2c069320cf1b5c2d0dd66a40f85e2a84fd4a2e07eb37d9684df6c8aec4dad34b

General

Target

orden pdf.exe
Size

1.5MB
MD5

4f1ad14256cc9c420d78d69b468bab48
SHA1

7734beec32b17c6ef0678533cc9634bd2c890c65
SHA256

1f05b369246b2867a66aba3cacd9da9c2f29c03adc4d45883c91054c35ac3345
SHA512

38dbbf685b18d2540d739b0ff74bb00f20a1e0b1c142e40b7bbb2e451f6d8ea9e992eb01f77eff945a47bc57fb6ada9e184dd9d6f07e732c253449509deeec71

Score

7^/10

Malware Config

Signatures

Drops startup file 1 IoCs

Processes:

orden pdf.exe

description ioc process

File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.url orden pdf.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.url	orden pdf.exe

Suspicious behavior: MapViewOfSection 64 IoCs

Processes:

orden pdf.exe

pid	process
1540	orden pdf.exe
1540	orden pdf.exe
1540	orden pdf.exe
1540	orden pdf.exe
1540	orden pdf.exe
1540	orden pdf.exe
1540	orden pdf.exe
1540	orden pdf.exe
1540	orden pdf.exe
1540	orden pdf.exe
1540	orden pdf.exe
1540	orden pdf.exe
1540	orden pdf.exe
1540	orden pdf.exe
1540	orden pdf.exe
1540	orden pdf.exe
1540	orden pdf.exe
1540	orden pdf.exe
1540	orden pdf.exe
1540	orden pdf.exe
1540	orden pdf.exe
1540	orden pdf.exe
1540	orden pdf.exe
1540	orden pdf.exe
1540	orden pdf.exe
1540	orden pdf.exe
1540	orden pdf.exe
1540	orden pdf.exe
1540	orden pdf.exe
1540	orden pdf.exe
1540	orden pdf.exe
1540	orden pdf.exe
1540	orden pdf.exe
1540	orden pdf.exe
1540	orden pdf.exe
1540	orden pdf.exe
1540	orden pdf.exe
1540	orden pdf.exe
1540	orden pdf.exe
1540	orden pdf.exe
1540	orden pdf.exe
1540	orden pdf.exe
1540	orden pdf.exe
1540	orden pdf.exe
1540	orden pdf.exe
1540	orden pdf.exe
1540	orden pdf.exe
1540	orden pdf.exe
1540	orden pdf.exe
1540	orden pdf.exe
1540	orden pdf.exe
1540	orden pdf.exe
1540	orden pdf.exe
1540	orden pdf.exe
1540	orden pdf.exe
1540	orden pdf.exe
1540	orden pdf.exe
1540	orden pdf.exe
1540	orden pdf.exe
1540	orden pdf.exe
1540	orden pdf.exe
1540	orden pdf.exe
1540	orden pdf.exe
1540	orden pdf.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

orden pdf.exe

pid process

1540 orden pdf.exe
1540 orden pdf.exe
1540 orden pdf.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

orden pdf.exe

pid process

1540 orden pdf.exe
1540 orden pdf.exe
1540 orden pdf.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

orden pdf.exe

description	pid	process	target process
PID 1540 wrote to memory of 1680	1540	orden pdf.exe	orden pdf.exe
PID 1540 wrote to memory of 1680	1540	orden pdf.exe	orden pdf.exe
PID 1540 wrote to memory of 1680	1540	orden pdf.exe	orden pdf.exe
PID 1540 wrote to memory of 1680	1540	orden pdf.exe	orden pdf.exe
PID 1540 wrote to memory of 1628	1540	orden pdf.exe	orden pdf.exe
PID 1540 wrote to memory of 1628	1540	orden pdf.exe	orden pdf.exe
PID 1540 wrote to memory of 1628	1540	orden pdf.exe	orden pdf.exe
PID 1540 wrote to memory of 1628	1540	orden pdf.exe	orden pdf.exe
PID 1540 wrote to memory of 524	1540	orden pdf.exe	orden pdf.exe
PID 1540 wrote to memory of 524	1540	orden pdf.exe	orden pdf.exe
PID 1540 wrote to memory of 524	1540	orden pdf.exe	orden pdf.exe
PID 1540 wrote to memory of 524	1540	orden pdf.exe	orden pdf.exe
PID 1540 wrote to memory of 332	1540	orden pdf.exe	orden pdf.exe
PID 1540 wrote to memory of 332	1540	orden pdf.exe	orden pdf.exe
PID 1540 wrote to memory of 332	1540	orden pdf.exe	orden pdf.exe
PID 1540 wrote to memory of 332	1540	orden pdf.exe	orden pdf.exe
PID 1540 wrote to memory of 756	1540	orden pdf.exe	orden pdf.exe
PID 1540 wrote to memory of 756	1540	orden pdf.exe	orden pdf.exe
PID 1540 wrote to memory of 756	1540	orden pdf.exe	orden pdf.exe
PID 1540 wrote to memory of 756	1540	orden pdf.exe	orden pdf.exe
PID 1540 wrote to memory of 528	1540	orden pdf.exe	orden pdf.exe
PID 1540 wrote to memory of 528	1540	orden pdf.exe	orden pdf.exe
PID 1540 wrote to memory of 528	1540	orden pdf.exe	orden pdf.exe
PID 1540 wrote to memory of 528	1540	orden pdf.exe	orden pdf.exe
PID 1540 wrote to memory of 760	1540	orden pdf.exe	orden pdf.exe
PID 1540 wrote to memory of 760	1540	orden pdf.exe	orden pdf.exe
PID 1540 wrote to memory of 760	1540	orden pdf.exe	orden pdf.exe
PID 1540 wrote to memory of 760	1540	orden pdf.exe	orden pdf.exe
PID 1540 wrote to memory of 860	1540	orden pdf.exe	orden pdf.exe
PID 1540 wrote to memory of 860	1540	orden pdf.exe	orden pdf.exe
PID 1540 wrote to memory of 860	1540	orden pdf.exe	orden pdf.exe
PID 1540 wrote to memory of 860	1540	orden pdf.exe	orden pdf.exe
PID 1540 wrote to memory of 1388	1540	orden pdf.exe	orden pdf.exe
PID 1540 wrote to memory of 1388	1540	orden pdf.exe	orden pdf.exe
PID 1540 wrote to memory of 1388	1540	orden pdf.exe	orden pdf.exe
PID 1540 wrote to memory of 1388	1540	orden pdf.exe	orden pdf.exe
PID 1540 wrote to memory of 560	1540	orden pdf.exe	orden pdf.exe
PID 1540 wrote to memory of 560	1540	orden pdf.exe	orden pdf.exe
PID 1540 wrote to memory of 560	1540	orden pdf.exe	orden pdf.exe
PID 1540 wrote to memory of 560	1540	orden pdf.exe	orden pdf.exe
PID 1540 wrote to memory of 304	1540	orden pdf.exe	orden pdf.exe
PID 1540 wrote to memory of 304	1540	orden pdf.exe	orden pdf.exe
PID 1540 wrote to memory of 304	1540	orden pdf.exe	orden pdf.exe
PID 1540 wrote to memory of 304	1540	orden pdf.exe	orden pdf.exe
PID 1540 wrote to memory of 1644	1540	orden pdf.exe	orden pdf.exe
PID 1540 wrote to memory of 1644	1540	orden pdf.exe	orden pdf.exe
PID 1540 wrote to memory of 1644	1540	orden pdf.exe	orden pdf.exe
PID 1540 wrote to memory of 1644	1540	orden pdf.exe	orden pdf.exe
PID 1540 wrote to memory of 1368	1540	orden pdf.exe	orden pdf.exe
PID 1540 wrote to memory of 1368	1540	orden pdf.exe	orden pdf.exe
PID 1540 wrote to memory of 1368	1540	orden pdf.exe	orden pdf.exe
PID 1540 wrote to memory of 1368	1540	orden pdf.exe	orden pdf.exe
PID 1540 wrote to memory of 1372	1540	orden pdf.exe	orden pdf.exe
PID 1540 wrote to memory of 1372	1540	orden pdf.exe	orden pdf.exe
PID 1540 wrote to memory of 1372	1540	orden pdf.exe	orden pdf.exe
PID 1540 wrote to memory of 1372	1540	orden pdf.exe	orden pdf.exe
PID 1540 wrote to memory of 1104	1540	orden pdf.exe	orden pdf.exe
PID 1540 wrote to memory of 1104	1540	orden pdf.exe	orden pdf.exe
PID 1540 wrote to memory of 1104	1540	orden pdf.exe	orden pdf.exe
PID 1540 wrote to memory of 1104	1540	orden pdf.exe	orden pdf.exe
PID 1540 wrote to memory of 592	1540	orden pdf.exe	orden pdf.exe
PID 1540 wrote to memory of 592	1540	orden pdf.exe	orden pdf.exe
PID 1540 wrote to memory of 592	1540	orden pdf.exe	orden pdf.exe
PID 1540 wrote to memory of 592	1540	orden pdf.exe	orden pdf.exe

C:\Users\Admin\AppData\Local\Temp\orden pdf.exe
"C:\Users\Admin\AppData\Local\Temp\orden pdf.exe"
1⤵
- Drops startup file
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1540

C:\Users\Admin\AppData\Local\Temp\orden pdf.exe
"C:\Users\Admin\AppData\Local\Temp\orden pdf.exe"
2⤵
PID:1680

C:\Users\Admin\AppData\Local\Temp\orden pdf.exe
"C:\Users\Admin\AppData\Local\Temp\orden pdf.exe"
2⤵
PID:1628

C:\Users\Admin\AppData\Local\Temp\orden pdf.exe
"C:\Users\Admin\AppData\Local\Temp\orden pdf.exe"
2⤵
PID:524

C:\Users\Admin\AppData\Local\Temp\orden pdf.exe
"C:\Users\Admin\AppData\Local\Temp\orden pdf.exe"
2⤵
PID:332

C:\Users\Admin\AppData\Local\Temp\orden pdf.exe
"C:\Users\Admin\AppData\Local\Temp\orden pdf.exe"
2⤵
PID:756

C:\Users\Admin\AppData\Local\Temp\orden pdf.exe
"C:\Users\Admin\AppData\Local\Temp\orden pdf.exe"
2⤵
PID:528

C:\Users\Admin\AppData\Local\Temp\orden pdf.exe
"C:\Users\Admin\AppData\Local\Temp\orden pdf.exe"
2⤵
PID:760

C:\Users\Admin\AppData\Local\Temp\orden pdf.exe
"C:\Users\Admin\AppData\Local\Temp\orden pdf.exe"
2⤵
PID:860

C:\Users\Admin\AppData\Local\Temp\orden pdf.exe
"C:\Users\Admin\AppData\Local\Temp\orden pdf.exe"
2⤵
PID:1388

C:\Users\Admin\AppData\Local\Temp\orden pdf.exe
"C:\Users\Admin\AppData\Local\Temp\orden pdf.exe"
2⤵
PID:560

C:\Users\Admin\AppData\Local\Temp\orden pdf.exe
"C:\Users\Admin\AppData\Local\Temp\orden pdf.exe"
2⤵
PID:304

C:\Users\Admin\AppData\Local\Temp\orden pdf.exe
"C:\Users\Admin\AppData\Local\Temp\orden pdf.exe"
2⤵
PID:1644

C:\Users\Admin\AppData\Local\Temp\orden pdf.exe
"C:\Users\Admin\AppData\Local\Temp\orden pdf.exe"
2⤵
PID:1368

C:\Users\Admin\AppData\Local\Temp\orden pdf.exe
"C:\Users\Admin\AppData\Local\Temp\orden pdf.exe"
2⤵
PID:1372

C:\Users\Admin\AppData\Local\Temp\orden pdf.exe
"C:\Users\Admin\AppData\Local\Temp\orden pdf.exe"
2⤵
PID:1104

C:\Users\Admin\AppData\Local\Temp\orden pdf.exe
"C:\Users\Admin\AppData\Local\Temp\orden pdf.exe"
2⤵
PID:592

C:\Users\Admin\AppData\Local\Temp\orden pdf.exe
"C:\Users\Admin\AppData\Local\Temp\orden pdf.exe"
2⤵
PID:1840

C:\Users\Admin\AppData\Local\Temp\orden pdf.exe
"C:\Users\Admin\AppData\Local\Temp\orden pdf.exe"
2⤵
PID:1708

C:\Users\Admin\AppData\Local\Temp\orden pdf.exe
"C:\Users\Admin\AppData\Local\Temp\orden pdf.exe"
2⤵
PID:1700

C:\Users\Admin\AppData\Local\Temp\orden pdf.exe
"C:\Users\Admin\AppData\Local\Temp\orden pdf.exe"
2⤵
PID:1180

C:\Users\Admin\AppData\Local\Temp\orden pdf.exe
"C:\Users\Admin\AppData\Local\Temp\orden pdf.exe"
2⤵
PID:1168

C:\Users\Admin\AppData\Local\Temp\orden pdf.exe
"C:\Users\Admin\AppData\Local\Temp\orden pdf.exe"
2⤵
PID:1988

C:\Users\Admin\AppData\Local\Temp\orden pdf.exe
"C:\Users\Admin\AppData\Local\Temp\orden pdf.exe"
2⤵
PID:1072

C:\Users\Admin\AppData\Local\Temp\orden pdf.exe
"C:\Users\Admin\AppData\Local\Temp\orden pdf.exe"
2⤵
PID:1244

C:\Users\Admin\AppData\Local\Temp\orden pdf.exe
"C:\Users\Admin\AppData\Local\Temp\orden pdf.exe"
2⤵
PID:396

C:\Users\Admin\AppData\Local\Temp\orden pdf.exe
"C:\Users\Admin\AppData\Local\Temp\orden pdf.exe"
2⤵
PID:976

C:\Users\Admin\AppData\Local\Temp\orden pdf.exe
"C:\Users\Admin\AppData\Local\Temp\orden pdf.exe"
2⤵
PID:1996

C:\Users\Admin\AppData\Local\Temp\orden pdf.exe
"C:\Users\Admin\AppData\Local\Temp\orden pdf.exe"
2⤵
PID:1972

C:\Users\Admin\AppData\Local\Temp\orden pdf.exe
"C:\Users\Admin\AppData\Local\Temp\orden pdf.exe"
2⤵
PID:2020

C:\Users\Admin\AppData\Local\Temp\orden pdf.exe
"C:\Users\Admin\AppData\Local\Temp\orden pdf.exe"
2⤵
PID:1088

C:\Users\Admin\AppData\Local\Temp\orden pdf.exe
"C:\Users\Admin\AppData\Local\Temp\orden pdf.exe"
2⤵
PID:1332

C:\Users\Admin\AppData\Local\Temp\orden pdf.exe
"C:\Users\Admin\AppData\Local\Temp\orden pdf.exe"
2⤵
PID:2004

C:\Users\Admin\AppData\Local\Temp\orden pdf.exe
"C:\Users\Admin\AppData\Local\Temp\orden pdf.exe"
2⤵
PID:1852

C:\Users\Admin\AppData\Local\Temp\orden pdf.exe
"C:\Users\Admin\AppData\Local\Temp\orden pdf.exe"
2⤵
PID:1592

C:\Users\Admin\AppData\Local\Temp\orden pdf.exe
"C:\Users\Admin\AppData\Local\Temp\orden pdf.exe"
2⤵
PID:1800

C:\Users\Admin\AppData\Local\Temp\orden pdf.exe
"C:\Users\Admin\AppData\Local\Temp\orden pdf.exe"
2⤵
PID:1596

C:\Users\Admin\AppData\Local\Temp\orden pdf.exe
"C:\Users\Admin\AppData\Local\Temp\orden pdf.exe"
2⤵
PID:1692

C:\Users\Admin\AppData\Local\Temp\orden pdf.exe
"C:\Users\Admin\AppData\Local\Temp\orden pdf.exe"
2⤵
PID:1688

C:\Users\Admin\AppData\Local\Temp\orden pdf.exe
"C:\Users\Admin\AppData\Local\Temp\orden pdf.exe"
2⤵
PID:1000

C:\Users\Admin\AppData\Local\Temp\orden pdf.exe
"C:\Users\Admin\AppData\Local\Temp\orden pdf.exe"
2⤵
PID:1188

C:\Users\Admin\AppData\Local\Temp\orden pdf.exe
"C:\Users\Admin\AppData\Local\Temp\orden pdf.exe"
2⤵
PID:1668

C:\Users\Admin\AppData\Local\Temp\orden pdf.exe
"C:\Users\Admin\AppData\Local\Temp\orden pdf.exe"
2⤵
PID:992

C:\Users\Admin\AppData\Local\Temp\orden pdf.exe
"C:\Users\Admin\AppData\Local\Temp\orden pdf.exe"
2⤵
PID:1484

C:\Users\Admin\AppData\Local\Temp\orden pdf.exe
"C:\Users\Admin\AppData\Local\Temp\orden pdf.exe"
2⤵
PID:1508

C:\Users\Admin\AppData\Local\Temp\orden pdf.exe
"C:\Users\Admin\AppData\Local\Temp\orden pdf.exe"
2⤵
PID:1720

C:\Users\Admin\AppData\Local\Temp\orden pdf.exe
"C:\Users\Admin\AppData\Local\Temp\orden pdf.exe"
2⤵
PID:1844

C:\Users\Admin\AppData\Local\Temp\orden pdf.exe
"C:\Users\Admin\AppData\Local\Temp\orden pdf.exe"
2⤵
PID:1632

C:\Users\Admin\AppData\Local\Temp\orden pdf.exe
"C:\Users\Admin\AppData\Local\Temp\orden pdf.exe"
2⤵
PID:1732

C:\Users\Admin\AppData\Local\Temp\orden pdf.exe
"C:\Users\Admin\AppData\Local\Temp\orden pdf.exe"
2⤵
PID:1460

C:\Users\Admin\AppData\Local\Temp\orden pdf.exe
"C:\Users\Admin\AppData\Local\Temp\orden pdf.exe"
2⤵
PID:1636

C:\Users\Admin\AppData\Local\Temp\orden pdf.exe
"C:\Users\Admin\AppData\Local\Temp\orden pdf.exe"
2⤵
PID:972

C:\Users\Admin\AppData\Local\Temp\orden pdf.exe
"C:\Users\Admin\AppData\Local\Temp\orden pdf.exe"
2⤵
PID:1784

C:\Users\Admin\AppData\Local\Temp\orden pdf.exe
"C:\Users\Admin\AppData\Local\Temp\orden pdf.exe"
2⤵
PID:1928

C:\Users\Admin\AppData\Local\Temp\orden pdf.exe
"C:\Users\Admin\AppData\Local\Temp\orden pdf.exe"
2⤵
PID:556

C:\Users\Admin\AppData\Local\Temp\orden pdf.exe
"C:\Users\Admin\AppData\Local\Temp\orden pdf.exe"
2⤵
PID:1748

C:\Users\Admin\AppData\Local\Temp\orden pdf.exe
"C:\Users\Admin\AppData\Local\Temp\orden pdf.exe"
2⤵
PID:676

C:\Users\Admin\AppData\Local\Temp\orden pdf.exe
"C:\Users\Admin\AppData\Local\Temp\orden pdf.exe"
2⤵
PID:1500

C:\Users\Admin\AppData\Local\Temp\orden pdf.exe
"C:\Users\Admin\AppData\Local\Temp\orden pdf.exe"
2⤵
PID:1060

C:\Users\Admin\AppData\Local\Temp\orden pdf.exe
"C:\Users\Admin\AppData\Local\Temp\orden pdf.exe"
2⤵
PID:1560

C:\Users\Admin\AppData\Local\Temp\orden pdf.exe
"C:\Users\Admin\AppData\Local\Temp\orden pdf.exe"
2⤵
PID:1068

C:\Users\Admin\AppData\Local\Temp\orden pdf.exe
"C:\Users\Admin\AppData\Local\Temp\orden pdf.exe"
2⤵
PID:1064

C:\Users\Admin\AppData\Local\Temp\orden pdf.exe
"C:\Users\Admin\AppData\Local\Temp\orden pdf.exe"
2⤵
PID:1984

C:\Users\Admin\AppData\Local\Temp\orden pdf.exe
"C:\Users\Admin\AppData\Local\Temp\orden pdf.exe"
2⤵
PID:1704

C:\Users\Admin\AppData\Local\Temp\orden pdf.exe
"C:\Users\Admin\AppData\Local\Temp\orden pdf.exe"
2⤵
PID:1712

C:\Users\Admin\AppData\Local\Temp\orden pdf.exe
"C:\Users\Admin\AppData\Local\Temp\orden pdf.exe"
2⤵
PID:892

C:\Users\Admin\AppData\Local\Temp\orden pdf.exe
"C:\Users\Admin\AppData\Local\Temp\orden pdf.exe"
2⤵
PID:1476

C:\Users\Admin\AppData\Local\Temp\orden pdf.exe
"C:\Users\Admin\AppData\Local\Temp\orden pdf.exe"
2⤵
PID:1412

C:\Users\Admin\AppData\Local\Temp\orden pdf.exe
"C:\Users\Admin\AppData\Local\Temp\orden pdf.exe"
2⤵
PID:1536

C:\Users\Admin\AppData\Local\Temp\orden pdf.exe
"C:\Users\Admin\AppData\Local\Temp\orden pdf.exe"
2⤵
PID:1480

C:\Users\Admin\AppData\Local\Temp\orden pdf.exe
"C:\Users\Admin\AppData\Local\Temp\orden pdf.exe"
2⤵
PID:1588

C:\Users\Admin\AppData\Local\Temp\orden pdf.exe
"C:\Users\Admin\AppData\Local\Temp\orden pdf.exe"
2⤵
PID:1724

C:\Users\Admin\AppData\Local\Temp\orden pdf.exe
"C:\Users\Admin\AppData\Local\Temp\orden pdf.exe"
2⤵
PID:1728

C:\Users\Admin\AppData\Local\Temp\orden pdf.exe
"C:\Users\Admin\AppData\Local\Temp\orden pdf.exe"
2⤵
PID:1848

C:\Users\Admin\AppData\Local\Temp\orden pdf.exe
"C:\Users\Admin\AppData\Local\Temp\orden pdf.exe"
2⤵
PID:1048

C:\Users\Admin\AppData\Local\Temp\orden pdf.exe
"C:\Users\Admin\AppData\Local\Temp\orden pdf.exe"
2⤵
PID:2056

C:\Users\Admin\AppData\Local\Temp\orden pdf.exe
"C:\Users\Admin\AppData\Local\Temp\orden pdf.exe"
2⤵
PID:2064

C:\Users\Admin\AppData\Local\Temp\orden pdf.exe
"C:\Users\Admin\AppData\Local\Temp\orden pdf.exe"
2⤵
PID:2072

C:\Users\Admin\AppData\Local\Temp\orden pdf.exe
"C:\Users\Admin\AppData\Local\Temp\orden pdf.exe"
2⤵
PID:2080

C:\Users\Admin\AppData\Local\Temp\orden pdf.exe
"C:\Users\Admin\AppData\Local\Temp\orden pdf.exe"
2⤵
PID:2088

C:\Users\Admin\AppData\Local\Temp\orden pdf.exe
"C:\Users\Admin\AppData\Local\Temp\orden pdf.exe"
2⤵
PID:2096

C:\Users\Admin\AppData\Local\Temp\orden pdf.exe
"C:\Users\Admin\AppData\Local\Temp\orden pdf.exe"
2⤵
PID:2104

C:\Users\Admin\AppData\Local\Temp\orden pdf.exe
"C:\Users\Admin\AppData\Local\Temp\orden pdf.exe"
2⤵
PID:2112

C:\Users\Admin\AppData\Local\Temp\orden pdf.exe
"C:\Users\Admin\AppData\Local\Temp\orden pdf.exe"
2⤵
PID:2120

C:\Users\Admin\AppData\Local\Temp\orden pdf.exe
"C:\Users\Admin\AppData\Local\Temp\orden pdf.exe"
2⤵
PID:2128

C:\Users\Admin\AppData\Local\Temp\orden pdf.exe
"C:\Users\Admin\AppData\Local\Temp\orden pdf.exe"
2⤵
PID:2136

C:\Users\Admin\AppData\Local\Temp\orden pdf.exe
"C:\Users\Admin\AppData\Local\Temp\orden pdf.exe"
2⤵
PID:2144

C:\Users\Admin\AppData\Local\Temp\orden pdf.exe
"C:\Users\Admin\AppData\Local\Temp\orden pdf.exe"
2⤵
PID:2152

C:\Users\Admin\AppData\Local\Temp\orden pdf.exe
"C:\Users\Admin\AppData\Local\Temp\orden pdf.exe"
2⤵
PID:2160

C:\Users\Admin\AppData\Local\Temp\orden pdf.exe
"C:\Users\Admin\AppData\Local\Temp\orden pdf.exe"
2⤵
PID:2168

C:\Users\Admin\AppData\Local\Temp\orden pdf.exe
"C:\Users\Admin\AppData\Local\Temp\orden pdf.exe"
2⤵
PID:2176

C:\Users\Admin\AppData\Local\Temp\orden pdf.exe
"C:\Users\Admin\AppData\Local\Temp\orden pdf.exe"
2⤵
PID:2184

C:\Users\Admin\AppData\Local\Temp\orden pdf.exe
"C:\Users\Admin\AppData\Local\Temp\orden pdf.exe"
2⤵
PID:2192

C:\Users\Admin\AppData\Local\Temp\orden pdf.exe
"C:\Users\Admin\AppData\Local\Temp\orden pdf.exe"
2⤵
PID:2200

C:\Users\Admin\AppData\Local\Temp\orden pdf.exe
"C:\Users\Admin\AppData\Local\Temp\orden pdf.exe"
2⤵
PID:2208

C:\Users\Admin\AppData\Local\Temp\orden pdf.exe
"C:\Users\Admin\AppData\Local\Temp\orden pdf.exe"
2⤵
PID:2216

C:\Users\Admin\AppData\Local\Temp\orden pdf.exe
"C:\Users\Admin\AppData\Local\Temp\orden pdf.exe"
2⤵
PID:2224

C:\Users\Admin\AppData\Local\Temp\orden pdf.exe
"C:\Users\Admin\AppData\Local\Temp\orden pdf.exe"
2⤵
PID:2232

C:\Users\Admin\AppData\Local\Temp\orden pdf.exe
"C:\Users\Admin\AppData\Local\Temp\orden pdf.exe"
2⤵
PID:2240

C:\Users\Admin\AppData\Local\Temp\orden pdf.exe
"C:\Users\Admin\AppData\Local\Temp\orden pdf.exe"
2⤵
PID:2248

C:\Users\Admin\AppData\Local\Temp\orden pdf.exe
"C:\Users\Admin\AppData\Local\Temp\orden pdf.exe"
2⤵
PID:2256

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1540-54-0x0000000075891000-0x0000000075893000-memory.dmp

Filesize
8KB

Download
memory/1540-55-0x0000000000240000-0x000000000026D000-memory.dmp

Filesize
180KB

Download
memory/1540-56-0x0000000000120000-0x0000000000123000-memory.dmp

Filesize
12KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads