Malware Analysis Report

2025-01-18 02:37

Sample ID 220205-nx5atsbcap
Target a75aea27c33ea26c8ca3256a7e41c8534dfc1fc1f544b60bf048c2a2c1119149
SHA256 a75aea27c33ea26c8ca3256a7e41c8534dfc1fc1f544b60bf048c2a2c1119149
Tags
hawkeye_reborn m00nd3v_logger collection keylogger spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

a75aea27c33ea26c8ca3256a7e41c8534dfc1fc1f544b60bf048c2a2c1119149

Threat Level: Known bad

The file a75aea27c33ea26c8ca3256a7e41c8534dfc1fc1f544b60bf048c2a2c1119149 was found to be: Known bad.

Malicious Activity Summary

hawkeye_reborn m00nd3v_logger collection keylogger spyware stealer trojan

HawkEye Reborn

M00nd3v_Logger

M00nD3v Logger Payload

Reads user/profile data of web browsers

Checks computer location settings

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Suspicious use of SetThreadContext

Drops file in Windows directory

Enumerates physical storage devices

outlook_office_path

Modifies data under HKEY_USERS

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious behavior: SetClipboardViewer

Suspicious use of WriteProcessMemory

outlook_win_path

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-02-05 11:47

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-02-05 11:47

Reported

2022-02-05 11:50

Platform

win7-en-20211208

Max time kernel

150s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

Signatures

HawkEye Reborn

keylogger trojan stealer spyware hawkeye_reborn

M00nd3v_Logger

stealer spyware m00nd3v_logger

M00nD3v Logger Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A bot.whatismyipaddress.com N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1440 set thread context of 884 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1888 set thread context of 1352 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 536 set thread context of 1236 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1052 set thread context of 1524 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1728 set thread context of 1296 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 524 set thread context of 268 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1584 set thread context of 644 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1560 set thread context of 1544 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 924 set thread context of 1816 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2108 set thread context of 2188 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2288 set thread context of 2356 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2456 set thread context of 2564 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2656 set thread context of 2740 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2828 set thread context of 2928 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3028 set thread context of 1604 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2260 set thread context of 2056 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2420 set thread context of 2572 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2748 set thread context of 584 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2776 set thread context of 2228 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2148 set thread context of 2304 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3004 set thread context of 1104 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2940 set thread context of 2280 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3160 set thread context of 3264 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3360 set thread context of 3444 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3532 set thread context of 3620 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3720 set thread context of 3804 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3892 set thread context of 3992 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4056 set thread context of 3228 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3152 set thread context of 3100 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3652 set thread context of 2436 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3468 set thread context of 3644 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2996 set thread context of 4008 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3120 set thread context of 2156 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3136 set thread context of 3512 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3816 set thread context of 956 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4020 set thread context of 3000 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4172 set thread context of 4252 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4352 set thread context of 4436 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4524 set thread context of 4612 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4712 set thread context of 4792 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4908 set thread context of 5000 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 5116 set thread context of 2704 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4068 set thread context of 3368 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4180 set thread context of 4760 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4968 set thread context of 4676 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4832 set thread context of 2424 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4060 set thread context of 1944 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3280 set thread context of 764 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4756 set thread context of 4012 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3184 set thread context of 3768 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4504 set thread context of 4892 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1648 set thread context of 5204 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 5292 set thread context of 5408 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 5504 set thread context of 5588 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 5676 set thread context of 5712 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 5808 set thread context of 5892 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 5980 set thread context of 6080 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4132 set thread context of 2944 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3452 set thread context of 5672 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 5452 set thread context of 6040 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3580 set thread context of 5820 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2708 set thread context of 4960 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2428 set thread context of 5036 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3884 set thread context of 5684 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A

Suspicious behavior: SetClipboardViewer

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1440 wrote to memory of 884 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1440 wrote to memory of 884 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1440 wrote to memory of 884 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1440 wrote to memory of 884 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1440 wrote to memory of 884 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1440 wrote to memory of 884 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1440 wrote to memory of 884 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1440 wrote to memory of 884 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1440 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\SysWOW64\cmd.exe
PID 1440 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\SysWOW64\cmd.exe
PID 1440 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\SysWOW64\cmd.exe
PID 1440 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\SysWOW64\cmd.exe
PID 1744 wrote to memory of 760 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\choice.exe
PID 1744 wrote to memory of 760 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\choice.exe
PID 1744 wrote to memory of 760 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\choice.exe
PID 1744 wrote to memory of 760 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\choice.exe
PID 1440 wrote to memory of 1888 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe
PID 1440 wrote to memory of 1888 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe
PID 1440 wrote to memory of 1888 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe
PID 1440 wrote to memory of 1888 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe
PID 1888 wrote to memory of 1352 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1888 wrote to memory of 1352 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1888 wrote to memory of 1352 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1888 wrote to memory of 1352 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1888 wrote to memory of 1352 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1888 wrote to memory of 1352 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1888 wrote to memory of 1352 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1888 wrote to memory of 1352 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1888 wrote to memory of 584 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\SysWOW64\cmd.exe
PID 1888 wrote to memory of 584 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\SysWOW64\cmd.exe
PID 1888 wrote to memory of 584 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\SysWOW64\cmd.exe
PID 1888 wrote to memory of 584 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\SysWOW64\cmd.exe
PID 1888 wrote to memory of 536 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe
PID 1888 wrote to memory of 536 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe
PID 1888 wrote to memory of 536 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe
PID 1888 wrote to memory of 536 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe
PID 584 wrote to memory of 1500 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\choice.exe
PID 584 wrote to memory of 1500 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\choice.exe
PID 584 wrote to memory of 1500 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\choice.exe
PID 584 wrote to memory of 1500 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\choice.exe
PID 536 wrote to memory of 1236 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 536 wrote to memory of 1236 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 536 wrote to memory of 1236 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 536 wrote to memory of 1236 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 536 wrote to memory of 1236 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 536 wrote to memory of 1236 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 536 wrote to memory of 1236 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 536 wrote to memory of 1236 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 536 wrote to memory of 364 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\SysWOW64\cmd.exe
PID 536 wrote to memory of 364 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\SysWOW64\cmd.exe
PID 536 wrote to memory of 364 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\SysWOW64\cmd.exe
PID 536 wrote to memory of 364 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\SysWOW64\cmd.exe
PID 364 wrote to memory of 1932 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\choice.exe
PID 364 wrote to memory of 1932 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\choice.exe
PID 364 wrote to memory of 1932 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\choice.exe
PID 364 wrote to memory of 1932 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\choice.exe
PID 536 wrote to memory of 1052 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe
PID 536 wrote to memory of 1052 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe
PID 536 wrote to memory of 1052 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe
PID 536 wrote to memory of 1052 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe
PID 1052 wrote to memory of 1524 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1052 wrote to memory of 1524 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1052 wrote to memory of 1524 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1052 wrote to memory of 1524 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 bot.whatismyipaddress.com udp

Files

memory/1440-53-0x0000000001330000-0x00000000013FE000-memory.dmp

memory/1440-54-0x0000000000AF0000-0x0000000000B88000-memory.dmp

memory/1440-55-0x0000000075D61000-0x0000000075D63000-memory.dmp

memory/884-57-0x0000000000400000-0x0000000000490000-memory.dmp

memory/884-58-0x00000000003B0000-0x00000000003B6000-memory.dmp

memory/884-60-0x0000000004A70000-0x0000000004A71000-memory.dmp

memory/1440-59-0x0000000000220000-0x0000000000260000-memory.dmp

memory/1888-64-0x00000000002B0000-0x0000000000300000-memory.dmp

memory/1352-65-0x0000000000490000-0x00000000004E0000-memory.dmp

memory/536-68-0x0000000000370000-0x0000000000373000-memory.dmp

memory/1236-69-0x00000000004C0000-0x00000000004C1000-memory.dmp

memory/1052-71-0x00000000002B0000-0x0000000000300000-memory.dmp

memory/1524-72-0x0000000004C30000-0x0000000004C31000-memory.dmp

memory/1728-76-0x0000000000390000-0x00000000003E6000-memory.dmp

memory/1296-77-0x0000000004E20000-0x0000000004E21000-memory.dmp

memory/524-79-0x00000000001C0000-0x0000000000210000-memory.dmp

memory/268-81-0x0000000004AD0000-0x0000000004AD1000-memory.dmp

memory/644-85-0x0000000000880000-0x0000000000881000-memory.dmp

memory/1584-84-0x00000000001B0000-0x0000000000200000-memory.dmp

memory/1544-89-0x0000000004A40000-0x0000000004A41000-memory.dmp

memory/1560-87-0x0000000000240000-0x0000000000293000-memory.dmp

memory/924-92-0x00000000001D0000-0x00000000002A0000-memory.dmp

memory/1816-93-0x0000000004ED0000-0x0000000004ED1000-memory.dmp

memory/2188-96-0x0000000004A70000-0x0000000004A71000-memory.dmp

memory/2356-99-0x0000000004BA0000-0x0000000004BA1000-memory.dmp

memory/1352-100-0x0000000000490000-0x00000000004E0000-memory.dmp

memory/2564-103-0x0000000000490000-0x0000000000600000-memory.dmp

memory/1236-104-0x00000000004C5000-0x00000000004D6000-memory.dmp

memory/2740-108-0x0000000001040000-0x0000000001041000-memory.dmp

memory/2656-107-0x00000000001C0000-0x0000000000210000-memory.dmp

memory/1524-109-0x0000000004C35000-0x0000000004C46000-memory.dmp

memory/2928-111-0x0000000004CD0000-0x0000000004CD1000-memory.dmp

memory/1296-113-0x0000000004E25000-0x0000000004E36000-memory.dmp

memory/3028-114-0x0000000000350000-0x00000000003C3000-memory.dmp

memory/1604-117-0x0000000001230000-0x0000000001231000-memory.dmp

memory/268-118-0x0000000004AD5000-0x0000000004AE6000-memory.dmp

memory/2056-121-0x0000000004E50000-0x0000000004E51000-memory.dmp

memory/2572-123-0x0000000000660000-0x0000000000661000-memory.dmp

memory/1544-125-0x0000000004A45000-0x0000000004A56000-memory.dmp

memory/584-128-0x0000000004C90000-0x0000000004C91000-memory.dmp

memory/1816-129-0x0000000004ED5000-0x0000000004EE6000-memory.dmp

memory/2228-132-0x0000000001170000-0x0000000001171000-memory.dmp

memory/2304-135-0x00000000009D0000-0x00000000009D1000-memory.dmp

memory/2188-134-0x0000000004A75000-0x0000000004A86000-memory.dmp

memory/2356-137-0x0000000004BA5000-0x0000000004BB6000-memory.dmp

memory/3004-140-0x0000000000330000-0x0000000000380000-memory.dmp

memory/1104-141-0x0000000004B60000-0x0000000004B61000-memory.dmp

memory/2564-142-0x0000000000490000-0x0000000000600000-memory.dmp

memory/2940-144-0x00000000004C0000-0x00000000005A3000-memory.dmp

memory/2280-145-0x00000000027E0000-0x00000000027E1000-memory.dmp

memory/2740-147-0x0000000001045000-0x0000000001056000-memory.dmp

memory/3160-148-0x0000000000230000-0x00000000002C0000-memory.dmp

memory/3264-151-0x0000000001230000-0x0000000001231000-memory.dmp

memory/2928-152-0x0000000004CD5000-0x0000000004CE6000-memory.dmp

memory/1604-156-0x0000000001235000-0x0000000001246000-memory.dmp

memory/3444-155-0x00000000006F0000-0x00000000006F1000-memory.dmp

memory/3620-159-0x0000000004C80000-0x0000000004C81000-memory.dmp

memory/2056-160-0x0000000004E55000-0x0000000004E66000-memory.dmp

memory/3804-163-0x0000000004CF0000-0x0000000004CF1000-memory.dmp

memory/2572-164-0x0000000000665000-0x0000000000676000-memory.dmp

memory/3892-167-0x00000000001E0000-0x0000000000210000-memory.dmp

memory/3992-168-0x0000000004B50000-0x0000000004B51000-memory.dmp

memory/584-169-0x0000000004C95000-0x0000000004CA6000-memory.dmp

memory/3228-173-0x0000000004C00000-0x0000000004C01000-memory.dmp

memory/4056-172-0x00000000001B0000-0x0000000000200000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-02-05 11:47

Reported

2022-02-05 11:50

Platform

win10v2004-en-20220112

Max time kernel

162s

Max time network

165s

Command Line

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

Signatures

HawkEye Reborn

keylogger trojan stealer spyware hawkeye_reborn

M00nd3v_Logger

stealer spyware m00nd3v_logger

M00nD3v Logger Payload

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A bot.whatismyipaddress.com N/A N/A
N/A bot.whatismyipaddress.com N/A N/A
N/A bot.whatismyipaddress.com N/A N/A
N/A bot.whatismyipaddress.com N/A N/A
N/A bot.whatismyipaddress.com N/A N/A
N/A bot.whatismyipaddress.com N/A N/A
N/A bot.whatismyipaddress.com N/A N/A
N/A bot.whatismyipaddress.com N/A N/A
N/A bot.whatismyipaddress.com N/A N/A
N/A bot.whatismyipaddress.com N/A N/A
N/A bot.whatismyipaddress.com N/A N/A
N/A bot.whatismyipaddress.com N/A N/A
N/A bot.whatismyipaddress.com N/A N/A
N/A bot.whatismyipaddress.com N/A N/A
N/A bot.whatismyipaddress.com N/A N/A
N/A bot.whatismyipaddress.com N/A N/A
N/A bot.whatismyipaddress.com N/A N/A
N/A bot.whatismyipaddress.com N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2884 set thread context of 1460 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2904 set thread context of 3036 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3228 set thread context of 384 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1124 set thread context of 3340 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2520 set thread context of 1020 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1920 set thread context of 3268 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2640 set thread context of 3620 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 376 set thread context of 2188 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2844 set thread context of 4092 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3772 set thread context of 1900 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1512 set thread context of 3740 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4048 set thread context of 376 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 180 set thread context of 2980 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2328 set thread context of 1920 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3416 set thread context of 216 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4184 set thread context of 4260 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4388 set thread context of 4464 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4600 set thread context of 4676 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4808 set thread context of 4900 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 5036 set thread context of 2000 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3924 set thread context of 3468 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 964 set thread context of 3624 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3476 set thread context of 4504 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4616 set thread context of 4772 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4964 set thread context of 5040 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2924 set thread context of 4180 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4348 set thread context of 4896 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 632 set thread context of 5024 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 5052 set thread context of 4328 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3280 set thread context of 4532 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 5168 set thread context of 5236 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 5388 set thread context of 5452 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 5612 set thread context of 5656 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 5808 set thread context of 5864 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 6028 set thread context of 6076 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4364 set thread context of 5152 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 5140 set thread context of 2740 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 5292 set thread context of 5836 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 6072 set thread context of 5616 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 5808 set thread context of 4540 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 5160 set thread context of 4888 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 5356 set thread context of 4808 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 5916 set thread context of 4544 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 5360 set thread context of 5964 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4176 set thread context of 632 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 5356 set thread context of 5604 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 5760 set thread context of 4300 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 5748 set thread context of 5724 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4088 set thread context of 3128 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 6180 set thread context of 6252 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 6388 set thread context of 6456 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 6588 set thread context of 6660 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 6796 set thread context of 6876 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 7012 set thread context of 7088 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3752 set thread context of 4100 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 6164 set thread context of 2908 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 6188 set thread context of 6564 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 5124 set thread context of 6732 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 6968 set thread context of 6796 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 7128 set thread context of 6436 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2832 set thread context of 6380 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 6500 set thread context of 6756 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2520 set thread context of 6696 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3152 set thread context of 4936 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat C:\Windows\System32\svchost.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\MusNotifyIcon.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\system32\MusNotifyIcon.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyGroupBytes = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\KVFileExpirationTime = "132887117179126506" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CacheSizeBytes = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadRatePct = "100" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4116" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DODownloadMode = "1" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyInternetBytes = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCdnBytes = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkUsageBps = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadCount = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLanBytes = "0" C:\Windows\System32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config C:\Windows\System32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyInternetBytes = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCacheHostBytes = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrBps = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthID = "2" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkUsageBps = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkBps = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\FrDownloadRatePct = "90" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\BkDownloadRatePct = "45" C:\Windows\System32\svchost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "6.849517" C:\Windows\System32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Settings C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyLanBytes = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\InternetConnectionCount = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadCount = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadCount = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadPendingCount = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DownloadMode_BackCompat = "1" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkBps = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkCnt = "0" C:\Windows\System32\svchost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\GeoVersion_EndpointFullUri = "https://geover.prod.do.dsp.mp.microsoft.com/geoversion" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LinkLocalConnectionCount = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthlyUploadRestriction = "0" C:\Windows\System32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrCnt = "0" C:\Windows\System32\svchost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\Geo_EndpointFullUri = "https://geo.prod.do.dsp.mp.microsoft.com/geo" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "1" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CDNConnectionCount = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\GroupConnectionCount = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLinkLocalBytes = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PeerInfoCount = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LANConnectionCount = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkBps = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadPendingCount = "0" C:\Windows\System32\svchost.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A

Suspicious behavior: SetClipboardViewer

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2884 wrote to memory of 1460 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2884 wrote to memory of 1460 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2884 wrote to memory of 1460 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2884 wrote to memory of 1460 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2884 wrote to memory of 3620 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\SysWOW64\cmd.exe
PID 2884 wrote to memory of 3620 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\SysWOW64\cmd.exe
PID 2884 wrote to memory of 3620 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\SysWOW64\cmd.exe
PID 3620 wrote to memory of 1492 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\choice.exe
PID 3620 wrote to memory of 1492 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\choice.exe
PID 3620 wrote to memory of 1492 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\choice.exe
PID 2884 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe
PID 2884 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe
PID 2884 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe
PID 2904 wrote to memory of 1656 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2904 wrote to memory of 1656 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2904 wrote to memory of 1656 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2904 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2904 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2904 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2904 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2904 wrote to memory of 3240 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\SysWOW64\cmd.exe
PID 2904 wrote to memory of 3240 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\SysWOW64\cmd.exe
PID 2904 wrote to memory of 3240 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\SysWOW64\cmd.exe
PID 2904 wrote to memory of 3228 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe
PID 2904 wrote to memory of 3228 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe
PID 2904 wrote to memory of 3228 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe
PID 3240 wrote to memory of 1464 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\choice.exe
PID 3240 wrote to memory of 1464 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\choice.exe
PID 3240 wrote to memory of 1464 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\choice.exe
PID 3228 wrote to memory of 384 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3228 wrote to memory of 384 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3228 wrote to memory of 384 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3228 wrote to memory of 384 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3228 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\SysWOW64\cmd.exe
PID 3228 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\SysWOW64\cmd.exe
PID 3228 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\SysWOW64\cmd.exe
PID 3228 wrote to memory of 1124 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe
PID 3228 wrote to memory of 1124 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe
PID 3228 wrote to memory of 1124 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe
PID 2844 wrote to memory of 3696 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\choice.exe
PID 2844 wrote to memory of 3696 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\choice.exe
PID 2844 wrote to memory of 3696 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\choice.exe
PID 1124 wrote to memory of 3340 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1124 wrote to memory of 3340 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1124 wrote to memory of 3340 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1124 wrote to memory of 3340 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1124 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\SysWOW64\cmd.exe
PID 1124 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\SysWOW64\cmd.exe
PID 1124 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\SysWOW64\cmd.exe
PID 2968 wrote to memory of 2464 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\choice.exe
PID 2968 wrote to memory of 2464 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\choice.exe
PID 2968 wrote to memory of 2464 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\choice.exe
PID 1124 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe
PID 1124 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe
PID 1124 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe
PID 2520 wrote to memory of 1020 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2520 wrote to memory of 1020 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2520 wrote to memory of 1020 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2520 wrote to memory of 1020 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2520 wrote to memory of 840 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\SysWOW64\cmd.exe
PID 2520 wrote to memory of 840 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\SysWOW64\cmd.exe
PID 2520 wrote to memory of 840 N/A C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe C:\Windows\SysWOW64\cmd.exe
PID 840 wrote to memory of 3324 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\choice.exe
PID 840 wrote to memory of 3324 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\choice.exe

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\system32\MusNotifyIcon.exe

%systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe

"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"

Network

Country Destination Domain Proto
NL 104.110.191.140:80 tcp
US 8.8.8.8:53 settings-win.data.microsoft.com udp
NL 51.124.78.146:443 settings-win.data.microsoft.com tcp
NL 51.124.78.146:443 settings-win.data.microsoft.com tcp
NL 51.124.78.146:443 settings-win.data.microsoft.com tcp
US 8.8.8.8:53 settings-win.data.microsoft.com udp
US 52.167.17.97:443 settings-win.data.microsoft.com tcp
US 8.8.8.8:53 geo.prod.do.dsp.mp.microsoft.com udp
US 52.137.103.96:443 geo.prod.do.dsp.mp.microsoft.com tcp
US 8.8.8.8:53 kv801.prod.do.dsp.mp.microsoft.com udp
NL 184.29.205.60:443 kv801.prod.do.dsp.mp.microsoft.com tcp
US 8.8.8.8:53 settings-win.data.microsoft.com udp
NL 20.73.194.208:443 settings-win.data.microsoft.com tcp
US 8.8.8.8:53 bot.whatismyipaddress.com udp
US 8.8.8.8:53 bot.whatismyipaddress.com udp
US 8.8.8.8:53 bot.whatismyipaddress.com udp
US 8.8.8.8:53 bot.whatismyipaddress.com udp
US 8.8.8.8:53 bot.whatismyipaddress.com udp
US 8.8.8.8:53 bot.whatismyipaddress.com udp
US 8.8.8.8:53 bot.whatismyipaddress.com udp
US 8.8.8.8:53 bot.whatismyipaddress.com udp
US 8.8.8.8:53 bot.whatismyipaddress.com udp
US 8.8.8.8:53 bot.whatismyipaddress.com udp
US 8.8.8.8:53 bot.whatismyipaddress.com udp
US 8.8.8.8:53 bot.whatismyipaddress.com udp
US 8.8.8.8:53 bot.whatismyipaddress.com udp
US 8.8.8.8:53 bot.whatismyipaddress.com udp
US 8.8.8.8:53 bot.whatismyipaddress.com udp
US 8.8.8.8:53 bot.whatismyipaddress.com udp
US 8.8.8.8:53 bot.whatismyipaddress.com udp
US 8.8.8.8:53 bot.whatismyipaddress.com udp

Files

memory/2884-130-0x0000000000F90000-0x000000000105E000-memory.dmp

memory/2884-131-0x00000000059A0000-0x00000000059A3000-memory.dmp

memory/1460-132-0x0000000000400000-0x0000000000490000-memory.dmp

memory/1460-133-0x0000000005820000-0x0000000005821000-memory.dmp

memory/1460-134-0x000000000ADB0000-0x000000000AE4C000-memory.dmp

memory/2904-135-0x0000000002CB0000-0x0000000002D91000-memory.dmp

memory/3036-136-0x00000000058E0000-0x00000000058E1000-memory.dmp

memory/1460-137-0x000000000AE50000-0x000000000AEB6000-memory.dmp

memory/384-138-0x0000000005730000-0x0000000005731000-memory.dmp

memory/1124-139-0x0000000004C10000-0x0000000004C40000-memory.dmp

memory/3340-140-0x0000000002A80000-0x0000000002AE0000-memory.dmp

memory/1460-141-0x000000000BA60000-0x000000000C004000-memory.dmp

memory/1460-142-0x000000000B4B0000-0x000000000B542000-memory.dmp

memory/2520-143-0x0000000001320000-0x0000000001350000-memory.dmp

memory/1020-144-0x00000000051C0000-0x00000000051C1000-memory.dmp

memory/3268-145-0x0000000004DA0000-0x0000000004DA1000-memory.dmp

memory/2640-146-0x0000000000F10000-0x0000000000FC0000-memory.dmp

memory/3620-147-0x0000000005670000-0x00000000056B0000-memory.dmp

memory/376-148-0x0000000002910000-0x0000000002950000-memory.dmp

memory/2188-149-0x0000000004EC0000-0x0000000004EC1000-memory.dmp

memory/4092-150-0x0000000005350000-0x0000000005351000-memory.dmp

memory/1900-151-0x0000000005460000-0x0000000005461000-memory.dmp

memory/3036-152-0x0000000006400000-0x000000000640A000-memory.dmp

memory/1512-153-0x0000000001780000-0x0000000001841000-memory.dmp

memory/3740-154-0x00000000054A0000-0x00000000054A1000-memory.dmp

memory/376-155-0x0000000005000000-0x0000000005001000-memory.dmp

memory/2980-156-0x0000000005340000-0x0000000005341000-memory.dmp

memory/1920-157-0x00000000054D0000-0x00000000054D1000-memory.dmp

memory/3416-158-0x00000000023B0000-0x00000000023F0000-memory.dmp

memory/216-159-0x0000000005470000-0x00000000054F0000-memory.dmp

memory/4260-160-0x0000000005660000-0x0000000005661000-memory.dmp

memory/4388-161-0x0000000002210000-0x0000000002241000-memory.dmp

memory/4464-162-0x00000000054E0000-0x00000000054E1000-memory.dmp

memory/4676-163-0x0000000000E10000-0x0000000000E11000-memory.dmp

memory/4808-164-0x00000000029B0000-0x00000000029F0000-memory.dmp

memory/4900-165-0x0000000002920000-0x0000000002A00000-memory.dmp

memory/5036-166-0x0000000005230000-0x0000000005260000-memory.dmp

memory/2000-167-0x0000000002E40000-0x0000000002E41000-memory.dmp

memory/3924-168-0x00000000028B0000-0x0000000002960000-memory.dmp

memory/3468-169-0x00000000052C0000-0x00000000052C1000-memory.dmp

memory/3624-170-0x0000000005720000-0x00000000057C0000-memory.dmp

memory/4504-171-0x0000000005160000-0x0000000005161000-memory.dmp

memory/4616-172-0x0000000003110000-0x0000000003140000-memory.dmp

memory/4772-173-0x0000000004F40000-0x0000000004F41000-memory.dmp

memory/5040-174-0x0000000005700000-0x0000000005701000-memory.dmp

memory/4180-175-0x0000000005110000-0x0000000005111000-memory.dmp

memory/4896-176-0x0000000005540000-0x0000000005541000-memory.dmp

memory/632-177-0x0000000000EF0000-0x0000000000F20000-memory.dmp

memory/5024-178-0x0000000005480000-0x0000000005481000-memory.dmp

memory/5052-179-0x0000000002D10000-0x0000000002DC1000-memory.dmp

memory/4328-180-0x0000000005380000-0x0000000005381000-memory.dmp

memory/4532-181-0x00000000057C0000-0x00000000057C1000-memory.dmp

memory/5236-182-0x00000000053F0000-0x00000000053F1000-memory.dmp

memory/5452-183-0x0000000005140000-0x0000000005170000-memory.dmp

memory/5656-185-0x0000000005220000-0x0000000005221000-memory.dmp

memory/5612-184-0x00000000026A0000-0x00000000026D1000-memory.dmp

memory/5808-186-0x0000000002C70000-0x0000000002D20000-memory.dmp

memory/5864-187-0x00000000052D0000-0x00000000052D1000-memory.dmp

memory/6028-188-0x00000000027C0000-0x00000000027F0000-memory.dmp

memory/6076-189-0x00000000052D0000-0x0000000005390000-memory.dmp

memory/5152-190-0x00000000050D0000-0x00000000050D1000-memory.dmp

memory/2740-191-0x00000000055B0000-0x00000000055B1000-memory.dmp

memory/5836-192-0x00000000052A0000-0x0000000005370000-memory.dmp

memory/6072-193-0x0000000002380000-0x00000000023B1000-memory.dmp