formbook | d28a86bcfc1a16880fcf3e42f04a4a840f92086ae386d180a5c22e7f354c74a3

Analysis

max time kernel
170s
max time network
207s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
21-05-2022 11:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Payment Slip.exe
Size

278KB
MD5

e2ac3d9facc2259a85c66087ff0b6a85
SHA1

b592f4eea4d6632f6f543c75d71c4749e8aa8b69
SHA256

370f3e9f42d074cd9575a0fa8df285e970dda741ae4200b54fb53f0a3145369e
SHA512

226bf723fc4094cf2ac6ca74ff9fdefc0daebe90de2d905b0b9c7acae8c9d3e3956c17f1df80d736bb2bae094d075d307c05534485eae6c51575b2939261ae4c

Score

10^/10

formbook kfr rat spyware stealer suricata trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

kfr

Decoy

pensight.com

in4rac-acc3es-re7unds1.com

iznjreb.com

globalqled.com

njzscy.com

763bifa.com

coinpatent.com

tipsfoorti.com

lukusabusiness.com

tokaminerale.com

jinshavip74.com

idbcc.com

maxfacto.com

graffititheworld.com

connecticutwatercooler.com

matroofing.com

route-ceram.com

redwaterservices.com

bracifyritugupta.com

discoverfrenchtown.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata

Formbook Payload 13 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4688-135-0x0000000000400000-0x000000000042D000-memory.dmp	formbook
behavioral2/memory/4864-140-0x0000000000400000-0x000000000042D000-memory.dmp	formbook
behavioral2/memory/1300-147-0x0000000000400000-0x000000000042D000-memory.dmp	formbook
behavioral2/memory/3324-164-0x0000000000400000-0x000000000042D000-memory.dmp	formbook
behavioral2/memory/4180-167-0x0000000000930000-0x000000000095D000-memory.dmp	formbook
behavioral2/memory/5084-174-0x00000000011C0000-0x00000000011ED000-memory.dmp	formbook
behavioral2/memory/1336-180-0x0000000001060000-0x000000000108D000-memory.dmp	formbook
behavioral2/memory/4016-190-0x0000000000F70000-0x0000000000F9D000-memory.dmp	formbook
behavioral2/memory/4452-192-0x0000000000A90000-0x0000000000ABD000-memory.dmp	formbook
behavioral2/memory/2200-204-0x0000000000400000-0x000000000042D000-memory.dmp	formbook
behavioral2/memory/1772-213-0x0000000000400000-0x000000000042D000-memory.dmp	formbook
behavioral2/memory/976-223-0x0000000000400000-0x000000000042D000-memory.dmp	formbook
behavioral2/memory/4180-225-0x0000000002990000-0x0000000002AB0000-memory.dmp	formbook

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Payment Slip.exePayment Slip.exePayment Slip.exePayment Slip.exePayment Slip.exePayment Slip.exePayment Slip.exePayment Slip.exePayment Slip.exePayment Slip.exePayment Slip.exePayment Slip.exePayment Slip.exePayment Slip.exePayment Slip.exePayment Slip.exePayment Slip.exePayment Slip.exePayment Slip.exePayment Slip.exePayment Slip.exePayment Slip.exePayment Slip.exePayment Slip.exePayment Slip.exePayment Slip.exePayment Slip.exePayment Slip.exePayment Slip.exePayment Slip.exePayment Slip.exePayment Slip.exePayment Slip.exePayment Slip.exePayment Slip.exePayment Slip.exePayment Slip.exePayment Slip.exePayment Slip.exePayment Slip.exePayment Slip.exePayment Slip.exePayment Slip.exePayment Slip.exePayment Slip.exeRegAsm.exePayment Slip.exePayment Slip.exePayment Slip.exePayment Slip.exePayment Slip.exePayment Slip.exePayment Slip.exePayment Slip.exePayment Slip.exePayment Slip.exePayment Slip.exePayment Slip.exeRegAsm.exePayment Slip.exePayment Slip.exePayment Slip.exePayment Slip.exePayment Slip.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	Payment Slip.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	Payment Slip.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	Payment Slip.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	Payment Slip.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	Payment Slip.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	Payment Slip.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	Payment Slip.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	Payment Slip.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	Payment Slip.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	Payment Slip.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	Payment Slip.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	Payment Slip.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	Payment Slip.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	Payment Slip.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	Payment Slip.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	Payment Slip.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	Payment Slip.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	Payment Slip.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	Payment Slip.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	Payment Slip.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	Payment Slip.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	Payment Slip.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	Payment Slip.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	Payment Slip.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	Payment Slip.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	Payment Slip.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	Payment Slip.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	Payment Slip.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	Payment Slip.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	Payment Slip.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	Payment Slip.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	Payment Slip.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	Payment Slip.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	Payment Slip.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	Payment Slip.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	Payment Slip.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	Payment Slip.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	Payment Slip.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	Payment Slip.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	Payment Slip.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	Payment Slip.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	Payment Slip.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	Payment Slip.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	Payment Slip.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	Payment Slip.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	RegAsm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	Payment Slip.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	Payment Slip.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	Payment Slip.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	Payment Slip.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	Payment Slip.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	Payment Slip.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	Payment Slip.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	Payment Slip.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	Payment Slip.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	Payment Slip.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	Payment Slip.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	Payment Slip.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	RegAsm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	Payment Slip.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	Payment Slip.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	Payment Slip.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	Payment Slip.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	Payment Slip.exe

Drops startup file 2 IoCs

Processes:

Payment Slip.exePayment Slip.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HJdyTuap.exe	Payment Slip.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HJdyTuap.exe	Payment Slip.exe

Suspicious use of SetThreadContext 64 IoCs

Processes:

Payment Slip.exeRegAsm.exePayment Slip.exePayment Slip.exeRegAsm.exeRegAsm.exePayment Slip.exeRegAsm.exePayment Slip.exeRegAsm.exePayment Slip.exeRegAsm.exePayment Slip.exeRegAsm.exePayment Slip.exeRegAsm.exePayment Slip.exePayment Slip.exeRegAsm.exeRegAsm.exePayment Slip.exePayment Slip.exeRegAsm.exeRegAsm.exePayment Slip.exePayment Slip.exeRegAsm.exeRegAsm.exePayment Slip.exeRegAsm.exeexplorer.exePayment Slip.exeRegAsm.exePayment Slip.exeRegAsm.exePayment Slip.exeRegAsm.exePayment Slip.exePayment Slip.exeRegAsm.exeRegAsm.exePayment Slip.exePayment Slip.exeRegAsm.exeRegAsm.exePayment Slip.exePayment Slip.exeRegAsm.exeRegAsm.exePayment Slip.exePayment Slip.exeRegAsm.exePayment Slip.exeRegAsm.exe

description	pid	process	target process
PID 2224 set thread context of 4688	2224	Payment Slip.exe	RegAsm.exe
PID 4688 set thread context of 1124	4688	RegAsm.exe	Explorer.EXE
PID 4236 set thread context of 4864	4236	Payment Slip.exe	RegAsm.exe
PID 4364 set thread context of 1300	4364	Payment Slip.exe	RegAsm.exe
PID 4864 set thread context of 1124	4864	RegAsm.exe	Explorer.EXE
PID 1300 set thread context of 1124	1300	RegAsm.exe	Explorer.EXE
PID 1468 set thread context of 756	1468	Payment Slip.exe	RegAsm.exe
PID 756 set thread context of 1124	756	RegAsm.exe	Explorer.EXE
PID 2004 set thread context of 3324	2004	Payment Slip.exe	RegAsm.exe
PID 3324 set thread context of 1124	3324	RegAsm.exe	Explorer.EXE
PID 4780 set thread context of 1824	4780	Payment Slip.exe	RegAsm.exe
PID 1824 set thread context of 1124	1824	RegAsm.exe	Explorer.EXE
PID 3068 set thread context of 3632	3068	Payment Slip.exe	RegAsm.exe
PID 3632 set thread context of 1124	3632	RegAsm.exe	Explorer.EXE
PID 4692 set thread context of 4472	4692	Payment Slip.exe	RegAsm.exe
PID 756 set thread context of 4180	756	RegAsm.exe	explorer.exe
PID 4472 set thread context of 1124	4472	RegAsm.exe	Explorer.EXE
PID 3980 set thread context of 2200	3980	Payment Slip.exe	RegAsm.exe
PID 4548 set thread context of 1492	4548	Payment Slip.exe	RegAsm.exe
PID 2200 set thread context of 1124	2200	RegAsm.exe	Explorer.EXE
PID 1492 set thread context of 1124	1492	RegAsm.exe	Explorer.EXE
PID 4272 set thread context of 1772	4272	Payment Slip.exe	RegAsm.exe
PID 3212 set thread context of 3352	3212	Payment Slip.exe	RegAsm.exe
PID 1772 set thread context of 1124	1772	RegAsm.exe	Explorer.EXE
PID 3352 set thread context of 1124	3352	RegAsm.exe	Explorer.EXE
PID 3532 set thread context of 976	3532	Payment Slip.exe	RegAsm.exe
PID 4444 set thread context of 3944	4444	Payment Slip.exe	RegAsm.exe
PID 976 set thread context of 1124	976	RegAsm.exe	Explorer.EXE
PID 3944 set thread context of 1124	3944	RegAsm.exe	Explorer.EXE
PID 756 set thread context of 1124	756	RegAsm.exe	Explorer.EXE
PID 2200 set thread context of 4180	2200	RegAsm.exe	explorer.exe
PID 1492 set thread context of 4180	1492	RegAsm.exe	explorer.exe
PID 1872 set thread context of 1588	1872	Payment Slip.exe	RegAsm.exe
PID 1772 set thread context of 4180	1772	RegAsm.exe	explorer.exe
PID 3352 set thread context of 4180	3352	RegAsm.exe	explorer.exe
PID 1588 set thread context of 1124	1588	RegAsm.exe	Explorer.EXE
PID 4180 set thread context of 1124	4180	explorer.exe	Explorer.EXE
PID 4540 set thread context of 2520	4540	Payment Slip.exe	RegAsm.exe
PID 2520 set thread context of 1124	2520	RegAsm.exe	Explorer.EXE
PID 4140 set thread context of 1976	4140	Payment Slip.exe	RegAsm.exe
PID 1492 set thread context of 1124	1492	RegAsm.exe	Explorer.EXE
PID 1772 set thread context of 1124	1772	RegAsm.exe	Explorer.EXE
PID 1976 set thread context of 1124	1976	RegAsm.exe	Explorer.EXE
PID 2080 set thread context of 4792	2080	Payment Slip.exe	RegAsm.exe
PID 4792 set thread context of 1124	4792	RegAsm.exe	Explorer.EXE
PID 3148 set thread context of 2044	3148	Payment Slip.exe	RegAsm.exe
PID 4392 set thread context of 1960	4392	Payment Slip.exe	RegAsm.exe
PID 2044 set thread context of 1124	2044	RegAsm.exe	Explorer.EXE
PID 1960 set thread context of 1124	1960	RegAsm.exe	Explorer.EXE
PID 820 set thread context of 1220	820	Payment Slip.exe	RegAsm.exe
PID 2412 set thread context of 2096	2412	Payment Slip.exe	RegAsm.exe
PID 1220 set thread context of 1124	1220	RegAsm.exe	Explorer.EXE
PID 2096 set thread context of 1124	2096	RegAsm.exe	Explorer.EXE
PID 4612 set thread context of 1908	4612	Payment Slip.exe	RegAsm.exe
PID 2624 set thread context of 444	2624	Payment Slip.exe	RegAsm.exe
PID 1908 set thread context of 1124	1908	RegAsm.exe	Explorer.EXE
PID 444 set thread context of 1124	444	RegAsm.exe	Explorer.EXE
PID 4180 set thread context of 2588	4180	explorer.exe	explorer.exe
PID 4432 set thread context of 3860	4432	Payment Slip.exe	RegAsm.exe
PID 1220 set thread context of 4180	1220	RegAsm.exe	explorer.exe
PID 1640 set thread context of 3716	1640	Payment Slip.exe	RegAsm.exe
PID 3860 set thread context of 1124	3860	RegAsm.exe	Explorer.EXE
PID 2640 set thread context of 2256	2640	Payment Slip.exe	RegAsm.exe
PID 3716 set thread context of 1124	3716	RegAsm.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chkdsk.exechkdsk.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	chkdsk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	chkdsk.exe

Gathers network information 2 TTPs 8 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

ipconfig.exeNETSTAT.EXENETSTAT.EXEipconfig.exeNETSTAT.EXENETSTAT.EXENETSTAT.EXENETSTAT.EXE

pid process

5876 ipconfig.exe
3912 NETSTAT.EXE
5112 NETSTAT.EXE
4352 ipconfig.exe
3976 NETSTAT.EXE
3080 NETSTAT.EXE
4748 NETSTAT.EXE
1444 NETSTAT.EXE

pid	process
5876	ipconfig.exe
3912	NETSTAT.EXE
5112	NETSTAT.EXE
4352	ipconfig.exe
3976	NETSTAT.EXE
3080	NETSTAT.EXE
4748	NETSTAT.EXE
1444	NETSTAT.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Payment Slip.exe

pid	process
2224	Payment Slip.exe
2224	Payment Slip.exe
2224	Payment Slip.exe
2224	Payment Slip.exe
2224	Payment Slip.exe
2224	Payment Slip.exe
2224	Payment Slip.exe
2224	Payment Slip.exe
2224	Payment Slip.exe
2224	Payment Slip.exe
2224	Payment Slip.exe
2224	Payment Slip.exe
2224	Payment Slip.exe
2224	Payment Slip.exe
2224	Payment Slip.exe
2224	Payment Slip.exe
2224	Payment Slip.exe
2224	Payment Slip.exe
2224	Payment Slip.exe
2224	Payment Slip.exe
2224	Payment Slip.exe
2224	Payment Slip.exe
2224	Payment Slip.exe
2224	Payment Slip.exe
2224	Payment Slip.exe
2224	Payment Slip.exe
2224	Payment Slip.exe
2224	Payment Slip.exe
2224	Payment Slip.exe
2224	Payment Slip.exe
2224	Payment Slip.exe
2224	Payment Slip.exe
2224	Payment Slip.exe
2224	Payment Slip.exe
2224	Payment Slip.exe
2224	Payment Slip.exe
2224	Payment Slip.exe
2224	Payment Slip.exe
2224	Payment Slip.exe
2224	Payment Slip.exe
2224	Payment Slip.exe
2224	Payment Slip.exe
2224	Payment Slip.exe
2224	Payment Slip.exe
2224	Payment Slip.exe
2224	Payment Slip.exe
2224	Payment Slip.exe
2224	Payment Slip.exe
2224	Payment Slip.exe
2224	Payment Slip.exe
2224	Payment Slip.exe
2224	Payment Slip.exe
2224	Payment Slip.exe
2224	Payment Slip.exe
2224	Payment Slip.exe
2224	Payment Slip.exe
2224	Payment Slip.exe
2224	Payment Slip.exe
2224	Payment Slip.exe
2224	Payment Slip.exe
2224	Payment Slip.exe
2224	Payment Slip.exe
2224	Payment Slip.exe
2224	Payment Slip.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1124 Explorer.EXE

pid	process
1124	Explorer.EXE

Suspicious behavior: MapViewOfSection 64 IoCs

Processes:

pid	process
2224	Payment Slip.exe
4688	RegAsm.exe
4236	Payment Slip.exe
4364	Payment Slip.exe
4864	RegAsm.exe
1300	RegAsm.exe
1468	Payment Slip.exe
1468	Payment Slip.exe
756	RegAsm.exe
2004	Payment Slip.exe
4688	RegAsm.exe
4688	RegAsm.exe
3324	RegAsm.exe
4780	Payment Slip.exe
4864	RegAsm.exe
4864	RegAsm.exe
1824	RegAsm.exe
1300	RegAsm.exe
1300	RegAsm.exe
3068	Payment Slip.exe
3632	RegAsm.exe
4180	explorer.exe
3324	RegAsm.exe
3324	RegAsm.exe
1824	RegAsm.exe
1824	RegAsm.exe
4692	Payment Slip.exe
756	RegAsm.exe
4472	RegAsm.exe
3980	Payment Slip.exe
4548	Payment Slip.exe
4548	Payment Slip.exe
2200	RegAsm.exe
1492	RegAsm.exe
4272	Payment Slip.exe
3212	Payment Slip.exe
1772	RegAsm.exe
3352	RegAsm.exe
3532	Payment Slip.exe
4444	Payment Slip.exe
4444	Payment Slip.exe
4444	Payment Slip.exe
976	RegAsm.exe
3944	RegAsm.exe
756	RegAsm.exe
3632	RegAsm.exe
4472	RegAsm.exe
3632	RegAsm.exe
4472	RegAsm.exe
2200	RegAsm.exe
1492	RegAsm.exe
1872	Payment Slip.exe
1588	RegAsm.exe
1772	RegAsm.exe
3352	RegAsm.exe
756	RegAsm.exe
756	RegAsm.exe
4180	explorer.exe
976	RegAsm.exe
976	RegAsm.exe
4540	Payment Slip.exe
2200	RegAsm.exe
2200	RegAsm.exe
3352	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Payment Slip.exeRegAsm.exePayment Slip.exePayment Slip.exeRegAsm.exeRegAsm.exePayment Slip.exeRegAsm.exePayment Slip.exeRegAsm.exeexplorer.exePayment Slip.exeRegAsm.exePayment Slip.exewscript.execmstp.exeRegAsm.exePayment Slip.exenetsh.exeRegAsm.exechkdsk.exePayment Slip.exePayment Slip.exeRegAsm.exeRegAsm.exePayment Slip.exePayment Slip.exeRegAsm.exeRegAsm.exePayment Slip.exePayment Slip.exeRegAsm.exeRegAsm.exePayment Slip.exesystray.exeRegAsm.exeNETSTAT.EXEsvchost.exePayment Slip.exeexplorer.exeRegAsm.exePayment Slip.execscript.execscript.exeexplorer.exeRegAsm.execolorcpl.exeraserver.exePayment Slip.exeraserver.exeRegAsm.execmmon32.execmmon32.exePayment Slip.exeRegAsm.exePayment Slip.exeRegAsm.exePayment Slip.exeRegAsm.exePayment Slip.exeRegAsm.exePayment Slip.exeRegAsm.exePayment Slip.exe

description	pid	process
Token: SeDebugPrivilege	2224	Payment Slip.exe
Token: SeDebugPrivilege	4688	RegAsm.exe
Token: SeDebugPrivilege	4236	Payment Slip.exe
Token: SeDebugPrivilege	4364	Payment Slip.exe
Token: SeDebugPrivilege	4864	RegAsm.exe
Token: SeDebugPrivilege	1300	RegAsm.exe
Token: SeDebugPrivilege	1468	Payment Slip.exe
Token: SeDebugPrivilege	756	RegAsm.exe
Token: SeDebugPrivilege	2004	Payment Slip.exe
Token: SeDebugPrivilege	3324	RegAsm.exe
Token: SeDebugPrivilege	4180	explorer.exe
Token: SeDebugPrivilege	4780	Payment Slip.exe
Token: SeDebugPrivilege	1824	RegAsm.exe
Token: SeDebugPrivilege	3068	Payment Slip.exe
Token: SeDebugPrivilege	5084	wscript.exe
Token: SeDebugPrivilege	1336	cmstp.exe
Token: SeDebugPrivilege	3632	RegAsm.exe
Token: SeDebugPrivilege	4692	Payment Slip.exe
Token: SeDebugPrivilege	4016	netsh.exe
Token: SeDebugPrivilege	4472	RegAsm.exe
Token: SeDebugPrivilege	4452	chkdsk.exe
Token: SeDebugPrivilege	3980	Payment Slip.exe
Token: SeDebugPrivilege	4548	Payment Slip.exe
Token: SeDebugPrivilege	2200	RegAsm.exe
Token: SeDebugPrivilege	1492	RegAsm.exe
Token: SeDebugPrivilege	4272	Payment Slip.exe
Token: SeDebugPrivilege	3212	Payment Slip.exe
Token: SeDebugPrivilege	1772	RegAsm.exe
Token: SeDebugPrivilege	3352	RegAsm.exe
Token: SeDebugPrivilege	3532	Payment Slip.exe
Token: SeDebugPrivilege	4444	Payment Slip.exe
Token: SeDebugPrivilege	976	RegAsm.exe
Token: SeDebugPrivilege	3944	RegAsm.exe
Token: SeDebugPrivilege	1872	Payment Slip.exe
Token: SeDebugPrivilege	2164	systray.exe
Token: SeDebugPrivilege	1588	RegAsm.exe
Token: SeDebugPrivilege	3912	NETSTAT.EXE
Token: SeDebugPrivilege	544	svchost.exe
Token: SeDebugPrivilege	4540	Payment Slip.exe
Token: SeDebugPrivilege	64	explorer.exe
Token: SeDebugPrivilege	2520	RegAsm.exe
Token: SeDebugPrivilege	4140	Payment Slip.exe
Token: SeDebugPrivilege	1536	cscript.exe
Token: SeDebugPrivilege	2900	cscript.exe
Token: SeDebugPrivilege	1584	explorer.exe
Token: SeDebugPrivilege	1976	RegAsm.exe
Token: SeDebugPrivilege	3048	colorcpl.exe
Token: SeDebugPrivilege	4160	raserver.exe
Token: SeDebugPrivilege	2080	Payment Slip.exe
Token: SeDebugPrivilege	4284	raserver.exe
Token: SeDebugPrivilege	4792	RegAsm.exe
Token: SeDebugPrivilege	1576	cmmon32.exe
Token: SeDebugPrivilege	3956	cmmon32.exe
Token: SeDebugPrivilege	3148	Payment Slip.exe
Token: SeDebugPrivilege	2044	RegAsm.exe
Token: SeDebugPrivilege	4392	Payment Slip.exe
Token: SeDebugPrivilege	1960	RegAsm.exe
Token: SeDebugPrivilege	820	Payment Slip.exe
Token: SeDebugPrivilege	1220	RegAsm.exe
Token: SeDebugPrivilege	2412	Payment Slip.exe
Token: SeDebugPrivilege	2096	RegAsm.exe
Token: SeDebugPrivilege	4612	Payment Slip.exe
Token: SeDebugPrivilege	1908	RegAsm.exe
Token: SeDebugPrivilege	2624	Payment Slip.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Payment Slip.exeExplorer.EXEPayment Slip.exePayment Slip.exePayment Slip.exePayment Slip.exeexplorer.exePayment Slip.exePayment Slip.exe

description	pid	process	target process
PID 2224 wrote to memory of 4688	2224	Payment Slip.exe	RegAsm.exe
PID 2224 wrote to memory of 4688	2224	Payment Slip.exe	RegAsm.exe
PID 2224 wrote to memory of 4688	2224	Payment Slip.exe	RegAsm.exe
PID 2224 wrote to memory of 4688	2224	Payment Slip.exe	RegAsm.exe
PID 2224 wrote to memory of 4236	2224	Payment Slip.exe	Payment Slip.exe
PID 2224 wrote to memory of 4236	2224	Payment Slip.exe	Payment Slip.exe
PID 2224 wrote to memory of 4236	2224	Payment Slip.exe	Payment Slip.exe
PID 1124 wrote to memory of 4180	1124	Explorer.EXE	explorer.exe
PID 1124 wrote to memory of 4180	1124	Explorer.EXE	explorer.exe
PID 1124 wrote to memory of 4180	1124	Explorer.EXE	explorer.exe
PID 4236 wrote to memory of 4864	4236	Payment Slip.exe	RegAsm.exe
PID 4236 wrote to memory of 4864	4236	Payment Slip.exe	RegAsm.exe
PID 4236 wrote to memory of 4864	4236	Payment Slip.exe	RegAsm.exe
PID 4236 wrote to memory of 4864	4236	Payment Slip.exe	RegAsm.exe
PID 4236 wrote to memory of 4364	4236	Payment Slip.exe	Payment Slip.exe
PID 4236 wrote to memory of 4364	4236	Payment Slip.exe	Payment Slip.exe
PID 4236 wrote to memory of 4364	4236	Payment Slip.exe	Payment Slip.exe
PID 4364 wrote to memory of 1300	4364	Payment Slip.exe	RegAsm.exe
PID 4364 wrote to memory of 1300	4364	Payment Slip.exe	RegAsm.exe
PID 4364 wrote to memory of 1300	4364	Payment Slip.exe	RegAsm.exe
PID 4364 wrote to memory of 1300	4364	Payment Slip.exe	RegAsm.exe
PID 1124 wrote to memory of 5084	1124	Explorer.EXE	wscript.exe
PID 1124 wrote to memory of 5084	1124	Explorer.EXE	wscript.exe
PID 1124 wrote to memory of 5084	1124	Explorer.EXE	wscript.exe
PID 4364 wrote to memory of 1468	4364	Payment Slip.exe	Payment Slip.exe
PID 4364 wrote to memory of 1468	4364	Payment Slip.exe	Payment Slip.exe
PID 4364 wrote to memory of 1468	4364	Payment Slip.exe	Payment Slip.exe
PID 1124 wrote to memory of 1336	1124	Explorer.EXE	cmstp.exe
PID 1124 wrote to memory of 1336	1124	Explorer.EXE	cmstp.exe
PID 1124 wrote to memory of 1336	1124	Explorer.EXE	cmstp.exe
PID 1468 wrote to memory of 4072	1468	Payment Slip.exe	RegAsm.exe
PID 1468 wrote to memory of 4072	1468	Payment Slip.exe	RegAsm.exe
PID 1468 wrote to memory of 4072	1468	Payment Slip.exe	RegAsm.exe
PID 1468 wrote to memory of 756	1468	Payment Slip.exe	RegAsm.exe
PID 1468 wrote to memory of 756	1468	Payment Slip.exe	RegAsm.exe
PID 1468 wrote to memory of 756	1468	Payment Slip.exe	RegAsm.exe
PID 1468 wrote to memory of 756	1468	Payment Slip.exe	RegAsm.exe
PID 1468 wrote to memory of 2004	1468	Payment Slip.exe	Payment Slip.exe
PID 1468 wrote to memory of 2004	1468	Payment Slip.exe	Payment Slip.exe
PID 1468 wrote to memory of 2004	1468	Payment Slip.exe	Payment Slip.exe
PID 2004 wrote to memory of 3324	2004	Payment Slip.exe	RegAsm.exe
PID 2004 wrote to memory of 3324	2004	Payment Slip.exe	RegAsm.exe
PID 2004 wrote to memory of 3324	2004	Payment Slip.exe	RegAsm.exe
PID 2004 wrote to memory of 3324	2004	Payment Slip.exe	RegAsm.exe
PID 2004 wrote to memory of 4780	2004	Payment Slip.exe	Payment Slip.exe
PID 2004 wrote to memory of 4780	2004	Payment Slip.exe	Payment Slip.exe
PID 2004 wrote to memory of 4780	2004	Payment Slip.exe	Payment Slip.exe
PID 1124 wrote to memory of 4016	1124	Explorer.EXE	netsh.exe
PID 1124 wrote to memory of 4016	1124	Explorer.EXE	netsh.exe
PID 1124 wrote to memory of 4016	1124	Explorer.EXE	netsh.exe
PID 4180 wrote to memory of 216	4180	explorer.exe	cmd.exe
PID 4180 wrote to memory of 216	4180	explorer.exe	cmd.exe
PID 4180 wrote to memory of 216	4180	explorer.exe	cmd.exe
PID 4780 wrote to memory of 1824	4780	Payment Slip.exe	RegAsm.exe
PID 4780 wrote to memory of 1824	4780	Payment Slip.exe	RegAsm.exe
PID 4780 wrote to memory of 1824	4780	Payment Slip.exe	RegAsm.exe
PID 4780 wrote to memory of 1824	4780	Payment Slip.exe	RegAsm.exe
PID 4780 wrote to memory of 3068	4780	Payment Slip.exe	Payment Slip.exe
PID 4780 wrote to memory of 3068	4780	Payment Slip.exe	Payment Slip.exe
PID 4780 wrote to memory of 3068	4780	Payment Slip.exe	Payment Slip.exe
PID 1124 wrote to memory of 4452	1124	Explorer.EXE	chkdsk.exe
PID 1124 wrote to memory of 4452	1124	Explorer.EXE	chkdsk.exe
PID 1124 wrote to memory of 4452	1124	Explorer.EXE	chkdsk.exe
PID 3068 wrote to memory of 3632	3068	Payment Slip.exe	RegAsm.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:1124

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
2⤵
- Checks computer location settings
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2224

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4688

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
3⤵
- Checks computer location settings
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4236

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4864

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
4⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4364

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
5⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1300

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
5⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1468

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
6⤵
PID:4072

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
6⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:756

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
6⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2004

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
7⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3324

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
7⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4780

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
8⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1824

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
8⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3068

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
9⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3632

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
9⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4692

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
10⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4472

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
10⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3980

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
11⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2200

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
11⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4548

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
12⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1492

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
12⤵
PID:4984

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
12⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4272

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
13⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1772

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
13⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3212

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
14⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3352

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
14⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3532

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
15⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:976

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
15⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4444

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
16⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3944

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
16⤵
PID:1640

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
16⤵
PID:1092

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
16⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1872

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
17⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1588

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
17⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4540

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
18⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2520

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
18⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:4140

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
19⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1976

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
19⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2080

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
20⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:4792

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
20⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:3148

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
21⤵
PID:4424

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
21⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2044

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
21⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:4392

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
22⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1960

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
22⤵
PID:2116

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
22⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:820

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
23⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1220

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
23⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2412

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
24⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2096

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
24⤵
PID:1332

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
24⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:4612

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
25⤵
PID:3980

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
25⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1908

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
25⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2624

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
26⤵
- Suspicious use of SetThreadContext
PID:444

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
26⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
PID:4432

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
27⤵
- Suspicious use of SetThreadContext
PID:3860

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
27⤵
PID:3644

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
27⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
PID:1640

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
28⤵
- Suspicious use of SetThreadContext
PID:3716

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
28⤵
PID:2240

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
28⤵
PID:1192

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
28⤵
- Suspicious use of SetThreadContext
PID:2640

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
29⤵
PID:636

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
29⤵
PID:2256

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
29⤵
- Checks computer location settings
PID:4436

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
30⤵
PID:460

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
30⤵
- Checks computer location settings
PID:4752

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
31⤵
PID:3604

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
31⤵
- Checks computer location settings
PID:4256

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
32⤵
PID:4504

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
32⤵
PID:4668

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
32⤵
PID:3968

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
32⤵
- Checks computer location settings
PID:1380

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
33⤵
PID:4040

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
33⤵
PID:1580

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
33⤵
- Checks computer location settings
PID:4540

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
34⤵
PID:4080

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
34⤵
PID:1396

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
34⤵
- Checks computer location settings
PID:5088

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
35⤵
PID:888

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
35⤵
- Checks computer location settings
PID:4736

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
36⤵
PID:1376

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
36⤵
- Checks computer location settings
PID:2188

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
37⤵
PID:4808

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
37⤵
- Checks computer location settings
PID:4996

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
38⤵
PID:4348

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
38⤵
- Checks computer location settings
PID:4612

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
39⤵
PID:3548

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
39⤵
- Checks computer location settings
PID:3688

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
40⤵
PID:1372

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
40⤵
- Checks computer location settings
PID:1640

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
41⤵
PID:3560

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
41⤵
PID:1700

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
41⤵
PID:4912

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
42⤵
PID:4436

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
42⤵
PID:4920

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
42⤵
- Checks computer location settings
PID:4264

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
43⤵
PID:972

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
43⤵
PID:432

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
43⤵
PID:4100

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
43⤵
- Checks computer location settings
PID:1856

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
44⤵
PID:4152

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
44⤵
PID:3588

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
45⤵
PID:4788

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
45⤵
PID:2592

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
45⤵
- Checks computer location settings
PID:2244

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
46⤵
PID:4784

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
46⤵
- Checks computer location settings
PID:1684

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
47⤵
PID:3336

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
47⤵
- Checks computer location settings
PID:780

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
48⤵
PID:1268

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
48⤵
- Checks computer location settings
PID:4856

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
49⤵
PID:2576

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
49⤵
PID:3948

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
49⤵
- Checks computer location settings
PID:4748

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
50⤵
PID:4756

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
50⤵
PID:2364

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
50⤵
- Checks computer location settings
PID:1056

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
51⤵
PID:4548

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
51⤵
- Checks computer location settings
PID:4776

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
52⤵
PID:1988

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
52⤵
- Checks computer location settings
PID:1184

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
53⤵
PID:2276

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
53⤵
PID:2020

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
54⤵
PID:1096

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
54⤵
- Checks computer location settings
PID:3872

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
55⤵
PID:1876

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
55⤵
PID:2676

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
55⤵
PID:1216

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
55⤵
- Checks computer location settings
PID:1304

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
56⤵
PID:1264

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
56⤵
PID:4000

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
56⤵
- Checks computer location settings
PID:1656

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
57⤵
PID:5016

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
57⤵
PID:4068

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
57⤵
PID:4736

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
58⤵
PID:2484

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
58⤵
PID:1292

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
59⤵
PID:2572

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
59⤵
PID:1604

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
59⤵
- Checks computer location settings
PID:4856

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
60⤵
PID:4828

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
60⤵
- Checks computer location settings
PID:4168

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
61⤵
PID:724

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
61⤵
- Checks computer location settings
PID:1724

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
62⤵
PID:3028

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
62⤵
- Checks computer location settings
PID:3368

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
63⤵
PID:984

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
63⤵
PID:556

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
64⤵
PID:4812

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
64⤵
PID:1320

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
64⤵
- Checks computer location settings
PID:2676

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
65⤵
PID:4764

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
65⤵
PID:3568

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
65⤵
PID:1264

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
66⤵
PID:4932

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
66⤵
PID:4376

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
67⤵
PID:4416

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
67⤵
PID:1392

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
68⤵
PID:2404

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
68⤵
PID:60

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
68⤵
PID:780

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
69⤵
PID:1292

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
69⤵
- Checks computer location settings
PID:5072

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
70⤵
PID:4700

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
70⤵
- Checks computer location settings
PID:1948

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
71⤵
PID:432

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
71⤵
- Checks computer location settings
PID:652

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
72⤵
PID:4668

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
72⤵
PID:4728

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
73⤵
PID:3368

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
73⤵
- Checks computer location settings
PID:2808

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
74⤵
PID:4540

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
74⤵
- Checks computer location settings
PID:1484

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
75⤵
PID:1956

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
75⤵
PID:3132

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
76⤵
PID:3068

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
76⤵
PID:4736

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
77⤵
PID:2356

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
77⤵
- Checks computer location settings
PID:2188

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
78⤵
PID:1380

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
78⤵
PID:2060

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
79⤵
PID:4244

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
79⤵
- Checks computer location settings
PID:3272

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
80⤵
PID:4408

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
80⤵
PID:4012

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
80⤵
PID:4220

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
80⤵
PID:376

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
81⤵
PID:4696

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
81⤵
- Checks computer location settings
PID:1876

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
82⤵
PID:4552

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
82⤵
PID:4728

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
83⤵
PID:2800

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
83⤵
PID:2724

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
84⤵
PID:3700

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
84⤵
- Checks computer location settings
PID:1580

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
85⤵
PID:3612

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
85⤵
- Checks computer location settings
PID:2244

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
86⤵
PID:924

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
86⤵
- Checks computer location settings
PID:3736

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
87⤵
PID:1880

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
87⤵
- Checks computer location settings
PID:3512

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
88⤵
PID:2116

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
88⤵
PID:1872

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
88⤵
- Checks computer location settings
PID:1180

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
89⤵
PID:4600

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
89⤵
PID:1724

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
90⤵
- Checks computer location settings
PID:2060

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
90⤵
PID:3876

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
91⤵
PID:4652

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
91⤵
PID:1008

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
92⤵
PID:2508

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
92⤵
PID:376

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
92⤵
PID:1920

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
92⤵
PID:1460

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
93⤵
PID:1648

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
93⤵
PID:4216

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
93⤵
PID:3816

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
94⤵
PID:400

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
94⤵
PID:4732

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
95⤵
- Checks computer location settings
PID:2724

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
95⤵
PID:4376

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
96⤵
PID:1392

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
96⤵
PID:1968

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
97⤵
PID:676

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
97⤵
PID:384

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
98⤵
PID:1260

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
98⤵
PID:2300

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
98⤵
PID:3024

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
98⤵
PID:4412

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
99⤵
PID:2860

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
99⤵
- Checks computer location settings
PID:376

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
100⤵
PID:1948

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
100⤵
PID:4836

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
101⤵
PID:3584

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
101⤵
PID:3888

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
101⤵
PID:4728

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
102⤵
PID:556

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
102⤵
PID:4936

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
103⤵
PID:4664

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
103⤵
PID:4376

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
104⤵
PID:2300

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
104⤵
PID:932

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
105⤵
PID:3824

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
105⤵
PID:1316

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
106⤵
PID:384

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
106⤵
PID:1184

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
106⤵
PID:1136

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
107⤵
PID:5072

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
107⤵
PID:2808

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
108⤵
PID:3272

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
108⤵
PID:2680

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
109⤵
PID:1980

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
109⤵
PID:1204

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
109⤵
PID:4672

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
110⤵
PID:2624

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
110⤵
PID:1704

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
111⤵
PID:1672

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
111⤵
PID:2240

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
112⤵
PID:1920

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
112⤵
PID:4216

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
113⤵
PID:3268

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
113⤵
PID:3888

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
114⤵
PID:4612

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
114⤵
PID:2272

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
115⤵
PID:4420

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
115⤵
PID:2676

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
115⤵
PID:4044

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
115⤵
PID:2344

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
116⤵
PID:1852

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
116⤵
PID:5392

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
117⤵
PID:5432

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
117⤵
PID:5588

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
118⤵
PID:5640

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
118⤵
PID:5680

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
119⤵
PID:5712

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
119⤵
PID:5820

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
120⤵
PID:5864

C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
120⤵
PID:6064

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
121⤵
PID:6120

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
121⤵
PID:6112

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\SysWOW64\explorer.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4180

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:216

C:\Windows\SysWOW64\cscript.exe
"C:\Windows\SysWOW64\cscript.exe"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2900

C:\Windows\SysWOW64\cscript.exe
"C:\Windows\SysWOW64\cscript.exe"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1536

C:\Windows\SysWOW64\mstsc.exe
"C:\Windows\SysWOW64\mstsc.exe"
3⤵
PID:3464

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\SysWOW64\svchost.exe"
3⤵
PID:3064

C:\Windows\SysWOW64\ipconfig.exe
"C:\Windows\SysWOW64\ipconfig.exe"
3⤵
- Gathers network information
PID:4352

C:\Windows\SysWOW64\wscript.exe
"C:\Windows\SysWOW64\wscript.exe"
3⤵
PID:1192

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe"
3⤵
PID:856

C:\Windows\SysWOW64\WWAHost.exe
"C:\Windows\SysWOW64\WWAHost.exe"
3⤵
PID:4912

C:\Windows\SysWOW64\help.exe
"C:\Windows\SysWOW64\help.exe"
3⤵
PID:4208

C:\Windows\SysWOW64\mstsc.exe
"C:\Windows\SysWOW64\mstsc.exe"
3⤵
PID:2072

C:\Windows\SysWOW64\NETSTAT.EXE
"C:\Windows\SysWOW64\NETSTAT.EXE"
3⤵
- Gathers network information
PID:4748

C:\Windows\SysWOW64\raserver.exe
"C:\Windows\SysWOW64\raserver.exe"
3⤵
PID:4408

C:\Windows\SysWOW64\systray.exe
"C:\Windows\SysWOW64\systray.exe"
3⤵
PID:780

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe"
3⤵
PID:3332

C:\Windows\SysWOW64\NETSTAT.EXE
"C:\Windows\SysWOW64\NETSTAT.EXE"
3⤵
- Gathers network information
PID:1444

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe"
3⤵
PID:2648

C:\Windows\SysWOW64\mstsc.exe
"C:\Windows\SysWOW64\mstsc.exe"
3⤵
PID:1872

C:\Windows\SysWOW64\chkdsk.exe
"C:\Windows\SysWOW64\chkdsk.exe"
3⤵
PID:680

C:\Windows\SysWOW64\wlanext.exe
"C:\Windows\SysWOW64\wlanext.exe"
3⤵
PID:1968

C:\Windows\SysWOW64\mstsc.exe
"C:\Windows\SysWOW64\mstsc.exe"
3⤵
PID:1752

C:\Windows\SysWOW64\systray.exe
"C:\Windows\SysWOW64\systray.exe"
3⤵
PID:1696

C:\Windows\SysWOW64\cmstp.exe
"C:\Windows\SysWOW64\cmstp.exe"
3⤵
PID:4736

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\SysWOW64\svchost.exe"
3⤵
PID:1952

C:\Windows\SysWOW64\mstsc.exe
"C:\Windows\SysWOW64\mstsc.exe"
3⤵
PID:1120

C:\Windows\SysWOW64\colorcpl.exe
"C:\Windows\SysWOW64\colorcpl.exe"
3⤵
PID:3140

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
3⤵
PID:2068

C:\Windows\SysWOW64\colorcpl.exe
"C:\Windows\SysWOW64\colorcpl.exe"
3⤵
PID:4140

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
3⤵
PID:2244

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\SysWOW64\msiexec.exe"
3⤵
PID:2404

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
3⤵
PID:1056

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
3⤵
PID:3472

C:\Windows\SysWOW64\chkdsk.exe
"C:\Windows\SysWOW64\chkdsk.exe"
3⤵
PID:2988

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe"
3⤵
PID:5160

C:\Windows\SysWOW64\wscript.exe
"C:\Windows\SysWOW64\wscript.exe"
3⤵
PID:1640

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\SysWOW64\svchost.exe"
3⤵
PID:5812

C:\Windows\SysWOW64\ipconfig.exe
"C:\Windows\SysWOW64\ipconfig.exe"
3⤵
- Gathers network information
PID:5876

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\SysWOW64\msiexec.exe"
3⤵
PID:5896

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\SysWOW64\msiexec.exe"
3⤵
PID:5908

C:\Windows\SysWOW64\help.exe
"C:\Windows\SysWOW64\help.exe"
3⤵
PID:5924

C:\Windows\SysWOW64\mstsc.exe
"C:\Windows\SysWOW64\mstsc.exe"
3⤵
PID:5936

C:\Windows\SysWOW64\wscript.exe
"C:\Windows\SysWOW64\wscript.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:5084

C:\Windows\SysWOW64\cmstp.exe
"C:\Windows\SysWOW64\cmstp.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1336

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\SysWOW64\netsh.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4016

C:\Windows\SysWOW64\chkdsk.exe
"C:\Windows\SysWOW64\chkdsk.exe"
2⤵
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:4452

C:\Windows\SysWOW64\systray.exe
"C:\Windows\SysWOW64\systray.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2164

C:\Windows\SysWOW64\NETSTAT.EXE
"C:\Windows\SysWOW64\NETSTAT.EXE"
2⤵
- Gathers network information
- Suspicious use of AdjustPrivilegeToken
PID:3912

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:984

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\SysWOW64\svchost.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:544

C:\Windows\SysWOW64\colorcpl.exe
"C:\Windows\SysWOW64\colorcpl.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3048

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\SysWOW64\explorer.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1584

C:\Windows\SysWOW64\chkdsk.exe
"C:\Windows\SysWOW64\chkdsk.exe"
2⤵
PID:2296

C:\Windows\SysWOW64\chkdsk.exe
"C:\Windows\SysWOW64\chkdsk.exe"
2⤵
PID:1104

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\SysWOW64\explorer.exe"
2⤵
PID:2588

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\SysWOW64\explorer.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:64

C:\Windows\SysWOW64\NETSTAT.EXE
"C:\Windows\SysWOW64\NETSTAT.EXE"
2⤵
- Gathers network information
PID:5112

C:\Windows\SysWOW64\raserver.exe
"C:\Windows\SysWOW64\raserver.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4160

C:\Windows\SysWOW64\raserver.exe
"C:\Windows\SysWOW64\raserver.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4284

C:\Windows\SysWOW64\cmmon32.exe
"C:\Windows\SysWOW64\cmmon32.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3956

C:\Windows\SysWOW64\cmmon32.exe
"C:\Windows\SysWOW64\cmmon32.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1576

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\SysWOW64\msiexec.exe"
2⤵
PID:5104

C:\Windows\SysWOW64\wlanext.exe
"C:\Windows\SysWOW64\wlanext.exe"
2⤵
PID:220

C:\Windows\SysWOW64\cmmon32.exe
"C:\Windows\SysWOW64\cmmon32.exe"
2⤵
PID:2236

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\SysWOW64\explorer.exe"
2⤵
PID:4716

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:2320

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\SysWOW64\svchost.exe"
2⤵
PID:1692

C:\Windows\SysWOW64\mstsc.exe
"C:\Windows\SysWOW64\mstsc.exe"
2⤵
PID:3076

C:\Windows\SysWOW64\wlanext.exe
"C:\Windows\SysWOW64\wlanext.exe"
2⤵
PID:2260

C:\Windows\SysWOW64\cmstp.exe
"C:\Windows\SysWOW64\cmstp.exe"
2⤵
PID:4584

C:\Windows\SysWOW64\systray.exe
"C:\Windows\SysWOW64\systray.exe"
2⤵
PID:1384

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\SysWOW64\netsh.exe"
2⤵
PID:3480

C:\Windows\SysWOW64\cscript.exe
"C:\Windows\SysWOW64\cscript.exe"
2⤵
PID:4248

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe"
2⤵
PID:2128

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\SysWOW64\explorer.exe"
2⤵
PID:2684

C:\Windows\SysWOW64\cmstp.exe
"C:\Windows\SysWOW64\cmstp.exe"
2⤵
PID:2192

C:\Windows\SysWOW64\wlanext.exe
"C:\Windows\SysWOW64\wlanext.exe"
2⤵
PID:3192

C:\Windows\SysWOW64\mstsc.exe
"C:\Windows\SysWOW64\mstsc.exe"
2⤵
PID:4556

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\SysWOW64\explorer.exe"
2⤵
PID:3468

C:\Windows\SysWOW64\control.exe
"C:\Windows\SysWOW64\control.exe"
2⤵
PID:3292

C:\Windows\SysWOW64\wscript.exe
"C:\Windows\SysWOW64\wscript.exe"
2⤵
PID:624

C:\Windows\SysWOW64\NETSTAT.EXE
"C:\Windows\SysWOW64\NETSTAT.EXE"
2⤵
- Gathers network information
PID:3976

C:\Windows\SysWOW64\colorcpl.exe
"C:\Windows\SysWOW64\colorcpl.exe"
2⤵
PID:4876

C:\Windows\SysWOW64\chkdsk.exe
"C:\Windows\SysWOW64\chkdsk.exe"
2⤵
- Enumerates system info in registry
PID:4276

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe"
2⤵
PID:3540

C:\Windows\SysWOW64\cmstp.exe
"C:\Windows\SysWOW64\cmstp.exe"
2⤵
PID:5100

C:\Windows\SysWOW64\raserver.exe
"C:\Windows\SysWOW64\raserver.exe"
2⤵
PID:452

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\SysWOW64\msiexec.exe"
2⤵
PID:2608

C:\Windows\SysWOW64\mstsc.exe
"C:\Windows\SysWOW64\mstsc.exe"
2⤵
PID:4640

C:\Windows\SysWOW64\NETSTAT.EXE
"C:\Windows\SysWOW64\NETSTAT.EXE"
2⤵
- Gathers network information
PID:3080

C:\Windows\SysWOW64\mstsc.exe
"C:\Windows\SysWOW64\mstsc.exe"
2⤵
PID:1140

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe"
2⤵
PID:1964

C:\Windows\SysWOW64\control.exe
"C:\Windows\SysWOW64\control.exe"
2⤵
PID:3424

C:\Windows\SysWOW64\control.exe
"C:\Windows\SysWOW64\control.exe"
2⤵
PID:4824

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\SysWOW64\explorer.exe"
2⤵
PID:2812

C:\Windows\SysWOW64\wscript.exe
"C:\Windows\SysWOW64\wscript.exe"
2⤵
PID:1572

C:\Windows\SysWOW64\cmmon32.exe
"C:\Windows\SysWOW64\cmmon32.exe"
2⤵
PID:3428

C:\Windows\SysWOW64\WWAHost.exe
"C:\Windows\SysWOW64\WWAHost.exe"
2⤵
PID:3396

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\SysWOW64\svchost.exe"
2⤵
PID:2548

C:\Windows\SysWOW64\colorcpl.exe
"C:\Windows\SysWOW64\colorcpl.exe"
2⤵
PID:3640

C:\Windows\SysWOW64\help.exe
"C:\Windows\SysWOW64\help.exe"
2⤵
PID:4436

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\SysWOW64\explorer.exe"
2⤵
PID:2516

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\SysWOW64\explorer.exe"
2⤵
PID:5108

C:\Windows\SysWOW64\cmstp.exe
"C:\Windows\SysWOW64\cmstp.exe"
2⤵
PID:908

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:3888

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:3536

C:\Windows\SysWOW64\systray.exe
"C:\Windows\SysWOW64\systray.exe"
2⤵
PID:1100

C:\Windows\SysWOW64\help.exe
"C:\Windows\SysWOW64\help.exe"
2⤵
PID:840

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\SysWOW64\netsh.exe"
2⤵
PID:4168

C:\Windows\SysWOW64\cmstp.exe
"C:\Windows\SysWOW64\cmstp.exe"
2⤵
PID:5032

C:\Windows\SysWOW64\help.exe
"C:\Windows\SysWOW64\help.exe"
2⤵
PID:3460

C:\Windows\SysWOW64\cmmon32.exe
"C:\Windows\SysWOW64\cmmon32.exe"
2⤵
PID:1144

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\SysWOW64\msiexec.exe"
2⤵
PID:4068

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\SysWOW64\msiexec.exe"
2⤵
PID:5056

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:4892

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\SysWOW64\netsh.exe"
2⤵
PID:5116

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\SysWOW64\explorer.exe"
2⤵
PID:2656

C:\Windows\SysWOW64\mstsc.exe
"C:\Windows\SysWOW64\mstsc.exe"
2⤵
PID:2324

C:\Windows\SysWOW64\cscript.exe
"C:\Windows\SysWOW64\cscript.exe"
2⤵
PID:3568

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe"
2⤵
PID:3320

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe"
2⤵
PID:3016

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe"
2⤵
PID:3948

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe"
2⤵
PID:3748

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe"
2⤵
PID:1652

C:\Windows\SysWOW64\cmstp.exe
"C:\Windows\SysWOW64\cmstp.exe"
2⤵
PID:4772

C:\Windows\SysWOW64\cscript.exe
"C:\Windows\SysWOW64\cscript.exe"
2⤵
PID:2560

C:\Windows\SysWOW64\cscript.exe
"C:\Windows\SysWOW64\cscript.exe"
2⤵
PID:4012

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\SysWOW64\msiexec.exe"
2⤵
PID:1540

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\SysWOW64\msiexec.exe"
2⤵
PID:1264

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\SysWOW64\msiexec.exe"
2⤵
PID:2696

C:\Windows\SysWOW64\cscript.exe
"C:\Windows\SysWOW64\cscript.exe"
2⤵
PID:1700

C:\Windows\SysWOW64\cscript.exe
"C:\Windows\SysWOW64\cscript.exe"
2⤵
PID:1320

C:\Windows\SysWOW64\cmstp.exe
"C:\Windows\SysWOW64\cmstp.exe"
2⤵
PID:3644

C:\Windows\SysWOW64\cmstp.exe
"C:\Windows\SysWOW64\cmstp.exe"
2⤵
PID:4460

C:\Windows\SysWOW64\cscript.exe
"C:\Windows\SysWOW64\cscript.exe"
2⤵
PID:1684

C:\Windows\SysWOW64\cscript.exe
"C:\Windows\SysWOW64\cscript.exe"
2⤵
PID:3908

C:\Windows\SysWOW64\cscript.exe
"C:\Windows\SysWOW64\cscript.exe"
2⤵
PID:4996

C:\Windows\SysWOW64\raserver.exe
"C:\Windows\SysWOW64\raserver.exe"
2⤵
PID:2808

C:\Windows\SysWOW64\raserver.exe
"C:\Windows\SysWOW64\raserver.exe"
2⤵
PID:4836

C:\Windows\SysWOW64\raserver.exe
"C:\Windows\SysWOW64\raserver.exe"
2⤵
PID:4148

C:\Windows\SysWOW64\raserver.exe
"C:\Windows\SysWOW64\raserver.exe"
2⤵
PID:2024

C:\Windows\SysWOW64\WWAHost.exe
"C:\Windows\SysWOW64\WWAHost.exe"
2⤵
PID:4732

C:\Windows\SysWOW64\WWAHost.exe
"C:\Windows\SysWOW64\WWAHost.exe"
2⤵
PID:3432

C:\Windows\SysWOW64\WWAHost.exe
"C:\Windows\SysWOW64\WWAHost.exe"
2⤵
PID:4456

C:\Windows\SysWOW64\WWAHost.exe
"C:\Windows\SysWOW64\WWAHost.exe"
2⤵
PID:652

C:\Windows\SysWOW64\WWAHost.exe
"C:\Windows\SysWOW64\WWAHost.exe"
2⤵
PID:3448

C:\Windows\SysWOW64\WWAHost.exe
"C:\Windows\SysWOW64\WWAHost.exe"
2⤵
PID:1600

C:\Windows\SysWOW64\cmstp.exe
"C:\Windows\SysWOW64\cmstp.exe"
2⤵
PID:4224

C:\Windows\SysWOW64\mstsc.exe
"C:\Windows\SysWOW64\mstsc.exe"
2⤵
PID:3024

C:\Windows\SysWOW64\mstsc.exe
"C:\Windows\SysWOW64\mstsc.exe"
2⤵
PID:1596

C:\Windows\SysWOW64\mstsc.exe
"C:\Windows\SysWOW64\mstsc.exe"
2⤵
PID:3416

C:\Windows\SysWOW64\mstsc.exe
"C:\Windows\SysWOW64\mstsc.exe"
2⤵
PID:1500

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:1256

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\SysWOW64\svchost.exe"
2⤵
PID:2028

C:\Windows\SysWOW64\cmmon32.exe
"C:\Windows\SysWOW64\cmmon32.exe"
2⤵
PID:2844

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\SysWOW64\explorer.exe"
2⤵
PID:5344

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:5540

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:5548

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:5560

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:5568

C:\Windows\SysWOW64\wscript.exe
"C:\Windows\SysWOW64\wscript.exe"
2⤵
PID:5612

C:\Windows\SysWOW64\wlanext.exe
"C:\Windows\SysWOW64\wlanext.exe"
2⤵
PID:5724

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\SysWOW64\explorer.exe"
2⤵
PID:5780

C:\Windows\SysWOW64\wlanext.exe
"C:\Windows\SysWOW64\wlanext.exe"
2⤵
PID:6024

C:\Windows\SysWOW64\wlanext.exe
"C:\Windows\SysWOW64\wlanext.exe"
2⤵
PID:6016

C:\Windows\SysWOW64\systray.exe
"C:\Windows\SysWOW64\systray.exe"
2⤵
PID:3916

C:\Windows\SysWOW64\colorcpl.exe
"C:\Windows\SysWOW64\colorcpl.exe"
2⤵
PID:3472

C:\Windows\SysWOW64\cmstp.exe
"C:\Windows\SysWOW64\cmstp.exe"
2⤵
PID:5152

C:\Windows\SysWOW64\colorcpl.exe
"C:\Windows\SysWOW64\colorcpl.exe"
2⤵
PID:4256

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HJdyTuap.exe
Filesize
280KB

MD5
68e007ea8531cb464fd73f2e176dacfd

SHA1
a142d189e8f0bb45913fd1f7e17262a7d251c661

SHA256
6439b96e92b8836d32905f3ab41b3684d7f972f2e455d48d88dce702f3b4c2a9

SHA512
3f412125b25c14985c91011d8673b30cd371b5f56db84bc73ca1b5e053f42739c1e4725788d15e5000d7bf1a4f8abdc59d896bd87d7e62978a9e50fe2fa0052e

Download Submit
memory/64-242-0x0000000000000000-mapping.dmp

Download
memory/216-162-0x0000000000000000-mapping.dmp

Download
memory/544-238-0x0000000000000000-mapping.dmp

Download
memory/756-227-0x0000000002F30000-0x0000000002F44000-memory.dmp

Filesize
80KB

Download
memory/756-161-0x0000000002EF0000-0x0000000002F04000-memory.dmp

Filesize
80KB

Download
memory/756-156-0x0000000002FF0000-0x000000000333A000-memory.dmp

Filesize
3.3MB

Download
memory/756-145-0x0000000000000000-mapping.dmp

Download
memory/820-318-0x0000000000000000-mapping.dmp

Download
memory/976-224-0x0000000003140000-0x000000000348A000-memory.dmp

Filesize
3.3MB

Download
memory/976-216-0x0000000000000000-mapping.dmp

Download
memory/976-223-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/976-221-0x00000000014C0000-0x00000000014D4000-memory.dmp

Filesize
80KB

Download
memory/1124-203-0x0000000008AC0000-0x0000000008BEC000-memory.dmp

Filesize
1.2MB

Download
memory/1124-163-0x0000000007FE0000-0x0000000008129000-memory.dmp

Filesize
1.3MB

Download
memory/1124-138-0x0000000007EC0000-0x0000000007FDD000-memory.dmp

Filesize
1.1MB

Download
memory/1124-185-0x0000000008760000-0x00000000088B4000-memory.dmp

Filesize
1.3MB

Download
memory/1124-201-0x00000000088C0000-0x0000000008A32000-memory.dmp

Filesize
1.4MB

Download
memory/1124-149-0x00000000085B0000-0x0000000008754000-memory.dmp

Filesize
1.6MB

Download
memory/1124-160-0x0000000002B80000-0x0000000002C4E000-memory.dmp

Filesize
824KB

Download
memory/1124-178-0x0000000008470000-0x0000000008570000-memory.dmp

Filesize
1024KB

Download
memory/1124-152-0x0000000002A00000-0x0000000002AF6000-memory.dmp

Filesize
984KB

Download
memory/1220-319-0x0000000000000000-mapping.dmp

Download
memory/1300-147-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1300-143-0x0000000000000000-mapping.dmp

Download
memory/1300-151-0x0000000003150000-0x0000000003164000-memory.dmp

Filesize
80KB

Download
memory/1300-150-0x0000000003190000-0x00000000034DA000-memory.dmp

Filesize
3.3MB

Download
memory/1336-182-0x0000000002F70000-0x00000000032BA000-memory.dmp

Filesize
3.3MB

Download
memory/1336-180-0x0000000001060000-0x000000000108D000-memory.dmp

Filesize
180KB

Download
memory/1336-179-0x0000000000720000-0x0000000000736000-memory.dmp

Filesize
88KB

Download
memory/1336-171-0x0000000000000000-mapping.dmp

Download
memory/1468-144-0x0000000000000000-mapping.dmp

Download
memory/1492-199-0x0000000000000000-mapping.dmp

Download
memory/1492-205-0x0000000002230000-0x000000000257A000-memory.dmp

Filesize
3.3MB

Download
memory/1492-211-0x00000000020C0000-0x00000000020D4000-memory.dmp

Filesize
80KB

Download
memory/1536-262-0x0000000000000000-mapping.dmp

Download
memory/1576-297-0x0000000000000000-mapping.dmp

Download
memory/1584-264-0x0000000000000000-mapping.dmp

Download
memory/1588-233-0x0000000000000000-mapping.dmp

Download
memory/1772-214-0x0000000002640000-0x000000000298A000-memory.dmp

Filesize
3.3MB

Download
memory/1772-208-0x0000000000000000-mapping.dmp

Download
memory/1772-212-0x0000000002620000-0x0000000002634000-memory.dmp

Filesize
80KB

Download
memory/1772-213-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1824-172-0x0000000002D20000-0x000000000306A000-memory.dmp

Filesize
3.3MB

Download
memory/1824-176-0x00000000011C0000-0x00000000011D4000-memory.dmp

Filesize
80KB

Download
memory/1824-165-0x0000000000000000-mapping.dmp

Download
memory/1872-230-0x0000000000000000-mapping.dmp

Download
memory/1908-331-0x0000000000000000-mapping.dmp

Download
memory/1960-313-0x0000000000000000-mapping.dmp

Download
memory/1976-267-0x0000000000000000-mapping.dmp

Download
memory/2004-153-0x0000000000000000-mapping.dmp

Download
memory/2044-309-0x0000000000000000-mapping.dmp

Download
memory/2080-289-0x0000000000000000-mapping.dmp

Download
memory/2096-321-0x0000000000000000-mapping.dmp

Download
memory/2164-228-0x0000000000000000-mapping.dmp

Download
memory/2200-206-0x0000000002AE0000-0x0000000002E2A000-memory.dmp

Filesize
3.3MB

Download
memory/2200-197-0x0000000000000000-mapping.dmp

Download
memory/2200-202-0x0000000002E50000-0x0000000002E64000-memory.dmp

Filesize
80KB

Download
memory/2200-204-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2224-131-0x0000000004BE0000-0x0000000004BE3000-memory.dmp

Filesize
12KB

Download
memory/2224-134-0x00000000051F0000-0x00000000051F3000-memory.dmp

Filesize
12KB

Download
memory/2224-130-0x0000000000280000-0x00000000002CC000-memory.dmp

Filesize
304KB

Download
memory/2412-320-0x0000000000000000-mapping.dmp

Download
memory/2520-249-0x0000000000000000-mapping.dmp

Download
memory/2624-332-0x0000000000000000-mapping.dmp

Download
memory/2900-251-0x0000000000000000-mapping.dmp

Download
memory/3048-266-0x0000000000000000-mapping.dmp

Download
memory/3068-170-0x0000000000000000-mapping.dmp

Download
memory/3148-308-0x0000000000000000-mapping.dmp

Download
memory/3212-209-0x0000000000000000-mapping.dmp

Download
memory/3324-164-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/3324-158-0x0000000002880000-0x0000000002894000-memory.dmp

Filesize
80KB

Download
memory/3324-168-0x0000000002A10000-0x0000000002D5A000-memory.dmp

Filesize
3.3MB

Download
memory/3324-155-0x0000000000000000-mapping.dmp

Download
memory/3352-219-0x00000000027D0000-0x0000000002B1A000-memory.dmp

Filesize
3.3MB

Download
memory/3352-220-0x0000000000C40000-0x0000000000C54000-memory.dmp

Filesize
80KB

Download
memory/3352-210-0x0000000000000000-mapping.dmp

Download
memory/3532-215-0x0000000000000000-mapping.dmp

Download
memory/3632-183-0x0000000002F70000-0x00000000032BA000-memory.dmp

Filesize
3.3MB

Download
memory/3632-175-0x0000000000000000-mapping.dmp

Download
memory/3632-184-0x0000000002E80000-0x0000000002E94000-memory.dmp

Filesize
80KB

Download
memory/3912-229-0x0000000000000000-mapping.dmp

Download
memory/3944-218-0x0000000000000000-mapping.dmp

Download
memory/3944-226-0x0000000001550000-0x0000000001564000-memory.dmp

Filesize
80KB

Download
memory/3944-222-0x0000000003170000-0x00000000034BA000-memory.dmp

Filesize
3.3MB

Download
memory/3956-298-0x0000000000000000-mapping.dmp

Download
memory/3980-196-0x0000000000000000-mapping.dmp

Download
memory/4016-186-0x0000000000000000-mapping.dmp

Download
memory/4016-189-0x0000000001620000-0x000000000163E000-memory.dmp

Filesize
120KB

Download
memory/4016-190-0x0000000000F70000-0x0000000000F9D000-memory.dmp

Filesize
180KB

Download
memory/4016-193-0x0000000001BF0000-0x0000000001F3A000-memory.dmp

Filesize
3.3MB

Download
memory/4140-265-0x0000000000000000-mapping.dmp

Download
memory/4160-286-0x0000000000000000-mapping.dmp

Download
memory/4180-166-0x00000000003F0000-0x0000000000823000-memory.dmp

Filesize
4.2MB

Download
memory/4180-154-0x0000000000000000-mapping.dmp

Download
memory/4180-225-0x0000000002990000-0x0000000002AB0000-memory.dmp

Filesize
1.1MB

Download
memory/4180-167-0x0000000000930000-0x000000000095D000-memory.dmp

Filesize
180KB

Download
memory/4180-157-0x0000000002B60000-0x0000000002EAA000-memory.dmp

Filesize
3.3MB

Download
memory/4236-133-0x0000000000000000-mapping.dmp

Download
memory/4272-207-0x0000000000000000-mapping.dmp

Download
memory/4284-287-0x0000000000000000-mapping.dmp

Download
memory/4364-141-0x0000000000000000-mapping.dmp

Download
memory/4392-310-0x0000000000000000-mapping.dmp

Download
memory/4444-217-0x0000000000000000-mapping.dmp

Download
memory/4452-195-0x0000000001210000-0x000000000155A000-memory.dmp

Filesize
3.3MB

Download
memory/4452-192-0x0000000000A90000-0x0000000000ABD000-memory.dmp

Filesize
180KB

Download
memory/4452-187-0x0000000000000000-mapping.dmp

Download
memory/4452-191-0x0000000000BA0000-0x0000000000BAA000-memory.dmp

Filesize
40KB

Download
memory/4472-200-0x0000000001370000-0x0000000001384000-memory.dmp

Filesize
80KB

Download
memory/4472-188-0x0000000000000000-mapping.dmp

Download
memory/4472-194-0x0000000003130000-0x000000000347A000-memory.dmp

Filesize
3.3MB

Download
memory/4540-243-0x0000000000000000-mapping.dmp

Download
memory/4548-198-0x0000000000000000-mapping.dmp

Download
memory/4612-330-0x0000000000000000-mapping.dmp

Download
memory/4688-132-0x0000000000000000-mapping.dmp

Download
memory/4688-136-0x0000000002B60000-0x0000000002EAA000-memory.dmp

Filesize
3.3MB

Download
memory/4688-137-0x0000000000D90000-0x0000000000DA4000-memory.dmp

Filesize
80KB

Download
memory/4688-135-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4692-181-0x0000000000000000-mapping.dmp

Download
memory/4780-159-0x0000000000000000-mapping.dmp

Download
memory/4792-295-0x0000000000000000-mapping.dmp

Download
memory/4864-140-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4864-148-0x0000000000F30000-0x0000000000F44000-memory.dmp

Filesize
80KB

Download
memory/4864-146-0x0000000002C00000-0x0000000002F4A000-memory.dmp

Filesize
3.3MB

Download
memory/4864-139-0x0000000000000000-mapping.dmp

Download
memory/5084-174-0x00000000011C0000-0x00000000011ED000-memory.dmp

Filesize
180KB

Download
memory/5084-173-0x0000000000570000-0x0000000000597000-memory.dmp

Filesize
156KB

Download
memory/5084-177-0x00000000032C0000-0x000000000360A000-memory.dmp

Filesize
3.3MB

Download
memory/5084-169-0x0000000000000000-mapping.dmp

Download