370f3e9f42d074cd9575a0fa8df285e970dda741ae4200b54fb53f0a3145369e

Analysis

max time kernel
101s
max time network
149s
platform
windows10_x64
resource
win10v200722
submitted
28-07-2020 18:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Payment Slip.exe
Size

278KB
MD5

e2ac3d9facc2259a85c66087ff0b6a85
SHA1

b592f4eea4d6632f6f543c75d71c4749e8aa8b69
SHA256

370f3e9f42d074cd9575a0fa8df285e970dda741ae4200b54fb53f0a3145369e
SHA512

226bf723fc4094cf2ac6ca74ff9fdefc0daebe90de2d905b0b9c7acae8c9d3e3956c17f1df80d736bb2bae094d075d307c05534485eae6c51575b2939261ae4c

Score

8^/10

persistence spyware

Malware Config

Signatures

Suspicious use of SetThreadContext 193 IoCs

Processes:

Payment Slip.exeRegAsm.exePayment Slip.exePayment Slip.exeRegAsm.exeRegAsm.exePayment Slip.exeRegAsm.exePayment Slip.exePayment Slip.exeRegAsm.exeRegAsm.exePayment Slip.exeRegAsm.exePayment Slip.exeRegAsm.exePayment Slip.exeRegAsm.exePayment Slip.exeRegAsm.exePayment Slip.exeRegAsm.exePayment Slip.exeRegAsm.exePayment Slip.exeRegAsm.exePayment Slip.exemsdt.exeRegAsm.exePayment Slip.exeRegAsm.exePayment Slip.exeRegAsm.exePayment Slip.exeRegAsm.exePayment Slip.exeRegAsm.exePayment Slip.exeRegAsm.exePayment Slip.exePayment Slip.exeRegAsm.exeRegAsm.exePayment Slip.exeRegAsm.exePayment Slip.exePayment Slip.exeRegAsm.exeRegAsm.exePayment Slip.exeRegAsm.exePayment Slip.exeRegAsm.exePayment Slip.exeRegAsm.exePayment Slip.exeRegAsm.exePayment Slip.exeRegAsm.exePayment Slip.exeRegAsm.exePayment Slip.exe

description	pid	process	target process
PID 416 set thread context of 644	416	Payment Slip.exe	RegAsm.exe
PID 644 set thread context of 3040	644	RegAsm.exe	Explorer.EXE
PID 916 set thread context of 732	916	Payment Slip.exe	RegAsm.exe
PID 1180 set thread context of 1484	1180	Payment Slip.exe	RegAsm.exe
PID 732 set thread context of 3040	732	RegAsm.exe	Explorer.EXE
PID 1484 set thread context of 3040	1484	RegAsm.exe	Explorer.EXE
PID 1784 set thread context of 2108	1784	Payment Slip.exe	RegAsm.exe
PID 2108 set thread context of 3040	2108	RegAsm.exe	Explorer.EXE
PID 2528 set thread context of 2580	2528	Payment Slip.exe	RegAsm.exe
PID 3500 set thread context of 3944	3500	Payment Slip.exe	RegAsm.exe
PID 2580 set thread context of 3040	2580	RegAsm.exe	Explorer.EXE
PID 3944 set thread context of 3040	3944	RegAsm.exe	Explorer.EXE
PID 3964 set thread context of 3900	3964	Payment Slip.exe	RegAsm.exe
PID 3900 set thread context of 3040	3900	RegAsm.exe	Explorer.EXE
PID 4032 set thread context of 3108	4032	Payment Slip.exe	RegAsm.exe
PID 644 set thread context of 3040	644	RegAsm.exe	Explorer.EXE
PID 3108 set thread context of 3040	3108	RegAsm.exe	Explorer.EXE
PID 3832 set thread context of 636	3832	Payment Slip.exe	RegAsm.exe
PID 636 set thread context of 3040	636	RegAsm.exe	Explorer.EXE
PID 1636 set thread context of 1136	1636	Payment Slip.exe	RegAsm.exe
PID 1136 set thread context of 3040	1136	RegAsm.exe	Explorer.EXE
PID 1780 set thread context of 2272	1780	Payment Slip.exe	RegAsm.exe
PID 2272 set thread context of 3040	2272	RegAsm.exe	Explorer.EXE
PID 3952 set thread context of 3736	3952	Payment Slip.exe	RegAsm.exe
PID 3736 set thread context of 3040	3736	RegAsm.exe	Explorer.EXE
PID 496 set thread context of 1176	496	Payment Slip.exe	RegAsm.exe
PID 1176 set thread context of 3040	1176	RegAsm.exe	Explorer.EXE
PID 424 set thread context of 1012	424	Payment Slip.exe	RegAsm.exe
PID 1668 set thread context of 3040	1668	msdt.exe	Explorer.EXE
PID 1012 set thread context of 3040	1012	RegAsm.exe	Explorer.EXE
PID 2792 set thread context of 1628	2792	Payment Slip.exe	RegAsm.exe
PID 1628 set thread context of 3040	1628	RegAsm.exe	Explorer.EXE
PID 1860 set thread context of 1780	1860	Payment Slip.exe	RegAsm.exe
PID 1780 set thread context of 3040	1780	RegAsm.exe	Explorer.EXE
PID 3436 set thread context of 3516	3436	Payment Slip.exe	RegAsm.exe
PID 3516 set thread context of 3040	3516	RegAsm.exe	Explorer.EXE
PID 1076 set thread context of 3848	1076	Payment Slip.exe	RegAsm.exe
PID 3848 set thread context of 3040	3848	RegAsm.exe	Explorer.EXE
PID 908 set thread context of 2592	908	Payment Slip.exe	RegAsm.exe
PID 2592 set thread context of 3040	2592	RegAsm.exe	Explorer.EXE
PID 424 set thread context of 3104	424	Payment Slip.exe	RegAsm.exe
PID 3712 set thread context of 3456	3712	Payment Slip.exe	RegAsm.exe
PID 3104 set thread context of 3040	3104	RegAsm.exe	Explorer.EXE
PID 3456 set thread context of 3040	3456	RegAsm.exe	Explorer.EXE
PID 2112 set thread context of 1120	2112	Payment Slip.exe	RegAsm.exe
PID 1120 set thread context of 3040	1120	RegAsm.exe	Explorer.EXE
PID 3436 set thread context of 3276	3436	Payment Slip.exe	RegAsm.exe
PID 1004 set thread context of 1216	1004	Payment Slip.exe	RegAsm.exe
PID 3276 set thread context of 3040	3276	RegAsm.exe	Explorer.EXE
PID 1216 set thread context of 3040	1216	RegAsm.exe	Explorer.EXE
PID 3516 set thread context of 3040	3516	RegAsm.exe	Explorer.EXE
PID 3284 set thread context of 728	3284	Payment Slip.exe	RegAsm.exe
PID 728 set thread context of 3040	728	RegAsm.exe	Explorer.EXE
PID 2512 set thread context of 1180	2512	Payment Slip.exe	RegAsm.exe
PID 1180 set thread context of 3040	1180	RegAsm.exe	Explorer.EXE
PID 3820 set thread context of 2720	3820	Payment Slip.exe	RegAsm.exe
PID 2720 set thread context of 3040	2720	RegAsm.exe	Explorer.EXE
PID 496 set thread context of 3436	496	Payment Slip.exe	RegAsm.exe
PID 3436 set thread context of 3040	3436	RegAsm.exe	Explorer.EXE
PID 1372 set thread context of 492	1372	Payment Slip.exe	RegAsm.exe
PID 492 set thread context of 3040	492	RegAsm.exe	Explorer.EXE
PID 3520 set thread context of 3544	3520	Payment Slip.exe	RegAsm.exe
PID 3544 set thread context of 3040	3544	RegAsm.exe	Explorer.EXE
PID 3928 set thread context of 1080	3928	Payment Slip.exe	RegAsm.exe

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

msdt.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	msdt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\K2KDZDMXCN = "C:\\Program Files (x86)\\Kc2mxv4c\\ypxpkxrxjrzpw.exe"	msdt.exe

Gathers network information 2 TTPs 8 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

NETSTAT.EXEipconfig.exeNETSTAT.EXENETSTAT.EXENETSTAT.EXENETSTAT.EXENETSTAT.EXEipconfig.exe

pid process

2896 NETSTAT.EXE
3572 ipconfig.exe
3700 NETSTAT.EXE
4280 NETSTAT.EXE
4788 NETSTAT.EXE
3648 NETSTAT.EXE
1672 NETSTAT.EXE
3284 ipconfig.exe

pid	process
2896	NETSTAT.EXE
3572	ipconfig.exe
3700	NETSTAT.EXE
4280	NETSTAT.EXE
4788	NETSTAT.EXE
3648	NETSTAT.EXE
1672	NETSTAT.EXE
3284	ipconfig.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chkdsk.exechkdsk.exechkdsk.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	chkdsk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	chkdsk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	chkdsk.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

Drops startup file 2 IoCs

Processes:

Payment Slip.exePayment Slip.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HJdyTuap.exe	Payment Slip.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HJdyTuap.exe	Payment Slip.exe

Suspicious use of WriteProcessMemory 1028 IoCs

Processes:

Payment Slip.exePayment Slip.exePayment Slip.exeExplorer.EXEPayment Slip.exePayment Slip.exePayment Slip.exe

description	pid	process	target process
PID 416 wrote to memory of 644	416	Payment Slip.exe	RegAsm.exe
PID 416 wrote to memory of 644	416	Payment Slip.exe	RegAsm.exe
PID 416 wrote to memory of 644	416	Payment Slip.exe	RegAsm.exe
PID 416 wrote to memory of 644	416	Payment Slip.exe	RegAsm.exe
PID 416 wrote to memory of 916	416	Payment Slip.exe	Payment Slip.exe
PID 416 wrote to memory of 916	416	Payment Slip.exe	Payment Slip.exe
PID 416 wrote to memory of 916	416	Payment Slip.exe	Payment Slip.exe
PID 916 wrote to memory of 732	916	Payment Slip.exe	RegAsm.exe
PID 916 wrote to memory of 732	916	Payment Slip.exe	RegAsm.exe
PID 916 wrote to memory of 732	916	Payment Slip.exe	RegAsm.exe
PID 916 wrote to memory of 732	916	Payment Slip.exe	RegAsm.exe
PID 916 wrote to memory of 1180	916	Payment Slip.exe	Payment Slip.exe
PID 916 wrote to memory of 1180	916	Payment Slip.exe	Payment Slip.exe
PID 916 wrote to memory of 1180	916	Payment Slip.exe	Payment Slip.exe
PID 1180 wrote to memory of 1392	1180	Payment Slip.exe	RegAsm.exe
PID 1180 wrote to memory of 1392	1180	Payment Slip.exe	RegAsm.exe
PID 1180 wrote to memory of 1392	1180	Payment Slip.exe	RegAsm.exe
PID 1180 wrote to memory of 1460	1180	Payment Slip.exe	RegAsm.exe
PID 1180 wrote to memory of 1460	1180	Payment Slip.exe	RegAsm.exe
PID 1180 wrote to memory of 1460	1180	Payment Slip.exe	RegAsm.exe
PID 1180 wrote to memory of 1484	1180	Payment Slip.exe	RegAsm.exe
PID 1180 wrote to memory of 1484	1180	Payment Slip.exe	RegAsm.exe
PID 1180 wrote to memory of 1484	1180	Payment Slip.exe	RegAsm.exe
PID 1180 wrote to memory of 1484	1180	Payment Slip.exe	RegAsm.exe
PID 3040 wrote to memory of 1668	3040	Explorer.EXE	msdt.exe
PID 3040 wrote to memory of 1668	3040	Explorer.EXE	msdt.exe
PID 3040 wrote to memory of 1668	3040	Explorer.EXE	msdt.exe
PID 1180 wrote to memory of 1784	1180	Payment Slip.exe	Payment Slip.exe
PID 1180 wrote to memory of 1784	1180	Payment Slip.exe	Payment Slip.exe
PID 1180 wrote to memory of 1784	1180	Payment Slip.exe	Payment Slip.exe
PID 3040 wrote to memory of 2044	3040	Explorer.EXE	control.exe
PID 3040 wrote to memory of 2044	3040	Explorer.EXE	control.exe
PID 3040 wrote to memory of 2044	3040	Explorer.EXE	control.exe
PID 1784 wrote to memory of 2052	1784	Payment Slip.exe	RegAsm.exe
PID 1784 wrote to memory of 2052	1784	Payment Slip.exe	RegAsm.exe
PID 1784 wrote to memory of 2052	1784	Payment Slip.exe	RegAsm.exe
PID 1784 wrote to memory of 2108	1784	Payment Slip.exe	RegAsm.exe
PID 1784 wrote to memory of 2108	1784	Payment Slip.exe	RegAsm.exe
PID 1784 wrote to memory of 2108	1784	Payment Slip.exe	RegAsm.exe
PID 1784 wrote to memory of 2108	1784	Payment Slip.exe	RegAsm.exe
PID 1784 wrote to memory of 2528	1784	Payment Slip.exe	Payment Slip.exe
PID 1784 wrote to memory of 2528	1784	Payment Slip.exe	Payment Slip.exe
PID 1784 wrote to memory of 2528	1784	Payment Slip.exe	Payment Slip.exe
PID 3040 wrote to memory of 2572	3040	Explorer.EXE	mstsc.exe
PID 3040 wrote to memory of 2572	3040	Explorer.EXE	mstsc.exe
PID 3040 wrote to memory of 2572	3040	Explorer.EXE	mstsc.exe
PID 2528 wrote to memory of 2576	2528	Payment Slip.exe	RegAsm.exe
PID 2528 wrote to memory of 2576	2528	Payment Slip.exe	RegAsm.exe
PID 2528 wrote to memory of 2576	2528	Payment Slip.exe	RegAsm.exe
PID 2528 wrote to memory of 2580	2528	Payment Slip.exe	RegAsm.exe
PID 2528 wrote to memory of 2580	2528	Payment Slip.exe	RegAsm.exe
PID 2528 wrote to memory of 2580	2528	Payment Slip.exe	RegAsm.exe
PID 2528 wrote to memory of 2580	2528	Payment Slip.exe	RegAsm.exe
PID 2528 wrote to memory of 3500	2528	Payment Slip.exe	Payment Slip.exe
PID 2528 wrote to memory of 3500	2528	Payment Slip.exe	Payment Slip.exe
PID 2528 wrote to memory of 3500	2528	Payment Slip.exe	Payment Slip.exe
PID 3500 wrote to memory of 3944	3500	Payment Slip.exe	RegAsm.exe
PID 3500 wrote to memory of 3944	3500	Payment Slip.exe	RegAsm.exe
PID 3500 wrote to memory of 3944	3500	Payment Slip.exe	RegAsm.exe
PID 3500 wrote to memory of 3944	3500	Payment Slip.exe	RegAsm.exe
PID 3040 wrote to memory of 3288	3040	Explorer.EXE	colorcpl.exe
PID 3040 wrote to memory of 3288	3040	Explorer.EXE	colorcpl.exe
PID 3040 wrote to memory of 3288	3040	Explorer.EXE	colorcpl.exe
PID 3500 wrote to memory of 3964	3500	Payment Slip.exe	Payment Slip.exe

Suspicious behavior: MapViewOfSection 409 IoCs

Processes:

Payment Slip.exeRegAsm.exePayment Slip.exeRegAsm.exePayment Slip.exeRegAsm.exePayment Slip.exeRegAsm.exePayment Slip.exePayment Slip.exeRegAsm.exeRegAsm.exePayment Slip.exeRegAsm.exePayment Slip.exeRegAsm.exePayment Slip.exeRegAsm.exePayment Slip.exeRegAsm.exePayment Slip.exemsdt.exeRegAsm.exePayment Slip.exeRegAsm.exePayment Slip.exeRegAsm.exePayment Slip.exeRegAsm.exe

pid	process
416	Payment Slip.exe
644	RegAsm.exe
916	Payment Slip.exe
732	RegAsm.exe
1180	Payment Slip.exe
1180	Payment Slip.exe
1180	Payment Slip.exe
1484	RegAsm.exe
1784	Payment Slip.exe
1784	Payment Slip.exe
2108	RegAsm.exe
2528	Payment Slip.exe
2528	Payment Slip.exe
3500	Payment Slip.exe
2580	RegAsm.exe
3944	RegAsm.exe
3964	Payment Slip.exe
732	RegAsm.exe
732	RegAsm.exe
3900	RegAsm.exe
1484	RegAsm.exe
1484	RegAsm.exe
4032	Payment Slip.exe
4032	Payment Slip.exe
644	RegAsm.exe
2108	RegAsm.exe
2108	RegAsm.exe
3108	RegAsm.exe
2580	RegAsm.exe
2580	RegAsm.exe
3832	Payment Slip.exe
3944	RegAsm.exe
3944	RegAsm.exe
636	RegAsm.exe
3900	RegAsm.exe
3900	RegAsm.exe
1636	Payment Slip.exe
1636	Payment Slip.exe
644	RegAsm.exe
644	RegAsm.exe
1136	RegAsm.exe
3108	RegAsm.exe
3108	RegAsm.exe
1780	Payment Slip.exe
1668	msdt.exe
636	RegAsm.exe
636	RegAsm.exe
2272	RegAsm.exe
3952	Payment Slip.exe
3736	RegAsm.exe
496	Payment Slip.exe
1136	RegAsm.exe
1136	RegAsm.exe
1176	RegAsm.exe
2272	RegAsm.exe
2272	RegAsm.exe
424	Payment Slip.exe
3736	RegAsm.exe
3736	RegAsm.exe
1668	msdt.exe
1012	RegAsm.exe
1176	RegAsm.exe
1176	RegAsm.exe
1668	msdt.exe

Suspicious use of AdjustPrivilegeToken 280 IoCs

Processes:

Payment Slip.exeRegAsm.exePayment Slip.exeRegAsm.exePayment Slip.exeRegAsm.exePayment Slip.exeRegAsm.exePayment Slip.exeRegAsm.exePayment Slip.exeRegAsm.exePayment Slip.exeRegAsm.exePayment Slip.exemsdt.exeRegAsm.execontrol.exemstsc.exePayment Slip.execolorcpl.exeRegAsm.exemstsc.exePayment Slip.exeRegAsm.exeexplorer.exeNETSTAT.EXEPayment Slip.exeexplorer.exeRegAsm.exePayment Slip.execolorcpl.exeRegAsm.exePayment Slip.exeRegAsm.exemsiexec.exePayment Slip.exemsdt.exeRegAsm.execmd.exePayment Slip.execmmon32.exeRegAsm.exePayment Slip.exeRegAsm.exePayment Slip.exeRegAsm.execscript.exePayment Slip.exeRegAsm.exePayment Slip.execmmon32.exeRegAsm.exeNETSTAT.EXEPayment Slip.exeRegAsm.exePayment Slip.exeRegAsm.exePayment Slip.exeRegAsm.exePayment Slip.exerundll32.exeRegAsm.exePayment Slip.exe

description	pid	process
Token: SeDebugPrivilege	416	Payment Slip.exe
Token: SeDebugPrivilege	644	RegAsm.exe
Token: SeDebugPrivilege	916	Payment Slip.exe
Token: SeDebugPrivilege	732	RegAsm.exe
Token: SeDebugPrivilege	1180	Payment Slip.exe
Token: SeDebugPrivilege	1484	RegAsm.exe
Token: SeDebugPrivilege	1784	Payment Slip.exe
Token: SeDebugPrivilege	2108	RegAsm.exe
Token: SeDebugPrivilege	2528	Payment Slip.exe
Token: SeDebugPrivilege	2580	RegAsm.exe
Token: SeDebugPrivilege	3500	Payment Slip.exe
Token: SeDebugPrivilege	3944	RegAsm.exe
Token: SeDebugPrivilege	3964	Payment Slip.exe
Token: SeDebugPrivilege	3900	RegAsm.exe
Token: SeDebugPrivilege	4032	Payment Slip.exe
Token: SeDebugPrivilege	1668	msdt.exe
Token: SeDebugPrivilege	3108	RegAsm.exe
Token: SeDebugPrivilege	2044	control.exe
Token: SeDebugPrivilege	2572	mstsc.exe
Token: SeDebugPrivilege	3832	Payment Slip.exe
Token: SeDebugPrivilege	3288	colorcpl.exe
Token: SeDebugPrivilege	636	RegAsm.exe
Token: SeDebugPrivilege	4012	mstsc.exe
Token: SeDebugPrivilege	1636	Payment Slip.exe
Token: SeDebugPrivilege	1136	RegAsm.exe
Token: SeDebugPrivilege	2176	explorer.exe
Token: SeDebugPrivilege	3648	NETSTAT.EXE
Token: SeDebugPrivilege	1780	Payment Slip.exe
Token: SeDebugPrivilege	3524	explorer.exe
Token: SeDebugPrivilege	2272	RegAsm.exe
Token: SeDebugPrivilege	3952	Payment Slip.exe
Token: SeDebugPrivilege	864	colorcpl.exe
Token: SeDebugPrivilege	3736	RegAsm.exe
Token: SeDebugPrivilege	496	Payment Slip.exe
Token: SeDebugPrivilege	1176	RegAsm.exe
Token: SeDebugPrivilege	1676	msiexec.exe
Token: SeDebugPrivilege	424	Payment Slip.exe
Token: SeDebugPrivilege	2612	msdt.exe
Token: SeDebugPrivilege	1012	RegAsm.exe
Token: SeDebugPrivilege	3836	cmd.exe
Token: SeDebugPrivilege	2792	Payment Slip.exe
Token: SeDebugPrivilege	3640	cmmon32.exe
Token: SeDebugPrivilege	1628	RegAsm.exe
Token: SeDebugPrivilege	1860	Payment Slip.exe
Token: SeDebugPrivilege	1780	RegAsm.exe
Token: SeDebugPrivilege	3436	Payment Slip.exe
Token: SeDebugPrivilege	3516	RegAsm.exe
Token: SeDebugPrivilege	1788	cscript.exe
Token: SeDebugPrivilege	1076	Payment Slip.exe
Token: SeDebugPrivilege	3848	RegAsm.exe
Token: SeDebugPrivilege	908	Payment Slip.exe
Token: SeDebugPrivilege	1156	cmmon32.exe
Token: SeDebugPrivilege	2592	RegAsm.exe
Token: SeDebugPrivilege	1672	NETSTAT.EXE
Token: SeDebugPrivilege	424	Payment Slip.exe
Token: SeDebugPrivilege	3104	RegAsm.exe
Token: SeDebugPrivilege	3712	Payment Slip.exe
Token: SeDebugPrivilege	3456	RegAsm.exe
Token: SeDebugPrivilege	2112	Payment Slip.exe
Token: SeDebugPrivilege	1120	RegAsm.exe
Token: SeDebugPrivilege	3436	Payment Slip.exe
Token: SeDebugPrivilege	3028	rundll32.exe
Token: SeDebugPrivilege	3276	RegAsm.exe
Token: SeDebugPrivilege	1004	Payment Slip.exe

Suspicious behavior: EnumeratesProcesses 25130 IoCs

Processes:

Payment Slip.exeRegAsm.exe

pid	process
416	Payment Slip.exe
416	Payment Slip.exe
416	Payment Slip.exe
416	Payment Slip.exe
416	Payment Slip.exe
416	Payment Slip.exe
416	Payment Slip.exe
416	Payment Slip.exe
416	Payment Slip.exe
416	Payment Slip.exe
416	Payment Slip.exe
416	Payment Slip.exe
416	Payment Slip.exe
416	Payment Slip.exe
416	Payment Slip.exe
416	Payment Slip.exe
416	Payment Slip.exe
416	Payment Slip.exe
416	Payment Slip.exe
416	Payment Slip.exe
416	Payment Slip.exe
416	Payment Slip.exe
416	Payment Slip.exe
416	Payment Slip.exe
416	Payment Slip.exe
416	Payment Slip.exe
416	Payment Slip.exe
416	Payment Slip.exe
416	Payment Slip.exe
416	Payment Slip.exe
416	Payment Slip.exe
416	Payment Slip.exe
416	Payment Slip.exe
416	Payment Slip.exe
416	Payment Slip.exe
416	Payment Slip.exe
416	Payment Slip.exe
416	Payment Slip.exe
416	Payment Slip.exe
416	Payment Slip.exe
416	Payment Slip.exe
416	Payment Slip.exe
416	Payment Slip.exe
416	Payment Slip.exe
416	Payment Slip.exe
416	Payment Slip.exe
416	Payment Slip.exe
416	Payment Slip.exe
416	Payment Slip.exe
416	Payment Slip.exe
416	Payment Slip.exe
416	Payment Slip.exe
416	Payment Slip.exe
416	Payment Slip.exe
416	Payment Slip.exe
416	Payment Slip.exe
416	Payment Slip.exe
416	Payment Slip.exe
644	RegAsm.exe
416	Payment Slip.exe
416	Payment Slip.exe
416	Payment Slip.exe
416	Payment Slip.exe
416	Payment Slip.exe

System policy modification 1 TTPs 1 IoCs
evasion

Modify Registry
T1112

Processes:

msdt.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer msdt.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	msdt.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

msdt.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-1400429095-533421673-2598934218-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	msdt.exe

Drops file in Program Files directory 1 IoCs

Processes:

msdt.exe

description ioc process

File opened for modification C:\Program Files (x86)\Kc2mxv4c\ypxpkxrxjrzpw.exe msdt.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Kc2mxv4c\ypxpkxrxjrzpw.exe	msdt.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:3040

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
2⤵
- Suspicious use of SetThreadContext
- Drops startup file
- Suspicious use of WriteProcessMemory
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
PID:416

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
PID:644

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
3⤵
- Suspicious use of SetThreadContext
- Drops startup file
- Suspicious use of WriteProcessMemory
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:916

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:732

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
4⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1180

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
5⤵
PID:1392

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
5⤵
PID:1460

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
5⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1484

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
5⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1784

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
6⤵
PID:2052

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
6⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2108

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
6⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2528

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
7⤵
PID:2576

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
7⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2580

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
7⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3500

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
8⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3944

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
8⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3964

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
9⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3900

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
9⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4032

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
10⤵
PID:4052

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
10⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3108

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
10⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3832

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
11⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:636

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
11⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1636

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
12⤵
PID:700

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
12⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1136

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
12⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1780

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
13⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2272

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
13⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3952

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
14⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3736

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
14⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:496

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
15⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1176

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
15⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:424

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
16⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1012

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
16⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2792

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
17⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1628

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
17⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1860

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
18⤵
PID:3104

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
18⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1780

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
18⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:3436

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
19⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:3516

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
19⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1076

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
20⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:3848

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
20⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:908

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
21⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2592

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
21⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:424

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
22⤵
PID:3840

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
22⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:3104

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
22⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:3712

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
23⤵
PID:2508

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
23⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:3456

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
23⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2112

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
24⤵
PID:3664

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
24⤵
PID:2776

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
24⤵
PID:3088

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
24⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1120

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
24⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:3436

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
25⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:3276

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
25⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1004

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
26⤵
PID:496

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
26⤵
- Suspicious use of SetThreadContext
PID:1216

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
26⤵
- Suspicious use of SetThreadContext
PID:3284

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
27⤵
- Suspicious use of SetThreadContext
PID:728

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
27⤵
- Suspicious use of SetThreadContext
PID:2512

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
28⤵
- Suspicious use of SetThreadContext
PID:1180

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
28⤵
- Suspicious use of SetThreadContext
PID:3820

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
29⤵
- Suspicious use of SetThreadContext
PID:2720

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
29⤵
- Suspicious use of SetThreadContext
PID:496

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
30⤵
- Suspicious use of SetThreadContext
PID:3436

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
30⤵
- Suspicious use of SetThreadContext
PID:1372

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
31⤵
- Suspicious use of SetThreadContext
PID:492

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
31⤵
- Suspicious use of SetThreadContext
PID:3520

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
32⤵
PID:2140

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
32⤵
- Suspicious use of SetThreadContext
PID:3544

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
32⤵
- Suspicious use of SetThreadContext
PID:3928

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
33⤵
PID:1080

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
33⤵
PID:3860

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
34⤵
PID:1360

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
34⤵
PID:2764

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
34⤵
PID:3020

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
35⤵
PID:3452

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
35⤵
PID:1476

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
36⤵
PID:3052

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
36⤵
PID:1376

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
37⤵
PID:1256

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
37⤵
PID:2372

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
38⤵
PID:3880

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
38⤵
PID:1488

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
39⤵
PID:2628

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
39⤵
PID:1828

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
39⤵
PID:1000

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
40⤵
PID:640

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
40⤵
PID:3348

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
41⤵
PID:1592

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
41⤵
PID:2632

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
42⤵
PID:3980

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
42⤵
PID:3664

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe"
43⤵
PID:4396

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
42⤵
PID:3964

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
43⤵
PID:1488

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
43⤵
PID:2824

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
44⤵
PID:3940

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
44⤵
PID:1168

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
44⤵
PID:2792

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
45⤵
PID:1948

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
45⤵
PID:2268

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
45⤵
PID:3720

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
46⤵
PID:3924

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
46⤵
PID:3700

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
47⤵
PID:3980

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
47⤵
PID:1992

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
48⤵
PID:2824

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
48⤵
PID:3528

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
49⤵
PID:3776

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
49⤵
PID:2792

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
50⤵
PID:1476

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
50⤵
PID:1048

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
51⤵
PID:944

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
51⤵
PID:4040

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
52⤵
PID:1372

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
52⤵
PID:2632

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
53⤵
PID:1632

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
53⤵
PID:2784

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
53⤵
PID:1440

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
53⤵
PID:4184

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
54⤵
PID:4216

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
54⤵
PID:4284

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
55⤵
PID:4336

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
55⤵
PID:4416

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
56⤵
PID:4484

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
56⤵
PID:4588

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
57⤵
PID:4624

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
57⤵
PID:4632

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
57⤵
PID:4700

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
58⤵
PID:4752

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
58⤵
PID:4812

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
59⤵
PID:4852

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
59⤵
PID:4928

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
60⤵
PID:4960

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
60⤵
PID:4968

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
60⤵
PID:5016

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
61⤵
PID:5068

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
61⤵
PID:3860

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
62⤵
PID:3020

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
62⤵
PID:4232

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
63⤵
PID:3820

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
63⤵
PID:1636

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
64⤵
PID:4148

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
64⤵
PID:4160

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
64⤵
PID:4168

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
64⤵
PID:2632

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
64⤵
PID:4460

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
65⤵
PID:4264

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
65⤵
PID:4272

C:\Windows\SysWOW64\help.exe
"C:\Windows\SysWOW64\help.exe"
66⤵
PID:5044

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
65⤵
PID:4220

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
66⤵
PID:4380

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
66⤵
PID:4448

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
67⤵
PID:4576

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
67⤵
PID:4820

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
68⤵
PID:4676

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
68⤵
PID:4884

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
69⤵
PID:4736

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
69⤵
PID:5024

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
70⤵
PID:4836

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
70⤵
PID:4932

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
71⤵
PID:5000

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
71⤵
PID:5040

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
72⤵
PID:3840

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
72⤵
PID:4224

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
73⤵
PID:60

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
73⤵
PID:2784

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
74⤵
PID:4516

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
74⤵
PID:4404

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
75⤵
PID:1992

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
75⤵
PID:4368

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
75⤵
PID:4668

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
76⤵
PID:4468

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
76⤵
PID:4588

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
77⤵
PID:4552

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
77⤵
PID:4600

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
78⤵
PID:4384

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
78⤵
PID:5080

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
78⤵
PID:4960

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
79⤵
PID:5036

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
79⤵
PID:812

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
80⤵
PID:3032

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
80⤵
PID:4132

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
81⤵
PID:4296

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
81⤵
PID:4416

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
82⤵
PID:4040

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
82⤵
PID:4240

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
82⤵
PID:4396

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
82⤵
PID:4764

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
83⤵
PID:4748

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
83⤵
PID:4672

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
84⤵
PID:4260

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
84⤵
PID:4500

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
85⤵
PID:4472

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
85⤵
PID:4248

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
86⤵
PID:1804

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
86⤵
PID:4504

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
86⤵
PID:4144

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
86⤵
PID:4104

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
87⤵
PID:2264

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
87⤵
PID:1300

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
88⤵
PID:5108

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
88⤵
PID:4264

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
89⤵
PID:2784

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
89⤵
PID:4684

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
90⤵
PID:2688

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
90⤵
PID:3768

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
91⤵
PID:4604

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
91⤵
PID:4640

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
92⤵
PID:4528

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
92⤵
PID:2372

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
93⤵
PID:4344

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
93⤵
PID:5004

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
93⤵
PID:4612

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
94⤵
PID:3808

C:\Windows\SysWOW64\msdt.exe
"C:\Windows\SysWOW64\msdt.exe"
2⤵
- Suspicious use of SetThreadContext
- Adds policy Run key to start application
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- System policy modification
- Modifies Internet Explorer settings
- Drops file in Program Files directory
PID:1668

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:4028

C:\Windows\SysWOW64\cmd.exe
/c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
3⤵
PID:4308

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:3512

C:\Windows\SysWOW64\control.exe
"C:\Windows\SysWOW64\control.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2044

C:\Windows\SysWOW64\mstsc.exe
"C:\Windows\SysWOW64\mstsc.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2572

C:\Windows\SysWOW64\colorcpl.exe
"C:\Windows\SysWOW64\colorcpl.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3288

C:\Windows\SysWOW64\mstsc.exe
"C:\Windows\SysWOW64\mstsc.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4012

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\SysWOW64\explorer.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2176

C:\Windows\SysWOW64\NETSTAT.EXE
"C:\Windows\SysWOW64\NETSTAT.EXE"
2⤵
- Gathers network information
- Suspicious use of AdjustPrivilegeToken
PID:3648

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\SysWOW64\explorer.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3524

C:\Windows\SysWOW64\colorcpl.exe
"C:\Windows\SysWOW64\colorcpl.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:864

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\SysWOW64\msiexec.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1676

C:\Windows\SysWOW64\msdt.exe
"C:\Windows\SysWOW64\msdt.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2612

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3836

C:\Windows\SysWOW64\cmmon32.exe
"C:\Windows\SysWOW64\cmmon32.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3640

C:\Windows\SysWOW64\cscript.exe
"C:\Windows\SysWOW64\cscript.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1788

C:\Windows\SysWOW64\cmmon32.exe
"C:\Windows\SysWOW64\cmmon32.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1156

C:\Windows\SysWOW64\NETSTAT.EXE
"C:\Windows\SysWOW64\NETSTAT.EXE"
2⤵
- Gathers network information
- Suspicious use of AdjustPrivilegeToken
PID:1672

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3028

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:1168

C:\Windows\SysWOW64\colorcpl.exe
"C:\Windows\SysWOW64\colorcpl.exe"
2⤵
PID:2240

C:\Windows\SysWOW64\colorcpl.exe
"C:\Windows\SysWOW64\colorcpl.exe"
2⤵
PID:2204

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe"
2⤵
PID:4056

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\SysWOW64\explorer.exe"
2⤵
PID:2576

C:\Windows\SysWOW64\wscript.exe
"C:\Windows\SysWOW64\wscript.exe"
2⤵
PID:1224

C:\Windows\SysWOW64\cscript.exe
"C:\Windows\SysWOW64\cscript.exe"
2⤵
PID:500

C:\Windows\SysWOW64\cscript.exe
"C:\Windows\SysWOW64\cscript.exe"
2⤵
PID:3832

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\SysWOW64\netsh.exe"
2⤵
PID:3084

C:\Windows\SysWOW64\chkdsk.exe
"C:\Windows\SysWOW64\chkdsk.exe"
2⤵
- Enumerates system info in registry
PID:2052

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:3348

C:\Windows\SysWOW64\help.exe
"C:\Windows\SysWOW64\help.exe"
2⤵
PID:808

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:3700

C:\Windows\SysWOW64\wscript.exe
"C:\Windows\SysWOW64\wscript.exe"
2⤵
PID:2112

C:\Windows\SysWOW64\wlanext.exe
"C:\Windows\SysWOW64\wlanext.exe"
2⤵
PID:3904

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe"
2⤵
PID:1460

C:\Windows\SysWOW64\cscript.exe
"C:\Windows\SysWOW64\cscript.exe"
2⤵
PID:1304

C:\Windows\SysWOW64\help.exe
"C:\Windows\SysWOW64\help.exe"
2⤵
PID:1680

C:\Windows\SysWOW64\wscript.exe
"C:\Windows\SysWOW64\wscript.exe"
2⤵
PID:3060

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:2512

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\SysWOW64\netsh.exe"
2⤵
PID:1056

C:\Windows\SysWOW64\wscript.exe
"C:\Windows\SysWOW64\wscript.exe"
2⤵
PID:424

C:\Windows\SysWOW64\chkdsk.exe
"C:\Windows\SysWOW64\chkdsk.exe"
2⤵
- Enumerates system info in registry
PID:2524

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:3712

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\SysWOW64\msiexec.exe"
2⤵
PID:2144

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\SysWOW64\msiexec.exe"
2⤵
PID:1396

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\SysWOW64\msiexec.exe"
2⤵
PID:4024

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:3284

C:\Windows\SysWOW64\systray.exe
"C:\Windows\SysWOW64\systray.exe"
2⤵
PID:912

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe"
2⤵
PID:3348

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe"
2⤵
PID:1116

C:\Windows\SysWOW64\cmmon32.exe
"C:\Windows\SysWOW64\cmmon32.exe"
2⤵
PID:2324

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:2208

C:\Windows\SysWOW64\cscript.exe
"C:\Windows\SysWOW64\cscript.exe"
2⤵
PID:3912

C:\Windows\SysWOW64\ipconfig.exe
"C:\Windows\SysWOW64\ipconfig.exe"
2⤵
- Gathers network information
PID:3284

C:\Windows\SysWOW64\NETSTAT.EXE
"C:\Windows\SysWOW64\NETSTAT.EXE"
2⤵
- Gathers network information
PID:2896

C:\Windows\SysWOW64\cscript.exe
"C:\Windows\SysWOW64\cscript.exe"
2⤵
PID:3940

C:\Windows\SysWOW64\ipconfig.exe
"C:\Windows\SysWOW64\ipconfig.exe"
2⤵
- Gathers network information
PID:3572

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe"
2⤵
PID:4136

C:\Windows\SysWOW64\mstsc.exe
"C:\Windows\SysWOW64\mstsc.exe"
2⤵
PID:4172

C:\Windows\SysWOW64\wscript.exe
"C:\Windows\SysWOW64\wscript.exe"
2⤵
PID:4320

C:\Windows\SysWOW64\msdt.exe
"C:\Windows\SysWOW64\msdt.exe"
2⤵
PID:4440

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\SysWOW64\svchost.exe"
2⤵
PID:4568

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\SysWOW64\netsh.exe"
2⤵
PID:4712

C:\Windows\SysWOW64\cmstp.exe
"C:\Windows\SysWOW64\cmstp.exe"
2⤵
PID:4824

C:\Windows\SysWOW64\raserver.exe
"C:\Windows\SysWOW64\raserver.exe"
2⤵
PID:4916

C:\Windows\SysWOW64\control.exe
"C:\Windows\SysWOW64\control.exe"
2⤵
PID:5088

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\SysWOW64\msiexec.exe"
2⤵
PID:2308

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\SysWOW64\msiexec.exe"
2⤵
PID:1480

C:\Windows\SysWOW64\NETSTAT.EXE
"C:\Windows\SysWOW64\NETSTAT.EXE"
2⤵
- Gathers network information
PID:3700

C:\Windows\SysWOW64\NETSTAT.EXE
"C:\Windows\SysWOW64\NETSTAT.EXE"
2⤵
- Gathers network information
PID:4280

C:\Windows\SysWOW64\cmmon32.exe
"C:\Windows\SysWOW64\cmmon32.exe"
2⤵
PID:4624

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\SysWOW64\netsh.exe"
2⤵
PID:4488

C:\Windows\SysWOW64\NETSTAT.EXE
"C:\Windows\SysWOW64\NETSTAT.EXE"
2⤵
- Gathers network information
PID:4788

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe"
2⤵
PID:4896

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe"
2⤵
PID:4116

C:\Windows\SysWOW64\wlanext.exe
"C:\Windows\SysWOW64\wlanext.exe"
2⤵
PID:4124

C:\Windows\SysWOW64\colorcpl.exe
"C:\Windows\SysWOW64\colorcpl.exe"
2⤵
PID:4244

C:\Windows\SysWOW64\cmstp.exe
"C:\Windows\SysWOW64\cmstp.exe"
2⤵
PID:4536

C:\Windows\SysWOW64\msdt.exe
"C:\Windows\SysWOW64\msdt.exe"
2⤵
PID:4580

C:\Windows\SysWOW64\colorcpl.exe
"C:\Windows\SysWOW64\colorcpl.exe"
2⤵
PID:4220

C:\Windows\SysWOW64\cmmon32.exe
"C:\Windows\SysWOW64\cmmon32.exe"
2⤵
PID:5008

C:\Windows\SysWOW64\chkdsk.exe
"C:\Windows\SysWOW64\chkdsk.exe"
2⤵
- Enumerates system info in registry
PID:4728

C:\Windows\SysWOW64\help.exe
"C:\Windows\SysWOW64\help.exe"
2⤵
PID:4112

C:\Windows\SysWOW64\wlanext.exe
"C:\Windows\SysWOW64\wlanext.exe"
2⤵
PID:4948

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe"
2⤵
PID:1948

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\SysWOW64\netsh.exe"
2⤵
PID:4596

C:\Windows\SysWOW64\cmmon32.exe
"C:\Windows\SysWOW64\cmmon32.exe"
2⤵
PID:4352

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe"
2⤵
PID:4804

C:\Windows\SysWOW64\msdt.exe
"C:\Windows\SysWOW64\msdt.exe"
2⤵
PID:4912

C:\Windows\SysWOW64\raserver.exe
"C:\Windows\SysWOW64\raserver.exe"
2⤵
PID:5084

C:\Windows\SysWOW64\wscript.exe
"C:\Windows\SysWOW64\wscript.exe"
2⤵
PID:4348

C:\Windows\SysWOW64\help.exe
"C:\Windows\SysWOW64\help.exe"
2⤵
PID:4148

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\SysWOW64\msiexec.exe"
2⤵
PID:4240

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:4376

C:\Windows\SysWOW64\control.exe
"C:\Windows\SysWOW64\control.exe"
2⤵
PID:4840

C:\Windows\SysWOW64\cmstp.exe
"C:\Windows\SysWOW64\cmstp.exe"
2⤵
PID:4808

C:\Windows\SysWOW64\wlanext.exe
"C:\Windows\SysWOW64\wlanext.exe"
2⤵
PID:4868

C:\Windows\SysWOW64\control.exe
"C:\Windows\SysWOW64\control.exe"
2⤵
PID:4812

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:4364

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:5056

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:4548

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:4932

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:1400

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:4760

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:4996

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:4992

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:3048

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:5096

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:1000

C:\Windows\SysWOW64\cmstp.exe
"C:\Windows\SysWOW64\cmstp.exe"
2⤵
PID:4228

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\SysWOW64\svchost.exe"
2⤵
PID:1852

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DB1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HJdyTuap.exe

Download Submit
memory/60-448-0x000000000041E300-mapping.dmp

Download
memory/424-249-0x00000000008F0000-0x0000000000917000-memory.dmp

Filesize
156KB

Download
memory/424-248-0x00000000008F0000-0x0000000000917000-memory.dmp

Filesize
156KB

Download
memory/424-247-0x0000000000000000-mapping.dmp

Download
memory/424-117-0x0000000000000000-mapping.dmp

Download
memory/424-78-0x0000000000000000-mapping.dmp

Download
memory/492-181-0x000000000041E300-mapping.dmp

Download
memory/496-173-0x0000000000000000-mapping.dmp

Download
memory/496-70-0x0000000000000000-mapping.dmp

Download
memory/500-167-0x0000000000000000-mapping.dmp

Download
memory/500-171-0x00000000008D0000-0x00000000008F7000-memory.dmp

Filesize
156KB

Download
memory/500-169-0x00000000008D0000-0x00000000008F7000-memory.dmp

Filesize
156KB

Download
memory/636-43-0x000000000041E300-mapping.dmp

Download
memory/640-234-0x000000000041E300-mapping.dmp

Download
memory/644-0-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/644-1-0x000000000041E300-mapping.dmp

Download
memory/728-148-0x000000000041E300-mapping.dmp

Download
memory/732-4-0x000000000041E300-mapping.dmp

Download
memory/808-202-0x00000000013D0000-0x00000000013D7000-memory.dmp

Filesize
28KB

Download
memory/808-200-0x0000000000000000-mapping.dmp

Download
memory/808-201-0x00000000013D0000-0x00000000013D7000-memory.dmp

Filesize
28KB

Download
memory/812-499-0x0000000000000000-mapping.dmp

Download
memory/864-65-0x00000000002A0000-0x00000000002B9000-memory.dmp

Filesize
100KB

Download
memory/864-64-0x0000000000000000-mapping.dmp

Download
memory/864-66-0x00000000002A0000-0x00000000002B9000-memory.dmp

Filesize
100KB

Download
memory/908-111-0x0000000000000000-mapping.dmp

Download
memory/912-279-0x0000000000000000-mapping.dmp

Download
memory/912-280-0x0000000000830000-0x0000000000836000-memory.dmp

Filesize
24KB

Download
memory/912-281-0x0000000000830000-0x0000000000836000-memory.dmp

Filesize
24KB

Download
memory/916-2-0x0000000000000000-mapping.dmp

Download
memory/944-302-0x000000000041E300-mapping.dmp

Download
memory/1000-231-0x0000000000000000-mapping.dmp

Download
memory/1004-134-0x0000000000000000-mapping.dmp

Download
memory/1012-83-0x000000000041E300-mapping.dmp

Download
memory/1048-300-0x0000000000000000-mapping.dmp

Download
memory/1056-241-0x0000000000830000-0x000000000084E000-memory.dmp

Filesize
120KB

Download
memory/1056-240-0x0000000000000000-mapping.dmp

Download
memory/1056-242-0x0000000000830000-0x000000000084E000-memory.dmp

Filesize
120KB

Download
memory/1076-105-0x0000000000000000-mapping.dmp

Download
memory/1080-191-0x000000000041E300-mapping.dmp

Download
memory/1116-293-0x0000000000DE0000-0x0000000000DF3000-memory.dmp

Filesize
76KB

Download
memory/1116-292-0x0000000000DE0000-0x0000000000DF3000-memory.dmp

Filesize
76KB

Download
memory/1116-291-0x0000000000000000-mapping.dmp

Download
memory/1120-127-0x000000000041E300-mapping.dmp

Download
memory/1136-52-0x000000000041E300-mapping.dmp

Download
memory/1156-110-0x00000000003E0000-0x00000000003EC000-memory.dmp

Filesize
48KB

Download
memory/1156-109-0x00000000003E0000-0x00000000003EC000-memory.dmp

Filesize
48KB

Download
memory/1156-108-0x0000000000000000-mapping.dmp

Download
memory/1168-263-0x000000000041E300-mapping.dmp

Download
memory/1176-73-0x000000000041E300-mapping.dmp

Download
memory/1180-158-0x000000000041E300-mapping.dmp

Download
memory/1180-5-0x0000000000000000-mapping.dmp

Download
memory/1216-140-0x000000000041E300-mapping.dmp

Download
memory/1224-159-0x0000000000000000-mapping.dmp

Download
memory/1224-162-0x00000000008F0000-0x0000000000917000-memory.dmp

Filesize
156KB

Download
memory/1224-161-0x00000000008F0000-0x0000000000917000-memory.dmp

Filesize
156KB

Download
memory/1256-213-0x000000000041E300-mapping.dmp

Download
memory/1300-560-0x0000000000000000-mapping.dmp

Download
memory/1304-225-0x0000000000000000-mapping.dmp

Download
memory/1304-226-0x00000000008D0000-0x00000000008F7000-memory.dmp

Filesize
156KB

Download
memory/1304-228-0x00000000008D0000-0x00000000008F7000-memory.dmp

Filesize
156KB

Download
memory/1372-307-0x000000000041E300-mapping.dmp

Download
memory/1372-179-0x0000000000000000-mapping.dmp

Download
memory/1376-210-0x0000000000000000-mapping.dmp

Download
memory/1396-262-0x0000000000180000-0x0000000000192000-memory.dmp

Filesize
72KB

Download
memory/1396-260-0x0000000000180000-0x0000000000192000-memory.dmp

Filesize
72KB

Download
memory/1396-259-0x0000000000000000-mapping.dmp

Download
memory/1440-313-0x000000000041E300-mapping.dmp

Download
memory/1460-220-0x0000000000000000-mapping.dmp

Download
memory/1460-224-0x0000000000C60000-0x0000000000CB9000-memory.dmp

Filesize
356KB

Download
memory/1460-223-0x0000000000C60000-0x0000000000CB9000-memory.dmp

Filesize
356KB

Download
memory/1476-296-0x000000000041E300-mapping.dmp

Download
memory/1476-204-0x0000000000000000-mapping.dmp

Download
memory/1480-407-0x0000000000180000-0x0000000000192000-memory.dmp

Filesize
72KB

Download
memory/1480-406-0x0000000000180000-0x0000000000192000-memory.dmp

Filesize
72KB

Download
memory/1480-404-0x0000000000000000-mapping.dmp

Download
memory/1484-8-0x000000000041E300-mapping.dmp

Download
memory/1488-227-0x0000000000000000-mapping.dmp

Download
memory/1488-257-0x000000000041E300-mapping.dmp

Download
memory/1592-245-0x000000000041E300-mapping.dmp

Download
memory/1628-95-0x000000000041E300-mapping.dmp

Download
memory/1636-389-0x0000000000000000-mapping.dmp

Download
memory/1636-49-0x0000000000000000-mapping.dmp

Download
memory/1668-85-0x0000000004EE0000-0x0000000004F9F000-memory.dmp

Filesize
764KB

Download
memory/1668-524-0x0000000006C00000-0x0000000006D49000-memory.dmp

Filesize
1.3MB

Download
memory/1668-27-0x0000000000AC0000-0x0000000000C33000-memory.dmp

Filesize
1.4MB

Download
memory/1668-25-0x0000000000AC0000-0x0000000000C33000-memory.dmp

Filesize
1.4MB

Download
memory/1668-24-0x0000000000000000-mapping.dmp

Download
memory/1672-115-0x00000000003D0000-0x00000000003DB000-memory.dmp

Filesize
44KB

Download
memory/1672-116-0x00000000003D0000-0x00000000003DB000-memory.dmp

Filesize
44KB

Download
memory/1672-114-0x0000000000000000-mapping.dmp

Download
memory/1676-74-0x0000000000000000-mapping.dmp

Download
memory/1676-75-0x0000000000180000-0x0000000000192000-memory.dmp

Filesize
72KB

Download
memory/1676-76-0x0000000000180000-0x0000000000192000-memory.dmp

Filesize
72KB

Download
memory/1680-232-0x0000000000000000-mapping.dmp

Download
memory/1680-236-0x00000000013D0000-0x00000000013D7000-memory.dmp

Filesize
28KB

Download
memory/1680-235-0x00000000013D0000-0x00000000013D7000-memory.dmp

Filesize
28KB

Download
memory/1780-60-0x0000000000000000-mapping.dmp

Download
memory/1780-98-0x000000000041E300-mapping.dmp

Download
memory/1784-9-0x0000000000000000-mapping.dmp

Download
memory/1788-103-0x00000000008D0000-0x00000000008F7000-memory.dmp

Filesize
156KB

Download
memory/1788-102-0x0000000000000000-mapping.dmp

Download
memory/1788-104-0x00000000008D0000-0x00000000008F7000-memory.dmp

Filesize
156KB

Download
memory/1828-230-0x000000000041E300-mapping.dmp

Download
memory/1860-96-0x0000000000000000-mapping.dmp

Download
memory/1948-533-0x0000000000000000-mapping.dmp

Download
memory/1948-534-0x0000000000C60000-0x0000000000CB9000-memory.dmp

Filesize
356KB

Download
memory/1948-535-0x0000000000C60000-0x0000000000CB9000-memory.dmp

Filesize
356KB

Download
memory/1992-282-0x0000000000000000-mapping.dmp

Download
memory/2044-32-0x0000000000A90000-0x0000000000AB0000-memory.dmp

Filesize
128KB

Download
memory/2044-30-0x0000000000A90000-0x0000000000AB0000-memory.dmp

Filesize
128KB

Download
memory/2044-28-0x0000000000000000-mapping.dmp

Download
memory/2052-184-0x0000000000850000-0x000000000085A000-memory.dmp

Filesize
40KB

Download
memory/2052-182-0x0000000000000000-mapping.dmp

Download
memory/2052-183-0x0000000000850000-0x000000000085A000-memory.dmp

Filesize
40KB

Download
memory/2108-11-0x000000000041E300-mapping.dmp

Download
memory/2112-206-0x00000000008F0000-0x0000000000917000-memory.dmp

Filesize
156KB

Download
memory/2112-205-0x0000000000000000-mapping.dmp

Download
memory/2112-208-0x00000000008F0000-0x0000000000917000-memory.dmp

Filesize
156KB

Download
memory/2112-125-0x0000000000000000-mapping.dmp

Download
memory/2144-264-0x0000000000000000-mapping.dmp

Download
memory/2144-266-0x0000000000180000-0x0000000000192000-memory.dmp

Filesize
72KB

Download
memory/2144-265-0x0000000000180000-0x0000000000192000-memory.dmp

Filesize
72KB

Download
memory/2176-50-0x0000000001090000-0x00000000014CF000-memory.dmp

Filesize
4.2MB

Download
memory/2176-53-0x0000000001090000-0x00000000014CF000-memory.dmp

Filesize
4.2MB

Download
memory/2176-48-0x0000000000000000-mapping.dmp

Download
memory/2204-145-0x00000000002A0000-0x00000000002B9000-memory.dmp

Filesize
100KB

Download
memory/2204-146-0x00000000002A0000-0x00000000002B9000-memory.dmp

Filesize
100KB

Download
memory/2204-144-0x0000000000000000-mapping.dmp

Download
memory/2240-135-0x0000000000000000-mapping.dmp

Download
memory/2240-136-0x00000000002A0000-0x00000000002B9000-memory.dmp

Filesize
100KB

Download
memory/2240-137-0x00000000002A0000-0x00000000002B9000-memory.dmp

Filesize
100KB

Download
memory/2264-555-0x000000000041E300-mapping.dmp

Download
memory/2268-272-0x000000000041E300-mapping.dmp

Download
memory/2272-63-0x000000000041E300-mapping.dmp

Download
memory/2308-401-0x0000000000180000-0x0000000000192000-memory.dmp

Filesize
72KB

Download
memory/2308-400-0x0000000000000000-mapping.dmp

Download
memory/2308-402-0x0000000000180000-0x0000000000192000-memory.dmp

Filesize
72KB

Download
memory/2324-298-0x00000000003E0000-0x00000000003EC000-memory.dmp

Filesize
48KB

Download
memory/2324-299-0x00000000003E0000-0x00000000003EC000-memory.dmp

Filesize
48KB

Download
memory/2324-297-0x0000000000000000-mapping.dmp

Download
memory/2372-219-0x0000000000000000-mapping.dmp

Download
memory/2372-590-0x0000000000000000-mapping.dmp

Download
memory/2512-153-0x0000000000000000-mapping.dmp

Download
memory/2524-254-0x0000000000850000-0x000000000085A000-memory.dmp

Filesize
40KB

Download
memory/2524-253-0x0000000000850000-0x000000000085A000-memory.dmp

Filesize
40KB

Download
memory/2524-252-0x0000000000000000-mapping.dmp

Download
memory/2528-12-0x0000000000000000-mapping.dmp

Download
memory/2572-37-0x00000000008A0000-0x0000000000B9C000-memory.dmp

Filesize
3.0MB

Download
memory/2572-34-0x0000000000000000-mapping.dmp

Download
memory/2572-36-0x00000000008A0000-0x0000000000B9C000-memory.dmp

Filesize
3.0MB

Download
memory/2576-157-0x0000000001090000-0x00000000014CF000-memory.dmp

Filesize
4.2MB

Download
memory/2576-154-0x0000000000000000-mapping.dmp

Download
memory/2576-155-0x0000000001090000-0x00000000014CF000-memory.dmp

Filesize
4.2MB

Download
memory/2580-15-0x000000000041E300-mapping.dmp

Download
memory/2592-113-0x000000000041E300-mapping.dmp

Download
memory/2612-82-0x0000000000AC0000-0x0000000000C33000-memory.dmp

Filesize
1.4MB

Download
memory/2612-80-0x0000000000AC0000-0x0000000000C33000-memory.dmp

Filesize
1.4MB

Download
memory/2612-79-0x0000000000000000-mapping.dmp

Download
memory/2632-311-0x0000000000000000-mapping.dmp

Download
memory/2632-246-0x0000000000000000-mapping.dmp

Download
memory/2632-392-0x000000000041E300-mapping.dmp

Download
memory/2688-578-0x000000000041E300-mapping.dmp

Download
memory/2720-165-0x000000000041E300-mapping.dmp

Download
memory/2764-194-0x000000000041E300-mapping.dmp

Download
memory/2784-453-0x0000000000000000-mapping.dmp

Download
memory/2784-572-0x000000000041E300-mapping.dmp

Download
memory/2792-91-0x0000000000000000-mapping.dmp

Download
memory/2792-294-0x0000000000000000-mapping.dmp

Download
memory/2792-269-0x0000000000000000-mapping.dmp

Download
memory/2824-284-0x000000000041E300-mapping.dmp

Download
memory/2824-258-0x0000000000000000-mapping.dmp

Download
memory/2896-319-0x0000000000000000-mapping.dmp

Download
memory/2896-322-0x00000000003D0000-0x00000000003DB000-memory.dmp

Filesize
44KB

Download
memory/2896-323-0x00000000003D0000-0x00000000003DB000-memory.dmp

Filesize
44KB

Download
memory/3020-196-0x0000000000000000-mapping.dmp

Download
memory/3020-383-0x000000000041E300-mapping.dmp

Download
memory/3028-131-0x0000000000DE0000-0x0000000000DF3000-memory.dmp

Filesize
76KB

Download
memory/3028-129-0x0000000000DE0000-0x0000000000DF3000-memory.dmp

Filesize
76KB

Download
memory/3028-128-0x0000000000000000-mapping.dmp

Download
memory/3032-502-0x000000000041E300-mapping.dmp

Download
memory/3040-417-0x000000000E530000-0x000000000E655000-memory.dmp

Filesize
1.1MB

Download
memory/3040-520-0x000000000F850000-0x000000000F9B5000-memory.dmp

Filesize
1.4MB

Download
memory/3040-325-0x000000000D370000-0x000000000D47B000-memory.dmp

Filesize
1.0MB

Download
memory/3040-514-0x000000000F730000-0x000000000F84B000-memory.dmp

Filesize
1.1MB

Download
memory/3040-397-0x000000000E040000-0x000000000E1E5000-memory.dmp

Filesize
1.6MB

Download
memory/3040-506-0x000000000F670000-0x000000000F723000-memory.dmp

Filesize
716KB

Download
memory/3040-214-0x000000000BA90000-0x000000000BBA2000-memory.dmp

Filesize
1.1MB

Download
memory/3040-211-0x000000000B970000-0x000000000BA86000-memory.dmp

Filesize
1.1MB

Download
memory/3040-47-0x00000000072B0000-0x00000000073E4000-memory.dmp

Filesize
1.2MB

Download
memory/3040-58-0x00000000073F0000-0x000000000758C000-memory.dmp

Filesize
1.6MB

Download
memory/3040-19-0x0000000003300000-0x00000000033E0000-memory.dmp

Filesize
896KB

Download
memory/3040-403-0x000000000E1F0000-0x000000000E374000-memory.dmp

Filesize
1.5MB

Download
memory/3040-361-0x000000000D8D0000-0x000000000DA4B000-memory.dmp

Filesize
1.5MB

Download
memory/3040-203-0x0000000009D00000-0x0000000009DC9000-memory.dmp

Filesize
804KB

Download
memory/3040-354-0x000000000D740000-0x000000000D8CD000-memory.dmp

Filesize
1.6MB

Download
memory/3040-218-0x000000000BBB0000-0x000000000BCF2000-memory.dmp

Filesize
1.3MB

Download
memory/3040-139-0x000000000A040000-0x000000000A14C000-memory.dmp

Filesize
1.0MB

Download
memory/3040-124-0x0000000009A80000-0x0000000009B80000-memory.dmp

Filesize
1024KB

Download
memory/3040-13-0x0000000006EE0000-0x000000000703B000-memory.dmp

Filesize
1.4MB

Download
memory/3040-310-0x000000000CF70000-0x000000000D086000-memory.dmp

Filesize
1.1MB

Download
memory/3040-461-0x000000000EF80000-0x000000000F087000-memory.dmp

Filesize
1.0MB

Download
memory/3040-526-0x000000000F9C0000-0x000000000FA98000-memory.dmp

Filesize
864KB

Download
memory/3040-303-0x000000000CE20000-0x000000000CF6E000-memory.dmp

Filesize
1.3MB

Download
memory/3040-197-0x000000000B860000-0x000000000B96F000-memory.dmp

Filesize
1.1MB

Download
memory/3040-195-0x000000000B6E0000-0x000000000B855000-memory.dmp

Filesize
1.5MB

Download
memory/3040-566-0x0000000010020000-0x0000000010102000-memory.dmp

Filesize
904KB

Download
memory/3040-552-0x000000000FD30000-0x000000000FED8000-memory.dmp

Filesize
1.7MB

Download
memory/3040-71-0x00000000076A0000-0x00000000077E1000-memory.dmp

Filesize
1.3MB

Download
memory/3040-186-0x000000000A980000-0x000000000AACF000-memory.dmp

Filesize
1.3MB

Download
memory/3040-496-0x000000000F590000-0x000000000F666000-memory.dmp

Filesize
856KB

Download
memory/3040-77-0x0000000006B60000-0x0000000006C4B000-memory.dmp

Filesize
940KB

Download
memory/3040-536-0x000000000FAA0000-0x000000000FBC2000-memory.dmp

Filesize
1.1MB

Download
memory/3040-583-0x0000000010360000-0x0000000010443000-memory.dmp

Filesize
908KB

Download
memory/3040-315-0x000000000D090000-0x000000000D231000-memory.dmp

Filesize
1.6MB

Download
memory/3040-33-0x0000000007170000-0x00000000072AE000-memory.dmp

Filesize
1.2MB

Download
memory/3040-123-0x0000000007AB0000-0x0000000007B66000-memory.dmp

Filesize
728KB

Download
memory/3040-559-0x000000000FEE0000-0x0000000010019000-memory.dmp

Filesize
1.2MB

Download
memory/3040-20-0x0000000007040000-0x0000000007164000-memory.dmp

Filesize
1.1MB

Download
memory/3040-152-0x000000000A240000-0x000000000A37E000-memory.dmp

Filesize
1.2MB

Download
memory/3040-172-0x000000000A620000-0x000000000A762000-memory.dmp

Filesize
1.3MB

Download
memory/3040-331-0x000000000D480000-0x000000000D5D0000-memory.dmp

Filesize
1.3MB

Download
memory/3040-86-0x00000000077F0000-0x000000000793E000-memory.dmp

Filesize
1.3MB

Download
memory/3040-483-0x000000000F2D0000-0x000000000F44F000-memory.dmp

Filesize
1.5MB

Download
memory/3040-347-0x000000000D5D0000-0x000000000D739000-memory.dmp

Filesize
1.4MB

Download
memory/3040-476-0x000000000F170000-0x000000000F2C9000-memory.dmp

Filesize
1.3MB

Download
memory/3040-427-0x000000000E7C0000-0x000000000E8D1000-memory.dmp

Filesize
1.1MB

Download
memory/3040-141-0x000000000A150000-0x000000000A231000-memory.dmp

Filesize
900KB

Download
memory/3040-160-0x000000000A490000-0x000000000A61C000-memory.dmp

Filesize
1.5MB

Download
memory/3040-445-0x000000000EC30000-0x000000000ED0B000-memory.dmp

Filesize
876KB

Download
memory/3040-376-0x000000000DB50000-0x000000000DC53000-memory.dmp

Filesize
1.0MB

Download
memory/3040-589-0x0000000010450000-0x0000000010555000-memory.dmp

Filesize
1.0MB

Download
memory/3052-209-0x000000000041E300-mapping.dmp

Download
memory/3060-239-0x00000000008F0000-0x0000000000917000-memory.dmp

Filesize
156KB

Download
memory/3060-238-0x00000000008F0000-0x0000000000917000-memory.dmp

Filesize
156KB

Download
memory/3060-237-0x0000000000000000-mapping.dmp

Download
memory/3084-174-0x0000000000000000-mapping.dmp

Download
memory/3084-175-0x0000000000830000-0x000000000084E000-memory.dmp

Filesize
120KB

Download
memory/3084-176-0x0000000000830000-0x000000000084E000-memory.dmp

Filesize
120KB

Download
memory/3104-119-0x000000000041E300-mapping.dmp

Download
memory/3108-31-0x000000000041E300-mapping.dmp

Download
memory/3276-133-0x000000000041E300-mapping.dmp

Download
memory/3284-316-0x0000000000290000-0x000000000029B000-memory.dmp

Filesize
44KB

Download
memory/3284-143-0x0000000000000000-mapping.dmp

Download
memory/3284-317-0x0000000000290000-0x000000000029B000-memory.dmp

Filesize
44KB

Download
memory/3284-314-0x0000000000000000-mapping.dmp

Download
memory/3288-41-0x00000000002A0000-0x00000000002B9000-memory.dmp

Filesize
100KB

Download
memory/3288-40-0x00000000002A0000-0x00000000002B9000-memory.dmp

Filesize
100KB

Download
memory/3288-39-0x0000000000000000-mapping.dmp

Download
memory/3348-243-0x0000000000000000-mapping.dmp

Download
memory/3348-287-0x0000000000DE0000-0x0000000000DF3000-memory.dmp

Filesize
76KB

Download
memory/3348-286-0x0000000000DE0000-0x0000000000DF3000-memory.dmp

Filesize
76KB

Download
memory/3348-285-0x0000000000000000-mapping.dmp

Download
memory/3436-130-0x0000000000000000-mapping.dmp

Download
memory/3436-178-0x000000000041E300-mapping.dmp

Download
memory/3436-99-0x0000000000000000-mapping.dmp

Download
memory/3452-199-0x000000000041E300-mapping.dmp

Download
memory/3456-122-0x000000000041E300-mapping.dmp

Download
memory/3500-16-0x0000000000000000-mapping.dmp

Download
memory/3512-529-0x00007FF7C6550000-0x00007FF7C65E3000-memory.dmp

Filesize
588KB

Download
memory/3512-532-0x00007FF7C6550000-0x00007FF7C65E3000-memory.dmp

Filesize
588KB

Download
memory/3512-528-0x00007FF7C6550000-0x00007FF7C65E3000-memory.dmp

Filesize
588KB

Download
memory/3512-525-0x0000000000000000-mapping.dmp

Download
memory/3516-101-0x000000000041E300-mapping.dmp

Download
memory/3520-185-0x0000000000000000-mapping.dmp

Download
memory/3524-61-0x0000000001090000-0x00000000014CF000-memory.dmp

Filesize
4.2MB

Download
memory/3524-57-0x0000000000000000-mapping.dmp

Download
memory/3524-59-0x0000000001090000-0x00000000014CF000-memory.dmp

Filesize
4.2MB

Download
memory/3528-288-0x0000000000000000-mapping.dmp

Download
memory/3544-188-0x000000000041E300-mapping.dmp

Download
memory/3572-336-0x0000000000000000-mapping.dmp

Download
memory/3572-338-0x0000000000290000-0x000000000029B000-memory.dmp

Filesize
44KB

Download
memory/3572-337-0x0000000000290000-0x000000000029B000-memory.dmp

Filesize
44KB

Download
memory/3640-90-0x0000000000000000-mapping.dmp

Download
memory/3640-93-0x00000000003E0000-0x00000000003EC000-memory.dmp

Filesize
48KB

Download
memory/3640-92-0x00000000003E0000-0x00000000003EC000-memory.dmp

Filesize
48KB

Download
memory/3648-55-0x00000000003D0000-0x00000000003DB000-memory.dmp

Filesize
44KB

Download
memory/3648-54-0x0000000000000000-mapping.dmp

Download
memory/3648-56-0x00000000003D0000-0x00000000003DB000-memory.dmp

Filesize
44KB

Download
memory/3664-251-0x000000000041E300-mapping.dmp

Download
memory/3700-410-0x0000000000000000-mapping.dmp

Download
memory/3700-276-0x0000000000000000-mapping.dmp

Download
memory/3700-412-0x00000000003D0000-0x00000000003DB000-memory.dmp

Filesize
44KB

Download
memory/3700-411-0x00000000003D0000-0x00000000003DB000-memory.dmp

Filesize
44KB

Download
memory/3712-120-0x0000000000000000-mapping.dmp

Download
memory/3720-273-0x0000000000000000-mapping.dmp

Download
memory/3736-69-0x000000000041E300-mapping.dmp

Download
memory/3768-579-0x0000000000000000-mapping.dmp

Download
memory/3776-290-0x000000000041E300-mapping.dmp

Download
memory/3808-599-0x000000000041E300-mapping.dmp

Download
memory/3820-386-0x000000000041E300-mapping.dmp

Download
memory/3820-163-0x0000000000000000-mapping.dmp

Download
memory/3832-168-0x00000000008D0000-0x00000000008F7000-memory.dmp

Filesize
156KB

Download
memory/3832-38-0x0000000000000000-mapping.dmp

Download
memory/3832-166-0x0000000000000000-mapping.dmp

Download
memory/3832-170-0x00000000008D0000-0x00000000008F7000-memory.dmp

Filesize
156KB

Download
memory/3836-84-0x0000000000000000-mapping.dmp

Download
memory/3836-88-0x0000000000C60000-0x0000000000CB9000-memory.dmp

Filesize
356KB

Download
memory/3836-87-0x0000000000C60000-0x0000000000CB9000-memory.dmp

Filesize
356KB

Download
memory/3840-441-0x000000000041E300-mapping.dmp

Download
memory/3848-107-0x000000000041E300-mapping.dmp

Download
memory/3860-192-0x0000000000000000-mapping.dmp

Download
memory/3860-378-0x0000000000000000-mapping.dmp

Download
memory/3880-222-0x000000000041E300-mapping.dmp

Download
memory/3900-23-0x000000000041E300-mapping.dmp

Download
memory/3904-217-0x0000000000F20000-0x0000000000F37000-memory.dmp

Filesize
92KB

Download
memory/3904-216-0x0000000000F20000-0x0000000000F37000-memory.dmp

Filesize
92KB

Download
memory/3904-215-0x0000000000000000-mapping.dmp

Download
memory/3912-305-0x0000000000000000-mapping.dmp

Download
memory/3912-308-0x00000000008D0000-0x00000000008F7000-memory.dmp

Filesize
156KB

Download
memory/3912-309-0x00000000008D0000-0x00000000008F7000-memory.dmp

Filesize
156KB

Download
memory/3924-275-0x000000000041E300-mapping.dmp

Download
memory/3928-189-0x0000000000000000-mapping.dmp

Download
memory/3940-326-0x0000000000000000-mapping.dmp

Download
memory/3940-329-0x00000000008D0000-0x00000000008F7000-memory.dmp

Filesize
156KB

Download
memory/3940-327-0x00000000008D0000-0x00000000008F7000-memory.dmp

Filesize
156KB

Download
memory/3944-18-0x000000000041E300-mapping.dmp

Download
memory/3952-67-0x0000000000000000-mapping.dmp

Download
memory/3964-21-0x0000000000000000-mapping.dmp

Download
memory/3964-255-0x0000000000000000-mapping.dmp

Download
memory/3980-278-0x000000000041E300-mapping.dmp

Download
memory/4012-45-0x00000000008A0000-0x0000000000B9C000-memory.dmp

Filesize
3.0MB

Download
memory/4012-44-0x0000000000000000-mapping.dmp

Download
memory/4012-46-0x00000000008A0000-0x0000000000B9C000-memory.dmp

Filesize
3.0MB

Download
memory/4024-270-0x0000000000180000-0x0000000000192000-memory.dmp

Filesize
72KB

Download
memory/4024-268-0x0000000000180000-0x0000000000192000-memory.dmp

Filesize
72KB

Download
memory/4024-267-0x0000000000000000-mapping.dmp

Download
memory/4028-35-0x0000000000000000-mapping.dmp

Download
memory/4032-26-0x0000000000000000-mapping.dmp

Download
memory/4040-304-0x0000000000000000-mapping.dmp

Download
memory/4056-149-0x0000000000000000-mapping.dmp

Download
memory/4056-150-0x0000000000DE0000-0x0000000000DF3000-memory.dmp

Filesize
76KB

Download
memory/4056-151-0x0000000000DE0000-0x0000000000DF3000-memory.dmp

Filesize
76KB

Download
memory/4104-553-0x0000000000000000-mapping.dmp

Download
memory/4112-508-0x0000000000000000-mapping.dmp

Download
memory/4112-509-0x00000000013D0000-0x00000000013D7000-memory.dmp

Filesize
28KB

Download
memory/4112-510-0x00000000013D0000-0x00000000013D7000-memory.dmp

Filesize
28KB

Download
memory/4116-452-0x0000000000000000-mapping.dmp

Download
memory/4116-454-0x0000000000DE0000-0x0000000000DF3000-memory.dmp

Filesize
76KB

Download
memory/4116-455-0x0000000000DE0000-0x0000000000DF3000-memory.dmp

Filesize
76KB

Download
memory/4124-466-0x0000000000F20000-0x0000000000F37000-memory.dmp

Filesize
92KB

Download
memory/4124-464-0x0000000000F20000-0x0000000000F37000-memory.dmp

Filesize
92KB

Download
memory/4124-463-0x0000000000000000-mapping.dmp

Download
memory/4132-507-0x0000000000000000-mapping.dmp

Download
memory/4136-343-0x0000000000C60000-0x0000000000CB9000-memory.dmp

Filesize
356KB

Download
memory/4136-341-0x0000000000000000-mapping.dmp

Download
memory/4136-342-0x0000000000C60000-0x0000000000CB9000-memory.dmp

Filesize
356KB

Download
memory/4144-548-0x000000000041E300-mapping.dmp

Download
memory/4148-576-0x00000000013D0000-0x00000000013D7000-memory.dmp

Filesize
28KB

Download
memory/4148-575-0x00000000013D0000-0x00000000013D7000-memory.dmp

Filesize
28KB

Download
memory/4148-574-0x0000000000000000-mapping.dmp

Download
memory/4172-344-0x0000000000000000-mapping.dmp

Download
memory/4172-345-0x00000000008A0000-0x0000000000B9C000-memory.dmp

Filesize
3.0MB

Download
memory/4172-346-0x00000000008A0000-0x0000000000B9C000-memory.dmp

Filesize
3.0MB

Download
memory/4184-318-0x0000000000000000-mapping.dmp

Download
memory/4216-321-0x000000000041E300-mapping.dmp

Download
memory/4220-494-0x00000000002A0000-0x00000000002B9000-memory.dmp

Filesize
100KB

Download
memory/4220-405-0x0000000000000000-mapping.dmp

Download
memory/4220-493-0x0000000000000000-mapping.dmp

Download
memory/4220-495-0x00000000002A0000-0x00000000002B9000-memory.dmp

Filesize
100KB

Download
memory/4224-446-0x0000000000000000-mapping.dmp

Download
memory/4232-384-0x0000000000000000-mapping.dmp

Download
memory/4240-586-0x0000000000000000-mapping.dmp

Download
memory/4240-588-0x0000000000180000-0x0000000000192000-memory.dmp

Filesize
72KB

Download
memory/4240-587-0x0000000000180000-0x0000000000192000-memory.dmp

Filesize
72KB

Download
memory/4244-472-0x00000000002A0000-0x00000000002B9000-memory.dmp

Filesize
100KB

Download
memory/4244-469-0x0000000000000000-mapping.dmp

Download
memory/4244-470-0x00000000002A0000-0x00000000002B9000-memory.dmp

Filesize
100KB

Download
memory/4248-545-0x0000000000000000-mapping.dmp

Download
memory/4260-531-0x000000000041E300-mapping.dmp

Download
memory/4264-568-0x0000000000000000-mapping.dmp

Download
memory/4272-399-0x000000000041E300-mapping.dmp

Download
memory/4280-420-0x00000000003D0000-0x00000000003DB000-memory.dmp

Filesize
44KB

Download
memory/4280-419-0x00000000003D0000-0x00000000003DB000-memory.dmp

Filesize
44KB

Download
memory/4280-418-0x0000000000000000-mapping.dmp

Download
memory/4284-324-0x0000000000000000-mapping.dmp

Download
memory/4296-512-0x000000000041E300-mapping.dmp

Download
memory/4308-468-0x0000000000000000-mapping.dmp

Download
memory/4320-350-0x00000000008F0000-0x0000000000917000-memory.dmp

Filesize
156KB

Download
memory/4320-352-0x00000000008F0000-0x0000000000917000-memory.dmp

Filesize
156KB

Download
memory/4320-349-0x0000000000000000-mapping.dmp

Download
memory/4336-330-0x000000000041E300-mapping.dmp

Download
memory/4348-570-0x00000000008F0000-0x0000000000917000-memory.dmp

Filesize
156KB

Download
memory/4348-569-0x00000000008F0000-0x0000000000917000-memory.dmp

Filesize
156KB

Download
memory/4348-567-0x0000000000000000-mapping.dmp

Download
memory/4352-543-0x0000000000000000-mapping.dmp

Download
memory/4352-546-0x00000000003E0000-0x00000000003EC000-memory.dmp

Filesize
48KB

Download
memory/4352-544-0x00000000003E0000-0x00000000003EC000-memory.dmp

Filesize
48KB

Download
memory/4368-460-0x000000000041E300-mapping.dmp

Download
memory/4380-409-0x000000000041E300-mapping.dmp

Download
memory/4396-333-0x0000000000C60000-0x0000000000CB9000-memory.dmp

Filesize
356KB

Download
memory/4396-332-0x0000000000000000-mapping.dmp

Download
memory/4396-516-0x000000000041E300-mapping.dmp

Download
memory/4396-335-0x0000000000C60000-0x0000000000CB9000-memory.dmp

Filesize
356KB

Download
memory/4404-458-0x0000000000000000-mapping.dmp

Download
memory/4416-334-0x0000000000000000-mapping.dmp

Download
memory/4416-513-0x0000000000000000-mapping.dmp

Download
memory/4440-359-0x0000000000AC0000-0x0000000000C33000-memory.dmp

Filesize
1.4MB

Download
memory/4440-357-0x0000000000AC0000-0x0000000000C33000-memory.dmp

Filesize
1.4MB

Download
memory/4440-356-0x0000000000000000-mapping.dmp

Download
memory/4448-413-0x0000000000000000-mapping.dmp

Download
memory/4460-395-0x0000000000000000-mapping.dmp

Download
memory/4468-467-0x000000000041E300-mapping.dmp

Download
memory/4472-539-0x000000000041E300-mapping.dmp

Download
memory/4484-340-0x000000000041E300-mapping.dmp

Download
memory/4488-438-0x0000000000830000-0x000000000084E000-memory.dmp

Filesize
120KB

Download
memory/4488-437-0x0000000000830000-0x000000000084E000-memory.dmp

Filesize
120KB

Download
memory/4488-436-0x0000000000000000-mapping.dmp

Download
memory/4500-537-0x0000000000000000-mapping.dmp

Download
memory/4516-457-0x000000000041E300-mapping.dmp

Download
memory/4528-585-0x000000000041E300-mapping.dmp

Download
memory/4536-481-0x00000000002B0000-0x00000000002C6000-memory.dmp

Filesize
88KB

Download
memory/4536-477-0x0000000000000000-mapping.dmp

Download
memory/4536-479-0x00000000002B0000-0x00000000002C6000-memory.dmp

Filesize
88KB

Download
memory/4552-474-0x000000000041E300-mapping.dmp

Download
memory/4568-367-0x0000000000D30000-0x0000000000D3C000-memory.dmp

Filesize
48KB

Download
memory/4568-366-0x0000000000D30000-0x0000000000D3C000-memory.dmp

Filesize
48KB

Download
memory/4568-365-0x0000000000000000-mapping.dmp

Download
memory/4576-415-0x000000000041E300-mapping.dmp

Download
memory/4580-484-0x0000000000000000-mapping.dmp

Download
memory/4580-486-0x0000000000AC0000-0x0000000000C33000-memory.dmp

Filesize
1.4MB

Download
memory/4580-485-0x0000000000AC0000-0x0000000000C33000-memory.dmp

Filesize
1.4MB

Download
memory/4588-348-0x0000000000000000-mapping.dmp

Download
memory/4588-471-0x0000000000000000-mapping.dmp

Download
memory/4596-542-0x0000000000830000-0x000000000084E000-memory.dmp

Filesize
120KB

Download
memory/4596-541-0x0000000000830000-0x000000000084E000-memory.dmp

Filesize
120KB

Download
memory/4596-540-0x0000000000000000-mapping.dmp

Download
memory/4600-475-0x0000000000000000-mapping.dmp

Download
memory/4604-581-0x000000000041E300-mapping.dmp

Download
memory/4612-596-0x0000000000000000-mapping.dmp

Download
memory/4624-431-0x00000000003E0000-0x00000000003EC000-memory.dmp

Filesize
48KB

Download
memory/4624-430-0x0000000000000000-mapping.dmp

Download
memory/4624-432-0x00000000003E0000-0x00000000003EC000-memory.dmp

Filesize
48KB

Download
memory/4632-353-0x000000000041E300-mapping.dmp

Download
memory/4640-582-0x0000000000000000-mapping.dmp

Download
memory/4668-462-0x0000000000000000-mapping.dmp

Download
memory/4672-527-0x0000000000000000-mapping.dmp

Download
memory/4676-422-0x000000000041E300-mapping.dmp

Download
memory/4684-573-0x0000000000000000-mapping.dmp

Download
memory/4700-355-0x0000000000000000-mapping.dmp

Download
memory/4712-372-0x0000000000000000-mapping.dmp

Download
memory/4712-373-0x0000000000830000-0x000000000084E000-memory.dmp

Filesize
120KB

Download
memory/4712-374-0x0000000000830000-0x000000000084E000-memory.dmp

Filesize
120KB

Download
memory/4728-503-0x0000000000000000-mapping.dmp

Download
memory/4728-504-0x0000000000850000-0x000000000085A000-memory.dmp

Filesize
40KB

Download
memory/4728-505-0x0000000000850000-0x000000000085A000-memory.dmp

Filesize
40KB

Download
memory/4736-425-0x000000000041E300-mapping.dmp

Download
memory/4748-519-0x000000000041E300-mapping.dmp

Download
memory/4752-360-0x000000000041E300-mapping.dmp

Download
memory/4764-517-0x0000000000000000-mapping.dmp

Download
memory/4788-444-0x00000000003D0000-0x00000000003DB000-memory.dmp

Filesize
44KB

Download
memory/4788-443-0x00000000003D0000-0x00000000003DB000-memory.dmp

Filesize
44KB

Download
memory/4788-442-0x0000000000000000-mapping.dmp

Download
memory/4804-549-0x0000000000000000-mapping.dmp

Download
memory/4804-550-0x0000000000C60000-0x0000000000CB9000-memory.dmp

Filesize
356KB

Download
memory/4804-551-0x0000000000C60000-0x0000000000CB9000-memory.dmp

Filesize
356KB

Download
memory/4808-598-0x0000000000000000-mapping.dmp

Download
memory/4808-601-0x00000000002B0000-0x00000000002C6000-memory.dmp

Filesize
88KB

Download
memory/4808-600-0x00000000002B0000-0x00000000002C6000-memory.dmp

Filesize
88KB

Download
memory/4812-362-0x0000000000000000-mapping.dmp

Download
memory/4820-416-0x0000000000000000-mapping.dmp

Download
memory/4824-380-0x00000000002B0000-0x00000000002C6000-memory.dmp

Filesize
88KB

Download
memory/4824-379-0x0000000000000000-mapping.dmp

Download
memory/4824-382-0x00000000002B0000-0x00000000002C6000-memory.dmp

Filesize
88KB

Download
memory/4836-429-0x000000000041E300-mapping.dmp

Download
memory/4840-595-0x0000000000A90000-0x0000000000AB0000-memory.dmp

Filesize
128KB

Download
memory/4840-593-0x0000000000000000-mapping.dmp

Download
memory/4840-594-0x0000000000A90000-0x0000000000AB0000-memory.dmp

Filesize
128KB

Download
memory/4852-364-0x000000000041E300-mapping.dmp

Download
memory/4868-602-0x0000000000000000-mapping.dmp

Download
memory/4868-603-0x0000000000F20000-0x0000000000F37000-memory.dmp

Filesize
92KB

Download
memory/4884-423-0x0000000000000000-mapping.dmp

Download
memory/4896-451-0x0000000000C60000-0x0000000000CB9000-memory.dmp

Filesize
356KB

Download
memory/4896-450-0x0000000000C60000-0x0000000000CB9000-memory.dmp

Filesize
356KB

Download
memory/4896-449-0x0000000000000000-mapping.dmp

Download
memory/4912-558-0x0000000000AC0000-0x0000000000C33000-memory.dmp

Filesize
1.4MB

Download
memory/4912-557-0x0000000000AC0000-0x0000000000C33000-memory.dmp

Filesize
1.4MB

Download
memory/4912-556-0x0000000000000000-mapping.dmp

Download
memory/4916-390-0x0000000000B50000-0x0000000000B6F000-memory.dmp

Filesize
124KB

Download
memory/4916-387-0x0000000000000000-mapping.dmp

Download
memory/4916-388-0x0000000000B50000-0x0000000000B6F000-memory.dmp

Filesize
124KB

Download
memory/4928-368-0x0000000000000000-mapping.dmp

Download
memory/4932-433-0x0000000000000000-mapping.dmp

Download
memory/4948-521-0x0000000000000000-mapping.dmp

Download
memory/4948-522-0x0000000000F20000-0x0000000000F37000-memory.dmp

Filesize
92KB

Download
memory/4948-523-0x0000000000F20000-0x0000000000F37000-memory.dmp

Filesize
92KB

Download
memory/4960-488-0x0000000000000000-mapping.dmp

Download
memory/4968-370-0x000000000041E300-mapping.dmp

Download
memory/5000-435-0x000000000041E300-mapping.dmp

Download
memory/5004-592-0x000000000041E300-mapping.dmp

Download
memory/5008-498-0x00000000003E0000-0x00000000003EC000-memory.dmp

Filesize
48KB

Download
memory/5008-500-0x00000000003E0000-0x00000000003EC000-memory.dmp

Filesize
48KB

Download
memory/5008-497-0x0000000000000000-mapping.dmp

Download
memory/5016-371-0x0000000000000000-mapping.dmp

Download
memory/5024-426-0x0000000000000000-mapping.dmp

Download
memory/5036-492-0x000000000041E300-mapping.dmp

Download
memory/5040-439-0x0000000000000000-mapping.dmp

Download
memory/5044-489-0x00000000013D0000-0x00000000013D7000-memory.dmp

Filesize
28KB

Download
memory/5044-490-0x00000000013D0000-0x00000000013D7000-memory.dmp

Filesize
28KB

Download
memory/5044-487-0x0000000000000000-mapping.dmp

Download
memory/5068-377-0x000000000041E300-mapping.dmp

Download
memory/5080-482-0x000000000041E300-mapping.dmp

Download
memory/5084-561-0x0000000000000000-mapping.dmp

Download
memory/5084-562-0x0000000000B50000-0x0000000000B6F000-memory.dmp

Filesize
124KB

Download
memory/5084-563-0x0000000000B50000-0x0000000000B6F000-memory.dmp

Filesize
124KB

Download
memory/5088-393-0x0000000000000000-mapping.dmp

Download
memory/5088-394-0x0000000000A90000-0x0000000000AB0000-memory.dmp

Filesize
128KB

Download
memory/5088-396-0x0000000000A90000-0x0000000000AB0000-memory.dmp

Filesize
128KB

Download
memory/5108-565-0x000000000041E300-mapping.dmp

Download