hawkeye_reborn | cf7f5d466211532b6f3f011fe0bee7f21ba57daff557d7916e94a3ea03314029

Analysis

max time kernel
154s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-en-20220112
submitted
05-02-2022 09:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

BALANCE PAYMENT OF INV #005788903736282 20200418.exe
Size

798KB
MD5

c718b028581ee91d323ab14a2de31b53
SHA1

8b81e7e97f0d024fefdf8a7a31682c2cba199cf7
SHA256

cc883ff2da665b29da191f3e5ada7da98810684658676f84dc6275d98f52f151
SHA512

2d483b1f0466f05c69db4fb1c69c5bf4607f065fc9e9715f073d114a273bed52b8472ca77de0b4de10d4de2bdae07343050e2ac97dfc08443987ab498210353a

Score

10^/10

hawkeye_reborn m00nd3v_logger collection keylogger spyware stealer trojan

Malware Config

Extracted

Family

hawkeye_reborn

Version

10.1.2.2

Credentials

Protocol: smtp
Host:
mail.bigmanstan.com
Port:
587
Username:
[email protected]
Password:
khalifa@2020

Mutex

c4ceaee6-98e6-414f-92f0-272fe7bd057c

Attributes

fields
map[_AntiDebugger:false _AntiVirusKiller:false _BotKiller:false _ClipboardLogger:true _Delivery:0 _DisableCommandPrompt:false _DisableRegEdit:false _DisableTaskManager:false _Disablers:false _EmailPassword:khalifa@2020 _EmailPort:587 _EmailSSL:false _EmailServer:mail.bigmanstan.com _EmailUsername:[email protected] _ExecutionDelay:10 _FTPPort:0 _FTPSFTP:false _FakeMessageIcon:0 _FakeMessageShow:false _FileBinder:false _HideFile:false _HistoryCleaner:false _Install:false _InstallLocation:0 _InstallStartup:false _InstallStartupPersistance:false _KeyStrokeLogger:false _LogInterval:10 _MeltFile:false _Mutex:c4ceaee6-98e6-414f-92f0-272fe7bd057c _PasswordStealer:true _ProcessElevation:false _ProcessProtection:false _ScreenshotLogger:false _SystemInfo:false _Version:10.1.2.2 _WebCamLogger:false _WebsiteBlocker:false _WebsiteVisitor:false _WebsiteVisitorVisible:false _ZoneID:false]
name
HawkEye Keylogger - RebornX, Version=10.1.2.2, Culture=neutral, PublicKeyToken=null

Signatures

HawkEye Reborn
HawkEye Reborn is an enhanced version of the HawkEye malware kit.
keylogger trojan stealer spyware hawkeye_reborn
M00nd3v_Logger
M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
stealer spyware m00nd3v_logger

M00nD3v Logger Payload 1 IoCs

Detects M00nD3v Logger payload in memory.

Processes:

resource	yara_rule
behavioral2/memory/3168-132-0x0000000000400000-0x0000000000490000-memory.dmp	m00nd3v_logger

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

BALANCE PAYMENT OF INV #005788903736282 20200418.exeBALANCE PAYMENT OF INV #005788903736282 20200418.exeBALANCE PAYMENT OF INV #005788903736282 20200418.exeBALANCE PAYMENT OF INV #005788903736282 20200418.exeBALANCE PAYMENT OF INV #005788903736282 20200418.exeBALANCE PAYMENT OF INV #005788903736282 20200418.exeBALANCE PAYMENT OF INV #005788903736282 20200418.exeBALANCE PAYMENT OF INV #005788903736282 20200418.exeBALANCE PAYMENT OF INV #005788903736282 20200418.exeBALANCE PAYMENT OF INV #005788903736282 20200418.exeBALANCE PAYMENT OF INV #005788903736282 20200418.exeBALANCE PAYMENT OF INV #005788903736282 20200418.exeBALANCE PAYMENT OF INV #005788903736282 20200418.exeBALANCE PAYMENT OF INV #005788903736282 20200418.exeBALANCE PAYMENT OF INV #005788903736282 20200418.exeBALANCE PAYMENT OF INV #005788903736282 20200418.exeBALANCE PAYMENT OF INV #005788903736282 20200418.exeBALANCE PAYMENT OF INV #005788903736282 20200418.exeBALANCE PAYMENT OF INV #005788903736282 20200418.exeBALANCE PAYMENT OF INV #005788903736282 20200418.exeBALANCE PAYMENT OF INV #005788903736282 20200418.exeBALANCE PAYMENT OF INV #005788903736282 20200418.exeBALANCE PAYMENT OF INV #005788903736282 20200418.exeBALANCE PAYMENT OF INV #005788903736282 20200418.exeBALANCE PAYMENT OF INV #005788903736282 20200418.exeBALANCE PAYMENT OF INV #005788903736282 20200418.exeBALANCE PAYMENT OF INV #005788903736282 20200418.exeBALANCE PAYMENT OF INV #005788903736282 20200418.exeBALANCE PAYMENT OF INV #005788903736282 20200418.exeBALANCE PAYMENT OF INV #005788903736282 20200418.exeBALANCE PAYMENT OF INV #005788903736282 20200418.exeBALANCE PAYMENT OF INV #005788903736282 20200418.exeBALANCE PAYMENT OF INV #005788903736282 20200418.exeBALANCE PAYMENT OF INV #005788903736282 20200418.exeBALANCE PAYMENT OF INV #005788903736282 20200418.exeBALANCE PAYMENT OF INV #005788903736282 20200418.exeBALANCE PAYMENT OF INV #005788903736282 20200418.exeBALANCE PAYMENT OF INV #005788903736282 20200418.exeBALANCE PAYMENT OF INV #005788903736282 20200418.exeBALANCE PAYMENT OF INV #005788903736282 20200418.exeBALANCE PAYMENT OF INV #005788903736282 20200418.exeBALANCE PAYMENT OF INV #005788903736282 20200418.exeBALANCE PAYMENT OF INV #005788903736282 20200418.exeBALANCE PAYMENT OF INV #005788903736282 20200418.exeBALANCE PAYMENT OF INV #005788903736282 20200418.exeBALANCE PAYMENT OF INV #005788903736282 20200418.exeBALANCE PAYMENT OF INV #005788903736282 20200418.exeBALANCE PAYMENT OF INV #005788903736282 20200418.exeBALANCE PAYMENT OF INV #005788903736282 20200418.exeBALANCE PAYMENT OF INV #005788903736282 20200418.exeBALANCE PAYMENT OF INV #005788903736282 20200418.exeBALANCE PAYMENT OF INV #005788903736282 20200418.exeBALANCE PAYMENT OF INV #005788903736282 20200418.exeBALANCE PAYMENT OF INV #005788903736282 20200418.exeBALANCE PAYMENT OF INV #005788903736282 20200418.exeBALANCE PAYMENT OF INV #005788903736282 20200418.exeBALANCE PAYMENT OF INV #005788903736282 20200418.exeBALANCE PAYMENT OF INV #005788903736282 20200418.exeBALANCE PAYMENT OF INV #005788903736282 20200418.exeBALANCE PAYMENT OF INV #005788903736282 20200418.exeBALANCE PAYMENT OF INV #005788903736282 20200418.exeBALANCE PAYMENT OF INV #005788903736282 20200418.exeBALANCE PAYMENT OF INV #005788903736282 20200418.exeBALANCE PAYMENT OF INV #005788903736282 20200418.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	BALANCE PAYMENT OF INV #005788903736282 20200418.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 64 IoCs

collection

Email Collection

T1114

Processes:

RegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe

Looks up external IP address via web service 19 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
38	bot.whatismyipaddress.com
55	bot.whatismyipaddress.com
60	bot.whatismyipaddress.com
52	bot.whatismyipaddress.com
53	bot.whatismyipaddress.com
58	bot.whatismyipaddress.com
35	bot.whatismyipaddress.com
41	bot.whatismyipaddress.com
43	bot.whatismyipaddress.com
46	bot.whatismyipaddress.com
51	bot.whatismyipaddress.com
42	bot.whatismyipaddress.com
47	bot.whatismyipaddress.com
48	bot.whatismyipaddress.com
50	bot.whatismyipaddress.com
59	bot.whatismyipaddress.com
54	bot.whatismyipaddress.com
56	bot.whatismyipaddress.com
57	bot.whatismyipaddress.com

Suspicious use of SetThreadContext 64 IoCs

Processes:

description	pid	process	target process
PID 1692 set thread context of 3168	1692	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	RegAsm.exe
PID 2968 set thread context of 3308	2968	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	RegAsm.exe
PID 1132 set thread context of 1776	1132	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	RegAsm.exe
PID 3796 set thread context of 964	3796	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	RegAsm.exe
PID 3916 set thread context of 3960	3916	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	RegAsm.exe
PID 1740 set thread context of 560	1740	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	RegAsm.exe
PID 3000 set thread context of 3180	3000	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	RegAsm.exe
PID 2920 set thread context of 1352	2920	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	RegAsm.exe
PID 3428 set thread context of 2124	3428	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	RegAsm.exe
PID 4000 set thread context of 3408	4000	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	RegAsm.exe
PID 2212 set thread context of 1120	2212	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	RegAsm.exe
PID 4028 set thread context of 3756	4028	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	RegAsm.exe
PID 4172 set thread context of 4220	4172	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	RegAsm.exe
PID 4372 set thread context of 4412	4372	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	RegAsm.exe
PID 4536 set thread context of 4644	4536	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	RegAsm.exe
PID 4776 set thread context of 4856	4776	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	RegAsm.exe
PID 5000 set thread context of 5104	5000	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	RegAsm.exe
PID 3376 set thread context of 3884	3376	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	RegAsm.exe
PID 2996 set thread context of 3360	2996	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	RegAsm.exe
PID 4464 set thread context of 5092	4464	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	RegAsm.exe
PID 4952 set thread context of 1732	4952	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	RegAsm.exe
PID 4480 set thread context of 2100	4480	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	RegAsm.exe
PID 4448 set thread context of 4164	4448	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	RegAsm.exe
PID 4544 set thread context of 3996	4544	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	RegAsm.exe
PID 4864 set thread context of 4784	4864	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	RegAsm.exe
PID 3988 set thread context of 4132	3988	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	RegAsm.exe
PID 5228 set thread context of 5324	5228	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	RegAsm.exe
PID 5460 set thread context of 5556	5460	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	RegAsm.exe
PID 5688 set thread context of 5764	5688	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	RegAsm.exe
PID 5900 set thread context of 5980	5900	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	RegAsm.exe
PID 6116 set thread context of 4920	6116	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	RegAsm.exe
PID 3676 set thread context of 4372	3676	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	RegAsm.exe
PID 5316 set thread context of 5732	5316	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	RegAsm.exe
PID 5884 set thread context of 5644	5884	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	RegAsm.exe
PID 5860 set thread context of 5804	5860	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	RegAsm.exe
PID 6032 set thread context of 5336	6032	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	RegAsm.exe
PID 5184 set thread context of 3676	5184	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	RegAsm.exe
PID 6024 set thread context of 1448	6024	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	RegAsm.exe
PID 5836 set thread context of 6052	5836	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	RegAsm.exe
PID 6120 set thread context of 6116	6120	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	RegAsm.exe
PID 5180 set thread context of 3396	5180	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	RegAsm.exe
PID 2880 set thread context of 3472	2880	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	RegAsm.exe
PID 3268 set thread context of 4532	3268	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	RegAsm.exe
PID 996 set thread context of 2532	996	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	RegAsm.exe
PID 6236 set thread context of 6304	6236	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	RegAsm.exe
PID 6452 set thread context of 6508	6452	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	RegAsm.exe
PID 6644 set thread context of 6716	6644	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	RegAsm.exe
PID 6844 set thread context of 6932	6844	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	RegAsm.exe
PID 7076 set thread context of 3380	7076	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	RegAsm.exe
PID 4632 set thread context of 5460	4632	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	RegAsm.exe
PID 6276 set thread context of 2064	6276	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	RegAsm.exe
PID 6820 set thread context of 6632	6820	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	RegAsm.exe
PID 6208 set thread context of 6828	6208	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	RegAsm.exe
PID 7068 set thread context of 7160	7068	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	RegAsm.exe
PID 6200 set thread context of 6640	6200	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	RegAsm.exe
PID 1244 set thread context of 6360	1244	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	RegAsm.exe
PID 2544 set thread context of 6816	2544	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	RegAsm.exe
PID 1328 set thread context of 6656	1328	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	RegAsm.exe
PID 6944 set thread context of 4604	6944	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	RegAsm.exe
PID 4556 set thread context of 6624	4556	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	RegAsm.exe
PID 5552 set thread context of 6524	5552	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	RegAsm.exe
PID 4200 set thread context of 1944	4200	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	RegAsm.exe
PID 5156 set thread context of 6432	5156	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	RegAsm.exe
PID 544 set thread context of 7156	544	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	RegAsm.exe

Drops file in Windows directory 1 IoCs

Processes:

svchost.exe

description	ioc	process
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

MusNotifyIcon.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	MusNotifyIcon.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	MusNotifyIcon.exe

Modifies data under HKEY_USERS 47 IoCs

Processes:

svchost.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyLanBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLanBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CDNConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkUsageBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadPendingCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyInternetBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyGroupBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkCnt = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "1"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "3.787829"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\Geo_EndpointFullUri = "https://geo.prod.do.dsp.mp.microsoft.com/geo"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\GroupConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PeerInfoCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCdnBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkBps = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\GeoVersion_EndpointFullUri = "https://geover.prod.do.dsp.mp.microsoft.com/geoversion"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CacheSizeBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4044"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "0.000000"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LANConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkUsageBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\FrDownloadRatePct = "90"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthlyUploadRestriction = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadRatePct = "100"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DODownloadMode = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyInternetBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrCnt = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\InternetConnectionCount = "0"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLinkLocalBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCacheHostBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthID = "2"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Settings	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DownloadMode_BackCompat = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "3884"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\KVFileExpirationTime = "132887045933876912"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LinkLocalConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\BkDownloadRatePct = "45"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadPendingCount = "0"	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

BALANCE PAYMENT OF INV #005788903736282 20200418.exe

pid	process
1692	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
1692	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
1692	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
1692	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
1692	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
1692	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
1692	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
1692	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
1692	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
1692	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
1692	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
1692	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
1692	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
1692	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
1692	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
1692	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
1692	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
1692	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
1692	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
1692	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
1692	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
1692	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
1692	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
1692	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
1692	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
1692	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
1692	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
1692	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
1692	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
1692	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
1692	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
1692	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
1692	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
1692	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
1692	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
1692	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
1692	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
1692	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
1692	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
1692	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
1692	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
1692	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
1692	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
1692	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
1692	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
1692	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
1692	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
1692	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
1692	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
1692	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
1692	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
1692	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
1692	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
1692	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
1692	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
1692	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
1692	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
1692	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
1692	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
1692	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
1692	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
1692	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
1692	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
1692	BALANCE PAYMENT OF INV #005788903736282 20200418.exe

Suspicious behavior: MapViewOfSection 64 IoCs

Processes:

pid	process
1692	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
2968	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
2968	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
1132	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
3796	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
3916	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
3916	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
1740	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
1740	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
3000	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
3000	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
2920	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
3428	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
3428	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
4000	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
2212	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
2212	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
4028	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
4172	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
4172	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
4172	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
4372	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
4536	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
4776	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
5000	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
3376	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
3376	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
2996	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
4464	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
4952	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
4480	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
4448	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
4448	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
4544	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
4864	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
3988	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
3988	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
3988	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
5228	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
5228	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
5460	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
5460	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
5460	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
5460	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
5688	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
5900	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
6116	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
3676	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
5316	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
5884	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
5884	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
5860	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
5860	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
6032	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
5184	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
5184	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
5184	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
5184	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
6024	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
5836	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
6120	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
6120	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
5180	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
2880	BALANCE PAYMENT OF INV #005788903736282 20200418.exe

Suspicious behavior: SetClipboardViewer 64 IoCs

Processes:

pid	process
3180	RegAsm.exe
3960	RegAsm.exe
3408	RegAsm.exe
2124	RegAsm.exe
1120	RegAsm.exe
964	RegAsm.exe
1352	RegAsm.exe
3308	RegAsm.exe
560	RegAsm.exe
1776	RegAsm.exe
3168	RegAsm.exe
4220	RegAsm.exe
4412	RegAsm.exe
4644	RegAsm.exe
4856	RegAsm.exe
5104	RegAsm.exe
3884	RegAsm.exe
3360	RegAsm.exe
5092	RegAsm.exe
1732	RegAsm.exe
2100	RegAsm.exe
4164	RegAsm.exe
4784	RegAsm.exe
4132	RegAsm.exe
5324	RegAsm.exe
5556	RegAsm.exe
5764	RegAsm.exe
5980	RegAsm.exe
4920	RegAsm.exe
4372	RegAsm.exe
5732	RegAsm.exe
5644	RegAsm.exe
5804	RegAsm.exe
5336	RegAsm.exe
3676	RegAsm.exe
1448	RegAsm.exe
6052	RegAsm.exe
6116	RegAsm.exe
3396	RegAsm.exe
3472	RegAsm.exe
4532	RegAsm.exe
2532	RegAsm.exe
6304	RegAsm.exe
6508	RegAsm.exe
6716	RegAsm.exe
6932	RegAsm.exe
3380	RegAsm.exe
5460	RegAsm.exe
2064	RegAsm.exe
6632	RegAsm.exe
6828	RegAsm.exe
7160	RegAsm.exe
6640	RegAsm.exe
6360	RegAsm.exe
6816	RegAsm.exe
6656	RegAsm.exe
4604	RegAsm.exe
6624	RegAsm.exe
6524	RegAsm.exe
1944	RegAsm.exe
6432	RegAsm.exe
7156	RegAsm.exe
7260	RegAsm.exe
7496	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

description	pid	process
Token: SeDebugPrivilege	1692	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
Token: SeDebugPrivilege	2968	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
Token: SeDebugPrivilege	1132	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
Token: SeDebugPrivilege	3796	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
Token: SeDebugPrivilege	3916	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
Token: SeDebugPrivilege	1740	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
Token: SeDebugPrivilege	3000	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
Token: SeDebugPrivilege	2920	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
Token: SeDebugPrivilege	3428	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
Token: SeDebugPrivilege	4000	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
Token: SeDebugPrivilege	2212	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
Token: SeDebugPrivilege	4028	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
Token: SeDebugPrivilege	4172	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
Token: SeDebugPrivilege	4372	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
Token: SeDebugPrivilege	4536	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
Token: SeDebugPrivilege	4776	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
Token: SeDebugPrivilege	5000	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
Token: SeDebugPrivilege	3960	RegAsm.exe
Token: SeDebugPrivilege	3180	RegAsm.exe
Token: SeDebugPrivilege	3308	RegAsm.exe
Token: SeDebugPrivilege	3408	RegAsm.exe
Token: SeDebugPrivilege	560	RegAsm.exe
Token: SeDebugPrivilege	2124	RegAsm.exe
Token: SeDebugPrivilege	964	RegAsm.exe
Token: SeDebugPrivilege	1352	RegAsm.exe
Token: SeDebugPrivilege	3168	RegAsm.exe
Token: SeDebugPrivilege	1776	RegAsm.exe
Token: SeDebugPrivilege	1120	RegAsm.exe
Token: SeDebugPrivilege	3376	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
Token: SeDebugPrivilege	3756	RegAsm.exe
Token: SeDebugPrivilege	2996	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
Token: SeDebugPrivilege	4220	RegAsm.exe
Token: SeDebugPrivilege	4464	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
Token: SeDebugPrivilege	4412	RegAsm.exe
Token: SeDebugPrivilege	4952	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
Token: SeDebugPrivilege	4644	RegAsm.exe
Token: SeDebugPrivilege	4480	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
Token: SeDebugPrivilege	4856	RegAsm.exe
Token: SeDebugPrivilege	4448	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
Token: SeDebugPrivilege	5104	RegAsm.exe
Token: SeDebugPrivilege	4544	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
Token: SeDebugPrivilege	3884	RegAsm.exe
Token: SeDebugPrivilege	4864	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
Token: SeDebugPrivilege	3360	RegAsm.exe
Token: SeDebugPrivilege	3988	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
Token: SeDebugPrivilege	5092	RegAsm.exe
Token: SeDebugPrivilege	5228	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
Token: SeDebugPrivilege	1732	RegAsm.exe
Token: SeDebugPrivilege	5460	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
Token: SeDebugPrivilege	2100	RegAsm.exe
Token: SeDebugPrivilege	5688	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
Token: SeDebugPrivilege	4164	RegAsm.exe
Token: SeDebugPrivilege	5900	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
Token: SeDebugPrivilege	6116	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
Token: SeDebugPrivilege	4784	RegAsm.exe
Token: SeDebugPrivilege	3676	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
Token: SeDebugPrivilege	4132	RegAsm.exe
Token: SeDebugPrivilege	5316	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
Token: SeDebugPrivilege	5324	RegAsm.exe
Token: SeDebugPrivilege	5884	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
Token: SeDebugPrivilege	5556	RegAsm.exe
Token: SeDebugPrivilege	5860	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
Token: SeDebugPrivilege	5764	RegAsm.exe
Token: SeDebugPrivilege	6032	BALANCE PAYMENT OF INV #005788903736282 20200418.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

BALANCE PAYMENT OF INV #005788903736282 20200418.execmd.exeBALANCE PAYMENT OF INV #005788903736282 20200418.execmd.exeBALANCE PAYMENT OF INV #005788903736282 20200418.execmd.exeBALANCE PAYMENT OF INV #005788903736282 20200418.execmd.exeBALANCE PAYMENT OF INV #005788903736282 20200418.exe

description	pid	process	target process
PID 1692 wrote to memory of 3168	1692	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	RegAsm.exe
PID 1692 wrote to memory of 3168	1692	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	RegAsm.exe
PID 1692 wrote to memory of 3168	1692	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	RegAsm.exe
PID 1692 wrote to memory of 3168	1692	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	RegAsm.exe
PID 1692 wrote to memory of 3984	1692	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	cmd.exe
PID 1692 wrote to memory of 3984	1692	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	cmd.exe
PID 1692 wrote to memory of 3984	1692	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	cmd.exe
PID 3984 wrote to memory of 3908	3984	cmd.exe	choice.exe
PID 3984 wrote to memory of 3908	3984	cmd.exe	choice.exe
PID 3984 wrote to memory of 3908	3984	cmd.exe	choice.exe
PID 1692 wrote to memory of 2968	1692	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
PID 1692 wrote to memory of 2968	1692	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
PID 1692 wrote to memory of 2968	1692	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
PID 2968 wrote to memory of 3844	2968	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	RegAsm.exe
PID 2968 wrote to memory of 3844	2968	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	RegAsm.exe
PID 2968 wrote to memory of 3844	2968	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	RegAsm.exe
PID 2968 wrote to memory of 3308	2968	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	RegAsm.exe
PID 2968 wrote to memory of 3308	2968	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	RegAsm.exe
PID 2968 wrote to memory of 3308	2968	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	RegAsm.exe
PID 2968 wrote to memory of 3308	2968	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	RegAsm.exe
PID 2968 wrote to memory of 2260	2968	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	cmd.exe
PID 2968 wrote to memory of 2260	2968	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	cmd.exe
PID 2968 wrote to memory of 2260	2968	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	cmd.exe
PID 2260 wrote to memory of 3180	2260	cmd.exe	choice.exe
PID 2260 wrote to memory of 3180	2260	cmd.exe	choice.exe
PID 2260 wrote to memory of 3180	2260	cmd.exe	choice.exe
PID 2968 wrote to memory of 1132	2968	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
PID 2968 wrote to memory of 1132	2968	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
PID 2968 wrote to memory of 1132	2968	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
PID 1132 wrote to memory of 1776	1132	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	RegAsm.exe
PID 1132 wrote to memory of 1776	1132	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	RegAsm.exe
PID 1132 wrote to memory of 1776	1132	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	RegAsm.exe
PID 1132 wrote to memory of 1776	1132	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	RegAsm.exe
PID 1132 wrote to memory of 2984	1132	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	cmd.exe
PID 1132 wrote to memory of 2984	1132	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	cmd.exe
PID 1132 wrote to memory of 2984	1132	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	cmd.exe
PID 1132 wrote to memory of 3796	1132	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
PID 1132 wrote to memory of 3796	1132	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
PID 1132 wrote to memory of 3796	1132	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
PID 2984 wrote to memory of 3720	2984	cmd.exe	choice.exe
PID 2984 wrote to memory of 3720	2984	cmd.exe	choice.exe
PID 2984 wrote to memory of 3720	2984	cmd.exe	choice.exe
PID 3796 wrote to memory of 964	3796	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	RegAsm.exe
PID 3796 wrote to memory of 964	3796	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	RegAsm.exe
PID 3796 wrote to memory of 964	3796	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	RegAsm.exe
PID 3796 wrote to memory of 964	3796	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	RegAsm.exe
PID 3796 wrote to memory of 3200	3796	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	cmd.exe
PID 3796 wrote to memory of 3200	3796	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	cmd.exe
PID 3796 wrote to memory of 3200	3796	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	cmd.exe
PID 3200 wrote to memory of 2944	3200	cmd.exe	choice.exe
PID 3200 wrote to memory of 2944	3200	cmd.exe	choice.exe
PID 3200 wrote to memory of 2944	3200	cmd.exe	choice.exe
PID 3796 wrote to memory of 3916	3796	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
PID 3796 wrote to memory of 3916	3796	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
PID 3796 wrote to memory of 3916	3796	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
PID 3916 wrote to memory of 3776	3916	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	RegAsm.exe
PID 3916 wrote to memory of 3776	3916	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	RegAsm.exe
PID 3916 wrote to memory of 3776	3916	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	RegAsm.exe
PID 3916 wrote to memory of 3960	3916	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	RegAsm.exe
PID 3916 wrote to memory of 3960	3916	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	RegAsm.exe
PID 3916 wrote to memory of 3960	3916	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	RegAsm.exe
PID 3916 wrote to memory of 3960	3916	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	RegAsm.exe
PID 3916 wrote to memory of 3052	3916	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	cmd.exe
PID 3916 wrote to memory of 3052	3916	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	cmd.exe

outlook_office_path 1 IoCs

Processes:

RegAsm.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe

outlook_win_path 1 IoCs

Processes:

RegAsm.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe
"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1692

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
PID:3168

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:3984

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
3⤵
PID:3908

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe
"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2968

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:3844

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
PID:3308

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:2260

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:3180

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe
"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1132

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
PID:1776

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:2984

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
5⤵
PID:3720

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe
"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
4⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3796

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
5⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
PID:964

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
5⤵
- Suspicious use of WriteProcessMemory
PID:3200

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
6⤵
PID:2944

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe
"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
5⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3916

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
6⤵
PID:3776

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
6⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
PID:3960

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
6⤵
PID:3052

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
7⤵
PID:1732

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe
"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
6⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1740

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
7⤵
PID:556

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
7⤵
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
PID:560

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
7⤵
PID:2708

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
8⤵
PID:2576

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe
"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
7⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3000

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
8⤵
PID:3192

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
8⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
PID:3180

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
8⤵
PID:3896

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
9⤵
PID:1132

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe
"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
8⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2920

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
9⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
PID:1352

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
9⤵
PID:100

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
10⤵
PID:3832

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe
"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
9⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3428

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
10⤵
PID:3448

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
10⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
PID:2124

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
10⤵
PID:3176

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
11⤵
PID:2100

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe
"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
10⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4000

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
11⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
PID:3408

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
11⤵
PID:1016

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
12⤵
PID:3996

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe
"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
11⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2212

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
12⤵
PID:1212

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
12⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
PID:1120

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
12⤵
PID:3012

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
13⤵
PID:3988

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe
"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
12⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4028

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
13⤵
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
PID:3756

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
13⤵
PID:1016

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
14⤵
PID:4148

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe
"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
13⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4172

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
14⤵
PID:4204

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
14⤵
PID:4212

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
14⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
PID:4220

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
14⤵
PID:4276

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
15⤵
PID:4328

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe
"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
14⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4372

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
15⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
PID:4412

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
15⤵
PID:4456

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
16⤵
PID:4544

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe
"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
15⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4536

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
16⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
PID:4644

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
16⤵
PID:4700

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
17⤵
PID:4752

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe
"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
16⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4776

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
17⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
PID:4856

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
17⤵
PID:4920

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
18⤵
PID:4972

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe
"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
17⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:5000

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
18⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
PID:5104

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
18⤵
PID:908

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
19⤵
PID:544

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe
"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
18⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3376

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
19⤵
PID:1804

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
19⤵
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
PID:3884

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
19⤵
PID:3196

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
20⤵
PID:3604

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe
"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
19⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2996

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
20⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
PID:3360

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
20⤵
PID:4436

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
21⤵
PID:4460

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe
"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
20⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4464

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
21⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
PID:5092

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
21⤵
PID:4736

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
22⤵
PID:4692

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe
"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
21⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4952

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
22⤵
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
PID:1732

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
22⤵
PID:4160

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
23⤵
PID:4040

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe
"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
22⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4480

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
23⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
PID:2100

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
23⤵
PID:3176

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
24⤵
PID:4568

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe
"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
23⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4448

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
24⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
PID:4164

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
24⤵
PID:4396

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
24⤵
PID:4692

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
25⤵
PID:4736

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe
"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
24⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4544

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
25⤵
- Accesses Microsoft Outlook profiles
PID:3996

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
25⤵
PID:4160

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
26⤵
PID:484

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe
"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
25⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4864

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
26⤵
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
PID:4784

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
26⤵
PID:3688

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
27⤵
PID:660

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe
"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
26⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3988

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
27⤵
PID:4692

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
27⤵
PID:4700

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
27⤵
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
PID:4132

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
27⤵
PID:5156

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
28⤵
PID:5200

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe
"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
27⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:5228

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
28⤵
PID:5316

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
28⤵
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
PID:5324

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
28⤵
PID:5392

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
29⤵
PID:5436

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe
"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
28⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:5460

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
29⤵
PID:5532

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
29⤵
PID:5540

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
29⤵
PID:5548

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
29⤵
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
PID:5556

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
29⤵
PID:5620

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
30⤵
PID:5664

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe
"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
29⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:5688

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
30⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
PID:5764

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
30⤵
PID:5820

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
31⤵
PID:5872

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe
"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
30⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:5900

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
31⤵
- Suspicious behavior: SetClipboardViewer
PID:5980

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
31⤵
PID:6044

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
32⤵
PID:6088

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe
"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
31⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:6116

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
32⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: SetClipboardViewer
PID:4920

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
32⤵
PID:5220

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
33⤵
PID:5404

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe
"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
32⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3676

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
33⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: SetClipboardViewer
PID:4372

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
33⤵
PID:1108

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
34⤵
PID:5156

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe
"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
33⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:5316

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
34⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: SetClipboardViewer
PID:5732

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
34⤵
PID:5240

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
35⤵
PID:5428

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe
"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
34⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:5884

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
35⤵
PID:5652

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
35⤵
- Suspicious behavior: SetClipboardViewer
PID:5644

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
35⤵
PID:5592

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
36⤵
PID:2120

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe
"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
35⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:5860

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
36⤵
PID:5784

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
36⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: SetClipboardViewer
PID:5804

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
36⤵
PID:6080

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
37⤵
PID:5204

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe
"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
36⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:6032

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
37⤵
- Suspicious behavior: SetClipboardViewer
PID:5336

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
37⤵
PID:4544

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
38⤵
PID:5832

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe
"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
37⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:5184

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
38⤵
PID:3592

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
38⤵
PID:3220

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
38⤵
PID:5508

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
38⤵
- Suspicious behavior: SetClipboardViewer
PID:3676

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
38⤵
PID:5256

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
39⤵
PID:4592

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe
"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
38⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:6024

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
39⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: SetClipboardViewer
PID:1448

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
39⤵
PID:5684

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
40⤵
PID:5180

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe
"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
39⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:5836

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
40⤵
- Suspicious behavior: SetClipboardViewer
PID:6052

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
40⤵
PID:5976

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
41⤵
PID:3220

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe
"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
40⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:6120

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
41⤵
PID:5448

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
41⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: SetClipboardViewer
PID:6116

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
41⤵
PID:5460

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
42⤵
PID:5228

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe
"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
41⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:5180

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
42⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: SetClipboardViewer
PID:3396

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
42⤵
PID:6024

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
43⤵
PID:4604

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe
"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
42⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:2880

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
43⤵
- Suspicious behavior: SetClipboardViewer
PID:3472

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
43⤵
PID:4684

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
44⤵
PID:3384

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe
"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
43⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
PID:3268

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
44⤵
PID:3792

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
44⤵
- Suspicious behavior: SetClipboardViewer
PID:4532

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
44⤵
PID:5156

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
45⤵
PID:1328

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe
"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
44⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
PID:996

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
45⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: SetClipboardViewer
PID:2532

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
45⤵
PID:6152

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
46⤵
PID:6268

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe
"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
45⤵
- Suspicious use of SetThreadContext
PID:6236

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
46⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: SetClipboardViewer
PID:6304

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
46⤵
PID:6360

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
47⤵
PID:6412

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe
"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
46⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
PID:6452

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
47⤵
- Suspicious behavior: SetClipboardViewer
PID:6508

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
47⤵
PID:6564

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
48⤵
PID:6620

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe
"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
47⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
PID:6644

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
48⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: SetClipboardViewer
PID:6716

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
48⤵
PID:6772

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
49⤵
PID:6832

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe
"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
48⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
PID:6844

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
49⤵
PID:6924

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
49⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: SetClipboardViewer
PID:6932

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
49⤵
PID:6988

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
50⤵
PID:7044

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe
"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
49⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
PID:7076

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
50⤵
PID:7148

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
50⤵
PID:7156

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
50⤵
PID:7164

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
50⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: SetClipboardViewer
PID:3380

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
50⤵
PID:5976

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
51⤵
PID:4684

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe
"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
50⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
PID:4632

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
51⤵
PID:5208

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
51⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: SetClipboardViewer
PID:5460

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
51⤵
PID:6432

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
52⤵
PID:5392

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe
"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
51⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
PID:6276

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
52⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: SetClipboardViewer
PID:2064

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
52⤵
PID:6412

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
53⤵
PID:6360

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe
"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
52⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
PID:6820

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
53⤵
PID:392

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
53⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: SetClipboardViewer
PID:6632

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
53⤵
PID:6556

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
54⤵
PID:7064

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe
"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
53⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
PID:6208

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
54⤵
- Suspicious behavior: SetClipboardViewer
PID:6828

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
54⤵
PID:6664

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
55⤵
PID:4384

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe
"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
54⤵
- Suspicious use of SetThreadContext
PID:7068

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
55⤵
PID:7016

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
55⤵
PID:7152

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
55⤵
- Suspicious behavior: SetClipboardViewer
PID:7160

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
55⤵
PID:3320

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
56⤵
PID:6092

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe
"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
55⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
PID:6200

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
56⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: SetClipboardViewer
PID:6640

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
56⤵
PID:5836

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
57⤵
PID:6312

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe
"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
56⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
PID:1244

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
57⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: SetClipboardViewer
PID:6360

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
57⤵
PID:6516

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
58⤵
PID:4556

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe
"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
57⤵
- Suspicious use of SetThreadContext
PID:2544

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
58⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: SetClipboardViewer
PID:6816

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
58⤵
PID:7156

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
59⤵
PID:6024

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe
"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
58⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
PID:1328

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
59⤵
- Suspicious behavior: SetClipboardViewer
PID:6656

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
59⤵
PID:4508

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
60⤵
PID:7060

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe
"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
59⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
PID:6944

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
60⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: SetClipboardViewer
PID:4604

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
60⤵
PID:7096

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
61⤵
PID:3812

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe
"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
60⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
PID:4556

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
61⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: SetClipboardViewer
PID:6624

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
61⤵
PID:2596

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
62⤵
PID:5392

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe
"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
61⤵
- Suspicious use of SetThreadContext
PID:5552

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
62⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: SetClipboardViewer
PID:6524

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
62⤵
PID:1836

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
63⤵
PID:3320

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe
"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
62⤵
- Suspicious use of SetThreadContext
PID:4200

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
63⤵
- Suspicious behavior: SetClipboardViewer
PID:1944

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
63⤵
PID:7096

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
64⤵
PID:3228

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe
"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
63⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
PID:5156

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
64⤵
- Suspicious behavior: SetClipboardViewer
PID:6432

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
64⤵
PID:3564

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
65⤵
PID:7016

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe
"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
64⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
PID:544

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
65⤵
PID:4392

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
65⤵
- Suspicious behavior: SetClipboardViewer
PID:7156

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
65⤵
PID:6348

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
66⤵
PID:7172

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe
"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
65⤵
- Checks computer location settings
PID:7196

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
66⤵
- Suspicious behavior: SetClipboardViewer
PID:7260

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
66⤵
PID:7328

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
67⤵
PID:7372

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe
"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
66⤵
- Checks computer location settings
PID:7404

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
67⤵
PID:7472

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
67⤵
PID:7480

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
67⤵
PID:7488

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
67⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: SetClipboardViewer
PID:7496

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
67⤵
PID:7560

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
68⤵
PID:7604

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe
"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
67⤵
- Checks computer location settings
PID:7628

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
68⤵
- Accesses Microsoft Outlook profiles
PID:7704

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
68⤵
PID:7768

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
69⤵
PID:7812

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe
"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
68⤵
- Checks computer location settings
PID:7836

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
69⤵
PID:7908

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
69⤵
PID:7972

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
70⤵
PID:8024

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe
"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
69⤵
- Checks computer location settings
PID:8048

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
70⤵
PID:8116

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
70⤵
- Accesses Microsoft Outlook profiles
PID:8124

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
70⤵
PID:8188

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
71⤵
PID:4672

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe
"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
70⤵
- Checks computer location settings
PID:7188

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
71⤵
PID:7148

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
71⤵
PID:7392

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
72⤵
PID:7172

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe
"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
71⤵
- Checks computer location settings
PID:6616

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
72⤵
- Accesses Microsoft Outlook profiles
PID:544

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
72⤵
PID:7348

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
73⤵
PID:7780

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe
"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
72⤵
- Checks computer location settings
PID:7484

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
73⤵
PID:7860

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
73⤵
- Accesses Microsoft Outlook profiles
PID:7888

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
73⤵
PID:7828

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
74⤵
PID:8088

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe
"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
73⤵
- Checks computer location settings
PID:7404

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
74⤵
PID:5472

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
74⤵
- outlook_office_path
- outlook_win_path
PID:5976

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
74⤵
PID:8132

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
75⤵
PID:7992

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe
"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
74⤵
- Checks computer location settings
PID:6768

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
75⤵
PID:7944

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
75⤵
PID:776

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
76⤵
PID:2880

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe
"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
75⤵
- Checks computer location settings
PID:8136

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
76⤵
PID:7308

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
76⤵
PID:7400

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
77⤵
PID:7244

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe
"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
76⤵
- Checks computer location settings
PID:3848

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
77⤵
PID:5512

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
77⤵
PID:7780

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
77⤵
PID:5780

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
78⤵
PID:7380

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe
"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
77⤵
- Checks computer location settings
PID:5532

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
78⤵
PID:8088

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
78⤵
PID:5472

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
79⤵
PID:8060

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe
"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
78⤵
- Checks computer location settings
PID:8012

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
79⤵
PID:7848

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
79⤵
PID:7816

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
79⤵
PID:7728

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
79⤵
PID:7788

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
79⤵
PID:5988

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
80⤵
PID:7192

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe
"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
79⤵
PID:7396

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
80⤵
PID:1244

C:\Windows\system32\MusNotifyIcon.exe
%systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
1⤵
- Checks processor information in registry
PID:1408

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:3892

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\288dcd02-fa31-ab9c-6c82-c07995aa8226

MD5
0e94f508a7733660f34dd8bdee3498be

SHA1
3ff9062790b9b2e5db956f1c5f76437db41a4872

SHA256
557b364bfb2cb6e9af4bdb2dc00a8854ae502e2901bd2dd106af7197e0709116

SHA512
0f7ee5f3cffaa91c7588d23e4edc2cfb0605177d3d8ccbfe48f5f46e88ce350d55dc7f594d8acd2984976fa242e337454068585aadbe14dde85b9015ec96bd5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\288dcd02-fa31-ab9c-6c82-c07995aa8226

MD5
0e94f508a7733660f34dd8bdee3498be

SHA1
3ff9062790b9b2e5db956f1c5f76437db41a4872

SHA256
557b364bfb2cb6e9af4bdb2dc00a8854ae502e2901bd2dd106af7197e0709116

SHA512
0f7ee5f3cffaa91c7588d23e4edc2cfb0605177d3d8ccbfe48f5f46e88ce350d55dc7f594d8acd2984976fa242e337454068585aadbe14dde85b9015ec96bd5a

Download Submit
memory/560-140-0x0000000005050000-0x0000000005051000-memory.dmp

Filesize
4KB

Download
memory/964-138-0x00000000055E0000-0x00000000055E1000-memory.dmp

Filesize
4KB

Download
memory/996-193-0x0000000002780000-0x0000000002840000-memory.dmp

Filesize
768KB

Download
memory/1120-151-0x0000000004FF0000-0x0000000004FF1000-memory.dmp

Filesize
4KB

Download
memory/1352-143-0x0000000004EF0000-0x0000000004EF1000-memory.dmp

Filesize
4KB

Download
memory/1448-186-0x0000000004FB0000-0x0000000004FB1000-memory.dmp

Filesize
4KB

Download
memory/1692-130-0x0000000000C90000-0x0000000000D5E000-memory.dmp

Filesize
824KB

Download
memory/1692-131-0x0000000002FA0000-0x0000000003071000-memory.dmp

Filesize
836KB

Download
memory/1732-165-0x0000000005730000-0x0000000005731000-memory.dmp

Filesize
4KB

Download
memory/1776-137-0x0000000005430000-0x0000000005431000-memory.dmp

Filesize
4KB

Download
memory/2100-166-0x0000000002930000-0x0000000002931000-memory.dmp

Filesize
4KB

Download
memory/2124-145-0x0000000004F10000-0x0000000004F11000-memory.dmp

Filesize
4KB

Download
memory/2532-194-0x0000000005060000-0x0000000005061000-memory.dmp

Filesize
4KB

Download
memory/2968-135-0x00000000051F0000-0x00000000051F3000-memory.dmp

Filesize
12KB

Download
memory/2996-160-0x0000000000C50000-0x0000000000C83000-memory.dmp

Filesize
204KB

Download
memory/3168-150-0x0000000005A70000-0x0000000005B02000-memory.dmp

Filesize
584KB

Download
memory/3168-132-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/3168-133-0x00000000059C0000-0x00000000059C1000-memory.dmp

Filesize
4KB

Download
memory/3168-134-0x0000000009F50000-0x0000000009FEC000-memory.dmp

Filesize
624KB

Download
memory/3168-142-0x0000000009FF0000-0x000000000A056000-memory.dmp

Filesize
408KB

Download
memory/3180-141-0x0000000005880000-0x0000000005881000-memory.dmp

Filesize
4KB

Download
memory/3308-149-0x000000000A530000-0x000000000AAD4000-memory.dmp

Filesize
5.6MB

Download
memory/3308-136-0x0000000005130000-0x0000000005131000-memory.dmp

Filesize
4KB

Download
memory/3360-161-0x0000000005570000-0x0000000005571000-memory.dmp

Filesize
4KB

Download
memory/3396-190-0x00000000057B0000-0x00000000057B1000-memory.dmp

Filesize
4KB

Download
memory/3408-148-0x00000000056E0000-0x00000000056E1000-memory.dmp

Filesize
4KB

Download
memory/3428-144-0x00000000014B0000-0x0000000001580000-memory.dmp

Filesize
832KB

Download
memory/3472-191-0x00000000055F0000-0x00000000055F1000-memory.dmp

Filesize
4KB

Download
memory/3676-185-0x0000000005440000-0x0000000005441000-memory.dmp

Filesize
4KB

Download
memory/3756-152-0x00000000051F0000-0x00000000051F1000-memory.dmp

Filesize
4KB

Download
memory/3884-159-0x00000000058F0000-0x00000000058F1000-memory.dmp

Filesize
4KB

Download
memory/3960-139-0x00000000056F0000-0x00000000056F1000-memory.dmp

Filesize
4KB

Download
memory/4132-171-0x0000000005410000-0x0000000005411000-memory.dmp

Filesize
4KB

Download
memory/4164-167-0x00000000055F0000-0x00000000055F1000-memory.dmp

Filesize
4KB

Download
memory/4220-164-0x0000000005C90000-0x0000000005C9A000-memory.dmp

Filesize
40KB

Download
memory/4220-153-0x0000000005270000-0x0000000005271000-memory.dmp

Filesize
4KB

Download
memory/4372-179-0x0000000005190000-0x0000000005191000-memory.dmp

Filesize
4KB

Download
memory/4412-154-0x0000000005000000-0x0000000005001000-memory.dmp

Filesize
4KB

Download
memory/4464-162-0x0000000005590000-0x00000000055C0000-memory.dmp

Filesize
192KB

Download
memory/4532-192-0x00000000057E0000-0x00000000057E1000-memory.dmp

Filesize
4KB

Download
memory/4544-168-0x0000000001140000-0x0000000001171000-memory.dmp

Filesize
196KB

Download
memory/4644-155-0x0000000004FB0000-0x0000000004FB1000-memory.dmp

Filesize
4KB

Download
memory/4784-170-0x0000000005180000-0x0000000005181000-memory.dmp

Filesize
4KB

Download
memory/4856-156-0x0000000005190000-0x0000000005191000-memory.dmp

Filesize
4KB

Download
memory/4864-169-0x0000000000E70000-0x0000000000EA0000-memory.dmp

Filesize
192KB

Download
memory/4920-178-0x0000000005730000-0x0000000005800000-memory.dmp

Filesize
832KB

Download
memory/5000-157-0x00000000031D0000-0x0000000003290000-memory.dmp

Filesize
768KB

Download
memory/5092-163-0x00000000057A0000-0x00000000057A1000-memory.dmp

Filesize
4KB

Download
memory/5104-158-0x0000000005450000-0x0000000005680000-memory.dmp

Filesize
2.2MB

Download
memory/5184-184-0x0000000001650000-0x00000000016A3000-memory.dmp

Filesize
332KB

Download
memory/5228-172-0x0000000002580000-0x0000000002630000-memory.dmp

Filesize
704KB

Download
memory/5324-173-0x00000000052C0000-0x0000000005330000-memory.dmp

Filesize
448KB

Download
memory/5336-183-0x00000000054A0000-0x00000000054A1000-memory.dmp

Filesize
4KB

Download
memory/5556-174-0x00000000054F0000-0x00000000054F1000-memory.dmp

Filesize
4KB

Download
memory/5644-181-0x00000000052F0000-0x00000000052F1000-memory.dmp

Filesize
4KB

Download
memory/5732-180-0x0000000005560000-0x0000000005561000-memory.dmp

Filesize
4KB

Download
memory/5764-175-0x0000000005690000-0x0000000005691000-memory.dmp

Filesize
4KB

Download
memory/5804-182-0x00000000059F0000-0x00000000059F1000-memory.dmp

Filesize
4KB

Download
memory/5836-187-0x0000000001930000-0x00000000019F0000-memory.dmp

Filesize
768KB

Download
memory/5980-176-0x0000000005300000-0x0000000005301000-memory.dmp

Filesize
4KB

Download
memory/6052-188-0x0000000005660000-0x0000000005661000-memory.dmp

Filesize
4KB

Download
memory/6116-177-0x00000000022E0000-0x00000000023C1000-memory.dmp

Filesize
900KB

Download
memory/6116-189-0x0000000005460000-0x00000000054D0000-memory.dmp

Filesize
448KB

Download
memory/6304-195-0x00000000052A0000-0x00000000052A1000-memory.dmp

Filesize
4KB

Download