hawkeye_reborn | 56243bb09bc9c59ec8aaa5cfa6af5742606fdd80513160f7ef48902973e74812

Analysis

max time kernel
137s
max time network
125s
platform
windows7_x64
resource
win7-en-20211208
submitted
05-02-2022 15:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

BALANCE PAYMENT OF INV #005788903736282 20200418.exe
Size

798KB
MD5

f3e15133475c60bee93e6070cd10e225
SHA1

a032ad2d8e73a9518a7b3ed576463651439e42a9
SHA256

4baf908e1965d8126d27be6eda11a4153c94ac0350e4d4856af65c60af4dfdcd
SHA512

15d1ecf626338579b3df6ca33dc1db60f43f7d133a9ed2a5f3668ee00b7ee2a98857567bb6b6c95a9ac65d83c7e99afb052a0c5a180c36154a1d95e7e70a20b5

Score

10^/10

hawkeye_reborn m00nd3v_logger collection keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

hawkeye_reborn

Version

10.1.2.2

Credentials

Protocol: smtp
Host:
mail.bigmanstan.com
Port:
587
Username:
[email protected]
Password:
khalifa@2020

Mutex

c4ceaee6-98e6-414f-92f0-272fe7bd057c

Attributes

fields
map[_AntiDebugger:false _AntiVirusKiller:false _BotKiller:false _ClipboardLogger:true _Delivery:0 _DisableCommandPrompt:false _DisableRegEdit:false _DisableTaskManager:false _Disablers:false _EmailPassword:khalifa@2020 _EmailPort:587 _EmailSSL:false _EmailServer:mail.bigmanstan.com _EmailUsername:[email protected] _ExecutionDelay:10 _FTPPort:0 _FTPSFTP:false _FakeMessageIcon:0 _FakeMessageShow:false _FileBinder:false _HideFile:false _HistoryCleaner:false _Install:false _InstallLocation:0 _InstallStartup:false _InstallStartupPersistance:false _KeyStrokeLogger:false _LogInterval:10 _MeltFile:false _Mutex:c4ceaee6-98e6-414f-92f0-272fe7bd057c _PasswordStealer:true _ProcessElevation:false _ProcessProtection:false _ScreenshotLogger:false _SystemInfo:false _Version:10.1.2.2 _WebCamLogger:false _WebsiteBlocker:false _WebsiteVisitor:false _WebsiteVisitorVisible:false _ZoneID:false]
name
HawkEye Keylogger - RebornX, Version=10.1.2.2, Culture=neutral, PublicKeyToken=null

Signatures

HawkEye Reborn
HawkEye Reborn is an enhanced version of the HawkEye malware kit.
keylogger trojan stealer spyware hawkeye_reborn
M00nd3v_Logger
M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
stealer spyware m00nd3v_logger

M00nD3v Logger Payload 4 IoCs

Detects M00nD3v Logger payload in memory.

Processes:

resource	yara_rule
behavioral1/memory/1396-59-0x0000000000400000-0x0000000000490000-memory.dmp	m00nd3v_logger
behavioral1/memory/784-65-0x0000000000690000-0x0000000000899000-memory.dmp	m00nd3v_logger
behavioral1/memory/2496-102-0x00000000022A0000-0x0000000002510000-memory.dmp	m00nd3v_logger
behavioral1/memory/2084-134-0x0000000002550000-0x00000000046B0000-memory.dmp	m00nd3v_logger

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 64 IoCs

collection

Email Collection

T1114

Processes:

RegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

BALANCE PAYMENT OF INV #005788903736282 20200418.exeBALANCE PAYMENT OF INV #005788903736282 20200418.exeBALANCE PAYMENT OF INV #005788903736282 20200418.exeBALANCE PAYMENT OF INV #005788903736282 20200418.exeBALANCE PAYMENT OF INV #005788903736282 20200418.exeBALANCE PAYMENT OF INV #005788903736282 20200418.exeBALANCE PAYMENT OF INV #005788903736282 20200418.exeBALANCE PAYMENT OF INV #005788903736282 20200418.exeBALANCE PAYMENT OF INV #005788903736282 20200418.exeBALANCE PAYMENT OF INV #005788903736282 20200418.exeBALANCE PAYMENT OF INV #005788903736282 20200418.exeBALANCE PAYMENT OF INV #005788903736282 20200418.exeBALANCE PAYMENT OF INV #005788903736282 20200418.exeBALANCE PAYMENT OF INV #005788903736282 20200418.exeBALANCE PAYMENT OF INV #005788903736282 20200418.exeBALANCE PAYMENT OF INV #005788903736282 20200418.exeBALANCE PAYMENT OF INV #005788903736282 20200418.exeBALANCE PAYMENT OF INV #005788903736282 20200418.exeBALANCE PAYMENT OF INV #005788903736282 20200418.exeBALANCE PAYMENT OF INV #005788903736282 20200418.exeBALANCE PAYMENT OF INV #005788903736282 20200418.exeBALANCE PAYMENT OF INV #005788903736282 20200418.exeBALANCE PAYMENT OF INV #005788903736282 20200418.exeBALANCE PAYMENT OF INV #005788903736282 20200418.exeBALANCE PAYMENT OF INV #005788903736282 20200418.exeBALANCE PAYMENT OF INV #005788903736282 20200418.exeBALANCE PAYMENT OF INV #005788903736282 20200418.exeBALANCE PAYMENT OF INV #005788903736282 20200418.exeBALANCE PAYMENT OF INV #005788903736282 20200418.exeBALANCE PAYMENT OF INV #005788903736282 20200418.exeBALANCE PAYMENT OF INV #005788903736282 20200418.exeBALANCE PAYMENT OF INV #005788903736282 20200418.exeBALANCE PAYMENT OF INV #005788903736282 20200418.exeBALANCE PAYMENT OF INV #005788903736282 20200418.exeBALANCE PAYMENT OF INV #005788903736282 20200418.exeBALANCE PAYMENT OF INV #005788903736282 20200418.exeBALANCE PAYMENT OF INV #005788903736282 20200418.exeBALANCE PAYMENT OF INV #005788903736282 20200418.exeBALANCE PAYMENT OF INV #005788903736282 20200418.exeBALANCE PAYMENT OF INV #005788903736282 20200418.exeBALANCE PAYMENT OF INV #005788903736282 20200418.exeBALANCE PAYMENT OF INV #005788903736282 20200418.exeBALANCE PAYMENT OF INV #005788903736282 20200418.exeBALANCE PAYMENT OF INV #005788903736282 20200418.exeBALANCE PAYMENT OF INV #005788903736282 20200418.exeBALANCE PAYMENT OF INV #005788903736282 20200418.exeBALANCE PAYMENT OF INV #005788903736282 20200418.exeBALANCE PAYMENT OF INV #005788903736282 20200418.exeBALANCE PAYMENT OF INV #005788903736282 20200418.exeBALANCE PAYMENT OF INV #005788903736282 20200418.exeBALANCE PAYMENT OF INV #005788903736282 20200418.exeBALANCE PAYMENT OF INV #005788903736282 20200418.exeBALANCE PAYMENT OF INV #005788903736282 20200418.exeBALANCE PAYMENT OF INV #005788903736282 20200418.exeBALANCE PAYMENT OF INV #005788903736282 20200418.exeBALANCE PAYMENT OF INV #005788903736282 20200418.exeBALANCE PAYMENT OF INV #005788903736282 20200418.exeBALANCE PAYMENT OF INV #005788903736282 20200418.exeBALANCE PAYMENT OF INV #005788903736282 20200418.exeBALANCE PAYMENT OF INV #005788903736282 20200418.exeBALANCE PAYMENT OF INV #005788903736282 20200418.exeBALANCE PAYMENT OF INV #005788903736282 20200418.exeBALANCE PAYMENT OF INV #005788903736282 20200418.exeBALANCE PAYMENT OF INV #005788903736282 20200418.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\None = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\None"	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\None = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\None"	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\None = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\None"	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\None = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\None"	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\None = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\None"	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\None = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\None"	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\None = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\None"	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\None = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\None"	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\None = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\None"	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\None = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\None"	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\None = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\None"	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\None = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\None"	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\None = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\None"	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\None = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\None"	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\None = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\None"	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\None = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\None"	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\None = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\None"	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\None = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\None"	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\None = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\None"	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\None = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\None"	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\None = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\None"	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\None = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\None"	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\None = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\None"	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\None = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\None"	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\None = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\None"	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\None = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\None"	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\None = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\None"	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\None = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\None"	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\None = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\None"	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\None = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\None"	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\None = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\None"	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\None = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\None"	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\None = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\None"	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\None = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\None"	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\None = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\None"	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\None = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\None"	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\None = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\None"	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\None = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\None"	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\None = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\None"	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\None = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\None"	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\None = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\None"	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\None = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\None"	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\None = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\None"	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\None = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\None"	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\None = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\None"	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\None = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\None"	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\None = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\None"	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\None = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\None"	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\None = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\None"	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\None = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\None"	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\None = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\None"	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\None = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\None"	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\None = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\None"	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\None = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\None"	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\None = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\None"	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\None = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\None"	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\None = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\None"	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\None = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\None"	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\None = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\None"	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\None = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\None"	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\None = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\None"	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\None = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\None"	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\None = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\None"	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\None = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\None"	BALANCE PAYMENT OF INV #005788903736282 20200418.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

7 bot.whatismyipaddress.com

flow	ioc
7	bot.whatismyipaddress.com

Suspicious use of SetThreadContext 64 IoCs

Processes:

description	pid	process	target process
PID 1268 set thread context of 1396	1268	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	RegAsm.exe
PID 1156 set thread context of 784	1156	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	RegAsm.exe
PID 1716 set thread context of 436	1716	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	RegAsm.exe
PID 1404 set thread context of 1672	1404	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	RegAsm.exe
PID 1744 set thread context of 1676	1744	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	RegAsm.exe
PID 332 set thread context of 1940	332	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	RegAsm.exe
PID 1364 set thread context of 1884	1364	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	RegAsm.exe
PID 1380 set thread context of 1604	1380	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	RegAsm.exe
PID 1496 set thread context of 1648	1496	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	RegAsm.exe
PID 1052 set thread context of 2084	1052	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	RegAsm.exe
PID 2180 set thread context of 2276	2180	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	RegAsm.exe
PID 2408 set thread context of 2496	2408	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	RegAsm.exe
PID 2596 set thread context of 2692	2596	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	RegAsm.exe
PID 2808 set thread context of 2916	2808	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	RegAsm.exe
PID 3020 set thread context of 1184	3020	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	RegAsm.exe
PID 2076 set thread context of 2144	2076	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	RegAsm.exe
PID 2300 set thread context of 2796	2300	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	RegAsm.exe
PID 2524 set thread context of 2616	2524	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	RegAsm.exe
PID 1740 set thread context of 2956	1740	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	RegAsm.exe
PID 1536 set thread context of 2632	1536	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	RegAsm.exe
PID 2296 set thread context of 2064	2296	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	RegAsm.exe
PID 2608 set thread context of 2068	2608	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	RegAsm.exe
PID 3136 set thread context of 3204	3136	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	RegAsm.exe
PID 3320 set thread context of 3444	3320	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	RegAsm.exe
PID 3552 set thread context of 3620	3552	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	RegAsm.exe
PID 3728 set thread context of 3796	3728	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	RegAsm.exe
PID 3920 set thread context of 4028	3920	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	RegAsm.exe
PID 2196 set thread context of 2940	2196	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	RegAsm.exe
PID 3460 set thread context of 3236	3460	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	RegAsm.exe
PID 3608 set thread context of 3912	3608	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	RegAsm.exe
PID 2232 set thread context of 4020	2232	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	RegAsm.exe
PID 1096 set thread context of 2624	1096	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	RegAsm.exe
PID 3096 set thread context of 3324	3096	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	RegAsm.exe
PID 3828 set thread context of 4176	3828	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	RegAsm.exe
PID 4284 set thread context of 4448	4284	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	RegAsm.exe
PID 4564 set thread context of 4672	4564	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	RegAsm.exe
PID 4760 set thread context of 4888	4760	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	RegAsm.exe
PID 5028 set thread context of 3164	5028	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	RegAsm.exe
PID 2292 set thread context of 4684	2292	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	RegAsm.exe
PID 4200 set thread context of 4928	4200	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	RegAsm.exe
PID 2412 set thread context of 4568	2412	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	RegAsm.exe
PID 3832 set thread context of 4772	3832	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	RegAsm.exe
PID 3416 set thread context of 4184	3416	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	RegAsm.exe
PID 540 set thread context of 4196	540	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	RegAsm.exe
PID 4000 set thread context of 3404	4000	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	RegAsm.exe
PID 5084 set thread context of 5088	5084	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	RegAsm.exe
PID 5148 set thread context of 5240	5148	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	RegAsm.exe
PID 5336 set thread context of 5432	5336	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	RegAsm.exe
PID 5524 set thread context of 5604	5524	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	RegAsm.exe
PID 5700 set thread context of 5804	5700	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	RegAsm.exe
PID 5904 set thread context of 5976	5904	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	RegAsm.exe
PID 6060 set thread context of 4508	6060	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	RegAsm.exe
PID 5180 set thread context of 5332	5180	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	RegAsm.exe
PID 4964 set thread context of 5312	4964	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	RegAsm.exe
PID 5520 set thread context of 5628	5520	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	RegAsm.exe
PID 6140 set thread context of 5140	6140	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	RegAsm.exe
PID 4016 set thread context of 3928	4016	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	RegAsm.exe
PID 5280 set thread context of 5096	5280	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	RegAsm.exe
PID 3680 set thread context of 4516	3680	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	RegAsm.exe
PID 4124 set thread context of 6016	4124	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	RegAsm.exe
PID 6004 set thread context of 4364	6004	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	RegAsm.exe
PID 5492 set thread context of 4500	5492	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	RegAsm.exe
PID 5780 set thread context of 5788	5780	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	RegAsm.exe
PID 6196 set thread context of 6316	6196	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	RegAsm.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 90fba1d8a51ad801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{FD4FB0E1-8698-11EC-94AC-F6A981946521} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "350840196"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000029a8fa03d77d0143b95f148165a5bc9200000000020000000000106600000001000020000000536d59c85588a597d59ee47d53b85699be968d3c28678467e1ae5d5f2e26a22a000000000e80000000020000200000002977c27a921525f2137c902b933a1943fcb859ed30daf9ce8e5132b80efed6159000000061e4f8884e1bbe72421daeb91ba27b713a75a8f8ce8235fe922cb9a0d5b37ad676d6a46bc2e5b6eabd05ea54d2947b7bd13164e9b3334af670216eb3b29699d4fce9829356ca2af80bf913a529e66f657e5bbbcf0ea4001cd061915a323f670bf7d8a59bdd42083590da923ea72b307c96bdbe0f368a253b2c2ff7eb591467dd9c50047f55e724dddeb593e133f26d81400000002305468282f8df5aa8185594a2c9eb3d15b69a2d1b28f151a47bf5fcc43f196fd8d3887e46a03a28996bcbc3861001b3d61a318bdfb1c3abef408dacb5957cdf	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000029a8fa03d77d0143b95f148165a5bc92000000000200000000001066000000010000200000001dda2b1a36e6553de68da8b7577ce8c8f44bf2bfc0a57304d5d3ec169a6ceefe000000000e80000000020000200000001cb868a4b903e75952a4237e995536f6bf27297f452fb81203c4bb196dd1fa4720000000e0059f02566041f8153abc4a6783d4550d3bfbd11199863267f75654c36989324000000005418280a18536533345bed7157dd6f8cc556bef7020fc2a499c4e25703ce8f18233669272ba16e5016e96276346c015bc40e1a5420642ad40e3571eb9049ff1	iexplore.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

BALANCE PAYMENT OF INV #005788903736282 20200418.exe

pid	process
1268	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
1268	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
1268	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
1268	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
1268	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
1268	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
1268	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
1268	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
1268	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
1268	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
1268	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
1268	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
1268	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
1268	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
1268	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
1268	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
1268	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
1268	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
1268	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
1268	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
1268	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
1268	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
1268	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
1268	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
1268	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
1268	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
1268	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
1268	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
1268	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
1268	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
1268	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
1268	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
1268	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
1268	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
1268	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
1268	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
1268	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
1268	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
1268	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
1268	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
1268	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
1268	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
1268	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
1268	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
1268	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
1268	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
1268	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
1268	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
1268	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
1268	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
1268	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
1268	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
1268	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
1268	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
1268	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
1268	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
1268	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
1268	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
1268	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
1268	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
1268	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
1268	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
1268	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
1268	BALANCE PAYMENT OF INV #005788903736282 20200418.exe

Suspicious behavior: MapViewOfSection 64 IoCs

Processes:

pid	process
1268	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
1156	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
1156	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
1156	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
1716	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
1716	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
1716	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
1716	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
1404	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
1744	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
1744	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
1744	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
1744	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
1744	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
332	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
332	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
1364	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
1364	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
1380	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
1380	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
1496	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
1052	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
1052	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
1052	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
1052	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
2180	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
2408	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
2408	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
2596	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
2808	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
3020	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
2076	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
2076	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
2076	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
2076	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
2300	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
2524	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
1740	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
1740	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
1536	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
1536	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
2296	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
2608	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
3136	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
3136	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
3320	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
3320	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
3320	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
3320	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
3552	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
3552	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
3552	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
3728	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
3920	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
3920	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
3920	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
3920	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
2196	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
2196	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
3460	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
3460	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
3608	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
2232	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
1096	BALANCE PAYMENT OF INV #005788903736282 20200418.exe

Suspicious behavior: SetClipboardViewer 64 IoCs

Processes:

pid	process
784	RegAsm.exe
436	RegAsm.exe
1672	RegAsm.exe
1676	RegAsm.exe
1940	RegAsm.exe
1884	RegAsm.exe
1604	RegAsm.exe
1648	RegAsm.exe
2084	RegAsm.exe
2276	RegAsm.exe
2496	RegAsm.exe
2692	RegAsm.exe
2916	RegAsm.exe
1184	RegAsm.exe
2144	RegAsm.exe
2796	RegAsm.exe
2616	RegAsm.exe
2956	RegAsm.exe
2632	RegAsm.exe
2064	RegAsm.exe
2068	RegAsm.exe
3204	RegAsm.exe
3444	RegAsm.exe
3620	RegAsm.exe
3796	RegAsm.exe
4028	RegAsm.exe
2940	RegAsm.exe
3236	RegAsm.exe
3912	RegAsm.exe
2624	RegAsm.exe
4020	RegAsm.exe
3324	RegAsm.exe
4176	RegAsm.exe
4448	RegAsm.exe
4672	RegAsm.exe
4888	RegAsm.exe
3164	RegAsm.exe
4684	RegAsm.exe
4928	RegAsm.exe
4568	RegAsm.exe
4772	RegAsm.exe
4184	RegAsm.exe
4196	RegAsm.exe
3404	RegAsm.exe
5088	RegAsm.exe
5240	RegAsm.exe
5432	RegAsm.exe
5604	RegAsm.exe
5804	RegAsm.exe
5976	RegAsm.exe
4508	RegAsm.exe
5332	RegAsm.exe
5312	RegAsm.exe
5628	RegAsm.exe
5140	RegAsm.exe
3928	RegAsm.exe
5096	RegAsm.exe
4516	RegAsm.exe
6016	RegAsm.exe
4364	RegAsm.exe
4500	RegAsm.exe
5788	RegAsm.exe
6316	RegAsm.exe
6492	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

description	pid	process
Token: SeDebugPrivilege	1268	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
Token: SeDebugPrivilege	1156	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
Token: SeDebugPrivilege	1716	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
Token: SeDebugPrivilege	1404	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
Token: SeDebugPrivilege	1744	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
Token: SeDebugPrivilege	332	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
Token: SeDebugPrivilege	1364	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
Token: SeDebugPrivilege	1380	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
Token: SeDebugPrivilege	1496	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
Token: SeDebugPrivilege	1396	RegAsm.exe
Token: SeDebugPrivilege	784	RegAsm.exe
Token: SeDebugPrivilege	1052	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
Token: SeDebugPrivilege	436	RegAsm.exe
Token: SeDebugPrivilege	2180	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
Token: SeDebugPrivilege	1672	RegAsm.exe
Token: SeDebugPrivilege	2408	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
Token: SeDebugPrivilege	1676	RegAsm.exe
Token: SeDebugPrivilege	2596	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
Token: SeDebugPrivilege	1940	RegAsm.exe
Token: SeDebugPrivilege	2808	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
Token: SeDebugPrivilege	1884	RegAsm.exe
Token: SeDebugPrivilege	3020	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
Token: SeDebugPrivilege	1604	RegAsm.exe
Token: SeDebugPrivilege	1648	RegAsm.exe
Token: SeDebugPrivilege	2076	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
Token: SeDebugPrivilege	2084	RegAsm.exe
Token: SeDebugPrivilege	2300	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
Token: SeDebugPrivilege	2524	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
Token: SeDebugPrivilege	2276	RegAsm.exe
Token: SeDebugPrivilege	1740	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
Token: SeDebugPrivilege	2496	RegAsm.exe
Token: SeDebugPrivilege	1536	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
Token: SeDebugPrivilege	2692	RegAsm.exe
Token: SeDebugPrivilege	2296	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
Token: SeDebugPrivilege	2916	RegAsm.exe
Token: SeDebugPrivilege	2608	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
Token: SeDebugPrivilege	1184	RegAsm.exe
Token: SeDebugPrivilege	3136	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
Token: SeDebugPrivilege	2144	RegAsm.exe
Token: SeDebugPrivilege	3320	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
Token: SeDebugPrivilege	2796	RegAsm.exe
Token: SeDebugPrivilege	3552	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
Token: SeDebugPrivilege	2616	RegAsm.exe
Token: SeDebugPrivilege	3728	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
Token: SeDebugPrivilege	2956	RegAsm.exe
Token: SeDebugPrivilege	3920	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
Token: SeDebugPrivilege	2632	RegAsm.exe
Token: SeDebugPrivilege	2196	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
Token: SeDebugPrivilege	2064	RegAsm.exe
Token: SeDebugPrivilege	2068	RegAsm.exe
Token: SeDebugPrivilege	3460	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
Token: SeDebugPrivilege	3204	RegAsm.exe
Token: SeDebugPrivilege	3608	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
Token: SeDebugPrivilege	3444	RegAsm.exe
Token: SeDebugPrivilege	2232	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
Token: SeDebugPrivilege	3620	RegAsm.exe
Token: SeDebugPrivilege	1096	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
Token: SeDebugPrivilege	3796	RegAsm.exe
Token: SeDebugPrivilege	4028	RegAsm.exe
Token: SeDebugPrivilege	2940	RegAsm.exe
Token: SeDebugPrivilege	3236	RegAsm.exe
Token: SeDebugPrivilege	3096	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
Token: SeDebugPrivilege	3912	RegAsm.exe
Token: SeDebugPrivilege	3828	BALANCE PAYMENT OF INV #005788903736282 20200418.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

3604 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

3604 iexplore.exe
3604 iexplore.exe
2908 IEXPLORE.EXE
2908 IEXPLORE.EXE
2908 IEXPLORE.EXE
2908 IEXPLORE.EXE

pid	process
3604	iexplore.exe

pid	process
3604	iexplore.exe
3604	iexplore.exe
2908	IEXPLORE.EXE
2908	IEXPLORE.EXE
2908	IEXPLORE.EXE
2908	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

BALANCE PAYMENT OF INV #005788903736282 20200418.execmd.exeBALANCE PAYMENT OF INV #005788903736282 20200418.execmd.exeBALANCE PAYMENT OF INV #005788903736282 20200418.exe

description	pid	process	target process
PID 1268 wrote to memory of 1396	1268	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	RegAsm.exe
PID 1268 wrote to memory of 1396	1268	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	RegAsm.exe
PID 1268 wrote to memory of 1396	1268	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	RegAsm.exe
PID 1268 wrote to memory of 1396	1268	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	RegAsm.exe
PID 1268 wrote to memory of 1396	1268	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	RegAsm.exe
PID 1268 wrote to memory of 1396	1268	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	RegAsm.exe
PID 1268 wrote to memory of 1396	1268	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	RegAsm.exe
PID 1268 wrote to memory of 1396	1268	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	RegAsm.exe
PID 1268 wrote to memory of 1548	1268	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	cmd.exe
PID 1268 wrote to memory of 1548	1268	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	cmd.exe
PID 1268 wrote to memory of 1548	1268	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	cmd.exe
PID 1268 wrote to memory of 1548	1268	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	cmd.exe
PID 1548 wrote to memory of 1528	1548	cmd.exe	choice.exe
PID 1548 wrote to memory of 1528	1548	cmd.exe	choice.exe
PID 1548 wrote to memory of 1528	1548	cmd.exe	choice.exe
PID 1548 wrote to memory of 1528	1548	cmd.exe	choice.exe
PID 1268 wrote to memory of 1156	1268	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
PID 1268 wrote to memory of 1156	1268	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
PID 1268 wrote to memory of 1156	1268	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
PID 1268 wrote to memory of 1156	1268	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
PID 1156 wrote to memory of 708	1156	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	RegAsm.exe
PID 1156 wrote to memory of 708	1156	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	RegAsm.exe
PID 1156 wrote to memory of 708	1156	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	RegAsm.exe
PID 1156 wrote to memory of 708	1156	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	RegAsm.exe
PID 1156 wrote to memory of 708	1156	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	RegAsm.exe
PID 1156 wrote to memory of 708	1156	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	RegAsm.exe
PID 1156 wrote to memory of 708	1156	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	RegAsm.exe
PID 1156 wrote to memory of 744	1156	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	RegAsm.exe
PID 1156 wrote to memory of 744	1156	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	RegAsm.exe
PID 1156 wrote to memory of 744	1156	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	RegAsm.exe
PID 1156 wrote to memory of 744	1156	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	RegAsm.exe
PID 1156 wrote to memory of 744	1156	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	RegAsm.exe
PID 1156 wrote to memory of 744	1156	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	RegAsm.exe
PID 1156 wrote to memory of 744	1156	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	RegAsm.exe
PID 1156 wrote to memory of 784	1156	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	RegAsm.exe
PID 1156 wrote to memory of 784	1156	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	RegAsm.exe
PID 1156 wrote to memory of 784	1156	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	RegAsm.exe
PID 1156 wrote to memory of 784	1156	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	RegAsm.exe
PID 1156 wrote to memory of 784	1156	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	RegAsm.exe
PID 1156 wrote to memory of 784	1156	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	RegAsm.exe
PID 1156 wrote to memory of 784	1156	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	RegAsm.exe
PID 1156 wrote to memory of 784	1156	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	RegAsm.exe
PID 1156 wrote to memory of 1036	1156	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	cmd.exe
PID 1156 wrote to memory of 1036	1156	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	cmd.exe
PID 1156 wrote to memory of 1036	1156	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	cmd.exe
PID 1156 wrote to memory of 1036	1156	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	cmd.exe
PID 1036 wrote to memory of 1136	1036	cmd.exe	choice.exe
PID 1036 wrote to memory of 1136	1036	cmd.exe	choice.exe
PID 1036 wrote to memory of 1136	1036	cmd.exe	choice.exe
PID 1036 wrote to memory of 1136	1036	cmd.exe	choice.exe
PID 1156 wrote to memory of 1716	1156	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
PID 1156 wrote to memory of 1716	1156	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
PID 1156 wrote to memory of 1716	1156	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
PID 1156 wrote to memory of 1716	1156	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	BALANCE PAYMENT OF INV #005788903736282 20200418.exe
PID 1716 wrote to memory of 1552	1716	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	RegAsm.exe
PID 1716 wrote to memory of 1552	1716	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	RegAsm.exe
PID 1716 wrote to memory of 1552	1716	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	RegAsm.exe
PID 1716 wrote to memory of 1552	1716	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	RegAsm.exe
PID 1716 wrote to memory of 1552	1716	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	RegAsm.exe
PID 1716 wrote to memory of 1552	1716	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	RegAsm.exe
PID 1716 wrote to memory of 1552	1716	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	RegAsm.exe
PID 1716 wrote to memory of 1052	1716	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	RegAsm.exe
PID 1716 wrote to memory of 1052	1716	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	RegAsm.exe
PID 1716 wrote to memory of 1052	1716	BALANCE PAYMENT OF INV #005788903736282 20200418.exe	RegAsm.exe

outlook_office_path 1 IoCs

Processes:

RegAsm.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe

outlook_win_path 1 IoCs

Processes:

RegAsm.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe
"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1268

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
PID:1396

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1548

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
3⤵
PID:1528

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe
"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
2⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1156

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:708

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:744

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
PID:784

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:1036

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:1136

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe
"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
3⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1716

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
PID:1552

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
PID:1052

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
PID:776

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
PID:436

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
4⤵
PID:1116

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
5⤵
PID:1224

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe
"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
4⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1404

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
5⤵
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
PID:1672

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
5⤵
PID:1040

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
6⤵
PID:1796

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe
"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
5⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1744

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
6⤵
PID:1604

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
6⤵
PID:1732

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
6⤵
PID:628

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
6⤵
PID:2044

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
6⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
PID:1676

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
6⤵
PID:804

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
7⤵
PID:876

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe
"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
6⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:332

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
7⤵
PID:1636

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
7⤵
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
PID:1940

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
7⤵
PID:972

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
8⤵
PID:1052

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe
"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
7⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1364

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
8⤵
PID:704

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
8⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
PID:1884

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
8⤵
PID:1644

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
9⤵
PID:1096

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe
"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
8⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1380

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
9⤵
PID:480

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
9⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
PID:1604

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
9⤵
PID:1536

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
10⤵
PID:1100

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe
"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
9⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1496

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
10⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
PID:1648

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
10⤵
PID:540

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
11⤵
PID:1964

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe
"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
10⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1052

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
11⤵
PID:2060

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
11⤵
PID:2068

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
11⤵
PID:2076

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
11⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
PID:2084

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
11⤵
PID:2120

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
12⤵
PID:2148

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe
"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
11⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2180

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
12⤵
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
PID:2276

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
12⤵
PID:2296

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
13⤵
PID:2352

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe
"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
12⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2408

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
13⤵
PID:2488

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
13⤵
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
PID:2496

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
13⤵
PID:2524

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
14⤵
PID:2584

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe
"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
13⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2596

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
14⤵
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
PID:2692

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
14⤵
PID:2712

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
15⤵
PID:2776

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe
"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
14⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2808

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
15⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
PID:2916

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
15⤵
PID:2940

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
16⤵
PID:3000

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe
"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
15⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3020

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
16⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
PID:1184

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
16⤵
PID:2044

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
17⤵
PID:2072

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe
"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
16⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2076

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
17⤵
PID:2440

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
17⤵
PID:1924

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
17⤵
PID:2116

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
17⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
PID:2144

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
17⤵
PID:2148

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe
"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
17⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2300

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
18⤵
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
PID:2796

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
18⤵
PID:2700

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
19⤵
PID:3012

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe
"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
18⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2524

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
19⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
PID:2616

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
19⤵
PID:2780

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
20⤵
PID:1216

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe
"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
19⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1740

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
20⤵
PID:2940

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
20⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
PID:2956

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
20⤵
PID:2124

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
21⤵
PID:2636

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe
"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
20⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1536

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
21⤵
PID:1636

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
21⤵
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
PID:2632

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
21⤵
PID:2116

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
22⤵
PID:2724

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe
"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
21⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2296

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
22⤵
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
PID:2064

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
22⤵
PID:2284

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
23⤵
PID:2412

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe
"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
22⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2608

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
23⤵
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
PID:2068

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
23⤵
PID:3080

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
24⤵
PID:3112

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe
"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
23⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3136

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
24⤵
PID:3196

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
24⤵
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
PID:3204

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
24⤵
PID:3248

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
25⤵
PID:3300

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe
"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
24⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3320

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
25⤵
PID:3420

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
25⤵
PID:3428

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
25⤵
PID:3436

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
25⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
PID:3444

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
25⤵
PID:3468

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
26⤵
PID:3528

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe
"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
25⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3552

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
26⤵
PID:3604

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
26⤵
PID:3612

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
26⤵
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
PID:3620

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
26⤵
PID:3640

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
27⤵
PID:3712

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe
"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
26⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3728

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
27⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
PID:3796

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
27⤵
PID:3840

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
28⤵
PID:3904

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe
"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
27⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3920

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
28⤵
PID:4004

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
28⤵
PID:4012

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
28⤵
PID:4020

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
28⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
PID:4028

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
28⤵
PID:4064

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
29⤵
PID:3124

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe
"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
28⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2196

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
29⤵
PID:2704

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
29⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
PID:2940

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
29⤵
PID:1324

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
30⤵
PID:3476

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe
"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
29⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3460

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
30⤵
PID:3148

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
30⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
PID:3236

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
30⤵
PID:3760

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
31⤵
PID:3612

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe
"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
30⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3608

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
31⤵
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
PID:3912

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
31⤵
PID:3644

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
32⤵
PID:3892

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe
"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
31⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2232

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
32⤵
- Suspicious behavior: SetClipboardViewer
PID:4020

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
32⤵
PID:3752

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
33⤵
PID:3440

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe
"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
32⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1096

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
33⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: SetClipboardViewer
PID:2624

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
33⤵
PID:3508

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
34⤵
PID:3360

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe
"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
33⤵
PID:3036

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=BALANCE PAYMENT OF INV#005788903736282 20200418.exe&platform=0009&osver=5&isServer=0&shimver=4.0.30319.0
34⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:3604

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3604 CREDAT:275457 /prefetch:2
35⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2908

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe
"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
33⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:3096

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
34⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: SetClipboardViewer
PID:3324

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
34⤵
PID:4092

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
35⤵
PID:2904

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe
"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
34⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:3828

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
35⤵
PID:4152

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
35⤵
PID:4160

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
35⤵
PID:4168

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
35⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: SetClipboardViewer
PID:4176

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
35⤵
PID:4196

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
36⤵
PID:4256

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe
"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
35⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:4284

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
36⤵
PID:4424

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
36⤵
PID:4432

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
36⤵
PID:4440

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
36⤵
- Suspicious behavior: SetClipboardViewer
PID:4448

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
36⤵
PID:4468

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
37⤵
PID:4520

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe
"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
36⤵
- Suspicious use of SetThreadContext
PID:4564

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
37⤵
PID:4664

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
37⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: SetClipboardViewer
PID:4672

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
37⤵
PID:4704

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
38⤵
PID:4744

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe
"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
37⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:4760

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
38⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: SetClipboardViewer
PID:4888

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
38⤵
PID:4960

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
39⤵
PID:5020

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe
"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
38⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:5028

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
39⤵
PID:2600

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
39⤵
- Suspicious behavior: SetClipboardViewer
PID:3164

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
39⤵
PID:2708

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
39⤵
PID:4184

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
40⤵
PID:4168

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe
"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
39⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2292

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
40⤵
PID:4648

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
40⤵
PID:4528

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
40⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: SetClipboardViewer
PID:4684

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
40⤵
PID:4432

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
41⤵
PID:4256

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe
"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
40⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:4200

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
41⤵
PID:4896

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
41⤵
- Suspicious behavior: SetClipboardViewer
PID:4928

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
41⤵
PID:4976

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
41⤵
PID:4288

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
42⤵
PID:5016

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe
"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
41⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2412

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
42⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: SetClipboardViewer
PID:4568

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
42⤵
PID:3556

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
43⤵
PID:4572

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe
"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
42⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:3832

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
43⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: SetClipboardViewer
PID:4772

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
43⤵
PID:3036

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
43⤵
PID:2744

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
43⤵
PID:4964

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
44⤵
PID:3412

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe
"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
43⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:3416

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
44⤵
- Suspicious behavior: SetClipboardViewer
PID:4184

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
44⤵
PID:3652

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
45⤵
PID:4192

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe
"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
44⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:540

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
45⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: SetClipboardViewer
PID:4196

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
45⤵
PID:4320

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
46⤵
PID:4944

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe
"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
45⤵
- Suspicious use of SetThreadContext
PID:4000

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
46⤵
PID:4432

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
46⤵
PID:4444

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
46⤵
PID:2444

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
46⤵
PID:1256

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
46⤵
PID:3928

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
46⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: SetClipboardViewer
PID:3404

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
46⤵
PID:708

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
47⤵
PID:3556

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe
"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
46⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:5084

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
47⤵
- Suspicious behavior: SetClipboardViewer
PID:5088

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
47⤵
PID:3196

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
48⤵
PID:5128

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe
"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
47⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:5148

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
48⤵
- Suspicious behavior: SetClipboardViewer
PID:5240

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
48⤵
PID:5284

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
49⤵
PID:5320

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe
"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
48⤵
- Suspicious use of SetThreadContext
PID:5336

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
49⤵
PID:5424

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
49⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: SetClipboardViewer
PID:5432

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
49⤵
PID:5452

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
50⤵
PID:5516

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe
"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
49⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:5524

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
50⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: SetClipboardViewer
PID:5604

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
50⤵
PID:5624

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
51⤵
PID:5672

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe
"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
50⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:5700

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
51⤵
PID:5780

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
51⤵
PID:5788

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
51⤵
PID:5796

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
51⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: SetClipboardViewer
PID:5804

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
51⤵
PID:5832

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
52⤵
PID:5880

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe
"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
51⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:5904

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
52⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: SetClipboardViewer
PID:5976

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
52⤵
PID:5996

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
53⤵
PID:6028

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe
"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
52⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:6060

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
53⤵
- Suspicious behavior: SetClipboardViewer
PID:4508

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
53⤵
PID:2312

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
54⤵
PID:4608

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe
"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
53⤵
- Suspicious use of SetThreadContext
PID:5180

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
54⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: SetClipboardViewer
PID:5332

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
54⤵
PID:3380

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
55⤵
PID:4212

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe
"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
54⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:4964

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
55⤵
PID:5276

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
55⤵
PID:5324

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
55⤵
- Suspicious behavior: SetClipboardViewer
PID:5312

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
55⤵
PID:5696

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
56⤵
PID:5816

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe
"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
55⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:5520

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
56⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: SetClipboardViewer
PID:5628

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
56⤵
PID:5988

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
57⤵
PID:5660

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe
"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
56⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:6140

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
57⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: SetClipboardViewer
PID:5140

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
57⤵
PID:2792

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
58⤵
PID:6004

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe
"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
57⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:4016

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
58⤵
PID:3172

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
58⤵
PID:6064

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
58⤵
PID:6076

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
58⤵
PID:4464

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
58⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: SetClipboardViewer
PID:3928

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
58⤵
PID:5892

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
59⤵
PID:4068

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe
"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
58⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:5280

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
59⤵
- Suspicious behavior: SetClipboardViewer
PID:5096

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
59⤵
PID:5872

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
60⤵
PID:1896

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe
"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
59⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:3680

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
60⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: SetClipboardViewer
PID:4516

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
60⤵
PID:5496

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
61⤵
PID:5132

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe
"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
60⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:4124

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
61⤵
- Suspicious behavior: SetClipboardViewer
PID:6016

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
61⤵
PID:5532

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
62⤵
PID:5632

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe
"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
61⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:6004

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
62⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: SetClipboardViewer
PID:4364

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
62⤵
PID:4904

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
63⤵
PID:5116

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe
"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
62⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:5492

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
63⤵
- Suspicious behavior: SetClipboardViewer
PID:4500

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
63⤵
PID:5796

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
64⤵
PID:5388

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe
"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
63⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:5780

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
64⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: SetClipboardViewer
PID:5788

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
64⤵
PID:4068

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
65⤵
PID:6172

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe
"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
64⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:6196

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
65⤵
PID:6292

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
65⤵
PID:6300

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
65⤵
PID:6308

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
65⤵
- Suspicious behavior: SetClipboardViewer
PID:6316

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
65⤵
PID:6344

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
66⤵
PID:6408

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe
"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
65⤵
- Adds Run key to start application
PID:6416

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
66⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: SetClipboardViewer
PID:6492

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
66⤵
PID:6524

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
67⤵
PID:6560

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe
"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
66⤵
- Adds Run key to start application
PID:6580

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
67⤵
- Accesses Microsoft Outlook profiles
PID:6664

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
67⤵
PID:6684

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
68⤵
PID:6732

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe
"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
67⤵
- Adds Run key to start application
PID:6768

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
68⤵
PID:6852

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
68⤵
PID:6860

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
68⤵
PID:6868

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
68⤵
PID:6888

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
69⤵
PID:6940

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe
"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
68⤵
PID:6976

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
69⤵
- Accesses Microsoft Outlook profiles
PID:7060

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
69⤵
PID:7096

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
70⤵
PID:7128

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe
"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
69⤵
- Adds Run key to start application
PID:7152

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
70⤵
PID:6256

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
70⤵
PID:6376

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
71⤵
PID:5048

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe
"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
70⤵
- Adds Run key to start application
PID:6404

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
71⤵
PID:4068

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
71⤵
- Accesses Microsoft Outlook profiles
PID:6148

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
71⤵
PID:5532

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
72⤵
PID:6624

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe
"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
71⤵
- Adds Run key to start application
PID:6572

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
72⤵
PID:6812

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
72⤵
PID:6672

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
72⤵
PID:6848

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
73⤵
PID:6420

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe
"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
72⤵
- Adds Run key to start application
PID:6972

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
73⤵
PID:6700

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
73⤵
PID:7056

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
73⤵
- Accesses Microsoft Outlook profiles
PID:7112

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
73⤵
PID:6852

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
74⤵
PID:6704

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe
"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
73⤵
- Adds Run key to start application
PID:7068

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
74⤵
PID:6920

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
74⤵
PID:6776

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
75⤵
PID:3588

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe
"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
74⤵
PID:5956

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
75⤵
- Accesses Microsoft Outlook profiles
PID:7160

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
75⤵
PID:6088

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
76⤵
PID:6732

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe
"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
75⤵
- Adds Run key to start application
PID:4696

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
76⤵
- Accesses Microsoft Outlook profiles
- outlook_office_path
- outlook_win_path
PID:6952

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
76⤵
PID:5200

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
77⤵
PID:6964

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe
"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
76⤵
- Adds Run key to start application
PID:6636

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
77⤵
PID:6744

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
77⤵
PID:7036

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
77⤵
PID:6876

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
77⤵
PID:6160

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
77⤵
PID:4904

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
78⤵
PID:4652

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe
"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
77⤵
- Adds Run key to start application
PID:7144

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
78⤵
PID:2488

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
78⤵
PID:5716

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
79⤵
PID:6776

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe
"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
78⤵
PID:2468

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
79⤵
PID:6884

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
79⤵
PID:5908

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
80⤵
PID:7036

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe
"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
79⤵
- Adds Run key to start application
PID:3976

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
80⤵
PID:6728

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
80⤵
PID:6928

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
81⤵
PID:6948

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe
"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
80⤵
PID:5896

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
81⤵
PID:5276

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
81⤵
PID:936

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
82⤵
PID:6260

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe
"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
81⤵
- Adds Run key to start application
PID:6856

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
82⤵
PID:7208

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
82⤵
PID:7228

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
83⤵
PID:7256

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe
"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
82⤵
PID:7272

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
83⤵
PID:7320

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
83⤵
PID:7352

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
84⤵
PID:7388

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe
"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
83⤵
PID:7416

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
84⤵
PID:7468

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
84⤵
PID:7500

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
85⤵
PID:7556

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe
"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
84⤵
PID:7580

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
85⤵
PID:7632

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
85⤵
PID:7624

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
85⤵
PID:7616

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
85⤵
PID:7668

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
86⤵
PID:7712

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe
"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
85⤵
PID:7780

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
86⤵
PID:7836

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
86⤵
PID:7872

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
87⤵
PID:7968

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe
"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
86⤵
PID:7936

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
87⤵
PID:8012

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
88⤵
PID:8056

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
87⤵
PID:7992

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
87⤵
PID:7984

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
87⤵
PID:7976

C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe
"C:\Users\Admin\AppData\Local\Temp\BALANCE PAYMENT OF INV #005788903736282 20200418.exe"
87⤵
PID:8092

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
1⤵
PID:2356

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63

MD5
f742c983bfb271422cc314818647a531

SHA1
7de3e8c46e11199f79f89757e43837d6674709aa

SHA256
a89ddb6d65479220e630154a298dff5f2f2174365dbd8e78bb08dc2ae6e9d988

SHA512
e5de6a32a5ef7fc4a008ceb43315b0d4be1b18e895ea5b2cf3f02d3984df08d0d5fd4b15dfd65fd3b525c1fd20d705a87683a645bb22331784eb360f5bdbc0ab

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63

MD5
a7999a82aebd1b88005c3c3b8198a800

SHA1
a77d70c655f3241203aa20982320dfe93878a522

SHA256
eb2644f9d88f107ef6f36a0c997a7bf0b2669eec531feb44252a59c17001d00b

SHA512
b42291a9518232b8dbf6a192455a6957f4c5ab10c9a5d32db203a429c62463cfe24236b2fd9d567e58f4d682293f41ee025788a1b518360a52a8e7defc9b1e9c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5
9ca9104c9a422f242f66378813783dc2

SHA1
02c828092066e14ec7cfca313ca601ad678b8794

SHA256
37942bce48e0e01575d978336239ea18bed1e380004444b4d8249f580d3318c3

SHA512
75d6f61bf82bc285b4014248ae188aba234d78a58a1e6f923accdae9e4c42ac1a811592901ad35277a9a923b187632347745610c01e6561046f2ca15db43f2c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\o5rwqiw\imagestore.dat

MD5
f515459717cdd9bf8888442f2e2d1608

SHA1
7314e7effb03b47f4e93bd95d04e63af94a91bd5

SHA256
fa771e9d9eea2af4c4ff5dd0882dcafd0ae790f2355b564d13ea029da65ac69f

SHA512
00b7ecdcc2fe5bfc70b601ea8f0760918b71e4f2b08e96f2bf387b3f753f62305d89a1d38364bc67f012a20eb62c58d296cc8bcd29734da8f984eb97955605de

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\B87KW0LH.txt

MD5
8a16220da8b322f81406dcfa9fb4040e

SHA1
d9eff979de45db5cda95501e23afb2f8088baa80

SHA256
3241bc535398e2dccd7871cbbf4e4a33cbfc42862b363ea2eb540461b0b06d59

SHA512
760282d3da743623115cfa8de1afdb705d4179fc65c63e7a3c0e6e43d199108c15015902e7276649b7d8c4b6f2c6e507813c06ff884341fed4719f3109c97d30

Download Submit
memory/332-78-0x00000000001B0000-0x0000000000206000-memory.dmp

Filesize
344KB

Download
memory/436-70-0x0000000004E00000-0x0000000004E01000-memory.dmp

Filesize
4KB

Download
memory/784-65-0x0000000000690000-0x0000000000899000-memory.dmp

Filesize
2.0MB

Download
memory/784-103-0x0000000000690000-0x0000000000899000-memory.dmp

Filesize
2.0MB

Download
memory/1052-93-0x0000000000530000-0x0000000000560000-memory.dmp

Filesize
192KB

Download
memory/1156-64-0x00000000001D0000-0x0000000000210000-memory.dmp

Filesize
256KB

Download
memory/1184-158-0x0000000000715000-0x0000000000726000-memory.dmp

Filesize
68KB

Download
memory/1184-116-0x0000000000710000-0x0000000000711000-memory.dmp

Filesize
4KB

Download
memory/1268-54-0x00000000009C0000-0x0000000000A8E000-memory.dmp

Filesize
824KB

Download
memory/1268-55-0x00000000021A0000-0x0000000002238000-memory.dmp

Filesize
608KB

Download
memory/1268-56-0x00000000766D1000-0x00000000766D3000-memory.dmp

Filesize
8KB

Download
memory/1268-58-0x0000000000300000-0x0000000000340000-memory.dmp

Filesize
256KB

Download
memory/1364-84-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1396-59-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1396-60-0x00000000002B0000-0x00000000002B6000-memory.dmp

Filesize
24KB

Download
memory/1396-62-0x0000000004BD0000-0x0000000004BD1000-memory.dmp

Filesize
4KB

Download
memory/1536-137-0x0000000000290000-0x0000000000340000-memory.dmp

Filesize
704KB

Download
memory/1604-88-0x0000000000610000-0x0000000000611000-memory.dmp

Filesize
4KB

Download
memory/1604-124-0x0000000000615000-0x0000000000626000-memory.dmp

Filesize
68KB

Download
memory/1648-91-0x0000000004C30000-0x0000000004C31000-memory.dmp

Filesize
4KB

Download
memory/1672-108-0x0000000004DB5000-0x0000000004DC6000-memory.dmp

Filesize
68KB

Download
memory/1672-73-0x0000000004DB0000-0x0000000004DB1000-memory.dmp

Filesize
4KB

Download
memory/1676-113-0x0000000004AA5000-0x0000000004AB6000-memory.dmp

Filesize
68KB

Download
memory/1676-77-0x0000000004AA0000-0x0000000004AA1000-memory.dmp

Filesize
4KB

Download
memory/1716-69-0x0000000000330000-0x0000000000333000-memory.dmp

Filesize
12KB

Download
memory/1744-76-0x0000000000430000-0x0000000000483000-memory.dmp

Filesize
332KB

Download
memory/1884-85-0x0000000000B30000-0x0000000000B31000-memory.dmp

Filesize
4KB

Download
memory/1884-119-0x0000000000B35000-0x0000000000B46000-memory.dmp

Filesize
68KB

Download
memory/1940-118-0x0000000004C55000-0x0000000004C66000-memory.dmp

Filesize
68KB

Download
memory/1940-81-0x0000000004C50000-0x0000000004C51000-memory.dmp

Filesize
4KB

Download
memory/2064-144-0x0000000004AE0000-0x0000000004AE1000-memory.dmp

Filesize
4KB

Download
memory/2068-148-0x0000000004B00000-0x0000000004B01000-memory.dmp

Filesize
4KB

Download
memory/2076-120-0x00000000001C0000-0x0000000000213000-memory.dmp

Filesize
332KB

Download
memory/2084-134-0x0000000002550000-0x00000000046B0000-memory.dmp

Filesize
33.4MB

Download
memory/2084-95-0x0000000002550000-0x00000000046B0000-memory.dmp

Filesize
33.4MB

Download
memory/2144-165-0x0000000002450000-0x0000000004790000-memory.dmp

Filesize
35.2MB

Download
memory/2144-123-0x0000000002450000-0x0000000004790000-memory.dmp

Filesize
35.2MB

Download
memory/2276-140-0x0000000000490000-0x00000000004D0000-memory.dmp

Filesize
256KB

Download
memory/2276-97-0x0000000000490000-0x00000000004D0000-memory.dmp

Filesize
256KB

Download
memory/2296-143-0x0000000000270000-0x00000000002C0000-memory.dmp

Filesize
320KB

Download
memory/2300-125-0x00000000001B0000-0x0000000000200000-memory.dmp

Filesize
320KB

Download
memory/2408-101-0x0000000000450000-0x0000000000523000-memory.dmp

Filesize
844KB

Download
memory/2496-102-0x00000000022A0000-0x0000000002510000-memory.dmp

Filesize
2.4MB

Download
memory/2496-146-0x00000000022A0000-0x0000000002510000-memory.dmp

Filesize
2.4MB

Download
memory/2524-130-0x0000000000240000-0x0000000000290000-memory.dmp

Filesize
320KB

Download
memory/2596-105-0x00000000001B0000-0x0000000000200000-memory.dmp

Filesize
320KB

Download
memory/2616-131-0x0000000004D00000-0x0000000004D01000-memory.dmp

Filesize
4KB

Download
memory/2632-139-0x00000000023F0000-0x00000000023F1000-memory.dmp

Filesize
4KB

Download
memory/2692-149-0x00000000049C5000-0x00000000049D6000-memory.dmp

Filesize
68KB

Download
memory/2692-107-0x00000000049C0000-0x00000000049C1000-memory.dmp

Filesize
4KB

Download
memory/2796-169-0x00000000023C0000-0x00000000026C0000-memory.dmp

Filesize
3.0MB

Download
memory/2796-127-0x00000000023C0000-0x00000000026C0000-memory.dmp

Filesize
3.0MB

Download
memory/2808-109-0x00000000002B0000-0x0000000000300000-memory.dmp

Filesize
320KB

Download
memory/2916-112-0x0000000004C10000-0x0000000004C11000-memory.dmp

Filesize
4KB

Download
memory/2916-154-0x0000000004C15000-0x0000000004C26000-memory.dmp

Filesize
68KB

Download
memory/2956-135-0x0000000002530000-0x0000000002531000-memory.dmp

Filesize
4KB

Download
memory/3136-150-0x0000000000190000-0x00000000001D0000-memory.dmp

Filesize
256KB

Download
memory/3204-153-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/3320-157-0x00000000002F0000-0x0000000000346000-memory.dmp

Filesize
344KB

Download
memory/3444-159-0x0000000004CD0000-0x0000000004CD1000-memory.dmp

Filesize
4KB

Download
memory/3552-161-0x0000000000330000-0x00000000003F0000-memory.dmp

Filesize
768KB

Download
memory/3620-163-0x00000000008A0000-0x00000000008A1000-memory.dmp

Filesize
4KB

Download
memory/3728-166-0x00000000001C0000-0x0000000000210000-memory.dmp

Filesize
320KB

Download
memory/3796-167-0x0000000002540000-0x0000000002541000-memory.dmp

Filesize
4KB

Download
memory/3920-172-0x00000000001D0000-0x0000000000201000-memory.dmp

Filesize
196KB

Download