Analysis

  • max time kernel
    150s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240419-en
  • resource tags
    arch:x64 arch:x86 image:win10v2004-20240419-en locale:en-us os:windows10-2004-x64 system
  • submitted
    04-05-2024 04:04

General

  • Target

    order list.exe

  • Size

    644KB

  • MD5

    d2bdfbfa39edbb7b3823e241290a567b

  • SHA1

    2a36ff5df72bbcc71ae4a47c6db12d3f36e47eec

  • SHA256

    94b7faaa8caa0ffc8b44bce17629f8f758d79db26276a2b2844d6ac1fde122d3

  • SHA512

    02be573dfe4e12505404973d55f196e088e2663940317e849eefad49c0a22a5f6b5d34230e2285bbe500716774f19851cb608edd614789c03574eec0cb602a70

  • SSDEEP

    12288:QNHoLQeRh4W8ZJ76qXIvhMPmMXCiQ3dGfAWipVzCqo1r9zu4V:2HoLQeRh4P/6qXIv6+MXT+cizdgr9zuQ

Malware Config

Extracted

Family

netwire

C2

213.183.58.34:1030

blackhills.ddns.net:1030

blackhills.ddns.net:1031

213.183.58.34:1031

Attributes
  • activex_autorun

    true

  • activex_key

    {P2HS6W4T-M16S-63O5-N061-BDQICW15LK6G}

  • copy_executable

    true

  • delete_original

    true

  • host_id

    HostId-%Rand%

  • install_path

    %AppData%\Install\Host.exe

  • keylogger_dir

    %AppData%\Logs\

  • lock_executable

    true

  • mutex

    HxAduTti

  • offline_keylogger

    true

  • password

    Password

  • registry_autorun

    true

  • startup_name

    svchost

  • use_mutex

    true

Signatures

  • Babylon RAT

    Babylon RAT is a remote access trojan written in C++.

  • NetWire RAT payload 2 IoCs
  • Netwire

    Netwire is a RAT whose main functionality is focused on password stealing and keylogging, but it also includes remote control capabilities.

  • Modifies Installed Components in the registry 2 TTPs 2 IoCs
  • Checks computer location settings 2 TTPs 22 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 64 IoCs
  • UPX packed file 7 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 64 IoCs
  • Suspicious use of SetThreadContext 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Creates scheduled task(s) 1 TTPs 22 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\order list.exe
    "C:\Users\Admin\AppData\Local\Temp\order list.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:412
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Update\conhost" /XML "C:\Users\Admin\AppData\Local\Temp\z95"
      2⤵
      • Creates scheduled task(s)
      PID:928
    • C:\Users\Admin\AppData\Local\Temp\c496228d2aee918eb567f499a542387ea28.exec496228d2aee918eb567f499a542387ea28.exe
      "C:\Users\Admin\AppData\Local\Temp\c496228d2aee918eb567f499a542387ea28.exec496228d2aee918eb567f499a542387ea28.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1740
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /Create /TN "Update\conhost" /XML "C:\Users\Admin\AppData\Local\Temp\z373"
        3⤵
        • Creates scheduled task(s)
        PID:1028
      • C:\Users\Admin\AppData\Local\Temp\Host.exeHost.exe
        "C:\Users\Admin\AppData\Local\Temp\Host.exeHost.exe"
        3⤵
        • Executes dropped EXE
        PID:2996
        • C:\Users\Admin\AppData\Roaming\Install\Host.exe
          -m "C:\Users\Admin\AppData\Local\Temp\Host.exeHost.exe"
          4⤵
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Adds Run key to start application
          PID:988
      • C:\Users\Admin\AppData\Local\Temp\c496228d2aee918eb567f499a542387ea28.exec496228d2aee918eb567f499a542387ea28.exe
        "C:\Users\Admin\AppData\Local\Temp\c496228d2aee918eb567f499a542387ea28.exec496228d2aee918eb567f499a542387ea28.exe"
        3⤵
        • Executes dropped EXE
        PID:4916
        • C:\Users\Admin\AppData\Local\Temp\rundll.exe
          C:\Users\Admin\AppData\Local\Temp\rundll.exe
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2900
    • C:\Users\Admin\AppData\Local\Temp\order list.exe
      "C:\Users\Admin\AppData\Local\Temp\order list.exe"
      2⤵
      • Executes dropped EXE
      PID:2312
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 504
        3⤵
        • Program crash
        PID:3448
    • C:\Users\Admin\AppData\Local\Temp\order list.exe
      "C:\Users\Admin\AppData\Local\Temp\order list.exe"
      2⤵
      • Executes dropped EXE
      PID:2200
    • C:\Users\Admin\AppData\Local\Temp\order list.exe
      "C:\Users\Admin\AppData\Local\Temp\order list.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1292
      • C:\ProgramData\adobe\svchost.exe
        "C:\ProgramData\adobe\svchost.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        PID:3700
        • C:\Windows\SysWOW64\schtasks.exe
          "C:\Windows\System32\schtasks.exe" /Create /TN "Update\conhost" /XML "C:\Users\Admin\AppData\Local\Temp\z436"
          4⤵
          • Creates scheduled task(s)
          PID:3320
    • C:\Users\Admin\AppData\Local\Temp\order list.exe
      "C:\Users\Admin\AppData\Local\Temp\order list.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4828
      • C:\ProgramData\adobe\svchost.exe
        "C:\ProgramData\adobe\svchost.exe"
        3⤵
        • Executes dropped EXE
        PID:3248
    • C:\Users\Admin\AppData\Local\Temp\order list.exe
      "C:\Users\Admin\AppData\Local\Temp\order list.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1960
      • C:\ProgramData\adobe\svchost.exe
        "C:\ProgramData\adobe\svchost.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        PID:4852
        • C:\Windows\SysWOW64\schtasks.exe
          "C:\Windows\System32\schtasks.exe" /Create /TN "Update\conhost" /XML "C:\Users\Admin\AppData\Local\Temp\z441"
          4⤵
          • Creates scheduled task(s)
          PID:3564
    • C:\Users\Admin\AppData\Local\Temp\order list.exe
      "C:\Users\Admin\AppData\Local\Temp\order list.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3200
      • C:\ProgramData\adobe\svchost.exe
        "C:\ProgramData\adobe\svchost.exe"
        3⤵
        • Executes dropped EXE
        PID:4560
    • C:\Users\Admin\AppData\Local\Temp\order list.exe
      "C:\Users\Admin\AppData\Local\Temp\order list.exe"
      2⤵
      • Executes dropped EXE
      PID:3324
    • C:\Users\Admin\AppData\Local\Temp\order list.exe
      "C:\Users\Admin\AppData\Local\Temp\order list.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of AdjustPrivilegeToken
      PID:2488
      • C:\ProgramData\adobe\svchost.exe
        "C:\ProgramData\adobe\svchost.exe"
        3⤵
        • Executes dropped EXE
        PID:4592
    • C:\Users\Admin\AppData\Local\Temp\order list.exe
      "C:\Users\Admin\AppData\Local\Temp\order list.exe"
      2⤵
      • Executes dropped EXE
      PID:1632
    • C:\Users\Admin\AppData\Local\Temp\order list.exe
      "C:\Users\Admin\AppData\Local\Temp\order list.exe"
      2⤵
      • Executes dropped EXE
      PID:3176
    • C:\Users\Admin\AppData\Local\Temp\order list.exe
      "C:\Users\Admin\AppData\Local\Temp\order list.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of AdjustPrivilegeToken
      PID:3664
      • C:\ProgramData\adobe\svchost.exe
        "C:\ProgramData\adobe\svchost.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        PID:2004
        • C:\Windows\SysWOW64\schtasks.exe
          "C:\Windows\System32\schtasks.exe" /Create /TN "Update\conhost" /XML "C:\Users\Admin\AppData\Local\Temp\z488"
          4⤵
          • Creates scheduled task(s)
          PID:4960
    • C:\Users\Admin\AppData\Local\Temp\order list.exe
      "C:\Users\Admin\AppData\Local\Temp\order list.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of AdjustPrivilegeToken
      PID:400
      • C:\ProgramData\adobe\svchost.exe
        "C:\ProgramData\adobe\svchost.exe"
        3⤵
        • Executes dropped EXE
        PID:1528
    • C:\Users\Admin\AppData\Local\Temp\order list.exe
      "C:\Users\Admin\AppData\Local\Temp\order list.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of AdjustPrivilegeToken
      PID:1832
      • C:\ProgramData\adobe\svchost.exe
        "C:\ProgramData\adobe\svchost.exe"
        3⤵
        • Executes dropped EXE
        PID:1236
    • C:\Users\Admin\AppData\Local\Temp\order list.exe
      "C:\Users\Admin\AppData\Local\Temp\order list.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of AdjustPrivilegeToken
      PID:4708
      • C:\ProgramData\adobe\svchost.exe
        "C:\ProgramData\adobe\svchost.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        PID:1680
        • C:\Windows\SysWOW64\schtasks.exe
          "C:\Windows\System32\schtasks.exe" /Create /TN "Update\conhost" /XML "C:\Users\Admin\AppData\Local\Temp\z844"
          4⤵
          • Creates scheduled task(s)
          PID:2816
    • C:\Users\Admin\AppData\Local\Temp\order list.exe
      "C:\Users\Admin\AppData\Local\Temp\order list.exe"
      2⤵
      • Executes dropped EXE
      PID:3104
    • C:\Users\Admin\AppData\Local\Temp\order list.exe
      "C:\Users\Admin\AppData\Local\Temp\order list.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of AdjustPrivilegeToken
      PID:1624
      • C:\ProgramData\adobe\svchost.exe
        "C:\ProgramData\adobe\svchost.exe"
        3⤵
        • Executes dropped EXE
        PID:1692
    • C:\Users\Admin\AppData\Local\Temp\order list.exe
      "C:\Users\Admin\AppData\Local\Temp\order list.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of AdjustPrivilegeToken
      PID:5040
      • C:\ProgramData\adobe\svchost.exe
        "C:\ProgramData\adobe\svchost.exe"
        3⤵
        • Executes dropped EXE
        PID:2668
    • C:\Users\Admin\AppData\Local\Temp\order list.exe
      "C:\Users\Admin\AppData\Local\Temp\order list.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of AdjustPrivilegeToken
      PID:4988
      • C:\ProgramData\adobe\svchost.exe
        "C:\ProgramData\adobe\svchost.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        PID:1288
        • C:\Windows\SysWOW64\schtasks.exe
          "C:\Windows\System32\schtasks.exe" /Create /TN "Update\conhost" /XML "C:\Users\Admin\AppData\Local\Temp\z3"
          4⤵
          • Creates scheduled task(s)
          PID:4848
    • C:\Users\Admin\AppData\Local\Temp\order list.exe
      "C:\Users\Admin\AppData\Local\Temp\order list.exe"
      2⤵
      • Executes dropped EXE
      PID:2500
    • C:\Users\Admin\AppData\Local\Temp\order list.exe
      "C:\Users\Admin\AppData\Local\Temp\order list.exe"
      2⤵
      • Executes dropped EXE
      PID:3428
    • C:\Users\Admin\AppData\Local\Temp\order list.exe
      "C:\Users\Admin\AppData\Local\Temp\order list.exe"
      2⤵
      • Executes dropped EXE
      PID:2520
    • C:\Users\Admin\AppData\Local\Temp\order list.exe
      "C:\Users\Admin\AppData\Local\Temp\order list.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of AdjustPrivilegeToken
      PID:2060
      • C:\ProgramData\adobe\svchost.exe
        "C:\ProgramData\adobe\svchost.exe"
        3⤵
        • Executes dropped EXE
        PID:764
    • C:\Users\Admin\AppData\Local\Temp\order list.exe
      "C:\Users\Admin\AppData\Local\Temp\order list.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of AdjustPrivilegeToken
      PID:628
      • C:\ProgramData\adobe\svchost.exe
        "C:\ProgramData\adobe\svchost.exe"
        3⤵
        • Executes dropped EXE
        PID:3448
    • C:\Users\Admin\AppData\Local\Temp\order list.exe
      "C:\Users\Admin\AppData\Local\Temp\order list.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of AdjustPrivilegeToken
      PID:4560
      • C:\ProgramData\adobe\svchost.exe
        "C:\ProgramData\adobe\svchost.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        PID:4384
        • C:\Windows\SysWOW64\schtasks.exe
          "C:\Windows\System32\schtasks.exe" /Create /TN "Update\conhost" /XML "C:\Users\Admin\AppData\Local\Temp\z74"
          4⤵
          • Creates scheduled task(s)
          PID:4000
    • C:\Users\Admin\AppData\Local\Temp\order list.exe
      "C:\Users\Admin\AppData\Local\Temp\order list.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of AdjustPrivilegeToken
      PID:4364
      • C:\ProgramData\adobe\svchost.exe
        "C:\ProgramData\adobe\svchost.exe"
        3⤵
        • Executes dropped EXE
        PID:2996
    • C:\Users\Admin\AppData\Local\Temp\order list.exe
      "C:\Users\Admin\AppData\Local\Temp\order list.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of AdjustPrivilegeToken
      PID:4592
      • C:\ProgramData\adobe\svchost.exe
        "C:\ProgramData\adobe\svchost.exe"
        3⤵
        • Executes dropped EXE
        PID:3812
    • C:\Users\Admin\AppData\Local\Temp\order list.exe
      "C:\Users\Admin\AppData\Local\Temp\order list.exe"
      2⤵
      • Executes dropped EXE
      PID:5032
    • C:\Users\Admin\AppData\Local\Temp\order list.exe
      "C:\Users\Admin\AppData\Local\Temp\order list.exe"
      2⤵
      • Executes dropped EXE
      PID:4648
    • C:\Users\Admin\AppData\Local\Temp\order list.exe
      "C:\Users\Admin\AppData\Local\Temp\order list.exe"
      2⤵
      • Executes dropped EXE
      PID:4248
    • C:\Users\Admin\AppData\Local\Temp\order list.exe
      "C:\Users\Admin\AppData\Local\Temp\order list.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of AdjustPrivilegeToken
      PID:4720
      • C:\ProgramData\adobe\svchost.exe
        "C:\ProgramData\adobe\svchost.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        PID:4728
        • C:\Windows\SysWOW64\schtasks.exe
          "C:\Windows\System32\schtasks.exe" /Create /TN "Update\conhost" /XML "C:\Users\Admin\AppData\Local\Temp\z68"
          4⤵
          • Creates scheduled task(s)
          PID:2680
    • C:\Users\Admin\AppData\Local\Temp\order list.exe
      "C:\Users\Admin\AppData\Local\Temp\order list.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of AdjustPrivilegeToken
      PID:5080
      • C:\ProgramData\adobe\svchost.exe
        "C:\ProgramData\adobe\svchost.exe"
        3⤵
        • Executes dropped EXE
        PID:4468
    • C:\Users\Admin\AppData\Local\Temp\order list.exe
      "C:\Users\Admin\AppData\Local\Temp\order list.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of AdjustPrivilegeToken
      PID:4388
      • C:\ProgramData\adobe\svchost.exe
        "C:\ProgramData\adobe\svchost.exe"
        3⤵
        • Executes dropped EXE
        PID:1364
    • C:\Users\Admin\AppData\Local\Temp\order list.exe
      "C:\Users\Admin\AppData\Local\Temp\order list.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of AdjustPrivilegeToken
      PID:2632
      • C:\ProgramData\adobe\svchost.exe
        "C:\ProgramData\adobe\svchost.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        PID:4548
        • C:\Windows\SysWOW64\schtasks.exe
          "C:\Windows\System32\schtasks.exe" /Create /TN "Update\conhost" /XML "C:\Users\Admin\AppData\Local\Temp\z119"
          4⤵
          • Creates scheduled task(s)
          PID:452
    • C:\Users\Admin\AppData\Local\Temp\order list.exe
      "C:\Users\Admin\AppData\Local\Temp\order list.exe"
      2⤵
      • Executes dropped EXE
      PID:5084
    • C:\Users\Admin\AppData\Local\Temp\order list.exe
      "C:\Users\Admin\AppData\Local\Temp\order list.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      PID:4644
      • C:\ProgramData\adobe\svchost.exe
        "C:\ProgramData\adobe\svchost.exe"
        3⤵
        • Executes dropped EXE
        PID:2324
    • C:\Users\Admin\AppData\Local\Temp\order list.exe
      "C:\Users\Admin\AppData\Local\Temp\order list.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      PID:3928
      • C:\ProgramData\adobe\svchost.exe
        "C:\ProgramData\adobe\svchost.exe"
        3⤵
        • Executes dropped EXE
        PID:4444
    • C:\Users\Admin\AppData\Local\Temp\order list.exe
      "C:\Users\Admin\AppData\Local\Temp\order list.exe"
      2⤵
      • Adds Run key to start application
      PID:4832
      • C:\ProgramData\adobe\svchost.exe
        "C:\ProgramData\adobe\svchost.exe"
        3⤵
        • Checks computer location settings
        PID:1904
        • C:\Windows\SysWOW64\schtasks.exe
          "C:\Windows\System32\schtasks.exe" /Create /TN "Update\conhost" /XML "C:\Users\Admin\AppData\Local\Temp\z388"
          4⤵
          • Creates scheduled task(s)
          PID:4376
    • C:\Users\Admin\AppData\Local\Temp\order list.exe
      "C:\Users\Admin\AppData\Local\Temp\order list.exe"
      2⤵
      PID:3336
    • C:\Users\Admin\AppData\Local\Temp\order list.exe
      "C:\Users\Admin\AppData\Local\Temp\order list.exe"
      2⤵
      PID:1140
      • C:\ProgramData\adobe\svchost.exe
        "C:\ProgramData\adobe\svchost.exe"
        3⤵
        PID:4960
    • C:\Users\Admin\AppData\Local\Temp\order list.exe
      "C:\Users\Admin\AppData\Local\Temp\order list.exe"
      2⤵
      PID:632
    • C:\Users\Admin\AppData\Local\Temp\order list.exe
      "C:\Users\Admin\AppData\Local\Temp\order list.exe"
      2⤵
      • Adds Run key to start application
      PID:3436
      • C:\ProgramData\adobe\svchost.exe
        "C:\ProgramData\adobe\svchost.exe"
        3⤵
        PID:3488
    • C:\Users\Admin\AppData\Local\Temp\order list.exe
      "C:\Users\Admin\AppData\Local\Temp\order list.exe"
      2⤵
      PID:4384
    • C:\Users\Admin\AppData\Local\Temp\order list.exe
      "C:\Users\Admin\AppData\Local\Temp\order list.exe"
      2⤵
      • Adds Run key to start application
      PID:5024
      • C:\ProgramData\adobe\svchost.exe
        "C:\ProgramData\adobe\svchost.exe"
        3⤵
        • Checks computer location settings
        PID:2796
        • C:\Windows\SysWOW64\schtasks.exe
          "C:\Windows\System32\schtasks.exe" /Create /TN "Update\conhost" /XML "C:\Users\Admin\AppData\Local\Temp\z828"
          4⤵
          • Creates scheduled task(s)
          PID:4116
    • C:\Users\Admin\AppData\Local\Temp\order list.exe
      "C:\Users\Admin\AppData\Local\Temp\order list.exe"
      2⤵
      • Adds Run key to start application
      PID:3308
      • C:\ProgramData\adobe\svchost.exe
        "C:\ProgramData\adobe\svchost.exe"
        3⤵
        PID:2492
    • C:\Users\Admin\AppData\Local\Temp\order list.exe
      "C:\Users\Admin\AppData\Local\Temp\order list.exe"
      2⤵
      • Adds Run key to start application
      PID:1236
      • C:\ProgramData\adobe\svchost.exe
        "C:\ProgramData\adobe\svchost.exe"
        3⤵
        PID:2380
    • C:\Users\Admin\AppData\Local\Temp\order list.exe
      "C:\Users\Admin\AppData\Local\Temp\order list.exe"
      2⤵
      • Adds Run key to start application
      PID:1856
      • C:\ProgramData\adobe\svchost.exe
        "C:\ProgramData\adobe\svchost.exe"
        3⤵
        • Checks computer location settings
        PID:5004
        • C:\Windows\SysWOW64\schtasks.exe
          "C:\Windows\System32\schtasks.exe" /Create /TN "Update\conhost" /XML "C:\Users\Admin\AppData\Local\Temp\z934"
          4⤵
          • Creates scheduled task(s)
          PID:1628
    • C:\Users\Admin\AppData\Local\Temp\order list.exe
      "C:\Users\Admin\AppData\Local\Temp\order list.exe"
      2⤵
      • Adds Run key to start application
      PID:944
      • C:\ProgramData\adobe\svchost.exe
        "C:\ProgramData\adobe\svchost.exe"
        3⤵
        PID:972
    • C:\Users\Admin\AppData\Local\Temp\order list.exe
      "C:\Users\Admin\AppData\Local\Temp\order list.exe"
      2⤵
      • Adds Run key to start application
      PID:3640
      • C:\ProgramData\adobe\svchost.exe
        "C:\ProgramData\adobe\svchost.exe"
        3⤵
        PID:2536
    • C:\Users\Admin\AppData\Local\Temp\order list.exe
      "C:\Users\Admin\AppData\Local\Temp\order list.exe"
      2⤵
      • Adds Run key to start application
      PID:3244
      • C:\ProgramData\adobe\svchost.exe
        "C:\ProgramData\adobe\svchost.exe"
        3⤵
        • Checks computer location settings
        PID:3136
        • C:\Windows\SysWOW64\schtasks.exe
          "C:\Windows\System32\schtasks.exe" /Create /TN "Update\conhost" /XML "C:\Users\Admin\AppData\Local\Temp\z789"
          4⤵
          • Creates scheduled task(s)
          PID:4460
    • C:\Users\Admin\AppData\Local\Temp\order list.exe
      "C:\Users\Admin\AppData\Local\Temp\order list.exe"
      2⤵
      • Adds Run key to start application
      PID:2620
      • C:\ProgramData\adobe\svchost.exe
        "C:\ProgramData\adobe\svchost.exe"
        3⤵
        PID:4448
    • C:\Users\Admin\AppData\Local\Temp\order list.exe
      "C:\Users\Admin\AppData\Local\Temp\order list.exe"
      2⤵
      PID:4468
    • C:\Users\Admin\AppData\Local\Temp\order list.exe
      "C:\Users\Admin\AppData\Local\Temp\order list.exe"
      2⤵
      PID:4344
    • C:\Users\Admin\AppData\Local\Temp\order list.exe
      "C:\Users\Admin\AppData\Local\Temp\order list.exe"
      2⤵
      PID:1472
    • C:\Users\Admin\AppData\Local\Temp\order list.exe
      "C:\Users\Admin\AppData\Local\Temp\order list.exe"
      2⤵
      • Adds Run key to start application
      PID:348
      • C:\ProgramData\adobe\svchost.exe
        "C:\ProgramData\adobe\svchost.exe"
        3⤵
        PID:2020
    • C:\Users\Admin\AppData\Local\Temp\order list.exe
      "C:\Users\Admin\AppData\Local\Temp\order list.exe"
      2⤵
      • Adds Run key to start application
      PID:3520
      • C:\ProgramData\adobe\svchost.exe
        "C:\ProgramData\adobe\svchost.exe"
        3⤵
        • Checks computer location settings
        PID:4548
        • C:\Windows\SysWOW64\schtasks.exe
          "C:\Windows\System32\schtasks.exe" /Create /TN "Update\conhost" /XML "C:\Users\Admin\AppData\Local\Temp\z199"
          4⤵
          • Creates scheduled task(s)
          PID:2284
    • C:\Users\Admin\AppData\Local\Temp\order list.exe
      "C:\Users\Admin\AppData\Local\Temp\order list.exe"
      2⤵
      • Adds Run key to start application
      PID:1692
      • C:\ProgramData\adobe\svchost.exe
        "C:\ProgramData\adobe\svchost.exe"
        3⤵
        PID:5116
    • C:\Users\Admin\AppData\Local\Temp\order list.exe
      "C:\Users\Admin\AppData\Local\Temp\order list.exe"
      2⤵
      PID:4296
    • C:\Users\Admin\AppData\Local\Temp\order list.exe
      "C:\Users\Admin\AppData\Local\Temp\order list.exe"
      2⤵
      • Adds Run key to start application
      PID:3768
      • C:\ProgramData\adobe\svchost.exe
        "C:\ProgramData\adobe\svchost.exe"
        3⤵
        PID:5020
    • C:\Users\Admin\AppData\Local\Temp\order list.exe
      "C:\Users\Admin\AppData\Local\Temp\order list.exe"
      2⤵
      PID:2420
    • C:\Users\Admin\AppData\Local\Temp\order list.exe
      "C:\Users\Admin\AppData\Local\Temp\order list.exe"
      2⤵
      PID:4184
    • C:\Users\Admin\AppData\Local\Temp\order list.exe
      "C:\Users\Admin\AppData\Local\Temp\order list.exe"
      2⤵
      PID:4452
    • C:\Users\Admin\AppData\Local\Temp\order list.exe
      "C:\Users\Admin\AppData\Local\Temp\order list.exe"
      2⤵
      PID:3960
    • C:\Users\Admin\AppData\Local\Temp\order list.exe
      "C:\Users\Admin\AppData\Local\Temp\order list.exe"
      2⤵
      PID:4728
    • C:\Users\Admin\AppData\Local\Temp\order list.exe
      "C:\Users\Admin\AppData\Local\Temp\order list.exe"
      2⤵
      PID:4000
    • C:\Users\Admin\AppData\Local\Temp\order list.exe
      "C:\Users\Admin\AppData\Local\Temp\order list.exe"
      2⤵
      • Adds Run key to start application
      PID:3804
      • C:\ProgramData\adobe\svchost.exe
        "C:\ProgramData\adobe\svchost.exe"
        3⤵
        • Checks computer location settings
        PID:4580
        • C:\Windows\SysWOW64\schtasks.exe
          "C:\Windows\System32\schtasks.exe" /Create /TN "Update\conhost" /XML "C:\Users\Admin\AppData\Local\Temp\z357"
          4⤵
          • Creates scheduled task(s)
          PID:4956
    • C:\Users\Admin\AppData\Local\Temp\order list.exe
      "C:\Users\Admin\AppData\Local\Temp\order list.exe"
      2⤵
      PID:776
    • C:\Users\Admin\AppData\Local\Temp\order list.exe
      "C:\Users\Admin\AppData\Local\Temp\order list.exe"
      2⤵
      PID:4972
    • C:\Users\Admin\AppData\Local\Temp\order list.exe
      "C:\Users\Admin\AppData\Local\Temp\order list.exe"
      2⤵
      • Adds Run key to start application
      PID:2444
      • C:\ProgramData\adobe\svchost.exe
        "C:\ProgramData\adobe\svchost.exe"
        3⤵
        PID:3304
    • C:\Users\Admin\AppData\Local\Temp\order list.exe
      "C:\Users\Admin\AppData\Local\Temp\order list.exe"
      2⤵
      PID:3116
    • C:\Users\Admin\AppData\Local\Temp\order list.exe
      "C:\Users\Admin\AppData\Local\Temp\order list.exe"
      2⤵
      • Adds Run key to start application
      PID:540
      • C:\ProgramData\adobe\svchost.exe
        "C:\ProgramData\adobe\svchost.exe"
                                                                3⤵
                                                                  PID:3980
                                                              • C:\Users\Admin\AppData\Local\Temp\order list.exe
                                                                "C:\Users\Admin\AppData\Local\Temp\order list.exe"
                                                                2⤵
                                                                • Adds Run key to start application
                                                                PID:4872
                                                                • C:\ProgramData\adobe\svchost.exe
                                                                  "C:\ProgramData\adobe\svchost.exe"
                                                                  3⤵
                                                                  • Checks computer location settings
                                                                  PID:3888
                                                                  • C:\Windows\SysWOW64\schtasks.exe
                                                                    "C:\Windows\System32\schtasks.exe" /Create /TN "Update\conhost" /XML "C:\Users\Admin\AppData\Local\Temp\z104"
                                                                    4⤵
                                                                    • Creates scheduled task(s)
                                                                    PID:2284
                                                              • C:\Users\Admin\AppData\Local\Temp\order list.exe
                                                                "C:\Users\Admin\AppData\Local\Temp\order list.exe"
                                                                2⤵
                                                                • Adds Run key to start application
                                                                PID:4984
                                                                • C:\ProgramData\adobe\svchost.exe
                                                                  "C:\ProgramData\adobe\svchost.exe"
                                                                  3⤵
                                                                    PID:2816
                                                                • C:\Users\Admin\AppData\Local\Temp\order list.exe
                                                                  "C:\Users\Admin\AppData\Local\Temp\order list.exe"
                                                                  2⤵
                                                                  • Adds Run key to start application
                                                                  PID:3096
                                                                  • C:\ProgramData\adobe\svchost.exe
                                                                    "C:\ProgramData\adobe\svchost.exe"
                                                                    3⤵
                                                                      PID:4264
                                                                  • C:\Users\Admin\AppData\Local\Temp\order list.exe
                                                                    "C:\Users\Admin\AppData\Local\Temp\order list.exe"
                                                                    2⤵
                                                                    • Adds Run key to start application
                                                                    PID:2688
                                                                    • C:\ProgramData\adobe\svchost.exe
                                                                      "C:\ProgramData\adobe\svchost.exe"
                                                                      3⤵
                                                                      • Checks computer location settings
                                                                      PID:4920
                                                                      • C:\Windows\SysWOW64\schtasks.exe
                                                                        "C:\Windows\System32\schtasks.exe" /Create /TN "Update\conhost" /XML "C:\Users\Admin\AppData\Local\Temp\z373"
                                                                        4⤵
                                                                        • Creates scheduled task(s)
                                                                        PID:3784
                                                                  • C:\Users\Admin\AppData\Local\Temp\order list.exe
                                                                    "C:\Users\Admin\AppData\Local\Temp\order list.exe"
                                                                    2⤵
                                                                    • Adds Run key to start application
                                                                    PID:3248
                                                                    • C:\ProgramData\adobe\svchost.exe
                                                                      "C:\ProgramData\adobe\svchost.exe"
                                                                      3⤵
                                                                        PID:4888
                                                                    • C:\Users\Admin\AppData\Local\Temp\order list.exe
                                                                      "C:\Users\Admin\AppData\Local\Temp\order list.exe"
                                                                      2⤵
                                                                      • Adds Run key to start application
                                                                      PID:748
                                                                      • C:\ProgramData\adobe\svchost.exe
                                                                        "C:\ProgramData\adobe\svchost.exe"
                                                                        3⤵
                                                                          PID:4080
                                                                      • C:\Users\Admin\AppData\Local\Temp\order list.exe
                                                                        "C:\Users\Admin\AppData\Local\Temp\order list.exe"
                                                                        2⤵
                                                                        • Adds Run key to start application
                                                                        PID:4628
                                                                        • C:\ProgramData\adobe\svchost.exe
                                                                          "C:\ProgramData\adobe\svchost.exe"
                                                                          3⤵
                                                                          • Checks computer location settings
                                                                          PID:3084
                                                                          • C:\Windows\SysWOW64\schtasks.exe
                                                                            "C:\Windows\System32\schtasks.exe" /Create /TN "Update\conhost" /XML "C:\Users\Admin\AppData\Local\Temp\z977"
                                                                            4⤵
                                                                            • Creates scheduled task(s)
                                                                            PID:1644
                                                                      • C:\Users\Admin\AppData\Local\Temp\order list.exe
                                                                        "C:\Users\Admin\AppData\Local\Temp\order list.exe"
                                                                        2⤵
                                                                        • Adds Run key to start application
                                                                        PID:2676
                                                                        • C:\ProgramData\adobe\svchost.exe
                                                                          "C:\ProgramData\adobe\svchost.exe"
                                                                          3⤵
                                                                            PID:4952
                                                                        • C:\Users\Admin\AppData\Local\Temp\order list.exe
                                                                          "C:\Users\Admin\AppData\Local\Temp\order list.exe"
                                                                          2⤵
                                                                            PID:4736
                                                                          • C:\Users\Admin\AppData\Local\Temp\order list.exe
                                                                            "C:\Users\Admin\AppData\Local\Temp\order list.exe"
                                                                            2⤵
                                                                              PID:3344
                                                                              • C:\ProgramData\adobe\svchost.exe
                                                                                "C:\ProgramData\adobe\svchost.exe"
                                                                                3⤵
                                                                                  PID:4180
                                                                              • C:\Users\Admin\AppData\Local\Temp\order list.exe
                                                                                "C:\Users\Admin\AppData\Local\Temp\order list.exe"
                                                                                2⤵
                                                                                • Adds Run key to start application
                                                                                PID:1240
                                                                                • C:\ProgramData\adobe\svchost.exe
                                                                                  "C:\ProgramData\adobe\svchost.exe"
                                                                                  3⤵
                                                                                  • Checks computer location settings
                                                                                  PID:2976
                                                                                  • C:\Windows\SysWOW64\schtasks.exe
                                                                                    "C:\Windows\System32\schtasks.exe" /Create /TN "Update\conhost" /XML "C:\Users\Admin\AppData\Local\Temp\z832"
                                                                                    4⤵
                                                                                    • Creates scheduled task(s)
                                                                                    PID:4460
                                                                              • C:\Users\Admin\AppData\Local\Temp\order list.exe
                                                                                "C:\Users\Admin\AppData\Local\Temp\order list.exe"
                                                                                2⤵
                                                                                • Adds Run key to start application
                                                                                PID:764
                                                                                • C:\ProgramData\adobe\svchost.exe
                                                                                  "C:\ProgramData\adobe\svchost.exe"
                                                                                  3⤵
                                                                                    PID:2440
                                                                                • C:\Users\Admin\AppData\Local\Temp\order list.exe
                                                                                  "C:\Users\Admin\AppData\Local\Temp\order list.exe"
                                                                                  2⤵
                                                                                    PID:1684
                                                                                  • C:\Users\Admin\AppData\Local\Temp\order list.exe
                                                                                    "C:\Users\Admin\AppData\Local\Temp\order list.exe"
                                                                                    2⤵
                                                                                    • Adds Run key to start application
                                                                                    PID:2668
                                                                                    • C:\ProgramData\adobe\svchost.exe
                                                                                      "C:\ProgramData\adobe\svchost.exe"
                                                                                      3⤵
                                                                                        PID:1364
                                                                                    • C:\Users\Admin\AppData\Local\Temp\order list.exe
                                                                                      "C:\Users\Admin\AppData\Local\Temp\order list.exe"
                                                                                      2⤵
                                                                                      • Adds Run key to start application
                                                                                      PID:4012
                                                                                      • C:\ProgramData\adobe\svchost.exe
                                                                                        "C:\ProgramData\adobe\svchost.exe"
                                                                                        3⤵
                                                                                        • Checks computer location settings
                                                                                        PID:640
                                                                                        • C:\Windows\SysWOW64\schtasks.exe
                                                                                          "C:\Windows\System32\schtasks.exe" /Create /TN "Update\conhost" /XML "C:\Users\Admin\AppData\Local\Temp\z524"
                                                                                          4⤵
                                                                                          • Creates scheduled task(s)
                                                                                          PID:3588
                                                                                    • C:\Users\Admin\AppData\Local\Temp\order list.exe
                                                                                      "C:\Users\Admin\AppData\Local\Temp\order list.exe"
                                                                                      2⤵
                                                                                      • Adds Run key to start application
                                                                                      PID:1104
                                                                                      • C:\ProgramData\adobe\svchost.exe
                                                                                        "C:\ProgramData\adobe\svchost.exe"
                                                                                        3⤵
                                                                                          PID:3032
                                                                                      • C:\Users\Admin\AppData\Local\Temp\order list.exe
                                                                                        "C:\Users\Admin\AppData\Local\Temp\order list.exe"
                                                                                        2⤵
                                                                                        • Adds Run key to start application
                                                                                        PID:4316
                                                                                        • C:\ProgramData\adobe\svchost.exe
                                                                                          "C:\ProgramData\adobe\svchost.exe"
                                                                                          3⤵
                                                                                            PID:4424
                                                                                        • C:\Users\Admin\AppData\Local\Temp\order list.exe
                                                                                          "C:\Users\Admin\AppData\Local\Temp\order list.exe"
                                                                                          2⤵
                                                                                            PID:3316
                                                                                          • C:\Users\Admin\AppData\Local\Temp\order list.exe
                                                                                            "C:\Users\Admin\AppData\Local\Temp\order list.exe"
                                                                                            2⤵
                                                                                            • Adds Run key to start application
                                                                                            PID:2388
                                                                                            • C:\ProgramData\adobe\svchost.exe
                                                                                              "C:\ProgramData\adobe\svchost.exe"
                                                                                              3⤵
                                                                                              • Checks computer location settings
                                                                                              PID:3980
                                                                                              • C:\Windows\SysWOW64\schtasks.exe
                                                                                                "C:\Windows\System32\schtasks.exe" /Create /TN "Update\conhost" /XML "C:\Users\Admin\AppData\Local\Temp\z737"
                                                                                                4⤵
                                                                                                • Creates scheduled task(s)
                                                                                                PID:812
                                                                                          • C:\Users\Admin\AppData\Local\Temp\order list.exe
                                                                                            "C:\Users\Admin\AppData\Local\Temp\order list.exe"
                                                                                            2⤵
                                                                                            • Adds Run key to start application
                                                                                            PID:4588
                                                                                            • C:\ProgramData\adobe\svchost.exe
                                                                                              "C:\ProgramData\adobe\svchost.exe"
                                                                                              3⤵
                                                                                                PID:4952
                                                                                            • C:\Users\Admin\AppData\Local\Temp\order list.exe
                                                                                              "C:\Users\Admin\AppData\Local\Temp\order list.exe"
                                                                                              2⤵
                                                                                              • Adds Run key to start application
                                                                                              PID:3084
                                                                                              • C:\ProgramData\adobe\svchost.exe
                                                                                                "C:\ProgramData\adobe\svchost.exe"
                                                                                                3⤵
                                                                                                  PID:3228
                                                                                              • C:\Users\Admin\AppData\Local\Temp\order list.exe
                                                                                                "C:\Users\Admin\AppData\Local\Temp\order list.exe"
                                                                                                2⤵
                                                                                                • Adds Run key to start application
                                                                                                PID:4412
                                                                                                • C:\ProgramData\adobe\svchost.exe
                                                                                                  "C:\ProgramData\adobe\svchost.exe"
                                                                                                  3⤵
                                                                                                    PID:4152
                                                                                                • C:\Users\Admin\AppData\Local\Temp\order list.exe
                                                                                                  "C:\Users\Admin\AppData\Local\Temp\order list.exe"
                                                                                                  2⤵
                                                                                                  • Adds Run key to start application
                                                                                                  PID:4116
                                                                                                  • C:\ProgramData\adobe\svchost.exe
                                                                                                    "C:\ProgramData\adobe\svchost.exe"
                                                                                                    3⤵
                                                                                                      PID:916
                                                                                                  • C:\Users\Admin\AppData\Local\Temp\order list.exe
                                                                                                    "C:\Users\Admin\AppData\Local\Temp\order list.exe"
                                                                                                    2⤵
                                                                                                    • Adds Run key to start application
                                                                                                    PID:452
                                                                                                    • C:\ProgramData\adobe\svchost.exe
                                                                                                      "C:\ProgramData\adobe\svchost.exe"
                                                                                                      3⤵
                                                                                                        PID:972
                                                                                                    • C:\Users\Admin\AppData\Local\Temp\order list.exe
                                                                                                      "C:\Users\Admin\AppData\Local\Temp\order list.exe"
                                                                                                      2⤵
                                                                                                      • Adds Run key to start application
                                                                                                      PID:1420
                                                                                                      • C:\ProgramData\adobe\svchost.exe
                                                                                                        "C:\ProgramData\adobe\svchost.exe"
                                                                                                        3⤵
                                                                                                          PID:4036
                                                                                                      • C:\Users\Admin\AppData\Local\Temp\order list.exe
                                                                                                        "C:\Users\Admin\AppData\Local\Temp\order list.exe"
                                                                                                        2⤵
                                                                                                        • Adds Run key to start application
                                                                                                        PID:1552
                                                                                                        • C:\ProgramData\adobe\svchost.exe
                                                                                                          "C:\ProgramData\adobe\svchost.exe"
                                                                                                          3⤵
                                                                                                            PID:2680
                                                                                                        • C:\Users\Admin\AppData\Local\Temp\order list.exe
                                                                                                          "C:\Users\Admin\AppData\Local\Temp\order list.exe"
                                                                                                          2⤵
                                                                                                          • Adds Run key to start application
                                                                                                          PID:936
                                                                                                          • C:\ProgramData\adobe\svchost.exe
                                                                                                            "C:\ProgramData\adobe\svchost.exe"
                                                                                                            3⤵
                                                                                                              PID:4448
                                                                                                        • C:\Windows\SysWOW64\WerFault.exe
                                                                                                          C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2312 -ip 2312
                                                                                                          1⤵
                                                                                                            PID:3612
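The repeating chain in the tree above is the part worth hunting for: a copy of the sample named svchost.exe runs from C:\ProgramData\adobe rather than a Windows system directory, and it launches schtasks.exe with /Create /TN "Update\conhost" /XML pointing at a throwaway file in the user's Temp folder. The Python below is an added example, not part of the sandbox report, that runs three rules over process-creation records: a svchost.exe outside System32/SysWOW64, a schtasks /Create whose task XML comes from a user-writable path, and a schtasks whose parent is such a masquerading svchost. The record layout (pid, ppid, image, cmdline) and rule names are my own; the sample records are transcribed from one branch of the tree (the parent PID of its top entry is not shown in this section, so it is left empty), and the genuine svchost.exe record is a constructed benign control.

```python
"""Detection rules for the persistence chain shown in the process tree.

Added example, not part of the sandbox report. Field names are my own;
in a real pipeline map them from Sysmon Event ID 1 or Security 4688.
"""
import re
from pathlib import PureWindowsPath

# Directories from which a genuine svchost.exe is expected to run.
TRUSTED_SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# Constructed sample: three records transcribed from one branch of the tree
# (PIDs as shown there) plus a benign control that must never be flagged.
SAMPLE_RECORDS = [
    {"pid": 4872, "ppid": None,  # parent not shown in this section
     "image": r"C:\Users\Admin\AppData\Local\Temp\order list.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\order list.exe"'},
    {"pid": 3888, "ppid": 4872,
     "image": r"C:\ProgramData\adobe\svchost.exe",
     "cmdline": r'"C:\ProgramData\adobe\svchost.exe"'},
    # Image is SysWOW64 while argv[0] says System32: WOW64 file-system
    # redirection for a 32-bit parent, not a masquerade.
    {"pid": 2284, "ppid": 3888,
     "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Update\conhost" '
                r'/XML "C:\Users\Admin\AppData\Local\Temp\z104"'},
    {"pid": 900, "ppid": 600,
     "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"C:\Windows\System32\svchost.exe -k netsvcs"},
]


def split_windows_args(cmdline):
    """Tokenise a Windows command line; double-quoted tokens keep their spaces."""
    return [tok.strip('"') for tok in re.findall(r'"[^"]*"|\S+', cmdline)]


def parse_schtasks_create(cmdline):
    """Return the /TN, /XML and /TR values of a `schtasks /Create`, else None."""
    args = split_windows_args(cmdline)
    if not args or PureWindowsPath(args[0]).name.lower() != "schtasks.exe":
        return None
    opts, i = {}, 1
    while i < len(args):
        key = args[i].lower()
        # These options take a value; everything else is a bare switch.
        if key in ("/tn", "/xml", "/tr", "/sc", "/ru", "/rp") and i + 1 < len(args):
            opts[key] = args[i + 1]
            i += 2
        else:
            opts[key] = True
            i += 1
    if "/create" not in opts:
        return None
    return {"task": opts.get("/tn"), "xml": opts.get("/xml"), "run": opts.get("/tr")}


def in_user_writable_location(path):
    """True for paths under a user profile or C:\\ProgramData (both writable by users)."""
    low = path.lower()
    return low.startswith("c:\\users\\") or low.startswith("c:\\programdata\\")


def is_masquerading_svchost(image):
    """svchost.exe by name, but not launched from a Windows system directory."""
    p = PureWindowsPath(image)
    return p.name.lower() == "svchost.exe" and str(p.parent).lower() not in TRUSTED_SYSTEM_DIRS


def find_persistence(records):
    """Run the three rules over process records; return a list of findings."""
    by_pid = {r["pid"]: r for r in records}
    findings = []
    for r in records:
        if is_masquerading_svchost(r["image"]):
            findings.append({"pid": r["pid"], "rule": "masquerading_svchost",
                             "detail": r["image"]})
        task = parse_schtasks_create(r["cmdline"])
        if task is None:
            continue
        if task["xml"] and in_user_writable_location(task["xml"]):
            findings.append({"pid": r["pid"], "rule": "schtasks_xml_from_user_path",
                             "detail": f'{task["task"]} <- {task["xml"]}'})
        parent = by_pid.get(r["ppid"])
        if parent and is_masquerading_svchost(parent["image"]):
            findings.append({"pid": r["pid"], "rule": "schtasks_parent_masquerading",
                             "detail": parent["image"]})
    return findings


if __name__ == "__main__":
    for f in find_persistence(SAMPLE_RECORDS):
        print(f'PID {f["pid"]}: {f["rule"]} ({f["detail"]})')
```

The rules deliberately key on structure rather than on this sample's strings: the task name "Update\conhost" and the z-prefixed XML file names will change from build to build, whereas a task registered from an XML file in a user-writable path by a parent that is not a real system binary is the durable signal. The same parser also exposes /TR, so a rule on the task's action path (the config's %AppData%\Install\Host.exe) can be added when the XML or a later schtasks /Create with /TR is available.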

Network

MITRE ATT&CK Enterprise v15

Downloads

• C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\svchost.exe.log
  Filesize: 496B
  MD5: cb76b18ebed3a9f05a14aed43d35fba6
  SHA1: 836a4b4e351846fca08b84149cb734cb59b8c0d6
  SHA256: 8d0edecf54cbbdf7981c8e41a3ed8621503188a87415f9af0fb8d890b138c349
  SHA512: 7631141e4a6dda29452ada666326837372cd3d045f773006f63d9eff15d9432ed00029d9108a72c1a3b858377600a2aab2c9ec03764285c8801b6019babcf21c

• C:\Users\Admin\AppData\Local\Temp\Host.exe
  Filesize: 88KB
  MD5: 886a38f318cf5d03cda1b7b97e9746d4
  SHA1: 809f6d9069515c0c43d8dde63e574bca1a9dd597
  SHA256: 109d87b79191cc55290af0244a3ade9c07f28c3d375919cefd2a5b1fcc9596ea
  SHA512: aa07d656ed059187cfc0fd3f8498517a9df0fe80facb670b89584a2bfc2898e7b08fcb29342636fcc629921c0bef5a2e7ec762be478de1ae2f96407d71b947d6

• C:\Users\Admin\AppData\Local\Temp\c496228d2aee918eb567f499a542387ea28.exe
  Filesize: 216KB
  MD5: 221ec94084afaafc916a271b13f75d09
  SHA1: b1fc96ac5f482e0451ed9a493e6db577e29b1304
  SHA256: de9d8f4d7ff65c81d3a2dd9c1b75a327ee24fffba25926a912f4d287d8999ccf
  SHA512: 87f89d64bcb4d3295c4ac0b483062e700374129b830415d64b9d9b90820abc967b5520bf2ef8df0d96083d1671fbb30d19a6fd51ffbb9a30a02a111263c9187f

• C:\Users\Admin\AppData\Local\Temp\order list.exe
  Filesize: 644KB
  MD5: d2bdfbfa39edbb7b3823e241290a567b
  SHA1: 2a36ff5df72bbcc71ae4a47c6db12d3f36e47eec
  SHA256: 94b7faaa8caa0ffc8b44bce17629f8f758d79db26276a2b2844d6ac1fde122d3
  SHA512: 02be573dfe4e12505404973d55f196e088e2663940317e849eefad49c0a22a5f6b5d34230e2285bbe500716774f19851cb608edd614789c03574eec0cb602a70

• C:\Users\Admin\AppData\Local\Temp\rundll.exe
  Filesize: 8KB
  MD5: 3b43488997e498313ddf322481621b2b
  SHA1: ca9329e3129fe83fe0b084b91a6016a16edcb9c0
  SHA256: 3a5bf0b0c1650b75a6cc29186456666bee4be6cb0573377bb8e1af777eed169c
  SHA512: 4931eb21aa376d6b0728f75ee97020d0ec14d1aec5773e29fa61a7a087ecc1e960837a39a5563d789e680d0c94389f383d35d7c074df133c2aa964c0d514f8ec

• C:\Users\Admin\AppData\Local\Temp\z95
  Filesize: 1KB
  MD5: 5caa36f90120e95e0618bfdfa6e1a5dd
  SHA1: 6f313f295334d96e3439400a6b4ef2026be68c18
  SHA256: 6b6b3a5e5b017861f32dd459e61ddea8cb20f4a9982ef9b68f2894d9d34abc88
  SHA512: bf9f0f392b0ac996278d8c8fd782b67939169a4bb579435d3cf71e36eb61999b50fa537ef66dfa1246771e0e9e76b2f80c2a7e2cdf840330a166511393d28d0a

• memory/400-119-0x0000000000400000-0x00000000004C9000-memory.dmp
  Filesize: 804KB

• memory/400-118-0x0000000000400000-0x00000000004C9000-memory.dmp
  Filesize: 804KB

• memory/412-159-0x0000000075000000-0x00000000755B1000-memory.dmp
  Filesize: 5.7MB

• memory/412-132-0x0000000075000000-0x00000000755B1000-memory.dmp
  Filesize: 5.7MB

• memory/412-50-0x0000000075000000-0x00000000755B1000-memory.dmp
  Filesize: 5.7MB

• memory/412-0-0x0000000075002000-0x0000000075003000-memory.dmp
  Filesize: 4KB

• memory/412-3-0x0000000075000000-0x00000000755B1000-memory.dmp
  Filesize: 5.7MB

• memory/412-28-0x0000000075000000-0x00000000755B1000-memory.dmp
  Filesize: 5.7MB

• memory/412-29-0x0000000075000000-0x00000000755B1000-memory.dmp
  Filesize: 5.7MB

• memory/412-2-0x0000000075000000-0x00000000755B1000-memory.dmp
  Filesize: 5.7MB

• memory/412-1-0x0000000075000000-0x00000000755B1000-memory.dmp
  Filesize: 5.7MB

• memory/412-42-0x0000000075002000-0x0000000075003000-memory.dmp
  Filesize: 4KB

• memory/1740-25-0x0000000075000000-0x00000000755B1000-memory.dmp
  Filesize: 5.7MB

• memory/1740-141-0x0000000075000000-0x00000000755B1000-memory.dmp
  Filesize: 5.7MB

• memory/1740-26-0x0000000075000000-0x00000000755B1000-memory.dmp
  Filesize: 5.7MB

• memory/1740-27-0x0000000075000000-0x00000000755B1000-memory.dmp
  Filesize: 5.7MB

• memory/2312-18-0x0000000000400000-0x00000000004C9000-memory.dmp
  Filesize: 804KB

• memory/2312-20-0x0000000000400000-0x00000000004C9000-memory.dmp
  Filesize: 804KB

• memory/2312-24-0x0000000000400000-0x00000000004C9000-memory.dmp
  Filesize: 804KB

• memory/2312-22-0x0000000000400000-0x00000000004C9000-memory.dmp
  Filesize: 804KB

• memory/2312-23-0x0000000000400000-0x00000000004C9000-memory.dmp
  Filesize: 804KB

• memory/2996-103-0x0000000000400000-0x0000000000420000-memory.dmp
  Filesize: 128KB

• memory/4916-100-0x0000000000400000-0x000000000041B000-memory.dmp
  Filesize: 108KB

• memory/4916-94-0x0000000000400000-0x000000000041B000-memory.dmp
  Filesize: 108KB

• memory/4916-95-0x0000000000400000-0x000000000041B000-memory.dmp
  Filesize: 108KB

• memory/4916-96-0x0000000000400000-0x000000000041B000-memory.dmp
  Filesize: 108KB

• memory/4916-97-0x0000000000400000-0x000000000041B000-memory.dmp
  Filesize: 108KB

• memory/4916-98-0x0000000000400000-0x000000000041B000-memory.dmp
  Filesize: 108KB

• memory/4916-99-0x0000000000400000-0x000000000041B000-memory.dmp
  Filesize: 108KB

• memory/4916-104-0x0000000000400000-0x000000000041B000-memory.dmp
  Filesize: 108KB