Analysis
-
max time kernel
162s -
max time network
165s -
platform
windows10-2004_x64 -
resource
win10v2004-en-20220112 -
submitted
05-02-2022 11:47
General
-
Target
BALANCE PAYMENT OF INV #005788903736282 20200418.exe
-
Size
798KB
-
MD5
c7848797c3eb098eb5e6430baf4a26e1
-
SHA1
0c954e2e62839957e9746dae3438eb4aed1fe5b8
-
SHA256
088065e6c2fc3b413563bc44b0626a13ad9e32a330ae958dd24141862c3c90de
-
SHA512
7bc7071d52dd3ec1cfc9f5b4642110c8605f6eddbc22a669cc69ba33be86cf3ea991db231617f5fb3e23fd3cc3020cc01a1bb9becef49bc79dc028df7f9371de
Score
10/10
Malware Config
Extracted
Family
hawkeye_reborn
Version
10.1.2.2
Credentials
Protocol: smtp- Host:
mail.bigmanstan.com - Port:
587 - Username:
[email protected] - Password:
khalifa@2020
Mutex
c4ceaee6-98e6-414f-92f0-272fe7bd057c
Attributes
-
fields
map[_AntiDebugger:false _AntiVirusKiller:false _BotKiller:false _ClipboardLogger:true _Delivery:0 _DisableCommandPrompt:false _DisableRegEdit:false _DisableTaskManager:false _Disablers:false _EmailPassword:khalifa@2020 _EmailPort:587 _EmailSSL:false _EmailServer:mail.bigmanstan.com _EmailUsername:[email protected] _ExecutionDelay:10 _FTPPort:0 _FTPSFTP:false _FakeMessageIcon:0 _FakeMessageShow:false _FileBinder:false _HideFile:false _HistoryCleaner:false _Install:false _InstallLocation:0 _InstallStartup:false _InstallStartupPersistance:false _KeyStrokeLogger:false _LogInterval:10 _MeltFile:false _Mutex:c4ceaee6-98e6-414f-92f0-272fe7bd057c _PasswordStealer:true _ProcessElevation:false _ProcessProtection:false _ScreenshotLogger:false _SystemInfo:false _Version:10.1.2.2 _WebCamLogger:false _WebsiteBlocker:false _WebsiteVisitor:false _WebsiteVisitorVisible:false _ZoneID:false]
-
name
HawkEye Keylogger - RebornX, Version=10.1.2.2, Culture=neutral, PublicKeyToken=null
Signatures
-
HawkEye Reborn
HawkEye Reborn is an enhanced version of the HawkEye malware kit.
-
M00nd3v_Logger
M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
-
M00nD3v Logger Payload 1 IoCs
Detects M00nD3v Logger payload in memory.
-
Checks computer location settings 2 TTPs 64 IoCs
Looks up country code configured in the registry, likely geofence.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 64 IoCs
-
Looks up external IP address via web service 18 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 64 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies data under HKEY_USERS 45 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 64 IoCs
-
Suspicious behavior: SetClipboardViewer 57 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 33⤵
-
C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"2⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"3⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 35⤵
-
C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"4⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"5⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 36⤵
-
C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"5⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"6⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"6⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 37⤵
-
C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"6⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"7⤵
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"7⤵
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 38⤵
-
C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"7⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"8⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"8⤵
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 39⤵
-
C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"8⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"9⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"9⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"9⤵
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 310⤵
-
C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"9⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"10⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"10⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"10⤵
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 311⤵
-
C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"10⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"11⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"11⤵
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 312⤵
-
C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"11⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"12⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"12⤵
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 313⤵
-
C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"12⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"13⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"13⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"13⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"13⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"13⤵
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 314⤵
-
C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"13⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"14⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"14⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"14⤵
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 315⤵
-
C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"14⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"15⤵
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"15⤵
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 316⤵
-
C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"15⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"16⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"16⤵
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 317⤵
-
C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"16⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"17⤵
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"17⤵
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 318⤵
-
C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"17⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"18⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"18⤵
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 319⤵
-
C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"18⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"19⤵
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"19⤵
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 320⤵
-
C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"19⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"20⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"20⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"20⤵
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"20⤵
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 321⤵
-
C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"20⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"21⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"21⤵
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"21⤵
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 322⤵
-
C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"21⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"22⤵
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"22⤵
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 323⤵
-
C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"22⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"23⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"23⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"23⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"23⤵
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 324⤵
-
C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"23⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"24⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"24⤵
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 325⤵
-
C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"24⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"25⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"25⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"25⤵
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 326⤵
-
C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"25⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"26⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"26⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"26⤵
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 327⤵
-
C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"26⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"27⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"27⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"27⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"27⤵
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 328⤵
-
C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"27⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"28⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"28⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"28⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"28⤵
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 329⤵
-
C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"28⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"29⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"29⤵
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 330⤵
-
C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"29⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"30⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"30⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"30⤵
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 331⤵
-
C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"30⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"31⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: SetClipboardViewer
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"31⤵
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 332⤵
-
C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"31⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"32⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: SetClipboardViewer
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"32⤵
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 333⤵
-
C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"32⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"33⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"33⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: SetClipboardViewer
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"33⤵
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 334⤵
-
C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"33⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"34⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: SetClipboardViewer
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"34⤵
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 335⤵
-
C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"34⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"35⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: SetClipboardViewer
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"35⤵
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 336⤵
-
C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"35⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"36⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: SetClipboardViewer
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"36⤵
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 337⤵
-
C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"36⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"37⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: SetClipboardViewer
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"37⤵
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 338⤵
-
C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"37⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"38⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: SetClipboardViewer
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"38⤵
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 339⤵
-
C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"38⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"39⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: SetClipboardViewer
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"39⤵
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 340⤵
-
C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"39⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"40⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"40⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: SetClipboardViewer
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"40⤵
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 341⤵
-
C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"40⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"41⤵
- Suspicious behavior: SetClipboardViewer
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"41⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"41⤵
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 342⤵
-
C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"41⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"42⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: SetClipboardViewer
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"42⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"42⤵
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 343⤵
-
C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"42⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"43⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: SetClipboardViewer
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"43⤵
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 344⤵
-
C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"43⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"44⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: SetClipboardViewer
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"44⤵
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 345⤵
-
C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"44⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"45⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: SetClipboardViewer
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"45⤵
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 346⤵
-
C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"45⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"46⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: SetClipboardViewer
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"46⤵
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 347⤵
-
C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"46⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"47⤵
- Suspicious behavior: SetClipboardViewer
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"47⤵
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 348⤵
-
C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"47⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"48⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: SetClipboardViewer
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"48⤵
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 349⤵
-
C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"48⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"49⤵
- Suspicious behavior: SetClipboardViewer
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"49⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"49⤵
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 350⤵
-
C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"49⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"50⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: SetClipboardViewer
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"50⤵
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 351⤵
-
C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"50⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"51⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: SetClipboardViewer
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"51⤵
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 352⤵
-
C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"51⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"52⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: SetClipboardViewer
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"52⤵
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 353⤵
-
C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"52⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"53⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: SetClipboardViewer
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"53⤵
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 354⤵
-
C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"53⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"54⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: SetClipboardViewer
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"54⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"54⤵
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 355⤵
-
C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"54⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"55⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"55⤵
- Suspicious behavior: SetClipboardViewer
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"55⤵
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 356⤵
-
C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"55⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"56⤵
- Suspicious behavior: SetClipboardViewer
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"56⤵
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 357⤵
-
C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"56⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"57⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: SetClipboardViewer
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"57⤵
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 358⤵
-
C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"57⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"58⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"58⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"58⤵
- Suspicious behavior: SetClipboardViewer
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"58⤵
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 359⤵
-
C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"58⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"59⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"59⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: SetClipboardViewer
- outlook_office_path
- outlook_win_path
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"59⤵
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 360⤵
-
C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"59⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"60⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"60⤵
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 361⤵
-
C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"60⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"61⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"61⤵
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 362⤵
-
C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"61⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"62⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"62⤵
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 363⤵
-
C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"62⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"63⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"63⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"63⤵
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 364⤵
-
C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"63⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"64⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"64⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"64⤵
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 365⤵
-
C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"64⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"65⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"65⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"65⤵
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 366⤵
-
C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"65⤵
-
C:\Windows\system32\MusNotifyIcon.exe%systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 131⤵
- Checks processor information in registry
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
512KB
-
Filesize
256KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
192KB
-
Filesize
4KB
-
Filesize
192KB
-
Filesize
624KB
-
Filesize
408KB
-
Filesize
5.6MB
-
Filesize
584KB
-
Filesize
4KB
-
Filesize
576KB
-
Filesize
772KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
192KB
-
Filesize
704KB
-
Filesize
4KB
-
Filesize
12KB
-
Filesize
824KB
-
Filesize
900KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
40KB
-
Filesize
4KB
-
Filesize
384KB
-
Filesize
256KB
-
Filesize
4KB
-
Filesize
256KB
-
Filesize
640KB
-
Filesize
4KB
-
Filesize
704KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
196KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
192KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
256KB
-
Filesize
4KB
-
Filesize
896KB
-
Filesize
4KB
-
Filesize
192KB
-
Filesize
4KB
-
Filesize
708KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
192KB
-
Filesize
196KB
-
Filesize
4KB
-
Filesize
704KB
-
Filesize
832KB
-
Filesize
4KB
-
Filesize
192KB
-
Filesize
196KB
-
Filesize
768KB