Analysis
-
max time kernel
151s -
max time network
134s -
platform
windows7_x64 -
resource
win7-en-20211208 -
submitted
05-02-2022 16:10
General
-
Target
PI_160420PDF ARJ005634420200429 ,pdf.exe
-
Size
781KB
-
MD5
e132a0c2ded7c6dd950cc745862896b1
-
SHA1
c63c29aefc1245fb66f67d0049cc682c76d6287b
-
SHA256
2cc9a439b0ba13097ff33a8bb0af64130fec5c4f128c5cc4fcec7403e55ff50c
-
SHA512
7ffe8b5e25f6b7b24cb5453de02b098273747d08fc4a9195791cef9876af43baf2daacb1e4785d7e416f50874b0340856b5cad7e8eded5db461cc68d0055d584
Score
10/10
Malware Config
Extracted
Family
hawkeye_reborn
Version
10.1.2.2
Credentials
Protocol: ftp- Host:
ftp.tashipta.com - Port:
21 - Username:
[email protected] - Password:
@Success$2020
Mutex
74d527f5-bde5-4c9c-9f90-0d96801270c7
Attributes
-
fields
map[_AntiDebugger:false _AntiVirusKiller:false _BotKiller:false _ClipboardLogger:true _Delivery:2 _DisableCommandPrompt:false _DisableRegEdit:false _DisableTaskManager:false _Disablers:false _EmailPort:0 _EmailSSL:false _ExecutionDelay:10 _FTPPassword:@Success$2020 _FTPPort:21 _FTPSFTP:true _FTPServer:ftp.tashipta.com _FTPUsername:[email protected] _FakeMessageIcon:0 _FakeMessageShow:false _FileBinder:false _HideFile:false _HistoryCleaner:false _Install:false _InstallLocation:0 _InstallStartup:false _InstallStartupPersistance:false _KeyStrokeLogger:false _LogInterval:10 _MeltFile:false _Mutex:74d527f5-bde5-4c9c-9f90-0d96801270c7 _PasswordStealer:true _ProcessElevation:false _ProcessProtection:false _ScreenshotLogger:false _SystemInfo:false _Version:10.1.2.2 _WebCamLogger:false _WebsiteBlocker:false _WebsiteVisitor:false _WebsiteVisitorVisible:false _ZoneID:false]
-
name
HawkEye Keylogger - RebornX, Version=10.1.2.2, Culture=neutral, PublicKeyToken=null
Signatures
-
HawkEye Reborn
HawkEye Reborn is an enhanced version of the HawkEye malware kit.
-
M00nd3v_Logger
M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
-
M00nD3v Logger Payload 2 IoCs
Detects M00nD3v Logger payload in memory.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 64 IoCs
-
Adds Run key to start application 2 TTPs 64 IoCs
-
Looks up external IP address via web service 10 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 64 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 64 IoCs
-
Suspicious behavior: SetClipboardViewer 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\PI_160420PDF ARJ005634420200429 ,pdf.exe"C:\Users\Admin\AppData\Local\Temp\PI_160420PDF ARJ005634420200429 ,pdf.exe"1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI_160420PDF ARJ005634420200429 ,pdf.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 33⤵
-
C:\Users\Admin\AppData\Local\Temp\PI_160420PDF ARJ005634420200429 ,pdf.exe"C:\Users\Admin\AppData\Local\Temp\PI_160420PDF ARJ005634420200429 ,pdf.exe"2⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI_160420PDF ARJ005634420200429 ,pdf.exe"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Users\Admin\AppData\Local\Temp\PI_160420PDF ARJ005634420200429 ,pdf.exe"C:\Users\Admin\AppData\Local\Temp\PI_160420PDF ARJ005634420200429 ,pdf.exe"3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI_160420PDF ARJ005634420200429 ,pdf.exe"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 35⤵
-
C:\Users\Admin\AppData\Local\Temp\PI_160420PDF ARJ005634420200429 ,pdf.exe"C:\Users\Admin\AppData\Local\Temp\PI_160420PDF ARJ005634420200429 ,pdf.exe"4⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"5⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI_160420PDF ARJ005634420200429 ,pdf.exe"5⤵
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 36⤵
-
C:\Users\Admin\AppData\Local\Temp\PI_160420PDF ARJ005634420200429 ,pdf.exe"C:\Users\Admin\AppData\Local\Temp\PI_160420PDF ARJ005634420200429 ,pdf.exe"5⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"6⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI_160420PDF ARJ005634420200429 ,pdf.exe"6⤵
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 37⤵
-
C:\Users\Admin\AppData\Local\Temp\PI_160420PDF ARJ005634420200429 ,pdf.exe"C:\Users\Admin\AppData\Local\Temp\PI_160420PDF ARJ005634420200429 ,pdf.exe"6⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"7⤵
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI_160420PDF ARJ005634420200429 ,pdf.exe"7⤵
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 38⤵
-
C:\Users\Admin\AppData\Local\Temp\PI_160420PDF ARJ005634420200429 ,pdf.exe"C:\Users\Admin\AppData\Local\Temp\PI_160420PDF ARJ005634420200429 ,pdf.exe"7⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"8⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI_160420PDF ARJ005634420200429 ,pdf.exe"8⤵
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 39⤵
-
C:\Users\Admin\AppData\Local\Temp\PI_160420PDF ARJ005634420200429 ,pdf.exe"C:\Users\Admin\AppData\Local\Temp\PI_160420PDF ARJ005634420200429 ,pdf.exe"8⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"9⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI_160420PDF ARJ005634420200429 ,pdf.exe"9⤵
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 310⤵
-
C:\Users\Admin\AppData\Local\Temp\PI_160420PDF ARJ005634420200429 ,pdf.exe"C:\Users\Admin\AppData\Local\Temp\PI_160420PDF ARJ005634420200429 ,pdf.exe"9⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"10⤵
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI_160420PDF ARJ005634420200429 ,pdf.exe"10⤵
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 311⤵
-
C:\Users\Admin\AppData\Local\Temp\PI_160420PDF ARJ005634420200429 ,pdf.exe"C:\Users\Admin\AppData\Local\Temp\PI_160420PDF ARJ005634420200429 ,pdf.exe"10⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"11⤵
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI_160420PDF ARJ005634420200429 ,pdf.exe"11⤵
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 312⤵
-
C:\Users\Admin\AppData\Local\Temp\PI_160420PDF ARJ005634420200429 ,pdf.exe"C:\Users\Admin\AppData\Local\Temp\PI_160420PDF ARJ005634420200429 ,pdf.exe"11⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"12⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI_160420PDF ARJ005634420200429 ,pdf.exe"12⤵
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 313⤵
-
C:\Users\Admin\AppData\Local\Temp\PI_160420PDF ARJ005634420200429 ,pdf.exe"C:\Users\Admin\AppData\Local\Temp\PI_160420PDF ARJ005634420200429 ,pdf.exe"12⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"13⤵
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI_160420PDF ARJ005634420200429 ,pdf.exe"13⤵
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 314⤵
-
C:\Users\Admin\AppData\Local\Temp\PI_160420PDF ARJ005634420200429 ,pdf.exe"C:\Users\Admin\AppData\Local\Temp\PI_160420PDF ARJ005634420200429 ,pdf.exe"13⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"14⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI_160420PDF ARJ005634420200429 ,pdf.exe"14⤵
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 315⤵
-
C:\Users\Admin\AppData\Local\Temp\PI_160420PDF ARJ005634420200429 ,pdf.exe"C:\Users\Admin\AppData\Local\Temp\PI_160420PDF ARJ005634420200429 ,pdf.exe"14⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"15⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"15⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI_160420PDF ARJ005634420200429 ,pdf.exe"15⤵
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 316⤵
-
C:\Users\Admin\AppData\Local\Temp\PI_160420PDF ARJ005634420200429 ,pdf.exe"C:\Users\Admin\AppData\Local\Temp\PI_160420PDF ARJ005634420200429 ,pdf.exe"15⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"16⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI_160420PDF ARJ005634420200429 ,pdf.exe"16⤵
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 317⤵
-
C:\Users\Admin\AppData\Local\Temp\PI_160420PDF ARJ005634420200429 ,pdf.exe"C:\Users\Admin\AppData\Local\Temp\PI_160420PDF ARJ005634420200429 ,pdf.exe"16⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"17⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI_160420PDF ARJ005634420200429 ,pdf.exe"17⤵
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 318⤵
-
C:\Users\Admin\AppData\Local\Temp\PI_160420PDF ARJ005634420200429 ,pdf.exe"C:\Users\Admin\AppData\Local\Temp\PI_160420PDF ARJ005634420200429 ,pdf.exe"17⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"18⤵
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI_160420PDF ARJ005634420200429 ,pdf.exe"18⤵
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 319⤵
-
C:\Users\Admin\AppData\Local\Temp\PI_160420PDF ARJ005634420200429 ,pdf.exe"C:\Users\Admin\AppData\Local\Temp\PI_160420PDF ARJ005634420200429 ,pdf.exe"18⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"19⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI_160420PDF ARJ005634420200429 ,pdf.exe"19⤵
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 320⤵
-
C:\Users\Admin\AppData\Local\Temp\PI_160420PDF ARJ005634420200429 ,pdf.exe"C:\Users\Admin\AppData\Local\Temp\PI_160420PDF ARJ005634420200429 ,pdf.exe"19⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"20⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"20⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI_160420PDF ARJ005634420200429 ,pdf.exe"20⤵
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 321⤵
-
C:\Users\Admin\AppData\Local\Temp\PI_160420PDF ARJ005634420200429 ,pdf.exe"C:\Users\Admin\AppData\Local\Temp\PI_160420PDF ARJ005634420200429 ,pdf.exe"20⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"21⤵
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI_160420PDF ARJ005634420200429 ,pdf.exe"21⤵
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 322⤵
-
C:\Users\Admin\AppData\Local\Temp\PI_160420PDF ARJ005634420200429 ,pdf.exe"C:\Users\Admin\AppData\Local\Temp\PI_160420PDF ARJ005634420200429 ,pdf.exe"21⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"22⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"22⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI_160420PDF ARJ005634420200429 ,pdf.exe"22⤵
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 323⤵
-
C:\Users\Admin\AppData\Local\Temp\PI_160420PDF ARJ005634420200429 ,pdf.exe"C:\Users\Admin\AppData\Local\Temp\PI_160420PDF ARJ005634420200429 ,pdf.exe"22⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"23⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI_160420PDF ARJ005634420200429 ,pdf.exe"23⤵
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 324⤵
-
C:\Users\Admin\AppData\Local\Temp\PI_160420PDF ARJ005634420200429 ,pdf.exe"C:\Users\Admin\AppData\Local\Temp\PI_160420PDF ARJ005634420200429 ,pdf.exe"23⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"24⤵
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI_160420PDF ARJ005634420200429 ,pdf.exe"24⤵
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 325⤵
-
C:\Users\Admin\AppData\Local\Temp\PI_160420PDF ARJ005634420200429 ,pdf.exe"C:\Users\Admin\AppData\Local\Temp\PI_160420PDF ARJ005634420200429 ,pdf.exe"24⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"25⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI_160420PDF ARJ005634420200429 ,pdf.exe"25⤵
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 326⤵
-
C:\Users\Admin\AppData\Local\Temp\PI_160420PDF ARJ005634420200429 ,pdf.exe"C:\Users\Admin\AppData\Local\Temp\PI_160420PDF ARJ005634420200429 ,pdf.exe"25⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"26⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI_160420PDF ARJ005634420200429 ,pdf.exe"26⤵
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 327⤵
-
C:\Users\Admin\AppData\Local\Temp\PI_160420PDF ARJ005634420200429 ,pdf.exe"C:\Users\Admin\AppData\Local\Temp\PI_160420PDF ARJ005634420200429 ,pdf.exe"26⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"27⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI_160420PDF ARJ005634420200429 ,pdf.exe"27⤵
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 328⤵
-
C:\Users\Admin\AppData\Local\Temp\PI_160420PDF ARJ005634420200429 ,pdf.exe"C:\Users\Admin\AppData\Local\Temp\PI_160420PDF ARJ005634420200429 ,pdf.exe"27⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"28⤵
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI_160420PDF ARJ005634420200429 ,pdf.exe"28⤵
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 329⤵
-
C:\Users\Admin\AppData\Local\Temp\PI_160420PDF ARJ005634420200429 ,pdf.exe"C:\Users\Admin\AppData\Local\Temp\PI_160420PDF ARJ005634420200429 ,pdf.exe"28⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"29⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI_160420PDF ARJ005634420200429 ,pdf.exe"29⤵
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 330⤵
-
C:\Users\Admin\AppData\Local\Temp\PI_160420PDF ARJ005634420200429 ,pdf.exe"C:\Users\Admin\AppData\Local\Temp\PI_160420PDF ARJ005634420200429 ,pdf.exe"29⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"30⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: SetClipboardViewer
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI_160420PDF ARJ005634420200429 ,pdf.exe"30⤵
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 331⤵
-
C:\Users\Admin\AppData\Local\Temp\PI_160420PDF ARJ005634420200429 ,pdf.exe"C:\Users\Admin\AppData\Local\Temp\PI_160420PDF ARJ005634420200429 ,pdf.exe"30⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"31⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: SetClipboardViewer
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI_160420PDF ARJ005634420200429 ,pdf.exe"31⤵
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 332⤵
-
C:\Users\Admin\AppData\Local\Temp\PI_160420PDF ARJ005634420200429 ,pdf.exe"C:\Users\Admin\AppData\Local\Temp\PI_160420PDF ARJ005634420200429 ,pdf.exe"31⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"32⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: SetClipboardViewer
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI_160420PDF ARJ005634420200429 ,pdf.exe"32⤵
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 333⤵
-
C:\Users\Admin\AppData\Local\Temp\PI_160420PDF ARJ005634420200429 ,pdf.exe"C:\Users\Admin\AppData\Local\Temp\PI_160420PDF ARJ005634420200429 ,pdf.exe"32⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"33⤵
- Suspicious behavior: SetClipboardViewer
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI_160420PDF ARJ005634420200429 ,pdf.exe"33⤵
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 334⤵
-
C:\Users\Admin\AppData\Local\Temp\PI_160420PDF ARJ005634420200429 ,pdf.exe"C:\Users\Admin\AppData\Local\Temp\PI_160420PDF ARJ005634420200429 ,pdf.exe"33⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"34⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: SetClipboardViewer
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI_160420PDF ARJ005634420200429 ,pdf.exe"34⤵
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 335⤵
-
C:\Users\Admin\AppData\Local\Temp\PI_160420PDF ARJ005634420200429 ,pdf.exe"C:\Users\Admin\AppData\Local\Temp\PI_160420PDF ARJ005634420200429 ,pdf.exe"34⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"35⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"35⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: SetClipboardViewer
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI_160420PDF ARJ005634420200429 ,pdf.exe"35⤵
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 336⤵
-
C:\Users\Admin\AppData\Local\Temp\PI_160420PDF ARJ005634420200429 ,pdf.exe"C:\Users\Admin\AppData\Local\Temp\PI_160420PDF ARJ005634420200429 ,pdf.exe"35⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"36⤵
- Suspicious behavior: SetClipboardViewer
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI_160420PDF ARJ005634420200429 ,pdf.exe"36⤵
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 337⤵
-
C:\Users\Admin\AppData\Local\Temp\PI_160420PDF ARJ005634420200429 ,pdf.exe"C:\Users\Admin\AppData\Local\Temp\PI_160420PDF ARJ005634420200429 ,pdf.exe"36⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"37⤵
- Suspicious behavior: SetClipboardViewer
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI_160420PDF ARJ005634420200429 ,pdf.exe"37⤵
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 338⤵
-
C:\Users\Admin\AppData\Local\Temp\PI_160420PDF ARJ005634420200429 ,pdf.exe"C:\Users\Admin\AppData\Local\Temp\PI_160420PDF ARJ005634420200429 ,pdf.exe"37⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"38⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: SetClipboardViewer
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI_160420PDF ARJ005634420200429 ,pdf.exe"38⤵
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 339⤵
-
C:\Users\Admin\AppData\Local\Temp\PI_160420PDF ARJ005634420200429 ,pdf.exe"C:\Users\Admin\AppData\Local\Temp\PI_160420PDF ARJ005634420200429 ,pdf.exe"38⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"39⤵
- Suspicious behavior: SetClipboardViewer
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI_160420PDF ARJ005634420200429 ,pdf.exe"39⤵
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 340⤵
-
C:\Users\Admin\AppData\Local\Temp\PI_160420PDF ARJ005634420200429 ,pdf.exe"C:\Users\Admin\AppData\Local\Temp\PI_160420PDF ARJ005634420200429 ,pdf.exe"39⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"40⤵
- Suspicious behavior: SetClipboardViewer
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI_160420PDF ARJ005634420200429 ,pdf.exe"40⤵
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 341⤵
-
C:\Users\Admin\AppData\Local\Temp\PI_160420PDF ARJ005634420200429 ,pdf.exe"C:\Users\Admin\AppData\Local\Temp\PI_160420PDF ARJ005634420200429 ,pdf.exe"40⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"41⤵
- Suspicious behavior: SetClipboardViewer
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI_160420PDF ARJ005634420200429 ,pdf.exe"41⤵
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 342⤵
-
C:\Users\Admin\AppData\Local\Temp\PI_160420PDF ARJ005634420200429 ,pdf.exe"C:\Users\Admin\AppData\Local\Temp\PI_160420PDF ARJ005634420200429 ,pdf.exe"41⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"42⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: SetClipboardViewer
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI_160420PDF ARJ005634420200429 ,pdf.exe"42⤵
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 343⤵
-
C:\Users\Admin\AppData\Local\Temp\PI_160420PDF ARJ005634420200429 ,pdf.exe"C:\Users\Admin\AppData\Local\Temp\PI_160420PDF ARJ005634420200429 ,pdf.exe"42⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"43⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: SetClipboardViewer
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI_160420PDF ARJ005634420200429 ,pdf.exe"43⤵
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 344⤵
-
C:\Users\Admin\AppData\Local\Temp\PI_160420PDF ARJ005634420200429 ,pdf.exe"C:\Users\Admin\AppData\Local\Temp\PI_160420PDF ARJ005634420200429 ,pdf.exe"43⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"44⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"44⤵
- Suspicious behavior: SetClipboardViewer
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI_160420PDF ARJ005634420200429 ,pdf.exe"44⤵
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 345⤵
-
C:\Users\Admin\AppData\Local\Temp\PI_160420PDF ARJ005634420200429 ,pdf.exe"C:\Users\Admin\AppData\Local\Temp\PI_160420PDF ARJ005634420200429 ,pdf.exe"44⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"45⤵
- Suspicious behavior: SetClipboardViewer
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI_160420PDF ARJ005634420200429 ,pdf.exe"45⤵
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 346⤵
-
C:\Users\Admin\AppData\Local\Temp\PI_160420PDF ARJ005634420200429 ,pdf.exe"C:\Users\Admin\AppData\Local\Temp\PI_160420PDF ARJ005634420200429 ,pdf.exe"45⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"46⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: SetClipboardViewer
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI_160420PDF ARJ005634420200429 ,pdf.exe"46⤵
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 347⤵
-
C:\Users\Admin\AppData\Local\Temp\PI_160420PDF ARJ005634420200429 ,pdf.exe"C:\Users\Admin\AppData\Local\Temp\PI_160420PDF ARJ005634420200429 ,pdf.exe"46⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"47⤵
- Suspicious behavior: SetClipboardViewer
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI_160420PDF ARJ005634420200429 ,pdf.exe"47⤵
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 348⤵
-
C:\Users\Admin\AppData\Local\Temp\PI_160420PDF ARJ005634420200429 ,pdf.exe"C:\Users\Admin\AppData\Local\Temp\PI_160420PDF ARJ005634420200429 ,pdf.exe"47⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"48⤵
- Suspicious behavior: SetClipboardViewer
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI_160420PDF ARJ005634420200429 ,pdf.exe"48⤵
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 349⤵
-
C:\Users\Admin\AppData\Local\Temp\PI_160420PDF ARJ005634420200429 ,pdf.exe"C:\Users\Admin\AppData\Local\Temp\PI_160420PDF ARJ005634420200429 ,pdf.exe"48⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"49⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: SetClipboardViewer
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI_160420PDF ARJ005634420200429 ,pdf.exe"49⤵
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 350⤵
-
C:\Users\Admin\AppData\Local\Temp\PI_160420PDF ARJ005634420200429 ,pdf.exe"C:\Users\Admin\AppData\Local\Temp\PI_160420PDF ARJ005634420200429 ,pdf.exe"49⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"50⤵
- Suspicious behavior: SetClipboardViewer
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI_160420PDF ARJ005634420200429 ,pdf.exe"50⤵
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 351⤵
-
C:\Users\Admin\AppData\Local\Temp\PI_160420PDF ARJ005634420200429 ,pdf.exe"C:\Users\Admin\AppData\Local\Temp\PI_160420PDF ARJ005634420200429 ,pdf.exe"50⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"51⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: SetClipboardViewer
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI_160420PDF ARJ005634420200429 ,pdf.exe"51⤵
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 352⤵
-
C:\Users\Admin\AppData\Local\Temp\PI_160420PDF ARJ005634420200429 ,pdf.exe"C:\Users\Admin\AppData\Local\Temp\PI_160420PDF ARJ005634420200429 ,pdf.exe"51⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"52⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: SetClipboardViewer
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI_160420PDF ARJ005634420200429 ,pdf.exe"52⤵
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 353⤵
-
C:\Users\Admin\AppData\Local\Temp\PI_160420PDF ARJ005634420200429 ,pdf.exe"C:\Users\Admin\AppData\Local\Temp\PI_160420PDF ARJ005634420200429 ,pdf.exe"52⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"53⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: SetClipboardViewer
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI_160420PDF ARJ005634420200429 ,pdf.exe"53⤵
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 354⤵
-
C:\Users\Admin\AppData\Local\Temp\PI_160420PDF ARJ005634420200429 ,pdf.exe"C:\Users\Admin\AppData\Local\Temp\PI_160420PDF ARJ005634420200429 ,pdf.exe"53⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"54⤵
- Suspicious behavior: SetClipboardViewer
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI_160420PDF ARJ005634420200429 ,pdf.exe"54⤵
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 355⤵
-
C:\Users\Admin\AppData\Local\Temp\PI_160420PDF ARJ005634420200429 ,pdf.exe"C:\Users\Admin\AppData\Local\Temp\PI_160420PDF ARJ005634420200429 ,pdf.exe"54⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"55⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: SetClipboardViewer
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI_160420PDF ARJ005634420200429 ,pdf.exe"55⤵
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 356⤵
-
C:\Users\Admin\AppData\Local\Temp\PI_160420PDF ARJ005634420200429 ,pdf.exe"C:\Users\Admin\AppData\Local\Temp\PI_160420PDF ARJ005634420200429 ,pdf.exe"55⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"56⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: SetClipboardViewer
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI_160420PDF ARJ005634420200429 ,pdf.exe"56⤵
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 357⤵
-
C:\Users\Admin\AppData\Local\Temp\PI_160420PDF ARJ005634420200429 ,pdf.exe"C:\Users\Admin\AppData\Local\Temp\PI_160420PDF ARJ005634420200429 ,pdf.exe"56⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"57⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: SetClipboardViewer
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI_160420PDF ARJ005634420200429 ,pdf.exe"57⤵
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 358⤵
-
C:\Users\Admin\AppData\Local\Temp\PI_160420PDF ARJ005634420200429 ,pdf.exe"C:\Users\Admin\AppData\Local\Temp\PI_160420PDF ARJ005634420200429 ,pdf.exe"57⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"58⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"58⤵
- Suspicious behavior: SetClipboardViewer
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI_160420PDF ARJ005634420200429 ,pdf.exe"58⤵
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 359⤵
-
C:\Users\Admin\AppData\Local\Temp\PI_160420PDF ARJ005634420200429 ,pdf.exe"C:\Users\Admin\AppData\Local\Temp\PI_160420PDF ARJ005634420200429 ,pdf.exe"58⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"59⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"59⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"59⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: SetClipboardViewer
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI_160420PDF ARJ005634420200429 ,pdf.exe"59⤵
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 360⤵
-
C:\Users\Admin\AppData\Local\Temp\PI_160420PDF ARJ005634420200429 ,pdf.exe"C:\Users\Admin\AppData\Local\Temp\PI_160420PDF ARJ005634420200429 ,pdf.exe"59⤵
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"60⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"60⤵
- Suspicious behavior: SetClipboardViewer
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI_160420PDF ARJ005634420200429 ,pdf.exe"60⤵
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 361⤵
-
C:\Users\Admin\AppData\Local\Temp\PI_160420PDF ARJ005634420200429 ,pdf.exe"C:\Users\Admin\AppData\Local\Temp\PI_160420PDF ARJ005634420200429 ,pdf.exe"60⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"61⤵
- Suspicious behavior: SetClipboardViewer
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI_160420PDF ARJ005634420200429 ,pdf.exe"61⤵
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 362⤵
-
C:\Users\Admin\AppData\Local\Temp\PI_160420PDF ARJ005634420200429 ,pdf.exe"C:\Users\Admin\AppData\Local\Temp\PI_160420PDF ARJ005634420200429 ,pdf.exe"61⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"62⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: SetClipboardViewer
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI_160420PDF ARJ005634420200429 ,pdf.exe"62⤵
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 363⤵
-
C:\Users\Admin\AppData\Local\Temp\PI_160420PDF ARJ005634420200429 ,pdf.exe"C:\Users\Admin\AppData\Local\Temp\PI_160420PDF ARJ005634420200429 ,pdf.exe"62⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"63⤵
- Suspicious behavior: SetClipboardViewer
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI_160420PDF ARJ005634420200429 ,pdf.exe"63⤵
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 364⤵
-
C:\Users\Admin\AppData\Local\Temp\PI_160420PDF ARJ005634420200429 ,pdf.exe"C:\Users\Admin\AppData\Local\Temp\PI_160420PDF ARJ005634420200429 ,pdf.exe"63⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"64⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: SetClipboardViewer
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI_160420PDF ARJ005634420200429 ,pdf.exe"64⤵
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 365⤵
-
C:\Users\Admin\AppData\Local\Temp\PI_160420PDF ARJ005634420200429 ,pdf.exe"C:\Users\Admin\AppData\Local\Temp\PI_160420PDF ARJ005634420200429 ,pdf.exe"64⤵
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"65⤵
- Suspicious behavior: SetClipboardViewer
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI_160420PDF ARJ005634420200429 ,pdf.exe"65⤵
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 366⤵
-
C:\Users\Admin\AppData\Local\Temp\PI_160420PDF ARJ005634420200429 ,pdf.exe"C:\Users\Admin\AppData\Local\Temp\PI_160420PDF ARJ005634420200429 ,pdf.exe"65⤵
- Adds Run key to start application
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"66⤵
- Suspicious behavior: SetClipboardViewer
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI_160420PDF ARJ005634420200429 ,pdf.exe"66⤵
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 367⤵
-
C:\Users\Admin\AppData\Local\Temp\PI_160420PDF ARJ005634420200429 ,pdf.exe"C:\Users\Admin\AppData\Local\Temp\PI_160420PDF ARJ005634420200429 ,pdf.exe"66⤵
- Adds Run key to start application
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"67⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"67⤵
- Accesses Microsoft Outlook profiles
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI_160420PDF ARJ005634420200429 ,pdf.exe"67⤵
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 368⤵
-
C:\Users\Admin\AppData\Local\Temp\PI_160420PDF ARJ005634420200429 ,pdf.exe"C:\Users\Admin\AppData\Local\Temp\PI_160420PDF ARJ005634420200429 ,pdf.exe"67⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"68⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"68⤵
- Accesses Microsoft Outlook profiles
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI_160420PDF ARJ005634420200429 ,pdf.exe"68⤵
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 369⤵
-
C:\Users\Admin\AppData\Local\Temp\PI_160420PDF ARJ005634420200429 ,pdf.exe"C:\Users\Admin\AppData\Local\Temp\PI_160420PDF ARJ005634420200429 ,pdf.exe"68⤵
- Adds Run key to start application
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"69⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI_160420PDF ARJ005634420200429 ,pdf.exe"69⤵
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 370⤵
-
C:\Users\Admin\AppData\Local\Temp\PI_160420PDF ARJ005634420200429 ,pdf.exe"C:\Users\Admin\AppData\Local\Temp\PI_160420PDF ARJ005634420200429 ,pdf.exe"69⤵
- Adds Run key to start application
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"70⤵
- Accesses Microsoft Outlook profiles
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI_160420PDF ARJ005634420200429 ,pdf.exe"70⤵
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 371⤵
-
C:\Users\Admin\AppData\Local\Temp\PI_160420PDF ARJ005634420200429 ,pdf.exe"C:\Users\Admin\AppData\Local\Temp\PI_160420PDF ARJ005634420200429 ,pdf.exe"70⤵
- Adds Run key to start application
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"71⤵
- Accesses Microsoft Outlook profiles
- outlook_office_path
- outlook_win_path
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PI_160420PDF ARJ005634420200429 ,pdf.exe"71⤵
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 372⤵
-
C:\Users\Admin\AppData\Local\Temp\PI_160420PDF ARJ005634420200429 ,pdf.exe"C:\Users\Admin\AppData\Local\Temp\PI_160420PDF ARJ005634420200429 ,pdf.exe"71⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
0e94f508a7733660f34dd8bdee3498be
SHA13ff9062790b9b2e5db956f1c5f76437db41a4872
SHA256557b364bfb2cb6e9af4bdb2dc00a8854ae502e2901bd2dd106af7197e0709116
SHA5120f7ee5f3cffaa91c7588d23e4edc2cfb0605177d3d8ccbfe48f5f46e88ce350d55dc7f594d8acd2984976fa242e337454068585aadbe14dde85b9015ec96bd5a
-
MD5
0e94f508a7733660f34dd8bdee3498be
SHA13ff9062790b9b2e5db956f1c5f76437db41a4872
SHA256557b364bfb2cb6e9af4bdb2dc00a8854ae502e2901bd2dd106af7197e0709116
SHA5120f7ee5f3cffaa91c7588d23e4edc2cfb0605177d3d8ccbfe48f5f46e88ce350d55dc7f594d8acd2984976fa242e337454068585aadbe14dde85b9015ec96bd5a
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
320KB
-
Filesize
68KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
320KB
-
Filesize
576KB
-
Filesize
4KB
-
Filesize
68KB
-
Filesize
24KB
-
Filesize
808KB
-
Filesize
608KB
-
Filesize
8KB
-
Filesize
12KB
-
Filesize
4KB
-
Filesize
68KB
-
Filesize
320KB
-
Filesize
4KB
-
Filesize
68KB
-
Filesize
344KB
-
Filesize
68KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
68KB
-
Filesize
280KB
-
Filesize
320KB
-
Filesize
708KB
-
Filesize
320KB
-
Filesize
4KB
-
Filesize
68KB
-
Filesize
192KB
-
Filesize
4KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
1.2MB
-
Filesize
68KB
-
Filesize
4KB
-
Filesize
576KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
68KB
-
Filesize
320KB
-
Filesize
4KB
-
Filesize
768KB
-
Filesize
1.7MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
68KB
-
Filesize
320KB
-
Filesize
68KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
320KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
256KB
-
Filesize
4KB
-
Filesize
256KB
-
Filesize
4KB
-
Filesize
320KB