Malware Analysis Report

2024-11-16 12:12

Sample ID 240723-fa5dbayakb
Target cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da
SHA256 cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da
Tags
neshta persistence spyware stealer
score
10/10


Analysis Overview

score
10/10

SHA256

cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da

Threat Level: Known bad

The file cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da was found to be: Known bad.

Malicious Activity Summary

neshta persistence spyware stealer

Neshta family

Neshta

Detect Neshta payload

Sets service image path in registry

Checks computer location settings

Executes dropped EXE

Modifies system executable filetype association

Reads user/profile data of web browsers

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: LoadsDriver

Modifies registry class

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Reported

2024-07-23 04:41

Signatures

Detect Neshta payload

Description Indicator Process Target
N/A N/A N/A N/A

Neshta family

neshta

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-23 04:41

Reported

2024-07-23 04:43

Platform

win10v2004-20240709-en

Max time kernel

150s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe"

Signatures

Detect Neshta payload

Description Indicator Process Target
N/A N/A N/A N/A

Neshta

persistence spyware neshta

Sets service image path in registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\hGtUNymlXilNdbLfeSvDg\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\hGtUNymlXilNdbLfeSvDg" C:\Users\Admin\AppData\Local\Temp\3582-490\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe N/A

Reads user/profile data of web browsers

spyware stealer

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE C:\Users\Admin\AppData\Local\Temp\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{EF5AF~1\WINDOW~1.EXE C:\Users\Admin\AppData\Local\Temp\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~4.EXE C:\Users\Admin\AppData\Local\Temp\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe C:\Users\Admin\AppData\Local\Temp\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE C:\Users\Admin\AppData\Local\Temp\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE C:\Users\Admin\AppData\Local\Temp\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE C:\Users\Admin\AppData\Local\Temp\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.41\MICROS~3.EXE C:\Users\Admin\AppData\Local\Temp\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe N/A
File opened for modification C:\PROGRA~2\MOZILL~1\UNINST~1.EXE C:\Users\Admin\AppData\Local\Temp\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\wmpshare.exe C:\Users\Admin\AppData\Local\Temp\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe C:\Users\Admin\AppData\Local\Temp\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe C:\Users\Admin\AppData\Local\Temp\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\ieinstal.exe C:\Users\Admin\AppData\Local\Temp\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe C:\Users\Admin\AppData\Local\Temp\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE C:\Users\Admin\AppData\Local\Temp\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\DISABL~1.EXE C:\Users\Admin\AppData\Local\Temp\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.41\MICROS~2.EXE C:\Users\Admin\AppData\Local\Temp\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE C:\Users\Admin\AppData\Local\Temp\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\java.exe C:\Users\Admin\AppData\Local\Temp\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\setup_wm.exe C:\Users\Admin\AppData\Local\Temp\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\wmpconfig.exe C:\Users\Admin\AppData\Local\Temp\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE C:\Users\Admin\AppData\Local\Temp\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaw.exe C:\Users\Admin\AppData\Local\Temp\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\Download\{F3C4F~1\13187~1.41\MICROS~1.EXE C:\Users\Admin\AppData\Local\Temp\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE C:\Users\Admin\AppData\Local\Temp\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe N/A
File opened for modification C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE C:\Users\Admin\AppData\Local\Temp\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\wmlaunch.exe C:\Users\Admin\AppData\Local\Temp\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\ielowutil.exe C:\Users\Admin\AppData\Local\Temp\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE C:\Users\Admin\AppData\Local\Temp\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe C:\Users\Admin\AppData\Local\Temp\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~2.EXE C:\Users\Admin\AppData\Local\Temp\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE C:\Users\Admin\AppData\Local\Temp\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE C:\Users\Admin\AppData\Local\Temp\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe C:\Users\Admin\AppData\Local\Temp\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\wmprph.exe C:\Users\Admin\AppData\Local\Temp\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\ExtExport.exe C:\Users\Admin\AppData\Local\Temp\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE C:\Users\Admin\AppData\Local\Temp\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe N/A
File opened for modification C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe C:\Users\Admin\AppData\Local\Temp\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\wmplayer.exe C:\Users\Admin\AppData\Local\Temp\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe N/A
File opened for modification C:\PROGRA~2\WI8A19~1\ImagingDevices.exe C:\Users\Admin\AppData\Local\Temp\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.41\MICROS~4.EXE C:\Users\Admin\AppData\Local\Temp\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.41\MICROS~1.EXE C:\Users\Admin\AppData\Local\Temp\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE C:\Users\Admin\AppData\Local\Temp\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.371\GOBD5D~1.EXE C:\Users\Admin\AppData\Local\Temp\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\iexplore.exe C:\Users\Admin\AppData\Local\Temp\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{D87AE~1\WINDOW~1.EXE C:\Users\Admin\AppData\Local\Temp\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE C:\Users\Admin\AppData\Local\Temp\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe C:\Users\Admin\AppData\Local\Temp\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~1.EXE C:\Users\Admin\AppData\Local\Temp\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE C:\Users\Admin\AppData\Local\Temp\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~2\wabmig.exe C:\Users\Admin\AppData\Local\Temp\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE C:\Users\Admin\AppData\Local\Temp\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~3.EXE C:\Users\Admin\AppData\Local\Temp\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe C:\Users\Admin\AppData\Local\Temp\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaws.exe C:\Users\Admin\AppData\Local\Temp\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE C:\Users\Admin\AppData\Local\Temp\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE C:\Users\Admin\AppData\Local\Temp\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\MicrosoftEdgeUpdate.exe C:\Users\Admin\AppData\Local\Temp\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE C:\Users\Admin\AppData\Local\Temp\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE C:\Users\Admin\AppData\Local\Temp\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE C:\Users\Admin\AppData\Local\Temp\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe N/A
(the same row is repeated 64 times in the original report)

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4184 wrote to memory of 832 N/A C:\Users\Admin\AppData\Local\Temp\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe C:\Users\Admin\AppData\Local\Temp\3582-490\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe
PID 832 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe C:\Windows\system32\cmd.exe
PID 832 wrote to memory of 5088 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe C:\Windows\system32\cmd.exe
PID 832 wrote to memory of 1484 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe C:\Windows\system32\cmd.exe
PID 832 wrote to memory of 4304 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe C:\Windows\system32\cmd.exe
PID 832 wrote to memory of 1896 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe C:\Windows\system32\cmd.exe
PID 832 wrote to memory of 1140 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe C:\Windows\system32\cmd.exe
PID 832 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe C:\Windows\system32\cmd.exe
PID 832 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe C:\Windows\system32\cmd.exe
PID 832 wrote to memory of 4712 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe C:\Windows\system32\cmd.exe
PID 832 wrote to memory of 5096 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe C:\Windows\system32\cmd.exe
PID 832 wrote to memory of 1416 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe C:\Windows\system32\cmd.exe
PID 832 wrote to memory of 4152 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe C:\Windows\system32\cmd.exe
PID 832 wrote to memory of 3212 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe C:\Windows\system32\cmd.exe
PID 832 wrote to memory of 4488 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe C:\Windows\system32\cmd.exe
PID 832 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe C:\Windows\system32\cmd.exe
PID 832 wrote to memory of 3248 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe C:\Windows\system32\cmd.exe
PID 832 wrote to memory of 4108 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe C:\Windows\system32\cmd.exe
PID 832 wrote to memory of 1792 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe C:\Windows\system32\cmd.exe
PID 832 wrote to memory of 4384 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe C:\Windows\system32\cmd.exe
PID 832 wrote to memory of 628 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe C:\Windows\system32\cmd.exe
PID 832 wrote to memory of 1564 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe C:\Windows\system32\cmd.exe
PID 832 wrote to memory of 636 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe C:\Windows\system32\cmd.exe
PID 832 wrote to memory of 952 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe C:\Windows\system32\cmd.exe
PID 832 wrote to memory of 1492 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe C:\Windows\system32\cmd.exe
PID 832 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe C:\Windows\system32\cmd.exe
PID 832 wrote to memory of 2016 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe C:\Windows\system32\cmd.exe
PID 832 wrote to memory of 1864 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe C:\Windows\system32\cmd.exe
(each event above was logged twice in the original report)
PID 832 wrote to memory of 4824 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe C:\Windows\system32\cmd.exe
PID 832 wrote to memory of 4824 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe C:\Windows\system32\cmd.exe
PID 832 wrote to memory of 4124 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe C:\Windows\system32\cmd.exe
PID 832 wrote to memory of 4124 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe C:\Windows\system32\cmd.exe
PID 832 wrote to memory of 436 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe C:\Windows\system32\cmd.exe
PID 832 wrote to memory of 436 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe C:\Windows\system32\cmd.exe
PID 832 wrote to memory of 4164 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe C:\Windows\system32\cmd.exe
PID 832 wrote to memory of 4164 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe C:\Windows\system32\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe

"C:\Users\Admin\AppData\Local\Temp\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe"

C:\Users\Admin\AppData\Local\Temp\3582-490\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe

"C:\Users\Admin\AppData\Local\Temp\3582-490\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 192.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
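Every row in the table above is either a reverse (PTR) lookup sent to 8.8.8.8 or a DNS/TLS exchange with tse1.mm.bing.net, which is the kind of traffic a fresh Windows sandbox image generates on its own; nothing in it points at a destination the sample chose. The script below is an added example, not part of the original report, that parses these rows, sorts them into reverse-DNS noise, OS background traffic and rows that still need review, and recovers the address behind each PTR name. The allow-list of background hostnames is an assumption to tune for the sandbox image in use, and the single non-report row used to show the "review" bucket is constructed.

```python
import ipaddress
from collections import Counter
from dataclasses import dataclass
from typing import List

# The Network table from behavioral1, copied row for row (Country, Destination, Domain, Proto).
REPORT_NETWORK_ROWS = """\
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 192.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
"""

# Assumption for this example: hostname suffixes that Windows itself contacts in a clean
# sandbox (Bing thumbnails/search, update and connectivity checks). Tune per sandbox image.
OS_BACKGROUND_SUFFIXES = ('.bing.net', '.microsoft.com', '.windowsupdate.com', '.msftconnecttest.com')


@dataclass
class NetRow:
    country: str
    dst_ip: str
    dst_port: int
    domain: str
    proto: str
    category: str


def ptr_to_ip(name: str) -> str:
    """Turn a PTR name such as 97.17.167.52.in-addr.arpa back into the address looked up (52.167.17.97)."""
    suffix = '.in-addr.arpa'
    if not name.lower().endswith(suffix):
        raise ValueError(f'not an IPv4 PTR name: {name}')
    labels = name[:-len(suffix)].split('.')
    if len(labels) != 4:
        raise ValueError(f'not an IPv4 PTR name: {name}')
    return str(ipaddress.IPv4Address('.'.join(reversed(labels))))


def classify(domain: str, dst_port: int) -> str:
    """Bucket one row; only 'review' rows are candidate attacker destinations."""
    d = domain.lower()
    if d.endswith('.in-addr.arpa'):
        return 'reverse_dns'        # PTR lookup of an address the OS already talked to
    if d.endswith(OS_BACKGROUND_SUFFIXES):
        return 'os_background'      # sandbox/OS background traffic per the allow-list above
    if dst_port == 53:
        return 'dns_query'          # name resolution for something not on the allow-list
    return 'review'                 # unexplained connection: possible C2 or exfiltration


def parse_rows(text: str) -> List[NetRow]:
    """Parse 'Country Destination Domain Proto' rows as printed in the report."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # header line or blank
        country, dest, domain, proto = parts
        ip, port = dest.rsplit(':', 1)
        rows.append(NetRow(country, ip, int(port), domain, proto, classify(domain, int(port))))
    return rows


def summarize(rows: List[NetRow]) -> dict:
    return dict(Counter(r.category for r in rows))


def unexplained(rows: List[NetRow]) -> List[NetRow]:
    return [r for r in rows if r.category == 'review']


def looked_up_addresses(rows: List[NetRow]) -> List[str]:
    """Addresses behind the PTR queries, in address order; useful for pivoting on who the host spoke to."""
    ips = {ptr_to_ip(r.domain) for r in rows if r.category == 'reverse_dns'}
    return sorted(ips, key=ipaddress.IPv4Address)


if __name__ == '__main__':
    rows = parse_rows(REPORT_NETWORK_ROWS)
    print(summarize(rows))
    print('unexplained:', [(r.dst_ip, r.dst_port, r.domain) for r in unexplained(rows)])
    print('PTR targets:', looked_up_addresses(rows))
```

Run against the report's rows the summary contains only reverse_dns and os_background entries and the unexplained list is empty, which is the state a "no C2 observed" call should be based on; the PTR targets list is what to pivot on if the reverse lookups themselves look out of place for the image.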

Files

memory/4184-0-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\3582-490\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe

MD5 4ac882ebdbc1431cdd3ab45e1712ada1
SHA1 b871304fd060b700fd66ce0c87014ec955d12979
SHA256 b13f23643fddce3f41b6908a00051b6688788668c81d698994c140bf6290c2d6
SHA512 f3ff8d00849289436b723bc48c14113e51b583955d7f69870458d7b7d72ba214ad531d601a950b247f43325a610fd15cd6584008fd842a29c1dd0804ee2e6f98

C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE

MD5 a40427e3788637e741fb69ea8d76cd52
SHA1 f8c8c7ec493e32a7573d90ce400fccd79fc98f31
SHA256 18dcc8fae245869d02b7db0edbe22ec57a30bdd51a64090452118a79ba194052
SHA512 e6b688d4ad0506c74db323b50a2588472f45e66da2a3456450aea96d93882b13662f8b3bbed7773180f5bec851a31d2e45262ecb9283b425c60c8caa06d56ca2

memory/4184-98-0x0000000000400000-0x000000000042B000-memory.dmp

memory/4184-99-0x0000000000400000-0x000000000042B000-memory.dmp

memory/4184-100-0x0000000000400000-0x000000000042B000-memory.dmp

memory/4184-102-0x0000000000400000-0x000000000042B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-23 04:41

Reported

2024-07-23 04:43

Platform

win11-20240709-en

Max time kernel

149s

Max time network

129s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe"

Signatures

Detect Neshta payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Neshta

persistence spyware neshta

Sets service image path in registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\DOYBUhaHlsyZSrlwldpMikdWxheGr\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\DOYBUhaHlsyZSrlwldpMikdWxheGr" C:\Users\Admin\AppData\Local\Temp\3582-490\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe N/A

Reads user/profile data of web browsers

spyware stealer

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE C:\Users\Admin\AppData\Local\Temp\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE C:\Users\Admin\AppData\Local\Temp\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe C:\Users\Admin\AppData\Local\Temp\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.371\GOBD5D~1.EXE C:\Users\Admin\AppData\Local\Temp\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EdgeUpdate_bk\1.3.143.57\MicrosoftEdgeUpdateSetup.exe C:\Users\Admin\AppData\Local\Temp\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe C:\Users\Admin\AppData\Local\Temp\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\Application\90.0.818.66\cookie_exporter.exe C:\Users\Admin\AppData\Local\Temp\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\wmpshare.exe C:\Users\Admin\AppData\Local\Temp\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe N/A
File opened for modification C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe C:\Users\Admin\AppData\Local\Temp\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE C:\Users\Admin\AppData\Local\Temp\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\java.exe C:\Users\Admin\AppData\Local\Temp\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.371\GOF5E2~1.EXE C:\Users\Admin\AppData\Local\Temp\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\Application\90.0.818.66\BHO\ie_to_edge_stub.exe C:\Users\Admin\AppData\Local\Temp\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe N/A
File opened for modification C:\PROGRA~2\MOZILL~1\UNINST~1.EXE C:\Users\Admin\AppData\Local\Temp\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\DISABL~1.EXE C:\Users\Admin\AppData\Local\Temp\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\Application\90.0.818.66\Installer\setup.exe C:\Users\Admin\AppData\Local\Temp\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\Application\90.0.818.66\msedgewebview2.exe C:\Users\Admin\AppData\Local\Temp\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\Application\msedge.exe C:\Users\Admin\AppData\Local\Temp\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe C:\Users\Admin\AppData\Local\Temp\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EdgeUpdate_bk\1.3.143.57\MicrosoftEdgeComRegisterShellARM64.exe C:\Users\Admin\AppData\Local\Temp\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe N/A
File opened for modification C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE C:\Users\Admin\AppData\Local\Temp\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE C:\Users\Admin\AppData\Local\Temp\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\wmpconfig.exe C:\Users\Admin\AppData\Local\Temp\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe N/A
File opened for modification C:\PROGRA~2\WI8A19~1\ImagingDevices.exe C:\Users\Admin\AppData\Local\Temp\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE C:\Users\Admin\AppData\Local\Temp\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.371\GO664E~1.EXE C:\Users\Admin\AppData\Local\Temp\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\Application\90.0.818.66\identity_helper.exe C:\Users\Admin\AppData\Local\Temp\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EdgeUpdate_bk\1.3.143.57\MicrosoftEdgeUpdateComRegisterShell64.exe C:\Users\Admin\AppData\Local\Temp\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\wmlaunch.exe C:\Users\Admin\AppData\Local\Temp\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE C:\Users\Admin\AppData\Local\Temp\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\Application\90.0.818.66\msedge.exe C:\Users\Admin\AppData\Local\Temp\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{D87AE~1\WINDOW~1.EXE C:\Users\Admin\AppData\Local\Temp\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE C:\Users\Admin\AppData\Local\Temp\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaw.exe C:\Users\Admin\AppData\Local\Temp\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~2\wabmig.exe C:\Users\Admin\AppData\Local\Temp\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe C:\Users\Admin\AppData\Local\Temp\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE C:\Users\Admin\AppData\Local\Temp\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe C:\Users\Admin\AppData\Local\Temp\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\Application\90.0.818.66\msedge_proxy.exe C:\Users\Admin\AppData\Local\Temp\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\iexplore.exe C:\Users\Admin\AppData\Local\Temp\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\Application\90.0.818.66\msedge_pwa_launcher.exe C:\Users\Admin\AppData\Local\Temp\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EdgeUpdate_bk\1.3.143.57\MicrosoftEdgeUpdateBroker.exe C:\Users\Admin\AppData\Local\Temp\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe N/A
File opened for modification C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE C:\Users\Admin\AppData\Local\Temp\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE C:\Users\Admin\AppData\Local\Temp\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaws.exe C:\Users\Admin\AppData\Local\Temp\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~3.EXE C:\Users\Admin\AppData\Local\Temp\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\ielowutil.exe C:\Users\Admin\AppData\Local\Temp\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\Application\90.0.818.66\notification_helper.exe C:\Users\Admin\AppData\Local\Temp\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\Application\90.0.818.66\pwahelper.exe C:\Users\Admin\AppData\Local\Temp\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EdgeUpdate_bk\1.3.143.57\MicrosoftEdgeUpdateCore.exe C:\Users\Admin\AppData\Local\Temp\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~2\wab.exe C:\Users\Admin\AppData\Local\Temp\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe C:\Users\Admin\AppData\Local\Temp\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE C:\Users\Admin\AppData\Local\Temp\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~2.EXE C:\Users\Admin\AppData\Local\Temp\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\ExtExport.exe C:\Users\Admin\AppData\Local\Temp\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\setup_wm.exe C:\Users\Admin\AppData\Local\Temp\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\wmplayer.exe C:\Users\Admin\AppData\Local\Temp\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE C:\Users\Admin\AppData\Local\Temp\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE C:\Users\Admin\AppData\Local\Temp\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~4.EXE C:\Users\Admin\AppData\Local\Temp\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe N/A
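The two registry writes above (the service ImagePath set under "Sets service image path in registry", and the exefile open command rewritten to C:\Windows\svchost.com "%1" %*, reported under both "Modifies system executable filetype association" and "Modifies registry class") are the persistence footprint to look for: with that verb in place every .exe launch on the host is routed through the dropped svchost.com first, and a service whose image lives under a user's Temp directory survives reboot. The script below is an added example, not part of the original report, that reads indicator rows in the form the sandbox prints them and flags both mechanisms. The two benign rows in the sample (the Windows default "%1" %* command and a driver under System32) are constructed to show the checks do not fire on normal values, and the list of user-writable path fragments is an assumption to adapt to the environment.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed input for this example: the two "Set value (str)" rows from the behavioral2
# signatures as the sandbox prints them, plus two benign rows made up for contrast.
SAMPLE_INDICATORS = [
    r'Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\DOYBUhaHlsyZSrlwldpMikdWxheGr\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\DOYBUhaHlsyZSrlwldpMikdWxheGr"',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"',
    r'Set value (str) \REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Services\ExampleDrv\ImagePath = "\\SystemRoot\\System32\\drivers\\exampledrv.sys"',
]

# What a clean Windows install has for the exefile open verb: run the file itself with its arguments.
DEFAULT_EXEFILE_COMMAND = '"%1" %*'

INDICATOR_RE = re.compile(r'^Set value \((\w+)\) (\S+) = "(.*)"$')
EXEFILE_KEY_RE = re.compile(r'\\registry\\machine\\software\\classes\\exefile\\shell\\open\\command\\?$')
SERVICE_IMAGEPATH_RE = re.compile(
    r'\\registry\\machine\\system\\(controlset\d+|currentcontrolset)\\services\\([^\\]+)\\imagepath$')

# Assumption: directory fragments a legitimate service image path should not live under.
# Illustrative, not a complete policy; tune per environment.
USER_WRITABLE_FRAGMENTS = ('\\users\\', '\\appdata\\', '\\temp\\', '\\programdata\\')


@dataclass
class Finding:
    technique: str   # short label for the persistence technique observed
    key: str         # registry key/value path as printed by the sandbox
    data: str        # value data with the sandbox's string escaping removed


def unescape(data: str) -> str:
    """Undo the backslash and double-quote escaping the sandbox applies to REG_SZ data."""
    out, i = [], 0
    while i < len(data):
        if data[i] == '\\' and i + 1 < len(data) and data[i + 1] in '\\"':
            out.append(data[i + 1])
            i += 2
        else:
            out.append(data[i])
            i += 1
    return ''.join(out)


def parse_indicator(line: str) -> Optional[Tuple[str, str, str]]:
    """Split one 'Set value (type) key = "data"' row into (type, key, unescaped data)."""
    m = INDICATOR_RE.match(line.strip())
    if not m:
        return None
    return m.group(1), m.group(2), unescape(m.group(3))


def triage(lines: List[str]) -> List[Finding]:
    """Flag the exefile open-verb hijack and service images under user-writable paths."""
    findings: List[Finding] = []
    for line in lines:
        parsed = parse_indicator(line)
        if parsed is None:
            continue
        _, key, data = parsed
        key_l = key.lower()
        if EXEFILE_KEY_RE.search(key_l):
            # Anything but the default means every .exe launch is proxied through
            # whatever binary is named first (here C:\Windows\svchost.com).
            if data.strip() != DEFAULT_EXEFILE_COMMAND:
                findings.append(Finding('exefile_hijack', key, data))
        elif SERVICE_IMAGEPATH_RE.search(key_l):
            # Drop the NT object-manager prefix before looking at the Win32 path.
            path_l = data.lower()
            if path_l.startswith('\\??\\'):
                path_l = path_l[4:]
            if any(frag in path_l for frag in USER_WRITABLE_FRAGMENTS):
                findings.append(Finding('service_imagepath_user_writable', key, data))
    return findings


if __name__ == '__main__':
    for f in triage(SAMPLE_INDICATORS):
        print(f'{f.technique}: {f.key} -> {f.data}')
```

On a live host the same two checks translate to reading HKLM\SOFTWARE\Classes\exefile\shell\open\command and the ImagePath of each key under HKLM\SYSTEM\CurrentControlSet\Services; the ControlSet001 path in the report is the sandbox's view of the same hive, which is why the service regex accepts both spellings. Restoring the exefile verb to "%1" %* is only useful after C:\Windows\svchost.com and the infected host executables listed under "Drops file in Program Files directory" have been dealt with.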

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe N/A
(the row above is repeated 32 times in the original report, all for the same process)

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2472 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe C:\Users\Admin\AppData\Local\Temp\3582-490\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe
PID 2472 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe C:\Users\Admin\AppData\Local\Temp\3582-490\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe
PID 1992 wrote to memory of 4740 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe C:\Windows\system32\cmd.exe
PID 1992 wrote to memory of 4740 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe C:\Windows\system32\cmd.exe
PID 1992 wrote to memory of 548 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe C:\Windows\system32\cmd.exe
PID 1992 wrote to memory of 548 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe C:\Windows\system32\cmd.exe
PID 1992 wrote to memory of 4416 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe C:\Windows\system32\cmd.exe
PID 1992 wrote to memory of 4416 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe C:\Windows\system32\cmd.exe
PID 1992 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe C:\Windows\system32\cmd.exe
PID 1992 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe C:\Windows\system32\cmd.exe
PID 1992 wrote to memory of 3580 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe C:\Windows\system32\cmd.exe
PID 1992 wrote to memory of 3580 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe C:\Windows\system32\cmd.exe
PID 1992 wrote to memory of 4092 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe C:\Windows\system32\cmd.exe
PID 1992 wrote to memory of 4092 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe C:\Windows\system32\cmd.exe
PID 1992 wrote to memory of 5040 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe C:\Windows\system32\cmd.exe
PID 1992 wrote to memory of 5040 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe C:\Windows\system32\cmd.exe
PID 1992 wrote to memory of 736 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe C:\Windows\system32\cmd.exe
PID 1992 wrote to memory of 736 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe C:\Windows\system32\cmd.exe
PID 1992 wrote to memory of 4636 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe C:\Windows\system32\cmd.exe
PID 1992 wrote to memory of 4636 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe C:\Windows\system32\cmd.exe
PID 1992 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe C:\Windows\system32\cmd.exe
PID 1992 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe C:\Windows\system32\cmd.exe
PID 1992 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe C:\Windows\system32\cmd.exe
PID 1992 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe C:\Windows\system32\cmd.exe
PID 1992 wrote to memory of 3392 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe C:\Windows\system32\cmd.exe
PID 1992 wrote to memory of 3392 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe C:\Windows\system32\cmd.exe
PID 1992 wrote to memory of 3308 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe C:\Windows\system32\cmd.exe
PID 1992 wrote to memory of 3308 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe C:\Windows\system32\cmd.exe
PID 1992 wrote to memory of 4188 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe C:\Windows\system32\cmd.exe
PID 1992 wrote to memory of 4188 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe C:\Windows\system32\cmd.exe
PID 1992 wrote to memory of 1404 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe C:\Windows\system32\cmd.exe
PID 1992 wrote to memory of 1404 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe C:\Windows\system32\cmd.exe
PID 1992 wrote to memory of 3468 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe C:\Windows\system32\cmd.exe
PID 1992 wrote to memory of 3468 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe C:\Windows\system32\cmd.exe
PID 1992 wrote to memory of 3416 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe C:\Windows\system32\cmd.exe
PID 1992 wrote to memory of 3416 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe C:\Windows\system32\cmd.exe
PID 1992 wrote to memory of 4312 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe C:\Windows\system32\cmd.exe
PID 1992 wrote to memory of 4312 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe C:\Windows\system32\cmd.exe
PID 1992 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe C:\Windows\system32\cmd.exe
PID 1992 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe C:\Windows\system32\cmd.exe
PID 1992 wrote to memory of 128 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe C:\Windows\system32\cmd.exe
PID 1992 wrote to memory of 128 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe C:\Windows\system32\cmd.exe
PID 1992 wrote to memory of 5072 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe C:\Windows\system32\cmd.exe
PID 1992 wrote to memory of 5072 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe C:\Windows\system32\cmd.exe
PID 1992 wrote to memory of 5084 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe C:\Windows\system32\cmd.exe
PID 1992 wrote to memory of 5084 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe C:\Windows\system32\cmd.exe
PID 1992 wrote to memory of 4784 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe C:\Windows\system32\cmd.exe
PID 1992 wrote to memory of 4784 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe C:\Windows\system32\cmd.exe
PID 1992 wrote to memory of 3228 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe C:\Windows\system32\cmd.exe
PID 1992 wrote to memory of 3228 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe C:\Windows\system32\cmd.exe
PID 1992 wrote to memory of 4316 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe C:\Windows\system32\cmd.exe
PID 1992 wrote to memory of 4316 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe C:\Windows\system32\cmd.exe
PID 1992 wrote to memory of 4164 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe C:\Windows\system32\cmd.exe
PID 1992 wrote to memory of 4164 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe C:\Windows\system32\cmd.exe
PID 1992 wrote to memory of 5024 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe C:\Windows\system32\cmd.exe
PID 1992 wrote to memory of 5024 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe C:\Windows\system32\cmd.exe
PID 1992 wrote to memory of 4804 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe C:\Windows\system32\cmd.exe
PID 1992 wrote to memory of 4804 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe C:\Windows\system32\cmd.exe
PID 1992 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe C:\Windows\system32\cmd.exe
PID 1992 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe C:\Windows\system32\cmd.exe
PID 1992 wrote to memory of 3996 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe C:\Windows\system32\cmd.exe
PID 1992 wrote to memory of 3996 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe C:\Windows\system32\cmd.exe
PID 1992 wrote to memory of 4564 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe C:\Windows\system32\cmd.exe
PID 1992 wrote to memory of 4564 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe C:\Windows\system32\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe

"C:\Users\Admin\AppData\Local\Temp\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe"

C:\Users\Admin\AppData\Local\Temp\3582-490\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe

"C:\Users\Admin\AppData\Local\Temp\3582-490\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

(the two lines above, one cmd.exe process started with /c cls, are repeated for 95 separate cmd.exe processes in the original report; the WriteProcessMemory table above attributes the 31 it lists to PID 1992, the 3582-490 copy of the sample)
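The WriteProcessMemory table and the process list together show the Neshta execution chain: the submitted sample (PID 2472) writes a copy of itself under %TEMP%\3582-490\ and starts it (PID 1992), and that copy then spawns cmd.exe /c cls over and over (31 children in the signature table, 95 in the process list). The 3582-490 directory is where Neshta stores the original host program before running it and is a long-standing hallmark of the family; the dropped copy having a different hash from the submitted sample (see Files below) fits that. The following is an added example, not part of the sandbox report, of detection logic for both behaviours run over process-creation events; the event records are constructed here from the report's own PIDs, paths and command lines, and the field names (pid, ppid, image, cmdline) loosely follow Sysmon Event ID 1 and are an assumption to adapt to your own telemetry.

```python
"""Detection logic for the Neshta execution chain shown in this report.

Added example, not part of the sandbox report.  The process-creation events
are CONSTRUCTED here from the report's own PIDs, paths and command lines;
the record fields (pid, ppid, image, cmdline) loosely follow Sysmon Event ID 1
and are an assumption to adapt to whatever telemetry you actually have.
"""
import ntpath
import re
from collections import Counter

# %TEMP%\3582-490\ is where Neshta writes the original host program before
# running it; the directory name is a long-standing hallmark of the family.
NESHTA_STAGING_DIR = re.compile(r"\\AppData\\Local\\Temp\\3582-490\\", re.IGNORECASE)

# "cmd.exe ... /c cls" with nothing after the cls.
CLS_CMDLINE = re.compile(r"\s/c\s+cls\s*$", re.IGNORECASE)

# How many cmd.exe /c cls children from one parent count as a burst (assumption;
# the report shows 31 in the signature table and 95 in the process list).
CLS_BURST_THRESHOLD = 10

SAMPLE = "cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
CMD = r"C:\Windows\system32\cmd.exe"

# PIDs of the cmd.exe children in the report's WriteProcessMemory table.
CLS_CHILD_PIDS = [4740, 548, 4416, 2392, 3580, 4092, 5040, 736, 4636, 2576,
                  2556, 3392, 3308, 4188, 1404, 3468, 3416, 4312, 1200, 128,
                  5072, 5084, 4784, 3228, 4316, 4164, 5024, 4804, 2884, 3996,
                  4564]


def constructed_events():
    """Process-creation events rebuilt from the report (constructed data)."""
    events = [
        # Benign context that must not fire: explorer and one ordinary shell.
        {"pid": 1000, "ppid": 600, "image": r"C:\Windows\explorer.exe",
         "cmdline": "explorer.exe"},
        {"pid": 6000, "ppid": 1000, "image": CMD, "cmdline": f"{CMD} /c dir"},
        # Submitted sample (PID 2472) and the copy it drops and runs (PID 1992).
        {"pid": 2472, "ppid": 1000, "image": f"{TEMP}\\{SAMPLE}",
         "cmdline": f'"{TEMP}\\{SAMPLE}"'},
        {"pid": 1992, "ppid": 2472, "image": f"{TEMP}\\3582-490\\{SAMPLE}",
         "cmdline": f'"{TEMP}\\3582-490\\{SAMPLE}"'},
    ]
    events += [{"pid": p, "ppid": 1992, "image": CMD, "cmdline": f"{CMD} /c cls"}
               for p in CLS_CHILD_PIDS]
    return events


def is_cls_child(ev):
    """True for a cmd.exe whose whole job is 'cls' (console clear)."""
    return (ntpath.basename(ev["image"]).lower() == "cmd.exe"
            and CLS_CMDLINE.search(ev["cmdline"]) is not None)


def detect_neshta_chain(events):
    """Return findings for the two behaviours the report documents.

    Rule 1: a process image inside the 3582-490 staging directory whose parent
            has the same file name outside it (infected host -> clean copy).
    Rule 2: one parent spawning a burst of cmd.exe /c cls children.
    """
    by_pid = {e["pid"]: e for e in events}
    findings = []

    for e in events:
        if NESHTA_STAGING_DIR.search(e["image"]):
            parent = by_pid.get(e["ppid"])
            same_name = (parent is not None
                         and not NESHTA_STAGING_DIR.search(parent["image"])
                         and ntpath.basename(parent["image"]).lower()
                             == ntpath.basename(e["image"]).lower())
            findings.append({"rule": "neshta_staging_exec", "pid": e["pid"],
                             "ppid": e["ppid"], "image": e["image"],
                             "parent_same_basename": same_name})

    cls_children = Counter(e["ppid"] for e in events if is_cls_child(e))
    for ppid, count in sorted(cls_children.items()):
        if count >= CLS_BURST_THRESHOLD:
            findings.append({"rule": "cmd_cls_burst", "pid": ppid, "count": count,
                             "image": by_pid.get(ppid, {}).get("image")})
    return findings


if __name__ == "__main__":
    for finding in detect_neshta_chain(constructed_events()):
        print(finding)
```

Rule 1 is the higher-confidence signal: a process running from %TEMP%\3582-490\ with a same-named parent outside that directory is specific to this family. Rule 2 is a supporting heuristic; the threshold is an assumption, and a single cmd.exe /c cls from a console program is normal, so tune it before alerting on it alone.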

Network

Country Destination Domain Proto
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp

Note: this table is the VM's whole network capture and has no process column, so the report does not tie any of these flows to the sample. Three reverse-DNS (PTR) queries to 8.8.8.8 and five TLS sessions to tse1.mm.bing.net are the background traffic a Windows 10 image generates on its own; nothing here resembles command-and-control, which is consistent with Neshta being a file infector rather than a beaconing implant. Do not lift these destinations as indicators.

Files

memory/2472-0-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\3582-490\cea71a299ebe23ee56705c7b80d1b24751dc45fdbd8762618cfa5c99eccac3da.exe

MD5 4ac882ebdbc1431cdd3ab45e1712ada1
SHA1 b871304fd060b700fd66ce0c87014ec955d12979
SHA256 b13f23643fddce3f41b6908a00051b6688788668c81d698994c140bf6290c2d6
SHA512 f3ff8d00849289436b723bc48c14113e51b583955d7f69870458d7b7d72ba214ad531d601a950b247f43325a610fd15cd6584008fd842a29c1dd0804ee2e6f98

C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE

MD5 a40427e3788637e741fb69ea8d76cd52
SHA1 f8c8c7ec493e32a7573d90ce400fccd79fc98f31
SHA256 18dcc8fae245869d02b7db0edbe22ec57a30bdd51a64090452118a79ba194052
SHA512 e6b688d4ad0506c74db323b50a2588472f45e66da2a3456450aea96d93882b13662f8b3bbed7773180f5bec851a31d2e45262ecb9283b425c60c8caa06d56ca2

memory/2472-119-0x0000000000400000-0x000000000042B000-memory.dmp

memory/2472-122-0x0000000000400000-0x000000000042B000-memory.dmp