Malware Analysis Report

2025-01-18 02:40

Sample ID 220205-ltj5daachp
Target cf7f5d466211532b6f3f011fe0bee7f21ba57daff557d7916e94a3ea03314029
SHA256 cf7f5d466211532b6f3f011fe0bee7f21ba57daff557d7916e94a3ea03314029
Tags
hawkeye_reborn m00nd3v_logger collection keylogger spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

cf7f5d466211532b6f3f011fe0bee7f21ba57daff557d7916e94a3ea03314029

Threat Level: Known bad

The file cf7f5d466211532b6f3f011fe0bee7f21ba57daff557d7916e94a3ea03314029 was found to be: Known bad.

Malicious Activity Summary

hawkeye_reborn m00nd3v_logger collection keylogger spyware stealer trojan

M00nd3v_Logger

HawkEye Reborn

M00nD3v Logger Payload

Checks computer location settings

Reads user/profile data of web browsers

Looks up external IP address via web service

Accesses Microsoft Outlook profiles

Suspicious use of SetThreadContext

Drops file in Windows directory

Enumerates physical storage devices

Suspicious behavior: SetClipboardViewer

Suspicious use of WriteProcessMemory

outlook_win_path

Suspicious behavior: EnumeratesProcesses

Modifies data under HKEY_USERS

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

outlook_office_path

Checks processor information in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-02-05 09:49

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-02-05 09:49

Reported

2022-02-05 09:52

Platform

win7-en-20211208

Max time kernel

151s

Max time network

65s

Command Line

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

Signatures

HawkEye Reborn

keylogger trojan stealer spyware hawkeye_reborn

M00nd3v_Logger

stealer spyware m00nd3v_logger

M00nD3v Logger Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A bot.whatismyipaddress.com N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 964 set thread context of 1972 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 572 set thread context of 568 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1044 set thread context of 1336 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 896 set thread context of 1644 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1784 set thread context of 1792 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 772 set thread context of 388 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1104 set thread context of 476 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 652 set thread context of 1048 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1800 set thread context of 1456 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 288 set thread context of 1064 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1072 set thread context of 1984 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1708 set thread context of 2140 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2260 set thread context of 2348 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 964 wrote to memory of 2000 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 964 wrote to memory of 2000 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 964 wrote to memory of 2000 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 964 wrote to memory of 2000 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 964 wrote to memory of 2000 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 964 wrote to memory of 2000 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 964 wrote to memory of 2000 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 964 wrote to memory of 1972 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 964 wrote to memory of 1972 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 964 wrote to memory of 1972 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 964 wrote to memory of 1972 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 964 wrote to memory of 1972 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 964 wrote to memory of 1972 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 964 wrote to memory of 1972 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 964 wrote to memory of 1972 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 964 wrote to memory of 1900 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\SysWOW64\cmd.exe
PID 964 wrote to memory of 1900 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\SysWOW64\cmd.exe
PID 964 wrote to memory of 1900 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\SysWOW64\cmd.exe
PID 964 wrote to memory of 1900 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\SysWOW64\cmd.exe
PID 1900 wrote to memory of 1100 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\choice.exe
PID 1900 wrote to memory of 1100 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\choice.exe
PID 1900 wrote to memory of 1100 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\choice.exe
PID 1900 wrote to memory of 1100 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\choice.exe
PID 964 wrote to memory of 572 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe
PID 964 wrote to memory of 572 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe
PID 964 wrote to memory of 572 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe
PID 964 wrote to memory of 572 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe
PID 572 wrote to memory of 568 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 572 wrote to memory of 568 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 572 wrote to memory of 568 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 572 wrote to memory of 568 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 572 wrote to memory of 568 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 572 wrote to memory of 568 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 572 wrote to memory of 568 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 572 wrote to memory of 568 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 572 wrote to memory of 1340 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\SysWOW64\cmd.exe
PID 572 wrote to memory of 1340 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\SysWOW64\cmd.exe
PID 572 wrote to memory of 1340 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\SysWOW64\cmd.exe
PID 572 wrote to memory of 1340 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\SysWOW64\cmd.exe
PID 572 wrote to memory of 1044 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe
PID 572 wrote to memory of 1044 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe
PID 572 wrote to memory of 1044 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe
PID 572 wrote to memory of 1044 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe
PID 1340 wrote to memory of 864 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\choice.exe
PID 1340 wrote to memory of 864 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\choice.exe
PID 1340 wrote to memory of 864 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\choice.exe
PID 1340 wrote to memory of 864 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\choice.exe
PID 1044 wrote to memory of 1336 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1044 wrote to memory of 1336 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1044 wrote to memory of 1336 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1044 wrote to memory of 1336 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1044 wrote to memory of 1336 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1044 wrote to memory of 1336 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1044 wrote to memory of 1336 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1044 wrote to memory of 1336 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1044 wrote to memory of 1384 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\SysWOW64\cmd.exe
PID 1044 wrote to memory of 1384 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\SysWOW64\cmd.exe
PID 1044 wrote to memory of 1384 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\SysWOW64\cmd.exe
PID 1044 wrote to memory of 1384 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\SysWOW64\cmd.exe
PID 1384 wrote to memory of 1124 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\choice.exe
PID 1384 wrote to memory of 1124 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\choice.exe
PID 1384 wrote to memory of 1124 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\choice.exe
PID 1384 wrote to memory of 1124 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\choice.exe
PID 1044 wrote to memory of 896 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

Network

Country Destination Domain Proto
US 8.8.8.8:53 bot.whatismyipaddress.com udp

Files

memory/964-55-0x0000000000C40000-0x0000000000D0E000-memory.dmp

memory/964-56-0x0000000000A20000-0x0000000000AB8000-memory.dmp

memory/964-57-0x00000000760F1000-0x00000000760F3000-memory.dmp

memory/964-58-0x00000000001B0000-0x0000000000200000-memory.dmp

memory/1972-60-0x0000000000400000-0x0000000000490000-memory.dmp

memory/1972-61-0x00000000006C0000-0x00000000006C6000-memory.dmp

memory/1972-62-0x0000000000E50000-0x0000000000E51000-memory.dmp

memory/572-66-0x0000000000330000-0x0000000000333000-memory.dmp

memory/568-67-0x0000000000B10000-0x0000000000B11000-memory.dmp

memory/1044-70-0x0000000000230000-0x0000000000280000-memory.dmp

memory/1336-71-0x0000000000E00000-0x0000000000FC0000-memory.dmp

memory/1644-73-0x0000000004D70000-0x0000000004D71000-memory.dmp

memory/1792-78-0x0000000004C10000-0x0000000004C11000-memory.dmp

memory/1784-77-0x0000000000250000-0x0000000000280000-memory.dmp

memory/772-81-0x0000000000230000-0x0000000000280000-memory.dmp

memory/388-82-0x0000000001140000-0x0000000001141000-memory.dmp

memory/1104-84-0x0000000000470000-0x00000000004C0000-memory.dmp

memory/476-86-0x0000000004D60000-0x0000000004D61000-memory.dmp

memory/652-89-0x00000000001B0000-0x0000000000200000-memory.dmp

memory/1048-90-0x0000000004EF0000-0x0000000004EF1000-memory.dmp

memory/288-94-0x0000000000250000-0x0000000000280000-memory.dmp

memory/1064-96-0x0000000004B20000-0x0000000004B21000-memory.dmp

memory/1072-99-0x0000000000400000-0x0000000000430000-memory.dmp

memory/1984-100-0x0000000004C60000-0x0000000004C61000-memory.dmp

memory/1708-102-0x00000000004E0000-0x0000000000520000-memory.dmp

memory/2140-103-0x0000000004DD0000-0x0000000004DD1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\e14f0591-f1ea-0019-5386-0f68f3cbc499

MD5 0e94f508a7733660f34dd8bdee3498be
SHA1 3ff9062790b9b2e5db956f1c5f76437db41a4872
SHA256 557b364bfb2cb6e9af4bdb2dc00a8854ae502e2901bd2dd106af7197e0709116
SHA512 0f7ee5f3cffaa91c7588d23e4edc2cfb0605177d3d8ccbfe48f5f46e88ce350d55dc7f594d8acd2984976fa242e337454068585aadbe14dde85b9015ec96bd5a

C:\Users\Admin\AppData\Local\Temp\e14f0591-f1ea-0019-5386-0f68f3cbc499

MD5 0e94f508a7733660f34dd8bdee3498be
SHA1 3ff9062790b9b2e5db956f1c5f76437db41a4872
SHA256 557b364bfb2cb6e9af4bdb2dc00a8854ae502e2901bd2dd106af7197e0709116
SHA512 0f7ee5f3cffaa91c7588d23e4edc2cfb0605177d3d8ccbfe48f5f46e88ce350d55dc7f594d8acd2984976fa242e337454068585aadbe14dde85b9015ec96bd5a

memory/2348-109-0x0000000004D90000-0x0000000004D91000-memory.dmp

memory/1644-110-0x0000000004D75000-0x0000000004D86000-memory.dmp

memory/1048-111-0x0000000004EF5000-0x0000000004F06000-memory.dmp

memory/1336-112-0x0000000000E00000-0x0000000000FC0000-memory.dmp

memory/388-113-0x0000000001145000-0x0000000001156000-memory.dmp

memory/2140-115-0x0000000004DD5000-0x0000000004DE6000-memory.dmp

memory/1792-114-0x0000000004C15000-0x0000000004C26000-memory.dmp

memory/568-117-0x0000000000B15000-0x0000000000B26000-memory.dmp

memory/1984-116-0x0000000004C65000-0x0000000004C76000-memory.dmp

memory/2348-118-0x0000000004D95000-0x0000000004DA6000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-02-05 09:49

Reported

2022-02-05 09:52

Platform

win10v2004-en-20220112

Max time kernel

154s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

Signatures

HawkEye Reborn

keylogger trojan stealer spyware hawkeye_reborn

M00nd3v_Logger

stealer spyware m00nd3v_logger

M00nD3v Logger Payload

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A bot.whatismyipaddress.com N/A N/A
N/A bot.whatismyipaddress.com N/A N/A
N/A bot.whatismyipaddress.com N/A N/A
N/A bot.whatismyipaddress.com N/A N/A
N/A bot.whatismyipaddress.com N/A N/A
N/A bot.whatismyipaddress.com N/A N/A
N/A bot.whatismyipaddress.com N/A N/A
N/A bot.whatismyipaddress.com N/A N/A
N/A bot.whatismyipaddress.com N/A N/A
N/A bot.whatismyipaddress.com N/A N/A
N/A bot.whatismyipaddress.com N/A N/A
N/A bot.whatismyipaddress.com N/A N/A
N/A bot.whatismyipaddress.com N/A N/A
N/A bot.whatismyipaddress.com N/A N/A
N/A bot.whatismyipaddress.com N/A N/A
N/A bot.whatismyipaddress.com N/A N/A
N/A bot.whatismyipaddress.com N/A N/A
N/A bot.whatismyipaddress.com N/A N/A
N/A bot.whatismyipaddress.com N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1692 set thread context of 3168 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2968 set thread context of 3308 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1132 set thread context of 1776 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3796 set thread context of 964 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3916 set thread context of 3960 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1740 set thread context of 560 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3000 set thread context of 3180 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2920 set thread context of 1352 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3428 set thread context of 2124 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4000 set thread context of 3408 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2212 set thread context of 1120 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4028 set thread context of 3756 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4172 set thread context of 4220 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4372 set thread context of 4412 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4536 set thread context of 4644 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4776 set thread context of 4856 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 5000 set thread context of 5104 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3376 set thread context of 3884 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2996 set thread context of 3360 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4464 set thread context of 5092 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4952 set thread context of 1732 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4480 set thread context of 2100 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4448 set thread context of 4164 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4544 set thread context of 3996 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4864 set thread context of 4784 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3988 set thread context of 4132 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 5228 set thread context of 5324 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 5460 set thread context of 5556 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 5688 set thread context of 5764 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 5900 set thread context of 5980 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 6116 set thread context of 4920 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3676 set thread context of 4372 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 5316 set thread context of 5732 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 5884 set thread context of 5644 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 5860 set thread context of 5804 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 6032 set thread context of 5336 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 5184 set thread context of 3676 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 6024 set thread context of 1448 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 5836 set thread context of 6052 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 6120 set thread context of 6116 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 5180 set thread context of 3396 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2880 set thread context of 3472 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3268 set thread context of 4532 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 996 set thread context of 2532 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 6236 set thread context of 6304 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 6452 set thread context of 6508 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 6644 set thread context of 6716 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 6844 set thread context of 6932 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 7076 set thread context of 3380 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4632 set thread context of 5460 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 6276 set thread context of 2064 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 6820 set thread context of 6632 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 6208 set thread context of 6828 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 7068 set thread context of 7160 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 6200 set thread context of 6640 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1244 set thread context of 6360 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2544 set thread context of 6816 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1328 set thread context of 6656 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 6944 set thread context of 4604 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4556 set thread context of 6624 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 5552 set thread context of 6524 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4200 set thread context of 1944 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 5156 set thread context of 6432 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 544 set thread context of 7156 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat C:\Windows\System32\svchost.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\MusNotifyIcon.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\system32\MusNotifyIcon.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyLanBytes = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLanBytes = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrBps = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadCount = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CDNConnectionCount = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkUsageBps = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadCount = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadPendingCount = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyInternetBytes = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyGroupBytes = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkCnt = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "1" C:\Windows\System32\svchost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "3.787829" C:\Windows\System32\svchost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\Geo_EndpointFullUri = "https://geo.prod.do.dsp.mp.microsoft.com/geo" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\GroupConnectionCount = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkBps = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadCount = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PeerInfoCount = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkBps = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCdnBytes = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkBps = "0" C:\Windows\System32\svchost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\GeoVersion_EndpointFullUri = "https://geover.prod.do.dsp.mp.microsoft.com/geoversion" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CacheSizeBytes = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4044" C:\Windows\System32\svchost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "0.000000" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LANConnectionCount = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkUsageBps = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\FrDownloadRatePct = "90" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthlyUploadRestriction = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadRatePct = "100" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DODownloadMode = "1" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyInternetBytes = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrCnt = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\InternetConnectionCount = "0" C:\Windows\System32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLinkLocalBytes = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCacheHostBytes = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthID = "2" C:\Windows\System32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization C:\Windows\System32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config C:\Windows\System32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Settings C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DownloadMode_BackCompat = "1" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "3884" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\KVFileExpirationTime = "132887045933876912" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LinkLocalConnectionCount = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\BkDownloadRatePct = "45" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadPendingCount = "0" C:\Windows\System32\svchost.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A

Suspicious behavior: SetClipboardViewer

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1692 wrote to memory of 3168 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1692 wrote to memory of 3168 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1692 wrote to memory of 3168 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1692 wrote to memory of 3168 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1692 wrote to memory of 3984 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\SysWOW64\cmd.exe
PID 1692 wrote to memory of 3984 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\SysWOW64\cmd.exe
PID 1692 wrote to memory of 3984 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\SysWOW64\cmd.exe
PID 3984 wrote to memory of 3908 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\choice.exe
PID 3984 wrote to memory of 3908 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\choice.exe
PID 3984 wrote to memory of 3908 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\choice.exe
PID 1692 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe
PID 1692 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe
PID 1692 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe
PID 2968 wrote to memory of 3844 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2968 wrote to memory of 3844 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2968 wrote to memory of 3844 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2968 wrote to memory of 3308 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2968 wrote to memory of 3308 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2968 wrote to memory of 3308 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2968 wrote to memory of 3308 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2968 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\SysWOW64\cmd.exe
PID 2968 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\SysWOW64\cmd.exe
PID 2968 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\SysWOW64\cmd.exe
PID 2260 wrote to memory of 3180 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\choice.exe
PID 2260 wrote to memory of 3180 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\choice.exe
PID 2260 wrote to memory of 3180 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\choice.exe
PID 2968 wrote to memory of 1132 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe
PID 2968 wrote to memory of 1132 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe
PID 2968 wrote to memory of 1132 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe
PID 1132 wrote to memory of 1776 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1132 wrote to memory of 1776 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1132 wrote to memory of 1776 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1132 wrote to memory of 1776 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1132 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\SysWOW64\cmd.exe
PID 1132 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\SysWOW64\cmd.exe
PID 1132 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\SysWOW64\cmd.exe
PID 1132 wrote to memory of 3796 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe
PID 1132 wrote to memory of 3796 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe
PID 1132 wrote to memory of 3796 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe
PID 2984 wrote to memory of 3720 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\choice.exe
PID 2984 wrote to memory of 3720 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\choice.exe
PID 2984 wrote to memory of 3720 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\choice.exe
PID 3796 wrote to memory of 964 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3796 wrote to memory of 964 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3796 wrote to memory of 964 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3796 wrote to memory of 964 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3796 wrote to memory of 3200 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\SysWOW64\cmd.exe
PID 3796 wrote to memory of 3200 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\SysWOW64\cmd.exe
PID 3796 wrote to memory of 3200 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\SysWOW64\cmd.exe
PID 3200 wrote to memory of 2944 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\choice.exe
PID 3200 wrote to memory of 2944 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\choice.exe
PID 3200 wrote to memory of 2944 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\choice.exe
PID 3796 wrote to memory of 3916 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe
PID 3796 wrote to memory of 3916 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe
PID 3796 wrote to memory of 3916 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe
PID 3916 wrote to memory of 3776 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3916 wrote to memory of 3776 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3916 wrote to memory of 3776 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3916 wrote to memory of 3960 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3916 wrote to memory of 3960 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3916 wrote to memory of 3960 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3916 wrote to memory of 3960 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3916 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\SysWOW64\cmd.exe
PID 3916 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\SysWOW64\cmd.exe

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\system32\MusNotifyIcon.exe

%systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 settings-win.data.microsoft.com udp
US 52.167.249.196:443 settings-win.data.microsoft.com tcp
US 52.167.249.196:443 settings-win.data.microsoft.com tcp
US 52.167.249.196:443 settings-win.data.microsoft.com tcp
US 52.167.249.196:443 settings-win.data.microsoft.com tcp
US 8.8.8.8:53 geo.prod.do.dsp.mp.microsoft.com udp
US 52.143.81.222:443 geo.prod.do.dsp.mp.microsoft.com tcp
US 8.8.8.8:53 kv801.prod.do.dsp.mp.microsoft.com udp
NL 184.29.205.60:443 kv801.prod.do.dsp.mp.microsoft.com tcp
US 52.167.249.196:443 settings-win.data.microsoft.com tcp
US 209.197.3.8:80 tcp
US 209.197.3.8:80 tcp
US 209.197.3.8:80 tcp
US 209.197.3.8:80 tcp
US 8.8.8.8:53 bot.whatismyipaddress.com udp
US 8.8.8.8:53 bot.whatismyipaddress.com udp
US 8.8.8.8:53 bot.whatismyipaddress.com udp
US 8.8.8.8:53 bot.whatismyipaddress.com udp
US 8.8.8.8:53 bot.whatismyipaddress.com udp
US 8.8.8.8:53 bot.whatismyipaddress.com udp
US 8.8.8.8:53 bot.whatismyipaddress.com udp
US 8.8.8.8:53 bot.whatismyipaddress.com udp
US 8.8.8.8:53 bot.whatismyipaddress.com udp
US 8.8.8.8:53 bot.whatismyipaddress.com udp
US 8.8.8.8:53 bot.whatismyipaddress.com udp
US 8.8.8.8:53 bot.whatismyipaddress.com udp
US 8.8.8.8:53 bot.whatismyipaddress.com udp
US 8.8.8.8:53 bot.whatismyipaddress.com udp
US 8.8.8.8:53 bot.whatismyipaddress.com udp
US 8.8.8.8:53 bot.whatismyipaddress.com udp
US 8.8.8.8:53 bot.whatismyipaddress.com udp
US 8.8.8.8:53 bot.whatismyipaddress.com udp
US 8.8.8.8:53 bot.whatismyipaddress.com udp
US 8.8.8.8:53 udp

Files

memory/1692-130-0x0000000000C90000-0x0000000000D5E000-memory.dmp

memory/1692-131-0x0000000002FA0000-0x0000000003071000-memory.dmp

memory/3168-132-0x0000000000400000-0x0000000000490000-memory.dmp

memory/3168-133-0x00000000059C0000-0x00000000059C1000-memory.dmp

memory/3168-134-0x0000000009F50000-0x0000000009FEC000-memory.dmp

memory/2968-135-0x00000000051F0000-0x00000000051F3000-memory.dmp

memory/3308-136-0x0000000005130000-0x0000000005131000-memory.dmp

memory/1776-137-0x0000000005430000-0x0000000005431000-memory.dmp

memory/964-138-0x00000000055E0000-0x00000000055E1000-memory.dmp

memory/3960-139-0x00000000056F0000-0x00000000056F1000-memory.dmp

memory/560-140-0x0000000005050000-0x0000000005051000-memory.dmp

memory/3180-141-0x0000000005880000-0x0000000005881000-memory.dmp

memory/3168-142-0x0000000009FF0000-0x000000000A056000-memory.dmp

memory/1352-143-0x0000000004EF0000-0x0000000004EF1000-memory.dmp

memory/3428-144-0x00000000014B0000-0x0000000001580000-memory.dmp

memory/2124-145-0x0000000004F10000-0x0000000004F11000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\288dcd02-fa31-ab9c-6c82-c07995aa8226

MD5 0e94f508a7733660f34dd8bdee3498be
SHA1 3ff9062790b9b2e5db956f1c5f76437db41a4872
SHA256 557b364bfb2cb6e9af4bdb2dc00a8854ae502e2901bd2dd106af7197e0709116
SHA512 0f7ee5f3cffaa91c7588d23e4edc2cfb0605177d3d8ccbfe48f5f46e88ce350d55dc7f594d8acd2984976fa242e337454068585aadbe14dde85b9015ec96bd5a

C:\Users\Admin\AppData\Local\Temp\288dcd02-fa31-ab9c-6c82-c07995aa8226

MD5 0e94f508a7733660f34dd8bdee3498be
SHA1 3ff9062790b9b2e5db956f1c5f76437db41a4872
SHA256 557b364bfb2cb6e9af4bdb2dc00a8854ae502e2901bd2dd106af7197e0709116
SHA512 0f7ee5f3cffaa91c7588d23e4edc2cfb0605177d3d8ccbfe48f5f46e88ce350d55dc7f594d8acd2984976fa242e337454068585aadbe14dde85b9015ec96bd5a

memory/3408-148-0x00000000056E0000-0x00000000056E1000-memory.dmp

memory/3308-149-0x000000000A530000-0x000000000AAD4000-memory.dmp

memory/3168-150-0x0000000005A70000-0x0000000005B02000-memory.dmp

memory/1120-151-0x0000000004FF0000-0x0000000004FF1000-memory.dmp

memory/3756-152-0x00000000051F0000-0x00000000051F1000-memory.dmp

memory/4220-153-0x0000000005270000-0x0000000005271000-memory.dmp

memory/4412-154-0x0000000005000000-0x0000000005001000-memory.dmp

memory/4644-155-0x0000000004FB0000-0x0000000004FB1000-memory.dmp

memory/4856-156-0x0000000005190000-0x0000000005191000-memory.dmp

memory/5000-157-0x00000000031D0000-0x0000000003290000-memory.dmp

memory/5104-158-0x0000000005450000-0x0000000005680000-memory.dmp

memory/3884-159-0x00000000058F0000-0x00000000058F1000-memory.dmp

memory/3360-161-0x0000000005570000-0x0000000005571000-memory.dmp

memory/2996-160-0x0000000000C50000-0x0000000000C83000-memory.dmp

memory/4464-162-0x0000000005590000-0x00000000055C0000-memory.dmp

memory/5092-163-0x00000000057A0000-0x00000000057A1000-memory.dmp

memory/4220-164-0x0000000005C90000-0x0000000005C9A000-memory.dmp

memory/1732-165-0x0000000005730000-0x0000000005731000-memory.dmp

memory/2100-166-0x0000000002930000-0x0000000002931000-memory.dmp

memory/4164-167-0x00000000055F0000-0x00000000055F1000-memory.dmp

memory/4544-168-0x0000000001140000-0x0000000001171000-memory.dmp

memory/4864-169-0x0000000000E70000-0x0000000000EA0000-memory.dmp

memory/4784-170-0x0000000005180000-0x0000000005181000-memory.dmp

memory/4132-171-0x0000000005410000-0x0000000005411000-memory.dmp

memory/5228-172-0x0000000002580000-0x0000000002630000-memory.dmp

memory/5324-173-0x00000000052C0000-0x0000000005330000-memory.dmp

memory/5556-174-0x00000000054F0000-0x00000000054F1000-memory.dmp

memory/5764-175-0x0000000005690000-0x0000000005691000-memory.dmp

memory/5980-176-0x0000000005300000-0x0000000005301000-memory.dmp

memory/6116-177-0x00000000022E0000-0x00000000023C1000-memory.dmp

memory/4920-178-0x0000000005730000-0x0000000005800000-memory.dmp

memory/4372-179-0x0000000005190000-0x0000000005191000-memory.dmp

memory/5732-180-0x0000000005560000-0x0000000005561000-memory.dmp

memory/5644-181-0x00000000052F0000-0x00000000052F1000-memory.dmp

memory/5804-182-0x00000000059F0000-0x00000000059F1000-memory.dmp

memory/5336-183-0x00000000054A0000-0x00000000054A1000-memory.dmp

memory/5184-184-0x0000000001650000-0x00000000016A3000-memory.dmp

memory/3676-185-0x0000000005440000-0x0000000005441000-memory.dmp

memory/1448-186-0x0000000004FB0000-0x0000000004FB1000-memory.dmp

memory/5836-187-0x0000000001930000-0x00000000019F0000-memory.dmp

memory/6052-188-0x0000000005660000-0x0000000005661000-memory.dmp

memory/6116-189-0x0000000005460000-0x00000000054D0000-memory.dmp

memory/3396-190-0x00000000057B0000-0x00000000057B1000-memory.dmp

memory/3472-191-0x00000000055F0000-0x00000000055F1000-memory.dmp

memory/4532-192-0x00000000057E0000-0x00000000057E1000-memory.dmp

memory/996-193-0x0000000002780000-0x0000000002840000-memory.dmp

memory/2532-194-0x0000000005060000-0x0000000005061000-memory.dmp

memory/6304-195-0x00000000052A0000-0x00000000052A1000-memory.dmp