeDebugPrivilege	1616	proforma invoice.exe
Token: SeDebugPrivilege	1988	proforma invoice.exe
Token: SeDebugPrivilege	1484	proforma invoice.exe
Token: SeDebugPrivilege	1804	proforma invoice.exe
Token: SeDebugPrivilege	288	proforma invoice.exe
Token: SeDebugPrivilege	1836	proforma invoice.exe
Token: SeDebugPrivilege	1884	proforma invoice.exe
Token: SeDebugPrivilege	1680	proforma invoice.exe
Token: SeDebugPrivilege	1212	proforma invoice.exe
Token: SeDebugPrivilege	1340	proforma invoice.exe
Token: SeDebugPrivilege	1780	proforma invoice.exe
Token: SeDebugPrivilege	1612	proforma invoice.exe
Token: SeDebugPrivilege	1580	proforma invoice.exe
Token: SeDebugPrivilege	1884	proforma invoice.exe
Token: SeDebugPrivilege	1812	proforma invoice.exe
Token: SeDebugPrivilege	1340	proforma invoice.exe
Token: SeDebugPrivilege	328	proforma invoice.exe
Token: SeDebugPrivilege	1804	proforma invoice.exe
Token: SeDebugPrivilege	2040	proforma invoice.exe
Token: SeDebugPrivilege	1420	RegAsm.exe
Token: SeDebugPrivilege	1780	proforma invoice.exe
Token: SeDebugPrivilege	1576	proforma invoice.exe
Token: SeDebugPrivilege	1520	proforma invoice.exe
Token: SeDebugPrivilege	1904	proforma invoice.exe
Token: SeDebugPrivilege	1532	proforma invoice.exe
Token: SeDebugPrivilege	1404	proforma invoice.exe
Token: SeDebugPrivilege	1356	proforma invoice.exe
Token: SeDebugPrivilege	828	proforma invoice.exe
Token: SeDebugPrivilege	1612	proforma invoice.exe
Token: SeDebugPrivilege	1544	proforma invoice.exe
Token: SeDebugPrivilege	1988	proforma invoice.exe
Token: SeDebugPrivilege	564	proforma invoice.exe
Token: SeDebugPrivilege	1812	proforma invoice.exe
Token: SeDebugPrivilege	1916	proforma invoice.exe
Token: SeDebugPrivilege	324	proforma invoice.exe
Token: SeDebugPrivilege	1584	proforma invoice.exe
Token: SeDebugPrivilege	1792	proforma invoice.exe
Token: SeDebugPrivilege	1408	proforma invoice.exe
Token: SeDebugPrivilege	1624	proforma invoice.exe
Token: SeDebugPrivilege	1060	proforma invoice.exe
Token: SeDebugPrivilege	1948	proforma invoice.exe
Token: SeDebugPrivilege	1428	proforma invoice.exe
Token: SeDebugPrivilege	1916	proforma invoice.exe
Token: SeDebugPrivilege	1560	proforma invoice.exe
Token: SeDebugPrivilege	1356	proforma invoice.exe
Token: SeDebugPrivilege	1564	proforma invoice.exe
Token: SeDebugPrivilege	2088	proforma invoice.exe
Token: SeDebugPrivilege	2180	proforma invoice.exe
Token: SeDebugPrivilege	2260	proforma invoice.exe
Token: SeDebugPrivilege	2348	proforma invoice.exe
Token: SeDebugPrivilege	2428	proforma invoice.exe
Token: SeDebugPrivilege	1340	RegAsm.exe
Token: SeDebugPrivilege	2508	proforma invoice.exe
Token: SeDebugPrivilege	2628	proforma invoice.exe
Token: SeDebugPrivilege	2716	proforma invoice.exe
Token: SeDebugPrivilege	2796	proforma invoice.exe
Token: SeDebugPrivilege	2868	proforma invoice.exe
Token: SeDebugPrivilege	2956	proforma invoice.exe
Token: SeDebugPrivilege	3048	proforma invoice.exe

Suspicious behavior: EnumeratesProcesses 54649 IoCs

Processes:

proforma invoice.exe

pid	process
616	proforma invoice.exe
616	proforma invoice.exe
616	proforma invoice.exe
616	proforma invoice.exe
616	proforma invoice.exe
616	proforma invoice.exe
616	proforma invoice.exe
616	proforma invoice.exe
616	proforma invoice.exe
616	proforma invoice.exe
616	proforma invoice.exe
616	proforma invoice.exe
616	proforma invoice.exe
616	proforma invoice.exe
616	proforma invoice.exe
616	proforma invoice.exe
616	proforma invoice.exe
616	proforma invoice.exe
616	proforma invoice.exe
616	proforma invoice.exe
616	proforma invoice.exe
616	proforma invoice.exe
616	proforma invoice.exe
616	proforma invoice.exe
616	proforma invoice.exe
616	proforma invoice.exe
616	proforma invoice.exe
616	proforma invoice.exe
616	proforma invoice.exe
616	proforma invoice.exe
616	proforma invoice.exe
616	proforma invoice.exe
616	proforma invoice.exe
616	proforma invoice.exe
616	proforma invoice.exe
616	proforma invoice.exe
616	proforma invoice.exe
616	proforma invoice.exe
616	proforma invoice.exe
616	proforma invoice.exe
616	proforma invoice.exe
616	proforma invoice.exe
616	proforma invoice.exe
616	proforma invoice.exe
616	proforma invoice.exe
616	proforma invoice.exe
616	proforma invoice.exe
616	proforma invoice.exe
616	proforma invoice.exe
616	proforma invoice.exe
616	proforma invoice.exe
616	proforma invoice.exe
616	proforma invoice.exe
616	proforma invoice.exe
616	proforma invoice.exe
616	proforma invoice.exe
616	proforma invoice.exe
616	proforma invoice.exe
616	proforma invoice.exe
616	proforma invoice.exe
616	proforma invoice.exe
616	proforma invoice.exe
616	proforma invoice.exe
616	proforma invoice.exe

Drops startup file 2 IoCs

Processes:

proforma invoice.exeproforma invoice.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HJdyTuap.exe	proforma invoice.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HJdyTuap.exe	proforma invoice.exe

Adds Run entry to start application 2 TTPs 11 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

RegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run\DsWhv = "C:\\Users\\Admin\\AppData\\Roaming\\DsWhv\\DsWhv.exe"	RegAsm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run\DsWhv = "C:\\Users\\Admin\\AppData\\Roaming\\DsWhv\\DsWhv.exe"	RegAsm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run\DsWhv = "C:\\Users\\Admin\\AppData\\Roaming\\DsWhv\\DsWhv.exe"	RegAsm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run\DsWhv = "C:\\Users\\Admin\\AppData\\Roaming\\DsWhv\\DsWhv.exe"	RegAsm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run\DsWhv = "C:\\Users\\Admin\\AppData\\Roaming\\DsWhv\\DsWhv.exe"	RegAsm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run\DsWhv = "C:\\Users\\Admin\\AppData\\Roaming\\DsWhv\\DsWhv.exe"	RegAsm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run\DsWhv = "C:\\Users\\Admin\\AppData\\Roaming\\DsWhv\\DsWhv.exe"	RegAsm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run\DsWhv = "C:\\Users\\Admin\\AppData\\Roaming\\DsWhv\\DsWhv.exe"	RegAsm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run\DsWhv = "C:\\Users\\Admin\\AppData\\Roaming\\DsWhv\\DsWhv.exe"	RegAsm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run\DsWhv = "C:\\Users\\Admin\\AppData\\Roaming\\DsWhv\\DsWhv.exe"	RegAsm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run\DsWhv = "C:\\Users\\Admin\\AppData\\Roaming\\DsWhv\\DsWhv.exe"	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
1⤵
- Suspicious use of WriteProcessMemory
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
- Drops startup file
PID:616

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
- Adds Run entry to start application
PID:1420

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
2⤵
- Suspicious use of WriteProcessMemory
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Drops startup file
PID:1612

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:748

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
3⤵
- Suspicious use of WriteProcessMemory
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1524

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
PID:1404

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
4⤵
- Suspicious use of WriteProcessMemory
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1856

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
5⤵
PID:1184

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
5⤵
- Suspicious use of WriteProcessMemory
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1680

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
6⤵
PID:1584

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
6⤵
- Suspicious use of WriteProcessMemory
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1616

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
7⤵
PID:1916

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
7⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1988

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
8⤵
PID:2024

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
8⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1484

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
9⤵
PID:1428

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
9⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1804

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
10⤵
PID:864

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
10⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:288

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
11⤵
PID:1768

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
11⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1836

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
12⤵
PID:1936

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
12⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1884

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
13⤵
PID:1912

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
13⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1680

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
14⤵
PID:1440

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
14⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1212

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
15⤵
PID:1960

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
15⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1340

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
16⤵
PID:1640

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
16⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1780

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
17⤵
PID:792

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
17⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1612

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
18⤵
PID:1972

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
18⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1580

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
19⤵
PID:1908

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
19⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1884

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
20⤵
PID:1472

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
20⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1812

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
21⤵
PID:680

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
21⤵
PID:1212

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
21⤵
PID:240

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
21⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1340

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
22⤵
PID:1328

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
22⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:328

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
23⤵
PID:288

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
23⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1804

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
24⤵
PID:1168

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
24⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2040

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
25⤵
PID:564

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
25⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1780

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
26⤵
- Suspicious use of AdjustPrivilegeToken
- Adds Run entry to start application
PID:1340

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
26⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1576

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
27⤵
PID:1092

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
27⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1520

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
28⤵
PID:1548

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
28⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1904

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
29⤵
PID:1644

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
29⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1532

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
30⤵
PID:1784

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
30⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1404

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
31⤵
PID:1184

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
31⤵
PID:1640

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
31⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1356

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
32⤵
PID:1808

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
32⤵
PID:1636

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
32⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:828

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
33⤵
PID:736

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
33⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1612

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
34⤵
PID:860

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
34⤵
PID:688

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
34⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1544

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
35⤵
PID:680

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
35⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1988

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
36⤵
PID:1484

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
36⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:564

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
37⤵
PID:1944

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
37⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1812

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
38⤵
PID:1328

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
38⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1916

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
39⤵
PID:912

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
39⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:324

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
40⤵
PID:1888

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
40⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1584

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
41⤵
PID:764

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
41⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1792

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
42⤵
PID:1952

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
42⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1408

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
43⤵
PID:1768

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
43⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1624

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
44⤵
PID:1612

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
44⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1060

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
45⤵
PID:1816

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
45⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1948

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
46⤵
PID:1620

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
46⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1428

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
47⤵
PID:1804

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
47⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1916

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
48⤵
PID:1076

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
48⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1560

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
49⤵
PID:1780

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
49⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1356

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
50⤵
PID:1624

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
50⤵
PID:1428

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
50⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1564

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
51⤵
PID:1988

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
51⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2088

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
52⤵
PID:2124

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
52⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2180

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
53⤵
PID:2208

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
53⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2260

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
54⤵
PID:2288

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
54⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2348

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
55⤵
PID:2376

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
55⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2428

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
56⤵
PID:2456

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
56⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2508

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
57⤵
PID:2568

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
57⤵
- Adds Run entry to start application
PID:2576

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
57⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2628

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
58⤵
PID:2656

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
58⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2716

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
59⤵
PID:2744

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
59⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2796

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
60⤵
PID:2824

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
60⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2868

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
61⤵
PID:2908

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
61⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2956

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
62⤵
PID:2992

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
62⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:3048

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
63⤵
PID:2056

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
63⤵
- Suspicious use of SetThreadContext
PID:324

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
64⤵
PID:1960

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
64⤵
- Suspicious use of SetThreadContext
PID:2228

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
65⤵
PID:1564

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
65⤵
PID:2112

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
66⤵
PID:2384

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
66⤵
PID:2324

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
67⤵
PID:2276

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
67⤵
PID:1556

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
68⤵
PID:528

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
68⤵
PID:2404

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
69⤵
PID:2168

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
69⤵
PID:1472

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
70⤵
PID:1056

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
70⤵
PID:1404

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
70⤵
PID:1044

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
71⤵
PID:2072

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
71⤵
PID:2024

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
72⤵
PID:2288

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
72⤵
PID:1640

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
73⤵
PID:800

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
73⤵
PID:1612

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
74⤵
PID:524

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
74⤵
PID:1764

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
75⤵
PID:1548

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
75⤵
PID:2492

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
76⤵
PID:2636

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
76⤵
PID:2600

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
77⤵
PID:2552

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
77⤵
PID:2640

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
78⤵
PID:2628

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
78⤵
PID:2792

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
79⤵
PID:2936

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
79⤵
PID:3012

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
80⤵
PID:2900

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
80⤵
PID:2132

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
81⤵
PID:3032

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
81⤵
PID:2000

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
82⤵
PID:2308

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
82⤵
PID:2184

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
83⤵
PID:2084

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
83⤵
PID:2260

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
84⤵
PID:2256

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
84⤵
PID:1168

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
85⤵
- Adds Run entry to start application
PID:1544

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
85⤵
PID:1860

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
86⤵
PID:1912

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
86⤵
PID:2004

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
87⤵
PID:1980

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
87⤵
PID:1044

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
88⤵
PID:316

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
88⤵
PID:796

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
89⤵
PID:1636

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
89⤵
PID:1952

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
89⤵
PID:1528

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
90⤵
PID:2432

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
90⤵
PID:1764

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
91⤵
PID:2648

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
91⤵
PID:2844

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
92⤵
PID:2808

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
92⤵
PID:2948

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
93⤵
PID:2700

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
93⤵
PID:2716

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
94⤵
PID:3008

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
94⤵
PID:1884

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
94⤵
PID:3064

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
95⤵
PID:2140

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
95⤵
PID:2176

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
96⤵
PID:2268

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
96⤵
PID:1072

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
96⤵
PID:2936

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
97⤵
PID:2428

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
97⤵
PID:2280

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
98⤵
PID:2056

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
98⤵
PID:2680

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
99⤵
PID:2384

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
99⤵
PID:1576

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
100⤵
PID:2908

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
100⤵
PID:2156

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
101⤵
PID:2072

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
101⤵
PID:2144

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
102⤵
PID:2152

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
102⤵
PID:3060

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
103⤵
PID:1904

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
103⤵
PID:1916

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
104⤵
PID:1424

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
104⤵
PID:2260

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
105⤵
PID:1584

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
105⤵
PID:688

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
106⤵
PID:1784

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
106⤵
PID:1800

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
107⤵
PID:2004

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
107⤵
PID:1092

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
108⤵
PID:1640

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
108⤵
PID:1888

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
109⤵
PID:2676

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
109⤵
PID:2868

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
110⤵
PID:2836

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
110⤵
PID:2732

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
111⤵
PID:2844

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
111⤵
PID:2968

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
112⤵
PID:2164

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
112⤵
PID:2716

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
113⤵
- Adds Run entry to start application
PID:1496

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
113⤵
PID:2796

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
114⤵
PID:1428

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
114⤵
PID:2628

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
115⤵
PID:1948

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
115⤵
PID:2776

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
116⤵
PID:648

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
116⤵
PID:3024

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
117⤵
PID:1832

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
117⤵
PID:2368

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
118⤵
PID:1840

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
118⤵
PID:1188

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
118⤵
PID:1532

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
119⤵
PID:1040

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
119⤵
PID:320

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
120⤵
PID:1060

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
120⤵
PID:2260

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
121⤵
PID:1808

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
121⤵
PID:2512

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
122⤵
PID:1636

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
122⤵
PID:1460

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
123⤵
PID:1092

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
123⤵
PID:2736

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
124⤵
PID:2564

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
124⤵
PID:2228

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
125⤵
PID:680

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
125⤵
PID:1076

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
126⤵
PID:1468

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
126⤵
PID:2784

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
127⤵
PID:2676

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
127⤵
PID:2252

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
128⤵
PID:528

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
128⤵
PID:1552

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
128⤵
PID:2236

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
129⤵
PID:1776

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
129⤵
PID:2580

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
129⤵
PID:2704

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
130⤵
PID:1424

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
130⤵
PID:316

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
131⤵
PID:1684

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
131⤵
PID:2472

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
132⤵
PID:564

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
132⤵
PID:2636

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
133⤵
PID:524

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
133⤵
PID:2280

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
134⤵
PID:1844

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
134⤵
PID:1548

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
135⤵
PID:3036

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
135⤵
PID:744

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
136⤵
PID:1088

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
136⤵
PID:2076

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
136⤵
PID:2188

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
136⤵
PID:1520

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
137⤵
PID:740

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
137⤵
PID:1916

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
138⤵
PID:320

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
138⤵
PID:660

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
139⤵
PID:2984

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
139⤵
PID:3004

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
140⤵
PID:796

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
140⤵
PID:1116

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
141⤵
PID:1048

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
141⤵
PID:1440

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
141⤵
PID:2924

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
142⤵
PID:2384

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
142⤵
PID:2832

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
143⤵
- Adds Run entry to start application
PID:2056

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
143⤵
PID:912

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
144⤵
PID:1816

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
144⤵
PID:112

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
145⤵
PID:1788

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
145⤵
PID:2964

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
146⤵
PID:2504

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
146⤵
PID:2316

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
147⤵
PID:2828

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
147⤵
PID:1532

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
148⤵
PID:792

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
148⤵
PID:1576

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
149⤵
PID:2496

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
149⤵
PID:1476

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
150⤵
PID:1460

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
150⤵
PID:3044

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
151⤵
PID:2592

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
151⤵
PID:2688

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
152⤵
PID:2988

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
152⤵
PID:2444

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
153⤵
PID:2604

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
153⤵
PID:1296

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
154⤵
PID:2856

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
154⤵
PID:288

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
155⤵
PID:2608

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
155⤵
PID:1568

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
156⤵
PID:2196

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
156⤵
PID:1792

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
157⤵
PID:796

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
157⤵
PID:1948

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
157⤵
PID:1440

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
157⤵
PID:2188

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
158⤵
PID:2404

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
158⤵
PID:3036

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
159⤵
PID:1592

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
159⤵
PID:1756

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
160⤵
PID:2084

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
160⤵
PID:1356

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
161⤵
PID:2968

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
161⤵
PID:2416

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
162⤵
PID:3048

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
162⤵
PID:2392

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
163⤵
PID:2104

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
163⤵
PID:1820

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
164⤵
PID:2776

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
164⤵
PID:1596

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
165⤵
PID:2076

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
165⤵
PID:2224

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
166⤵
PID:688

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
166⤵
PID:1120

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
167⤵
PID:1328

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
167⤵
PID:2124

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
168⤵
- Adds Run entry to start application
PID:2128

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
168⤵
PID:2556

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
169⤵
PID:2344

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
169⤵
PID:2208

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
170⤵
PID:2088

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
170⤵
PID:2984

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
171⤵
PID:1936

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
171⤵
PID:1400

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
172⤵
PID:1808

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
172⤵
PID:2348

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
173⤵
PID:1116

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
173⤵
PID:2904

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
174⤵
PID:1684

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
174⤵
PID:1768

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
175⤵
PID:1756

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
175⤵
PID:2924

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
176⤵
PID:2768

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
176⤵
PID:2096

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
177⤵
PID:2000

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
177⤵
PID:2752

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
178⤵
PID:1820

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
178⤵
PID:1088

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
179⤵
PID:2584

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
179⤵
PID:2928

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
180⤵
PID:2736

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
180⤵
PID:2732

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
181⤵
PID:2172

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
181⤵
PID:1572

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
182⤵
PID:2388

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
182⤵
PID:3000

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
183⤵
PID:2716

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
183⤵
PID:2800

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
184⤵
PID:3040

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
184⤵
PID:2084

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
185⤵
PID:2104

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
185⤵
PID:2456

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
186⤵
PID:2368

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
186⤵
PID:1476

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
187⤵
PID:1872

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
187⤵
PID:2788

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
188⤵
PID:2216

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
188⤵
PID:2420

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
188⤵
PID:1852

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
188⤵
PID:368

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
189⤵
PID:2564

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
189⤵
PID:800

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
189⤵
PID:1564

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
189⤵
PID:1792

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
189⤵
PID:2148

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
190⤵
PID:740

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
190⤵
PID:3028

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
191⤵
PID:2240

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
191⤵
PID:2684

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
192⤵
PID:240

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
192⤵
PID:1644

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
193⤵
PID:2416

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
193⤵
PID:2924

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
193⤵
PID:2976

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
194⤵
PID:836

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
194⤵
PID:2804

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
195⤵
PID:660

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
195⤵
PID:1596

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
195⤵
PID:2616

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
196⤵
PID:1520

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
196⤵
PID:1256

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
197⤵
PID:2260

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
197⤵
PID:912

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
198⤵
- Adds Run entry to start application
PID:2064

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
198⤵
PID:744

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
199⤵
PID:1880

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
199⤵
PID:2556

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
200⤵
PID:2100

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
200⤵
PID:2216

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
201⤵
PID:2764

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
201⤵
PID:2628

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
202⤵
PID:2356

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
202⤵
PID:2860

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
203⤵
PID:2812

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
203⤵
PID:2200

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
203⤵
PID:820

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
204⤵
PID:1848

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
204⤵
PID:3028

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
205⤵
PID:2360

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
205⤵
PID:1780

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
206⤵
PID:1776

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
206⤵
PID:2760

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
206⤵
PID:2996

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
207⤵
PID:2752

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
207⤵
PID:3024

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
208⤵
PID:2660

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
208⤵
PID:2624

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
209⤵
PID:2192

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
209⤵
PID:1768

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
210⤵
PID:1852

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
210⤵
PID:1908

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
211⤵
PID:1584

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
211⤵
PID:2196

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
212⤵
PID:2600

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
212⤵
PID:316

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
213⤵
PID:2240

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
213⤵
PID:2540

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
214⤵
PID:1764

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
214⤵
PID:2000

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
215⤵
PID:2908

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
215⤵
PID:2220

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
216⤵
PID:3048

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
216⤵
PID:1740

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
217⤵
PID:2656

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
217⤵
PID:824

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
218⤵
PID:1260

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
218⤵
PID:1328

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
219⤵
PID:2848

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
219⤵
PID:1516

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
220⤵
PID:1896

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
220⤵
PID:2680

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
221⤵
PID:320

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
221⤵
PID:2312

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
221⤵
PID:2364

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
221⤵
PID:2860

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
221⤵
PID:2944

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
221⤵
PID:2380

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
222⤵
PID:2732

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
222⤵
PID:2912

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
223⤵
PID:2072

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
223⤵
PID:660

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
224⤵
- Adds Run entry to start application
PID:2804

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
224⤵
PID:1200

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
225⤵
PID:1460

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
225⤵
PID:2264

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
226⤵
PID:2116

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
226⤵
PID:1296

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
227⤵
PID:1688

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
227⤵
PID:2560

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
228⤵
PID:2068

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
228⤵
PID:1684

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
228⤵
PID:2916

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
229⤵
PID:240

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
229⤵
PID:1512

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
229⤵
PID:1340

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
230⤵
PID:2052

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
230⤵
PID:2940

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
231⤵
PID:2328

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
231⤵
PID:2228

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
232⤵
PID:1988

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
232⤵
PID:2756

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
233⤵
PID:1772

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
233⤵
PID:1400

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
234⤵
PID:1516

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
234⤵
PID:1776

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
234⤵
PID:1612

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
235⤵
PID:1068

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
235⤵
PID:892

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
236⤵
PID:1640

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
236⤵
PID:1528

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
237⤵
PID:1040

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
237⤵
PID:2272

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
238⤵
PID:800

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
238⤵
PID:2904

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
239⤵
PID:2084

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
239⤵
PID:3056

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
240⤵
PID:2552

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
240⤵
PID:2732

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
241⤵
PID:2360

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
241⤵
PID:3048

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
241⤵
PID:2120

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
242⤵
PID:2300

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
242⤵
PID:1088

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
243⤵
PID:1072

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
243⤵
PID:1768

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
244⤵
PID:1960

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
244⤵
PID:2884

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
245⤵
PID:2264

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
245⤵
PID:3012

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
246⤵
PID:2856

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
246⤵
PID:2768

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
247⤵
PID:1104

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
247⤵
PID:2980

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
248⤵
PID:2964

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
248⤵
PID:1608

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
249⤵
PID:1644

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
249⤵
PID:2872

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
250⤵
- Adds Run entry to start application
PID:1956

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
250⤵
PID:2424

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
251⤵
PID:1660

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
251⤵
PID:1860

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
252⤵
PID:2512

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
252⤵
PID:1840

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
253⤵
PID:1964

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
253⤵
PID:3052

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
254⤵
PID:2592

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
254⤵
PID:2124

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
255⤵
PID:1764

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
255⤵
PID:2200

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
256⤵
PID:2920

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
256⤵
PID:1116

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
257⤵
PID:2132

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
257⤵
PID:2320

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
258⤵
PID:1088

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
258⤵
PID:828

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
259⤵
PID:1168

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
259⤵
PID:2948

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
260⤵
PID:1296

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
260⤵
PID:3044

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
261⤵
PID:2596

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
261⤵
PID:2256

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
262⤵
PID:2492

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
262⤵
PID:1872

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
263⤵
PID:2300

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
263⤵
PID:2232

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
264⤵
PID:368

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
264⤵
PID:1640

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
265⤵
PID:2836

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
265⤵
PID:824

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
266⤵
PID:2096

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
266⤵
PID:1260

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
267⤵
PID:436

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
267⤵
PID:1932

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
268⤵
PID:2776

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
268⤵
PID:2548

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
269⤵
PID:324

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
269⤵
PID:1092

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
270⤵
PID:2676

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
270⤵
PID:2476

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
271⤵
PID:2388

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
271⤵
PID:1528

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
272⤵
PID:1804

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
272⤵
PID:1524

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
273⤵
PID:2240

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
273⤵
PID:2568

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
274⤵
PID:648

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
274⤵
PID:2044

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
275⤵
- Adds Run entry to start application
PID:2316

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
275⤵
PID:1800

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
276⤵
PID:2036

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
276⤵
PID:2208

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
277⤵
PID:1440

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
277⤵
PID:2204

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
278⤵
PID:564

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
278⤵
PID:2812

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
279⤵
PID:360

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
279⤵
PID:1872

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
280⤵
PID:1548

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
280⤵
PID:240

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
281⤵
PID:2820

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
281⤵
PID:2852

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
282⤵
PID:2808

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
282⤵
PID:2000

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
283⤵
PID:2188

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
283⤵
PID:2960

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
284⤵
PID:2216

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
284⤵
PID:1184

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
285⤵
PID:2280

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
285⤵
PID:1860

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
286⤵
PID:2944

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
286⤵
PID:2660

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
286⤵
PID:1864

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
287⤵
PID:1152

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
287⤵
PID:1060

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
288⤵
PID:2836

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
288⤵
PID:1740

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
289⤵
PID:2584

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
289⤵
PID:2436

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
290⤵
PID:2024

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
290⤵
PID:2720

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
291⤵
PID:2840

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
291⤵
PID:2776

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
292⤵
PID:1764

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
292⤵
PID:2404

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
293⤵
PID:1592

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
293⤵
PID:1756

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
294⤵
PID:2928

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
294⤵
PID:1884

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
295⤵
PID:2260

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
295⤵
PID:3028

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
295⤵
PID:2112

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
296⤵
PID:2864

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
296⤵
PID:792

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
297⤵
PID:2312

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
297⤵
PID:1520

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
298⤵
PID:1640

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
298⤵
PID:2656

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
299⤵
PID:2876

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
299⤵
PID:2824

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
300⤵
PID:2832

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
300⤵
PID:1240

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
301⤵
PID:1484

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
301⤵
PID:2960

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
302⤵
PID:2508

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
302⤵
PID:572

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
303⤵
PID:2012

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
303⤵
PID:1200

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
304⤵
PID:2376

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
304⤵
PID:1400

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
305⤵
PID:1492

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
305⤵
PID:2492

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
306⤵
PID:1840

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
306⤵
PID:1880

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
306⤵
PID:2356

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
307⤵
PID:1056

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
307⤵
PID:2504

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
308⤵
PID:1508

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
308⤵
PID:2580

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
309⤵
PID:2912

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
309⤵
PID:860

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
310⤵
PID:1940

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
310⤵
PID:2116

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
311⤵
PID:3048

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
311⤵
PID:792

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
312⤵
PID:2812

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
312⤵
PID:2172

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
313⤵
PID:2328

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
313⤵
PID:2896

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
314⤵
PID:2980

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
314⤵
PID:1784

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
315⤵
PID:1408

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
315⤵
PID:1116

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
316⤵
PID:2748

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
316⤵
PID:1044

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
317⤵
PID:1916

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
317⤵
PID:2088

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
318⤵
PID:1956

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
318⤵
PID:2916

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
319⤵
PID:2176

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
319⤵
PID:3020

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
320⤵
PID:2876

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
320⤵
PID:1592

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
321⤵
PID:2180

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
321⤵
PID:1424

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
322⤵
PID:3032

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
322⤵
PID:388

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
323⤵
PID:2908

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
323⤵
PID:2608

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
323⤵
PID:1672

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
324⤵
PID:2460

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
324⤵
PID:2484

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
325⤵
PID:1468

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
325⤵
PID:2512

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
326⤵
PID:316

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
326⤵
PID:1432

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
327⤵
PID:2696

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
327⤵
PID:2204

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
328⤵
PID:1828

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
328⤵
PID:2200

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
329⤵
PID:3000

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
329⤵
PID:240

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
330⤵
PID:1816

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
330⤵
PID:1384

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
330⤵
PID:2564

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
331⤵
PID:2172

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
331⤵
PID:2156

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
332⤵
PID:1912

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
332⤵
PID:3012

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
333⤵
PID:1996

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
333⤵
PID:1964

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
334⤵
PID:1044

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
334⤵
PID:2984

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
335⤵
PID:1588

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
335⤵
PID:2308

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
336⤵
PID:3004

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
336⤵
PID:2476

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
337⤵
PID:2312

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
337⤵
PID:1412

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
337⤵
PID:2864

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
338⤵
PID:1200

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
338⤵
PID:2920

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
339⤵
PID:368

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
339⤵
PID:2356

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
340⤵
PID:1840

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
340⤵
PID:1188

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
341⤵
PID:2884

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
341⤵
PID:680

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
342⤵
PID:2744

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
342⤵
PID:820

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
343⤵
PID:2552

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
343⤵
PID:1952

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
344⤵
PID:2072

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
344⤵
PID:2684

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
345⤵
PID:1116

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
345⤵
PID:2848

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
346⤵
PID:2132

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
346⤵
PID:2240

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
347⤵
PID:2616

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
347⤵
PID:1772

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
348⤵
PID:1972

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
348⤵
PID:2808

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
349⤵
PID:2816

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
349⤵
PID:1948

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
350⤵
PID:2388

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
350⤵
PID:824

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
351⤵
PID:3000

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
351⤵
PID:1508

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
351⤵
PID:1880

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
352⤵
PID:2812

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\DsWhv\DsWhv.exe

Download Submit
C:\Users\Admin\AppData\Roaming\DsWhv\DsWhv.exe

Download Submit
C:\Users\Admin\AppData\Roaming\DsWhv\DsWhv.exe

Download Submit
C:\Users\Admin\AppData\Roaming\DsWhv\DsWhv.exe

Download Submit
C:\Users\Admin\AppData\Roaming\DsWhv\DsWhv.exe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HJdyTuap.exe

Download Submit
memory/112-717-0x0000000000000000-mapping.dmp

Download
memory/240-1399-0x0000000000000000-mapping.dmp

Download
memory/240-955-0x0000000000447BBE-mapping.dmp

Download
memory/240-1643-0x0000000000000000-mapping.dmp

Download
memory/240-97-0x0000000000447BBE-mapping.dmp

Download
memory/288-767-0x0000000000000000-mapping.dmp

Download
memory/288-107-0x0000000000447BBE-mapping.dmp

Download
memory/288-45-0x0000000000000000-mapping.dmp

Download
memory/316-646-0x0000000000000000-mapping.dmp

Download
memory/316-1625-0x0000000000447BBE-mapping.dmp

Download
memory/316-433-0x0000000000447BBE-mapping.dmp

Download
memory/316-1058-0x0000000000000000-mapping.dmp

Download
memory/320-684-0x0000000000447BBE-mapping.dmp

Download
memory/320-591-0x0000000000000000-mapping.dmp

Download
memory/324-1341-0x0000000000447BBE-mapping.dmp

Download
memory/324-310-0x0000000000000000-mapping.dmp

Download
memory/324-190-0x0000000000000000-mapping.dmp

Download
memory/328-105-0x0000000000000000-mapping.dmp

Download
memory/360-1391-0x0000000000447BBE-mapping.dmp

Download
memory/368-1316-0x0000000000447BBE-mapping.dmp

Download
memory/368-1690-0x0000000000447BBE-mapping.dmp

Download
memory/368-937-0x0000000000000000-mapping.dmp

Download
memory/388-1608-0x0000000000000000-mapping.dmp

Download
memory/436-1331-0x0000000000447BBE-mapping.dmp

Download
memory/524-658-0x0000000000447BBE-mapping.dmp

Download
memory/524-362-0x0000000000447BBE-mapping.dmp

Download
memory/528-332-0x0000000000447BBE-mapping.dmp

Download
memory/564-117-0x0000000000447BBE-mapping.dmp

Download
memory/564-1386-0x0000000000447BBE-mapping.dmp

Download
memory/564-175-0x0000000000000000-mapping.dmp

Download
memory/564-653-0x0000000000447BBE-mapping.dmp

Download
memory/572-1510-0x0000000000000000-mapping.dmp

Download
memory/648-573-0x0000000000447BBE-mapping.dmp

Download
memory/648-1366-0x0000000000447BBE-mapping.dmp

Download
memory/660-1113-0x0000000000000000-mapping.dmp

Download
memory/660-687-0x0000000000000000-mapping.dmp

Download
memory/680-167-0x0000000000447BBE-mapping.dmp

Download
memory/680-618-0x0000000000447BBE-mapping.dmp

Download
memory/680-1703-0x0000000000000000-mapping.dmp

Download
memory/688-162-0x0000000000447BBE-mapping.dmp

Download
memory/688-824-0x0000000000447BBE-mapping.dmp

Download
memory/688-521-0x0000000000000000-mapping.dmp

Download
memory/736-157-0x0000000000447BBE-mapping.dmp

Download
memory/740-944-0x0000000000447BBE-mapping.dmp

Download
memory/740-679-0x0000000000447BBE-mapping.dmp

Download
memory/744-671-0x0000000000000000-mapping.dmp

Download
memory/744-988-0x0000000000000000-mapping.dmp

Download
memory/748-6-0x0000000000447BBE-mapping.dmp

Download
memory/764-197-0x0000000000447BBE-mapping.dmp

Download
memory/792-77-0x0000000000447BBE-mapping.dmp

Download
memory/792-1480-0x0000000000000000-mapping.dmp

Download
memory/792-734-0x0000000000447BBE-mapping.dmp

Download
memory/792-1553-0x0000000000000000-mapping.dmp

Download
memory/796-694-0x0000000000447BBE-mapping.dmp

Download
memory/796-436-0x0000000000000000-mapping.dmp

Download
memory/800-1185-0x0000000000447BBE-mapping.dmp

Download
memory/800-357-0x0000000000447BBE-mapping.dmp

Download
memory/820-1708-0x0000000000000000-mapping.dmp

Download
memory/820-1013-0x0000000000000000-mapping.dmp

Download
memory/824-1748-0x0000000000000000-mapping.dmp

Download
memory/824-1083-0x0000000000000000-mapping.dmp

Download
memory/824-1324-0x0000000000000000-mapping.dmp

Download
memory/828-155-0x0000000000000000-mapping.dmp

Download
memory/828-1289-0x0000000000000000-mapping.dmp

Download
memory/836-965-0x0000000000447BBE-mapping.dmp

Download
memory/860-1543-0x0000000000000000-mapping.dmp

Download
memory/864-42-0x0000000000447BBE-mapping.dmp

Download
memory/892-1173-0x0000000000000000-mapping.dmp

Download
memory/912-712-0x0000000000000000-mapping.dmp

Download
memory/912-983-0x0000000000000000-mapping.dmp

Download
memory/912-187-0x0000000000447BBE-mapping.dmp

Download
memory/1040-1180-0x0000000000447BBE-mapping.dmp

Download
memory/1040-588-0x0000000000447BBE-mapping.dmp

Download
memory/1044-1578-0x0000000000000000-mapping.dmp

Download
memory/1044-1665-0x0000000000447BBE-mapping.dmp

Download
memory/1044-345-0x0000000000000000-mapping.dmp

Download
memory/1044-431-0x0000000000000000-mapping.dmp

Download
memory/1056-1530-0x0000000000447BBE-mapping.dmp

Download
memory/1060-215-0x0000000000000000-mapping.dmp

Download
memory/1060-1434-0x0000000000000000-mapping.dmp

Download
memory/1060-593-0x0000000000447BBE-mapping.dmp

Download
memory/1068-1170-0x0000000000447BBE-mapping.dmp

Download
memory/1072-473-0x0000000000447BBE-mapping.dmp

Download
memory/1072-1210-0x0000000000447BBE-mapping.dmp

Download
memory/1076-232-0x0000000000447BBE-mapping.dmp

Download
memory/1076-621-0x0000000000000000-mapping.dmp

Download
memory/1088-1208-0x0000000000000000-mapping.dmp

Download
memory/1088-887-0x0000000000000000-mapping.dmp

Download
memory/1088-1286-0x0000000000447BBE-mapping.dmp

Download
memory/1092-127-0x0000000000447BBE-mapping.dmp

Download
memory/1092-608-0x0000000000447BBE-mapping.dmp

Download
memory/1092-531-0x0000000000000000-mapping.dmp

Download
memory/1092-1344-0x0000000000000000-mapping.dmp

Download
memory/1104-1231-0x0000000000447BBE-mapping.dmp

Download
memory/1116-1720-0x0000000000447BBE-mapping.dmp

Download
memory/1116-1573-0x0000000000000000-mapping.dmp

Download
memory/1116-859-0x0000000000447BBE-mapping.dmp

Download
memory/1116-1279-0x0000000000000000-mapping.dmp

Download
memory/1116-697-0x0000000000000000-mapping.dmp

Download
memory/1120-827-0x0000000000000000-mapping.dmp

Download
memory/1152-1431-0x0000000000447BBE-mapping.dmp

Download
memory/1168-1291-0x0000000000447BBE-mapping.dmp

Download
memory/1168-416-0x0000000000000000-mapping.dmp

Download
memory/1168-112-0x0000000000447BBE-mapping.dmp

Download
memory/1184-17-0x0000000000447BBE-mapping.dmp

Download
memory/1184-1419-0x0000000000000000-mapping.dmp

Download
memory/1188-583-0x0000000000447BBE-mapping.dmp

Download
memory/1188-1698-0x0000000000000000-mapping.dmp

Download
memory/1200-1118-0x0000000000000000-mapping.dmp

Download
memory/1200-1685-0x0000000000447BBE-mapping.dmp

Download
memory/1200-1515-0x0000000000000000-mapping.dmp

Download
memory/1212-65-0x0000000000000000-mapping.dmp

Download
memory/1240-1500-0x0000000000000000-mapping.dmp

Download
memory/1256-978-0x0000000000000000-mapping.dmp

Download
memory/1260-1329-0x0000000000000000-mapping.dmp

Download
memory/1260-1085-0x0000000000447BBE-mapping.dmp

Download
memory/1296-1128-0x0000000000000000-mapping.dmp

Download
memory/1296-762-0x0000000000000000-mapping.dmp

Download
memory/1296-1296-0x0000000000447BBE-mapping.dmp

Download
memory/1328-182-0x0000000000447BBE-mapping.dmp

Download
memory/1328-1088-0x0000000000000000-mapping.dmp

Download
memory/1328-102-0x0000000000447BBE-mapping.dmp

Download
memory/1328-829-0x0000000000447BBE-mapping.dmp

Download
memory/1340-100-0x0000000000000000-mapping.dmp

Download
memory/1340-1143-0x0000000000000000-mapping.dmp

Download
memory/1340-122-0x0000000000447BBE-mapping.dmp

Download
memory/1340-70-0x0000000000000000-mapping.dmp

Download
memory/1356-240-0x0000000000000000-mapping.dmp

Download
memory/1356-150-0x0000000000000000-mapping.dmp

Download
memory/1356-797-0x0000000000000000-mapping.dmp

Download
memory/1384-1645-0x0000000000447BBE-mapping.dmp

Download
memory/1400-852-0x0000000000000000-mapping.dmp

Download
memory/1400-1163-0x0000000000000000-mapping.dmp

Download
memory/1400-1518-0x0000000000000000-mapping.dmp

Download
memory/1404-342-0x0000000000447BBE-mapping.dmp

Download
memory/1404-145-0x0000000000000000-mapping.dmp

Download
memory/1404-12-0x0000000000447BBE-mapping.dmp

Download
memory/1408-1570-0x0000000000447BBE-mapping.dmp

Download
memory/1408-205-0x0000000000000000-mapping.dmp

Download
memory/1412-1680-0x0000000000447BBE-mapping.dmp

Download
memory/1420-0-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1420-1-0x0000000000447BBE-mapping.dmp

Download
memory/1420-2-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1420-3-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1424-643-0x0000000000447BBE-mapping.dmp

Download
memory/1424-513-0x0000000000447BBE-mapping.dmp

Download
memory/1424-1603-0x0000000000000000-mapping.dmp

Download
memory/1428-225-0x0000000000000000-mapping.dmp

Download
memory/1428-563-0x0000000000447BBE-mapping.dmp

Download
memory/1428-242-0x0000000000447BBE-mapping.dmp

Download
memory/1428-37-0x0000000000447BBE-mapping.dmp

Download
memory/1432-1628-0x0000000000000000-mapping.dmp

Download
memory/1440-779-0x0000000000447BBE-mapping.dmp

Download
memory/1440-1381-0x0000000000447BBE-mapping.dmp

Download
memory/1440-699-0x0000000000447BBE-mapping.dmp

Download
memory/1440-62-0x0000000000447BBE-mapping.dmp

Download
memory/1460-606-0x0000000000000000-mapping.dmp

Download
memory/1460-744-0x0000000000447BBE-mapping.dmp

Download
memory/1460-1120-0x0000000000447BBE-mapping.dmp

Download
memory/1468-1620-0x0000000000447BBE-mapping.dmp

Download
memory/1468-623-0x0000000000447BBE-mapping.dmp

Download
memory/1472-340-0x0000000000000000-mapping.dmp

Download
memory/1472-92-0x0000000000447BBE-mapping.dmp

Download
memory/1476-742-0x0000000000000000-mapping.dmp

Download
memory/1476-927-0x0000000000000000-mapping.dmp

Download
memory/1484-172-0x0000000000447BBE-mapping.dmp

Download
memory/1484-1502-0x0000000000447BBE-mapping.dmp

Download
memory/1484-35-0x0000000000000000-mapping.dmp

Download
memory/1492-1520-0x0000000000447BBE-mapping.dmp

Download
memory/1496-558-0x0000000000447BBE-mapping.dmp

Download
memory/1508-1535-0x0000000000447BBE-mapping.dmp

Download
memory/1508-1750-0x0000000000447BBE-mapping.dmp

Download
memory/1512-1140-0x0000000000447BBE-mapping.dmp

Download
memory/1516-1093-0x0000000000000000-mapping.dmp

Download
memory/1520-676-0x0000000000000000-mapping.dmp

Download
memory/1520-975-0x0000000000447BBE-mapping.dmp

Download
memory/1520-130-0x0000000000000000-mapping.dmp

Download
memory/1520-1485-0x0000000000000000-mapping.dmp

Download
memory/1524-1359-0x0000000000000000-mapping.dmp

Download
memory/1524-9-0x0000000000000000-mapping.dmp

Download
memory/1528-441-0x0000000000000000-mapping.dmp

Download
memory/1528-1178-0x0000000000000000-mapping.dmp

Download
memory/1528-1354-0x0000000000000000-mapping.dmp

Download
memory/1532-586-0x0000000000000000-mapping.dmp

Download
memory/1532-140-0x0000000000000000-mapping.dmp

Download
memory/1532-732-0x0000000000000000-mapping.dmp

Download
memory/1544-165-0x0000000000000000-mapping.dmp

Download
memory/1544-418-0x0000000000447BBE-mapping.dmp

Download
memory/1548-367-0x0000000000447BBE-mapping.dmp

Download
memory/1548-132-0x0000000000447BBE-mapping.dmp

Download
memory/1548-1396-0x0000000000447BBE-mapping.dmp

Download
memory/1548-666-0x0000000000000000-mapping.dmp

Download
memory/1552-633-0x0000000000447BBE-mapping.dmp

Download
memory/1556-330-0x0000000000000000-mapping.dmp

Download
memory/1560-235-0x0000000000000000-mapping.dmp

Download
memory/1564-245-0x0000000000000000-mapping.dmp

Download
memory/1564-317-0x0000000000447BBE-mapping.dmp

Download
memory/1568-772-0x0000000000000000-mapping.dmp

Download
memory/1572-902-0x0000000000000000-mapping.dmp

Download
memory/1576-491-0x0000000000000000-mapping.dmp

Download
memory/1576-125-0x0000000000000000-mapping.dmp

Download
memory/1576-737-0x0000000000000000-mapping.dmp

Download
memory/1580-85-0x0000000000000000-mapping.dmp

Download
memory/1584-195-0x0000000000000000-mapping.dmp

Download
memory/1584-518-0x0000000000447BBE-mapping.dmp

Download
memory/1584-22-0x0000000000447BBE-mapping.dmp

Download
memory/1584-1050-0x0000000000447BBE-mapping.dmp

Download
memory/1588-1670-0x0000000000447BBE-mapping.dmp

Download
memory/1592-1461-0x0000000000447BBE-mapping.dmp

Download
memory/1592-1598-0x0000000000000000-mapping.dmp

Download
memory/1592-789-0x0000000000447BBE-mapping.dmp

Download
memory/1596-970-0x0000000000447BBE-mapping.dmp

Download
memory/1596-817-0x0000000000000000-mapping.dmp

Download
memory/1608-1239-0x0000000000000000-mapping.dmp

Download
memory/1612-1168-0x0000000000000000-mapping.dmp

Download
memory/1612-80-0x0000000000000000-mapping.dmp

Download
memory/1612-160-0x0000000000000000-mapping.dmp

Download
memory/1612-4-0x0000000000000000-mapping.dmp

Download
memory/1612-360-0x0000000000000000-mapping.dmp

Download
memory/1612-212-0x0000000000447BBE-mapping.dmp

Download
memory/1616-25-0x0000000000000000-mapping.dmp

Download
memory/1620-222-0x0000000000447BBE-mapping.dmp

Download
memory/1624-210-0x0000000000000000-mapping.dmp

Download
memory/1636-152-0x0000000000447BBE-mapping.dmp

Download
memory/1636-603-0x0000000000447BBE-mapping.dmp

Download
memory/1640-1487-0x0000000000447BBE-mapping.dmp

Download
memory/1640-147-0x0000000000447BBE-mapping.dmp

Download
memory/1640-533-0x0000000000447BBE-mapping.dmp

Download
memory/1640-1175-0x0000000000447BBE-mapping.dmp

Download
memory/1640-1319-0x0000000000000000-mapping.dmp

Download
memory/1640-355-0x0000000000000000-mapping.dmp

Download
memory/1640-72-0x0000000000447BBE-mapping.dmp

Download
memory/1644-1241-0x0000000000447BBE-mapping.dmp

Download
memory/1644-137-0x0000000000447BBE-mapping.dmp

Download
memory/1644-958-0x0000000000000000-mapping.dmp

Download
memory/1660-1251-0x0000000000447BBE-mapping.dmp

Download
memory/1672-1613-0x0000000000000000-mapping.dmp

Download
memory/1680-60-0x0000000000000000-mapping.dmp

Download
memory/1680-20-0x0000000000000000-mapping.dmp

Download
memory/1684-1135-0x0000000000447BBE-mapping.dmp

Download
memory/1684-864-0x0000000000447BBE-mapping.dmp

Download
memory/1684-648-0x0000000000447BBE-mapping.dmp

Download
memory/1688-1130-0x0000000000447BBE-mapping.dmp

Download
memory/1740-1078-0x0000000000000000-mapping.dmp

Download
memory/1740-1439-0x0000000000000000-mapping.dmp

Download
memory/1756-1464-0x0000000000000000-mapping.dmp

Download
memory/1756-792-0x0000000000000000-mapping.dmp

Download
memory/1756-869-0x0000000000447BBE-mapping.dmp

Download
memory/1764-1271-0x0000000000447BBE-mapping.dmp

Download
memory/1764-446-0x0000000000000000-mapping.dmp

Download
memory/1764-365-0x0000000000000000-mapping.dmp

Download
memory/1764-1065-0x0000000000447BBE-mapping.dmp

Download
memory/1764-1456-0x0000000000447BBE-mapping.dmp

Download
memory/1768-47-0x0000000000447BBE-mapping.dmp

Download
memory/1768-207-0x0000000000447BBE-mapping.dmp

Download
memory/1768-867-0x0000000000000000-mapping.dmp

Download
memory/1768-1214-0x0000000000000000-mapping.dmp

Download
memory/1768-1043-0x0000000000000000-mapping.dmp

Download
memory/1772-1733-0x0000000000000000-mapping.dmp

Download
memory/1772-1160-0x0000000000447BBE-mapping.dmp

Download
memory/1776-1165-0x0000000000447BBE-mapping.dmp

Download
memory/1780-1023-0x0000000000000000-mapping.dmp

Download
memory/1780-237-0x0000000000447BBE-mapping.dmp

Download
memory/1780-75-0x0000000000000000-mapping.dmp

Download
memory/1780-120-0x0000000000000000-mapping.dmp

Download
memory/1784-142-0x0000000000447BBE-mapping.dmp

Download
memory/1784-1568-0x0000000000000000-mapping.dmp

Download
memory/1784-523-0x0000000000447BBE-mapping.dmp

Download
memory/1788-719-0x0000000000447BBE-mapping.dmp

Download
memory/1792-200-0x0000000000000000-mapping.dmp

Download
memory/1792-939-0x0000000000447BBE-mapping.dmp

Download
memory/1792-777-0x0000000000000000-mapping.dmp

Download
memory/1800-1374-0x0000000000000000-mapping.dmp

Download
memory/1800-526-0x0000000000000000-mapping.dmp

Download
memory/1804-227-0x0000000000447BBE-mapping.dmp

Download
memory/1804-1356-0x0000000000447BBE-mapping.dmp

Download
memory/1804-40-0x0000000000000000-mapping.dmp

Download
memory/1804-110-0x0000000000000000-mapping.dmp

Download
memory/1808-854-0x0000000000447BBE-mapping.dmp

Download
memory/1808-598-0x0000000000447BBE-mapping.dmp

Download
memory/1812-180-0x0000000000000000-mapping.dmp

Download
memory/1812-95-0x0000000000000000-mapping.dmp

Download
memory/1816-714-0x0000000000447BBE-mapping.dmp

Download
memory/1816-217-0x0000000000447BBE-mapping.dmp

Download
memory/1820-812-0x0000000000000000-mapping.dmp

Download
memory/1820-884-0x0000000000447BBE-mapping.dmp

Download
memory/1828-1635-0x0000000000447BBE-mapping.dmp

Download
memory/1832-578-0x0000000000447BBE-mapping.dmp

Download
memory/1836-50-0x0000000000000000-mapping.dmp

Download
memory/1840-1695-0x0000000000447BBE-mapping.dmp

Download
memory/1840-1259-0x0000000000000000-mapping.dmp

Download
memory/1844-663-0x0000000000447BBE-mapping.dmp

Download
memory/1848-1015-0x0000000000447BBE-mapping.dmp

Download
memory/1852-1045-0x0000000000447BBE-mapping.dmp

Download
memory/1852-934-0x0000000000447BBE-mapping.dmp

Download
memory/1856-15-0x0000000000000000-mapping.dmp

Download
memory/1860-1424-0x0000000000000000-mapping.dmp

Download
memory/1860-1254-0x0000000000000000-mapping.dmp

Download
memory/1860-421-0x0000000000000000-mapping.dmp

Download
memory/1864-1429-0x0000000000000000-mapping.dmp

Download
memory/1872-929-0x0000000000447BBE-mapping.dmp

Download
memory/1872-1394-0x0000000000000000-mapping.dmp

Download
memory/1872-1309-0x0000000000000000-mapping.dmp

Download
memory/1880-990-0x0000000000447BBE-mapping.dmp

Download
memory/1880-1753-0x0000000000000000-mapping.dmp

Download
memory/1880-1525-0x0000000000447BBE-mapping.dmp

Download
memory/1884-1469-0x0000000000000000-mapping.dmp

Download
memory/1884-90-0x0000000000000000-mapping.dmp

Download
memory/1884-55-0x0000000000000000-mapping.dmp

Download
memory/1884-463-0x0000000000447BBE-mapping.dmp

Download
memory/1888-536-0x0000000000000000-mapping.dmp

Download
memory/1888-192-0x0000000000447BBE-mapping.dmp

Download
memory/1896-1095-0x0000000000447BBE-mapping.dmp

Download
memory/1904-135-0x0000000000000000-mapping.dmp

Download
memory/1904-508-0x0000000000447BBE-mapping.dmp

Download
memory/1908-87-0x0000000000447BBE-mapping.dmp

Download
memory/1908-1048-0x0000000000000000-mapping.dmp

Download
memory/1912-423-0x0000000000447BBE-mapping.dmp

Download
memory/1912-1655-0x0000000000447BBE-mapping.dmp

Download
memory/1912-57-0x0000000000447BBE-mapping.dmp

Download
memory/1916-1580-0x0000000000447BBE-mapping.dmp

Download
memory/1916-230-0x0000000000000000-mapping.dmp

Download
memory/1916-27-0x0000000000447BBE-mapping.dmp

Download
memory/1916-185-0x0000000000000000-mapping.dmp

Download
memory/1916-682-0x0000000000000000-mapping.dmp

Download
memory/1916-511-0x0000000000000000-mapping.dmp

Download
memory/1932-1334-0x0000000000000000-mapping.dmp

Download
memory/1936-52-0x0000000000447BBE-mapping.dmp

Download
memory/1936-849-0x0000000000447BBE-mapping.dmp

Download
memory/1940-1545-0x0000000000447BBE-mapping.dmp

Download
memory/1944-177-0x0000000000447BBE-mapping.dmp

Download
memory/1948-220-0x0000000000000000-mapping.dmp

Download
memory/1948-1743-0x0000000000000000-mapping.dmp

Download
memory/1948-568-0x0000000000447BBE-mapping.dmp

Download
memory/1952-1713-0x0000000000000000-mapping.dmp

Download
memory/1952-438-0x0000000000447BBE-mapping.dmp

Download
memory/1952-202-0x0000000000447BBE-mapping.dmp

Download
memory/1956-1585-0x0000000000447BBE-mapping.dmp

Download
memory/1956-1246-0x0000000000447BBE-mapping.dmp

Download
memory/1960-1216-0x0000000000447BBE-mapping.dmp

Download
memory/1960-67-0x0000000000447BBE-mapping.dmp

Download
memory/1960-312-0x0000000000447BBE-mapping.dmp

Download
memory/1964-1261-0x0000000000447BBE-mapping.dmp

Download
memory/1964-1663-0x0000000000000000-mapping.dmp

Download
memory/1972-1735-0x0000000000447BBE-mapping.dmp

Download
memory/1972-82-0x0000000000447BBE-mapping.dmp

Download
memory/1980-428-0x0000000000447BBE-mapping.dmp

Download
memory/1988-30-0x0000000000000000-mapping.dmp

Download
memory/1988-170-0x0000000000000000-mapping.dmp

Download
memory/1988-1155-0x0000000000447BBE-mapping.dmp

Download
memory/1988-247-0x0000000000447BBE-mapping.dmp

Download
memory/1996-1660-0x0000000000447BBE-mapping.dmp

Download
memory/2000-1409-0x0000000000000000-mapping.dmp

Download
memory/2000-879-0x0000000000447BBE-mapping.dmp

Download
memory/2000-1068-0x0000000000000000-mapping.dmp

Download
memory/2000-401-0x0000000000000000-mapping.dmp

Download
memory/2004-426-0x0000000000000000-mapping.dmp

Download
memory/2004-528-0x0000000000447BBE-mapping.dmp

Download
memory/2012-1512-0x0000000000447BBE-mapping.dmp

Download
memory/2024-32-0x0000000000447BBE-mapping.dmp

Download
memory/2024-1446-0x0000000000447BBE-mapping.dmp

Download
memory/2024-350-0x0000000000000000-mapping.dmp

Download
memory/2036-1376-0x0000000000447BBE-mapping.dmp

Download
memory/2040-115-0x0000000000000000-mapping.dmp

Download
memory/2044-1369-0x0000000000000000-mapping.dmp

Download
memory/2052-1145-0x0000000000447BBE-mapping.dmp

Download
memory/2056-709-0x0000000000447BBE-mapping.dmp

Download
memory/2056-483-0x0000000000447BBE-mapping.dmp

Download
memory/2056-307-0x0000000000447BBE-mapping.dmp

Download
memory/2064-985-0x0000000000447BBE-mapping.dmp

Download
memory/2072-1715-0x0000000000447BBE-mapping.dmp

Download
memory/2072-1110-0x0000000000447BBE-mapping.dmp

Download
memory/2072-347-0x0000000000447BBE-mapping.dmp

Download
memory/2072-498-0x0000000000447BBE-mapping.dmp

Download
memory/2076-819-0x0000000000447BBE-mapping.dmp

Download
memory/2084-917-0x0000000000000000-mapping.dmp

Download
memory/2084-1190-0x0000000000447BBE-mapping.dmp

Download
memory/2084-408-0x0000000000447BBE-mapping.dmp

Download
memory/2084-794-0x0000000000447BBE-mapping.dmp

Download
memory/2088-844-0x0000000000447BBE-mapping.dmp

Download
memory/2088-1583-0x0000000000000000-mapping.dmp

Download
memory/2088-250-0x0000000000000000-mapping.dmp

Download
memory/2096-877-0x0000000000000000-mapping.dmp

Download
memory/2096-1326-0x0000000000447BBE-mapping.dmp

Download
memory/2100-995-0x0000000000447BBE-mapping.dmp

Download
memory/2104-809-0x0000000000447BBE-mapping.dmp

Download
memory/2104-919-0x0000000000447BBE-mapping.dmp

Download
memory/2112-320-0x0000000000000000-mapping.dmp

Download
memory/2112-1475-0x0000000000000000-mapping.dmp

Download
memory/2116-1125-0x0000000000447BBE-mapping.dmp

Download
memory/2116-1548-0x0000000000000000-mapping.dmp

Download
memory/2120-1203-0x0000000000000000-mapping.dmp

Download
memory/2124-252-0x0000000000447BBE-mapping.dmp

Download
memory/2124-1269-0x0000000000000000-mapping.dmp

Download
memory/2124-832-0x0000000000000000-mapping.dmp

Download
memory/2128-834-0x0000000000447BBE-mapping.dmp

Download
memory/2132-1725-0x0000000000447BBE-mapping.dmp

Download
memory/2132-1281-0x0000000000447BBE-mapping.dmp

Download
memory/2132-396-0x0000000000000000-mapping.dmp

Download
memory/2140-468-0x0000000000447BBE-mapping.dmp

Download
memory/2144-501-0x0000000000000000-mapping.dmp

Download
memory/2148-942-0x0000000000000000-mapping.dmp

Download
memory/2152-503-0x0000000000447BBE-mapping.dmp

Download
memory/2156-496-0x0000000000000000-mapping.dmp

Download
memory/2156-1653-0x0000000000000000-mapping.dmp

Download
memory/2164-553-0x0000000000447BBE-mapping.dmp

Download
memory/2168-337-0x0000000000447BBE-mapping.dmp

Download
memory/2172-899-0x0000000000447BBE-mapping.dmp

Download
memory/2172-1650-0x0000000000447BBE-mapping.dmp

Download
memory/2172-1558-0x0000000000000000-mapping.dmp

Download
memory/2176-471-0x0000000000000000-mapping.dmp

Download
memory/2176-1590-0x0000000000447BBE-mapping.dmp

Download
memory/2180-255-0x0000000000000000-mapping.dmp

Download
memory/2180-1600-0x0000000000447BBE-mapping.dmp

Download
memory/2184-406-0x0000000000000000-mapping.dmp

Download
memory/2188-782-0x0000000000000000-mapping.dmp

Download
memory/2188-1411-0x0000000000447BBE-mapping.dmp

Download
memory/2188-673-0x0000000000447BBE-mapping.dmp

Download
memory/2192-1040-0x0000000000447BBE-mapping.dmp

Download
memory/2196-774-0x0000000000447BBE-mapping.dmp

Download
memory/2196-1053-0x0000000000000000-mapping.dmp

Download
memory/2200-1638-0x0000000000000000-mapping.dmp

Download
memory/2200-1274-0x0000000000000000-mapping.dmp

Download
memory/2200-1010-0x0000000000447BBE-mapping.dmp

Download
memory/2204-1384-0x0000000000000000-mapping.dmp

Download
memory/2204-1633-0x0000000000000000-mapping.dmp

Download
memory/2208-257-0x0000000000447BBE-mapping.dmp

Download
memory/2208-842-0x0000000000000000-mapping.dmp

Download
memory/2208-1379-0x0000000000000000-mapping.dmp

Download
memory/2216-1416-0x0000000000447BBE-mapping.dmp

Download
memory/2216-998-0x0000000000000000-mapping.dmp

Download
memory/2220-1073-0x0000000000000000-mapping.dmp

Download
memory/2224-822-0x0000000000000000-mapping.dmp

Download
memory/2228-616-0x0000000000000000-mapping.dmp

Download
memory/2228-315-0x0000000000000000-mapping.dmp

Download
memory/2228-1153-0x0000000000000000-mapping.dmp

Download
memory/2232-1314-0x0000000000000000-mapping.dmp

Download
memory/2236-636-0x0000000000000000-mapping.dmp

Download
memory/2240-1361-0x0000000000447BBE-mapping.dmp

Download
memory/2240-949-0x0000000000447BBE-mapping.dmp

Download
memory/2240-1728-0x0000000000000000-mapping.dmp

Download
memory/2240-1060-0x0000000000447BBE-mapping.dmp

Download
memory/2252-631-0x0000000000000000-mapping.dmp

Download
memory/2256-1304-0x0000000000000000-mapping.dmp

Download
memory/2256-413-0x0000000000447BBE-mapping.dmp

Download
memory/2260-596-0x0000000000000000-mapping.dmp

Download
memory/2260-516-0x0000000000000000-mapping.dmp

Download
memory/2260-411-0x0000000000000000-mapping.dmp

Download
memory/2260-980-0x0000000000447BBE-mapping.dmp

Download
memory/2260-260-0x0000000000000000-mapping.dmp

Download
memory/2264-1123-0x0000000000000000-mapping.dmp

Download
memory/2264-1221-0x0000000000447BBE-mapping.dmp

Download
memory/2272-1183-0x0000000000000000-mapping.dmp

Download
memory/2276-327-0x0000000000447BBE-mapping.dmp

Download
memory/2280-661-0x0000000000000000-mapping.dmp

Download
memory/2280-481-0x0000000000000000-mapping.dmp

Download
memory/2280-1421-0x0000000000447BBE-mapping.dmp

Download
memory/2288-262-0x0000000000447BBE-mapping.dmp

Download
memory/2288-352-0x0000000000447BBE-mapping.dmp

Download
memory/2300-1205-0x0000000000447BBE-mapping.dmp

Download
memory/2300-1311-0x0000000000447BBE-mapping.dmp

Download
memory/2308-1673-0x0000000000000000-mapping.dmp

Download
memory/2308-403-0x0000000000447BBE-mapping.dmp

Download
memory/2312-1482-0x0000000000447BBE-mapping.dmp

Download
memory/2316-727-0x0000000000000000-mapping.dmp

Download
memory/2316-1371-0x0000000000447BBE-mapping.dmp

Download
memory/2320-1284-0x0000000000000000-mapping.dmp

Download
memory/2324-325-0x0000000000000000-mapping.dmp

Download
memory/2328-1560-0x0000000000447BBE-mapping.dmp

Download
memory/2328-1150-0x0000000000447BBE-mapping.dmp

Download
memory/2344-839-0x0000000000447BBE-mapping.dmp

Download
memory/2348-857-0x0000000000000000-mapping.dmp

Download
memory/2348-265-0x0000000000000000-mapping.dmp

Download
memory/2356-1005-0x0000000000447BBE-mapping.dmp

Download
memory/2356-1528-0x0000000000000000-mapping.dmp

Download
memory/2356-1693-0x0000000000000000-mapping.dmp

Download
memory/2360-1020-0x0000000000447BBE-mapping.dmp

Download
memory/2368-924-0x0000000000447BBE-mapping.dmp

Download
memory/2368-581-0x0000000000000000-mapping.dmp

Download
memory/2376-267-0x0000000000447BBE-mapping.dmp

Download
memory/2376-1517-0x0000000000447BBE-mapping.dmp

Download
memory/2380-1103-0x0000000000000000-mapping.dmp

Download
memory/2384-704-0x0000000000447BBE-mapping.dmp

Download
memory/2384-488-0x0000000000447BBE-mapping.dmp

Download
memory/2384-322-0x0000000000447BBE-mapping.dmp

Download
memory/2388-904-0x0000000000447BBE-mapping.dmp

Download
memory/2388-1745-0x0000000000447BBE-mapping.dmp

Download
memory/2388-1351-0x0000000000447BBE-mapping.dmp

Download
memory/2392-807-0x0000000000000000-mapping.dmp

Download
memory/2404-784-0x0000000000447BBE-mapping.dmp

Download
memory/2404-335-0x0000000000000000-mapping.dmp

Download
memory/2404-1459-0x0000000000000000-mapping.dmp

Download
memory/2416-802-0x0000000000000000-mapping.dmp

Download
memory/2424-1249-0x0000000000000000-mapping.dmp

Download
memory/2428-478-0x0000000000447BBE-mapping.dmp

Download
memory/2428-270-0x0000000000000000-mapping.dmp

Download
memory/2432-443-0x0000000000447BBE-mapping.dmp

Download
memory/2436-1444-0x0000000000000000-mapping.dmp

Download
memory/2444-757-0x0000000000000000-mapping.dmp

Download
memory/2456-922-0x0000000000000000-mapping.dmp

Download
memory/2456-272-0x0000000000447BBE-mapping.dmp

Download
memory/2460-1615-0x0000000000447BBE-mapping.dmp

Download
memory/2472-651-0x0000000000000000-mapping.dmp

Download
memory/2476-1349-0x0000000000000000-mapping.dmp

Download
memory/2476-1678-0x0000000000000000-mapping.dmp

Download
memory/2484-1618-0x0000000000000000-mapping.dmp

Download
memory/2492-1306-0x0000000000447BBE-mapping.dmp

Download
memory/2492-1523-0x0000000000000000-mapping.dmp

Download
memory/2492-370-0x0000000000000000-mapping.dmp

Download
memory/2496-739-0x0000000000447BBE-mapping.dmp

Download
memory/2504-1533-0x0000000000000000-mapping.dmp

Download
memory/2504-724-0x0000000000447BBE-mapping.dmp

Download
memory/2508-275-0x0000000000000000-mapping.dmp

Download
memory/2508-1507-0x0000000000447BBE-mapping.dmp

Download
memory/2512-1256-0x0000000000447BBE-mapping.dmp

Download
memory/2512-1623-0x0000000000000000-mapping.dmp

Download
memory/2512-601-0x0000000000000000-mapping.dmp

Download
memory/2540-1063-0x0000000000000000-mapping.dmp

Download
memory/2548-1339-0x0000000000000000-mapping.dmp

Download
memory/2552-1195-0x0000000000447BBE-mapping.dmp

Download
memory/2552-377-0x0000000000447BBE-mapping.dmp

Download
memory/2552-1710-0x0000000000447BBE-mapping.dmp

Download
memory/2556-993-0x0000000000000000-mapping.dmp

Download
memory/2556-837-0x0000000000000000-mapping.dmp

Download
memory/2560-1133-0x0000000000000000-mapping.dmp

Download
memory/2564-1648-0x0000000000000000-mapping.dmp

Download
memory/2564-613-0x0000000000447BBE-mapping.dmp

Download
memory/2568-1364-0x0000000000000000-mapping.dmp

Download
memory/2576-277-0x0000000000447BBE-mapping.dmp

Download
memory/2580-638-0x0000000000447BBE-mapping.dmp

Download
memory/2580-1538-0x0000000000000000-mapping.dmp

Download
memory/2584-889-0x0000000000447BBE-mapping.dmp

Download
memory/2584-1441-0x0000000000447BBE-mapping.dmp

Download
memory/2592-1266-0x0000000000447BBE-mapping.dmp

Download
memory/2592-749-0x0000000000447BBE-mapping.dmp

Download
memory/2596-1301-0x0000000000447BBE-mapping.dmp

Download
memory/2600-1055-0x0000000000447BBE-mapping.dmp

Download
memory/2600-375-0x0000000000000000-mapping.dmp

Download
memory/2604-759-0x0000000000447BBE-mapping.dmp

Download
memory/2608-1610-0x0000000000447BBE-mapping.dmp

Download
memory/2608-769-0x0000000000447BBE-mapping.dmp

Download
memory/2616-973-0x0000000000000000-mapping.dmp

Download
memory/2616-1730-0x0000000000447BBE-mapping.dmp

Download
memory/2624-1038-0x0000000000000000-mapping.dmp

Download
memory/2628-566-0x0000000000000000-mapping.dmp

Download
memory/2628-280-0x0000000000000000-mapping.dmp

Download
memory/2628-383-0x0000000000447BBE-mapping.dmp

Download
memory/2628-1003-0x0000000000000000-mapping.dmp

Download
memory/2636-656-0x0000000000000000-mapping.dmp

Download
memory/2636-372-0x0000000000447BBE-mapping.dmp

Download
memory/2640-381-0x0000000000000000-mapping.dmp

Download
memory/2648-448-0x0000000000447BBE-mapping.dmp

Download
memory/2656-1080-0x0000000000447BBE-mapping.dmp

Download
memory/2656-282-0x0000000000447BBE-mapping.dmp

Download
memory/2656-1490-0x0000000000000000-mapping.dmp

Download
memory/2660-1035-0x0000000000447BBE-mapping.dmp

Download
memory/2660-1426-0x0000000000447BBE-mapping.dmp

Download
memory/2676-1346-0x0000000000447BBE-mapping.dmp

Download
memory/2676-628-0x0000000000447BBE-mapping.dmp

Download
memory/2676-538-0x0000000000447BBE-mapping.dmp

Download
memory/2680-1098-0x0000000000000000-mapping.dmp

Download
memory/2680-486-0x0000000000000000-mapping.dmp

Download
memory/2684-953-0x0000000000000000-mapping.dmp

Download
memory/2684-1718-0x0000000000000000-mapping.dmp

Download
memory/2688-752-0x0000000000000000-mapping.dmp

Download
memory/2696-1630-0x0000000000447BBE-mapping.dmp

Download
memory/2700-458-0x0000000000447BBE-mapping.dmp

Download
memory/2704-641-0x0000000000000000-mapping.dmp

Download
memory/2716-909-0x0000000000447BBE-mapping.dmp

Download
memory/2716-285-0x0000000000000000-mapping.dmp

Download
memory/2716-461-0x0000000000000000-mapping.dmp

Download
memory/2716-556-0x0000000000000000-mapping.dmp

Download
memory/2720-1449-0x0000000000000000-mapping.dmp

Download
memory/2732-1105-0x0000000000447BBE-mapping.dmp

Download
memory/2732-1198-0x0000000000000000-mapping.dmp

Download
memory/2732-546-0x0000000000000000-mapping.dmp

Download
memory/2732-897-0x0000000000000000-mapping.dmp

Download
memory/2736-611-0x0000000000000000-mapping.dmp

Download
memory/2736-894-0x0000000000447BBE-mapping.dmp

Download
memory/2744-1705-0x0000000000447BBE-mapping.dmp

Download
memory/2744-287-0x0000000000447BBE-mapping.dmp

Download
memory/2748-1575-0x0000000000447BBE-mapping.dmp

Download
memory/2752-882-0x0000000000000000-mapping.dmp

Download
memory/2752-1030-0x0000000000447BBE-mapping.dmp

Download
memory/2756-1158-0x0000000000000000-mapping.dmp

Download
memory/2760-1025-0x0000000000447BBE-mapping.dmp

Download
memory/2764-1000-0x0000000000447BBE-mapping.dmp

Download
memory/2768-874-0x0000000000447BBE-mapping.dmp

Download
memory/2768-1229-0x0000000000000000-mapping.dmp

Download
memory/2776-1336-0x0000000000447BBE-mapping.dmp

Download
memory/2776-571-0x0000000000000000-mapping.dmp

Download
memory/2776-1454-0x0000000000000000-mapping.dmp

Download
memory/2776-814-0x0000000000447BBE-mapping.dmp

Download
memory/2784-626-0x0000000000000000-mapping.dmp

Download
memory/2788-932-0x0000000000000000-mapping.dmp

Download
memory/2792-386-0x0000000000000000-mapping.dmp

Download
memory/2796-561-0x0000000000000000-mapping.dmp

Download
memory/2796-290-0x0000000000000000-mapping.dmp

Download
memory/2800-912-0x0000000000000000-mapping.dmp

Download
memory/2804-968-0x0000000000000000-mapping.dmp

Download
memory/2804-1115-0x0000000000447BBE-mapping.dmp

Download
memory/2808-453-0x0000000000447BBE-mapping.dmp

Download
memory/2808-1738-0x0000000000000000-mapping.dmp

Download
memory/2808-1406-0x0000000000447BBE-mapping.dmp

Download
memory/2812-1389-0x0000000000000000-mapping.dmp

Download
memory/2812-1755-0x0000000000447BBE-mapping.dmp

Download
memory/2812-1555-0x0000000000447BBE-mapping.dmp

Download
memory/2816-1740-0x0000000000447BBE-mapping.dmp

Download
memory/2820-1401-0x0000000000447BBE-mapping.dmp

Download
memory/2824-292-0x0000000000447BBE-mapping.dmp

Download
memory/2824-1495-0x0000000000000000-mapping.dmp

Download
memory/2828-729-0x0000000000447BBE-mapping.dmp

Download
memory/2832-707-0x0000000000000000-mapping.dmp

Download
memory/2832-1497-0x0000000000447BBE-mapping.dmp

Download
memory/2836-1321-0x0000000000447BBE-mapping.dmp

Download
memory/2836-1436-0x0000000000447BBE-mapping.dmp

Download
memory/2836-543-0x0000000000447BBE-mapping.dmp

Download
memory/2840-1451-0x0000000000447BBE-mapping.dmp

Download
memory/2844-548-0x0000000000447BBE-mapping.dmp

Download
memory/2844-451-0x0000000000000000-mapping.dmp

Download
memory/2848-1090-0x0000000000447BBE-mapping.dmp

Download
memory/2848-1723-0x0000000000000000-mapping.dmp

Download
memory/2852-1404-0x0000000000000000-mapping.dmp

Download
memory/2856-1226-0x0000000000447BBE-mapping.dmp

Download
memory/2856-764-0x0000000000447BBE-mapping.dmp

Download
memory/2860-1008-0x0000000000000000-mapping.dmp

Download
memory/2864-1477-0x0000000000447BBE-mapping.dmp

Download
memory/2864-1683-0x0000000000000000-mapping.dmp

Download
memory/2868-541-0x0000000000000000-mapping.dmp

Download
memory/2868-295-0x0000000000000000-mapping.dmp

Download
memory/2872-1244-0x0000000000000000-mapping.dmp

Download
memory/2876-1595-0x0000000000447BBE-mapping.dmp

Download
memory/2876-1492-0x0000000000447BBE-mapping.dmp

Download
memory/2884-1700-0x0000000000447BBE-mapping.dmp

Download
memory/2884-1219-0x0000000000000000-mapping.dmp

Download
memory/2896-1563-0x0000000000000000-mapping.dmp

Download
memory/2900-393-0x0000000000447BBE-mapping.dmp

Download
memory/2904-862-0x0000000000000000-mapping.dmp

Download
memory/2904-1188-0x0000000000000000-mapping.dmp

Download
memory/2908-297-0x0000000000447BBE-mapping.dmp

Download
memory/2908-1070-0x0000000000447BBE-mapping.dmp

Download
memory/2908-493-0x0000000000447BBE-mapping.dmp

Download
memory/2912-1540-0x0000000000447BBE-mapping.dmp

Download
memory/2912-1108-0x0000000000000000-mapping.dmp

Download
memory/2916-1138-0x0000000000000000-mapping.dmp

Download
memory/2916-1588-0x0000000000000000-mapping.dmp

Download
memory/2920-1276-0x0000000000447BBE-mapping.dmp

Download
memory/2920-1688-0x0000000000000000-mapping.dmp

Download
memory/2924-702-0x0000000000000000-mapping.dmp

Download
memory/2924-872-0x0000000000000000-mapping.dmp

Download
memory/2924-960-0x0000000000447BBE-mapping.dmp

Download
memory/2928-892-0x0000000000000000-mapping.dmp

Download
memory/2928-1466-0x0000000000447BBE-mapping.dmp

Download
memory/2936-388-0x0000000000447BBE-mapping.dmp

Download
memory/2936-476-0x0000000000000000-mapping.dmp

Download
memory/2940-1148-0x0000000000000000-mapping.dmp

Download
memory/2944-1100-0x0000000000447BBE-mapping.dmp

Download
memory/2948-1294-0x0000000000000000-mapping.dmp

Download
memory/2948-456-0x0000000000000000-mapping.dmp

Download
memory/2956-300-0x0000000000000000-mapping.dmp

Download
memory/2960-1414-0x0000000000000000-mapping.dmp

Download
memory/2960-1505-0x0000000000000000-mapping.dmp

Download
memory/2964-1236-0x0000000000447BBE-mapping.dmp

Download
memory/2964-722-0x0000000000000000-mapping.dmp

Download
memory/2968-551-0x0000000000000000-mapping.dmp

Download
memory/2968-799-0x0000000000447BBE-mapping.dmp

Download
memory/2976-963-0x0000000000000000-mapping.dmp

Download
memory/2980-1234-0x0000000000000000-mapping.dmp

Download
memory/2980-1565-0x0000000000447BBE-mapping.dmp

Download
memory/2984-847-0x0000000000000000-mapping.dmp

Download
memory/2984-1668-0x0000000000000000-mapping.dmp

Download
memory/2984-689-0x0000000000447BBE-mapping.dmp

Download
memory/2988-754-0x0000000000447BBE-mapping.dmp

Download
memory/2992-302-0x0000000000447BBE-mapping.dmp

Download
memory/2996-1028-0x0000000000000000-mapping.dmp

Download
memory/3000-1640-0x0000000000447BBE-mapping.dmp

Download
memory/3000-907-0x0000000000000000-mapping.dmp

Download
memory/3004-1675-0x0000000000447BBE-mapping.dmp

Download
memory/3004-692-0x0000000000000000-mapping.dmp

Download
memory/3012-391-0x0000000000000000-mapping.dmp

Download
memory/3012-1658-0x0000000000000000-mapping.dmp

Download
memory/3012-1224-0x0000000000000000-mapping.dmp

Download
memory/3020-1593-0x0000000000000000-mapping.dmp

Download
memory/3024-576-0x0000000000000000-mapping.dmp

Download
memory/3024-1033-0x0000000000000000-mapping.dmp

Download
memory/3028-947-0x0000000000000000-mapping.dmp

Download
memory/3028-1471-0x0000000000447BBE-mapping.dmp

Download
memory/3028-1018-0x0000000000000000-mapping.dmp

Download
memory/3032-398-0x0000000000447BBE-mapping.dmp

Download
memory/3032-1605-0x0000000000447BBE-mapping.dmp

Download
memory/3036-668-0x0000000000447BBE-mapping.dmp

Download
memory/3036-787-0x0000000000000000-mapping.dmp

Download
memory/3040-914-0x0000000000447BBE-mapping.dmp

Download
memory/3044-747-0x0000000000000000-mapping.dmp

Download
memory/3044-1299-0x0000000000000000-mapping.dmp

Download
memory/3048-804-0x0000000000447BBE-mapping.dmp

Download
memory/3048-1075-0x0000000000447BBE-mapping.dmp

Download
memory/3048-1200-0x0000000000447BBE-mapping.dmp

Download
memory/3048-305-0x0000000000000000-mapping.dmp

Download
memory/3048-1550-0x0000000000447BBE-mapping.dmp

Download
memory/3052-1264-0x0000000000000000-mapping.dmp

Download
memory/3056-1193-0x0000000000000000-mapping.dmp

Download
memory/3060-506-0x0000000000000000-mapping.dmp

Download
memory/3064-466-0x0000000000000000-mapping.dmp

Download