370f3e9f42d074cd9575a0fa8df285e970dda741ae4200b54fb53f0a3145369e

Analysis

max time kernel
151s
max time network
152s
platform
windows7_x64
resource
win7
submitted
28-07-2020 18:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Payment Slip.exe
Size

278KB
MD5

e2ac3d9facc2259a85c66087ff0b6a85
SHA1

b592f4eea4d6632f6f543c75d71c4749e8aa8b69
SHA256

370f3e9f42d074cd9575a0fa8df285e970dda741ae4200b54fb53f0a3145369e
SHA512

226bf723fc4094cf2ac6ca74ff9fdefc0daebe90de2d905b0b9c7acae8c9d3e3956c17f1df80d736bb2bae094d075d307c05534485eae6c51575b2939261ae4c

Score

8^/10

persistence spyware evasion trojan

Malware Config

Signatures

Suspicious use of SetThreadContext 203 IoCs

Processes:

Payment Slip.exeRegAsm.exePayment Slip.exePayment Slip.exeRegAsm.exePayment Slip.exeRegAsm.exePayment Slip.exeRegAsm.exePayment Slip.exeRegAsm.exePayment Slip.exeRegAsm.exePayment Slip.exeRegAsm.exePayment Slip.exeRegAsm.exePayment Slip.exeRegAsm.exePayment Slip.exeRegAsm.exePayment Slip.exeRegAsm.exePayment Slip.exeRegAsm.exePayment Slip.exeRegAsm.exePayment Slip.exeRegAsm.exeRegAsm.exePayment Slip.execmd.exePayment Slip.exeRegAsm.exeRegAsm.exePayment Slip.exeRegAsm.exePayment Slip.exePayment Slip.exeRegAsm.exePayment Slip.exeRegAsm.exeRegAsm.exePayment Slip.exeRegAsm.exePayment Slip.exePayment Slip.exeRegAsm.exePayment Slip.exeRegAsm.exeRegAsm.exePayment Slip.exeRegAsm.exePayment Slip.exe

description	pid	process	target process
PID 900 set thread context of 1288	900	Payment Slip.exe	RegAsm.exe
PID 1288 set thread context of 1292	1288	RegAsm.exe	Explorer.EXE
PID 1516 set thread context of 304	1516	Payment Slip.exe	RegAsm.exe
PID 1068 set thread context of 1076	1068	Payment Slip.exe	RegAsm.exe
PID 304 set thread context of 1292	304	RegAsm.exe	Explorer.EXE
PID 1700 set thread context of 1824	1700	Payment Slip.exe	RegAsm.exe
PID 1076 set thread context of 1292	1076	RegAsm.exe	Explorer.EXE
PID 1780 set thread context of 1380	1780	Payment Slip.exe	RegAsm.exe
PID 1824 set thread context of 1292	1824	RegAsm.exe	Explorer.EXE
PID 1640 set thread context of 1652	1640	Payment Slip.exe	RegAsm.exe
PID 1380 set thread context of 1292	1380	RegAsm.exe	Explorer.EXE
PID 1956 set thread context of 2000	1956	Payment Slip.exe	RegAsm.exe
PID 1652 set thread context of 1292	1652	RegAsm.exe	Explorer.EXE
PID 1952 set thread context of 840	1952	Payment Slip.exe	RegAsm.exe
PID 2000 set thread context of 1292	2000	RegAsm.exe	Explorer.EXE
PID 1484 set thread context of 1324	1484	Payment Slip.exe	RegAsm.exe
PID 840 set thread context of 1292	840	RegAsm.exe	Explorer.EXE
PID 1056 set thread context of 456	1056	Payment Slip.exe	RegAsm.exe
PID 1324 set thread context of 1292	1324	RegAsm.exe	Explorer.EXE
PID 1084 set thread context of 1068	1084	Payment Slip.exe	RegAsm.exe
PID 456 set thread context of 1292	456	RegAsm.exe	Explorer.EXE
PID 1800 set thread context of 1944	1800	Payment Slip.exe	RegAsm.exe
PID 1068 set thread context of 1292	1068	RegAsm.exe	Explorer.EXE
PID 304 set thread context of 1292	304	RegAsm.exe	Explorer.EXE
PID 1996 set thread context of 1972	1996	Payment Slip.exe	RegAsm.exe
PID 1944 set thread context of 1292	1944	RegAsm.exe	Explorer.EXE
PID 1640 set thread context of 616	1640	Payment Slip.exe	RegAsm.exe
PID 1824 set thread context of 1292	1824	RegAsm.exe	Explorer.EXE
PID 1972 set thread context of 1292	1972	RegAsm.exe	Explorer.EXE
PID 108 set thread context of 2028	108	Payment Slip.exe	RegAsm.exe
PID 616 set thread context of 1292	616	RegAsm.exe	Explorer.EXE
PID 1380 set thread context of 1292	1380	RegAsm.exe	Explorer.EXE
PID 1652 set thread context of 1292	1652	RegAsm.exe	Explorer.EXE
PID 2028 set thread context of 1292	2028	RegAsm.exe	Explorer.EXE
PID 1432 set thread context of 1796	1432	Payment Slip.exe	RegAsm.exe
PID 1616 set thread context of 1292	1616	cmd.exe	Explorer.EXE
PID 2004 set thread context of 1700	2004	Payment Slip.exe	RegAsm.exe
PID 840 set thread context of 1292	840	RegAsm.exe	Explorer.EXE
PID 1796 set thread context of 1292	1796	RegAsm.exe	Explorer.EXE
PID 1700 set thread context of 1292	1700	RegAsm.exe	Explorer.EXE
PID 2040 set thread context of 1332	2040	Payment Slip.exe	RegAsm.exe
PID 1332 set thread context of 1292	1332	RegAsm.exe	Explorer.EXE
PID 1972 set thread context of 1292	1972	RegAsm.exe	Explorer.EXE
PID 1392 set thread context of 900	1392	Payment Slip.exe	RegAsm.exe
PID 616 set thread context of 1292	616	RegAsm.exe	Explorer.EXE
PID 1964 set thread context of 1080	1964	Payment Slip.exe	RegAsm.exe
PID 900 set thread context of 1292	900	RegAsm.exe	Explorer.EXE
PID 2028 set thread context of 1292	2028	RegAsm.exe	Explorer.EXE
PID 1312 set thread context of 1440	1312	Payment Slip.exe	RegAsm.exe
PID 1080 set thread context of 1292	1080	RegAsm.exe	Explorer.EXE
PID 1440 set thread context of 1292	1440	RegAsm.exe	Explorer.EXE
PID 976 set thread context of 884	976	Payment Slip.exe	RegAsm.exe
PID 1796 set thread context of 1292	1796	RegAsm.exe	Explorer.EXE
PID 884 set thread context of 1292	884	RegAsm.exe	Explorer.EXE
PID 1840 set thread context of 1684	1840	Payment Slip.exe	RegAsm.exe
PID 1868 set thread context of 1500	1868	Payment Slip.exe	RegAsm.exe
PID 1684 set thread context of 1292	1684	RegAsm.exe	Explorer.EXE
PID 1892 set thread context of 1392	1892	Payment Slip.exe	RegAsm.exe
PID 1500 set thread context of 1292	1500	RegAsm.exe	Explorer.EXE
PID 1332 set thread context of 1292	1332	RegAsm.exe	Explorer.EXE
PID 1392 set thread context of 1292	1392	RegAsm.exe	Explorer.EXE
PID 540 set thread context of 1812	540	Payment Slip.exe	RegAsm.exe
PID 1812 set thread context of 1292	1812	RegAsm.exe	Explorer.EXE
PID 2004 set thread context of 1836	2004	Payment Slip.exe	RegAsm.exe

Drops startup file 2 IoCs

Processes:

Payment Slip.exePayment Slip.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HJdyTuap.exe	Payment Slip.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HJdyTuap.exe	Payment Slip.exe

System policy modification 1 TTPs 1 IoCs
evasion

Modify Registry
T1112

Processes:

cmd.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer cmd.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	cmd.exe

Enumerates system info in registry 2 TTPs 8 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chkdsk.exechkdsk.exechkdsk.exechkdsk.exechkdsk.exechkdsk.exechkdsk.exechkdsk.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	chkdsk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	chkdsk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	chkdsk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	chkdsk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	chkdsk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	chkdsk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	chkdsk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	chkdsk.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of WriteProcessMemory 1397 IoCs

Processes:

Payment Slip.exeExplorer.EXEPayment Slip.exePayment Slip.exePayment Slip.exePayment Slip.exe

description	pid	process	target process
PID 900 wrote to memory of 1288	900	Payment Slip.exe	RegAsm.exe
PID 900 wrote to memory of 1288	900	Payment Slip.exe	RegAsm.exe
PID 900 wrote to memory of 1288	900	Payment Slip.exe	RegAsm.exe
PID 900 wrote to memory of 1288	900	Payment Slip.exe	RegAsm.exe
PID 900 wrote to memory of 1288	900	Payment Slip.exe	RegAsm.exe
PID 900 wrote to memory of 1288	900	Payment Slip.exe	RegAsm.exe
PID 900 wrote to memory of 1288	900	Payment Slip.exe	RegAsm.exe
PID 900 wrote to memory of 1288	900	Payment Slip.exe	RegAsm.exe
PID 900 wrote to memory of 1516	900	Payment Slip.exe	Payment Slip.exe
PID 900 wrote to memory of 1516	900	Payment Slip.exe	Payment Slip.exe
PID 900 wrote to memory of 1516	900	Payment Slip.exe	Payment Slip.exe
PID 900 wrote to memory of 1516	900	Payment Slip.exe	Payment Slip.exe
PID 1292 wrote to memory of 1616	1292	Explorer.EXE	cmd.exe
PID 1292 wrote to memory of 1616	1292	Explorer.EXE	cmd.exe
PID 1292 wrote to memory of 1616	1292	Explorer.EXE	cmd.exe
PID 1292 wrote to memory of 1616	1292	Explorer.EXE	cmd.exe
PID 1516 wrote to memory of 304	1516	Payment Slip.exe	RegAsm.exe
PID 1516 wrote to memory of 304	1516	Payment Slip.exe	RegAsm.exe
PID 1516 wrote to memory of 304	1516	Payment Slip.exe	RegAsm.exe
PID 1516 wrote to memory of 304	1516	Payment Slip.exe	RegAsm.exe
PID 1516 wrote to memory of 304	1516	Payment Slip.exe	RegAsm.exe
PID 1516 wrote to memory of 304	1516	Payment Slip.exe	RegAsm.exe
PID 1516 wrote to memory of 304	1516	Payment Slip.exe	RegAsm.exe
PID 1516 wrote to memory of 304	1516	Payment Slip.exe	RegAsm.exe
PID 1516 wrote to memory of 1068	1516	Payment Slip.exe	Payment Slip.exe
PID 1516 wrote to memory of 1068	1516	Payment Slip.exe	Payment Slip.exe
PID 1516 wrote to memory of 1068	1516	Payment Slip.exe	Payment Slip.exe
PID 1516 wrote to memory of 1068	1516	Payment Slip.exe	Payment Slip.exe
PID 1068 wrote to memory of 1076	1068	Payment Slip.exe	RegAsm.exe
PID 1068 wrote to memory of 1076	1068	Payment Slip.exe	RegAsm.exe
PID 1068 wrote to memory of 1076	1068	Payment Slip.exe	RegAsm.exe
PID 1068 wrote to memory of 1076	1068	Payment Slip.exe	RegAsm.exe
PID 1068 wrote to memory of 1076	1068	Payment Slip.exe	RegAsm.exe
PID 1068 wrote to memory of 1076	1068	Payment Slip.exe	RegAsm.exe
PID 1068 wrote to memory of 1076	1068	Payment Slip.exe	RegAsm.exe
PID 1068 wrote to memory of 1076	1068	Payment Slip.exe	RegAsm.exe
PID 1068 wrote to memory of 1700	1068	Payment Slip.exe	Payment Slip.exe
PID 1068 wrote to memory of 1700	1068	Payment Slip.exe	Payment Slip.exe
PID 1068 wrote to memory of 1700	1068	Payment Slip.exe	Payment Slip.exe
PID 1068 wrote to memory of 1700	1068	Payment Slip.exe	Payment Slip.exe
PID 1700 wrote to memory of 1824	1700	Payment Slip.exe	RegAsm.exe
PID 1700 wrote to memory of 1824	1700	Payment Slip.exe	RegAsm.exe
PID 1700 wrote to memory of 1824	1700	Payment Slip.exe	RegAsm.exe
PID 1700 wrote to memory of 1824	1700	Payment Slip.exe	RegAsm.exe
PID 1700 wrote to memory of 1824	1700	Payment Slip.exe	RegAsm.exe
PID 1700 wrote to memory of 1824	1700	Payment Slip.exe	RegAsm.exe
PID 1700 wrote to memory of 1824	1700	Payment Slip.exe	RegAsm.exe
PID 1700 wrote to memory of 1824	1700	Payment Slip.exe	RegAsm.exe
PID 1292 wrote to memory of 1848	1292	Explorer.EXE	colorcpl.exe
PID 1292 wrote to memory of 1848	1292	Explorer.EXE	colorcpl.exe
PID 1292 wrote to memory of 1848	1292	Explorer.EXE	colorcpl.exe
PID 1292 wrote to memory of 1848	1292	Explorer.EXE	colorcpl.exe
PID 1700 wrote to memory of 1780	1700	Payment Slip.exe	Payment Slip.exe
PID 1700 wrote to memory of 1780	1700	Payment Slip.exe	Payment Slip.exe
PID 1700 wrote to memory of 1780	1700	Payment Slip.exe	Payment Slip.exe
PID 1700 wrote to memory of 1780	1700	Payment Slip.exe	Payment Slip.exe
PID 1780 wrote to memory of 1380	1780	Payment Slip.exe	RegAsm.exe
PID 1780 wrote to memory of 1380	1780	Payment Slip.exe	RegAsm.exe
PID 1780 wrote to memory of 1380	1780	Payment Slip.exe	RegAsm.exe
PID 1780 wrote to memory of 1380	1780	Payment Slip.exe	RegAsm.exe
PID 1780 wrote to memory of 1380	1780	Payment Slip.exe	RegAsm.exe
PID 1780 wrote to memory of 1380	1780	Payment Slip.exe	RegAsm.exe
PID 1780 wrote to memory of 1380	1780	Payment Slip.exe	RegAsm.exe
PID 1780 wrote to memory of 1380	1780	Payment Slip.exe	RegAsm.exe

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

cmd.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\LTXHXDZ00XI = "C:\\Program Files (x86)\\Tqlr\\configohzdlll.exe"	cmd.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

cmd.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-1131729243-447456001-3632642222-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	cmd.exe

Suspicious behavior: MapViewOfSection 383 IoCs

Processes:

pid	process
900	Payment Slip.exe
1288	RegAsm.exe
1516	Payment Slip.exe
1068	Payment Slip.exe
304	RegAsm.exe
1076	RegAsm.exe
1700	Payment Slip.exe
1824	RegAsm.exe
1780	Payment Slip.exe
1640	Payment Slip.exe
1288	RegAsm.exe
1288	RegAsm.exe
1380	RegAsm.exe
1652	RegAsm.exe
1956	Payment Slip.exe
1956	Payment Slip.exe
1952	Payment Slip.exe
2000	RegAsm.exe
1076	RegAsm.exe
1076	RegAsm.exe
840	RegAsm.exe
1484	Payment Slip.exe
1484	Payment Slip.exe
1616	cmd.exe
1324	RegAsm.exe
1056	Payment Slip.exe
1084	Payment Slip.exe
456	RegAsm.exe
1800	Payment Slip.exe
1068	RegAsm.exe
2000	RegAsm.exe
2000	RegAsm.exe
304	RegAsm.exe
1996	Payment Slip.exe
1944	RegAsm.exe
1640	Payment Slip.exe
1824	RegAsm.exe
1972	RegAsm.exe
108	Payment Slip.exe
616	RegAsm.exe
1380	RegAsm.exe
1324	RegAsm.exe
1324	RegAsm.exe
1652	RegAsm.exe
2028	RegAsm.exe
456	RegAsm.exe
456	RegAsm.exe
1432	Payment Slip.exe
1068	RegAsm.exe
1068	RegAsm.exe
304	RegAsm.exe
304	RegAsm.exe
1616	cmd.exe
1944	RegAsm.exe
1944	RegAsm.exe
2004	Payment Slip.exe
1796	RegAsm.exe
840	RegAsm.exe
1824	RegAsm.exe
1824	RegAsm.exe
1380	RegAsm.exe
1380	RegAsm.exe
1700	RegAsm.exe
1652	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 244 IoCs

Processes:

Payment Slip.exeRegAsm.exePayment Slip.exePayment Slip.exeRegAsm.exeRegAsm.exePayment Slip.exeRegAsm.exePayment Slip.exePayment Slip.exeRegAsm.exeRegAsm.exePayment Slip.execmd.exePayment Slip.exeRegAsm.exeRegAsm.exePayment Slip.exeRegAsm.execolorcpl.exePayment Slip.exeRegAsm.exePayment Slip.exePayment Slip.exeRegAsm.exeRegAsm.exePayment Slip.exewlanext.exePayment Slip.exeRegAsm.exeRegAsm.exePayment Slip.exeRegAsm.execmmon32.exePayment Slip.exewininit.exeRegAsm.exePayment Slip.exenetsh.exechkdsk.exeRegAsm.exewininit.execmd.exePayment Slip.execmd.exeRegAsm.exemsiexec.exePayment Slip.exesvchost.exePayment Slip.exeRegAsm.exeRegAsm.exePayment Slip.exeRegAsm.exesvchost.exePayment Slip.exeRegAsm.exechkdsk.exePayment Slip.execontrol.exePayment Slip.exeRegAsm.exeRegAsm.exePayment Slip.exe

description	pid	process
Token: SeDebugPrivilege	900	Payment Slip.exe
Token: SeDebugPrivilege	1288	RegAsm.exe
Token: SeDebugPrivilege	1516	Payment Slip.exe
Token: SeDebugPrivilege	1068	Payment Slip.exe
Token: SeDebugPrivilege	304	RegAsm.exe
Token: SeDebugPrivilege	1076	RegAsm.exe
Token: SeDebugPrivilege	1700	Payment Slip.exe
Token: SeDebugPrivilege	1824	RegAsm.exe
Token: SeDebugPrivilege	1780	Payment Slip.exe
Token: SeDebugPrivilege	1640	Payment Slip.exe
Token: SeDebugPrivilege	1380	RegAsm.exe
Token: SeDebugPrivilege	1652	RegAsm.exe
Token: SeDebugPrivilege	1956	Payment Slip.exe
Token: SeDebugPrivilege	1616	cmd.exe
Token: SeDebugPrivilege	1952	Payment Slip.exe
Token: SeDebugPrivilege	2000	RegAsm.exe
Token: SeDebugPrivilege	840	RegAsm.exe
Token: SeDebugPrivilege	1484	Payment Slip.exe
Token: SeDebugPrivilege	1324	RegAsm.exe
Token: SeDebugPrivilege	1848	colorcpl.exe
Token: SeDebugPrivilege	1056	Payment Slip.exe
Token: SeDebugPrivilege	456	RegAsm.exe
Token: SeDebugPrivilege	1084	Payment Slip.exe
Token: SeDebugPrivilege	1800	Payment Slip.exe
Token: SeDebugPrivilege	1068	RegAsm.exe
Token: SeDebugPrivilege	1944	RegAsm.exe
Token: SeDebugPrivilege	1996	Payment Slip.exe
Token: SeDebugPrivilege	2036	wlanext.exe
Token: SeDebugPrivilege	1640	Payment Slip.exe
Token: SeDebugPrivilege	1972	RegAsm.exe
Token: SeDebugPrivilege	616	RegAsm.exe
Token: SeDebugPrivilege	108	Payment Slip.exe
Token: SeDebugPrivilege	2028	RegAsm.exe
Token: SeDebugPrivilege	1856	cmmon32.exe
Token: SeDebugPrivilege	1432	Payment Slip.exe
Token: SeDebugPrivilege	1820	wininit.exe
Token: SeDebugPrivilege	1796	RegAsm.exe
Token: SeDebugPrivilege	2004	Payment Slip.exe
Token: SeDebugPrivilege	1884	netsh.exe
Token: SeDebugPrivilege	1108	chkdsk.exe
Token: SeDebugPrivilege	1700	RegAsm.exe
Token: SeDebugPrivilege	2044	wininit.exe
Token: SeDebugPrivilege	1524	cmd.exe
Token: SeDebugPrivilege	2040	Payment Slip.exe
Token: SeDebugPrivilege	1936	cmd.exe
Token: SeDebugPrivilege	1332	RegAsm.exe
Token: SeDebugPrivilege	1908	msiexec.exe
Token: SeDebugPrivilege	1392	Payment Slip.exe
Token: SeDebugPrivilege	1028	svchost.exe
Token: SeDebugPrivilege	1964	Payment Slip.exe
Token: SeDebugPrivilege	900	RegAsm.exe
Token: SeDebugPrivilege	1080	RegAsm.exe
Token: SeDebugPrivilege	1312	Payment Slip.exe
Token: SeDebugPrivilege	1440	RegAsm.exe
Token: SeDebugPrivilege	1976	svchost.exe
Token: SeDebugPrivilege	976	Payment Slip.exe
Token: SeDebugPrivilege	884	RegAsm.exe
Token: SeDebugPrivilege	524	chkdsk.exe
Token: SeDebugPrivilege	1840	Payment Slip.exe
Token: SeDebugPrivilege	664	control.exe
Token: SeDebugPrivilege	1868	Payment Slip.exe
Token: SeDebugPrivilege	1684	RegAsm.exe
Token: SeDebugPrivilege	1500	RegAsm.exe
Token: SeDebugPrivilege	1892	Payment Slip.exe

Gathers network information 2 TTPs 4 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

ipconfig.exeNETSTAT.EXENETSTAT.EXEipconfig.exe

pid process

1760 ipconfig.exe
976 NETSTAT.EXE
1584 NETSTAT.EXE
1052 ipconfig.exe
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

Explorer.EXE

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Explorer.EXE

pid	process
1760	ipconfig.exe
976	NETSTAT.EXE
1584	NETSTAT.EXE
1052	ipconfig.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 16434 IoCs

Processes:

Payment Slip.exe

pid	process
900	Payment Slip.exe
900	Payment Slip.exe
900	Payment Slip.exe
900	Payment Slip.exe
900	Payment Slip.exe
900	Payment Slip.exe
900	Payment Slip.exe
900	Payment Slip.exe
900	Payment Slip.exe
900	Payment Slip.exe
900	Payment Slip.exe
900	Payment Slip.exe
900	Payment Slip.exe
900	Payment Slip.exe
900	Payment Slip.exe
900	Payment Slip.exe
900	Payment Slip.exe
900	Payment Slip.exe
900	Payment Slip.exe
900	Payment Slip.exe
900	Payment Slip.exe
900	Payment Slip.exe
900	Payment Slip.exe
900	Payment Slip.exe
900	Payment Slip.exe
900	Payment Slip.exe
900	Payment Slip.exe
900	Payment Slip.exe
900	Payment Slip.exe
900	Payment Slip.exe
900	Payment Slip.exe
900	Payment Slip.exe
900	Payment Slip.exe
900	Payment Slip.exe
900	Payment Slip.exe
900	Payment Slip.exe
900	Payment Slip.exe
900	Payment Slip.exe
900	Payment Slip.exe
900	Payment Slip.exe
900	Payment Slip.exe
900	Payment Slip.exe
900	Payment Slip.exe
900	Payment Slip.exe
900	Payment Slip.exe
900	Payment Slip.exe
900	Payment Slip.exe
900	Payment Slip.exe
900	Payment Slip.exe
900	Payment Slip.exe
900	Payment Slip.exe
900	Payment Slip.exe
900	Payment Slip.exe
900	Payment Slip.exe
900	Payment Slip.exe
900	Payment Slip.exe
900	Payment Slip.exe
900	Payment Slip.exe
900	Payment Slip.exe
900	Payment Slip.exe
900	Payment Slip.exe
900	Payment Slip.exe
900	Payment Slip.exe
900	Payment Slip.exe

Suspicious use of FindShellTrayWindow 5 IoCs

Processes:

Explorer.EXE

pid process

1292 Explorer.EXE
1292 Explorer.EXE
1292 Explorer.EXE
1292 Explorer.EXE
1292 Explorer.EXE
Suspicious use of SendNotifyMessage 5 IoCs

Processes:

Explorer.EXE

pid process

1292 Explorer.EXE
1292 Explorer.EXE
1292 Explorer.EXE
1292 Explorer.EXE
1292 Explorer.EXE
Drops file in Program Files directory 1 IoCs

Processes:

cmd.exe

description ioc process

File opened for modification C:\Program Files (x86)\Tqlr\configohzdlll.exe cmd.exe

pid	process
1292	Explorer.EXE
1292	Explorer.EXE
1292	Explorer.EXE
1292	Explorer.EXE
1292	Explorer.EXE

pid	process
1292	Explorer.EXE
1292	Explorer.EXE
1292	Explorer.EXE
1292	Explorer.EXE
1292	Explorer.EXE

description	ioc	process
File opened for modification	C:\Program Files (x86)\Tqlr\configohzdlll.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
- Checks whether UAC is enabled
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1292

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
2⤵
- Suspicious use of SetThreadContext
- Drops startup file
- Suspicious use of WriteProcessMemory
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
PID:900

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1288

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
3⤵
- Suspicious use of SetThreadContext
- Drops startup file
- Suspicious use of WriteProcessMemory
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1516

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:304

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
4⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1068

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
5⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1076

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
5⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1700

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
6⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1824

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
6⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1780

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
7⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1380

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
7⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1640

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
8⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1652

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
8⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1956

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
9⤵
PID:1904

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
9⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2000

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
9⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1952

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
10⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:840

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
10⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1484

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
11⤵
PID:836

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
11⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1324

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
11⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1056

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
12⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:456

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
12⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1084

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
13⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1068

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
13⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1800

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
14⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1944

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
14⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1996

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
15⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1972

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
15⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1640

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
16⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:616

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
16⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:108

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
17⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2028

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
17⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1432

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
18⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1796

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
18⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2004

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
19⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1700

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
19⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2040

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
20⤵
PID:1520

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
20⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1332

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\SysWOW64\netsh.exe"
21⤵
PID:1472

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
20⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1392

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
21⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:900

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
21⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1964

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
22⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1080

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
22⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1312

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
23⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1440

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
23⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:976

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
24⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:884

C:\Windows\SysWOW64\colorcpl.exe
"C:\Windows\SysWOW64\colorcpl.exe"
25⤵
PID:908

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
24⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1840

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
25⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1684

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\SysWOW64\svchost.exe"
26⤵
PID:1940

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
25⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1868

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
26⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1500

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
26⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1892

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
27⤵
- Suspicious use of SetThreadContext
PID:1392

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
27⤵
- Suspicious use of SetThreadContext
PID:540

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
28⤵
- Suspicious use of SetThreadContext
PID:1812

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
28⤵
- Suspicious use of SetThreadContext
PID:2004

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
29⤵
PID:1836

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
29⤵
PID:316

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
30⤵
PID:1640

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
30⤵
PID:1608

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
31⤵
PID:1116

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
31⤵
PID:1784

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
32⤵
PID:1920

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
32⤵
PID:1892

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
33⤵
PID:760

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
33⤵
PID:1040

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
34⤵
PID:1648

C:\Windows\SysWOW64\systray.exe
"C:\Windows\SysWOW64\systray.exe"
35⤵
PID:2148

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
34⤵
PID:316

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
35⤵
PID:1988

C:\Windows\SysWOW64\cscript.exe
"C:\Windows\SysWOW64\cscript.exe"
36⤵
PID:2316

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
35⤵
PID:1516

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
36⤵
PID:1540

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
36⤵
PID:744

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
37⤵
PID:1788

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
37⤵
PID:652

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
38⤵
PID:564

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
38⤵
PID:1304

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
39⤵
PID:1508

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
39⤵
PID:1084

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
40⤵
PID:1784

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
40⤵
PID:1964

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
41⤵
PID:1596

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
41⤵
PID:1628

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
42⤵
PID:484

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
42⤵
PID:1608

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
42⤵
PID:1300

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
43⤵
PID:1072

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
43⤵
PID:1048

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
44⤵
PID:744

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
44⤵
PID:1964

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
45⤵
PID:576

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
45⤵
PID:556

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
46⤵
PID:108

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
46⤵
PID:316

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
47⤵
PID:1528

C:\Windows\SysWOW64\wscript.exe
"C:\Windows\SysWOW64\wscript.exe"
48⤵
PID:1084

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
47⤵
PID:1696

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
48⤵
PID:1136

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
48⤵
PID:1568

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
49⤵
PID:1432

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
49⤵
PID:1232

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
50⤵
PID:2052

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
50⤵
PID:2092

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
51⤵
PID:2128

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
51⤵
PID:2196

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
52⤵
PID:2252

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
52⤵
PID:2304

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
53⤵
PID:2352

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
53⤵
PID:2364

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
53⤵
PID:2420

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
54⤵
PID:2488

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
54⤵
PID:2568

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
55⤵
PID:2600

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
55⤵
PID:2648

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
56⤵
PID:2732

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
56⤵
PID:2780

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
57⤵
PID:2840

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
57⤵
PID:2900

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
58⤵
PID:2932

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
58⤵
PID:2964

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
59⤵
PID:3004

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
59⤵
PID:3056

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
60⤵
PID:1868

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
60⤵
PID:1660

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
61⤵
PID:2184

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
61⤵
PID:2088

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
62⤵
PID:572

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
62⤵
PID:2392

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
63⤵
PID:2272

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
63⤵
PID:2404

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
64⤵
PID:2384

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
64⤵
PID:1040

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
65⤵
PID:2620

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
65⤵
PID:2332

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
65⤵
PID:2640

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
66⤵
PID:2552

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
66⤵
PID:2720

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
67⤵
PID:2652

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
68⤵
PID:2064

C:\Windows\SysWOW64\cmmon32.exe
"C:\Windows\SysWOW64\cmmon32.exe"
68⤵
PID:2468

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
67⤵
PID:2780

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
68⤵
PID:652

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
68⤵
PID:2960

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
69⤵
PID:2256

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
69⤵
PID:3052

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
70⤵
PID:1056

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
70⤵
PID:2380

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
71⤵
PID:2140

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
71⤵
PID:1960

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
72⤵
PID:2088

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
72⤵
PID:2292

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
73⤵
PID:2096

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
73⤵
PID:2124

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
73⤵
PID:2092

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
73⤵
PID:2696

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
74⤵
PID:2496

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
74⤵
PID:2768

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
75⤵
PID:2888

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
75⤵
PID:2572

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
76⤵
PID:2800

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
76⤵
PID:2612

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
77⤵
PID:2820

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
77⤵
PID:2640

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
78⤵
PID:2016

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
78⤵
PID:2068

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
79⤵
PID:2780

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
79⤵
PID:436

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
80⤵
PID:2428

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
80⤵
PID:1888

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
81⤵
PID:2936

C:\Windows\SysWOW64\mstsc.exe
"C:\Windows\SysWOW64\mstsc.exe"
82⤵
PID:2280

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
81⤵
PID:2532

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
82⤵
PID:2620

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
82⤵
PID:2624

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
83⤵
PID:2528

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
83⤵
PID:1696

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
84⤵
PID:2132

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
84⤵
PID:2592

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
85⤵
PID:2276

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe"
2⤵
- Suspicious use of SetThreadContext
- System policy modification
- Adds policy Run key to start application
- Modifies Internet Explorer settings
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Drops file in Program Files directory
PID:1616

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:1980

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:2084

C:\Windows\SysWOW64\colorcpl.exe
"C:\Windows\SysWOW64\colorcpl.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1848

C:\Windows\SysWOW64\wlanext.exe
"C:\Windows\SysWOW64\wlanext.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2036

C:\Windows\SysWOW64\cmmon32.exe
"C:\Windows\SysWOW64\cmmon32.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1856

C:\Windows\SysWOW64\wininit.exe
"C:\Windows\SysWOW64\wininit.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1820

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\SysWOW64\netsh.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1884

C:\Windows\SysWOW64\chkdsk.exe
"C:\Windows\SysWOW64\chkdsk.exe"
2⤵
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:1108

C:\Windows\SysWOW64\wininit.exe
"C:\Windows\SysWOW64\wininit.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2044

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1936

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1524

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\SysWOW64\msiexec.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1908

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:744

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\SysWOW64\svchost.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1028

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\SysWOW64\svchost.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1976

C:\Windows\SysWOW64\chkdsk.exe
"C:\Windows\SysWOW64\chkdsk.exe"
2⤵
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:524

C:\Windows\SysWOW64\control.exe
"C:\Windows\SysWOW64\control.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:664

C:\Windows\SysWOW64\chkdsk.exe
"C:\Windows\SysWOW64\chkdsk.exe"
2⤵
- Enumerates system info in registry
PID:1104

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:624

C:\Windows\SysWOW64\NETSTAT.EXE
"C:\Windows\SysWOW64\NETSTAT.EXE"
2⤵
- Gathers network information
PID:1584

C:\Windows\SysWOW64\ipconfig.exe
"C:\Windows\SysWOW64\ipconfig.exe"
2⤵
- Gathers network information
PID:1052

C:\Windows\SysWOW64\raserver.exe
"C:\Windows\SysWOW64\raserver.exe"
2⤵
PID:1588

C:\Windows\SysWOW64\systray.exe
"C:\Windows\SysWOW64\systray.exe"
2⤵
PID:1656

C:\Windows\SysWOW64\ipconfig.exe
"C:\Windows\SysWOW64\ipconfig.exe"
2⤵
- Gathers network information
PID:1760

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\SysWOW64\explorer.exe"
2⤵
PID:472

C:\Windows\SysWOW64\cmstp.exe
"C:\Windows\SysWOW64\cmstp.exe"
2⤵
PID:1176

C:\Windows\SysWOW64\wlanext.exe
"C:\Windows\SysWOW64\wlanext.exe"
2⤵
PID:1808

C:\Windows\SysWOW64\chkdsk.exe
"C:\Windows\SysWOW64\chkdsk.exe"
2⤵
- Enumerates system info in registry
PID:1544

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\SysWOW64\netsh.exe"
2⤵
PID:1804

C:\Windows\SysWOW64\wscript.exe
"C:\Windows\SysWOW64\wscript.exe"
2⤵
PID:540

C:\Windows\SysWOW64\NETSTAT.EXE
"C:\Windows\SysWOW64\NETSTAT.EXE"
2⤵
- Gathers network information
PID:976

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:108

C:\Windows\SysWOW64\colorcpl.exe
"C:\Windows\SysWOW64\colorcpl.exe"
2⤵
PID:1620

C:\Windows\SysWOW64\raserver.exe
"C:\Windows\SysWOW64\raserver.exe"
2⤵
PID:1956

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\SysWOW64\svchost.exe"
2⤵
PID:1708

C:\Windows\SysWOW64\wscript.exe
"C:\Windows\SysWOW64\wscript.exe"
2⤵
PID:1516

C:\Windows\SysWOW64\chkdsk.exe
"C:\Windows\SysWOW64\chkdsk.exe"
2⤵
- Enumerates system info in registry
PID:2004

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:908

C:\Windows\SysWOW64\NAPSTAT.EXE
"C:\Windows\SysWOW64\NAPSTAT.EXE"
2⤵
PID:1564

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe"
2⤵
PID:640

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:556

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:1320

C:\Windows\SysWOW64\colorcpl.exe
"C:\Windows\SysWOW64\colorcpl.exe"
2⤵
PID:1756

C:\Windows\SysWOW64\chkdsk.exe
"C:\Windows\SysWOW64\chkdsk.exe"
2⤵
- Enumerates system info in registry
PID:316

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\SysWOW64\netsh.exe"
2⤵
PID:2072

C:\Windows\SysWOW64\raserver.exe
"C:\Windows\SysWOW64\raserver.exe"
2⤵
PID:2228

C:\Windows\SysWOW64\raserver.exe
"C:\Windows\SysWOW64\raserver.exe"
2⤵
PID:2236

C:\Windows\SysWOW64\cscript.exe
"C:\Windows\SysWOW64\cscript.exe"
2⤵
PID:2296

C:\Windows\SysWOW64\NAPSTAT.EXE
"C:\Windows\SysWOW64\NAPSTAT.EXE"
2⤵
PID:2396

C:\Windows\SysWOW64\colorcpl.exe
"C:\Windows\SysWOW64\colorcpl.exe"
2⤵
PID:2516

C:\Windows\SysWOW64\systray.exe
"C:\Windows\SysWOW64\systray.exe"
2⤵
PID:2536

C:\Windows\SysWOW64\msdt.exe
"C:\Windows\SysWOW64\msdt.exe"
2⤵
PID:2684

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:2696

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:2704

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:2712

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:2720

C:\Windows\SysWOW64\wscript.exe
"C:\Windows\SysWOW64\wscript.exe"
2⤵
PID:2740

C:\Windows\SysWOW64\cmmon32.exe
"C:\Windows\SysWOW64\cmmon32.exe"
2⤵
PID:2860

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\SysWOW64\explorer.exe"
2⤵
PID:3028

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\SysWOW64\explorer.exe"
2⤵
PID:3036

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\SysWOW64\explorer.exe"
2⤵
PID:2144

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\SysWOW64\explorer.exe"
2⤵
PID:2168

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\SysWOW64\svchost.exe"
2⤵
PID:2312

C:\Windows\SysWOW64\chkdsk.exe
"C:\Windows\SysWOW64\chkdsk.exe"
2⤵
- Enumerates system info in registry
PID:2372

C:\Windows\SysWOW64\control.exe
"C:\Windows\SysWOW64\control.exe"
2⤵
PID:2480

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:2424

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:2440

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:2420

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:2728

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:2788

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:2848

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:2852

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:2584

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:2592

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:2644

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:2568

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:2692

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:2772

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:2896

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:2664

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:2680

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:2800

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe"
2⤵
PID:2972

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe"
2⤵
PID:3016

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\SysWOW64\netsh.exe"
2⤵
PID:2996

C:\Windows\SysWOW64\control.exe
"C:\Windows\SysWOW64\control.exe"
2⤵
PID:3008

C:\Windows\SysWOW64\wscript.exe
"C:\Windows\SysWOW64\wscript.exe"
2⤵
PID:2712

C:\Windows\SysWOW64\colorcpl.exe
"C:\Windows\SysWOW64\colorcpl.exe"
2⤵
PID:2672

C:\Windows\SysWOW64\help.exe
"C:\Windows\SysWOW64\help.exe"
2⤵
PID:2136

C:\Windows\SysWOW64\chkdsk.exe
"C:\Windows\SysWOW64\chkdsk.exe"
2⤵
- Enumerates system info in registry
PID:2124

C:\Windows\SysWOW64\wuapp.exe
"C:\Windows\SysWOW64\wuapp.exe"
2⤵
PID:2440

C:\Windows\SysWOW64\wuapp.exe
"C:\Windows\SysWOW64\wuapp.exe"
2⤵
PID:2568

C:\Windows\SysWOW64\wuapp.exe
"C:\Windows\SysWOW64\wuapp.exe"
2⤵
PID:1664

C:\Windows\SysWOW64\wlanext.exe
"C:\Windows\SysWOW64\wlanext.exe"
2⤵
PID:2224

C:\Windows\SysWOW64\colorcpl.exe
"C:\Windows\SysWOW64\colorcpl.exe"
2⤵
PID:2656

C:\Windows\SysWOW64\wininit.exe
"C:\Windows\SysWOW64\wininit.exe"
2⤵
PID:2316

C:\Windows\SysWOW64\help.exe
"C:\Windows\SysWOW64\help.exe"
2⤵
PID:2524

C:\Windows\SysWOW64\wininit.exe
"C:\Windows\SysWOW64\wininit.exe"
2⤵
PID:2344

C:\Windows\SysWOW64\cscript.exe
"C:\Windows\SysWOW64\cscript.exe"
2⤵
PID:2984

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\29R0QA-9\29Rlogim.jpeg

Download Submit
C:\Users\Admin\AppData\Roaming\29R0QA-9\29Rlogrf.ini

Download Submit
C:\Users\Admin\AppData\Roaming\29R0QA-9\29Rlogri.ini

Download Submit
C:\Users\Admin\AppData\Roaming\29R0QA-9\29Rlogrv.ini

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HJdyTuap.exe

Download Submit
memory/108-55-0x0000000000000000-mapping.dmp

Download
memory/108-230-0x000000000041E300-mapping.dmp

Download
memory/304-4-0x000000000041E300-mapping.dmp

Download
memory/316-266-0x0000000000000000-mapping.dmp

Download
memory/316-231-0x0000000000000000-mapping.dmp

Download
memory/316-135-0x0000000000000000-mapping.dmp

Download
memory/316-162-0x0000000000000000-mapping.dmp

Download
memory/316-268-0x0000000000590000-0x0000000000597000-memory.dmp

Filesize
28KB

Download
memory/436-417-0x0000000000000000-mapping.dmp

Download
memory/456-38-0x000000000041E300-mapping.dmp

Download
memory/472-159-0x0000000000540000-0x00000000007C1000-memory.dmp

Filesize
2.5MB

Download
memory/472-156-0x0000000000000000-mapping.dmp

Download
memory/524-107-0x00000000009A0000-0x00000000009A7000-memory.dmp

Filesize
28KB

Download
memory/524-105-0x0000000000000000-mapping.dmp

Download
memory/540-126-0x0000000000000000-mapping.dmp

Download
memory/540-176-0x0000000000000000-mapping.dmp

Download
memory/540-177-0x0000000000980000-0x00000000009A6000-memory.dmp

Filesize
152KB

Download
memory/556-228-0x0000000000000000-mapping.dmp

Download
memory/564-189-0x000000000041E300-mapping.dmp

Download
memory/572-327-0x000000000041E300-mapping.dmp

Download
memory/576-227-0x000000000041E300-mapping.dmp

Download
memory/616-54-0x000000000041E300-mapping.dmp

Download
memory/640-254-0x0000000000000000-mapping.dmp

Download
memory/640-256-0x0000000000F40000-0x0000000000F4E000-memory.dmp

Filesize
56KB

Download
memory/652-362-0x000000000041E300-mapping.dmp

Download
memory/652-187-0x0000000000000000-mapping.dmp

Download
memory/664-108-0x00000000005B0000-0x00000000005CF000-memory.dmp

Filesize
124KB

Download
memory/664-106-0x0000000000000000-mapping.dmp

Download
memory/744-183-0x0000000000000000-mapping.dmp

Download
memory/744-222-0x000000000041E300-mapping.dmp

Download
memory/760-154-0x000000000041E300-mapping.dmp

Download
memory/840-29-0x000000000041E300-mapping.dmp

Download
memory/884-103-0x000000000041E300-mapping.dmp

Download
memory/900-91-0x000000000041E300-mapping.dmp

Download
memory/908-194-0x0000000000000000-mapping.dmp

Download
memory/908-195-0x00000000002D0000-0x00000000002E8000-memory.dmp

Filesize
96KB

Download
memory/976-101-0x0000000000000000-mapping.dmp

Download
memory/976-182-0x0000000000C50000-0x0000000000C59000-memory.dmp

Filesize
36KB

Download
memory/976-181-0x0000000000000000-mapping.dmp

Download
memory/1028-88-0x0000000000000000-mapping.dmp

Download
memory/1028-89-0x00000000006D0000-0x00000000006D8000-memory.dmp

Filesize
32KB

Download
memory/1040-347-0x0000000000000000-mapping.dmp

Download
memory/1040-155-0x0000000000000000-mapping.dmp

Download
memory/1048-218-0x0000000000000000-mapping.dmp

Download
memory/1052-123-0x00000000000A0000-0x00000000000AA000-memory.dmp

Filesize
40KB

Download
memory/1052-121-0x0000000000000000-mapping.dmp

Download
memory/1056-372-0x000000000041E300-mapping.dmp

Download
memory/1056-36-0x0000000000000000-mapping.dmp

Download
memory/1068-42-0x000000000041E300-mapping.dmp

Download
memory/1068-5-0x0000000000000000-mapping.dmp

Download
memory/1072-215-0x000000000041E300-mapping.dmp

Download
memory/1076-8-0x000000000041E300-mapping.dmp

Download
memory/1080-94-0x000000000041E300-mapping.dmp

Download
memory/1084-196-0x0000000000000000-mapping.dmp

Download
memory/1084-312-0x0000000000EC0000-0x0000000000EE6000-memory.dmp

Filesize
152KB

Download
memory/1084-40-0x0000000000000000-mapping.dmp

Download
memory/1084-311-0x0000000000000000-mapping.dmp

Download
memory/1104-116-0x00000000009A0000-0x00000000009A7000-memory.dmp

Filesize
28KB

Download
memory/1104-115-0x0000000000000000-mapping.dmp

Download
memory/1108-70-0x0000000000000000-mapping.dmp

Download
memory/1108-71-0x0000000000280000-0x0000000000287000-memory.dmp

Filesize
28KB

Download
memory/1116-140-0x000000000041E300-mapping.dmp

Download
memory/1136-236-0x000000000041E300-mapping.dmp

Download
memory/1176-160-0x0000000000000000-mapping.dmp

Download
memory/1176-161-0x00000000001C0000-0x00000000001D8000-memory.dmp

Filesize
96KB

Download
memory/1232-242-0x0000000000000000-mapping.dmp

Download
memory/1288-1-0x000000000041E300-mapping.dmp

Download
memory/1288-0-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1292-381-0x000000000EEC0000-0x000000000EFAB000-memory.dmp

Filesize
940KB

Download
memory/1292-465-0x00000000109B0000-0x0000000010A81000-memory.dmp

Filesize
836KB

Download
memory/1292-180-0x0000000006F60000-0x0000000007045000-memory.dmp

Filesize
916KB

Download
memory/1292-98-0x000000000A480000-0x000000000A54D000-memory.dmp

Filesize
820KB

Download
memory/1292-184-0x000000000BA90000-0x000000000BBDC000-memory.dmp

Filesize
1.3MB

Download
memory/1292-420-0x000000000FB60000-0x000000000FC3B000-memory.dmp

Filesize
876KB

Download
memory/1292-53-0x0000000007060000-0x0000000007111000-memory.dmp

Filesize
708KB

Download
memory/1292-104-0x000000000A7E0000-0x000000000A987000-memory.dmp

Filesize
1.7MB

Download
memory/1292-369-0x000000000ECA0000-0x000000000ED94000-memory.dmp

Filesize
976KB

Download
memory/1292-342-0x000000000E3E0000-0x000000000E574000-memory.dmp

Filesize
1.6MB

Download
memory/1292-410-0x000000000F670000-0x000000000F76A000-memory.dmp

Filesize
1000KB

Download
memory/1292-253-0x000000000CE50000-0x000000000CF63000-memory.dmp

Filesize
1.1MB

Download
memory/1292-429-0x000000000FF30000-0x000000001006A000-memory.dmp

Filesize
1.2MB

Download
memory/1292-12-0x0000000007ED0000-0x0000000007FE3000-memory.dmp

Filesize
1.1MB

Download
memory/1292-430-0x0000000004DE0000-0x0000000004EAD000-memory.dmp

Filesize
820KB

Download
memory/1292-475-0x0000000010B70000-0x0000000010C24000-memory.dmp

Filesize
720KB

Download
memory/1292-317-0x000000000DC30000-0x000000000DD25000-memory.dmp

Filesize
980KB

Download
memory/1292-403-0x000000000F3F0000-0x000000000F58D000-memory.dmp

Filesize
1.6MB

Download
memory/1292-259-0x000000000D0B0000-0x000000000D20A000-memory.dmp

Filesize
1.4MB

Download
memory/1292-244-0x000000000CCE0000-0x000000000CE45000-memory.dmp

Filesize
1.4MB

Download
memory/1292-119-0x000000000AAD0000-0x000000000AB94000-memory.dmp

Filesize
784KB

Download
memory/1292-241-0x000000000C8E0000-0x000000000C9AD000-memory.dmp

Filesize
820KB

Download
memory/1292-422-0x000000000FC40000-0x000000000FD90000-memory.dmp

Filesize
1.3MB

Download
memory/1292-399-0x000000000F270000-0x000000000F3E4000-memory.dmp

Filesize
1.5MB

Download
memory/1292-124-0x000000000ABA0000-0x000000000ACB0000-memory.dmp

Filesize
1.1MB

Download
memory/1292-193-0x000000000BD10000-0x000000000BE1D000-memory.dmp

Filesize
1.1MB

Download
memory/1292-393-0x000000000F160000-0x000000000F266000-memory.dmp

Filesize
1.0MB

Download
memory/1292-237-0x000000000C7B0000-0x000000000C8D7000-memory.dmp

Filesize
1.2MB

Download
memory/1292-21-0x0000000008180000-0x00000000082F3000-memory.dmp

Filesize
1.4MB

Download
memory/1292-129-0x000000000ADF0000-0x000000000AF60000-memory.dmp

Filesize
1.4MB

Download
memory/1292-440-0x0000000010320000-0x0000000010458000-memory.dmp

Filesize
1.2MB

Download
memory/1292-277-0x000000000D410000-0x000000000D4F0000-memory.dmp

Filesize
896KB

Download
memory/1292-442-0x0000000010460000-0x0000000010587000-memory.dmp

Filesize
1.2MB

Download
memory/1292-324-0x000000000E020000-0x000000000E1C0000-memory.dmp

Filesize
1.6MB

Download
memory/1292-470-0x0000000010A90000-0x0000000010B6E000-memory.dmp

Filesize
888KB

Download
memory/1292-368-0x000000000EA90000-0x000000000EB83000-memory.dmp

Filesize
972KB

Download
memory/1292-389-0x000000000F0A0000-0x000000000F15C000-memory.dmp

Filesize
752KB

Download
memory/1292-25-0x0000000008300000-0x0000000008440000-memory.dmp

Filesize
1.2MB

Download
memory/1292-348-0x000000000E580000-0x000000000E6BF000-memory.dmp

Filesize
1.2MB

Download
memory/1292-214-0x000000000C1D0000-0x000000000C2A5000-memory.dmp

Filesize
852KB

Download
memory/1292-144-0x000000000B370000-0x000000000B514000-memory.dmp

Filesize
1.6MB

Download
memory/1292-30-0x0000000008440000-0x00000000085BA000-memory.dmp

Filesize
1.5MB

Download
memory/1292-147-0x000000000B520000-0x000000000B693000-memory.dmp

Filesize
1.4MB

Download
memory/1292-461-0x0000000010840000-0x00000000109AA000-memory.dmp

Filesize
1.4MB

Download
memory/1292-39-0x0000000008770000-0x00000000088AB000-memory.dmp

Filesize
1.2MB

Download
memory/1292-151-0x000000000B6A0000-0x000000000B7A9000-memory.dmp

Filesize
1.0MB

Download
memory/1292-209-0x000000000C0A0000-0x000000000C1CF000-memory.dmp

Filesize
1.2MB

Download
memory/1292-385-0x000000000EFB0000-0x000000000F09C000-memory.dmp

Filesize
944KB

Download
memory/1292-456-0x0000000010650000-0x000000001075A000-memory.dmp

Filesize
1.0MB

Download
memory/1292-304-0x000000000DAC0000-0x000000000DC23000-memory.dmp

Filesize
1.4MB

Download
memory/1292-320-0x000000000DEA0000-0x000000000E01B000-memory.dmp

Filesize
1.5MB

Download
memory/1292-373-0x000000000EDA0000-0x000000000EEB5000-memory.dmp

Filesize
1.1MB

Download
memory/1292-63-0x00000000072B0000-0x000000000738F000-memory.dmp

Filesize
892KB

Download
memory/1292-354-0x000000000E6C0000-0x000000000E823000-memory.dmp

Filesize
1.4MB

Download
memory/1292-58-0x00000000097F0000-0x0000000009939000-memory.dmp

Filesize
1.3MB

Download
memory/1292-163-0x0000000006B40000-0x0000000006C52000-memory.dmp

Filesize
1.1MB

Download
memory/1292-447-0x0000000010590000-0x0000000010646000-memory.dmp

Filesize
728KB

Download
memory/1292-166-0x000000000B910000-0x000000000BA86000-memory.dmp

Filesize
1.5MB

Download
memory/1292-332-0x000000000E2B0000-0x000000000E3D7000-memory.dmp

Filesize
1.2MB

Download
memory/1300-211-0x0000000000000000-mapping.dmp

Download
memory/1304-190-0x0000000000000000-mapping.dmp

Download
memory/1312-97-0x0000000000000000-mapping.dmp

Download
memory/1324-35-0x000000000041E300-mapping.dmp

Download
memory/1332-86-0x000000000041E300-mapping.dmp

Download
memory/1380-15-0x000000000041E300-mapping.dmp

Download
memory/1392-125-0x000000000041E300-mapping.dmp

Download
memory/1392-87-0x0000000000000000-mapping.dmp

Download
memory/1432-62-0x0000000000000000-mapping.dmp

Download
memory/1432-240-0x000000000041E300-mapping.dmp

Download
memory/1440-100-0x000000000041E300-mapping.dmp

Download
memory/1472-173-0x0000000000C80000-0x0000000000C9B000-memory.dmp

Filesize
108KB

Download
memory/1472-171-0x0000000000000000-mapping.dmp

Download
memory/1484-31-0x0000000000000000-mapping.dmp

Download
memory/1500-114-0x000000000041E300-mapping.dmp

Download
memory/1508-192-0x000000000041E300-mapping.dmp

Download
memory/1516-175-0x0000000000000000-mapping.dmp

Download
memory/1516-2-0x0000000000000000-mapping.dmp

Download
memory/1516-220-0x00000000001A0000-0x00000000001C6000-memory.dmp

Filesize
152KB

Download
memory/1516-219-0x0000000000000000-mapping.dmp

Download
memory/1524-80-0x0000000000000000-mapping.dmp

Download
memory/1528-233-0x000000000041E300-mapping.dmp

Download
memory/1540-179-0x000000000041E300-mapping.dmp

Download
memory/1544-170-0x0000000000350000-0x0000000000357000-memory.dmp

Filesize
28KB

Download
memory/1544-169-0x0000000000000000-mapping.dmp

Download
memory/1564-250-0x0000000000FD0000-0x0000000001016000-memory.dmp

Filesize
280KB

Download
memory/1564-249-0x0000000000000000-mapping.dmp

Download
memory/1568-238-0x0000000000000000-mapping.dmp

Download
memory/1584-120-0x0000000000080000-0x0000000000089000-memory.dmp

Filesize
36KB

Download
memory/1584-118-0x0000000000000000-mapping.dmp

Download
memory/1588-127-0x0000000000000000-mapping.dmp

Download
memory/1588-128-0x0000000000B80000-0x0000000000B9C000-memory.dmp

Filesize
112KB

Download
memory/1596-201-0x000000000041E300-mapping.dmp

Download
memory/1608-204-0x000000000041E300-mapping.dmp

Download
memory/1608-138-0x0000000000000000-mapping.dmp

Download
memory/1616-19-0x0000000000000000-mapping.dmp

Download
memory/1616-273-0x00000000777C0000-0x00000000777CC000-memory.dmp

Filesize
48KB

Download
memory/1616-287-0x0000000075A30000-0x0000000075B8C000-memory.dmp

Filesize
1.4MB

Download
memory/1616-20-0x000000004AB10000-0x000000004AB5C000-memory.dmp

Filesize
304KB

Download
memory/1616-275-0x00000000765C0000-0x00000000766DD000-memory.dmp

Filesize
1.1MB

Download
memory/1616-73-0x0000000001DF0000-0x0000000001EA7000-memory.dmp

Filesize
732KB

Download
memory/1620-205-0x0000000000000000-mapping.dmp

Download
memory/1620-207-0x00000000002D0000-0x00000000002E8000-memory.dmp

Filesize
96KB

Download
memory/1628-202-0x0000000000000000-mapping.dmp

Download
memory/1640-16-0x0000000000000000-mapping.dmp

Download
memory/1640-137-0x000000000041E300-mapping.dmp

Download
memory/1640-51-0x0000000000000000-mapping.dmp

Download
memory/1648-158-0x000000000041E300-mapping.dmp

Download
memory/1652-18-0x000000000041E300-mapping.dmp

Download
memory/1656-142-0x0000000000000000-mapping.dmp

Download
memory/1656-143-0x0000000000450000-0x0000000000455000-memory.dmp

Filesize
20KB

Download
memory/1660-316-0x0000000000000000-mapping.dmp

Download
memory/1664-452-0x0000000000A50000-0x0000000000A5B000-memory.dmp

Filesize
44KB

Download
memory/1664-449-0x0000000000000000-mapping.dmp

Download
memory/1684-111-0x000000000041E300-mapping.dmp

Download
memory/1696-234-0x0000000000000000-mapping.dmp

Download
memory/1696-433-0x0000000000000000-mapping.dmp

Download
memory/1700-77-0x000000000041E300-mapping.dmp

Download
memory/1700-9-0x0000000000000000-mapping.dmp

Download
memory/1708-217-0x0000000000650000-0x0000000000658000-memory.dmp

Filesize
32KB

Download
memory/1708-216-0x0000000000000000-mapping.dmp

Download
memory/1756-263-0x0000000000F50000-0x0000000000F68000-memory.dmp

Filesize
96KB

Download
memory/1756-261-0x0000000000000000-mapping.dmp

Download
memory/1760-149-0x0000000000000000-mapping.dmp

Download
memory/1760-152-0x0000000000E80000-0x0000000000E8A000-memory.dmp

Filesize
40KB

Download
memory/1780-13-0x0000000000000000-mapping.dmp

Download
memory/1784-198-0x000000000041E300-mapping.dmp

Download
memory/1784-141-0x0000000000000000-mapping.dmp

Download
memory/1788-186-0x000000000041E300-mapping.dmp

Download
memory/1796-67-0x000000000041E300-mapping.dmp

Download
memory/1800-43-0x0000000000000000-mapping.dmp

Download
memory/1804-172-0x0000000000000000-mapping.dmp

Download
memory/1808-165-0x0000000000720000-0x0000000000736000-memory.dmp

Filesize
88KB

Download
memory/1808-164-0x0000000000000000-mapping.dmp

Download
memory/1812-131-0x000000000041E300-mapping.dmp

Download
memory/1820-66-0x0000000000330000-0x000000000034A000-memory.dmp

Filesize
104KB

Download
memory/1820-64-0x0000000000000000-mapping.dmp

Download
memory/1824-11-0x000000000041E300-mapping.dmp

Download
memory/1836-134-0x000000000041E300-mapping.dmp

Download
memory/1840-109-0x0000000000000000-mapping.dmp

Download
memory/1848-33-0x00000000006A0000-0x00000000006B8000-memory.dmp

Filesize
96KB

Download
memory/1848-32-0x0000000000000000-mapping.dmp

Download
memory/1856-61-0x0000000000710000-0x000000000071D000-memory.dmp

Filesize
52KB

Download
memory/1856-59-0x0000000000000000-mapping.dmp

Download
memory/1868-112-0x0000000000000000-mapping.dmp

Download
memory/1868-309-0x000000000041E300-mapping.dmp

Download
memory/1884-69-0x0000000000F90000-0x0000000000FAB000-memory.dmp

Filesize
108KB

Download
memory/1884-68-0x0000000000000000-mapping.dmp

Download
memory/1888-421-0x0000000000000000-mapping.dmp

Download
memory/1892-148-0x0000000000000000-mapping.dmp

Download
memory/1892-117-0x0000000000000000-mapping.dmp

Download
memory/1908-82-0x0000000000000000-mapping.dmp

Download
memory/1908-84-0x0000000000430000-0x0000000000444000-memory.dmp

Filesize
80KB

Download
memory/1920-146-0x000000000041E300-mapping.dmp

Download
memory/1936-78-0x0000000000000000-mapping.dmp

Download
memory/1936-79-0x000000004AB10000-0x000000004AB5C000-memory.dmp

Filesize
304KB

Download
memory/1940-208-0x0000000000650000-0x0000000000658000-memory.dmp

Filesize
32KB

Download
memory/1940-206-0x0000000000000000-mapping.dmp

Download
memory/1944-45-0x000000000041E300-mapping.dmp

Download
memory/1952-26-0x0000000000000000-mapping.dmp

Download
memory/1956-22-0x0000000000000000-mapping.dmp

Download
memory/1956-210-0x0000000000000000-mapping.dmp

Download
memory/1956-212-0x0000000000C20000-0x0000000000C3C000-memory.dmp

Filesize
112KB

Download
memory/1960-382-0x0000000000000000-mapping.dmp

Download
memory/1964-92-0x0000000000000000-mapping.dmp

Download
memory/1964-224-0x0000000000000000-mapping.dmp

Download
memory/1964-199-0x0000000000000000-mapping.dmp

Download
memory/1972-50-0x000000000041E300-mapping.dmp

Download
memory/1976-95-0x0000000000000000-mapping.dmp

Download
memory/1980-27-0x0000000000000000-mapping.dmp

Download
memory/1988-168-0x000000000041E300-mapping.dmp

Download
memory/1996-46-0x0000000000000000-mapping.dmp

Download
memory/2000-24-0x000000000041E300-mapping.dmp

Download
memory/2004-72-0x0000000000000000-mapping.dmp

Download
memory/2004-223-0x0000000000000000-mapping.dmp

Download
memory/2004-132-0x0000000000000000-mapping.dmp

Download
memory/2004-225-0x0000000000E50000-0x0000000000E57000-memory.dmp

Filesize
28KB

Download
memory/2016-413-0x000000000041E300-mapping.dmp

Download
memory/2028-57-0x000000000041E300-mapping.dmp

Download
memory/2036-47-0x0000000000000000-mapping.dmp

Download
memory/2036-48-0x0000000000A50000-0x0000000000A66000-memory.dmp

Filesize
88KB

Download
memory/2040-83-0x0000000000000000-mapping.dmp

Download
memory/2044-76-0x0000000000330000-0x000000000034A000-memory.dmp

Filesize
104KB

Download
memory/2044-74-0x0000000000000000-mapping.dmp

Download
memory/2052-245-0x000000000041E300-mapping.dmp

Download
memory/2068-414-0x0000000000000000-mapping.dmp

Download
memory/2072-270-0x0000000000B80000-0x0000000000B9B000-memory.dmp

Filesize
108KB

Download
memory/2072-269-0x0000000000000000-mapping.dmp

Download
memory/2084-345-0x000000013FBD0000-0x000000013FC63000-memory.dmp

Filesize
588KB

Download
memory/2084-343-0x0000000000000000-mapping.dmp

Download
memory/2088-323-0x0000000000000000-mapping.dmp

Download
memory/2088-384-0x000000000041E300-mapping.dmp

Download
memory/2092-246-0x0000000000000000-mapping.dmp

Download
memory/2092-388-0x000000000041E300-mapping.dmp

Download
memory/2124-445-0x0000000000000000-mapping.dmp

Download
memory/2124-446-0x0000000000320000-0x0000000000327000-memory.dmp

Filesize
28KB

Download
memory/2128-248-0x000000000041E300-mapping.dmp

Download
memory/2132-438-0x000000000041E300-mapping.dmp

Download
memory/2136-443-0x00000000005A0000-0x00000000005A6000-memory.dmp

Filesize
24KB

Download
memory/2136-441-0x0000000000000000-mapping.dmp

Download
memory/2140-380-0x000000000041E300-mapping.dmp

Download
memory/2144-336-0x0000000000620000-0x00000000008A1000-memory.dmp

Filesize
2.5MB

Download
memory/2144-335-0x0000000000000000-mapping.dmp

Download
memory/2148-252-0x0000000000D50000-0x0000000000D55000-memory.dmp

Filesize
20KB

Download
memory/2148-251-0x0000000000000000-mapping.dmp

Download
memory/2168-338-0x0000000000000000-mapping.dmp

Download
memory/2168-341-0x0000000000620000-0x00000000008A1000-memory.dmp

Filesize
2.5MB

Download
memory/2184-319-0x000000000041E300-mapping.dmp

Download
memory/2196-255-0x0000000000000000-mapping.dmp

Download
memory/2224-460-0x0000000000000000-mapping.dmp

Download
memory/2224-462-0x0000000000B90000-0x0000000000BA6000-memory.dmp

Filesize
88KB

Download
memory/2228-279-0x00000000007A0000-0x00000000007BC000-memory.dmp

Filesize
112KB

Download
memory/2228-276-0x0000000000000000-mapping.dmp

Download
memory/2236-274-0x00000000007A0000-0x00000000007BC000-memory.dmp

Filesize
112KB

Download
memory/2236-272-0x0000000000000000-mapping.dmp

Download
memory/2252-258-0x000000000041E300-mapping.dmp

Download
memory/2256-367-0x000000000041E300-mapping.dmp

Download
memory/2272-334-0x000000000041E300-mapping.dmp

Download
memory/2276-451-0x000000000041E300-mapping.dmp

Download
memory/2280-479-0x00000000004D0000-0x00000000005D4000-memory.dmp

Filesize
1.0MB

Download
memory/2280-478-0x0000000000000000-mapping.dmp

Download
memory/2292-386-0x0000000000000000-mapping.dmp

Download
memory/2296-283-0x00000000008C0000-0x00000000008E2000-memory.dmp

Filesize
136KB

Download
memory/2296-281-0x0000000000000000-mapping.dmp

Download
memory/2304-260-0x0000000000000000-mapping.dmp

Download
memory/2312-344-0x0000000000000000-mapping.dmp

Download
memory/2312-346-0x00000000004C0000-0x00000000004C8000-memory.dmp

Filesize
32KB

Download
memory/2316-467-0x0000000000AB0000-0x0000000000ACA000-memory.dmp

Filesize
104KB

Download
memory/2316-466-0x0000000000000000-mapping.dmp

Download
memory/2316-262-0x0000000000000000-mapping.dmp

Download
memory/2316-264-0x00000000008C0000-0x00000000008E2000-memory.dmp

Filesize
136KB

Download
memory/2332-350-0x000000000041E300-mapping.dmp

Download
memory/2344-477-0x0000000000600000-0x000000000061A000-memory.dmp

Filesize
104KB

Download
memory/2344-476-0x0000000000000000-mapping.dmp

Download
memory/2364-267-0x000000000041E300-mapping.dmp

Download
memory/2372-359-0x0000000000140000-0x0000000000147000-memory.dmp

Filesize
28KB

Download
memory/2372-358-0x0000000000000000-mapping.dmp

Download
memory/2380-374-0x0000000000000000-mapping.dmp

Download
memory/2384-340-0x000000000041E300-mapping.dmp

Download
memory/2392-331-0x0000000000000000-mapping.dmp

Download
memory/2396-284-0x0000000000000000-mapping.dmp

Download
memory/2396-285-0x0000000000DB0000-0x0000000000DF6000-memory.dmp

Filesize
280KB

Download
memory/2404-337-0x0000000000000000-mapping.dmp

Download
memory/2420-271-0x0000000000000000-mapping.dmp

Download
memory/2428-419-0x000000000041E300-mapping.dmp

Download
memory/2440-457-0x0000000000000000-mapping.dmp

Download
memory/2468-453-0x0000000000000000-mapping.dmp

Download
memory/2468-455-0x00000000004A0000-0x00000000004AD000-memory.dmp

Filesize
52KB

Download
memory/2480-365-0x0000000000910000-0x000000000092F000-memory.dmp

Filesize
124KB

Download
memory/2480-364-0x0000000000000000-mapping.dmp

Download
memory/2488-282-0x000000000041E300-mapping.dmp

Download
memory/2496-395-0x000000000041E300-mapping.dmp

Download
memory/2516-292-0x0000000000980000-0x0000000000998000-memory.dmp

Filesize
96KB

Download
memory/2516-291-0x0000000000000000-mapping.dmp

Download
memory/2524-469-0x0000000000090000-0x0000000000096000-memory.dmp

Filesize
24KB

Download
memory/2524-468-0x0000000000000000-mapping.dmp

Download
memory/2528-432-0x000000000041E300-mapping.dmp

Download
memory/2532-425-0x0000000000000000-mapping.dmp

Download
memory/2536-295-0x0000000000000000-mapping.dmp

Download
memory/2536-296-0x0000000000BA0000-0x0000000000BA5000-memory.dmp

Filesize
20KB

Download
memory/2552-353-0x000000000041E300-mapping.dmp

Download
memory/2568-458-0x0000000000A50000-0x0000000000A5B000-memory.dmp

Filesize
44KB

Download
memory/2568-286-0x0000000000000000-mapping.dmp

Download
memory/2568-454-0x0000000000000000-mapping.dmp

Download
memory/2572-402-0x0000000000000000-mapping.dmp

Download
memory/2592-444-0x0000000000000000-mapping.dmp

Download
memory/2600-289-0x000000000041E300-mapping.dmp

Download
memory/2612-407-0x0000000000000000-mapping.dmp

Download
memory/2620-427-0x000000000041E300-mapping.dmp

Download
memory/2624-428-0x0000000000000000-mapping.dmp

Download
memory/2640-351-0x0000000000000000-mapping.dmp

Download
memory/2640-411-0x0000000000000000-mapping.dmp

Download
memory/2648-290-0x0000000000000000-mapping.dmp

Download
memory/2652-357-0x000000000041E300-mapping.dmp

Download
memory/2656-463-0x0000000000000000-mapping.dmp

Download
memory/2656-464-0x00000000003A0000-0x00000000003B8000-memory.dmp

Filesize
96KB

Download
memory/2672-437-0x0000000000000000-mapping.dmp

Download
memory/2672-439-0x00000000003A0000-0x00000000003B8000-memory.dmp

Filesize
96KB

Download
memory/2684-313-0x0000000000D80000-0x0000000000E74000-memory.dmp

Filesize
976KB

Download
memory/2684-310-0x0000000000000000-mapping.dmp

Download
memory/2696-392-0x0000000000000000-mapping.dmp

Download
memory/2712-434-0x0000000000000000-mapping.dmp

Download
memory/2712-435-0x0000000000970000-0x0000000000996000-memory.dmp

Filesize
152KB

Download
memory/2720-355-0x0000000000000000-mapping.dmp

Download
memory/2732-294-0x000000000041E300-mapping.dmp

Download
memory/2740-314-0x0000000000000000-mapping.dmp

Download
memory/2768-396-0x0000000000000000-mapping.dmp

Download
memory/2780-416-0x000000000041E300-mapping.dmp

Download
memory/2780-297-0x0000000000000000-mapping.dmp

Download
memory/2780-360-0x0000000000000000-mapping.dmp

Download
memory/2800-406-0x000000000041E300-mapping.dmp

Download
memory/2820-409-0x000000000041E300-mapping.dmp

Download
memory/2840-299-0x000000000041E300-mapping.dmp

Download
memory/2860-321-0x0000000000000000-mapping.dmp

Download
memory/2860-322-0x0000000000820000-0x000000000082D000-memory.dmp

Filesize
52KB

Download
memory/2888-398-0x000000000041E300-mapping.dmp

Download
memory/2900-300-0x0000000000000000-mapping.dmp

Download
memory/2932-302-0x000000000041E300-mapping.dmp

Download
memory/2936-424-0x000000000041E300-mapping.dmp

Download
memory/2960-363-0x0000000000000000-mapping.dmp

Download
memory/2964-303-0x0000000000000000-mapping.dmp

Download
memory/2972-377-0x0000000000AE0000-0x0000000000AEE000-memory.dmp

Filesize
56KB

Download
memory/2972-375-0x0000000000000000-mapping.dmp

Download
memory/2984-481-0x0000000000FB0000-0x0000000000FD2000-memory.dmp

Filesize
136KB

Download
memory/2984-480-0x0000000000000000-mapping.dmp

Download
memory/2996-391-0x0000000001070000-0x000000000108B000-memory.dmp

Filesize
108KB

Download
memory/2996-390-0x0000000000000000-mapping.dmp

Download
memory/3004-306-0x000000000041E300-mapping.dmp

Download
memory/3008-400-0x0000000000000000-mapping.dmp

Download
memory/3008-401-0x0000000000640000-0x000000000065F000-memory.dmp

Filesize
124KB

Download
memory/3016-376-0x0000000000000000-mapping.dmp

Download
memory/3028-329-0x0000000000000000-mapping.dmp

Download
memory/3036-325-0x0000000000000000-mapping.dmp

Download
memory/3036-328-0x0000000000620000-0x00000000008A1000-memory.dmp

Filesize
2.5MB

Download
memory/3052-370-0x0000000000000000-mapping.dmp

Download
memory/3056-307-0x0000000000000000-mapping.dmp

Download