formbook | d28a86bcfc1a16880fcf3e42f04a4a840f92086ae386d180a5c22e7f354c74a3

Analysis

max time kernel
148s
max time network
162s
platform
windows7_x64
resource
win7-20220414-en
submitted
21-05-2022 11:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Payment Slip.exe
Size

278KB
MD5

e2ac3d9facc2259a85c66087ff0b6a85
SHA1

b592f4eea4d6632f6f543c75d71c4749e8aa8b69
SHA256

370f3e9f42d074cd9575a0fa8df285e970dda741ae4200b54fb53f0a3145369e
SHA512

226bf723fc4094cf2ac6ca74ff9fdefc0daebe90de2d905b0b9c7acae8c9d3e3956c17f1df80d736bb2bae094d075d307c05534485eae6c51575b2939261ae4c

Score

10^/10

formbook kfr persistence rat spyware stealer suricata trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

kfr

Decoy

pensight.com

in4rac-acc3es-re7unds1.com

iznjreb.com

globalqled.com

njzscy.com

763bifa.com

coinpatent.com

tipsfoorti.com

lukusabusiness.com

tokaminerale.com

jinshavip74.com

idbcc.com

maxfacto.com

graffititheworld.com

connecticutwatercooler.com

matroofing.com

route-ceram.com

redwaterservices.com

bracifyritugupta.com

discoverfrenchtown.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata

Formbook Payload 12 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/956-61-0x0000000000400000-0x000000000042D000-memory.dmp	formbook
behavioral1/memory/1408-70-0x00000000000F0000-0x000000000011D000-memory.dmp	formbook
behavioral1/memory/568-81-0x0000000000400000-0x000000000042D000-memory.dmp	formbook
behavioral1/memory/1824-96-0x0000000000400000-0x000000000042D000-memory.dmp	formbook
behavioral1/memory/1076-114-0x0000000000080000-0x00000000000AD000-memory.dmp	formbook
behavioral1/memory/1264-116-0x0000000000400000-0x000000000042D000-memory.dmp	formbook
behavioral1/memory/1660-131-0x0000000000400000-0x000000000042D000-memory.dmp	formbook
behavioral1/memory/588-150-0x0000000000090000-0x00000000000BD000-memory.dmp	formbook
behavioral1/memory/468-153-0x0000000000080000-0x00000000000AD000-memory.dmp	formbook
behavioral1/memory/1820-159-0x0000000000400000-0x000000000042D000-memory.dmp	formbook
behavioral1/memory/1540-171-0x0000000000400000-0x000000000042D000-memory.dmp	formbook
behavioral1/memory/1740-172-0x0000000000090000-0x00000000000BD000-memory.dmp	formbook

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

wuapp.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	wuapp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\JRKTND2XAB9 = "C:\\Program Files (x86)\\R4hjx_rnh\\systraylro8.exe"	wuapp.exe

Drops startup file 2 IoCs

Processes:

Payment Slip.exePayment Slip.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HJdyTuap.exe	Payment Slip.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HJdyTuap.exe	Payment Slip.exe

Suspicious use of SetThreadContext 64 IoCs

Processes:

Payment Slip.exeRegAsm.exePayment Slip.exePayment Slip.exeRegAsm.exeRegAsm.exePayment Slip.exeRegAsm.exePayment Slip.exeRegAsm.exePayment Slip.exeRegAsm.exePayment Slip.exeRegAsm.exewuapp.exePayment Slip.exeRegAsm.exePayment Slip.exeRegAsm.exePayment Slip.exeRegAsm.exePayment Slip.exeRegAsm.exePayment Slip.exeRegAsm.exePayment Slip.exeRegAsm.exePayment Slip.exeRegAsm.exePayment Slip.exeRegAsm.exePayment Slip.exeRegAsm.exePayment Slip.exeRegAsm.exePayment Slip.exeRegAsm.exePayment Slip.exeRegAsm.exePayment Slip.exeRegAsm.exePayment Slip.exeRegAsm.exePayment Slip.exeRegAsm.exePayment Slip.exeRegAsm.exePayment Slip.exeRegAsm.exePayment Slip.exePayment Slip.exeRegAsm.exePayment Slip.exe

description	pid	process	target process
PID 1212 set thread context of 956	1212	Payment Slip.exe	RegAsm.exe
PID 956 set thread context of 1300	956	RegAsm.exe	Explorer.EXE
PID 956 set thread context of 1300	956	RegAsm.exe	Explorer.EXE
PID 1392 set thread context of 568	1392	Payment Slip.exe	RegAsm.exe
PID 904 set thread context of 764	904	Payment Slip.exe	RegAsm.exe
PID 568 set thread context of 1300	568	RegAsm.exe	Explorer.EXE
PID 764 set thread context of 1300	764	RegAsm.exe	Explorer.EXE
PID 1224 set thread context of 1824	1224	Payment Slip.exe	RegAsm.exe
PID 1824 set thread context of 1300	1824	RegAsm.exe	Explorer.EXE
PID 1484 set thread context of 1176	1484	Payment Slip.exe	RegAsm.exe
PID 1176 set thread context of 1300	1176	RegAsm.exe	Explorer.EXE
PID 1780 set thread context of 1264	1780	Payment Slip.exe	RegAsm.exe
PID 1264 set thread context of 1300	1264	RegAsm.exe	Explorer.EXE
PID 1712 set thread context of 1692	1712	Payment Slip.exe	RegAsm.exe
PID 1692 set thread context of 1300	1692	RegAsm.exe	Explorer.EXE
PID 1408 set thread context of 1300	1408	wuapp.exe	Explorer.EXE
PID 1200 set thread context of 1660	1200	Payment Slip.exe	RegAsm.exe
PID 1660 set thread context of 1300	1660	RegAsm.exe	Explorer.EXE
PID 308 set thread context of 288	308	Payment Slip.exe	RegAsm.exe
PID 288 set thread context of 1300	288	RegAsm.exe	Explorer.EXE
PID 764 set thread context of 1300	764	RegAsm.exe	Explorer.EXE
PID 1824 set thread context of 1300	1824	RegAsm.exe	Explorer.EXE
PID 1176 set thread context of 1300	1176	RegAsm.exe	Explorer.EXE
PID 1264 set thread context of 1300	1264	RegAsm.exe	Explorer.EXE
PID 1152 set thread context of 1820	1152	Payment Slip.exe	RegAsm.exe
PID 1820 set thread context of 1300	1820	RegAsm.exe	Explorer.EXE
PID 576 set thread context of 1540	576	Payment Slip.exe	RegAsm.exe
PID 1540 set thread context of 1300	1540	RegAsm.exe	Explorer.EXE
PID 2004 set thread context of 1004	2004	Payment Slip.exe	RegAsm.exe
PID 1004 set thread context of 1300	1004	RegAsm.exe	Explorer.EXE
PID 1220 set thread context of 2024	1220	Payment Slip.exe	RegAsm.exe
PID 2024 set thread context of 1300	2024	RegAsm.exe	Explorer.EXE
PID 868 set thread context of 688	868	Payment Slip.exe	RegAsm.exe
PID 688 set thread context of 1300	688	RegAsm.exe	Explorer.EXE
PID 1972 set thread context of 1476	1972	Payment Slip.exe	RegAsm.exe
PID 1476 set thread context of 1300	1476	RegAsm.exe	Explorer.EXE
PID 1192 set thread context of 804	1192	Payment Slip.exe	RegAsm.exe
PID 804 set thread context of 1300	804	RegAsm.exe	Explorer.EXE
PID 632 set thread context of 700	632	Payment Slip.exe	RegAsm.exe
PID 700 set thread context of 1300	700	RegAsm.exe	Explorer.EXE
PID 1576 set thread context of 1216	1576	Payment Slip.exe	RegAsm.exe
PID 1216 set thread context of 1300	1216	RegAsm.exe	Explorer.EXE
PID 1732 set thread context of 1528	1732	Payment Slip.exe	RegAsm.exe
PID 2024 set thread context of 1300	2024	RegAsm.exe	Explorer.EXE
PID 1528 set thread context of 1300	1528	RegAsm.exe	Explorer.EXE
PID 688 set thread context of 1300	688	RegAsm.exe	Explorer.EXE
PID 1832 set thread context of 1492	1832	Payment Slip.exe	RegAsm.exe
PID 1492 set thread context of 1300	1492	RegAsm.exe	Explorer.EXE
PID 1688 set thread context of 1456	1688	Payment Slip.exe	RegAsm.exe
PID 700 set thread context of 1300	700	RegAsm.exe	Explorer.EXE
PID 1456 set thread context of 1300	1456	RegAsm.exe	Explorer.EXE
PID 432 set thread context of 892	432	Payment Slip.exe	RegAsm.exe
PID 892 set thread context of 1300	892	RegAsm.exe	Explorer.EXE
PID 1700 set thread context of 604	1700	Payment Slip.exe	RegAsm.exe
PID 604 set thread context of 1300	604	RegAsm.exe	Explorer.EXE
PID 916 set thread context of 428	916	Payment Slip.exe	RegAsm.exe
PID 428 set thread context of 1300	428	RegAsm.exe	Explorer.EXE
PID 1736 set thread context of 980	1736	Payment Slip.exe	RegAsm.exe
PID 968 set thread context of 636	968	Payment Slip.exe	RegAsm.exe
PID 636 set thread context of 1300	636	RegAsm.exe	Explorer.EXE
PID 1456 set thread context of 1300	1456	RegAsm.exe	Explorer.EXE
PID 1528 set thread context of 1300	1528	RegAsm.exe	Explorer.EXE
PID 520 set thread context of 1748	520	Payment Slip.exe	RegAsm.exe
PID 892 set thread context of 1300	892	RegAsm.exe	Explorer.EXE

Drops file in Program Files directory 1 IoCs

Processes:

wuapp.exe

description ioc process

File opened for modification C:\Program Files (x86)\R4hjx_rnh\systraylro8.exe wuapp.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Program Files (x86)\R4hjx_rnh\systraylro8.exe	wuapp.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chkdsk.exechkdsk.exechkdsk.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	chkdsk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	chkdsk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	chkdsk.exe

Gathers network information 2 TTPs 6 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

NETSTAT.EXENETSTAT.EXEipconfig.exeNETSTAT.EXENETSTAT.EXENETSTAT.EXE

pid process

1036 NETSTAT.EXE
1880 NETSTAT.EXE
3012 ipconfig.exe
2928 NETSTAT.EXE
2064 NETSTAT.EXE
2448 NETSTAT.EXE

pid	process
1036	NETSTAT.EXE
1880	NETSTAT.EXE
3012	ipconfig.exe
2928	NETSTAT.EXE
2064	NETSTAT.EXE
2448	NETSTAT.EXE

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

wuapp.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-1083475884-596052423-1669053738-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	wuapp.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Payment Slip.exe

pid	process
1212	Payment Slip.exe
1212	Payment Slip.exe
1212	Payment Slip.exe
1212	Payment Slip.exe
1212	Payment Slip.exe
1212	Payment Slip.exe
1212	Payment Slip.exe
1212	Payment Slip.exe
1212	Payment Slip.exe
1212	Payment Slip.exe
1212	Payment Slip.exe
1212	Payment Slip.exe
1212	Payment Slip.exe
1212	Payment Slip.exe
1212	Payment Slip.exe
1212	Payment Slip.exe
1212	Payment Slip.exe
1212	Payment Slip.exe
1212	Payment Slip.exe
1212	Payment Slip.exe
1212	Payment Slip.exe
1212	Payment Slip.exe
1212	Payment Slip.exe
1212	Payment Slip.exe
1212	Payment Slip.exe
1212	Payment Slip.exe
1212	Payment Slip.exe
1212	Payment Slip.exe
1212	Payment Slip.exe
1212	Payment Slip.exe
1212	Payment Slip.exe
1212	Payment Slip.exe
1212	Payment Slip.exe
1212	Payment Slip.exe
1212	Payment Slip.exe
1212	Payment Slip.exe
1212	Payment Slip.exe
1212	Payment Slip.exe
1212	Payment Slip.exe
1212	Payment Slip.exe
1212	Payment Slip.exe
1212	Payment Slip.exe
1212	Payment Slip.exe
1212	Payment Slip.exe
1212	Payment Slip.exe
1212	Payment Slip.exe
1212	Payment Slip.exe
1212	Payment Slip.exe
1212	Payment Slip.exe
1212	Payment Slip.exe
1212	Payment Slip.exe
1212	Payment Slip.exe
1212	Payment Slip.exe
1212	Payment Slip.exe
1212	Payment Slip.exe
1212	Payment Slip.exe
1212	Payment Slip.exe
1212	Payment Slip.exe
1212	Payment Slip.exe
1212	Payment Slip.exe
1212	Payment Slip.exe
1212	Payment Slip.exe
1212	Payment Slip.exe
1212	Payment Slip.exe

Suspicious behavior: MapViewOfSection 64 IoCs

Processes:

Payment Slip.exeRegAsm.exePayment Slip.exewuapp.exePayment Slip.exeRegAsm.exeRegAsm.exePayment Slip.exeRegAsm.exePayment Slip.exeRegAsm.exePayment Slip.exeRegAsm.exePayment Slip.exeRegAsm.exePayment Slip.exeRegAsm.exePayment Slip.exeRegAsm.exePayment Slip.exeRegAsm.exePayment Slip.exeRegAsm.exePayment Slip.exeRegAsm.exePayment Slip.exeRegAsm.exePayment Slip.exeRegAsm.exePayment Slip.exeRegAsm.exePayment Slip.exeRegAsm.exePayment Slip.exe

pid	process
1212	Payment Slip.exe
956	RegAsm.exe
956	RegAsm.exe
956	RegAsm.exe
956	RegAsm.exe
1392	Payment Slip.exe
1408	wuapp.exe
904	Payment Slip.exe
568	RegAsm.exe
764	RegAsm.exe
1224	Payment Slip.exe
1824	RegAsm.exe
1484	Payment Slip.exe
1176	RegAsm.exe
1780	Payment Slip.exe
1264	RegAsm.exe
1712	Payment Slip.exe
568	RegAsm.exe
568	RegAsm.exe
1692	RegAsm.exe
1408	wuapp.exe
1200	Payment Slip.exe
1660	RegAsm.exe
308	Payment Slip.exe
308	Payment Slip.exe
288	RegAsm.exe
764	RegAsm.exe
1692	RegAsm.exe
1692	RegAsm.exe
1824	RegAsm.exe
1660	RegAsm.exe
1660	RegAsm.exe
1176	RegAsm.exe
1264	RegAsm.exe
1152	Payment Slip.exe
1820	RegAsm.exe
288	RegAsm.exe
288	RegAsm.exe
576	Payment Slip.exe
1540	RegAsm.exe
2004	Payment Slip.exe
1264	RegAsm.exe
1264	RegAsm.exe
1004	RegAsm.exe
1220	Payment Slip.exe
2024	RegAsm.exe
1820	RegAsm.exe
1820	RegAsm.exe
868	Payment Slip.exe
688	RegAsm.exe
1972	Payment Slip.exe
1540	RegAsm.exe
1540	RegAsm.exe
1476	RegAsm.exe
1192	Payment Slip.exe
1004	RegAsm.exe
1004	RegAsm.exe
804	RegAsm.exe
632	Payment Slip.exe
764	RegAsm.exe
1824	RegAsm.exe
764	RegAsm.exe
1824	RegAsm.exe
1176	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Payment Slip.exeRegAsm.exewuapp.exePayment Slip.exePayment Slip.exeRegAsm.exeRegAsm.exePayment Slip.exeRegAsm.exePayment Slip.exeRegAsm.exePayment Slip.exeRegAsm.exePayment Slip.exesystray.exeRegAsm.exePayment Slip.exeRegAsm.exePayment Slip.exeRegAsm.exesvchost.exePayment Slip.exesystray.exeRegAsm.exePayment Slip.exeRegAsm.exePayment Slip.exemsiexec.exeRegAsm.exesystray.exePayment Slip.exeRegAsm.exePayment Slip.exemstsc.exeRegAsm.exePayment Slip.exemsdt.exeRegAsm.exePayment Slip.exeRegAsm.exePayment Slip.exeRegAsm.exePayment Slip.exerundll32.exerundll32.exerundll32.exeRegAsm.exePayment Slip.exewininit.exeRegAsm.exePayment Slip.exesvchost.exeRegAsm.exeNAPSTAT.EXENETSTAT.EXEPayment Slip.exeRegAsm.exePayment Slip.exeRegAsm.exePayment Slip.exeRegAsm.exewlanext.exePayment Slip.exeRegAsm.exe

description	pid	process
Token: SeDebugPrivilege	1212	Payment Slip.exe
Token: SeDebugPrivilege	956	RegAsm.exe
Token: SeDebugPrivilege	1408	wuapp.exe
Token: SeDebugPrivilege	1392	Payment Slip.exe
Token: SeDebugPrivilege	904	Payment Slip.exe
Token: SeDebugPrivilege	568	RegAsm.exe
Token: SeDebugPrivilege	764	RegAsm.exe
Token: SeDebugPrivilege	1224	Payment Slip.exe
Token: SeDebugPrivilege	1824	RegAsm.exe
Token: SeDebugPrivilege	1484	Payment Slip.exe
Token: SeDebugPrivilege	1176	RegAsm.exe
Token: SeDebugPrivilege	1780	Payment Slip.exe
Token: SeDebugPrivilege	1264	RegAsm.exe
Token: SeDebugPrivilege	1712	Payment Slip.exe
Token: SeDebugPrivilege	1076	systray.exe
Token: SeDebugPrivilege	1692	RegAsm.exe
Token: SeDebugPrivilege	1200	Payment Slip.exe
Token: SeDebugPrivilege	1660	RegAsm.exe
Token: SeDebugPrivilege	308	Payment Slip.exe
Token: SeDebugPrivilege	288	RegAsm.exe
Token: SeDebugPrivilege	588	svchost.exe
Token: SeDebugPrivilege	1152	Payment Slip.exe
Token: SeDebugPrivilege	468	systray.exe
Token: SeDebugPrivilege	1820	RegAsm.exe
Token: SeDebugPrivilege	576	Payment Slip.exe
Token: SeDebugPrivilege	1540	RegAsm.exe
Token: SeDebugPrivilege	2004	Payment Slip.exe
Token: SeDebugPrivilege	1740	msiexec.exe
Token: SeDebugPrivilege	1004	RegAsm.exe
Token: SeDebugPrivilege	1500	systray.exe
Token: SeDebugPrivilege	1220	Payment Slip.exe
Token: SeDebugPrivilege	2024	RegAsm.exe
Token: SeDebugPrivilege	868	Payment Slip.exe
Token: SeDebugPrivilege	268	mstsc.exe
Token: SeDebugPrivilege	688	RegAsm.exe
Token: SeDebugPrivilege	1972	Payment Slip.exe
Token: SeDebugPrivilege	1644	msdt.exe
Token: SeDebugPrivilege	1476	RegAsm.exe
Token: SeDebugPrivilege	1192	Payment Slip.exe
Token: SeDebugPrivilege	804	RegAsm.exe
Token: SeDebugPrivilege	632	Payment Slip.exe
Token: SeDebugPrivilege	700	RegAsm.exe
Token: SeDebugPrivilege	1576	Payment Slip.exe
Token: SeDebugPrivilege	1716	rundll32.exe
Token: SeDebugPrivilege	1952	rundll32.exe
Token: SeDebugPrivilege	1092	rundll32.exe
Token: SeDebugPrivilege	1216	RegAsm.exe
Token: SeDebugPrivilege	1732	Payment Slip.exe
Token: SeDebugPrivilege	1460	wininit.exe
Token: SeDebugPrivilege	1528	RegAsm.exe
Token: SeDebugPrivilege	1832	Payment Slip.exe
Token: SeDebugPrivilege	328	svchost.exe
Token: SeDebugPrivilege	1492	RegAsm.exe
Token: SeDebugPrivilege	1288	NAPSTAT.EXE
Token: SeDebugPrivilege	1036	NETSTAT.EXE
Token: SeDebugPrivilege	1688	Payment Slip.exe
Token: SeDebugPrivilege	1456	RegAsm.exe
Token: SeDebugPrivilege	432	Payment Slip.exe
Token: SeDebugPrivilege	892	RegAsm.exe
Token: SeDebugPrivilege	1700	Payment Slip.exe
Token: SeDebugPrivilege	604	RegAsm.exe
Token: SeDebugPrivilege	952	wlanext.exe
Token: SeDebugPrivilege	916	Payment Slip.exe
Token: SeDebugPrivilege	428	RegAsm.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1300 Explorer.EXE
1300 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1300 Explorer.EXE
1300 Explorer.EXE

pid	process
1300	Explorer.EXE
1300	Explorer.EXE

pid	process
1300	Explorer.EXE
1300	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Payment Slip.exeExplorer.EXERegAsm.exewuapp.exePayment Slip.exePayment Slip.exePayment Slip.exe

description	pid	process	target process
PID 1212 wrote to memory of 956	1212	Payment Slip.exe	RegAsm.exe
PID 1212 wrote to memory of 956	1212	Payment Slip.exe	RegAsm.exe
PID 1212 wrote to memory of 956	1212	Payment Slip.exe	RegAsm.exe
PID 1212 wrote to memory of 956	1212	Payment Slip.exe	RegAsm.exe
PID 1212 wrote to memory of 956	1212	Payment Slip.exe	RegAsm.exe
PID 1212 wrote to memory of 956	1212	Payment Slip.exe	RegAsm.exe
PID 1212 wrote to memory of 956	1212	Payment Slip.exe	RegAsm.exe
PID 1212 wrote to memory of 956	1212	Payment Slip.exe	RegAsm.exe
PID 1300 wrote to memory of 1604	1300	Explorer.EXE	help.exe
PID 1300 wrote to memory of 1604	1300	Explorer.EXE	help.exe
PID 1300 wrote to memory of 1604	1300	Explorer.EXE	help.exe
PID 1300 wrote to memory of 1604	1300	Explorer.EXE	help.exe
PID 956 wrote to memory of 1408	956	RegAsm.exe	wuapp.exe
PID 956 wrote to memory of 1408	956	RegAsm.exe	wuapp.exe
PID 956 wrote to memory of 1408	956	RegAsm.exe	wuapp.exe
PID 956 wrote to memory of 1408	956	RegAsm.exe	wuapp.exe
PID 956 wrote to memory of 1408	956	RegAsm.exe	wuapp.exe
PID 956 wrote to memory of 1408	956	RegAsm.exe	wuapp.exe
PID 956 wrote to memory of 1408	956	RegAsm.exe	wuapp.exe
PID 1212 wrote to memory of 1392	1212	Payment Slip.exe	Payment Slip.exe
PID 1212 wrote to memory of 1392	1212	Payment Slip.exe	Payment Slip.exe
PID 1212 wrote to memory of 1392	1212	Payment Slip.exe	Payment Slip.exe
PID 1212 wrote to memory of 1392	1212	Payment Slip.exe	Payment Slip.exe
PID 1408 wrote to memory of 540	1408	wuapp.exe	cmd.exe
PID 1408 wrote to memory of 540	1408	wuapp.exe	cmd.exe
PID 1408 wrote to memory of 540	1408	wuapp.exe	cmd.exe
PID 1408 wrote to memory of 540	1408	wuapp.exe	cmd.exe
PID 1392 wrote to memory of 568	1392	Payment Slip.exe	RegAsm.exe
PID 1392 wrote to memory of 568	1392	Payment Slip.exe	RegAsm.exe
PID 1392 wrote to memory of 568	1392	Payment Slip.exe	RegAsm.exe
PID 1392 wrote to memory of 568	1392	Payment Slip.exe	RegAsm.exe
PID 1392 wrote to memory of 568	1392	Payment Slip.exe	RegAsm.exe
PID 1392 wrote to memory of 568	1392	Payment Slip.exe	RegAsm.exe
PID 1392 wrote to memory of 568	1392	Payment Slip.exe	RegAsm.exe
PID 1392 wrote to memory of 568	1392	Payment Slip.exe	RegAsm.exe
PID 1392 wrote to memory of 904	1392	Payment Slip.exe	Payment Slip.exe
PID 1392 wrote to memory of 904	1392	Payment Slip.exe	Payment Slip.exe
PID 1392 wrote to memory of 904	1392	Payment Slip.exe	Payment Slip.exe
PID 1392 wrote to memory of 904	1392	Payment Slip.exe	Payment Slip.exe
PID 904 wrote to memory of 764	904	Payment Slip.exe	RegAsm.exe
PID 904 wrote to memory of 764	904	Payment Slip.exe	RegAsm.exe
PID 904 wrote to memory of 764	904	Payment Slip.exe	RegAsm.exe
PID 904 wrote to memory of 764	904	Payment Slip.exe	RegAsm.exe
PID 904 wrote to memory of 764	904	Payment Slip.exe	RegAsm.exe
PID 904 wrote to memory of 764	904	Payment Slip.exe	RegAsm.exe
PID 904 wrote to memory of 764	904	Payment Slip.exe	RegAsm.exe
PID 904 wrote to memory of 764	904	Payment Slip.exe	RegAsm.exe
PID 1300 wrote to memory of 1076	1300	Explorer.EXE	systray.exe
PID 1300 wrote to memory of 1076	1300	Explorer.EXE	systray.exe
PID 1300 wrote to memory of 1076	1300	Explorer.EXE	systray.exe
PID 1300 wrote to memory of 1076	1300	Explorer.EXE	systray.exe
PID 904 wrote to memory of 1224	904	Payment Slip.exe	Payment Slip.exe
PID 904 wrote to memory of 1224	904	Payment Slip.exe	Payment Slip.exe
PID 904 wrote to memory of 1224	904	Payment Slip.exe	Payment Slip.exe
PID 904 wrote to memory of 1224	904	Payment Slip.exe	Payment Slip.exe
PID 1224 wrote to memory of 1824	1224	Payment Slip.exe	RegAsm.exe
PID 1224 wrote to memory of 1824	1224	Payment Slip.exe	RegAsm.exe
PID 1224 wrote to memory of 1824	1224	Payment Slip.exe	RegAsm.exe
PID 1224 wrote to memory of 1824	1224	Payment Slip.exe	RegAsm.exe
PID 1224 wrote to memory of 1824	1224	Payment Slip.exe	RegAsm.exe
PID 1224 wrote to memory of 1824	1224	Payment Slip.exe	RegAsm.exe
PID 1224 wrote to memory of 1824	1224	Payment Slip.exe	RegAsm.exe
PID 1224 wrote to memory of 1824	1224	Payment Slip.exe	RegAsm.exe
PID 1224 wrote to memory of 1484	1224	Payment Slip.exe	Payment Slip.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1300

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
2⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1212

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:956

C:\Windows\SysWOW64\wuapp.exe
"C:\Windows\SysWOW64\wuapp.exe"
4⤵
- Adds policy Run key to start application
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1408

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
5⤵
PID:540

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
3⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1392

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:568

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
4⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:904

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
5⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:764

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
6⤵
PID:768

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe"
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:1716

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
5⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1224

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
6⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1824

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
7⤵
PID:1884

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe"
7⤵
- Suspicious use of AdjustPrivilegeToken
PID:1092

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
6⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1484

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
7⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1176

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
8⤵
PID:1072

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe"
8⤵
- Suspicious use of AdjustPrivilegeToken
PID:1952

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
7⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1780

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
8⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1264

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
8⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1712

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
9⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1692

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
9⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1200

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
10⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1660

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
10⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:308

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
11⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:288

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
11⤵
PID:428

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
11⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1152

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
12⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1820

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
12⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:576

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
13⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1540

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
13⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2004

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
14⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1004

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
14⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1220

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
15⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2024

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
15⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:868

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
16⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:688

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe"
17⤵
PID:1720

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
16⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1972

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
17⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1476

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
17⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1192

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
18⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:804

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
18⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:632

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
19⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:700

C:\Windows\SysWOW64\cmmon32.exe
"C:\Windows\SysWOW64\cmmon32.exe"
20⤵
PID:1368

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
19⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1576

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
20⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1216

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
20⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1732

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
21⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1528

C:\Windows\SysWOW64\help.exe
"C:\Windows\SysWOW64\help.exe"
22⤵
PID:1676

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
21⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1832

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
22⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1492

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
22⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1688

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
23⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1456

C:\Windows\SysWOW64\cmmon32.exe
"C:\Windows\SysWOW64\cmmon32.exe"
24⤵
PID:1836

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
23⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:432

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
24⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:892

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
24⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1700

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
25⤵
PID:1032

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
25⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:604

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
25⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:916

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
26⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:428

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
26⤵
- Suspicious use of SetThreadContext
PID:1736

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
27⤵
PID:980

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
27⤵
- Suspicious use of SetThreadContext
PID:968

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
28⤵
- Suspicious use of SetThreadContext
PID:636

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
28⤵
- Suspicious use of SetThreadContext
PID:520

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
29⤵
PID:1748

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
29⤵
PID:1472

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
29⤵
PID:300

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
30⤵
PID:1940

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
30⤵
PID:1840

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
31⤵
PID:1808

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
31⤵
PID:2128

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
32⤵
PID:2156

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
32⤵
PID:2196

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
33⤵
PID:2240

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
33⤵
PID:2296

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
34⤵
PID:2332

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
34⤵
PID:2420

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
35⤵
PID:2460

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
35⤵
PID:2508

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
36⤵
PID:2540

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
36⤵
PID:2608

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
37⤵
PID:2664

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
37⤵
PID:2720

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
38⤵
PID:2752

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
38⤵
PID:2808

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
39⤵
PID:2852

C:\Windows\SysWOW64\cmmon32.exe
"C:\Windows\SysWOW64\cmmon32.exe"
40⤵
PID:1636

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
39⤵
PID:2904

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
40⤵
PID:2936

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
40⤵
PID:2984

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
41⤵
PID:3024

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
41⤵
PID:960

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
42⤵
PID:2068

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
42⤵
PID:2108

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
43⤵
PID:580

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
43⤵
PID:2136

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
44⤵
PID:2364

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
45⤵
PID:2256

C:\Windows\SysWOW64\cmstp.exe
"C:\Windows\SysWOW64\cmstp.exe"
45⤵
PID:896

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
44⤵
PID:2652

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
45⤵
PID:2440

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
45⤵
PID:2692

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
46⤵
PID:2844

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
46⤵
PID:2784

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
47⤵
PID:2888

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
47⤵
PID:2976

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
48⤵
PID:2840

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
48⤵
PID:2756

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
49⤵
PID:2120

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
49⤵
PID:3064

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
50⤵
PID:1948

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
50⤵
PID:2948

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
51⤵
PID:2088

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
51⤵
PID:2216

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
52⤵
PID:2304

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
52⤵
PID:2432

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
53⤵
PID:1664

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
53⤵
PID:2144

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
54⤵
PID:2764

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
54⤵
PID:2824

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
55⤵
PID:2556

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
55⤵
PID:1032

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
56⤵
PID:2212

C:\Windows\SysWOW64\chkdsk.exe
"C:\Windows\SysWOW64\chkdsk.exe"
57⤵
- Enumerates system info in registry
PID:2232

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
56⤵
PID:2260

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
57⤵
PID:316

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
57⤵
PID:2500

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
58⤵
PID:2056

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
58⤵
PID:2204

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
59⤵
PID:2536

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
59⤵
PID:1472

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
60⤵
PID:2832

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
60⤵
PID:2160

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
61⤵
PID:2632

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
61⤵
PID:2912

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
62⤵
PID:1812

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
62⤵
PID:560

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
63⤵
PID:2052

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
63⤵
PID:1496

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
64⤵
PID:900

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
64⤵
PID:1120

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
65⤵
PID:2112

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
65⤵
PID:2496

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
65⤵
PID:2472

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
65⤵
PID:2464

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
66⤵
PID:2644

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
66⤵
PID:2660

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
67⤵
PID:2820

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
67⤵
PID:2452

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
68⤵
PID:3032

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
68⤵
PID:2080

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
69⤵
PID:2920

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
69⤵
PID:624

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
69⤵
PID:3028

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
69⤵
PID:1652

C:\Windows\SysWOW64\help.exe
"C:\Windows\SysWOW64\help.exe"
2⤵
PID:1604

C:\Windows\SysWOW64\systray.exe
"C:\Windows\SysWOW64\systray.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1076

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\SysWOW64\svchost.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:588

C:\Windows\SysWOW64\systray.exe
"C:\Windows\SysWOW64\systray.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:468

C:\Windows\SysWOW64\systray.exe
"C:\Windows\SysWOW64\systray.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1500

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\SysWOW64\msiexec.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1740

C:\Windows\SysWOW64\mstsc.exe
"C:\Windows\SysWOW64\mstsc.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:268

C:\Windows\SysWOW64\msdt.exe
"C:\Windows\SysWOW64\msdt.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1644

C:\Windows\SysWOW64\NETSTAT.EXE
"C:\Windows\SysWOW64\NETSTAT.EXE"
2⤵
- Gathers network information
- Suspicious use of AdjustPrivilegeToken
PID:1036

C:\Windows\SysWOW64\NAPSTAT.EXE
"C:\Windows\SysWOW64\NAPSTAT.EXE"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1288

C:\Windows\SysWOW64\wininit.exe
"C:\Windows\SysWOW64\wininit.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1460

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\SysWOW64\svchost.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:328

C:\Windows\SysWOW64\wlanext.exe
"C:\Windows\SysWOW64\wlanext.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:952

C:\Windows\SysWOW64\NETSTAT.EXE
"C:\Windows\SysWOW64\NETSTAT.EXE"
2⤵
- Gathers network information
PID:1880

C:\Windows\SysWOW64\wuapp.exe
"C:\Windows\SysWOW64\wuapp.exe"
2⤵
PID:324

C:\Windows\SysWOW64\help.exe
"C:\Windows\SysWOW64\help.exe"
2⤵
PID:1784

C:\Windows\SysWOW64\chkdsk.exe
"C:\Windows\SysWOW64\chkdsk.exe"
2⤵
- Enumerates system info in registry
PID:1292

C:\Windows\SysWOW64\cscript.exe
"C:\Windows\SysWOW64\cscript.exe"
2⤵
PID:1980

C:\Windows\SysWOW64\msdt.exe
"C:\Windows\SysWOW64\msdt.exe"
2⤵
PID:1924

C:\Windows\SysWOW64\raserver.exe
"C:\Windows\SysWOW64\raserver.exe"
2⤵
PID:1616

C:\Windows\SysWOW64\cmmon32.exe
"C:\Windows\SysWOW64\cmmon32.exe"
2⤵
PID:1232

C:\Windows\SysWOW64\wininit.exe
"C:\Windows\SysWOW64\wininit.exe"
2⤵
PID:2100

C:\Windows\SysWOW64\wlanext.exe
"C:\Windows\SysWOW64\wlanext.exe"
2⤵
PID:2312

C:\Windows\SysWOW64\systray.exe
"C:\Windows\SysWOW64\systray.exe"
2⤵
PID:2352

C:\Windows\SysWOW64\colorcpl.exe
"C:\Windows\SysWOW64\colorcpl.exe"
2⤵
PID:2480

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\SysWOW64\svchost.exe"
2⤵
PID:2488

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\SysWOW64\netsh.exe"
2⤵
PID:2560

C:\Windows\SysWOW64\wlanext.exe
"C:\Windows\SysWOW64\wlanext.exe"
2⤵
PID:2708

C:\Windows\SysWOW64\NAPSTAT.EXE
"C:\Windows\SysWOW64\NAPSTAT.EXE"
2⤵
PID:2788

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe"
2⤵
PID:2952

C:\Windows\SysWOW64\raserver.exe
"C:\Windows\SysWOW64\raserver.exe"
2⤵
PID:3068

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:2380

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:2416

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:2444

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:2456

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:2204

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:2216

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:2292

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:2376

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:2500

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:2300

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:2308

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:2324

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:2404

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:2548

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:2244

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:2576

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:2588

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:2584

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:2596

C:\Windows\SysWOW64\control.exe
"C:\Windows\SysWOW64\control.exe"
2⤵
PID:2688

C:\Windows\SysWOW64\cscript.exe
"C:\Windows\SysWOW64\cscript.exe"
2⤵
PID:2620

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\SysWOW64\netsh.exe"
2⤵
PID:3036

C:\Windows\SysWOW64\ipconfig.exe
"C:\Windows\SysWOW64\ipconfig.exe"
2⤵
- Gathers network information
PID:3012

C:\Windows\SysWOW64\systray.exe
"C:\Windows\SysWOW64\systray.exe"
2⤵
PID:2172

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\SysWOW64\svchost.exe"
2⤵
PID:2220

C:\Windows\SysWOW64\mstsc.exe
"C:\Windows\SysWOW64\mstsc.exe"
2⤵
PID:2180

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe"
2⤵
PID:2388

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe"
2⤵
PID:2396

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:2464

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:2892

C:\Windows\SysWOW64\NETSTAT.EXE
"C:\Windows\SysWOW64\NETSTAT.EXE"
2⤵
- Gathers network information
PID:2928

C:\Windows\SysWOW64\NETSTAT.EXE
"C:\Windows\SysWOW64\NETSTAT.EXE"
2⤵
- Gathers network information
PID:2064

C:\Windows\SysWOW64\NETSTAT.EXE
"C:\Windows\SysWOW64\NETSTAT.EXE"
2⤵
- Gathers network information
PID:2448

C:\Windows\SysWOW64\control.exe
"C:\Windows\SysWOW64\control.exe"
2⤵
PID:3008

C:\Windows\SysWOW64\chkdsk.exe
"C:\Windows\SysWOW64\chkdsk.exe"
2⤵
- Enumerates system info in registry
PID:2900

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe"
2⤵
PID:2244

C:\Windows\SysWOW64\help.exe
"C:\Windows\SysWOW64\help.exe"
2⤵
PID:2512

C:\Windows\SysWOW64\wscript.exe
"C:\Windows\SysWOW64\wscript.exe"
2⤵
PID:2800

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe"
2⤵
PID:2896

C:\Windows\SysWOW64\help.exe
"C:\Windows\SysWOW64\help.exe"
2⤵
PID:3056

C:\Windows\SysWOW64\wscript.exe
"C:\Windows\SysWOW64\wscript.exe"
2⤵
PID:2872

C:\Windows\SysWOW64\wininit.exe
"C:\Windows\SysWOW64\wininit.exe"
2⤵
PID:2424

C:\Windows\SysWOW64\raserver.exe
"C:\Windows\SysWOW64\raserver.exe"
2⤵
PID:2328

C:\Windows\SysWOW64\wscript.exe
"C:\Windows\SysWOW64\wscript.exe"
2⤵
PID:2796

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HJdyTuap.exe
Filesize
280KB

MD5
68e007ea8531cb464fd73f2e176dacfd

SHA1
a142d189e8f0bb45913fd1f7e17262a7d251c661

SHA256
6439b96e92b8836d32905f3ab41b3684d7f972f2e455d48d88dce702f3b4c2a9

SHA512
3f412125b25c14985c91011d8673b30cd371b5f56db84bc73ca1b5e053f42739c1e4725788d15e5000d7bf1a4f8abdc59d896bd87d7e62978a9e50fe2fa0052e

Download Submit
memory/268-185-0x0000000000000000-mapping.dmp

Download
memory/288-135-0x0000000000360000-0x0000000000374000-memory.dmp

Filesize
80KB

Download
memory/288-133-0x0000000000D90000-0x0000000001093000-memory.dmp

Filesize
3.0MB

Download
memory/288-129-0x000000000041E300-mapping.dmp

Download
memory/308-127-0x0000000000000000-mapping.dmp

Download
memory/328-268-0x0000000000000000-mapping.dmp

Download
memory/428-313-0x000000000041E300-mapping.dmp

Download
memory/432-290-0x0000000000000000-mapping.dmp

Download
memory/468-154-0x0000000002130000-0x0000000002433000-memory.dmp

Filesize
3.0MB

Download
memory/468-152-0x0000000000A50000-0x0000000000A55000-memory.dmp

Filesize
20KB

Download
memory/468-153-0x0000000000080000-0x00000000000AD000-memory.dmp

Filesize
180KB

Download
memory/468-141-0x0000000000000000-mapping.dmp

Download
memory/540-72-0x0000000000000000-mapping.dmp

Download
memory/568-84-0x0000000000210000-0x0000000000224000-memory.dmp

Filesize
80KB

Download
memory/568-81-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/568-82-0x0000000000CE0000-0x0000000000FE3000-memory.dmp

Filesize
3.0MB

Download
memory/568-74-0x000000000041E300-mapping.dmp

Download
memory/576-161-0x0000000000000000-mapping.dmp

Download
memory/588-139-0x0000000000000000-mapping.dmp

Download
memory/588-151-0x00000000006A0000-0x00000000009A3000-memory.dmp

Filesize
3.0MB

Download
memory/588-149-0x0000000000030000-0x0000000000038000-memory.dmp

Filesize
32KB

Download
memory/588-150-0x0000000000090000-0x00000000000BD000-memory.dmp

Filesize
180KB

Download
memory/604-305-0x000000000041E300-mapping.dmp

Download
memory/632-222-0x0000000000000000-mapping.dmp

Download
memory/688-190-0x000000000041E300-mapping.dmp

Download
memory/700-227-0x000000000041E300-mapping.dmp

Download
memory/764-79-0x000000000041E300-mapping.dmp

Download
memory/764-140-0x0000000000280000-0x0000000000294000-memory.dmp

Filesize
80KB

Download
memory/764-83-0x0000000000230000-0x0000000000244000-memory.dmp

Filesize
80KB

Download
memory/764-86-0x0000000000CC0000-0x0000000000FC3000-memory.dmp

Filesize
3.0MB

Download
memory/804-212-0x000000000041E300-mapping.dmp

Download
memory/868-187-0x0000000000000000-mapping.dmp

Download
memory/892-292-0x000000000041E300-mapping.dmp

Download
memory/904-76-0x0000000000000000-mapping.dmp

Download
memory/916-311-0x0000000000000000-mapping.dmp

Download
memory/952-307-0x0000000000000000-mapping.dmp

Download
memory/956-62-0x0000000000EC0000-0x00000000011C3000-memory.dmp

Filesize
3.0MB

Download
memory/956-58-0x000000000041E300-mapping.dmp

Download
memory/956-61-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/956-63-0x00000000002C0000-0x00000000002D4000-memory.dmp

Filesize
80KB

Download
memory/956-65-0x0000000000380000-0x0000000000394000-memory.dmp

Filesize
80KB

Download
memory/1004-168-0x000000000041E300-mapping.dmp

Download
memory/1036-220-0x0000000000000000-mapping.dmp

Download
memory/1076-112-0x0000000000130000-0x0000000000135000-memory.dmp

Filesize
20KB

Download
memory/1076-113-0x0000000001F50000-0x0000000002253000-memory.dmp

Filesize
3.0MB

Download
memory/1076-114-0x0000000000080000-0x00000000000AD000-memory.dmp

Filesize
180KB

Download
memory/1076-109-0x0000000000000000-mapping.dmp

Download
memory/1092-230-0x0000000000000000-mapping.dmp

Download
memory/1152-145-0x0000000000000000-mapping.dmp

Download
memory/1176-110-0x00000000001C0000-0x00000000001D4000-memory.dmp

Filesize
80KB

Download
memory/1176-143-0x0000000000200000-0x0000000000214000-memory.dmp

Filesize
80KB

Download
memory/1176-99-0x0000000000E90000-0x0000000001193000-memory.dmp

Filesize
3.0MB

Download
memory/1176-93-0x000000000041E300-mapping.dmp

Download
memory/1192-210-0x0000000000000000-mapping.dmp

Download
memory/1200-123-0x0000000000000000-mapping.dmp

Download
memory/1212-60-0x0000000000430000-0x0000000000433000-memory.dmp

Filesize
12KB

Download
memory/1212-55-0x00000000004C0000-0x00000000004FC000-memory.dmp

Filesize
240KB

Download
memory/1212-56-0x00000000755C1000-0x00000000755C3000-memory.dmp

Filesize
8KB

Download
memory/1212-57-0x0000000000420000-0x0000000000423000-memory.dmp

Filesize
12KB

Download
memory/1212-54-0x00000000001E0000-0x000000000022C000-memory.dmp

Filesize
304KB

Download
memory/1216-238-0x000000000041E300-mapping.dmp

Download
memory/1220-178-0x0000000000000000-mapping.dmp

Download
memory/1224-87-0x0000000000000000-mapping.dmp

Download
memory/1264-103-0x000000000041E300-mapping.dmp

Download
memory/1264-119-0x0000000000340000-0x0000000000354000-memory.dmp

Filesize
80KB

Download
memory/1264-116-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1264-144-0x0000000000380000-0x0000000000394000-memory.dmp

Filesize
80KB

Download
memory/1264-117-0x0000000000CA0000-0x0000000000FA3000-memory.dmp

Filesize
3.0MB

Download
memory/1288-237-0x0000000000000000-mapping.dmp

Download
memory/1300-134-0x0000000006D50000-0x0000000006EB1000-memory.dmp

Filesize
1.4MB

Download
memory/1300-66-0x0000000006F60000-0x00000000070F1000-memory.dmp

Filesize
1.6MB

Download
memory/1300-138-0x0000000007C40000-0x0000000007DDD000-memory.dmp

Filesize
1.6MB

Download
memory/1300-137-0x00000000088C0000-0x0000000008A53000-memory.dmp

Filesize
1.6MB

Download
memory/1300-95-0x00000000044E0000-0x00000000045D5000-memory.dmp

Filesize
980KB

Download
memory/1300-64-0x0000000005F90000-0x0000000006123000-memory.dmp

Filesize
1.6MB

Download
memory/1300-85-0x00000000076F0000-0x0000000007897000-memory.dmp

Filesize
1.7MB

Download
memory/1300-111-0x00000000064B0000-0x00000000065F9000-memory.dmp

Filesize
1.3MB

Download
memory/1300-100-0x0000000006220000-0x000000000635A000-memory.dmp

Filesize
1.2MB

Download
memory/1300-157-0x0000000008D10000-0x0000000008DFF000-memory.dmp

Filesize
956KB

Download
memory/1300-122-0x00000000067E0000-0x00000000068C0000-memory.dmp

Filesize
896KB

Download
memory/1300-120-0x0000000006AA0000-0x0000000006B56000-memory.dmp

Filesize
728KB

Download
memory/1300-155-0x0000000008BA0000-0x0000000008D0B000-memory.dmp

Filesize
1.4MB

Download
memory/1392-68-0x0000000000000000-mapping.dmp

Download
memory/1408-70-0x00000000000F0000-0x000000000011D000-memory.dmp

Filesize
180KB

Download
memory/1408-121-0x0000000001D00000-0x0000000001D93000-memory.dmp

Filesize
588KB

Download
memory/1408-67-0x0000000000000000-mapping.dmp

Download
memory/1408-71-0x0000000001E40000-0x0000000002143000-memory.dmp

Filesize
3.0MB

Download
memory/1408-69-0x0000000000210000-0x000000000021B000-memory.dmp

Filesize
44KB

Download
memory/1456-288-0x000000000041E300-mapping.dmp

Download
memory/1460-252-0x0000000000000000-mapping.dmp

Download
memory/1476-203-0x000000000041E300-mapping.dmp

Download
memory/1484-91-0x0000000000000000-mapping.dmp

Download
memory/1492-271-0x000000000041E300-mapping.dmp

Download
memory/1500-177-0x0000000000000000-mapping.dmp

Download
memory/1528-254-0x000000000041E300-mapping.dmp

Download
memory/1540-163-0x000000000041E300-mapping.dmp

Download
memory/1540-171-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1576-232-0x0000000000000000-mapping.dmp

Download
memory/1644-204-0x0000000000000000-mapping.dmp

Download
memory/1660-125-0x000000000041E300-mapping.dmp

Download
memory/1660-131-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1660-132-0x0000000000EF0000-0x00000000011F3000-memory.dmp

Filesize
3.0MB

Download
memory/1660-136-0x0000000000380000-0x0000000000394000-memory.dmp

Filesize
80KB

Download
memory/1688-286-0x0000000000000000-mapping.dmp

Download
memory/1692-107-0x000000000041E300-mapping.dmp

Download
memory/1692-115-0x0000000000DD0000-0x00000000010D3000-memory.dmp

Filesize
3.0MB

Download
memory/1692-118-0x0000000000340000-0x0000000000354000-memory.dmp

Filesize
80KB

Download
memory/1700-303-0x0000000000000000-mapping.dmp

Download
memory/1712-105-0x0000000000000000-mapping.dmp

Download
memory/1716-229-0x0000000000000000-mapping.dmp

Download
memory/1732-251-0x0000000000000000-mapping.dmp

Download
memory/1740-160-0x0000000000000000-mapping.dmp

Download
memory/1740-170-0x0000000000600000-0x0000000000614000-memory.dmp

Filesize
80KB

Download
memory/1740-172-0x0000000000090000-0x00000000000BD000-memory.dmp

Filesize
180KB

Download
memory/1780-101-0x0000000000000000-mapping.dmp

Download
memory/1820-147-0x000000000041E300-mapping.dmp

Download
memory/1820-159-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1820-156-0x00000000002E0000-0x00000000002F4000-memory.dmp

Filesize
80KB

Download
memory/1820-158-0x0000000000DA0000-0x00000000010A3000-memory.dmp

Filesize
3.0MB

Download
memory/1824-98-0x00000000001F0000-0x0000000000204000-memory.dmp

Filesize
80KB

Download
memory/1824-142-0x0000000000240000-0x0000000000254000-memory.dmp

Filesize
80KB

Download
memory/1824-89-0x000000000041E300-mapping.dmp

Download
memory/1824-96-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1824-97-0x0000000000D00000-0x0000000001003000-memory.dmp

Filesize
3.0MB

Download
memory/1832-269-0x0000000000000000-mapping.dmp

Download
memory/1952-231-0x0000000000000000-mapping.dmp

Download
memory/1972-201-0x0000000000000000-mapping.dmp

Download
memory/2004-166-0x0000000000000000-mapping.dmp

Download
memory/2024-180-0x000000000041E300-mapping.dmp

Download