6f03cb7c4d22e4580f919f348c2f35ec39efff0ac267c0e39833baf906c6bc06

Analysis

max time kernel
150s
max time network
52s
platform
windows10_x64
resource
win10v200430
submitted
24-06-2020 15:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

proforma invoice.exe
Size

426KB
MD5

9e589779b1777914e2fd220aa90841c1
SHA1

94d8313b3769e059e11a73c122204f229403e823
SHA256

6f03cb7c4d22e4580f919f348c2f35ec39efff0ac267c0e39833baf906c6bc06
SHA512

e3e8eb235e898e5c413abc9faab86817bb65b3435f01895a4499c2e575a2dd9de8cdd94c3ffa24caeaeef8a6aa35012cfc078ba2c37804cbc62385a83f333379

Score

7^/10

persistence

Malware Config

Signatures

Drops startup file 2 IoCs

Processes:

proforma invoice.exeproforma invoice.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HJdyTuap.exe	proforma invoice.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HJdyTuap.exe	proforma invoice.exe

Suspicious use of WriteProcessMemory 2069 IoCs

Processes:

proforma invoice.exeproforma invoice.exeproforma invoice.exeproforma invoice.exeproforma invoice.exeproforma invoice.exeproforma invoice.exeproforma invoice.exe

description	pid	process	target process
PID 644 wrote to memory of 1916	644	proforma invoice.exe	RegAsm.exe
PID 644 wrote to memory of 1916	644	proforma invoice.exe	RegAsm.exe
PID 644 wrote to memory of 1916	644	proforma invoice.exe	RegAsm.exe
PID 644 wrote to memory of 1916	644	proforma invoice.exe	RegAsm.exe
PID 644 wrote to memory of 2424	644	proforma invoice.exe	proforma invoice.exe
PID 644 wrote to memory of 2424	644	proforma invoice.exe	proforma invoice.exe
PID 644 wrote to memory of 2424	644	proforma invoice.exe	proforma invoice.exe
PID 2424 wrote to memory of 3792	2424	proforma invoice.exe	RegAsm.exe
PID 2424 wrote to memory of 3792	2424	proforma invoice.exe	RegAsm.exe
PID 2424 wrote to memory of 3792	2424	proforma invoice.exe	RegAsm.exe
PID 2424 wrote to memory of 3436	2424	proforma invoice.exe	RegAsm.exe
PID 2424 wrote to memory of 3436	2424	proforma invoice.exe	RegAsm.exe
PID 2424 wrote to memory of 3436	2424	proforma invoice.exe	RegAsm.exe
PID 2424 wrote to memory of 3436	2424	proforma invoice.exe	RegAsm.exe
PID 2424 wrote to memory of 2728	2424	proforma invoice.exe	proforma invoice.exe
PID 2424 wrote to memory of 2728	2424	proforma invoice.exe	proforma invoice.exe
PID 2424 wrote to memory of 2728	2424	proforma invoice.exe	proforma invoice.exe
PID 2728 wrote to memory of 3644	2728	proforma invoice.exe	RegAsm.exe
PID 2728 wrote to memory of 3644	2728	proforma invoice.exe	RegAsm.exe
PID 2728 wrote to memory of 3644	2728	proforma invoice.exe	RegAsm.exe
PID 2728 wrote to memory of 3644	2728	proforma invoice.exe	RegAsm.exe
PID 2728 wrote to memory of 4024	2728	proforma invoice.exe	proforma invoice.exe
PID 2728 wrote to memory of 4024	2728	proforma invoice.exe	proforma invoice.exe
PID 2728 wrote to memory of 4024	2728	proforma invoice.exe	proforma invoice.exe
PID 4024 wrote to memory of 3800	4024	proforma invoice.exe	RegAsm.exe
PID 4024 wrote to memory of 3800	4024	proforma invoice.exe	RegAsm.exe
PID 4024 wrote to memory of 3800	4024	proforma invoice.exe	RegAsm.exe
PID 4024 wrote to memory of 1700	4024	proforma invoice.exe	RegAsm.exe
PID 4024 wrote to memory of 1700	4024	proforma invoice.exe	RegAsm.exe
PID 4024 wrote to memory of 1700	4024	proforma invoice.exe	RegAsm.exe
PID 4024 wrote to memory of 1700	4024	proforma invoice.exe	RegAsm.exe
PID 4024 wrote to memory of 800	4024	proforma invoice.exe	proforma invoice.exe
PID 4024 wrote to memory of 800	4024	proforma invoice.exe	proforma invoice.exe
PID 4024 wrote to memory of 800	4024	proforma invoice.exe	proforma invoice.exe
PID 800 wrote to memory of 1648	800	proforma invoice.exe	RegAsm.exe
PID 800 wrote to memory of 1648	800	proforma invoice.exe	RegAsm.exe
PID 800 wrote to memory of 1648	800	proforma invoice.exe	RegAsm.exe
PID 800 wrote to memory of 1648	800	proforma invoice.exe	RegAsm.exe
PID 800 wrote to memory of 3672	800	proforma invoice.exe	proforma invoice.exe
PID 800 wrote to memory of 3672	800	proforma invoice.exe	proforma invoice.exe
PID 800 wrote to memory of 3672	800	proforma invoice.exe	proforma invoice.exe
PID 3672 wrote to memory of 640	3672	proforma invoice.exe	RegAsm.exe
PID 3672 wrote to memory of 640	3672	proforma invoice.exe	RegAsm.exe
PID 3672 wrote to memory of 640	3672	proforma invoice.exe	RegAsm.exe
PID 3672 wrote to memory of 640	3672	proforma invoice.exe	RegAsm.exe
PID 3672 wrote to memory of 3512	3672	proforma invoice.exe	proforma invoice.exe
PID 3672 wrote to memory of 3512	3672	proforma invoice.exe	proforma invoice.exe
PID 3672 wrote to memory of 3512	3672	proforma invoice.exe	proforma invoice.exe
PID 3512 wrote to memory of 3744	3512	proforma invoice.exe	RegAsm.exe
PID 3512 wrote to memory of 3744	3512	proforma invoice.exe	RegAsm.exe
PID 3512 wrote to memory of 3744	3512	proforma invoice.exe	RegAsm.exe
PID 3512 wrote to memory of 3764	3512	proforma invoice.exe	RegAsm.exe
PID 3512 wrote to memory of 3764	3512	proforma invoice.exe	RegAsm.exe
PID 3512 wrote to memory of 3764	3512	proforma invoice.exe	RegAsm.exe
PID 3512 wrote to memory of 3764	3512	proforma invoice.exe	RegAsm.exe
PID 3512 wrote to memory of 2280	3512	proforma invoice.exe	proforma invoice.exe
PID 3512 wrote to memory of 2280	3512	proforma invoice.exe	proforma invoice.exe
PID 3512 wrote to memory of 2280	3512	proforma invoice.exe	proforma invoice.exe
PID 2280 wrote to memory of 804	2280	proforma invoice.exe	RegAsm.exe
PID 2280 wrote to memory of 804	2280	proforma invoice.exe	RegAsm.exe
PID 2280 wrote to memory of 804	2280	proforma invoice.exe	RegAsm.exe
PID 2280 wrote to memory of 804	2280	proforma invoice.exe	RegAsm.exe
PID 2280 wrote to memory of 848	2280	proforma invoice.exe	proforma invoice.exe
PID 2280 wrote to memory of 848	2280	proforma invoice.exe	proforma invoice.exe

Suspicious behavior: MapViewOfSection 343 IoCs

Processes:

proforma invoice.exeproforma invoice.exeproforma invoice.exeproforma invoice.exeproforma invoice.exeproforma invoice.exeproforma invoice.exeproforma invoice.exeproforma invoice.exeproforma invoice.exeproforma invoice.exeproforma invoice.exeproforma invoice.exeproforma invoice.exeproforma invoice.exeproforma invoice.exeproforma invoice.exeproforma invoice.exeproforma invoice.exeproforma invoice.exeproforma invoice.exeproforma invoice.exeproforma invoice.exeproforma invoice.exeproforma invoice.exeproforma invoice.exeproforma invoice.exeproforma invoice.exeproforma invoice.exeproforma invoice.exeproforma invoice.exeproforma invoice.exeproforma invoice.exeproforma invoice.exeproforma invoice.exeproforma invoice.exeproforma invoice.exeproforma invoice.exeproforma invoice.exeproforma invoice.exeproforma invoice.exeproforma invoice.exeproforma invoice.exeproforma invoice.exeproforma invoice.exeproforma invoice.exeproforma invoice.exeproforma invoice.exeproforma invoice.exeproforma invoice.exeproforma invoice.exeproforma invoice.exe

pid	process
644	proforma invoice.exe
2424	proforma invoice.exe
2424	proforma invoice.exe
2728	proforma invoice.exe
4024	proforma invoice.exe
4024	proforma invoice.exe
800	proforma invoice.exe
3672	proforma invoice.exe
3512	proforma invoice.exe
3512	proforma invoice.exe
2280	proforma invoice.exe
848	proforma invoice.exe
848	proforma invoice.exe
3340	proforma invoice.exe
1260	proforma invoice.exe
3084	proforma invoice.exe
2944	proforma invoice.exe
2944	proforma invoice.exe
2088	proforma invoice.exe
3996	proforma invoice.exe
3816	proforma invoice.exe
4016	proforma invoice.exe
3100	proforma invoice.exe
1264	proforma invoice.exe
1120	proforma invoice.exe
3900	proforma invoice.exe
496	proforma invoice.exe
3104	proforma invoice.exe
3888	proforma invoice.exe
3836	proforma invoice.exe
3392	proforma invoice.exe
1456	proforma invoice.exe
1456	proforma invoice.exe
1052	proforma invoice.exe
1052	proforma invoice.exe
3796	proforma invoice.exe
3796	proforma invoice.exe
3796	proforma invoice.exe
2624	proforma invoice.exe
2112	proforma invoice.exe
2112	proforma invoice.exe
2548	proforma invoice.exe
2748	proforma invoice.exe
3796	proforma invoice.exe
2652	proforma invoice.exe
4028	proforma invoice.exe
1648	proforma invoice.exe
4140	proforma invoice.exe
4240	proforma invoice.exe
4364	proforma invoice.exe
4480	proforma invoice.exe
4480	proforma invoice.exe
4600	proforma invoice.exe
4696	proforma invoice.exe
4792	proforma invoice.exe
4888	proforma invoice.exe
4992	proforma invoice.exe
5088	proforma invoice.exe
4148	proforma invoice.exe
1852	proforma invoice.exe
1336	proforma invoice.exe
4008	proforma invoice.exe
4296	proforma invoice.exe
4296	proforma invoice.exe

Suspicious use of SetThreadContext 260 IoCs

Processes:

description	pid	process	target process
PID 644 set thread context of 1916	644	proforma invoice.exe	RegAsm.exe
PID 2424 set thread context of 3436	2424	proforma invoice.exe	RegAsm.exe
PID 2728 set thread context of 3644	2728	proforma invoice.exe	RegAsm.exe
PID 4024 set thread context of 1700	4024	proforma invoice.exe	RegAsm.exe
PID 800 set thread context of 1648	800	proforma invoice.exe	RegAsm.exe
PID 3672 set thread context of 640	3672	proforma invoice.exe	RegAsm.exe
PID 3512 set thread context of 3764	3512	proforma invoice.exe	RegAsm.exe
PID 2280 set thread context of 804	2280	proforma invoice.exe	RegAsm.exe
PID 848 set thread context of 2428	848	proforma invoice.exe	RegAsm.exe
PID 3340 set thread context of 2828	3340	proforma invoice.exe	RegAsm.exe
PID 1260 set thread context of 3796	1260	proforma invoice.exe	RegAsm.exe
PID 3084 set thread context of 800	3084	proforma invoice.exe	RegAsm.exe
PID 2944 set thread context of 2112	2944	proforma invoice.exe	RegAsm.exe
PID 2088 set thread context of 3812	2088	proforma invoice.exe	RegAsm.exe
PID 3996 set thread context of 988	3996	proforma invoice.exe	RegAsm.exe
PID 3816 set thread context of 3152	3816	proforma invoice.exe	RegAsm.exe
PID 4016 set thread context of 1260	4016	proforma invoice.exe	RegAsm.exe
PID 3100 set thread context of 2120	3100	proforma invoice.exe	RegAsm.exe
PID 1264 set thread context of 1524	1264	proforma invoice.exe	RegAsm.exe
PID 1120 set thread context of 4024	1120	proforma invoice.exe	RegAsm.exe
PID 3900 set thread context of 1948	3900	proforma invoice.exe	RegAsm.exe
PID 496 set thread context of 4032	496	proforma invoice.exe	RegAsm.exe
PID 3104 set thread context of 3844	3104	proforma invoice.exe	RegAsm.exe
PID 3888 set thread context of 3512	3888	proforma invoice.exe	RegAsm.exe
PID 3836 set thread context of 3760	3836	proforma invoice.exe	RegAsm.exe
PID 3392 set thread context of 2500	3392	proforma invoice.exe	RegAsm.exe
PID 1456 set thread context of 3764	1456	proforma invoice.exe	RegAsm.exe
PID 1052 set thread context of 2468	1052	proforma invoice.exe	RegAsm.exe
PID 3796 set thread context of 3852	3796	proforma invoice.exe	RegAsm.exe
PID 2624 set thread context of 1676	2624	proforma invoice.exe	RegAsm.exe
PID 2112 set thread context of 2864	2112	proforma invoice.exe	RegAsm.exe
PID 2548 set thread context of 1456	2548	proforma invoice.exe	RegAsm.exe
PID 2748 set thread context of 3064	2748	proforma invoice.exe	RegAsm.exe
PID 3796 set thread context of 3920	3796	proforma invoice.exe	RegAsm.exe
PID 2652 set thread context of 1804	2652	proforma invoice.exe	RegAsm.exe
PID 4028 set thread context of 1120	4028	proforma invoice.exe	RegAsm.exe
PID 1648 set thread context of 3392	1648	proforma invoice.exe	RegAsm.exe
PID 4140 set thread context of 4172	4140	proforma invoice.exe	RegAsm.exe
PID 4240 set thread context of 4272	4240	proforma invoice.exe	RegAsm.exe
PID 4364 set thread context of 4408	4364	proforma invoice.exe	RegAsm.exe
PID 4480 set thread context of 4536	4480	proforma invoice.exe	RegAsm.exe
PID 4600 set thread context of 4632	4600	proforma invoice.exe	RegAsm.exe
PID 4696 set thread context of 4728	4696	proforma invoice.exe	RegAsm.exe
PID 4792 set thread context of 4824	4792	proforma invoice.exe	RegAsm.exe
PID 4888 set thread context of 4928	4888	proforma invoice.exe	RegAsm.exe
PID 4992 set thread context of 5024	4992	proforma invoice.exe	RegAsm.exe
PID 5088 set thread context of 1516	5088	proforma invoice.exe	RegAsm.exe
PID 4148 set thread context of 3676	4148	proforma invoice.exe	RegAsm.exe
PID 1852 set thread context of 4132	1852	proforma invoice.exe	RegAsm.exe
PID 1336 set thread context of 2424	1336	proforma invoice.exe	RegAsm.exe
PID 4008 set thread context of 4172	4008	proforma invoice.exe	RegAsm.exe
PID 4296 set thread context of 4084	4296	proforma invoice.exe	RegAsm.exe
PID 1688 set thread context of 2112	1688	proforma invoice.exe	RegAsm.exe
PID 3764 set thread context of 928	3764	proforma invoice.exe	RegAsm.exe
PID 4276 set thread context of 4224	4276	proforma invoice.exe	RegAsm.exe
PID 3096 set thread context of 4544	3096	proforma invoice.exe	RegAsm.exe
PID 4572 set thread context of 4396	4572	proforma invoice.exe	RegAsm.exe
PID 4504 set thread context of 4480	4504	proforma invoice.exe	RegAsm.exe
PID 4684 set thread context of 4700	4684	proforma invoice.exe	RegAsm.exe
PID 5000 set thread context of 4820	5000	proforma invoice.exe	RegAsm.exe
PID 4908 set thread context of 4888	4908	proforma invoice.exe	RegAsm.exe
PID 1648 set thread context of 4016	1648	proforma invoice.exe	RegAsm.exe
PID 4212 set thread context of 3852	4212	proforma invoice.exe	RegAsm.exe
PID 2732 set thread context of 3156	2732	proforma invoice.exe	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 272 IoCs

Processes:

proforma invoice.exeproforma invoice.exeproforma invoice.exeproforma invoice.exeproforma invoice.exeproforma invoice.exeproforma invoice.exeproforma invoice.exeproforma invoice.exeproforma invoice.exeproforma invoice.exeproforma invoice.exeproforma invoice.exeproforma invoice.exeproforma invoice.exeproforma invoice.exeproforma invoice.exeRegAsm.exeproforma invoice.exeproforma invoice.exeproforma invoice.exeproforma invoice.exeproforma invoice.exeproforma invoice.exeproforma invoice.exeproforma invoice.exeproforma invoice.exeproforma invoice.exeproforma invoice.exeproforma invoice.exeproforma invoice.exeproforma invoice.exeproforma invoice.exeproforma invoice.exeproforma invoice.exeproforma invoice.exeproforma invoice.exeproforma invoice.exeproforma invoice.exeproforma invoice.exeRegAsm.exeproforma invoice.exeproforma invoice.exeproforma invoice.exeproforma invoice.exeproforma invoice.exeproforma invoice.exeproforma invoice.exeproforma invoice.exeproforma invoice.exeproforma invoice.exeproforma invoice.exeproforma invoice.exeproforma invoice.exeproforma invoice.exeproforma invoice.exeproforma invoice.exeproforma invoice.exeproforma invoice.exeproforma invoice.exeproforma invoice.exeproforma invoice.exeproforma invoice.exeRegAsm.exe

description	pid	process
Token: SeDebugPrivilege	644	proforma invoice.exe
Token: SeDebugPrivilege	2424	proforma invoice.exe
Token: SeDebugPrivilege	2728	proforma invoice.exe
Token: SeDebugPrivilege	4024	proforma invoice.exe
Token: SeDebugPrivilege	800	proforma invoice.exe
Token: SeDebugPrivilege	3672	proforma invoice.exe
Token: SeDebugPrivilege	3512	proforma invoice.exe
Token: SeDebugPrivilege	2280	proforma invoice.exe
Token: SeDebugPrivilege	848	proforma invoice.exe
Token: SeDebugPrivilege	3340	proforma invoice.exe
Token: SeDebugPrivilege	1260	proforma invoice.exe
Token: SeDebugPrivilege	3084	proforma invoice.exe
Token: SeDebugPrivilege	2944	proforma invoice.exe
Token: SeDebugPrivilege	2088	proforma invoice.exe
Token: SeDebugPrivilege	3996	proforma invoice.exe
Token: SeDebugPrivilege	3816	proforma invoice.exe
Token: SeDebugPrivilege	4016	proforma invoice.exe
Token: SeDebugPrivilege	1916	RegAsm.exe
Token: SeDebugPrivilege	3100	proforma invoice.exe
Token: SeDebugPrivilege	1264	proforma invoice.exe
Token: SeDebugPrivilege	1120	proforma invoice.exe
Token: SeDebugPrivilege	3900	proforma invoice.exe
Token: SeDebugPrivilege	496	proforma invoice.exe
Token: SeDebugPrivilege	3104	proforma invoice.exe
Token: SeDebugPrivilege	3888	proforma invoice.exe
Token: SeDebugPrivilege	3836	proforma invoice.exe
Token: SeDebugPrivilege	3392	proforma invoice.exe
Token: SeDebugPrivilege	1456	proforma invoice.exe
Token: SeDebugPrivilege	1052	proforma invoice.exe
Token: SeDebugPrivilege	3796	proforma invoice.exe
Token: SeDebugPrivilege	2624	proforma invoice.exe
Token: SeDebugPrivilege	2112	proforma invoice.exe
Token: SeDebugPrivilege	2548	proforma invoice.exe
Token: SeDebugPrivilege	2748	proforma invoice.exe
Token: SeDebugPrivilege	3796	proforma invoice.exe
Token: SeDebugPrivilege	2652	proforma invoice.exe
Token: SeDebugPrivilege	4028	proforma invoice.exe
Token: SeDebugPrivilege	1648	proforma invoice.exe
Token: SeDebugPrivilege	4140	proforma invoice.exe
Token: SeDebugPrivilege	4240	proforma invoice.exe
Token: SeDebugPrivilege	2120	RegAsm.exe
Token: SeDebugPrivilege	4364	proforma invoice.exe
Token: SeDebugPrivilege	4480	proforma invoice.exe
Token: SeDebugPrivilege	4600	proforma invoice.exe
Token: SeDebugPrivilege	4696	proforma invoice.exe
Token: SeDebugPrivilege	4792	proforma invoice.exe
Token: SeDebugPrivilege	4888	proforma invoice.exe
Token: SeDebugPrivilege	4992	proforma invoice.exe
Token: SeDebugPrivilege	5088	proforma invoice.exe
Token: SeDebugPrivilege	4148	proforma invoice.exe
Token: SeDebugPrivilege	1852	proforma invoice.exe
Token: SeDebugPrivilege	1336	proforma invoice.exe
Token: SeDebugPrivilege	4008	proforma invoice.exe
Token: SeDebugPrivilege	4296	proforma invoice.exe
Token: SeDebugPrivilege	1688	proforma invoice.exe
Token: SeDebugPrivilege	3764	proforma invoice.exe
Token: SeDebugPrivilege	4276	proforma invoice.exe
Token: SeDebugPrivilege	3096	proforma invoice.exe
Token: SeDebugPrivilege	4572	proforma invoice.exe
Token: SeDebugPrivilege	4504	proforma invoice.exe
Token: SeDebugPrivilege	4684	proforma invoice.exe
Token: SeDebugPrivilege	5000	proforma invoice.exe
Token: SeDebugPrivilege	4908	proforma invoice.exe
Token: SeDebugPrivilege	4408	RegAsm.exe

Suspicious behavior: EnumeratesProcesses 73856 IoCs

Processes:

proforma invoice.exe

pid	process
644	proforma invoice.exe
644	proforma invoice.exe
644	proforma invoice.exe
644	proforma invoice.exe
644	proforma invoice.exe
644	proforma invoice.exe
644	proforma invoice.exe
644	proforma invoice.exe
644	proforma invoice.exe
644	proforma invoice.exe
644	proforma invoice.exe
644	proforma invoice.exe
644	proforma invoice.exe
644	proforma invoice.exe
644	proforma invoice.exe
644	proforma invoice.exe
644	proforma invoice.exe
644	proforma invoice.exe
644	proforma invoice.exe
644	proforma invoice.exe
644	proforma invoice.exe
644	proforma invoice.exe
644	proforma invoice.exe
644	proforma invoice.exe
644	proforma invoice.exe
644	proforma invoice.exe
644	proforma invoice.exe
644	proforma invoice.exe
644	proforma invoice.exe
644	proforma invoice.exe
644	proforma invoice.exe
644	proforma invoice.exe
644	proforma invoice.exe
644	proforma invoice.exe
644	proforma invoice.exe
644	proforma invoice.exe
644	proforma invoice.exe
644	proforma invoice.exe
644	proforma invoice.exe
644	proforma invoice.exe
644	proforma invoice.exe
644	proforma invoice.exe
644	proforma invoice.exe
644	proforma invoice.exe
644	proforma invoice.exe
644	proforma invoice.exe
644	proforma invoice.exe
644	proforma invoice.exe
644	proforma invoice.exe
644	proforma invoice.exe
644	proforma invoice.exe
644	proforma invoice.exe
644	proforma invoice.exe
644	proforma invoice.exe
644	proforma invoice.exe
644	proforma invoice.exe
644	proforma invoice.exe
644	proforma invoice.exe
644	proforma invoice.exe
644	proforma invoice.exe
644	proforma invoice.exe
644	proforma invoice.exe
644	proforma invoice.exe
644	proforma invoice.exe

Adds Run entry to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

RegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\CurrentVersion\Run\DsWhv = "C:\\Users\\Admin\\AppData\\Roaming\\DsWhv\\DsWhv.exe"	RegAsm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\CurrentVersion\Run\DsWhv = "C:\\Users\\Admin\\AppData\\Roaming\\DsWhv\\DsWhv.exe"	RegAsm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\CurrentVersion\Run\DsWhv = "C:\\Users\\Admin\\AppData\\Roaming\\DsWhv\\DsWhv.exe"	RegAsm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\CurrentVersion\Run\DsWhv = "C:\\Users\\Admin\\AppData\\Roaming\\DsWhv\\DsWhv.exe"	RegAsm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\CurrentVersion\Run\DsWhv = "C:\\Users\\Admin\\AppData\\Roaming\\DsWhv\\DsWhv.exe"	RegAsm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\CurrentVersion\Run\DsWhv = "C:\\Users\\Admin\\AppData\\Roaming\\DsWhv\\DsWhv.exe"	RegAsm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\CurrentVersion\Run\DsWhv = "C:\\Users\\Admin\\AppData\\Roaming\\DsWhv\\DsWhv.exe"	RegAsm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\CurrentVersion\Run\DsWhv = "C:\\Users\\Admin\\AppData\\Roaming\\DsWhv\\DsWhv.exe"	RegAsm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\CurrentVersion\Run\DsWhv = "C:\\Users\\Admin\\AppData\\Roaming\\DsWhv\\DsWhv.exe"	RegAsm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\CurrentVersion\Run\DsWhv = "C:\\Users\\Admin\\AppData\\Roaming\\DsWhv\\DsWhv.exe"	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
1⤵
- Drops startup file
- Suspicious use of WriteProcessMemory
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
PID:644

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1916

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
2⤵
- Drops startup file
- Suspicious use of WriteProcessMemory
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2424

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:3792

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:3436

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
3⤵
- Suspicious use of WriteProcessMemory
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2728

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
PID:3644

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
4⤵
- Suspicious use of WriteProcessMemory
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:4024

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
5⤵
PID:3800

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
5⤵
PID:1700

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
5⤵
- Suspicious use of WriteProcessMemory
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:800

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
6⤵
PID:1648

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
6⤵
- Suspicious use of WriteProcessMemory
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:3672

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
7⤵
PID:640

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
7⤵
- Suspicious use of WriteProcessMemory
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:3512

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
8⤵
PID:3744

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
8⤵
PID:3764

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
8⤵
- Suspicious use of WriteProcessMemory
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2280

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
9⤵
PID:804

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
9⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:848

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
10⤵
PID:3732

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
10⤵
PID:2428

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
10⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:3340

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
11⤵
PID:2828

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
11⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1260

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
12⤵
PID:3796

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
12⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:3084

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
13⤵
PID:800

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
13⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2944

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
14⤵
PID:1948

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
14⤵
PID:2112

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
14⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2088

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
15⤵
PID:3812

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
15⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:3996

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
16⤵
PID:988

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
16⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:3816

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
17⤵
PID:3152

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
17⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:4016

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
18⤵
PID:1260

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
18⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:3100

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
19⤵
- Suspicious use of AdjustPrivilegeToken
- Adds Run entry to start application
PID:2120

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
19⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1264

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
20⤵
PID:1524

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
20⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1120

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
21⤵
PID:4024

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
21⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:3900

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
22⤵
PID:1948

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
22⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:496

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
23⤵
PID:4032

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
23⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:3104

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
24⤵
PID:3844

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
24⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:3888

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
25⤵
PID:3512

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
25⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:3836

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
26⤵
PID:3760

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
26⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:3392

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
27⤵
PID:2500

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
27⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1456

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
28⤵
PID:2112

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
28⤵
PID:3764

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
28⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1052

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
29⤵
PID:3612

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
29⤵
PID:2468

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
29⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:3796

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
30⤵
PID:560

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
30⤵
PID:3100

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
30⤵
PID:3852

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
30⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2624

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
31⤵
PID:1676

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
31⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2112

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
32⤵
PID:848

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
32⤵
PID:2864

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
32⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2548

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
33⤵
PID:1456

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
33⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2748

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
34⤵
PID:3064

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
34⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:3796

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
35⤵
PID:3920

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
35⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2652

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
36⤵
PID:1804

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
36⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:4028

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
37⤵
PID:1120

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
37⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1648

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
38⤵
PID:3392

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
38⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:4140

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
39⤵
PID:4172

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
39⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:4240

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
40⤵
PID:4272

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
40⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:4364

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
41⤵
- Suspicious use of AdjustPrivilegeToken
- Adds Run entry to start application
PID:4408

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
41⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:4480

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
42⤵
PID:4528

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
42⤵
PID:4536

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
42⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:4600

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
43⤵
PID:4632

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
43⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:4696

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
44⤵
PID:4728

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
44⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:4792

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
45⤵
PID:4824

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
45⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:4888

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
46⤵
PID:4928

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
46⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:4992

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
47⤵
PID:5024

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
47⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:5088

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
48⤵
PID:1516

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
48⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:4148

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
49⤵
PID:3676

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
49⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1852

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
50⤵
PID:4132

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
50⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1336

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
51⤵
PID:2424

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
51⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:4008

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
52⤵
PID:4172

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
52⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:4296

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
53⤵
PID:2884

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
53⤵
PID:4084

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
53⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1688

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
54⤵
PID:2112

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
54⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:3764

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
55⤵
PID:1620

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
55⤵
PID:928

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
55⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:4276

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
56⤵
PID:4216

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
56⤵
PID:4224

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
56⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:3096

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
57⤵
PID:4544

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
57⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:4572

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
58⤵
PID:4384

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
58⤵
PID:4396

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
58⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:4504

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
59⤵
PID:4592

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
59⤵
PID:4480

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
59⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:4684

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
60⤵
PID:4700

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
60⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:5000

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
61⤵
PID:4820

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
61⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:4908

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
62⤵
PID:4984

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
62⤵
PID:4888

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
62⤵
- Suspicious use of SetThreadContext
PID:1648

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
63⤵
- Adds Run entry to start application
PID:4016

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
63⤵
- Suspicious use of SetThreadContext
PID:4212

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
64⤵
PID:3852

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
64⤵
- Suspicious use of SetThreadContext
PID:2732

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
65⤵
PID:3156

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
65⤵
PID:2092

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
66⤵
PID:4176

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
66⤵
PID:3736

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
66⤵
PID:4300

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
66⤵
PID:3044

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
67⤵
PID:4232

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
67⤵
PID:1688

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
68⤵
PID:4220

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
68⤵
PID:3720

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
68⤵
PID:4404

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
69⤵
PID:4332

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
69⤵
PID:4328

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
70⤵
PID:4440

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
70⤵
PID:4668

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
71⤵
PID:4780

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
71⤵
PID:4776

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
72⤵
PID:4836

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
72⤵
PID:4480

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
72⤵
PID:4732

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
73⤵
PID:3612

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
73⤵
PID:4792

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
74⤵
PID:4228

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
74⤵
PID:3168

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
75⤵
PID:4852

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
75⤵
PID:4052

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
76⤵
PID:1184

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
76⤵
PID:3104

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
77⤵
PID:4948

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
77⤵
PID:4788

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
78⤵
PID:5016

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
78⤵
PID:4900

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
79⤵
PID:4444

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
79⤵
PID:996

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
80⤵
PID:2652

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
80⤵
PID:808

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
81⤵
PID:3748

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
81⤵
PID:3844

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
82⤵
PID:3948

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
82⤵
PID:3904

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
83⤵
PID:1432

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
83⤵
PID:4336

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
84⤵
PID:4244

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
84⤵
PID:4152

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
85⤵
- Adds Run entry to start application
PID:4404

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
85⤵
PID:4724

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
86⤵
PID:4484

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
86⤵
PID:4572

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
86⤵
PID:4920

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
87⤵
PID:4756

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
87⤵
PID:3964

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
88⤵
PID:4396

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
88⤵
PID:2044

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
88⤵
PID:4916

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
89⤵
PID:4544

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
89⤵
PID:4636

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
90⤵
PID:4052

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
90⤵
PID:4860

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
91⤵
PID:4696

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
91⤵
PID:4148

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
92⤵
PID:4280

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
92⤵
PID:5108

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
93⤵
PID:4284

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
93⤵
PID:576

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
94⤵
PID:4420

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
94⤵
PID:1052

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
95⤵
PID:560

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
95⤵
PID:4432

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
96⤵
PID:4748

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
96⤵
PID:4500

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
97⤵
PID:724

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
97⤵
PID:644

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
98⤵
PID:4464

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
98⤵
PID:4524

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
99⤵
PID:3764

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
99⤵
PID:2980

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
100⤵
PID:1676

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
100⤵
PID:3084

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
101⤵
PID:952

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
101⤵
PID:4868

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
102⤵
PID:4752

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
102⤵
PID:4152

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
103⤵
PID:4664

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
103⤵
PID:3776

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
104⤵
PID:3788

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
104⤵
PID:4020

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
105⤵
PID:4928

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
105⤵
PID:2576

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
106⤵
PID:4632

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
106⤵
PID:1620

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
107⤵
- Adds Run entry to start application
PID:5020

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
107⤵
PID:5092

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
108⤵
PID:1252

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
108⤵
PID:4196

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
109⤵
PID:4304

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
109⤵
PID:4288

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
110⤵
PID:4228

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
110⤵
PID:3732

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
111⤵
PID:4596

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
111⤵
PID:4344

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
111⤵
PID:3748

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
112⤵
PID:4848

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
112⤵
PID:4692

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
112⤵
PID:1992

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
112⤵
PID:852

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
113⤵
PID:4456

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
113⤵
PID:4476

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
114⤵
PID:1124

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
114⤵
PID:4508

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
115⤵
PID:4368

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
115⤵
PID:4884

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
116⤵
PID:4916

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
116⤵
PID:1672

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
117⤵
PID:5040

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
117⤵
PID:4880

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
117⤵
PID:3960

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
118⤵
PID:3100

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
118⤵
PID:4900

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
119⤵
PID:3752

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
119⤵
PID:4844

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
119⤵
PID:2944

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
120⤵
PID:3672

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
120⤵
PID:3168

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
121⤵
PID:4168

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
121⤵
PID:4016

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
122⤵
PID:4296

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
122⤵
PID:3964

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
123⤵
PID:4944

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
123⤵
PID:5116

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
124⤵
PID:4180

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
124⤵
PID:1052

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
125⤵
PID:2068

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
125⤵
PID:808

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
126⤵
PID:4196

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
126⤵
PID:848

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
127⤵
PID:4484

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
127⤵
PID:5032

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
128⤵
PID:3740

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
128⤵
PID:4360

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
129⤵
- Adds Run entry to start application
PID:4244

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
129⤵
PID:4328

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
130⤵
PID:4624

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
130⤵
PID:4812

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
131⤵
PID:4260

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
131⤵
PID:3716

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
132⤵
PID:4564

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
132⤵
PID:4964

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
132⤵
PID:4116

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
133⤵
PID:3960

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
133⤵
PID:1432

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
134⤵
PID:4560

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
134⤵
PID:4548

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
135⤵
PID:4164

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
135⤵
PID:3044

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
136⤵
PID:4792

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
136⤵
PID:4016

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
136⤵
PID:4636

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
137⤵
PID:3080

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
137⤵
PID:2088

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
138⤵
PID:1716

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
138⤵
PID:3032

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
139⤵
PID:5084

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
139⤵
PID:4480

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
140⤵
PID:4580

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
140⤵
PID:984

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
141⤵
PID:4656

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
141⤵
PID:3100

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
142⤵
PID:4764

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
142⤵
PID:4276

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
143⤵
PID:4456

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
143⤵
PID:4796

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
144⤵
PID:2080

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
144⤵
PID:4720

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
144⤵
PID:392

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
145⤵
PID:4080

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
145⤵
PID:4668

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
146⤵
PID:2816

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
146⤵
PID:4524

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
147⤵
PID:4360

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
147⤵
PID:4536

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
148⤵
PID:4804

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
148⤵
PID:636

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
149⤵
PID:4820

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
149⤵
PID:4284

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
150⤵
PID:4752

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
150⤵
PID:1676

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
151⤵
PID:2052

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
151⤵
- Adds Run entry to start application
PID:4400

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
151⤵
PID:952

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
152⤵
PID:4020

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
152⤵
PID:576

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
153⤵
PID:4444

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
153⤵
PID:2088

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
154⤵
PID:5048

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
154⤵
PID:4224

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
154⤵
PID:1992

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
154⤵
PID:496

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
155⤵
PID:4480

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
155⤵
PID:5108

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
155⤵
PID:640

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
156⤵
PID:3844

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
156⤵
PID:4180

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
157⤵
PID:2644

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
157⤵
PID:2820

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
157⤵
PID:2588

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
157⤵
PID:4168

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
158⤵
PID:2908

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
158⤵
PID:3992

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
159⤵
PID:4640

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
159⤵
PID:4252

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
160⤵
PID:4472

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
160⤵
PID:4972

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
161⤵
PID:4628

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
161⤵
PID:2104

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
162⤵
PID:4824

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
162⤵
PID:1456

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
162⤵
PID:4716

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
163⤵
PID:1264

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
163⤵
PID:4264

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
163⤵
PID:3752

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
164⤵
PID:4860

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
164⤵
PID:1936

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
165⤵
PID:900

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
165⤵
PID:672

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
165⤵
PID:4404

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
166⤵
PID:4580

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
166⤵
PID:4772

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
167⤵
PID:4888

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
167⤵
PID:3764

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
168⤵
PID:4436

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
168⤵
PID:4848

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
169⤵
PID:976

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
169⤵
PID:800

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
170⤵
PID:4048

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
170⤵
PID:4316

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
171⤵
PID:68

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
171⤵
PID:2424

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
172⤵
PID:984

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
172⤵
PID:4312

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
173⤵
PID:5092

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
173⤵
- Adds Run entry to start application
PID:4176

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
173⤵
PID:4664

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
174⤵
PID:2980

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
174⤵
PID:4784

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
174⤵
PID:5056

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
175⤵
PID:4012

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
175⤵
PID:5016

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
176⤵
PID:2232

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
176⤵
PID:1716

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
177⤵
PID:4424

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
177⤵
PID:4080

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
177⤵
PID:560

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
177⤵
PID:4204

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
177⤵
PID:2072

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
178⤵
PID:1920

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
178⤵
PID:4968

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
179⤵
PID:5068

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
179⤵
PID:4084

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
180⤵
PID:4360

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
180⤵
PID:3680

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
180⤵
PID:5004

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
181⤵
PID:3636

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
181⤵
PID:3964

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
182⤵
PID:4556

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
182⤵
PID:4340

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
183⤵
PID:4816

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
183⤵
PID:4280

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
183⤵
PID:1932

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
184⤵
PID:4748

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
184⤵
PID:5052

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
185⤵
PID:4460

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
185⤵
PID:5028

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
185⤵
PID:5076

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
185⤵
PID:3512

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
186⤵
PID:5012

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
186⤵
PID:3900

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
187⤵
PID:1456

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
187⤵
PID:4840

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
188⤵
PID:1252

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
188⤵
PID:4692

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
189⤵
PID:4272

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
189⤵
PID:4024

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
190⤵
PID:4212

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
190⤵
PID:4576

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
191⤵
PID:4992

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
191⤵
PID:2704

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
192⤵
PID:4484

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
192⤵
PID:1052

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
193⤵
PID:560

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
193⤵
PID:2468

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
193⤵
PID:2576

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
194⤵
PID:3996

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
194⤵
PID:4256

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
195⤵
PID:4360

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
195⤵
- Adds Run entry to start application
PID:2112

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
195⤵
PID:4492

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
196⤵
PID:4740

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
196⤵
PID:4924

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
196⤵
PID:4584

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
197⤵
PID:4156

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
197⤵
PID:4708

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
197⤵
PID:4344

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
198⤵
PID:1960

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
198⤵
PID:4712

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
199⤵
PID:4132

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
199⤵
PID:5080

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
199⤵
PID:4332

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
200⤵
PID:4508

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
200⤵
PID:4964

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
201⤵
PID:4568

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
201⤵
PID:5088

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
201⤵
PID:2428

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
201⤵
PID:4960

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
202⤵
PID:4104

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
202⤵
PID:4180

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
203⤵
PID:4900

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
203⤵
PID:5092

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
203⤵
PID:4512

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
203⤵
PID:4824

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
204⤵
PID:3592

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
204⤵
PID:2624

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
204⤵
PID:4728

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
204⤵
PID:4100

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
204⤵
PID:2732

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
205⤵
PID:5044

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
205⤵
PID:3680

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
206⤵
PID:2232

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
206⤵
PID:4776

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
206⤵
PID:1948

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
207⤵
PID:3844

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
207⤵
PID:4572

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
208⤵
PID:3604

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
208⤵
PID:4396

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
208⤵
PID:4224

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
209⤵
PID:4264

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
209⤵
PID:4536

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
210⤵
PID:2652

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
210⤵
PID:3080

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
210⤵
PID:2756

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
210⤵
PID:4272

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
210⤵
PID:5016

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
211⤵
PID:1124

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
211⤵
PID:4560

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
211⤵
PID:4084

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
212⤵
PID:5020

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
212⤵
PID:4392

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
213⤵
PID:3776

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
213⤵
PID:3764

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
214⤵
PID:4584

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
214⤵
PID:4340

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
215⤵
PID:2944

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
215⤵
PID:4472

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
216⤵
PID:5088

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
216⤵
PID:1176

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
217⤵
- Adds Run entry to start application
PID:4144

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
217⤵
PID:984

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
218⤵
PID:4336

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
218⤵
PID:4032

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
219⤵
PID:4564

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
219⤵
PID:4824

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
220⤵
PID:4192

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
220⤵
PID:4884

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
221⤵
PID:5012

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
221⤵
PID:4952

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
221⤵
PID:4552

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
222⤵
PID:4204

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
222⤵
PID:1716

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
223⤵
PID:4604

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
223⤵
PID:952

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
224⤵
PID:4996

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
224⤵
PID:4704

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
225⤵
PID:1936

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
225⤵
PID:4196

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
226⤵
PID:1676

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
226⤵
PID:4956

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
227⤵
PID:3152

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
227⤵
PID:4152

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
228⤵
PID:5052

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
228⤵
PID:4312

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
228⤵
PID:4328

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
228⤵
PID:4484

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
229⤵
PID:2120

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
229⤵
PID:4292

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
229⤵
PID:3776

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
230⤵
PID:4372

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
230⤵
PID:2256

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
231⤵
PID:2280

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
231⤵
PID:1804

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
232⤵
PID:2068

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
232⤵
PID:2880

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
232⤵
PID:4344

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
233⤵
PID:4712

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
233⤵
PID:4332

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
234⤵
PID:1268

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
234⤵
PID:4124

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
234⤵
PID:4544

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
234⤵
PID:4316

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
235⤵
PID:4680

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
235⤵
PID:4528

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
236⤵
PID:3760

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
236⤵
PID:3948

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
237⤵
PID:3484

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
237⤵
PID:1256

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
238⤵
PID:576

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
238⤵
PID:5024

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
239⤵
PID:3996

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
239⤵
PID:4672

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
240⤵
PID:4780

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
240⤵
PID:852

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
240⤵
PID:5000

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
241⤵
PID:4260

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
241⤵
PID:4412

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
242⤵
PID:5020

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
242⤵
PID:4708

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
243⤵
PID:4904

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
243⤵
PID:1112

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
244⤵
PID:1260

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
244⤵
PID:3776

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
244⤵
PID:884

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
245⤵
PID:4516

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
245⤵
PID:1176

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
246⤵
PID:4616

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
246⤵
PID:1592

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
247⤵
PID:5040

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
247⤵
PID:4592

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
247⤵
PID:3108

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
247⤵
PID:4664

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
248⤵
PID:4936

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
248⤵
PID:1184

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
249⤵
PID:4868

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
249⤵
PID:3484

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
250⤵
PID:4404

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
250⤵
PID:4680

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
251⤵
PID:3680

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
251⤵
PID:4112

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
251⤵
PID:4304

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
252⤵
PID:2704

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
252⤵
PID:5076

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
252⤵
PID:4896

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
253⤵
PID:4324

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
253⤵
PID:3040

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
253⤵
PID:800

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
254⤵
PID:4588

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
254⤵
PID:1920

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
255⤵
PID:4704

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
255⤵
PID:5096

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
255⤵
PID:1420

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
256⤵
PID:4912

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
256⤵
PID:4140

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
257⤵
PID:4980

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
257⤵
PID:5072

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
258⤵
PID:4848

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
258⤵
PID:588

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
259⤵
PID:3672

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
259⤵
PID:4580

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
260⤵
PID:2588

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
260⤵
PID:4188

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
260⤵
PID:4524

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
261⤵
PID:2424

C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
"C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
261⤵
PID:3096

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\DsWhv\DsWhv.exe

Download Submit
C:\Users\Admin\AppData\Roaming\DsWhv\DsWhv.exe

Download Submit
C:\Users\Admin\AppData\Roaming\DsWhv\DsWhv.exe

Download Submit
C:\Users\Admin\AppData\Roaming\DsWhv\DsWhv.exe

Download Submit
C:\Users\Admin\AppData\Roaming\DsWhv\DsWhv.exe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HJdyTuap.exe

Download Submit
memory/68-512-0x0000000000447BBE-mapping.dmp

Download
memory/392-431-0x0000000000000000-mapping.dmp

Download
memory/496-461-0x0000000000000000-mapping.dmp

Download
memory/496-63-0x0000000000000000-mapping.dmp

Download
memory/560-282-0x0000000000447BBE-mapping.dmp

Download
memory/576-455-0x0000000000000000-mapping.dmp

Download
memory/576-714-0x0000000000447BBE-mapping.dmp

Download
memory/576-277-0x0000000000000000-mapping.dmp

Download
memory/588-776-0x0000000000000000-mapping.dmp

Download
memory/636-443-0x0000000000000000-mapping.dmp

Download
memory/640-17-0x0000000000447BBE-mapping.dmp

Download
memory/640-464-0x0000000000000000-mapping.dmp

Download
memory/644-289-0x0000000000000000-mapping.dmp

Download
memory/672-493-0x0000000000447BBE-mapping.dmp

Download
memory/724-288-0x0000000000447BBE-mapping.dmp

Download
memory/800-12-0x0000000000000000-mapping.dmp

Download
memory/800-760-0x0000000000000000-mapping.dmp

Download
memory/800-507-0x0000000000000000-mapping.dmp

Download
memory/800-35-0x0000000000447BBE-mapping.dmp

Download
memory/804-23-0x0000000000447BBE-mapping.dmp

Download
memory/808-238-0x0000000000000000-mapping.dmp

Download
memory/808-374-0x0000000000000000-mapping.dmp

Download
memory/848-377-0x0000000000000000-mapping.dmp

Download
memory/848-24-0x0000000000000000-mapping.dmp

Download
memory/852-720-0x0000000000447BBE-mapping.dmp

Download
memory/852-334-0x0000000000000000-mapping.dmp

Download
memory/884-733-0x0000000000000000-mapping.dmp

Download
memory/928-161-0x0000000000447BBE-mapping.dmp

Download
memory/952-300-0x0000000000447BBE-mapping.dmp

Download
memory/952-670-0x0000000000000000-mapping.dmp

Download
memory/952-452-0x0000000000000000-mapping.dmp

Download
memory/976-506-0x0000000000447BBE-mapping.dmp

Download
memory/984-419-0x0000000000000000-mapping.dmp

Download
memory/984-515-0x0000000000447BBE-mapping.dmp

Download
memory/984-652-0x0000000000000000-mapping.dmp

Download
memory/988-44-0x0000000000447BBE-mapping.dmp

Download
memory/996-235-0x0000000000000000-mapping.dmp

Download
memory/1052-371-0x0000000000000000-mapping.dmp

Download
memory/1052-280-0x0000000000000000-mapping.dmp

Download
memory/1052-576-0x0000000000000000-mapping.dmp

Download
memory/1052-81-0x0000000000000000-mapping.dmp

Download
memory/1112-730-0x0000000000000000-mapping.dmp

Download
memory/1120-107-0x0000000000447BBE-mapping.dmp

Download
memory/1120-57-0x0000000000000000-mapping.dmp

Download
memory/1124-339-0x0000000000447BBE-mapping.dmp

Download
memory/1176-649-0x0000000000000000-mapping.dmp

Download
memory/1176-736-0x0000000000000000-mapping.dmp

Download
memory/1184-224-0x0000000000447BBE-mapping.dmp

Download
memory/1184-745-0x0000000000000000-mapping.dmp

Download
memory/1252-563-0x0000000000447BBE-mapping.dmp

Download
memory/1252-321-0x0000000000447BBE-mapping.dmp

Download
memory/1256-712-0x0000000000000000-mapping.dmp

Download
memory/1260-30-0x0000000000000000-mapping.dmp

Download
memory/1260-50-0x0000000000447BBE-mapping.dmp

Download
memory/1264-54-0x0000000000000000-mapping.dmp

Download
memory/1336-147-0x0000000000000000-mapping.dmp

Download
memory/1420-767-0x0000000000000000-mapping.dmp

Download
memory/1432-398-0x0000000000000000-mapping.dmp

Download
memory/1432-246-0x0000000000447BBE-mapping.dmp

Download
memory/1456-95-0x0000000000447BBE-mapping.dmp

Download
memory/1456-560-0x0000000000447BBE-mapping.dmp

Download
memory/1456-78-0x0000000000000000-mapping.dmp

Download
memory/1456-484-0x0000000000447BBE-mapping.dmp

Download
memory/1516-140-0x0000000000447BBE-mapping.dmp

Download
memory/1524-56-0x0000000000447BBE-mapping.dmp

Download
memory/1592-739-0x0000000000000000-mapping.dmp

Download
memory/1620-316-0x0000000000000000-mapping.dmp

Download
memory/1648-183-0x0000000000000000-mapping.dmp

Download
memory/1648-108-0x0000000000000000-mapping.dmp

Download
memory/1648-14-0x0000000000447BBE-mapping.dmp

Download
memory/1672-346-0x0000000000000000-mapping.dmp

Download
memory/1676-449-0x0000000000000000-mapping.dmp

Download
memory/1676-89-0x0000000000447BBE-mapping.dmp

Download
memory/1676-297-0x0000000000447BBE-mapping.dmp

Download
memory/1676-678-0x0000000000447BBE-mapping.dmp

Download
memory/1688-156-0x0000000000000000-mapping.dmp

Download
memory/1688-198-0x0000000000000000-mapping.dmp

Download
memory/1700-11-0x0000000000447BBE-mapping.dmp

Download
memory/1716-667-0x0000000000000000-mapping.dmp

Download
memory/1716-528-0x0000000000000000-mapping.dmp

Download
memory/1716-412-0x0000000000447BBE-mapping.dmp

Download
memory/1804-694-0x0000000000000000-mapping.dmp

Download
memory/1804-104-0x0000000000447BBE-mapping.dmp

Download
memory/1852-144-0x0000000000000000-mapping.dmp

Download
memory/1916-1-0x0000000000447BBE-mapping.dmp

Download
memory/1916-0-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1920-533-0x0000000000447BBE-mapping.dmp

Download
memory/1920-764-0x0000000000000000-mapping.dmp

Download
memory/1932-549-0x0000000000000000-mapping.dmp

Download
memory/1936-675-0x0000000000447BBE-mapping.dmp

Download
memory/1936-491-0x0000000000000000-mapping.dmp

Download
memory/1948-62-0x0000000000447BBE-mapping.dmp

Download
memory/1948-618-0x0000000000000000-mapping.dmp

Download
memory/1960-593-0x0000000000447BBE-mapping.dmp

Download
memory/1992-333-0x0000000000447BBE-mapping.dmp

Download
memory/1992-460-0x0000000000447BBE-mapping.dmp

Download
memory/2044-261-0x0000000000447BBE-mapping.dmp

Download
memory/2068-373-0x0000000000447BBE-mapping.dmp

Download
memory/2072-531-0x0000000000000000-mapping.dmp

Download
memory/2088-39-0x0000000000000000-mapping.dmp

Download
memory/2088-410-0x0000000000000000-mapping.dmp

Download
memory/2088-458-0x0000000000000000-mapping.dmp

Download
memory/2092-192-0x0000000000000000-mapping.dmp

Download
memory/2104-482-0x0000000000000000-mapping.dmp

Download
memory/2112-38-0x0000000000447BBE-mapping.dmp

Download
memory/2112-584-0x0000000000447BBE-mapping.dmp

Download
memory/2112-158-0x0000000000447BBE-mapping.dmp

Download
memory/2112-90-0x0000000000000000-mapping.dmp

Download
memory/2120-53-0x0000000000447BBE-mapping.dmp

Download
memory/2232-527-0x0000000000447BBE-mapping.dmp

Download
memory/2256-691-0x0000000000000000-mapping.dmp

Download
memory/2280-21-0x0000000000000000-mapping.dmp

Download
memory/2280-693-0x0000000000447BBE-mapping.dmp

Download
memory/2424-513-0x0000000000000000-mapping.dmp

Download
memory/2424-2-0x0000000000000000-mapping.dmp

Download
memory/2424-784-0x0000000000447BBE-mapping.dmp

Download
memory/2424-149-0x0000000000447BBE-mapping.dmp

Download
memory/2428-602-0x0000000000447BBE-mapping.dmp

Download
memory/2428-26-0x0000000000447BBE-mapping.dmp

Download
memory/2468-578-0x0000000000447BBE-mapping.dmp

Download
memory/2468-83-0x0000000000447BBE-mapping.dmp

Download
memory/2500-77-0x0000000000447BBE-mapping.dmp

Download
memory/2548-93-0x0000000000000000-mapping.dmp

Download
memory/2576-313-0x0000000000000000-mapping.dmp

Download
memory/2576-579-0x0000000000000000-mapping.dmp

Download
memory/2588-469-0x0000000000447BBE-mapping.dmp

Download
memory/2624-87-0x0000000000000000-mapping.dmp

Download
memory/2652-102-0x0000000000000000-mapping.dmp

Download
memory/2652-237-0x0000000000447BBE-mapping.dmp

Download
memory/2704-573-0x0000000000000000-mapping.dmp

Download
memory/2728-5-0x0000000000000000-mapping.dmp

Download
memory/2732-612-0x0000000000000000-mapping.dmp

Download
memory/2732-189-0x0000000000000000-mapping.dmp

Download
memory/2748-96-0x0000000000000000-mapping.dmp

Download
memory/2816-436-0x0000000000447BBE-mapping.dmp

Download
memory/2828-29-0x0000000000447BBE-mapping.dmp

Download
memory/2864-92-0x0000000000447BBE-mapping.dmp

Download
memory/2880-696-0x0000000000447BBE-mapping.dmp

Download
memory/2908-472-0x0000000000447BBE-mapping.dmp

Download
memory/2944-36-0x0000000000000000-mapping.dmp

Download
memory/2944-355-0x0000000000000000-mapping.dmp

Download
memory/2944-645-0x0000000000447BBE-mapping.dmp

Download
memory/2980-295-0x0000000000000000-mapping.dmp

Download
memory/3032-413-0x0000000000000000-mapping.dmp

Download
memory/3040-759-0x0000000000447BBE-mapping.dmp

Download
memory/3044-404-0x0000000000000000-mapping.dmp

Download
memory/3044-195-0x0000000000000000-mapping.dmp

Download
memory/3064-98-0x0000000000447BBE-mapping.dmp

Download
memory/3080-409-0x0000000000447BBE-mapping.dmp

Download
memory/3084-33-0x0000000000000000-mapping.dmp

Download
memory/3084-298-0x0000000000000000-mapping.dmp

Download
memory/3096-165-0x0000000000000000-mapping.dmp

Download
memory/3100-51-0x0000000000000000-mapping.dmp

Download
memory/3100-351-0x0000000000447BBE-mapping.dmp

Download
memory/3100-422-0x0000000000000000-mapping.dmp

Download
memory/3104-225-0x0000000000000000-mapping.dmp

Download
memory/3104-66-0x0000000000000000-mapping.dmp

Download
memory/3108-741-0x0000000000447BBE-mapping.dmp

Download
memory/3152-681-0x0000000000447BBE-mapping.dmp

Download
memory/3152-47-0x0000000000447BBE-mapping.dmp

Download
memory/3156-191-0x0000000000447BBE-mapping.dmp

Download
memory/3168-358-0x0000000000000000-mapping.dmp

Download
memory/3168-219-0x0000000000000000-mapping.dmp

Download
memory/3340-27-0x0000000000000000-mapping.dmp

Download
memory/3392-110-0x0000000000447BBE-mapping.dmp

Download
memory/3392-75-0x0000000000000000-mapping.dmp

Download
memory/3436-4-0x0000000000447BBE-mapping.dmp

Download
memory/3484-711-0x0000000000447BBE-mapping.dmp

Download
memory/3484-748-0x0000000000000000-mapping.dmp

Download
memory/3512-555-0x0000000000000000-mapping.dmp

Download
memory/3512-71-0x0000000000447BBE-mapping.dmp

Download
memory/3512-18-0x0000000000000000-mapping.dmp

Download
memory/3612-215-0x0000000000447BBE-mapping.dmp

Download
memory/3636-542-0x0000000000447BBE-mapping.dmp

Download
memory/3644-8-0x0000000000447BBE-mapping.dmp

Download
memory/3672-15-0x0000000000000000-mapping.dmp

Download
memory/3672-778-0x0000000000447BBE-mapping.dmp

Download
memory/3672-357-0x0000000000447BBE-mapping.dmp

Download
memory/3676-143-0x0000000000447BBE-mapping.dmp

Download
memory/3680-539-0x0000000000447BBE-mapping.dmp

Download
memory/3680-615-0x0000000000000000-mapping.dmp

Download
memory/3716-392-0x0000000000000000-mapping.dmp

Download
memory/3720-200-0x0000000000447BBE-mapping.dmp

Download
memory/3732-328-0x0000000000000000-mapping.dmp

Download
memory/3740-382-0x0000000000447BBE-mapping.dmp

Download
memory/3748-331-0x0000000000000000-mapping.dmp

Download
memory/3748-240-0x0000000000447BBE-mapping.dmp

Download
memory/3752-488-0x0000000000000000-mapping.dmp

Download
memory/3760-74-0x0000000000447BBE-mapping.dmp

Download
memory/3760-708-0x0000000000447BBE-mapping.dmp

Download
memory/3764-294-0x0000000000447BBE-mapping.dmp

Download
memory/3764-501-0x0000000000000000-mapping.dmp

Download
memory/3764-20-0x0000000000447BBE-mapping.dmp

Download
memory/3764-159-0x0000000000000000-mapping.dmp

Download
memory/3764-640-0x0000000000000000-mapping.dmp

Download
memory/3764-80-0x0000000000447BBE-mapping.dmp

Download
memory/3776-307-0x0000000000000000-mapping.dmp

Download
memory/3776-639-0x0000000000447BBE-mapping.dmp

Download
memory/3776-732-0x0000000000447BBE-mapping.dmp

Download
memory/3776-688-0x0000000000000000-mapping.dmp

Download
memory/3788-309-0x0000000000447BBE-mapping.dmp

Download
memory/3796-99-0x0000000000000000-mapping.dmp

Download
memory/3796-84-0x0000000000000000-mapping.dmp

Download
memory/3796-32-0x0000000000447BBE-mapping.dmp

Download
memory/3812-41-0x0000000000447BBE-mapping.dmp

Download
memory/3816-45-0x0000000000000000-mapping.dmp

Download
memory/3836-72-0x0000000000000000-mapping.dmp

Download
memory/3844-241-0x0000000000000000-mapping.dmp

Download
memory/3844-620-0x0000000000447BBE-mapping.dmp

Download
memory/3844-68-0x0000000000447BBE-mapping.dmp

Download
memory/3844-466-0x0000000000447BBE-mapping.dmp

Download
memory/3852-188-0x0000000000447BBE-mapping.dmp

Download
memory/3852-86-0x0000000000447BBE-mapping.dmp

Download
memory/3888-69-0x0000000000000000-mapping.dmp

Download
memory/3900-558-0x0000000000000000-mapping.dmp

Download
memory/3900-60-0x0000000000000000-mapping.dmp

Download
memory/3904-244-0x0000000000000000-mapping.dmp

Download
memory/3920-101-0x0000000000447BBE-mapping.dmp

Download
memory/3948-243-0x0000000000447BBE-mapping.dmp

Download
memory/3948-709-0x0000000000000000-mapping.dmp

Download
memory/3960-397-0x0000000000447BBE-mapping.dmp

Download
memory/3960-349-0x0000000000000000-mapping.dmp

Download
memory/3964-259-0x0000000000000000-mapping.dmp

Download
memory/3964-364-0x0000000000000000-mapping.dmp

Download
memory/3964-543-0x0000000000000000-mapping.dmp

Download
memory/3992-473-0x0000000000000000-mapping.dmp

Download
memory/3996-717-0x0000000000447BBE-mapping.dmp

Download
memory/3996-42-0x0000000000000000-mapping.dmp

Download
memory/3996-581-0x0000000000447BBE-mapping.dmp

Download
memory/4008-150-0x0000000000000000-mapping.dmp

Download
memory/4012-524-0x0000000000447BBE-mapping.dmp

Download
memory/4016-361-0x0000000000000000-mapping.dmp

Download
memory/4016-48-0x0000000000000000-mapping.dmp

Download
memory/4016-406-0x0000000000447BBE-mapping.dmp

Download
memory/4016-185-0x0000000000447BBE-mapping.dmp

Download
memory/4020-310-0x0000000000000000-mapping.dmp

Download
memory/4020-454-0x0000000000447BBE-mapping.dmp

Download
memory/4024-59-0x0000000000447BBE-mapping.dmp

Download
memory/4024-567-0x0000000000000000-mapping.dmp

Download
memory/4024-9-0x0000000000000000-mapping.dmp

Download
memory/4028-105-0x0000000000000000-mapping.dmp

Download
memory/4032-65-0x0000000000447BBE-mapping.dmp

Download
memory/4032-655-0x0000000000000000-mapping.dmp

Download
memory/4048-509-0x0000000000447BBE-mapping.dmp

Download
memory/4052-222-0x0000000000000000-mapping.dmp

Download
memory/4052-267-0x0000000000447BBE-mapping.dmp

Download
memory/4080-433-0x0000000000447BBE-mapping.dmp

Download
memory/4084-634-0x0000000000000000-mapping.dmp

Download
memory/4084-537-0x0000000000000000-mapping.dmp

Download
memory/4084-155-0x0000000000447BBE-mapping.dmp

Download
memory/4100-611-0x0000000000447BBE-mapping.dmp

Download
memory/4104-605-0x0000000000447BBE-mapping.dmp

Download
memory/4112-753-0x0000000000447BBE-mapping.dmp

Download
memory/4116-395-0x0000000000000000-mapping.dmp

Download
memory/4132-146-0x0000000000447BBE-mapping.dmp

Download
memory/4140-770-0x0000000000000000-mapping.dmp

Download
memory/4140-111-0x0000000000000000-mapping.dmp

Download
memory/4144-651-0x0000000000447BBE-mapping.dmp

Download
memory/4148-141-0x0000000000000000-mapping.dmp

Download
memory/4148-271-0x0000000000000000-mapping.dmp

Download
memory/4152-682-0x0000000000000000-mapping.dmp

Download
memory/4152-304-0x0000000000000000-mapping.dmp

Download
memory/4152-250-0x0000000000000000-mapping.dmp

Download
memory/4164-403-0x0000000000447BBE-mapping.dmp

Download
memory/4168-470-0x0000000000000000-mapping.dmp

Download
memory/4168-360-0x0000000000447BBE-mapping.dmp

Download
memory/4172-113-0x0000000000447BBE-mapping.dmp

Download
memory/4172-152-0x0000000000447BBE-mapping.dmp

Download
memory/4176-518-0x0000000000447BBE-mapping.dmp

Download
memory/4180-606-0x0000000000000000-mapping.dmp

Download
memory/4180-467-0x0000000000000000-mapping.dmp

Download
memory/4180-370-0x0000000000447BBE-mapping.dmp

Download
memory/4188-781-0x0000000000447BBE-mapping.dmp

Download
memory/4192-660-0x0000000000447BBE-mapping.dmp

Download
memory/4196-322-0x0000000000000000-mapping.dmp

Download
memory/4196-676-0x0000000000000000-mapping.dmp

Download
memory/4196-376-0x0000000000447BBE-mapping.dmp

Download
memory/4204-666-0x0000000000447BBE-mapping.dmp

Download
memory/4204-530-0x0000000000447BBE-mapping.dmp

Download
memory/4212-569-0x0000000000447BBE-mapping.dmp

Download
memory/4212-186-0x0000000000000000-mapping.dmp

Download
memory/4224-624-0x0000000000000000-mapping.dmp

Download
memory/4224-164-0x0000000000447BBE-mapping.dmp

Download
memory/4228-218-0x0000000000447BBE-mapping.dmp

Download
memory/4228-327-0x0000000000447BBE-mapping.dmp

Download
memory/4232-197-0x0000000000447BBE-mapping.dmp

Download
memory/4240-114-0x0000000000000000-mapping.dmp

Download
memory/4244-385-0x0000000000447BBE-mapping.dmp

Download
memory/4244-249-0x0000000000447BBE-mapping.dmp

Download
memory/4252-476-0x0000000000000000-mapping.dmp

Download
memory/4256-582-0x0000000000000000-mapping.dmp

Download
memory/4260-391-0x0000000000447BBE-mapping.dmp

Download
memory/4260-723-0x0000000000447BBE-mapping.dmp

Download
memory/4264-487-0x0000000000447BBE-mapping.dmp

Download
memory/4264-626-0x0000000000447BBE-mapping.dmp

Download
memory/4272-116-0x0000000000447BBE-mapping.dmp

Download
memory/4272-566-0x0000000000447BBE-mapping.dmp

Download
memory/4272-629-0x0000000000447BBE-mapping.dmp

Download
memory/4276-162-0x0000000000000000-mapping.dmp

Download
memory/4276-425-0x0000000000000000-mapping.dmp

Download
memory/4280-273-0x0000000000447BBE-mapping.dmp

Download
memory/4280-548-0x0000000000447BBE-mapping.dmp

Download
memory/4284-446-0x0000000000000000-mapping.dmp

Download
memory/4284-276-0x0000000000447BBE-mapping.dmp

Download
memory/4288-325-0x0000000000000000-mapping.dmp

Download
memory/4292-687-0x0000000000447BBE-mapping.dmp

Download
memory/4296-153-0x0000000000000000-mapping.dmp

Download
memory/4296-363-0x0000000000447BBE-mapping.dmp

Download
memory/4300-194-0x0000000000447BBE-mapping.dmp

Download
memory/4304-324-0x0000000000447BBE-mapping.dmp

Download
memory/4304-754-0x0000000000000000-mapping.dmp

Download
memory/4312-516-0x0000000000000000-mapping.dmp

Download
memory/4316-510-0x0000000000000000-mapping.dmp

Download
memory/4316-703-0x0000000000000000-mapping.dmp

Download
memory/4328-386-0x0000000000000000-mapping.dmp

Download
memory/4328-684-0x0000000000447BBE-mapping.dmp

Download
memory/4328-204-0x0000000000000000-mapping.dmp

Download
memory/4332-700-0x0000000000000000-mapping.dmp

Download
memory/4332-597-0x0000000000000000-mapping.dmp

Download
memory/4332-203-0x0000000000447BBE-mapping.dmp

Download
memory/4336-247-0x0000000000000000-mapping.dmp

Download
memory/4336-654-0x0000000000447BBE-mapping.dmp

Download
memory/4340-643-0x0000000000000000-mapping.dmp

Download
memory/4340-546-0x0000000000000000-mapping.dmp

Download
memory/4344-697-0x0000000000000000-mapping.dmp

Download
memory/4344-330-0x0000000000447BBE-mapping.dmp

Download
memory/4344-591-0x0000000000000000-mapping.dmp

Download
memory/4360-439-0x0000000000447BBE-mapping.dmp

Download
memory/4360-383-0x0000000000000000-mapping.dmp

Download
memory/4364-117-0x0000000000000000-mapping.dmp

Download
memory/4368-342-0x0000000000447BBE-mapping.dmp

Download
memory/4372-690-0x0000000000447BBE-mapping.dmp

Download
memory/4392-637-0x0000000000000000-mapping.dmp

Download
memory/4396-623-0x0000000000447BBE-mapping.dmp

Download
memory/4396-170-0x0000000000447BBE-mapping.dmp

Download
memory/4400-451-0x0000000000447BBE-mapping.dmp

Download
memory/4404-201-0x0000000000000000-mapping.dmp

Download
memory/4404-494-0x0000000000000000-mapping.dmp

Download
memory/4404-252-0x0000000000447BBE-mapping.dmp

Download
memory/4404-750-0x0000000000447BBE-mapping.dmp

Download
memory/4408-119-0x0000000000447BBE-mapping.dmp

Download
memory/4412-724-0x0000000000000000-mapping.dmp

Download
memory/4420-279-0x0000000000447BBE-mapping.dmp

Download
memory/4432-283-0x0000000000000000-mapping.dmp

Download
memory/4436-503-0x0000000000447BBE-mapping.dmp

Download
memory/4440-206-0x0000000000447BBE-mapping.dmp

Download
memory/4444-457-0x0000000000447BBE-mapping.dmp

Download
memory/4444-234-0x0000000000447BBE-mapping.dmp

Download
memory/4456-336-0x0000000000447BBE-mapping.dmp

Download
memory/4456-427-0x0000000000447BBE-mapping.dmp

Download
memory/4464-291-0x0000000000447BBE-mapping.dmp

Download
memory/4472-646-0x0000000000000000-mapping.dmp

Download
memory/4472-478-0x0000000000447BBE-mapping.dmp

Download
memory/4476-337-0x0000000000000000-mapping.dmp

Download
memory/4480-120-0x0000000000000000-mapping.dmp

Download
memory/4480-416-0x0000000000000000-mapping.dmp

Download
memory/4480-212-0x0000000000447BBE-mapping.dmp

Download
memory/4480-173-0x0000000000447BBE-mapping.dmp

Download
memory/4484-685-0x0000000000000000-mapping.dmp

Download
memory/4484-575-0x0000000000447BBE-mapping.dmp

Download
memory/4484-379-0x0000000000447BBE-mapping.dmp

Download
memory/4492-585-0x0000000000000000-mapping.dmp

Download
memory/4500-286-0x0000000000000000-mapping.dmp

Download
memory/4504-171-0x0000000000000000-mapping.dmp

Download
memory/4508-340-0x0000000000000000-mapping.dmp

Download
memory/4508-599-0x0000000000447BBE-mapping.dmp

Download
memory/4512-608-0x0000000000447BBE-mapping.dmp

Download
memory/4516-735-0x0000000000447BBE-mapping.dmp

Download
memory/4524-292-0x0000000000000000-mapping.dmp

Download
memory/4524-437-0x0000000000000000-mapping.dmp

Download
memory/4524-782-0x0000000000000000-mapping.dmp

Download
memory/4528-706-0x0000000000000000-mapping.dmp

Download
memory/4536-122-0x0000000000447BBE-mapping.dmp

Download
memory/4536-440-0x0000000000000000-mapping.dmp

Download
memory/4536-627-0x0000000000000000-mapping.dmp

Download
memory/4544-702-0x0000000000447BBE-mapping.dmp

Download
memory/4544-167-0x0000000000447BBE-mapping.dmp

Download
memory/4544-264-0x0000000000447BBE-mapping.dmp

Download
memory/4548-401-0x0000000000000000-mapping.dmp

Download
memory/4552-664-0x0000000000000000-mapping.dmp

Download
memory/4556-545-0x0000000000447BBE-mapping.dmp

Download
memory/4560-400-0x0000000000447BBE-mapping.dmp

Download
memory/4560-633-0x0000000000447BBE-mapping.dmp

Download
memory/4564-657-0x0000000000447BBE-mapping.dmp

Download
memory/4572-621-0x0000000000000000-mapping.dmp

Download
memory/4572-168-0x0000000000000000-mapping.dmp

Download
memory/4572-255-0x0000000000447BBE-mapping.dmp

Download
memory/4576-570-0x0000000000000000-mapping.dmp

Download
memory/4580-418-0x0000000000447BBE-mapping.dmp

Download
memory/4580-496-0x0000000000447BBE-mapping.dmp

Download
memory/4580-779-0x0000000000000000-mapping.dmp

Download
memory/4584-588-0x0000000000000000-mapping.dmp

Download
memory/4584-642-0x0000000000447BBE-mapping.dmp

Download
memory/4588-762-0x0000000000447BBE-mapping.dmp

Download
memory/4600-123-0x0000000000000000-mapping.dmp

Download
memory/4604-669-0x0000000000447BBE-mapping.dmp

Download
memory/4616-738-0x0000000000447BBE-mapping.dmp

Download
memory/4624-388-0x0000000000447BBE-mapping.dmp

Download
memory/4628-481-0x0000000000447BBE-mapping.dmp

Download
memory/4632-315-0x0000000000447BBE-mapping.dmp

Download
memory/4632-125-0x0000000000447BBE-mapping.dmp

Download
memory/4636-265-0x0000000000000000-mapping.dmp

Download
memory/4636-407-0x0000000000000000-mapping.dmp

Download
memory/4640-475-0x0000000000447BBE-mapping.dmp

Download
memory/4656-421-0x0000000000447BBE-mapping.dmp

Download
memory/4664-742-0x0000000000000000-mapping.dmp

Download
memory/4664-306-0x0000000000447BBE-mapping.dmp

Download
memory/4664-519-0x0000000000000000-mapping.dmp

Download
memory/4668-207-0x0000000000000000-mapping.dmp

Download
memory/4668-434-0x0000000000000000-mapping.dmp

Download
memory/4672-718-0x0000000000000000-mapping.dmp

Download
memory/4680-751-0x0000000000000000-mapping.dmp

Download
memory/4680-705-0x0000000000447BBE-mapping.dmp

Download
memory/4684-174-0x0000000000000000-mapping.dmp

Download
memory/4692-564-0x0000000000000000-mapping.dmp

Download
memory/4696-270-0x0000000000447BBE-mapping.dmp

Download
memory/4696-126-0x0000000000000000-mapping.dmp

Download
memory/4700-176-0x0000000000447BBE-mapping.dmp

Download
memory/4704-673-0x0000000000000000-mapping.dmp

Download
memory/4708-590-0x0000000000447BBE-mapping.dmp

Download
memory/4708-727-0x0000000000000000-mapping.dmp

Download
memory/4712-699-0x0000000000447BBE-mapping.dmp

Download
memory/4712-594-0x0000000000000000-mapping.dmp

Download
memory/4716-485-0x0000000000000000-mapping.dmp

Download
memory/4720-430-0x0000000000447BBE-mapping.dmp

Download
memory/4724-253-0x0000000000000000-mapping.dmp

Download
memory/4728-128-0x0000000000447BBE-mapping.dmp

Download
memory/4732-213-0x0000000000000000-mapping.dmp

Download
memory/4748-285-0x0000000000447BBE-mapping.dmp

Download
memory/4748-551-0x0000000000447BBE-mapping.dmp

Download
memory/4752-303-0x0000000000447BBE-mapping.dmp

Download
memory/4752-448-0x0000000000447BBE-mapping.dmp

Download
memory/4756-258-0x0000000000447BBE-mapping.dmp

Download
memory/4764-424-0x0000000000447BBE-mapping.dmp

Download
memory/4772-497-0x0000000000000000-mapping.dmp

Download
memory/4776-617-0x0000000000447BBE-mapping.dmp

Download
memory/4776-210-0x0000000000000000-mapping.dmp

Download
memory/4780-209-0x0000000000447BBE-mapping.dmp

Download
memory/4784-521-0x0000000000447BBE-mapping.dmp

Download
memory/4788-228-0x0000000000000000-mapping.dmp

Download
memory/4792-129-0x0000000000000000-mapping.dmp

Download
memory/4792-216-0x0000000000000000-mapping.dmp

Download
memory/4796-428-0x0000000000000000-mapping.dmp

Download
memory/4804-442-0x0000000000447BBE-mapping.dmp

Download
memory/4812-389-0x0000000000000000-mapping.dmp

Download
memory/4820-445-0x0000000000447BBE-mapping.dmp

Download
memory/4820-179-0x0000000000447BBE-mapping.dmp

Download
memory/4824-609-0x0000000000000000-mapping.dmp

Download
memory/4824-658-0x0000000000000000-mapping.dmp

Download
memory/4824-131-0x0000000000447BBE-mapping.dmp

Download
memory/4840-561-0x0000000000000000-mapping.dmp

Download
memory/4844-354-0x0000000000447BBE-mapping.dmp

Download
memory/4848-775-0x0000000000447BBE-mapping.dmp

Download
memory/4848-504-0x0000000000000000-mapping.dmp

Download
memory/4852-221-0x0000000000447BBE-mapping.dmp

Download
memory/4860-268-0x0000000000000000-mapping.dmp

Download
memory/4860-490-0x0000000000447BBE-mapping.dmp

Download
memory/4868-301-0x0000000000000000-mapping.dmp

Download
memory/4868-747-0x0000000000447BBE-mapping.dmp

Download
memory/4880-348-0x0000000000447BBE-mapping.dmp

Download
memory/4884-343-0x0000000000000000-mapping.dmp

Download
memory/4884-661-0x0000000000000000-mapping.dmp

Download
memory/4888-499-0x0000000000447BBE-mapping.dmp

Download
memory/4888-132-0x0000000000000000-mapping.dmp

Download
memory/4888-182-0x0000000000447BBE-mapping.dmp

Download
memory/4896-757-0x0000000000000000-mapping.dmp

Download
memory/4900-352-0x0000000000000000-mapping.dmp

Download
memory/4900-232-0x0000000000000000-mapping.dmp

Download
memory/4904-729-0x0000000000447BBE-mapping.dmp

Download
memory/4908-180-0x0000000000000000-mapping.dmp

Download
memory/4912-769-0x0000000000447BBE-mapping.dmp

Download
memory/4916-262-0x0000000000000000-mapping.dmp

Download
memory/4916-345-0x0000000000447BBE-mapping.dmp

Download
memory/4920-256-0x0000000000000000-mapping.dmp

Download
memory/4924-587-0x0000000000447BBE-mapping.dmp

Download
memory/4928-312-0x0000000000447BBE-mapping.dmp

Download
memory/4928-134-0x0000000000447BBE-mapping.dmp

Download
memory/4936-744-0x0000000000447BBE-mapping.dmp

Download
memory/4944-366-0x0000000000447BBE-mapping.dmp

Download
memory/4948-227-0x0000000000447BBE-mapping.dmp

Download
memory/4952-663-0x0000000000447BBE-mapping.dmp

Download
memory/4956-679-0x0000000000000000-mapping.dmp

Download
memory/4960-603-0x0000000000000000-mapping.dmp

Download
memory/4964-600-0x0000000000000000-mapping.dmp

Download
memory/4964-394-0x0000000000447BBE-mapping.dmp

Download
memory/4968-534-0x0000000000000000-mapping.dmp

Download
memory/4972-479-0x0000000000000000-mapping.dmp

Download
memory/4980-772-0x0000000000447BBE-mapping.dmp

Download
memory/4992-572-0x0000000000447BBE-mapping.dmp

Download
memory/4992-135-0x0000000000000000-mapping.dmp

Download
memory/4996-672-0x0000000000447BBE-mapping.dmp

Download
memory/5000-177-0x0000000000000000-mapping.dmp

Download
memory/5000-721-0x0000000000000000-mapping.dmp

Download
memory/5004-540-0x0000000000000000-mapping.dmp

Download
memory/5012-557-0x0000000000447BBE-mapping.dmp

Download
memory/5016-230-0x0000000000447BBE-mapping.dmp

Download
memory/5016-631-0x0000000000000000-mapping.dmp

Download
memory/5016-525-0x0000000000000000-mapping.dmp

Download
memory/5020-318-0x0000000000447BBE-mapping.dmp

Download
memory/5020-636-0x0000000000447BBE-mapping.dmp

Download
memory/5020-726-0x0000000000447BBE-mapping.dmp

Download
memory/5024-715-0x0000000000000000-mapping.dmp

Download
memory/5024-137-0x0000000000447BBE-mapping.dmp

Download
memory/5032-380-0x0000000000000000-mapping.dmp

Download
memory/5044-614-0x0000000000447BBE-mapping.dmp

Download
memory/5052-552-0x0000000000000000-mapping.dmp

Download
memory/5056-522-0x0000000000000000-mapping.dmp

Download
memory/5068-536-0x0000000000447BBE-mapping.dmp

Download
memory/5072-773-0x0000000000000000-mapping.dmp

Download
memory/5076-554-0x0000000000447BBE-mapping.dmp

Download
memory/5076-756-0x0000000000447BBE-mapping.dmp

Download
memory/5080-596-0x0000000000447BBE-mapping.dmp

Download
memory/5084-415-0x0000000000447BBE-mapping.dmp

Download
memory/5088-648-0x0000000000447BBE-mapping.dmp

Download
memory/5088-138-0x0000000000000000-mapping.dmp

Download
memory/5092-319-0x0000000000000000-mapping.dmp

Download
memory/5096-766-0x0000000000447BBE-mapping.dmp

Download
memory/5108-463-0x0000000000447BBE-mapping.dmp

Download
memory/5108-274-0x0000000000000000-mapping.dmp

Download
memory/5116-368-0x0000000000000000-mapping.dmp

Download