Analysis
max time kernel: 150s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20240419-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04-05-2024 04:04
Static task: static1
Behavioral task behavioral1: sample New Order.exe, resource win7-20240221-en
Behavioral task behavioral2: sample New Order.exe, resource win10v2004-20240419-en
Behavioral task behavioral3: sample order list.exe, resource win7-20240215-en
Behavioral task behavioral4: sample order list.exe, resource win10v2004-20240419-en
General
Target: order list.exe
Size: 644KB
MD5: d2bdfbfa39edbb7b3823e241290a567b
SHA1: 2a36ff5df72bbcc71ae4a47c6db12d3f36e47eec
SHA256: 94b7faaa8caa0ffc8b44bce17629f8f758d79db26276a2b2844d6ac1fde122d3
SHA512: 02be573dfe4e12505404973d55f196e088e2663940317e849eefad49c0a22a5f6b5d34230e2285bbe500716774f19851cb608edd614789c03574eec0cb602a70
SSDEEP: 12288:QNHoLQeRh4W8ZJ76qXIvhMPmMXCiQ3dGfAWipVzCqo1r9zu4V:2HoLQeRh4P/6qXIv6+MXT+cizdgr9zuQ
Malware Config
Extracted: netwire
C2:
213.183.58.34:1030
blackhills.ddns.net:1030
blackhills.ddns.net:1031
213.183.58.34:1031
activex_autorun: true
activex_key: {P2HS6W4T-M16S-63O5-N061-BDQICW15LK6G}
copy_executable: true
delete_original: true
host_id: HostId-%Rand%
install_path: %AppData%\Install\Host.exe
keylogger_dir: %AppData%\Logs\
lock_executable: true
mutex: HxAduTti
offline_keylogger: true
password: Password
registry_autorun: true
startup_name: svchost
use_mutex: true
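The fields above map one-to-one onto artifacts the sandbox later recorded under Signatures: install_path and startup_name become the Run\svchost value pointing at Host.exe, activex_key becomes the Active Setup Installed Components GUID with its StubPath, and mutex becomes the HxAduTti object. The script below is an added example, not part of the report and not NetWire or sandbox code; it performs that expansion so the config can be turned into host and network indicators. The profile path substituted for %AppData% (the report's Admin user) and the treatment of %Rand% as a wildcard are its assumptions.

```python
"""Turn the extracted NetWire configuration into host and network indicators.

Added example, not code from the sandbox report or from NetWire itself. The
config dict is transcribed from the Malware Config section; the profile path
used to expand %AppData% is an assumption (the report's sandbox user is Admin).
"""
import ipaddress
import re

NETWIRE_CONFIG = {
    "c2": [
        "213.183.58.34:1030",
        "blackhills.ddns.net:1030",
        "blackhills.ddns.net:1031",
        "213.183.58.34:1031",
    ],
    "activex_autorun": True,
    "activex_key": "{P2HS6W4T-M16S-63O5-N061-BDQICW15LK6G}",
    "copy_executable": True,
    "delete_original": True,
    "host_id": "HostId-%Rand%",
    "install_path": "%AppData%\\Install\\Host.exe",
    "keylogger_dir": "%AppData%\\Logs\\",
    "lock_executable": True,
    "mutex": "HxAduTti",
    "offline_keylogger": True,
    "password": "Password",        # NetWire's C2 password; not a host indicator
    "registry_autorun": True,
    "startup_name": "svchost",
    "use_mutex": True,
}

DEFAULT_APPDATA = "C:\\Users\\Admin\\AppData\\Roaming"   # assumed profile path


def expand_appdata(path, appdata=DEFAULT_APPDATA):
    """Resolve the %AppData% placeholder (case-insensitive) for one user profile."""
    return re.sub(r"%AppData%", lambda _m: appdata, path, flags=re.IGNORECASE)


def network_iocs(config):
    """Split each C2 entry into (host, port, kind) with kind 'ip' or 'domain'."""
    result = []
    for entry in config["c2"]:
        host, _, port = entry.rpartition(":")
        try:
            ipaddress.ip_address(host)
            kind = "ip"
        except ValueError:
            kind = "domain"
        result.append((host, int(port), kind))
    return result


def host_iocs(config, appdata=DEFAULT_APPDATA):
    """Persistence and runtime artifacts implied by the config flags.

    Each corresponds to an observation in the Signatures section: the
    Run\\svchost value, the Active Setup StubPath under the activex_key GUID,
    the dropped Host.exe and the HxAduTti mutex.
    """
    install = expand_appdata(config["install_path"], appdata)
    iocs = {"files": [install], "registry": [], "mutex": [], "host_id": None}
    if config.get("offline_keylogger"):
        iocs["files"].append(expand_appdata(config["keylogger_dir"], appdata))
    if config.get("registry_autorun"):
        iocs["registry"].append(
            ("HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run",
             config["startup_name"], install))
    if config.get("activex_autorun"):
        # A 32-bit stub on x64 Windows writes under WOW6432Node, as the report shows.
        key = ("HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Active Setup\\Installed Components\\"
               + config["activex_key"])
        iocs["registry"].append((key, "StubPath", install))
    if config.get("use_mutex"):
        iocs["mutex"].append(config["mutex"])
    # %Rand% is filled in per victim, so match host_id as a pattern rather than
    # literally (assumption about how the stub resolves the placeholder).
    pattern = re.escape(config["host_id"]).replace(re.escape("%Rand%"), ".+")
    iocs["host_id"] = re.compile("^" + pattern + "$")
    return iocs


if __name__ == "__main__":
    for host, port, kind in network_iocs(NETWIRE_CONFIG):
        print(f"C2 {kind:6} {host}:{port}")
    found = host_iocs(NETWIRE_CONFIG)
    for key, name, value in found["registry"]:
        print(f"registry {key}\\{name} = {value}")
    print("files:", found["files"], "mutex:", found["mutex"])
```

The registry tuples are (key, value name, expected data), which is the shape a host sweep needs: the value name "svchost" under HKCU Run is the masquerade, and the data is the path under AppData that should never hold a real svchost.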
Signatures
Babylon RAT
Babylon RAT is a remote access trojan written in C++.
NetWire RAT payload (2 IoCs)
yara rule netwire matched:
behavioral4/files/0x0016000000023b8e-90.dat
behavioral4/memory/2996-103-0x0000000000400000-0x0000000000420000-memory.dmp
Modifies Installed Components in the registry (2 TTPs, 2 IoCs)
Process: Host.exe
Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{P2HS6W4T-M16S-63O5-N061-BDQICW15LK6G}
Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{P2HS6W4T-M16S-63O5-N061-BDQICW15LK6G}\StubPath = "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
Checks computer location settings (2 TTPs, 22 IoCs)
Looks up country code configured in the registry, likely geofence.
Key value queried: \REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation
Queried by: svchost.exe (20 entries), order list.exe (1 entry), c496228d2aee918eb567f499a542387ea28.exe (1 entry)
Executes dropped EXE (64 IoCs)
Processes: c496228d2aee918eb567f499a542387ea28.exe, order list.exe, svchost.exe, Host.exe, rundll.exe
pid process (the sandbox OS reuses pids during the run, e.g. 4560, 2996 and 4592 each appear twice with different images):
1740 c496228d2aee918eb567f499a542387ea28.exe; 2312 order list.exe; 2200 order list.exe; 1292 order list.exe; 3700 svchost.exe; 4828 order list.exe; 3248 svchost.exe; 1960 order list.exe; 4852 svchost.exe; 3200 order list.exe
4560 svchost.exe; 3324 order list.exe; 2488 order list.exe; 4592 svchost.exe; 1632 order list.exe; 3176 order list.exe; 3664 order list.exe; 2004 svchost.exe; 2996 Host.exe; 4916 c496228d2aee918eb567f499a542387ea28.exe
988 Host.exe; 2900 rundll.exe; 400 order list.exe; 1528 svchost.exe; 1832 order list.exe; 1236 svchost.exe; 4708 order list.exe; 1680 svchost.exe; 3104 order list.exe; 1624 order list.exe
1692 svchost.exe; 5040 order list.exe; 2668 svchost.exe; 4988 order list.exe; 1288 svchost.exe; 2500 order list.exe; 3428 order list.exe; 2520 order list.exe; 2060 order list.exe; 764 svchost.exe
628 order list.exe; 3448 svchost.exe; 4560 order list.exe; 4384 svchost.exe; 4364 order list.exe; 2996 svchost.exe; 4592 order list.exe; 3812 svchost.exe; 5032 order list.exe; 4648 order list.exe
4720 order list.exe; 4248 order list.exe; 4728 svchost.exe; 5080 order list.exe; 4468 svchost.exe; 4388 order list.exe; 1364 svchost.exe; 2632 order list.exe; 4548 svchost.exe; 5084 order list.exe
4644 order list.exe; 2324 svchost.exe; 3928 order list.exe; 4444 svchost.exe
UPX-packed memory regions (7 IoCs)
yara rule upx matched:
behavioral4/memory/2312-20-0x0000000000400000-0x00000000004C9000-memory.dmp
behavioral4/memory/2312-23-0x0000000000400000-0x00000000004C9000-memory.dmp
behavioral4/memory/2312-18-0x0000000000400000-0x00000000004C9000-memory.dmp
behavioral4/memory/2312-24-0x0000000000400000-0x00000000004C9000-memory.dmp
behavioral4/memory/2312-22-0x0000000000400000-0x00000000004C9000-memory.dmp
behavioral4/memory/400-118-0x0000000000400000-0x00000000004C9000-memory.dmp
behavioral4/memory/400-119-0x0000000000400000-0x00000000004C9000-memory.dmp
Adds Run key to start application (2 TTPs, 64 IoCs)
Processes: order list.exe, Host.exe
Set value (str), 63 identical entries by order list.exe:
\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\conhost = "C:\ProgramData\adobe\svchost.exe"
Set value (str), 1 entry by Host.exe:
\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
Suspicious use of SetThreadContext (64 IoCs)
Processes: order list.exe, c496228d2aee918eb567f499a542387ea28.exe
PID 412 (order list.exe) set thread context of 63 child processes, listed as target pid (sandbox process index):
2312 (99), 1292 (104), 4828 (106), 1960 (108), 3200 (110), 2488 (113), 3664 (119), 400 (125), 1832 (130), 4708 (132), 1624 (138), 5040 (140), 4988 (142), 2060 (149), 628 (151), 4560 (153), 4364 (157), 4592 (159), 4720 (164), 5080 (168), 4388 (170), 2632 (172), 4644 (177), 3928 (179), 4832 (181), 1140 (187), 3436 (194), 5024 (197), 3308 (201), 1236 (203), 1856 (205), 944 (209), 3640 (211), 3244 (213), 2620 (217), 348 (222), 3520 (224), 1692 (228), 3768 (231), 3804 (239), 2444 (245), 540 (249), 4872 (257), 4984 (262), 3096 (264), 2688 (266), 3248 (270), 748 (272), 4628 (274), 2676 (278), 3344 (281), 1240 (283), 764 (287), 2668 (290), 4012 (292), 1104 (296), 4316 (298), 2388 (301), 4588 (305), 3084 (309), 4412 (311), 4116 (315), 452 (317)
PID 1740 (c496228d2aee918eb567f499a542387ea28.exe) set thread context of 4916 (122)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Program crash (1 IoC)
WerFault.exe (PID 3448) handled a crash of PID 2312, order list.exe (sandbox process index 99)
Creates scheduled task(s) (1 TTP, 22 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
schtasks.exe pids: 928, 2680, 2284, 1028, 3564, 4000, 1628, 4460, 4956, 1644, 2816, 4848, 4376, 2284, 3784, 3588, 3320, 4960, 452, 4116, 4460, 812
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: order list.exe, c496228d2aee918eb567f499a542387ea28.exe, rundll.exe
PID 412 order list.exe: 26 entries
PID 1740 c496228d2aee918eb567f499a542387ea28.exe: 2 entries
PID 2900 rundll.exe: 36 entries
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes: order list.exe, c496228d2aee918eb567f499a542387ea28.exe, rundll.exe
PID 412 order list.exe: SeDebugPrivilege
PIDs 1292, 4828, 1960, 3200, 2488, 3664, 400, 1832, 4708, 1624, 5040, 4988, 2060, 628, 4560, 4364, 4592, 4720, 5080, 4388 (order list.exe, each a SetThreadContext target of PID 412): SeShutdownPrivilege, SeDebugPrivilege, SeTcbPrivilege
PID 1740 c496228d2aee918eb567f499a542387ea28.exe: SeDebugPrivilege
PID 2900 rundll.exe: SeDebugPrivilege
PID 2632 order list.exe: SeShutdownPrivilege (the listing ends here at 64 entries)
Suspicious use of WriteProcessMemory (64 IoCs)
Processes: order list.exe
source pid -> target pid (sandbox process index): number of write events
412 (order list.exe) -> 928 (96): 3
412 -> 1740 (98): 3
412 -> 2312 (99): 7
412 -> 2200 (103): 3
412 -> 1292 (104): 7
1292 (order list.exe) -> 3700 (105): 3
412 -> 4828 (106): 7
4828 (order list.exe) -> 3248 (107): 3
412 -> 1960 (108): 7
1960 (order list.exe) -> 4852 (109): 3
412 -> 3200 (110): 7
3200 (order list.exe) -> 4560 (111): 3
412 -> 3324 (112): 3
412 -> 2488 (113): 5 (the listing ends here at 64 entries)
Processes
C:\Users\Admin\AppData\Local\Temp\order list.exe  "C:\Users\Admin\AppData\Local\Temp\order list.exe"  PID:412
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\schtasks.exe  "C:\Windows\System32\schtasks.exe" /Create /TN "Update\conhost" /XML "C:\Users\Admin\AppData\Local\Temp\z95"  PID:928
    - Creates scheduled task(s)
  C:\Users\Admin\AppData\Local\Temp\c496228d2aee918eb567f499a542387ea28.exec496228d2aee918eb567f499a542387ea28.exe  "C:\Users\Admin\AppData\Local\Temp\c496228d2aee918eb567f499a542387ea28.exec496228d2aee918eb567f499a542387ea28.exe"  PID:1740
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\schtasks.exe  "C:\Windows\System32\schtasks.exe" /Create /TN "Update\conhost" /XML "C:\Users\Admin\AppData\Local\Temp\z373"  PID:1028
      - Creates scheduled task(s)
    C:\Users\Admin\AppData\Local\Temp\Host.exeHost.exe  "C:\Users\Admin\AppData\Local\Temp\Host.exeHost.exe"  PID:2996
      - Executes dropped EXE
      C:\Users\Admin\AppData\Roaming\Install\Host.exe  -m "C:\Users\Admin\AppData\Local\Temp\Host.exeHost.exe"  PID:988
        - Modifies Installed Components in the registry
        - Executes dropped EXE
        - Adds Run key to start application
    C:\Users\Admin\AppData\Local\Temp\c496228d2aee918eb567f499a542387ea28.exec496228d2aee918eb567f499a542387ea28.exe  "C:\Users\Admin\AppData\Local\Temp\c496228d2aee918eb567f499a542387ea28.exec496228d2aee918eb567f499a542387ea28.exe"  PID:4916
      - Executes dropped EXE
      C:\Users\Admin\AppData\Local\Temp\rundll.exe  C:\Users\Admin\AppData\Local\Temp\rundll.exe  PID:2900
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
  C:\Users\Admin\AppData\Local\Temp\order list.exe  "C:\Users\Admin\AppData\Local\Temp\order list.exe"  PID:2312
    - Executes dropped EXE
    C:\Windows\SysWOW64\WerFault.exe  C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 504  PID:3448
      - Program crash
  C:\Users\Admin\AppData\Local\Temp\order list.exe  "C:\Users\Admin\AppData\Local\Temp\order list.exe"  PID:2200
    - Executes dropped EXE
  C:\Users\Admin\AppData\Local\Temp\order list.exe  "C:\Users\Admin\AppData\Local\Temp\order list.exe"  PID:1292
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\ProgramData\adobe\svchost.exe  "C:\ProgramData\adobe\svchost.exe"  PID:3700
      - Checks computer location settings
      - Executes dropped EXE
      C:\Windows\SysWOW64\schtasks.exe  "C:\Windows\System32\schtasks.exe" /Create /TN "Update\conhost" /XML "C:\Users\Admin\AppData\Local\Temp\z436"  PID:3320
        - Creates scheduled task(s)
  C:\Users\Admin\AppData\Local\Temp\order list.exe  "C:\Users\Admin\AppData\Local\Temp\order list.exe"  PID:4828
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\ProgramData\adobe\svchost.exe  "C:\ProgramData\adobe\svchost.exe"  PID:3248
      - Executes dropped EXE
  C:\Users\Admin\AppData\Local\Temp\order list.exe  "C:\Users\Admin\AppData\Local\Temp\order list.exe"  PID:1960
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\ProgramData\adobe\svchost.exe  "C:\ProgramData\adobe\svchost.exe"  PID:4852
      - Checks computer location settings
      - Executes dropped EXE
      C:\Windows\SysWOW64\schtasks.exe  "C:\Windows\System32\schtasks.exe" /Create /TN "Update\conhost" /XML "C:\Users\Admin\AppData\Local\Temp\z441"  PID:3564
        - Creates scheduled task(s)
  C:\Users\Admin\AppData\Local\Temp\order list.exe  "C:\Users\Admin\AppData\Local\Temp\order list.exe"  PID:3200
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\ProgramData\adobe\svchost.exe  "C:\ProgramData\adobe\svchost.exe"  PID:4560
      - Executes dropped EXE
  C:\Users\Admin\AppData\Local\Temp\order list.exe  "C:\Users\Admin\AppData\Local\Temp\order list.exe"  PID:3324
    - Executes dropped EXE
  C:\Users\Admin\AppData\Local\Temp\order list.exe  "C:\Users\Admin\AppData\Local\Temp\order list.exe"  PID:2488
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    C:\ProgramData\adobe\svchost.exe  "C:\ProgramData\adobe\svchost.exe"  PID:4592
      - Executes dropped EXE
  C:\Users\Admin\AppData\Local\Temp\order list.exe  "C:\Users\Admin\AppData\Local\Temp\order list.exe"  PID:1632
    - Executes dropped EXE
  C:\Users\Admin\AppData\Local\Temp\order list.exe  "C:\Users\Admin\AppData\Local\Temp\order list.exe"  PID:3176
    - Executes dropped EXE
  C:\Users\Admin\AppData\Local\Temp\order list.exe  "C:\Users\Admin\AppData\Local\Temp\order list.exe"  PID:3664
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    C:\ProgramData\adobe\svchost.exe  "C:\ProgramData\adobe\svchost.exe"  PID:2004
      - Checks computer location settings
      - Executes dropped EXE
      C:\Windows\SysWOW64\schtasks.exe  "C:\Windows\System32\schtasks.exe" /Create /TN "Update\conhost" /XML "C:\Users\Admin\AppData\Local\Temp\z488"  PID:4960
        - Creates scheduled task(s)
  C:\Users\Admin\AppData\Local\Temp\order list.exe  "C:\Users\Admin\AppData\Local\Temp\order list.exe"  PID:400
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    C:\ProgramData\adobe\svchost.exe  "C:\ProgramData\adobe\svchost.exe"  PID:1528
      - Executes dropped EXE
  C:\Users\Admin\AppData\Local\Temp\order list.exe  "C:\Users\Admin\AppData\Local\Temp\order list.exe"  PID:1832
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    C:\ProgramData\adobe\svchost.exe  "C:\ProgramData\adobe\svchost.exe"  PID:1236
      - Executes dropped EXE
  C:\Users\Admin\AppData\Local\Temp\order list.exe  "C:\Users\Admin\AppData\Local\Temp\order list.exe"  PID:4708
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    C:\ProgramData\adobe\svchost.exe  "C:\ProgramData\adobe\svchost.exe"  PID:1680
      - Checks computer location settings
      - Executes dropped EXE
      C:\Windows\SysWOW64\schtasks.exe  "C:\Windows\System32\schtasks.exe" /Create /TN "Update\conhost" /XML "C:\Users\Admin\AppData\Local\Temp\z844"  PID:2816
        - Creates scheduled task(s)
  C:\Users\Admin\AppData\Local\Temp\order list.exe  "C:\Users\Admin\AppData\Local\Temp\order list.exe"  PID:3104
    - Executes dropped EXE
  C:\Users\Admin\AppData\Local\Temp\order list.exe  "C:\Users\Admin\AppData\Local\Temp\order list.exe"  PID:1624
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    C:\ProgramData\adobe\svchost.exe  "C:\ProgramData\adobe\svchost.exe"  PID:1692
      - Executes dropped EXE
  C:\Users\Admin\AppData\Local\Temp\order list.exe  "C:\Users\Admin\AppData\Local\Temp\order list.exe"  PID:5040
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    C:\ProgramData\adobe\svchost.exe  "C:\ProgramData\adobe\svchost.exe"  PID:2668
      - Executes dropped EXE
  C:\Users\Admin\AppData\Local\Temp\order list.exe  "C:\Users\Admin\AppData\Local\Temp\order list.exe"  PID:4988
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    C:\ProgramData\adobe\svchost.exe  "C:\ProgramData\adobe\svchost.exe"  PID:1288
      - Checks computer location settings
      - Executes dropped EXE
      C:\Windows\SysWOW64\schtasks.exe  "C:\Windows\System32\schtasks.exe" /Create /TN "Update\conhost" /XML "C:\Users\Admin\AppData\Local\Temp\z3"  PID:4848
        - Creates scheduled task(s)
  C:\Users\Admin\AppData\Local\Temp\order list.exe  "C:\Users\Admin\AppData\Local\Temp\order list.exe"  PID:2500
    - Executes dropped EXE
  C:\Users\Admin\AppData\Local\Temp\order list.exe  "C:\Users\Admin\AppData\Local\Temp\order list.exe"  PID:3428
    - Executes dropped EXE
  C:\Users\Admin\AppData\Local\Temp\order list.exe  "C:\Users\Admin\AppData\Local\Temp\order list.exe"  PID:2520
    - Executes dropped EXE
  C:\Users\Admin\AppData\Local\Temp\order list.exe  "C:\Users\Admin\AppData\Local\Temp\order list.exe"  PID:2060
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    C:\ProgramData\adobe\svchost.exe  "C:\ProgramData\adobe\svchost.exe"  PID:764
      - Executes dropped EXE
  C:\Users\Admin\AppData\Local\Temp\order list.exe  "C:\Users\Admin\AppData\Local\Temp\order list.exe"  PID:628
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    C:\ProgramData\adobe\svchost.exe  "C:\ProgramData\adobe\svchost.exe"  PID:3448
      - Executes dropped EXE
  C:\Users\Admin\AppData\Local\Temp\order list.exe  "C:\Users\Admin\AppData\Local\Temp\order list.exe"  PID:4560
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    C:\ProgramData\adobe\svchost.exe  "C:\ProgramData\adobe\svchost.exe"  PID:4384
      - Checks computer location settings
      - Executes dropped EXE
      C:\Windows\SysWOW64\schtasks.exe  "C:\Windows\System32\schtasks.exe" /Create /TN "Update\conhost" /XML "C:\Users\Admin\AppData\Local\Temp\z74"  PID:4000
        - Creates scheduled task(s)
  C:\Users\Admin\AppData\Local\Temp\order list.exe  "C:\Users\Admin\AppData\Local\Temp\order list.exe"  PID:4364
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    C:\ProgramData\adobe\svchost.exe  "C:\ProgramData\adobe\svchost.exe"  PID:2996
      - Executes dropped EXE
  C:\Users\Admin\AppData\Local\Temp\order list.exe  "C:\Users\Admin\AppData\Local\Temp\order list.exe"  PID:4592
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    C:\ProgramData\adobe\svchost.exe  "C:\ProgramData\adobe\svchost.exe"  PID:3812
      - Executes dropped EXE
  C:\Users\Admin\AppData\Local\Temp\order list.exe  "C:\Users\Admin\AppData\Local\Temp\order list.exe"  PID:5032
    - Executes dropped EXE
  C:\Users\Admin\AppData\Local\Temp\order list.exe  "C:\Users\Admin\AppData\Local\Temp\order list.exe"  PID:4648
    - Executes dropped EXE
  C:\Users\Admin\AppData\Local\Temp\order list.exe  "C:\Users\Admin\AppData\Local\Temp\order list.exe"  PID:4248
    - Executes dropped EXE
  C:\Users\Admin\AppData\Local\Temp\order list.exe  "C:\Users\Admin\AppData\Local\Temp\order list.exe"  PID:4720
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    C:\ProgramData\adobe\svchost.exe  "C:\ProgramData\adobe\svchost.exe"  PID:4728
      - Checks computer location settings
      - Executes dropped EXE
      C:\Windows\SysWOW64\schtasks.exe  "C:\Windows\System32\schtasks.exe" /Create /TN "Update\conhost" /XML "C:\Users\Admin\AppData\Local\Temp\z68"  PID:2680
        - Creates scheduled task(s)
  C:\Users\Admin\AppData\Local\Temp\order list.exe  "C:\Users\Admin\AppData\Local\Temp\order list.exe"  PID:5080
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    C:\ProgramData\adobe\svchost.exe  "C:\ProgramData\adobe\svchost.exe"  PID:4468
      - Executes dropped EXE
  C:\Users\Admin\AppData\Local\Temp\order list.exe  "C:\Users\Admin\AppData\Local\Temp\order list.exe"  PID:4388
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    C:\ProgramData\adobe\svchost.exe  "C:\ProgramData\adobe\svchost.exe"  PID:1364
      - Executes dropped EXE
  C:\Users\Admin\AppData\Local\Temp\order list.exe  "C:\Users\Admin\AppData\Local\Temp\order list.exe"  PID:2632
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    C:\ProgramData\adobe\svchost.exe  "C:\ProgramData\adobe\svchost.exe"  PID:4548
      - Checks computer location settings
      - Executes dropped EXE
      C:\Windows\SysWOW64\schtasks.exe  "C:\Windows\System32\schtasks.exe" /Create /TN "Update\conhost" /XML "C:\Users\Admin\AppData\Local\Temp\z119"  PID:452
        - Creates scheduled task(s)
  C:\Users\Admin\AppData\Local\Temp\order list.exe  "C:\Users\Admin\AppData\Local\Temp\order list.exe"  PID:5084
    - Executes dropped EXE
  C:\Users\Admin\AppData\Local\Temp\order list.exe  "C:\Users\Admin\AppData\Local\Temp\order list.exe"  PID:4644
    - Executes dropped EXE
    - Adds Run key to start application
    C:\ProgramData\adobe\svchost.exe  "C:\ProgramData\adobe\svchost.exe"  PID:2324
      - Executes dropped EXE
  C:\Users\Admin\AppData\Local\Temp\order list.exe  "C:\Users\Admin\AppData\Local\Temp\order list.exe"  PID:3928
    - Executes dropped EXE
    - Adds Run key to start application
    C:\ProgramData\adobe\svchost.exe  "C:\ProgramData\adobe\svchost.exe"  PID:4444
      - Executes dropped EXE
  C:\Users\Admin\AppData\Local\Temp\order list.exe  "C:\Users\Admin\AppData\Local\Temp\order list.exe"  PID:4832
    - Adds Run key to start application
    C:\ProgramData\adobe\svchost.exe  "C:\ProgramData\adobe\svchost.exe"  PID:1904
      - Checks computer location settings
      C:\Windows\SysWOW64\schtasks.exe  "C:\Windows\System32\schtasks.exe" /Create /TN "Update\conhost" /XML "C:\Users\Admin\AppData\Local\Temp\z388"  PID:4376
        - Creates scheduled task(s)
  C:\Users\Admin\AppData\Local\Temp\order list.exe  "C:\Users\Admin\AppData\Local\Temp\order list.exe"  PID:3336
  C:\Users\Admin\AppData\Local\Temp\order list.exe  "C:\Users\Admin\AppData\Local\Temp\order list.exe"  PID:1140
    C:\ProgramData\adobe\svchost.exe  "C:\ProgramData\adobe\svchost.exe"  PID:4960
  C:\Users\Admin\AppData\Local\Temp\order list.exe  "C:\Users\Admin\AppData\Local\Temp\order list.exe"  PID:632
  C:\Users\Admin\AppData\Local\Temp\order list.exe  "C:\Users\Admin\AppData\Local\Temp\order list.exe"  PID:3436
    - Adds Run key to start application
    C:\ProgramData\adobe\svchost.exe  "C:\ProgramData\adobe\svchost.exe"  PID:3488
  C:\Users\Admin\AppData\Local\Temp\order list.exe  "C:\Users\Admin\AppData\Local\Temp\order list.exe"  PID:4384
  C:\Users\Admin\AppData\Local\Temp\order list.exe  "C:\Users\Admin\AppData\Local\Temp\order list.exe"  PID:5024
    - Adds Run key to start application
    C:\ProgramData\adobe\svchost.exe  "C:\ProgramData\adobe\svchost.exe"  PID:2796
      - Checks computer location settings
      C:\Windows\SysWOW64\schtasks.exe  "C:\Windows\System32\schtasks.exe" /Create /TN "Update\conhost" /XML "C:\Users\Admin\AppData\Local\Temp\z828"  PID:4116
        - Creates scheduled task(s)
  C:\Users\Admin\AppData\Local\Temp\order list.exe  "C:\Users\Admin\AppData\Local\Temp\order list.exe"  PID:3308
    - Adds Run key to start application
    C:\ProgramData\adobe\svchost.exe  "C:\ProgramData\adobe\svchost.exe"  PID:2492
  C:\Users\Admin\AppData\Local\Temp\order list.exe  "C:\Users\Admin\AppData\Local\Temp\order list.exe"  PID:1236
    - Adds Run key to start application
    C:\ProgramData\adobe\svchost.exe  "C:\ProgramData\adobe\svchost.exe"  PID:2380
  C:\Users\Admin\AppData\Local\Temp\order list.exe  "C:\Users\Admin\AppData\Local\Temp\order list.exe"  PID:1856
    - Adds Run key to start application
    C:\ProgramData\adobe\svchost.exe  "C:\ProgramData\adobe\svchost.exe"  PID:5004
      - Checks computer location settings
      C:\Windows\SysWOW64\schtasks.exe  "C:\Windows\System32\schtasks.exe" /Create /TN "Update\conhost" /XML "C:\Users\Admin\AppData\Local\Temp\z934"  PID:1628
        - Creates scheduled task(s)
  C:\Users\Admin\AppData\Local\Temp\order list.exe  "C:\Users\Admin\AppData\Local\Temp\order list.exe"  PID:944
    - Adds Run key to start application
    C:\ProgramData\adobe\svchost.exe  "C:\ProgramData\adobe\svchost.exe"  PID:972
  C:\Users\Admin\AppData\Local\Temp\order list.exe  "C:\Users\Admin\AppData\Local\Temp\order list.exe"  PID:3640
    - Adds Run key to start application
    C:\ProgramData\adobe\svchost.exe  "C:\ProgramData\adobe\svchost.exe"  PID:2536
  C:\Users\Admin\AppData\Local\Temp\order list.exe  "C:\Users\Admin\AppData\Local\Temp\order list.exe"  PID:3244
    - Adds Run key to start application
    C:\ProgramData\adobe\svchost.exe  "C:\ProgramData\adobe\svchost.exe"  PID:3136
      - Checks computer location settings
      C:\Windows\SysWOW64\schtasks.exe  "C:\Windows\System32\schtasks.exe" /Create /TN "Update\conhost" /XML "C:\Users\Admin\AppData\Local\Temp\z789"  PID:4460
        - Creates scheduled task(s)
  C:\Users\Admin\AppData\Local\Temp\order list.exe  "C:\Users\Admin\AppData\Local\Temp\order list.exe"  PID:2620
    - Adds Run key to start application
    C:\ProgramData\adobe\svchost.exe  "C:\ProgramData\adobe\svchost.exe"  PID:4448
  C:\Users\Admin\AppData\Local\Temp\order list.exe  "C:\Users\Admin\AppData\Local\Temp\order list.exe"  PID:4468
  C:\Users\Admin\AppData\Local\Temp\order list.exe  "C:\Users\Admin\AppData\Local\Temp\order list.exe"  PID:4344
  C:\Users\Admin\AppData\Local\Temp\order list.exe  "C:\Users\Admin\AppData\Local\Temp\order list.exe"  PID:1472
  C:\Users\Admin\AppData\Local\Temp\order list.exe  "C:\Users\Admin\AppData\Local\Temp\order list.exe"  PID:348
    - Adds Run key to start application
    C:\ProgramData\adobe\svchost.exe  "C:\ProgramData\adobe\svchost.exe"  PID:2020
  C:\Users\Admin\AppData\Local\Temp\order list.exe  "C:\Users\Admin\AppData\Local\Temp\order list.exe"  PID:3520
    - Adds Run key to start application
    C:\ProgramData\adobe\svchost.exe  "C:\ProgramData\adobe\svchost.exe"  PID:4548
      - Checks computer location settings
      C:\Windows\SysWOW64\schtasks.exe  "C:\Windows\System32\schtasks.exe" /Create /TN "Update\conhost" /XML "C:\Users\Admin\AppData\Local\Temp\z199"  PID:2284
        - Creates scheduled task(s)
  C:\Users\Admin\AppData\Local\Temp\order list.exe  "C:\Users\Admin\AppData\Local\Temp\order list.exe"  PID:1692
    - Adds Run key to start application
    C:\ProgramData\adobe\svchost.exe  "C:\ProgramData\adobe\svchost.exe"  PID:5116
  C:\Users\Admin\AppData\Local\Temp\order list.exe  "C:\Users\Admin\AppData\Local\Temp\order list.exe"  PID:4296
  C:\Users\Admin\AppData\Local\Temp\order list.exe  "C:\Users\Admin\AppData\Local\Temp\order list.exe"  PID:3768
    - Adds Run key to start application
    C:\ProgramData\adobe\svchost.exe  "C:\ProgramData\adobe\svchost.exe"  PID:5020
  C:\Users\Admin\AppData\Local\Temp\order list.exe  "C:\Users\Admin\AppData\Local\Temp\order list.exe"  PID:2420
  C:\Users\Admin\AppData\Local\Temp\order list.exe  "C:\Users\Admin\AppData\Local\Temp\order list.exe"  PID:4184
  C:\Users\Admin\AppData\Local\Temp\order list.exe  "C:\Users\Admin\AppData\Local\Temp\order list.exe"  PID:4452
  C:\Users\Admin\AppData\Local\Temp\order list.exe  "C:\Users\Admin\AppData\Local\Temp\order list.exe"  PID:3960
  C:\Users\Admin\AppData\Local\Temp\order list.exe  "C:\Users\Admin\AppData\Local\Temp\order list.exe"  PID:4728
  C:\Users\Admin\AppData\Local\Temp\order list.exe  "C:\Users\Admin\AppData\Local\Temp\order list.exe"  PID:4000
  C:\Users\Admin\AppData\Local\Temp\order list.exe  "C:\Users\Admin\AppData\Local\Temp\order list.exe"  PID:3804
    - Adds Run key to start application
    C:\ProgramData\adobe\svchost.exe  "C:\ProgramData\adobe\svchost.exe"  PID:4580
      - Checks computer location settings
      C:\Windows\SysWOW64\schtasks.exe  "C:\Windows\System32\schtasks.exe" /Create /TN "Update\conhost" /XML "C:\Users\Admin\AppData\Local\Temp\z357"  PID:4956
        - Creates scheduled task(s)
  C:\Users\Admin\AppData\Local\Temp\order list.exe  "C:\Users\Admin\AppData\Local\Temp\order list.exe"  PID:776
  C:\Users\Admin\AppData\Local\Temp\order list.exe  "C:\Users\Admin\AppData\Local\Temp\order list.exe"  PID:4972
  C:\Users\Admin\AppData\Local\Temp\order list.exe  "C:\Users\Admin\AppData\Local\Temp\order list.exe"  PID:2444
    - Adds Run key to start application
    C:\ProgramData\adobe\svchost.exe  "C:\ProgramData\adobe\svchost.exe"  PID:3304
  C:\Users\Admin\AppData\Local\Temp\order list.exe  "C:\Users\Admin\AppData\Local\Temp\order list.exe"  PID:3116
  C:\Users\Admin\AppData\Local\Temp\order list.exe  "C:\Users\Admin\AppData\Local\Temp\order list.exe"  PID:540
    - Adds Run key to start application
    C:\ProgramData\adobe\svchost.exe  "C:\ProgramData\adobe\svchost.exe"  PID:3980
  C:\Users\Admin\AppData\Local\Temp\order list.exe  "C:\Users\Admin\AppData\Local\Temp\order list.exe"  PID:4872
    - Adds Run key to start application
    C:\ProgramData\adobe\svchost.exe  "C:\ProgramData\adobe\svchost.exe"  PID:3888
      - Checks computer location settings
      C:\Windows\SysWOW64\schtasks.exe  "C:\Windows\System32\schtasks.exe" /Create /TN "Update\conhost" /XML "C:\Users\Admin\AppData\Local\Temp\z104"  PID:2284
        - Creates scheduled task(s)
  C:\Users\Admin\AppData\Local\Temp\order list.exe  "C:\Users\Admin\AppData\Local\Temp\order list.exe"  PID:4984
    - Adds Run key to start application
    C:\ProgramData\adobe\svchost.exe  "C:\ProgramData\adobe\svchost.exe"  PID:2816
  C:\Users\Admin\AppData\Local\Temp\order list.exe  "C:\Users\Admin\AppData\Local\Temp\order list.exe"  PID:3096
    - Adds Run key to start application
    C:\ProgramData\adobe\svchost.exe  "C:\ProgramData\adobe\svchost.exe"  PID:4264
  C:\Users\Admin\AppData\Local\Temp\order list.exe  "C:\Users\Admin\AppData\Local\Temp\order list.exe"  PID:2688
    - Adds Run key to start application
    C:\ProgramData\adobe\svchost.exe  "C:\ProgramData\adobe\svchost.exe"  PID:4920
      - Checks computer location settings
      C:\Windows\SysWOW64\schtasks.exe  "C:\Windows\System32\schtasks.exe" /Create /TN "Update\conhost" /XML "C:\Users\Admin\AppData\Local\Temp\z373"  PID:3784
        - Creates scheduled task(s)
  C:\Users\Admin\AppData\Local\Temp\order list.exe  "C:\Users\Admin\AppData\Local\Temp\order list.exe"  PID:3248
    - Adds Run key to start application
    C:\ProgramData\adobe\svchost.exe  "C:\ProgramData\adobe\svchost.exe"  PID:4888
  C:\Users\Admin\AppData\Local\Temp\order list.exe  "C:\Users\Admin\AppData\Local\Temp\order list.exe"  PID:748
    - Adds Run key to start application
    C:\ProgramData\adobe\svchost.exe  "C:\ProgramData\adobe\svchost.exe"  PID:4080
  C:\Users\Admin\AppData\Local\Temp\order list.exe  "C:\Users\Admin\AppData\Local\Temp\order list.exe"  PID:4628
    - Adds Run key to start application
    C:\ProgramData\adobe\svchost.exe  "C:\ProgramData\adobe\svchost.exe"  PID:3084
      - Checks computer location settings
      C:\Windows\SysWOW64\schtasks.exe  "C:\Windows\System32\schtasks.exe" /Create /TN "Update\conhost" /XML "C:\Users\Admin\AppData\Local\Temp\z977"  PID:1644
        - Creates scheduled task(s)
  C:\Users\Admin\AppData\Local\Temp\order list.exe  "C:\Users\Admin\AppData\Local\Temp\order list.exe"  PID:2676
    - Adds Run key to start application
    C:\ProgramData\adobe\svchost.exe  "C:\ProgramData\adobe\svchost.exe"  PID:4952
  C:\Users\Admin\AppData\Local\Temp\order list.exe  "C:\Users\Admin\AppData\Local\Temp\order list.exe"  PID:4736
  C:\Users\Admin\AppData\Local\Temp\order list.exe  "C:\Users\Admin\AppData\Local\Temp\order list.exe"  PID:3344
    C:\ProgramData\adobe\svchost.exe  "C:\ProgramData\adobe\svchost.exe"  PID:4180
  C:\Users\Admin\AppData\Local\Temp\order list.exe  "C:\Users\Admin\AppData\Local\Temp\order list.exe"  PID:1240
    - Adds Run key to start application
    C:\ProgramData\adobe\svchost.exe  "C:\ProgramData\adobe\svchost.exe"  PID:2976
      - Checks computer location settings
      C:\Windows\SysWOW64\schtasks.exe  "C:\Windows\System32\schtasks.exe" /Create /TN "Update\conhost" /XML "C:\Users\Admin\AppData\Local\Temp\z832"  PID:4460
        - Creates scheduled task(s)
  C:\Users\Admin\AppData\Local\Temp\order list.exe  "C:\Users\Admin\AppData\Local\Temp\order list.exe"  PID:764
    - Adds Run key to start application
    C:\ProgramData\adobe\svchost.exe  "C:\ProgramData\adobe\svchost.exe"  PID:2440
  C:\Users\Admin\AppData\Local\Temp\order list.exe  "C:\Users\Admin\AppData\Local\Temp\order list.exe"  PID:1684
  C:\Users\Admin\AppData\Local\Temp\order list.exe  "C:\Users\Admin\AppData\Local\Temp\order list.exe"  PID:2668
    - Adds Run key to start application
    C:\ProgramData\adobe\svchost.exe  "C:\ProgramData\adobe\svchost.exe"  PID:1364
  C:\Users\Admin\AppData\Local\Temp\order list.exe  "C:\Users\Admin\AppData\Local\Temp\order list.exe"  PID:4012
    - Adds Run key to start application
    C:\ProgramData\adobe\svchost.exe  "C:\ProgramData\adobe\svchost.exe"  PID:640
      - Checks computer location settings
      C:\Windows\SysWOW64\schtasks.exe  "C:\Windows\System32\schtasks.exe" /Create /TN "Update\conhost" /XML "C:\Users\Admin\AppData\Local\Temp\z524"  PID:3588
        - Creates scheduled task(s)
  C:\Users\Admin\AppData\Local\Temp\order list.exe  "C:\Users\Admin\AppData\Local\Temp\order list.exe"  PID:1104
    - Adds Run key to start application
    C:\ProgramData\adobe\svchost.exe  "C:\ProgramData\adobe\svchost.exe"  PID:3032
  C:\Users\Admin\AppData\Local\Temp\order list.exe  "C:\Users\Admin\AppData\Local\Temp\order list.exe"  PID:4316
    - Adds Run key to start application
    C:\ProgramData\adobe\svchost.exe  "C:\ProgramData\adobe\svchost.exe"  PID:4424
  C:\Users\Admin\AppData\Local\Temp\order list.exe  "C:\Users\Admin\AppData\Local\Temp\order list.exe"  PID:3316
  C:\Users\Admin\AppData\Local\Temp\order list.exe  "C:\Users\Admin\AppData\Local\Temp\order list.exe"  PID:2388
    - Adds Run key to start application
    C:\ProgramData\adobe\svchost.exe  "C:\ProgramData\adobe\svchost.exe"  PID:3980
      - Checks computer location settings
      C:\Windows\SysWOW64\schtasks.exe  "C:\Windows\System32\schtasks.exe" /Create /TN "Update\conhost" /XML "C:\Users\Admin\AppData\Local\Temp\z737"  PID:812
        - Creates scheduled task(s)
  C:\Users\Admin\AppData\Local\Temp\order list.exe  "C:\Users\Admin\AppData\Local\Temp\order list.exe"  PID:4588
    - Adds Run key to start application
    C:\ProgramData\adobe\svchost.exe  "C:\ProgramData\adobe\svchost.exe"  PID:4952
  C:\Users\Admin\AppData\Local\Temp\order list.exe  "C:\Users\Admin\AppData\Local\Temp\order list.exe"  PID:3084
    - Adds Run key to start application
    C:\ProgramData\adobe\svchost.exe  "C:\ProgramData\adobe\svchost.exe"  PID:3228
  C:\Users\Admin\AppData\Local\Temp\order list.exe  "C:\Users\Admin\AppData\Local\Temp\order list.exe"  PID:4412
    - Adds Run key to start application
    C:\ProgramData\adobe\svchost.exe  "C:\ProgramData\adobe\svchost.exe"  PID:4152
  C:\Users\Admin\AppData\Local\Temp\order list.exe  "C:\Users\Admin\AppData\Local\Temp\order list.exe"  PID:4116
    - Adds Run key to start application
    C:\ProgramData\adobe\svchost.exe  "C:\ProgramData\adobe\svchost.exe"  PID:916
  C:\Users\Admin\AppData\Local\Temp\order list.exe  "C:\Users\Admin\AppData\Local\Temp\order list.exe"  PID:452
    - Adds Run key to start application
    C:\ProgramData\adobe\svchost.exe  "C:\ProgramData\adobe\svchost.exe"  PID:972
  C:\Users\Admin\AppData\Local\Temp\order list.exe  "C:\Users\Admin\AppData\Local\Temp\order list.exe"  PID:1420
    - Adds Run key to start application
    C:\ProgramData\adobe\svchost.exe  "C:\ProgramData\adobe\svchost.exe"  PID:4036
  C:\Users\Admin\AppData\Local\Temp\order list.exe  "C:\Users\Admin\AppData\Local\Temp\order list.exe"  PID:1552
    - Adds Run key to start application
    C:\ProgramData\adobe\svchost.exe  "C:\ProgramData\adobe\svchost.exe"  PID:2680
  C:\Users\Admin\AppData\Local\Temp\order list.exe  "C:\Users\Admin\AppData\Local\Temp\order list.exe"  PID:936
    - Adds Run key to start application
    C:\ProgramData\adobe\svchost.exe  "C:\ProgramData\adobe\svchost.exe"  PID:4448
C:\Windows\SysWOW64\WerFault.exe  C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2312 -ip 2312  PID:3612
Network
MITRE ATT&CK Enterprise v15
Downloads