neshta | 4b8fe24560d919a2e4d4d347945c7d89eef3e6ddf339ddc7f85ab2633c59cab4

Analysis

max time kernel
152s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
16-06-2022 06:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4b8fe24560d919a2e4d4d347945c7d89eef3e6ddf339ddc7f85ab2633c59cab4.exe
Size

6.8MB
MD5

270765468d8169fa2eb0d59c01683c67
SHA1

e662801c56c133116ca043dcd17e19b0e8fec9a9
SHA256

4b8fe24560d919a2e4d4d347945c7d89eef3e6ddf339ddc7f85ab2633c59cab4
SHA512

57c1cbe1b1ba7519aef7e47feea0e2c2c923ef329817b7e666e5848a78d7df51780ae6cbe389b1fbcec389bc6ee34c910edb7fadffc0d728715c7b1d38924c16

Score

10^/10

neshta persistence spyware stealer

Malware Config

Signatures

Detect Neshta Payload 41 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\._cache_4b8fe24560d919a2e4d4d347945c7d89eef3e6ddf339ddc7f85ab2633c59cab4.exe	family_neshta
C:\Users\Admin\AppData\Local\Temp\._cache_4b8fe24560d919a2e4d4d347945c7d89eef3e6ddf339ddc7f85ab2633c59cab4.exe	family_neshta
C:\Users\Admin\AppData\Local\Temp\3582-490\._cache_4b8fe24560d919a2e4d4d347945c7d89eef3e6ddf339ddc7f85ab2633c59cab4.exe	family_neshta
C:\Users\Admin\AppData\Local\Temp\3582-490\._cache_4b8fe24560d919a2e4d4d347945c7d89eef3e6ddf339ddc7f85ab2633c59cab4.exe	family_neshta
C:\Users\Admin\AppData\Local\Temp\._cache_._cache_4b8fe24560d919a2e4d4d347945c7d89eef3e6ddf339ddc7f85ab2633c59cab4.exe	family_neshta
C:\Users\Admin\AppData\Local\Temp\._cache_._cache_4b8fe24560d919a2e4d4d347945c7d89eef3e6ddf339ddc7f85ab2633c59cab4.exe	family_neshta
C:\Windows\svchost.com	family_neshta
C:\Windows\svchost.com	family_neshta
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE	family_neshta
C:\Users\Admin\AppData\Local\Temp\3582-490\._cache_._cache_4b8fe24560d919a2e4d4d347945c7d89eef3e6ddf339ddc7f85ab2633c59cab4.exe	family_neshta
C:\odt\OFFICE~1.EXE	family_neshta
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE	family_neshta
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE	family_neshta
C:\Windows\svchost.com	family_neshta
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE	family_neshta
C:\Users\Admin\AppData\Local\Temp\3582-490\._cache__CACHE~2.EXE	family_neshta
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE	family_neshta
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE	family_neshta
C:\Windows\svchost.com	family_neshta
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE	family_neshta
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE	family_neshta
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE	family_neshta
C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe	family_neshta
C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe	family_neshta
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE	family_neshta
C:\Windows\svchost.com	family_neshta
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE	family_neshta
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE	family_neshta
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE	family_neshta
C:\Windows\svchost.com	family_neshta
C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe	family_neshta
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE	family_neshta
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE	family_neshta
C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	family_neshta
C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~3.EXE	family_neshta
C:\PROGRA~2\Google\Update\1336~1.71\GO664E~1.EXE	family_neshta
C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE	family_neshta
C:\PROGRA~2\Google\Update\DISABL~1.EXE	family_neshta
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE	family_neshta
C:\Windows\svchost.com	family_neshta
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE	family_neshta

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

._cache_4b8fe24560d919a2e4d4d347945c7d89eef3e6ddf339ddc7f85ab2633c59cab4.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	._cache_4b8fe24560d919a2e4d4d347945c7d89eef3e6ddf339ddc7f85ab2633c59cab4.exe

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta

Executes dropped EXE 64 IoCs

Processes:

._cache_4b8fe24560d919a2e4d4d347945c7d89eef3e6ddf339ddc7f85ab2633c59cab4.exe._cache_4b8fe24560d919a2e4d4d347945c7d89eef3e6ddf339ddc7f85ab2633c59cab4.exeSynaptics.exe._cache_._cache_4b8fe24560d919a2e4d4d347945c7d89eef3e6ddf339ddc7f85ab2633c59cab4.exesvchost.com_CACHE~2.EXE._cache__CACHE~2.EXEsvchost.com_CACHE~1.EXE._cache__CACHE~1.EXEsvchost.com_CACHE~1.EXE._cache__CACHE~1.EXEsvchost.com_CACHE~1.EXE._cache__CACHE~1.EXEsvchost.com_CACHE~1.EXE._cache__CACHE~1.EXEsvchost.com_CACHE~1.EXE._cache__CACHE~1.EXEsvchost.com_CACHE~1.EXE._cache__CACHE~1.EXEsvchost.com_CACHE~1.EXE._cache__CACHE~1.EXEsvchost.com_CACHE~1.EXE._cache__CACHE~1.EXEsvchost.com_CACHE~1.EXE._cache__CACHE~1.EXEsvchost.com_CACHE~1.EXE._cache__CACHE~1.EXEsvchost.com_CACHE~1.EXE._cache__CACHE~1.EXEsvchost.com_CACHE~1.EXE._cache__CACHE~1.EXEsvchost.com_CACHE~1.EXE._cache__CACHE~1.EXEsvchost.com_CACHE~1.EXE._cache__CACHE~1.EXEsvchost.com_CACHE~1.EXE._cache__CACHE~1.EXEsvchost.com_CACHE~1.EXE._cache__CACHE~1.EXEsvchost.com_CACHE~1.EXE._cache__CACHE~1.EXEsvchost.com_CACHE~1.EXE._cache__CACHE~1.EXEsvchost.com_CACHE~1.EXE._cache__CACHE~1.EXE

pid	process
5060	._cache_4b8fe24560d919a2e4d4d347945c7d89eef3e6ddf339ddc7f85ab2633c59cab4.exe
4072	._cache_4b8fe24560d919a2e4d4d347945c7d89eef3e6ddf339ddc7f85ab2633c59cab4.exe
3424	Synaptics.exe
4236	._cache_._cache_4b8fe24560d919a2e4d4d347945c7d89eef3e6ddf339ddc7f85ab2633c59cab4.exe
1240	svchost.com
1720	_CACHE~2.EXE
1080	._cache__CACHE~2.EXE
4228	svchost.com
5016	_CACHE~1.EXE
4012	._cache__CACHE~1.EXE
2108	svchost.com
2368	_CACHE~1.EXE
2708	._cache__CACHE~1.EXE
1980	svchost.com
3688	_CACHE~1.EXE
3348	._cache__CACHE~1.EXE
800	svchost.com
2692	_CACHE~1.EXE
1748	._cache__CACHE~1.EXE
4784	svchost.com
1844	_CACHE~1.EXE
3668	._cache__CACHE~1.EXE
4568	svchost.com
2936	_CACHE~1.EXE
444	._cache__CACHE~1.EXE
3664	svchost.com
1808	_CACHE~1.EXE
3744	._cache__CACHE~1.EXE
3480	svchost.com
2296	_CACHE~1.EXE
4952	._cache__CACHE~1.EXE
636	svchost.com
1096	_CACHE~1.EXE
1412	._cache__CACHE~1.EXE
4908	svchost.com
2256	_CACHE~1.EXE
1684	._cache__CACHE~1.EXE
3504	svchost.com
2400	_CACHE~1.EXE
3372	._cache__CACHE~1.EXE
3124	svchost.com
5044	_CACHE~1.EXE
3976	._cache__CACHE~1.EXE
648	svchost.com
2928	_CACHE~1.EXE
2368	._cache__CACHE~1.EXE
3720	svchost.com
5084	_CACHE~1.EXE
2812	._cache__CACHE~1.EXE
3468	svchost.com
2944	_CACHE~1.EXE
4628	._cache__CACHE~1.EXE
4524	svchost.com
4264	_CACHE~1.EXE
1400	._cache__CACHE~1.EXE
1724	svchost.com
4452	_CACHE~1.EXE
2960	._cache__CACHE~1.EXE
3364	svchost.com
2408	_CACHE~1.EXE
4052	._cache__CACHE~1.EXE
4852	svchost.com
3644	_CACHE~1.EXE
4372	._cache__CACHE~1.EXE

Checks computer location settings 2 TTPs 61 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

._cache_4b8fe24560d919a2e4d4d347945c7d89eef3e6ddf339ddc7f85ab2633c59cab4.exe._cache__CACHE~1.EXE._cache__CACHE~1.EXE._cache__CACHE~1.EXE._cache__CACHE~1.EXE_CACHE~1.EXE_CACHE~1.EXE_CACHE~1.EXE._cache__CACHE~2.EXE_CACHE~1.EXE._cache__CACHE~1.EXE_CACHE~1.EXE_CACHE~1.EXE_CACHE~1.EXE_CACHE~1.EXE4b8fe24560d919a2e4d4d347945c7d89eef3e6ddf339ddc7f85ab2633c59cab4.exe._cache__CACHE~1.EXE._cache__CACHE~1.EXE_CACHE~1.EXE_CACHE~2.EXE_CACHE~1.EXE._cache__CACHE~1.EXE._cache__CACHE~1.EXE._cache__CACHE~1.EXE._cache__CACHE~1.EXE._cache_4b8fe24560d919a2e4d4d347945c7d89eef3e6ddf339ddc7f85ab2633c59cab4.exe_CACHE~1.EXE_CACHE~1.EXE_CACHE~1.EXE_CACHE~1.EXE_CACHE~1.EXE._cache__CACHE~1.EXE_CACHE~1.EXE._cache__CACHE~1.EXE._cache__CACHE~1.EXE._cache__CACHE~1.EXE_CACHE~1.EXE._cache__CACHE~1.EXE._cache__CACHE~1.EXE._cache__CACHE~1.EXE_CACHE~1.EXE._cache__CACHE~1.EXE_CACHE~1.EXE._cache__CACHE~1.EXE_CACHE~1.EXE._cache__CACHE~1.EXE._cache__CACHE~1.EXE._cache_._cache_4b8fe24560d919a2e4d4d347945c7d89eef3e6ddf339ddc7f85ab2633c59cab4.exe_CACHE~1.EXE_CACHE~1.EXE._cache__CACHE~1.EXE_CACHE~1.EXE_CACHE~1.EXE_CACHE~1.EXE_CACHE~1.EXE_CACHE~1.EXE_CACHE~1.EXE._cache__CACHE~1.EXE._cache__CACHE~1.EXE._cache__CACHE~1.EXE._cache__CACHE~1.EXE

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	._cache_4b8fe24560d919a2e4d4d347945c7d89eef3e6ddf339ddc7f85ab2633c59cab4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	._cache__CACHE~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	._cache__CACHE~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	._cache__CACHE~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	._cache__CACHE~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	_CACHE~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	_CACHE~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	_CACHE~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	._cache__CACHE~2.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	_CACHE~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	._cache__CACHE~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	_CACHE~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	_CACHE~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	_CACHE~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	_CACHE~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	4b8fe24560d919a2e4d4d347945c7d89eef3e6ddf339ddc7f85ab2633c59cab4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	._cache__CACHE~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	._cache__CACHE~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	_CACHE~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	_CACHE~2.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	_CACHE~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	._cache__CACHE~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	._cache__CACHE~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	._cache__CACHE~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	._cache__CACHE~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	._cache_4b8fe24560d919a2e4d4d347945c7d89eef3e6ddf339ddc7f85ab2633c59cab4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	_CACHE~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	_CACHE~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	_CACHE~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	_CACHE~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	_CACHE~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	._cache__CACHE~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	_CACHE~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	._cache__CACHE~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	._cache__CACHE~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	._cache__CACHE~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	_CACHE~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	._cache__CACHE~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	._cache__CACHE~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	._cache__CACHE~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	_CACHE~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	._cache__CACHE~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	_CACHE~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	._cache__CACHE~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	_CACHE~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	._cache__CACHE~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	._cache__CACHE~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	._cache_._cache_4b8fe24560d919a2e4d4d347945c7d89eef3e6ddf339ddc7f85ab2633c59cab4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	_CACHE~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	_CACHE~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	._cache__CACHE~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	_CACHE~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	_CACHE~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	_CACHE~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	_CACHE~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	_CACHE~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	_CACHE~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	._cache__CACHE~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	._cache__CACHE~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	._cache__CACHE~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	._cache__CACHE~1.EXE

Loads dropped DLL 54 IoCs

Processes:

_CACHE~1.EXE_CACHE~1.EXE_CACHE~1.EXE_CACHE~1.EXE_CACHE~1.EXE_CACHE~1.EXE_CACHE~1.EXE_CACHE~1.EXE_CACHE~1.EXE_CACHE~1.EXE_CACHE~1.EXE_CACHE~1.EXE_CACHE~1.EXE_CACHE~1.EXE_CACHE~1.EXE_CACHE~1.EXE_CACHE~1.EXE_CACHE~1.EXE_CACHE~1.EXE_CACHE~1.EXE_CACHE~1.EXE_CACHE~1.EXE_CACHE~1.EXE_CACHE~1.EXE_CACHE~1.EXE_CACHE~1.EXE_CACHE~1.EXE

pid	process
2368	_CACHE~1.EXE
2368	_CACHE~1.EXE
3688	_CACHE~1.EXE
3688	_CACHE~1.EXE
2692	_CACHE~1.EXE
2692	_CACHE~1.EXE
1844	_CACHE~1.EXE
1844	_CACHE~1.EXE
2936	_CACHE~1.EXE
2936	_CACHE~1.EXE
1808	_CACHE~1.EXE
1808	_CACHE~1.EXE
2296	_CACHE~1.EXE
2296	_CACHE~1.EXE
1096	_CACHE~1.EXE
1096	_CACHE~1.EXE
2256	_CACHE~1.EXE
2256	_CACHE~1.EXE
2400	_CACHE~1.EXE
2400	_CACHE~1.EXE
5044	_CACHE~1.EXE
5044	_CACHE~1.EXE
2928	_CACHE~1.EXE
2928	_CACHE~1.EXE
5084	_CACHE~1.EXE
5084	_CACHE~1.EXE
2944	_CACHE~1.EXE
2944	_CACHE~1.EXE
4264	_CACHE~1.EXE
4264	_CACHE~1.EXE
4452	_CACHE~1.EXE
4452	_CACHE~1.EXE
2408	_CACHE~1.EXE
2408	_CACHE~1.EXE
3644	_CACHE~1.EXE
3644	_CACHE~1.EXE
1124	_CACHE~1.EXE
1124	_CACHE~1.EXE
3492	_CACHE~1.EXE
3492	_CACHE~1.EXE
1532	_CACHE~1.EXE
1532	_CACHE~1.EXE
528	_CACHE~1.EXE
528	_CACHE~1.EXE
4064	_CACHE~1.EXE
4064	_CACHE~1.EXE
1240	_CACHE~1.EXE
1240	_CACHE~1.EXE
1072	_CACHE~1.EXE
1072	_CACHE~1.EXE
4012	_CACHE~1.EXE
4012	_CACHE~1.EXE
2928	_CACHE~1.EXE
2928	_CACHE~1.EXE

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

4b8fe24560d919a2e4d4d347945c7d89eef3e6ddf339ddc7f85ab2633c59cab4.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	4b8fe24560d919a2e4d4d347945c7d89eef3e6ddf339ddc7f85ab2633c59cab4.exe

Drops file in Program Files directory 64 IoCs

Processes:

._cache_._cache_4b8fe24560d919a2e4d4d347945c7d89eef3e6ddf339ddc7f85ab2633c59cab4.exe._cache_4b8fe24560d919a2e4d4d347945c7d89eef3e6ddf339ddc7f85ab2633c59cab4.exe

description	ioc	process
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE	._cache_._cache_4b8fe24560d919a2e4d4d347945c7d89eef3e6ddf339ddc7f85ab2633c59cab4.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	._cache_4b8fe24560d919a2e4d4d347945c7d89eef3e6ddf339ddc7f85ab2633c59cab4.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\setup_wm.exe	._cache_._cache_4b8fe24560d919a2e4d4d347945c7d89eef3e6ddf339ddc7f85ab2633c59cab4.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmprph.exe	._cache_4b8fe24560d919a2e4d4d347945c7d89eef3e6ddf339ddc7f85ab2633c59cab4.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE	._cache_._cache_4b8fe24560d919a2e4d4d347945c7d89eef3e6ddf339ddc7f85ab2633c59cab4.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~1.EXE	._cache_._cache_4b8fe24560d919a2e4d4d347945c7d89eef3e6ddf339ddc7f85ab2633c59cab4.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe	._cache_4b8fe24560d919a2e4d4d347945c7d89eef3e6ddf339ddc7f85ab2633c59cab4.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe	._cache_4b8fe24560d919a2e4d4d347945c7d89eef3e6ddf339ddc7f85ab2633c59cab4.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GO664E~1.EXE	._cache_._cache_4b8fe24560d919a2e4d4d347945c7d89eef3e6ddf339ddc7f85ab2633c59cab4.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE	._cache_4b8fe24560d919a2e4d4d347945c7d89eef3e6ddf339ddc7f85ab2633c59cab4.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmplayer.exe	._cache_4b8fe24560d919a2e4d4d347945c7d89eef3e6ddf339ddc7f85ab2633c59cab4.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe	._cache_4b8fe24560d919a2e4d4d347945c7d89eef3e6ddf339ddc7f85ab2633c59cab4.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	._cache_._cache_4b8fe24560d919a2e4d4d347945c7d89eef3e6ddf339ddc7f85ab2633c59cab4.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe	._cache_._cache_4b8fe24560d919a2e4d4d347945c7d89eef3e6ddf339ddc7f85ab2633c59cab4.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE	._cache_4b8fe24560d919a2e4d4d347945c7d89eef3e6ddf339ddc7f85ab2633c59cab4.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE	._cache_._cache_4b8fe24560d919a2e4d4d347945c7d89eef3e6ddf339ddc7f85ab2633c59cab4.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpconfig.exe	._cache_._cache_4b8fe24560d919a2e4d4d347945c7d89eef3e6ddf339ddc7f85ab2633c59cab4.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	._cache_._cache_4b8fe24560d919a2e4d4d347945c7d89eef3e6ddf339ddc7f85ab2633c59cab4.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe	._cache_._cache_4b8fe24560d919a2e4d4d347945c7d89eef3e6ddf339ddc7f85ab2633c59cab4.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~3.EXE	._cache_4b8fe24560d919a2e4d4d347945c7d89eef3e6ddf339ddc7f85ab2633c59cab4.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	._cache_4b8fe24560d919a2e4d4d347945c7d89eef3e6ddf339ddc7f85ab2633c59cab4.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	._cache_4b8fe24560d919a2e4d4d347945c7d89eef3e6ddf339ddc7f85ab2633c59cab4.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	._cache_._cache_4b8fe24560d919a2e4d4d347945c7d89eef3e6ddf339ddc7f85ab2633c59cab4.exe
File opened for modification	C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE	._cache_._cache_4b8fe24560d919a2e4d4d347945c7d89eef3e6ddf339ddc7f85ab2633c59cab4.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	._cache_4b8fe24560d919a2e4d4d347945c7d89eef3e6ddf339ddc7f85ab2633c59cab4.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpconfig.exe	._cache_4b8fe24560d919a2e4d4d347945c7d89eef3e6ddf339ddc7f85ab2633c59cab4.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe	._cache_4b8fe24560d919a2e4d4d347945c7d89eef3e6ddf339ddc7f85ab2633c59cab4.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe	._cache_4b8fe24560d919a2e4d4d347945c7d89eef3e6ddf339ddc7f85ab2633c59cab4.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe	._cache_4b8fe24560d919a2e4d4d347945c7d89eef3e6ddf339ddc7f85ab2633c59cab4.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOBD5D~1.EXE	._cache_._cache_4b8fe24560d919a2e4d4d347945c7d89eef3e6ddf339ddc7f85ab2633c59cab4.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe	._cache_._cache_4b8fe24560d919a2e4d4d347945c7d89eef3e6ddf339ddc7f85ab2633c59cab4.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wab.exe	._cache_4b8fe24560d919a2e4d4d347945c7d89eef3e6ddf339ddc7f85ab2633c59cab4.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE	._cache_4b8fe24560d919a2e4d4d347945c7d89eef3e6ddf339ddc7f85ab2633c59cab4.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe	._cache_4b8fe24560d919a2e4d4d347945c7d89eef3e6ddf339ddc7f85ab2633c59cab4.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE	._cache_._cache_4b8fe24560d919a2e4d4d347945c7d89eef3e6ddf339ddc7f85ab2633c59cab4.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~4.EXE	._cache_4b8fe24560d919a2e4d4d347945c7d89eef3e6ddf339ddc7f85ab2633c59cab4.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE	._cache_._cache_4b8fe24560d919a2e4d4d347945c7d89eef3e6ddf339ddc7f85ab2633c59cab4.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE	._cache_4b8fe24560d919a2e4d4d347945c7d89eef3e6ddf339ddc7f85ab2633c59cab4.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	._cache_._cache_4b8fe24560d919a2e4d4d347945c7d89eef3e6ddf339ddc7f85ab2633c59cab4.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpshare.exe	._cache_._cache_4b8fe24560d919a2e4d4d347945c7d89eef3e6ddf339ddc7f85ab2633c59cab4.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE	._cache_._cache_4b8fe24560d919a2e4d4d347945c7d89eef3e6ddf339ddc7f85ab2633c59cab4.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE	._cache_._cache_4b8fe24560d919a2e4d4d347945c7d89eef3e6ddf339ddc7f85ab2633c59cab4.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE	._cache_4b8fe24560d919a2e4d4d347945c7d89eef3e6ddf339ddc7f85ab2633c59cab4.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~1.EXE	._cache_._cache_4b8fe24560d919a2e4d4d347945c7d89eef3e6ddf339ddc7f85ab2633c59cab4.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmlaunch.exe	._cache_._cache_4b8fe24560d919a2e4d4d347945c7d89eef3e6ddf339ddc7f85ab2633c59cab4.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE	._cache_._cache_4b8fe24560d919a2e4d4d347945c7d89eef3e6ddf339ddc7f85ab2633c59cab4.exe
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	._cache_._cache_4b8fe24560d919a2e4d4d347945c7d89eef3e6ddf339ddc7f85ab2633c59cab4.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wab.exe	._cache_._cache_4b8fe24560d919a2e4d4d347945c7d89eef3e6ddf339ddc7f85ab2633c59cab4.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ExtExport.exe	._cache_4b8fe24560d919a2e4d4d347945c7d89eef3e6ddf339ddc7f85ab2633c59cab4.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE	._cache_._cache_4b8fe24560d919a2e4d4d347945c7d89eef3e6ddf339ddc7f85ab2633c59cab4.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MID1AD~1.EXE	._cache_._cache_4b8fe24560d919a2e4d4d347945c7d89eef3e6ddf339ddc7f85ab2633c59cab4.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	._cache_._cache_4b8fe24560d919a2e4d4d347945c7d89eef3e6ddf339ddc7f85ab2633c59cab4.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe	._cache_._cache_4b8fe24560d919a2e4d4d347945c7d89eef3e6ddf339ddc7f85ab2633c59cab4.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmplayer.exe	._cache_._cache_4b8fe24560d919a2e4d4d347945c7d89eef3e6ddf339ddc7f85ab2633c59cab4.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe	._cache_._cache_4b8fe24560d919a2e4d4d347945c7d89eef3e6ddf339ddc7f85ab2633c59cab4.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE	._cache_4b8fe24560d919a2e4d4d347945c7d89eef3e6ddf339ddc7f85ab2633c59cab4.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE	._cache_4b8fe24560d919a2e4d4d347945c7d89eef3e6ddf339ddc7f85ab2633c59cab4.exe
File opened for modification	C:\PROGRA~2\WI8A19~1\ImagingDevices.exe	._cache_._cache_4b8fe24560d919a2e4d4d347945c7d89eef3e6ddf339ddc7f85ab2633c59cab4.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE	._cache_._cache_4b8fe24560d919a2e4d4d347945c7d89eef3e6ddf339ddc7f85ab2633c59cab4.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	._cache_._cache_4b8fe24560d919a2e4d4d347945c7d89eef3e6ddf339ddc7f85ab2633c59cab4.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE	._cache_4b8fe24560d919a2e4d4d347945c7d89eef3e6ddf339ddc7f85ab2633c59cab4.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE	._cache_4b8fe24560d919a2e4d4d347945c7d89eef3e6ddf339ddc7f85ab2633c59cab4.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE	._cache_4b8fe24560d919a2e4d4d347945c7d89eef3e6ddf339ddc7f85ab2633c59cab4.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~4.EXE	._cache_4b8fe24560d919a2e4d4d347945c7d89eef3e6ddf339ddc7f85ab2633c59cab4.exe

Drops file in Windows directory 64 IoCs

Processes:

._cache__CACHE~1.EXE._cache_4b8fe24560d919a2e4d4d347945c7d89eef3e6ddf339ddc7f85ab2633c59cab4.exesvchost.comsvchost.comsvchost.com._cache_._cache_4b8fe24560d919a2e4d4d347945c7d89eef3e6ddf339ddc7f85ab2633c59cab4.exe._cache__CACHE~1.EXE._cache__CACHE~1.EXEsvchost.comsvchost.com._cache__CACHE~1.EXEsvchost.com._cache__CACHE~2.EXEsvchost.com._cache__CACHE~1.EXEsvchost.com._cache__CACHE~1.EXE._cache__CACHE~1.EXEsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.com._cache__CACHE~1.EXEsvchost.com._cache__CACHE~1.EXE._cache__CACHE~1.EXE._cache__CACHE~1.EXE._cache__CACHE~1.EXEsvchost.com._cache__CACHE~1.EXE._cache__CACHE~1.EXEsvchost.com._cache__CACHE~1.EXE._cache__CACHE~1.EXE._cache__CACHE~1.EXEsvchost.comsvchost.comsvchost.com._cache__CACHE~1.EXEsvchost.comsvchost.com._cache__CACHE~1.EXE._cache__CACHE~1.EXEsvchost.com._cache__CACHE~1.EXEsvchost.com._cache__CACHE~1.EXE

description	ioc	process
File opened for modification	C:\Windows\directx.sys	._cache__CACHE~1.EXE
File opened for modification	C:\Windows\svchost.com	._cache_4b8fe24560d919a2e4d4d347945c7d89eef3e6ddf339ddc7f85ab2633c59cab4.exe
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	._cache_._cache_4b8fe24560d919a2e4d4d347945c7d89eef3e6ddf339ddc7f85ab2633c59cab4.exe
File opened for modification	C:\Windows\directx.sys	._cache__CACHE~1.EXE
File opened for modification	C:\Windows\svchost.com	._cache__CACHE~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	._cache__CACHE~1.EXE
File opened for modification	C:\Windows\svchost.com	._cache__CACHE~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	._cache__CACHE~2.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	._cache__CACHE~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	._cache__CACHE~1.EXE
File opened for modification	C:\Windows\svchost.com	._cache__CACHE~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	._cache__CACHE~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	._cache__CACHE~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	._cache__CACHE~1.EXE
File opened for modification	C:\Windows\directx.sys	._cache__CACHE~1.EXE
File opened for modification	C:\Windows\svchost.com	._cache__CACHE~1.EXE
File opened for modification	C:\Windows\svchost.com	._cache__CACHE~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	._cache__CACHE~1.EXE
File opened for modification	C:\Windows\directx.sys	._cache__CACHE~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	._cache__CACHE~1.EXE
File opened for modification	C:\Windows\svchost.com	._cache__CACHE~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	._cache__CACHE~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	._cache__CACHE~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	._cache__CACHE~1.EXE
File opened for modification	C:\Windows\svchost.com	._cache__CACHE~1.EXE
File opened for modification	C:\Windows\directx.sys	._cache__CACHE~1.EXE
File opened for modification	C:\Windows\svchost.com	._cache__CACHE~1.EXE
File opened for modification	C:\Windows\svchost.com	._cache__CACHE~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	._cache__CACHE~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	._cache__CACHE~1.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 61 IoCs

Processes:

_CACHE~1.EXE_CACHE~1.EXE._cache__CACHE~1.EXE_CACHE~1.EXE._cache__CACHE~1.EXE_CACHE~1.EXE_CACHE~1.EXE._cache__CACHE~1.EXE._cache__CACHE~1.EXE_CACHE~1.EXE_CACHE~1.EXE._cache__CACHE~1.EXE_CACHE~1.EXE._cache__CACHE~1.EXE_CACHE~1.EXE_CACHE~1.EXE_CACHE~1.EXE._cache__CACHE~1.EXE._cache__CACHE~1.EXE._cache__CACHE~1.EXE._cache_4b8fe24560d919a2e4d4d347945c7d89eef3e6ddf339ddc7f85ab2633c59cab4.exe_CACHE~1.EXE._cache__CACHE~1.EXE_CACHE~1.EXE_CACHE~1.EXE4b8fe24560d919a2e4d4d347945c7d89eef3e6ddf339ddc7f85ab2633c59cab4.exe_CACHE~1.EXE_CACHE~1.EXE._cache__CACHE~1.EXE_CACHE~1.EXE._cache__CACHE~1.EXE_CACHE~1.EXE_CACHE~2.EXE._cache__CACHE~2.EXE._cache__CACHE~1.EXE_CACHE~1.EXE_CACHE~1.EXE._cache_4b8fe24560d919a2e4d4d347945c7d89eef3e6ddf339ddc7f85ab2633c59cab4.exe._cache__CACHE~1.EXE._cache__CACHE~1.EXE._cache__CACHE~1.EXE._cache__CACHE~1.EXE._cache__CACHE~1.EXE_CACHE~1.EXE_CACHE~1.EXE_CACHE~1.EXE._cache_._cache_4b8fe24560d919a2e4d4d347945c7d89eef3e6ddf339ddc7f85ab2633c59cab4.exe_CACHE~1.EXE._cache__CACHE~1.EXE_CACHE~1.EXE_CACHE~1.EXE_CACHE~1.EXE._cache__CACHE~1.EXE._cache__CACHE~1.EXE._cache__CACHE~1.EXE_CACHE~1.EXE._cache__CACHE~1.EXE._cache__CACHE~1.EXE._cache__CACHE~1.EXE._cache__CACHE~1.EXE._cache__CACHE~1.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	_CACHE~1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	_CACHE~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings	._cache__CACHE~1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	_CACHE~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings	._cache__CACHE~1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	_CACHE~1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	_CACHE~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings	._cache__CACHE~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings	._cache__CACHE~1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	_CACHE~1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	_CACHE~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings	._cache__CACHE~1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	_CACHE~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings	._cache__CACHE~1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	_CACHE~1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	_CACHE~1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	_CACHE~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings	._cache__CACHE~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings	._cache__CACHE~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings	._cache__CACHE~1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	._cache_4b8fe24560d919a2e4d4d347945c7d89eef3e6ddf339ddc7f85ab2633c59cab4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	_CACHE~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings	._cache__CACHE~1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	_CACHE~1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	_CACHE~1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	4b8fe24560d919a2e4d4d347945c7d89eef3e6ddf339ddc7f85ab2633c59cab4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	_CACHE~1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	_CACHE~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings	._cache__CACHE~1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	_CACHE~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings	._cache__CACHE~1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	_CACHE~1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	_CACHE~2.EXE
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings	._cache__CACHE~2.EXE
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings	._cache__CACHE~1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	_CACHE~1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	_CACHE~1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	._cache_4b8fe24560d919a2e4d4d347945c7d89eef3e6ddf339ddc7f85ab2633c59cab4.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings	._cache__CACHE~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings	._cache__CACHE~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings	._cache__CACHE~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings	._cache__CACHE~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings	._cache__CACHE~1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	_CACHE~1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	_CACHE~1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	_CACHE~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings	._cache_._cache_4b8fe24560d919a2e4d4d347945c7d89eef3e6ddf339ddc7f85ab2633c59cab4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	_CACHE~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings	._cache__CACHE~1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	_CACHE~1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	_CACHE~1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	_CACHE~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings	._cache__CACHE~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings	._cache__CACHE~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings	._cache__CACHE~1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	_CACHE~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings	._cache__CACHE~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings	._cache__CACHE~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings	._cache__CACHE~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings	._cache__CACHE~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings	._cache__CACHE~1.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

4b8fe24560d919a2e4d4d347945c7d89eef3e6ddf339ddc7f85ab2633c59cab4.exe._cache_4b8fe24560d919a2e4d4d347945c7d89eef3e6ddf339ddc7f85ab2633c59cab4.exe._cache_4b8fe24560d919a2e4d4d347945c7d89eef3e6ddf339ddc7f85ab2633c59cab4.exe._cache_._cache_4b8fe24560d919a2e4d4d347945c7d89eef3e6ddf339ddc7f85ab2633c59cab4.exesvchost.com_CACHE~2.EXE._cache__CACHE~2.EXEsvchost.com_CACHE~1.EXE._cache__CACHE~1.EXEsvchost.com_CACHE~1.EXE._cache__CACHE~1.EXEsvchost.com_CACHE~1.EXE._cache__CACHE~1.EXEsvchost.com_CACHE~1.EXE._cache__CACHE~1.EXEsvchost.com_CACHE~1.EXE

description	pid	process	target process
PID 4612 wrote to memory of 5060	4612	4b8fe24560d919a2e4d4d347945c7d89eef3e6ddf339ddc7f85ab2633c59cab4.exe	._cache_4b8fe24560d919a2e4d4d347945c7d89eef3e6ddf339ddc7f85ab2633c59cab4.exe
PID 4612 wrote to memory of 5060	4612	4b8fe24560d919a2e4d4d347945c7d89eef3e6ddf339ddc7f85ab2633c59cab4.exe	._cache_4b8fe24560d919a2e4d4d347945c7d89eef3e6ddf339ddc7f85ab2633c59cab4.exe
PID 4612 wrote to memory of 5060	4612	4b8fe24560d919a2e4d4d347945c7d89eef3e6ddf339ddc7f85ab2633c59cab4.exe	._cache_4b8fe24560d919a2e4d4d347945c7d89eef3e6ddf339ddc7f85ab2633c59cab4.exe
PID 5060 wrote to memory of 4072	5060	._cache_4b8fe24560d919a2e4d4d347945c7d89eef3e6ddf339ddc7f85ab2633c59cab4.exe	._cache_4b8fe24560d919a2e4d4d347945c7d89eef3e6ddf339ddc7f85ab2633c59cab4.exe
PID 5060 wrote to memory of 4072	5060	._cache_4b8fe24560d919a2e4d4d347945c7d89eef3e6ddf339ddc7f85ab2633c59cab4.exe	._cache_4b8fe24560d919a2e4d4d347945c7d89eef3e6ddf339ddc7f85ab2633c59cab4.exe
PID 5060 wrote to memory of 4072	5060	._cache_4b8fe24560d919a2e4d4d347945c7d89eef3e6ddf339ddc7f85ab2633c59cab4.exe	._cache_4b8fe24560d919a2e4d4d347945c7d89eef3e6ddf339ddc7f85ab2633c59cab4.exe
PID 4612 wrote to memory of 3424	4612	4b8fe24560d919a2e4d4d347945c7d89eef3e6ddf339ddc7f85ab2633c59cab4.exe	Synaptics.exe
PID 4612 wrote to memory of 3424	4612	4b8fe24560d919a2e4d4d347945c7d89eef3e6ddf339ddc7f85ab2633c59cab4.exe	Synaptics.exe
PID 4612 wrote to memory of 3424	4612	4b8fe24560d919a2e4d4d347945c7d89eef3e6ddf339ddc7f85ab2633c59cab4.exe	Synaptics.exe
PID 4072 wrote to memory of 4236	4072	._cache_4b8fe24560d919a2e4d4d347945c7d89eef3e6ddf339ddc7f85ab2633c59cab4.exe	._cache_._cache_4b8fe24560d919a2e4d4d347945c7d89eef3e6ddf339ddc7f85ab2633c59cab4.exe
PID 4072 wrote to memory of 4236	4072	._cache_4b8fe24560d919a2e4d4d347945c7d89eef3e6ddf339ddc7f85ab2633c59cab4.exe	._cache_._cache_4b8fe24560d919a2e4d4d347945c7d89eef3e6ddf339ddc7f85ab2633c59cab4.exe
PID 4072 wrote to memory of 4236	4072	._cache_4b8fe24560d919a2e4d4d347945c7d89eef3e6ddf339ddc7f85ab2633c59cab4.exe	._cache_._cache_4b8fe24560d919a2e4d4d347945c7d89eef3e6ddf339ddc7f85ab2633c59cab4.exe
PID 4236 wrote to memory of 1240	4236	._cache_._cache_4b8fe24560d919a2e4d4d347945c7d89eef3e6ddf339ddc7f85ab2633c59cab4.exe	svchost.com
PID 4236 wrote to memory of 1240	4236	._cache_._cache_4b8fe24560d919a2e4d4d347945c7d89eef3e6ddf339ddc7f85ab2633c59cab4.exe	svchost.com
PID 4236 wrote to memory of 1240	4236	._cache_._cache_4b8fe24560d919a2e4d4d347945c7d89eef3e6ddf339ddc7f85ab2633c59cab4.exe	svchost.com
PID 1240 wrote to memory of 1720	1240	svchost.com	_CACHE~2.EXE
PID 1240 wrote to memory of 1720	1240	svchost.com	_CACHE~2.EXE
PID 1240 wrote to memory of 1720	1240	svchost.com	_CACHE~2.EXE
PID 1720 wrote to memory of 1080	1720	_CACHE~2.EXE	._cache__CACHE~2.EXE
PID 1720 wrote to memory of 1080	1720	_CACHE~2.EXE	._cache__CACHE~2.EXE
PID 1720 wrote to memory of 1080	1720	_CACHE~2.EXE	._cache__CACHE~2.EXE
PID 1080 wrote to memory of 4228	1080	._cache__CACHE~2.EXE	svchost.com
PID 1080 wrote to memory of 4228	1080	._cache__CACHE~2.EXE	svchost.com
PID 1080 wrote to memory of 4228	1080	._cache__CACHE~2.EXE	svchost.com
PID 4228 wrote to memory of 5016	4228	svchost.com	_CACHE~1.EXE
PID 4228 wrote to memory of 5016	4228	svchost.com	_CACHE~1.EXE
PID 4228 wrote to memory of 5016	4228	svchost.com	_CACHE~1.EXE
PID 5016 wrote to memory of 4012	5016	_CACHE~1.EXE	._cache__CACHE~1.EXE
PID 5016 wrote to memory of 4012	5016	_CACHE~1.EXE	._cache__CACHE~1.EXE
PID 5016 wrote to memory of 4012	5016	_CACHE~1.EXE	._cache__CACHE~1.EXE
PID 4012 wrote to memory of 2108	4012	._cache__CACHE~1.EXE	svchost.com
PID 4012 wrote to memory of 2108	4012	._cache__CACHE~1.EXE	svchost.com
PID 4012 wrote to memory of 2108	4012	._cache__CACHE~1.EXE	svchost.com
PID 2108 wrote to memory of 2368	2108	svchost.com	_CACHE~1.EXE
PID 2108 wrote to memory of 2368	2108	svchost.com	_CACHE~1.EXE
PID 2108 wrote to memory of 2368	2108	svchost.com	_CACHE~1.EXE
PID 2368 wrote to memory of 2708	2368	_CACHE~1.EXE	._cache__CACHE~1.EXE
PID 2368 wrote to memory of 2708	2368	_CACHE~1.EXE	._cache__CACHE~1.EXE
PID 2368 wrote to memory of 2708	2368	_CACHE~1.EXE	._cache__CACHE~1.EXE
PID 2708 wrote to memory of 1980	2708	._cache__CACHE~1.EXE	svchost.com
PID 2708 wrote to memory of 1980	2708	._cache__CACHE~1.EXE	svchost.com
PID 2708 wrote to memory of 1980	2708	._cache__CACHE~1.EXE	svchost.com
PID 1980 wrote to memory of 3688	1980	svchost.com	_CACHE~1.EXE
PID 1980 wrote to memory of 3688	1980	svchost.com	_CACHE~1.EXE
PID 1980 wrote to memory of 3688	1980	svchost.com	_CACHE~1.EXE
PID 3688 wrote to memory of 3348	3688	_CACHE~1.EXE	._cache__CACHE~1.EXE
PID 3688 wrote to memory of 3348	3688	_CACHE~1.EXE	._cache__CACHE~1.EXE
PID 3688 wrote to memory of 3348	3688	_CACHE~1.EXE	._cache__CACHE~1.EXE
PID 3348 wrote to memory of 800	3348	._cache__CACHE~1.EXE	svchost.com
PID 3348 wrote to memory of 800	3348	._cache__CACHE~1.EXE	svchost.com
PID 3348 wrote to memory of 800	3348	._cache__CACHE~1.EXE	svchost.com
PID 800 wrote to memory of 2692	800	svchost.com	_CACHE~1.EXE
PID 800 wrote to memory of 2692	800	svchost.com	_CACHE~1.EXE
PID 800 wrote to memory of 2692	800	svchost.com	_CACHE~1.EXE
PID 2692 wrote to memory of 1748	2692	_CACHE~1.EXE	._cache__CACHE~1.EXE
PID 2692 wrote to memory of 1748	2692	_CACHE~1.EXE	._cache__CACHE~1.EXE
PID 2692 wrote to memory of 1748	2692	_CACHE~1.EXE	._cache__CACHE~1.EXE
PID 1748 wrote to memory of 4784	1748	._cache__CACHE~1.EXE	svchost.com
PID 1748 wrote to memory of 4784	1748	._cache__CACHE~1.EXE	svchost.com
PID 1748 wrote to memory of 4784	1748	._cache__CACHE~1.EXE	svchost.com
PID 4784 wrote to memory of 1844	4784	svchost.com	_CACHE~1.EXE
PID 4784 wrote to memory of 1844	4784	svchost.com	_CACHE~1.EXE
PID 4784 wrote to memory of 1844	4784	svchost.com	_CACHE~1.EXE
PID 1844 wrote to memory of 3668	1844	_CACHE~1.EXE	._cache__CACHE~1.EXE

C:\Users\Admin\AppData\Local\Temp\4b8fe24560d919a2e4d4d347945c7d89eef3e6ddf339ddc7f85ab2633c59cab4.exe
"C:\Users\Admin\AppData\Local\Temp\4b8fe24560d919a2e4d4d347945c7d89eef3e6ddf339ddc7f85ab2633c59cab4.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4612

C:\Users\Admin\AppData\Local\Temp\._cache_4b8fe24560d919a2e4d4d347945c7d89eef3e6ddf339ddc7f85ab2633c59cab4.exe
"C:\Users\Admin\AppData\Local\Temp\._cache_4b8fe24560d919a2e4d4d347945c7d89eef3e6ddf339ddc7f85ab2633c59cab4.exe"
2⤵
- Modifies system executable filetype association
- Executes dropped EXE
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5060

C:\Users\Admin\AppData\Local\Temp\3582-490\._cache_4b8fe24560d919a2e4d4d347945c7d89eef3e6ddf339ddc7f85ab2633c59cab4.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\._cache_4b8fe24560d919a2e4d4d347945c7d89eef3e6ddf339ddc7f85ab2633c59cab4.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4072

C:\Users\Admin\AppData\Local\Temp\._cache_._cache_4b8fe24560d919a2e4d4d347945c7d89eef3e6ddf339ddc7f85ab2633c59cab4.exe
"C:\Users\Admin\AppData\Local\Temp\._cache_._cache_4b8fe24560d919a2e4d4d347945c7d89eef3e6ddf339ddc7f85ab2633c59cab4.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4236

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE"
5⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1240

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
6⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1720

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE"
7⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1080

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"
8⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4228

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
9⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5016

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"
10⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4012

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"
11⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2108

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
12⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2368

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"
13⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2708

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"
14⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1980

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
15⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3688

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"
16⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3348

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"
17⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:800

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
18⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2692

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"
19⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1748

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"
20⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4784

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
21⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1844

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"
22⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in Windows directory
- Modifies registry class
PID:3668

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"
23⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4568

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
24⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Modifies registry class
PID:2936

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"
25⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in Windows directory
- Modifies registry class
PID:444

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"
26⤵
- Executes dropped EXE
PID:3664

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
27⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Modifies registry class
PID:1808

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"
28⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in Windows directory
- Modifies registry class
PID:3744

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"
29⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3480

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
30⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Modifies registry class
PID:2296

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"
31⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in Windows directory
- Modifies registry class
PID:4952

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"
32⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:636

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
33⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Modifies registry class
PID:1096

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"
34⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in Windows directory
- Modifies registry class
PID:1412

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"
35⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4908

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
36⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Modifies registry class
PID:2256

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"
37⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in Windows directory
- Modifies registry class
PID:1684

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"
38⤵
- Executes dropped EXE
PID:3504

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
39⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Modifies registry class
PID:2400

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"
40⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in Windows directory
- Modifies registry class
PID:3372

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"
41⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3124

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
42⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Modifies registry class
PID:5044

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"
43⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in Windows directory
- Modifies registry class
PID:3976

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"
44⤵
- Executes dropped EXE
PID:648

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
45⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Modifies registry class
PID:2928

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"
46⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in Windows directory
- Modifies registry class
PID:2368

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"
47⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3720

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
48⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Modifies registry class
PID:5084

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"
49⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in Windows directory
- Modifies registry class
PID:2812

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"
50⤵
- Executes dropped EXE
PID:3468

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
51⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Modifies registry class
PID:2944

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"
52⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in Windows directory
- Modifies registry class
PID:4628

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"
53⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4524

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
54⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Modifies registry class
PID:4264

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"
55⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in Windows directory
- Modifies registry class
PID:1400

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"
56⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1724

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
57⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Modifies registry class
PID:4452

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"
58⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in Windows directory
- Modifies registry class
PID:2960

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"
59⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3364

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
60⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Modifies registry class
PID:2408

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"
61⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in Windows directory
- Modifies registry class
PID:4052

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"
62⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4852

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
63⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Modifies registry class
PID:3644

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"
64⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
PID:4372

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"
65⤵
- Drops file in Windows directory
PID:1808

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
66⤵
- Checks computer location settings
- Loads dropped DLL
- Modifies registry class
PID:1124

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"
67⤵
- Checks computer location settings
- Drops file in Windows directory
- Modifies registry class
PID:2892

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"
68⤵
PID:2296

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
69⤵
- Checks computer location settings
- Loads dropped DLL
- Modifies registry class
PID:3492

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"
70⤵
- Checks computer location settings
- Drops file in Windows directory
- Modifies registry class
PID:1048

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"
71⤵
- Drops file in Windows directory
PID:2596

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
72⤵
- Checks computer location settings
- Loads dropped DLL
- Modifies registry class
PID:1532

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"
73⤵
- Checks computer location settings
- Drops file in Windows directory
- Modifies registry class
PID:1904

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"
74⤵
- Drops file in Windows directory
PID:2136

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
75⤵
- Checks computer location settings
- Loads dropped DLL
- Modifies registry class
PID:528

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"
76⤵
- Checks computer location settings
- Modifies registry class
PID:3444

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"
77⤵
- Drops file in Windows directory
PID:64

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
78⤵
- Checks computer location settings
- Loads dropped DLL
- Modifies registry class
PID:4064

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"
79⤵
- Checks computer location settings
- Modifies registry class
PID:5076

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"
80⤵
- Drops file in Windows directory
PID:2304

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
81⤵
- Checks computer location settings
- Loads dropped DLL
- Modifies registry class
PID:1240

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"
82⤵
- Checks computer location settings
- Drops file in Windows directory
- Modifies registry class
PID:936

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"
83⤵
- Drops file in Windows directory
PID:4228

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
84⤵
- Checks computer location settings
- Loads dropped DLL
- Modifies registry class
PID:1072

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"
85⤵
- Checks computer location settings
- Drops file in Windows directory
- Modifies registry class
PID:4212

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"
86⤵
- Drops file in Windows directory
PID:216

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
87⤵
- Checks computer location settings
- Loads dropped DLL
- Modifies registry class
PID:4012

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"
88⤵
- Checks computer location settings
- Modifies registry class
PID:648

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"
89⤵
- Drops file in Windows directory
PID:3516

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
90⤵
- Checks computer location settings
- Loads dropped DLL
- Modifies registry class
PID:2928

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"
91⤵
PID:2628

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"
92⤵
PID:5084

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
93⤵
PID:800

C:\ProgramData\Synaptics\Synaptics.exe
"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
2⤵
- Executes dropped EXE
PID:3424

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Change Default File Association

T1042

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE
Filesize
328KB

MD5
39c8a4c2c3984b64b701b85cb724533b

SHA1
c911f4c4070dfe9a35d9adcb7de6e6fb1482ce00

SHA256
888a1dd0033e5d758a4e731e3e55357de866e80d03b1b194375f714e1fd4351d

SHA512
f42ca2962fe60cff1a13dea8b81ff0647b317c785ee4f5159c38487c34d33aecba8478757047d31ab2ee893fbdcb91a21655353456ba6a018fc71b2278db4db2

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe
Filesize
131KB

MD5
5791075058b526842f4601c46abd59f5

SHA1
b2748f7542e2eebcd0353c3720d92bbffad8678f

SHA256
5c3ef3ec7594c040146e908014791dd15201ba58b4d70032770bb661b6a0e394

SHA512
83e303971ed64019fde9e4ba6f6e889f8fb105088490dfa7dcf579a12baff20ef491f563d132d60c7b24a4fd3cac29bd9dc974571cd162000fae8fba4e0e54fb

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe
Filesize
125KB

MD5
cce8964848413b49f18a44da9cb0a79b

SHA1
0b7452100d400acebb1c1887542f322a92cbd7ae

SHA256
fe44ca8d5050932851aa54c23133277e66db939501af58e5aeb7b67ec1dde7b5

SHA512
bf8fc270229d46a083ced30da6637f3ca510b0ce44624a9b21ec6aacac81666dffd41855053a936aa9e8ea6e745a09b820b506ec7bf1173b6f1837828a35103d

Download Submit
C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe
Filesize
982KB

MD5
4e8c731e3175d6d2f5085fe55974e1db

SHA1
74604823bd1e5af86d66e4986c1203f2bf26e657

SHA256
8a8d0905d868bc8b3bbd3545de42b459b3b517bb874365f911ff05ae71f90325

SHA512
a058948f7a82ca4c14ea41527c66918e7737776f7af65b00888f3c39de416397821861ba4e77cdb8a738bc0136462d1256bc6447f0d105d929831a2b47c87485

Download Submit
C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE
Filesize
161KB

MD5
faf78e3f3cf0f2ae6db284279d0f6ff4

SHA1
0d8e13ff68c65995e7c5c6496ce6c5efff1e1d5d

SHA256
9efa96e84b1ee98d2af2117a904d613b0da063278a8722da9a062ae81a32bf4b

SHA512
dad369bf628a3de472ab51fa69a51c9ee92575b7c3c696b434cfe30fd57221171a20f28d2e3760cb1f28b526f278e760aedd861efa914eb7592219af087cd98e

Download Submit
C:\PROGRA~2\Google\Update\1336~1.71\GO664E~1.EXE
Filesize
138KB

MD5
950000c930454e0c30644f13ed60e9c3

SHA1
5f6b06e8a02e1390e7499722b277135b4950723d

SHA256
09786f64db91266470b56046098d9825253ba5d6a5361c2f4e6dbc8ec28c9bb2

SHA512
22e3c677c83c755e53a7bf8735734541223f57151d588c3380bc758e5433b706441666d0d95c42bd23a720b093a6942a62346dab24ee3f0a18bee3e5ad1cd9d9

Download Submit
C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE
Filesize
138KB

MD5
fafb18b930b2b05ac8c5ddb988e9062f

SHA1
825ea5069601fb875f8d050aa01300eac03d3826

SHA256
c17785fe7e6b5e08fe5a4ca3679fee85ba6f2e5efcce0fb9807727cf8aa25265

SHA512
be034e7377bd27092aad02e13a152fb80ff74c1ba2fb63ccb344cd55315d115ee47e46727cbe55ca808efafa58d7924e3eed965e9a2fd3b9ae2dff7834383e54

Download Submit
C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~3.EXE
Filesize
366KB

MD5
9e63bd6a4360beabbc82ed4a2f03522e

SHA1
10961b7873ce3b99939ab5abd634b0f771dc6436

SHA256
c8f05c107ecdc905dd2b3c708c40eb50118a65d497e12df6958ce5e1a53af108

SHA512
ae72061d3c198cdd9dd4eb17651b6532f3d6016651d943ae23c82d11d1b8b8c86679f0d516d1050f258e445edd7447019fbdb24d897bb919807ff8c449e04925

Download Submit
C:\PROGRA~2\Google\Update\DISABL~1.EXE
Filesize
191KB

MD5
dd5586c90fad3d0acb402c1aab8f6642

SHA1
3440cd9e78d4e4b3c2f5ba31435cedaa559e5c7f

SHA256
fba2b9270ade0ce80e8dfc5e3279db683324502f6103e451cd090c69da56415e

SHA512
e56f6d6b446411ba4ed24f0d113953d9c9e874b2ac4511d33e5c5b85dddd81216579695e35c34b6054c187b00ee214d5648594dad498297f487f2fd47f040a4d

Download Submit
C:\ProgramData\Synaptics\Synaptics.exe
Filesize
753KB

MD5
170bbaa416953a140a898d56e23bd161

SHA1
422afc229914075c9637854bdae58db86f6996a5

SHA256
24fc8dd07d4431f72366f8cccce9644e6b5e890d6679654b22ad4f549e55ff0f

SHA512
5d25966c9fa2dfda3f5bff16c066313dd28e6a9b64ca68ee2a1440ef8325f2fd137bee046a76e449e88571f66e7169774871001db2b7860eddbb230d6be34ede

Download Submit
C:\ProgramData\Synaptics\Synaptics.exe
Filesize
753KB

MD5
170bbaa416953a140a898d56e23bd161

SHA1
422afc229914075c9637854bdae58db86f6996a5

SHA256
24fc8dd07d4431f72366f8cccce9644e6b5e890d6679654b22ad4f549e55ff0f

SHA512
5d25966c9fa2dfda3f5bff16c066313dd28e6a9b64ca68ee2a1440ef8325f2fd137bee046a76e449e88571f66e7169774871001db2b7860eddbb230d6be34ede

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_._cache_4b8fe24560d919a2e4d4d347945c7d89eef3e6ddf339ddc7f85ab2633c59cab4.exe
Filesize
5.2MB

MD5
cb637196328e1e139e38fceb254874fb

SHA1
e1b77f2bb1c120f7fd550dfae4d0eabb4a11204c

SHA256
120d77264c9ce495637333f52c9ef1ca8e0d4ac81e1eb4e723c2bba4b80897a1

SHA512
213a835eaa83283b9c1b0eccd6fb8d6d7669d3d70afaceaf3d12293a72beb77f59ec9730d30b1328b8343510ee216c54c480a2729bf6675ad85fc2368a725f59

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_._cache_4b8fe24560d919a2e4d4d347945c7d89eef3e6ddf339ddc7f85ab2633c59cab4.exe
Filesize
5.2MB

MD5
cb637196328e1e139e38fceb254874fb

SHA1
e1b77f2bb1c120f7fd550dfae4d0eabb4a11204c

SHA256
120d77264c9ce495637333f52c9ef1ca8e0d4ac81e1eb4e723c2bba4b80897a1

SHA512
213a835eaa83283b9c1b0eccd6fb8d6d7669d3d70afaceaf3d12293a72beb77f59ec9730d30b1328b8343510ee216c54c480a2729bf6675ad85fc2368a725f59

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_4b8fe24560d919a2e4d4d347945c7d89eef3e6ddf339ddc7f85ab2633c59cab4.exe
Filesize
6.0MB

MD5
7a3fa9fb8b4e25909336f13577bc8620

SHA1
9d0f32e38711b83d27a712fc5f7216d2654c1835

SHA256
d4b3e88dc2e9ea49e633c2305742c099827f7422c0fdefb4e15af6794e2b3c76

SHA512
cef9aa7f6fcbc5aa0525cc303996f8c933392dcf60691f98f8cf78c065076610e7636f2af3dff00d15f49e0e04e69a2a61a00a85d113c16ea5a9ccac32b0be6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_4b8fe24560d919a2e4d4d347945c7d89eef3e6ddf339ddc7f85ab2633c59cab4.exe
Filesize
6.0MB

MD5
7a3fa9fb8b4e25909336f13577bc8620

SHA1
9d0f32e38711b83d27a712fc5f7216d2654c1835

SHA256
d4b3e88dc2e9ea49e633c2305742c099827f7422c0fdefb4e15af6794e2b3c76

SHA512
cef9aa7f6fcbc5aa0525cc303996f8c933392dcf60691f98f8cf78c065076610e7636f2af3dff00d15f49e0e04e69a2a61a00a85d113c16ea5a9ccac32b0be6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
Filesize
3.7MB

MD5
8b76680b1a00abacb327478dc2bacc1b

SHA1
5fc3c553f96c807fcc2a5515a36d99bbbb42a90b

SHA256
20f5f1972a3972bab4453475b5042ae4ffdc12dcb8735cf7b08f5d313cad8cf8

SHA512
9b31998a93b2eb4c0f02dc2dd6132ecbcbd3cf32f8e6d87e65e6cfc49a12700b3d825f61f2c19882ce30b2962239b2eeb263a8d0703b15df1fdbd2f5b9923e4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
Filesize
3.7MB

MD5
8b76680b1a00abacb327478dc2bacc1b

SHA1
5fc3c553f96c807fcc2a5515a36d99bbbb42a90b

SHA256
20f5f1972a3972bab4453475b5042ae4ffdc12dcb8735cf7b08f5d313cad8cf8

SHA512
9b31998a93b2eb4c0f02dc2dd6132ecbcbd3cf32f8e6d87e65e6cfc49a12700b3d825f61f2c19882ce30b2962239b2eeb263a8d0703b15df1fdbd2f5b9923e4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
Filesize
3.7MB

MD5
8b76680b1a00abacb327478dc2bacc1b

SHA1
5fc3c553f96c807fcc2a5515a36d99bbbb42a90b

SHA256
20f5f1972a3972bab4453475b5042ae4ffdc12dcb8735cf7b08f5d313cad8cf8

SHA512
9b31998a93b2eb4c0f02dc2dd6132ecbcbd3cf32f8e6d87e65e6cfc49a12700b3d825f61f2c19882ce30b2962239b2eeb263a8d0703b15df1fdbd2f5b9923e4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
Filesize
3.7MB

MD5
8b76680b1a00abacb327478dc2bacc1b

SHA1
5fc3c553f96c807fcc2a5515a36d99bbbb42a90b

SHA256
20f5f1972a3972bab4453475b5042ae4ffdc12dcb8735cf7b08f5d313cad8cf8

SHA512
9b31998a93b2eb4c0f02dc2dd6132ecbcbd3cf32f8e6d87e65e6cfc49a12700b3d825f61f2c19882ce30b2962239b2eeb263a8d0703b15df1fdbd2f5b9923e4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
Filesize
3.7MB

MD5
8b76680b1a00abacb327478dc2bacc1b

SHA1
5fc3c553f96c807fcc2a5515a36d99bbbb42a90b

SHA256
20f5f1972a3972bab4453475b5042ae4ffdc12dcb8735cf7b08f5d313cad8cf8

SHA512
9b31998a93b2eb4c0f02dc2dd6132ecbcbd3cf32f8e6d87e65e6cfc49a12700b3d825f61f2c19882ce30b2962239b2eeb263a8d0703b15df1fdbd2f5b9923e4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
Filesize
3.7MB

MD5
8b76680b1a00abacb327478dc2bacc1b

SHA1
5fc3c553f96c807fcc2a5515a36d99bbbb42a90b

SHA256
20f5f1972a3972bab4453475b5042ae4ffdc12dcb8735cf7b08f5d313cad8cf8

SHA512
9b31998a93b2eb4c0f02dc2dd6132ecbcbd3cf32f8e6d87e65e6cfc49a12700b3d825f61f2c19882ce30b2962239b2eeb263a8d0703b15df1fdbd2f5b9923e4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
Filesize
3.7MB

MD5
8b76680b1a00abacb327478dc2bacc1b

SHA1
5fc3c553f96c807fcc2a5515a36d99bbbb42a90b

SHA256
20f5f1972a3972bab4453475b5042ae4ffdc12dcb8735cf7b08f5d313cad8cf8

SHA512
9b31998a93b2eb4c0f02dc2dd6132ecbcbd3cf32f8e6d87e65e6cfc49a12700b3d825f61f2c19882ce30b2962239b2eeb263a8d0703b15df1fdbd2f5b9923e4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
Filesize
3.7MB

MD5
8b76680b1a00abacb327478dc2bacc1b

SHA1
5fc3c553f96c807fcc2a5515a36d99bbbb42a90b

SHA256
20f5f1972a3972bab4453475b5042ae4ffdc12dcb8735cf7b08f5d313cad8cf8

SHA512
9b31998a93b2eb4c0f02dc2dd6132ecbcbd3cf32f8e6d87e65e6cfc49a12700b3d825f61f2c19882ce30b2962239b2eeb263a8d0703b15df1fdbd2f5b9923e4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
Filesize
3.7MB

MD5
8b76680b1a00abacb327478dc2bacc1b

SHA1
5fc3c553f96c807fcc2a5515a36d99bbbb42a90b

SHA256
20f5f1972a3972bab4453475b5042ae4ffdc12dcb8735cf7b08f5d313cad8cf8

SHA512
9b31998a93b2eb4c0f02dc2dd6132ecbcbd3cf32f8e6d87e65e6cfc49a12700b3d825f61f2c19882ce30b2962239b2eeb263a8d0703b15df1fdbd2f5b9923e4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
Filesize
3.7MB

MD5
8b76680b1a00abacb327478dc2bacc1b

SHA1
5fc3c553f96c807fcc2a5515a36d99bbbb42a90b

SHA256
20f5f1972a3972bab4453475b5042ae4ffdc12dcb8735cf7b08f5d313cad8cf8

SHA512
9b31998a93b2eb4c0f02dc2dd6132ecbcbd3cf32f8e6d87e65e6cfc49a12700b3d825f61f2c19882ce30b2962239b2eeb263a8d0703b15df1fdbd2f5b9923e4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
Filesize
3.7MB

MD5
8b76680b1a00abacb327478dc2bacc1b

SHA1
5fc3c553f96c807fcc2a5515a36d99bbbb42a90b

SHA256
20f5f1972a3972bab4453475b5042ae4ffdc12dcb8735cf7b08f5d313cad8cf8

SHA512
9b31998a93b2eb4c0f02dc2dd6132ecbcbd3cf32f8e6d87e65e6cfc49a12700b3d825f61f2c19882ce30b2962239b2eeb263a8d0703b15df1fdbd2f5b9923e4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
Filesize
3.7MB

MD5
8b76680b1a00abacb327478dc2bacc1b

SHA1
5fc3c553f96c807fcc2a5515a36d99bbbb42a90b

SHA256
20f5f1972a3972bab4453475b5042ae4ffdc12dcb8735cf7b08f5d313cad8cf8

SHA512
9b31998a93b2eb4c0f02dc2dd6132ecbcbd3cf32f8e6d87e65e6cfc49a12700b3d825f61f2c19882ce30b2962239b2eeb263a8d0703b15df1fdbd2f5b9923e4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
Filesize
4.4MB

MD5
4147edb2ee4f90619de45e4da86e63a4

SHA1
0a7b666c3a424eb16942126373b024901fa4fa86

SHA256
b7378a151bc8b2e06aa1f516fec75fccd3b90abff8ea5820ce682fc607489e2a

SHA512
06d9c83721448853b1e7c67114306d393dd41dd562ba31c980fc38d4471561fb95e50e602e7f4fbc45c4c5b6b38714d357b7fccb3d2fa6761e5ca56a0f802dbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
Filesize
4.4MB

MD5
4147edb2ee4f90619de45e4da86e63a4

SHA1
0a7b666c3a424eb16942126373b024901fa4fa86

SHA256
b7378a151bc8b2e06aa1f516fec75fccd3b90abff8ea5820ce682fc607489e2a

SHA512
06d9c83721448853b1e7c67114306d393dd41dd562ba31c980fc38d4471561fb95e50e602e7f4fbc45c4c5b6b38714d357b7fccb3d2fa6761e5ca56a0f802dbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\._cache_._cache_4b8fe24560d919a2e4d4d347945c7d89eef3e6ddf339ddc7f85ab2633c59cab4.exe
Filesize
5.2MB

MD5
f44d3c4516eeab26c19977504a489348

SHA1
6d9c8d5d031776672b823f1bbc8800d7960f89e4

SHA256
2e9ba90fd45f84816b40018b36327abc66d94043c28bfa6ac0a152f48f48c856

SHA512
799361419c34a24e3556f7f08a12ad5368856150f63b863058bb378d59ec2539fcc0810c101cf636c47398641e9771c3949dc9ee1e28786a65a3b03c33c6c69d

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\._cache_4b8fe24560d919a2e4d4d347945c7d89eef3e6ddf339ddc7f85ab2633c59cab4.exe
Filesize
6.0MB

MD5
b850a6f065128d50e5d7f68e634791d8

SHA1
1ed6094c18b193454d56fcf79844966e84007802

SHA256
90aa27b7a620bcb9f88bc94712427187512d12f95e6d307b8afcfe3f3b25d0ad

SHA512
6a5bc637192e74a78c26ad45f44368933c2f46e1768f0c5880d549c277f8868d9be62c225cec770ab6988f08da0bd8ce9a52693592b9b196b323f2e06512c04d

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\._cache_4b8fe24560d919a2e4d4d347945c7d89eef3e6ddf339ddc7f85ab2633c59cab4.exe
Filesize
6.0MB

MD5
b850a6f065128d50e5d7f68e634791d8

SHA1
1ed6094c18b193454d56fcf79844966e84007802

SHA256
90aa27b7a620bcb9f88bc94712427187512d12f95e6d307b8afcfe3f3b25d0ad

SHA512
6a5bc637192e74a78c26ad45f44368933c2f46e1768f0c5880d549c277f8868d9be62c225cec770ab6988f08da0bd8ce9a52693592b9b196b323f2e06512c04d

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\._cache__CACHE~1.EXE
Filesize
3.6MB

MD5
87f46467a6553f7f0af60297397cd3de

SHA1
b714d8c3272b00d2de4e2b9d752dae24427e4721

SHA256
6ac807d05ad01759fd19146568e1f345478c02313de531a1f158b8339b8d4dee

SHA512
6f10b14ab476d861fc116e359a3f550cf88d4de30bd19797f16582d6a1cb5aa609f4c5733057d7b3e724f05d178503268b12a78f672d663a5e9c80c2fcf8eeff

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\._cache__CACHE~1.EXE
Filesize
3.6MB

MD5
87f46467a6553f7f0af60297397cd3de

SHA1
b714d8c3272b00d2de4e2b9d752dae24427e4721

SHA256
6ac807d05ad01759fd19146568e1f345478c02313de531a1f158b8339b8d4dee

SHA512
6f10b14ab476d861fc116e359a3f550cf88d4de30bd19797f16582d6a1cb5aa609f4c5733057d7b3e724f05d178503268b12a78f672d663a5e9c80c2fcf8eeff

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\._cache__CACHE~1.EXE
Filesize
3.6MB

MD5
87f46467a6553f7f0af60297397cd3de

SHA1
b714d8c3272b00d2de4e2b9d752dae24427e4721

SHA256
6ac807d05ad01759fd19146568e1f345478c02313de531a1f158b8339b8d4dee

SHA512
6f10b14ab476d861fc116e359a3f550cf88d4de30bd19797f16582d6a1cb5aa609f4c5733057d7b3e724f05d178503268b12a78f672d663a5e9c80c2fcf8eeff

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\._cache__CACHE~1.EXE
Filesize
3.6MB

MD5
87f46467a6553f7f0af60297397cd3de

SHA1
b714d8c3272b00d2de4e2b9d752dae24427e4721

SHA256
6ac807d05ad01759fd19146568e1f345478c02313de531a1f158b8339b8d4dee

SHA512
6f10b14ab476d861fc116e359a3f550cf88d4de30bd19797f16582d6a1cb5aa609f4c5733057d7b3e724f05d178503268b12a78f672d663a5e9c80c2fcf8eeff

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\._cache__CACHE~2.EXE
Filesize
4.4MB

MD5
9b182b3095078520b46c3a13018e90c1

SHA1
6a5b6894439c12ada897c85732c839e5f6086977

SHA256
a0c976cc9285d95b2dab47c82bdba84696aa5bc231afe0b617251e03be6162e2

SHA512
6979277280f4c33909d17c9ffb125c9a16d589b76d257738058fd056949024b23838d1aff37f8a7219676711e4b9db8ef296bb0d781fdd30197b74fb697fc6ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
Filesize
4.4MB

MD5
9b182b3095078520b46c3a13018e90c1

SHA1
6a5b6894439c12ada897c85732c839e5f6086977

SHA256
a0c976cc9285d95b2dab47c82bdba84696aa5bc231afe0b617251e03be6162e2

SHA512
6979277280f4c33909d17c9ffb125c9a16d589b76d257738058fd056949024b23838d1aff37f8a7219676711e4b9db8ef296bb0d781fdd30197b74fb697fc6ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
Filesize
3.6MB

MD5
87f46467a6553f7f0af60297397cd3de

SHA1
b714d8c3272b00d2de4e2b9d752dae24427e4721

SHA256
6ac807d05ad01759fd19146568e1f345478c02313de531a1f158b8339b8d4dee

SHA512
6f10b14ab476d861fc116e359a3f550cf88d4de30bd19797f16582d6a1cb5aa609f4c5733057d7b3e724f05d178503268b12a78f672d663a5e9c80c2fcf8eeff

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
Filesize
3.6MB

MD5
87f46467a6553f7f0af60297397cd3de

SHA1
b714d8c3272b00d2de4e2b9d752dae24427e4721

SHA256
6ac807d05ad01759fd19146568e1f345478c02313de531a1f158b8339b8d4dee

SHA512
6f10b14ab476d861fc116e359a3f550cf88d4de30bd19797f16582d6a1cb5aa609f4c5733057d7b3e724f05d178503268b12a78f672d663a5e9c80c2fcf8eeff

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
Filesize
3.6MB

MD5
87f46467a6553f7f0af60297397cd3de

SHA1
b714d8c3272b00d2de4e2b9d752dae24427e4721

SHA256
6ac807d05ad01759fd19146568e1f345478c02313de531a1f158b8339b8d4dee

SHA512
6f10b14ab476d861fc116e359a3f550cf88d4de30bd19797f16582d6a1cb5aa609f4c5733057d7b3e724f05d178503268b12a78f672d663a5e9c80c2fcf8eeff

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
Filesize
5.2MB

MD5
f44d3c4516eeab26c19977504a489348

SHA1
6d9c8d5d031776672b823f1bbc8800d7960f89e4

SHA256
2e9ba90fd45f84816b40018b36327abc66d94043c28bfa6ac0a152f48f48c856

SHA512
799361419c34a24e3556f7f08a12ad5368856150f63b863058bb378d59ec2539fcc0810c101cf636c47398641e9771c3949dc9ee1e28786a65a3b03c33c6c69d

Download Submit
C:\Windows\directx.sys
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\directx.sys
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\directx.sys
Filesize
57B

MD5
56abc40d1e45c091d8afddb90a4ce6b4

SHA1
08db549484467b32b79958700300cabefc659848

SHA256
a43fa861957415e3b0f25e2b54d931961cd309ff1d5354a9362852895b90b3e1

SHA512
51625c015a7c8fcf6fb51d3396aa08d2068772e3fcacaf32c409e82071af4ba1eb2ee94f36c06a98c32ba59d23bbaa6b540f7bd418a9472303cc225151daa698

Download Submit
C:\Windows\directx.sys
Filesize
57B

MD5
56abc40d1e45c091d8afddb90a4ce6b4

SHA1
08db549484467b32b79958700300cabefc659848

SHA256
a43fa861957415e3b0f25e2b54d931961cd309ff1d5354a9362852895b90b3e1

SHA512
51625c015a7c8fcf6fb51d3396aa08d2068772e3fcacaf32c409e82071af4ba1eb2ee94f36c06a98c32ba59d23bbaa6b540f7bd418a9472303cc225151daa698

Download Submit
C:\Windows\directx.sys
Filesize
57B

MD5
56abc40d1e45c091d8afddb90a4ce6b4

SHA1
08db549484467b32b79958700300cabefc659848

SHA256
a43fa861957415e3b0f25e2b54d931961cd309ff1d5354a9362852895b90b3e1

SHA512
51625c015a7c8fcf6fb51d3396aa08d2068772e3fcacaf32c409e82071af4ba1eb2ee94f36c06a98c32ba59d23bbaa6b540f7bd418a9472303cc225151daa698

Download Submit
C:\Windows\directx.sys
Filesize
57B

MD5
56abc40d1e45c091d8afddb90a4ce6b4

SHA1
08db549484467b32b79958700300cabefc659848

SHA256
a43fa861957415e3b0f25e2b54d931961cd309ff1d5354a9362852895b90b3e1

SHA512
51625c015a7c8fcf6fb51d3396aa08d2068772e3fcacaf32c409e82071af4ba1eb2ee94f36c06a98c32ba59d23bbaa6b540f7bd418a9472303cc225151daa698

Download Submit
C:\Windows\directx.sys
Filesize
57B

MD5
56abc40d1e45c091d8afddb90a4ce6b4

SHA1
08db549484467b32b79958700300cabefc659848

SHA256
a43fa861957415e3b0f25e2b54d931961cd309ff1d5354a9362852895b90b3e1

SHA512
51625c015a7c8fcf6fb51d3396aa08d2068772e3fcacaf32c409e82071af4ba1eb2ee94f36c06a98c32ba59d23bbaa6b540f7bd418a9472303cc225151daa698

Download Submit
C:\Windows\directx.sys
Filesize
57B

MD5
56abc40d1e45c091d8afddb90a4ce6b4

SHA1
08db549484467b32b79958700300cabefc659848

SHA256
a43fa861957415e3b0f25e2b54d931961cd309ff1d5354a9362852895b90b3e1

SHA512
51625c015a7c8fcf6fb51d3396aa08d2068772e3fcacaf32c409e82071af4ba1eb2ee94f36c06a98c32ba59d23bbaa6b540f7bd418a9472303cc225151daa698

Download Submit
C:\Windows\directx.sys
Filesize
57B

MD5
56abc40d1e45c091d8afddb90a4ce6b4

SHA1
08db549484467b32b79958700300cabefc659848

SHA256
a43fa861957415e3b0f25e2b54d931961cd309ff1d5354a9362852895b90b3e1

SHA512
51625c015a7c8fcf6fb51d3396aa08d2068772e3fcacaf32c409e82071af4ba1eb2ee94f36c06a98c32ba59d23bbaa6b540f7bd418a9472303cc225151daa698

Download Submit
C:\Windows\directx.sys
Filesize
57B

MD5
56abc40d1e45c091d8afddb90a4ce6b4

SHA1
08db549484467b32b79958700300cabefc659848

SHA256
a43fa861957415e3b0f25e2b54d931961cd309ff1d5354a9362852895b90b3e1

SHA512
51625c015a7c8fcf6fb51d3396aa08d2068772e3fcacaf32c409e82071af4ba1eb2ee94f36c06a98c32ba59d23bbaa6b540f7bd418a9472303cc225151daa698

Download Submit
C:\Windows\svchost.com
Filesize
40KB

MD5
79b7d44e4d5b4d3469bde72d4f2065fb

SHA1
72a6849a2ffa008ed051b06e23e097a83cac0812

SHA256
b432fa6402cd61b67e4bb645460d9d30369fde5713109c79282b93621ad6bb49

SHA512
835fbd0f05b84b7aea4c95f5fc7a1c65f52372994a34b5847db2c3e33fdc5b7f77e607053db36a08babd77f206336b60bb56ae952bc0c7f2821112369d985417

Download Submit
C:\Windows\svchost.com
Filesize
40KB

MD5
79b7d44e4d5b4d3469bde72d4f2065fb

SHA1
72a6849a2ffa008ed051b06e23e097a83cac0812

SHA256
b432fa6402cd61b67e4bb645460d9d30369fde5713109c79282b93621ad6bb49

SHA512
835fbd0f05b84b7aea4c95f5fc7a1c65f52372994a34b5847db2c3e33fdc5b7f77e607053db36a08babd77f206336b60bb56ae952bc0c7f2821112369d985417

Download Submit
C:\Windows\svchost.com
Filesize
40KB

MD5
79b7d44e4d5b4d3469bde72d4f2065fb

SHA1
72a6849a2ffa008ed051b06e23e097a83cac0812

SHA256
b432fa6402cd61b67e4bb645460d9d30369fde5713109c79282b93621ad6bb49

SHA512
835fbd0f05b84b7aea4c95f5fc7a1c65f52372994a34b5847db2c3e33fdc5b7f77e607053db36a08babd77f206336b60bb56ae952bc0c7f2821112369d985417

Download Submit
C:\Windows\svchost.com
Filesize
40KB

MD5
79b7d44e4d5b4d3469bde72d4f2065fb

SHA1
72a6849a2ffa008ed051b06e23e097a83cac0812

SHA256
b432fa6402cd61b67e4bb645460d9d30369fde5713109c79282b93621ad6bb49

SHA512
835fbd0f05b84b7aea4c95f5fc7a1c65f52372994a34b5847db2c3e33fdc5b7f77e607053db36a08babd77f206336b60bb56ae952bc0c7f2821112369d985417

Download Submit
C:\Windows\svchost.com
Filesize
40KB

MD5
79b7d44e4d5b4d3469bde72d4f2065fb

SHA1
72a6849a2ffa008ed051b06e23e097a83cac0812

SHA256
b432fa6402cd61b67e4bb645460d9d30369fde5713109c79282b93621ad6bb49

SHA512
835fbd0f05b84b7aea4c95f5fc7a1c65f52372994a34b5847db2c3e33fdc5b7f77e607053db36a08babd77f206336b60bb56ae952bc0c7f2821112369d985417

Download Submit
C:\Windows\svchost.com
Filesize
40KB

MD5
79b7d44e4d5b4d3469bde72d4f2065fb

SHA1
72a6849a2ffa008ed051b06e23e097a83cac0812

SHA256
b432fa6402cd61b67e4bb645460d9d30369fde5713109c79282b93621ad6bb49

SHA512
835fbd0f05b84b7aea4c95f5fc7a1c65f52372994a34b5847db2c3e33fdc5b7f77e607053db36a08babd77f206336b60bb56ae952bc0c7f2821112369d985417

Download Submit
C:\Windows\svchost.com
Filesize
40KB

MD5
79b7d44e4d5b4d3469bde72d4f2065fb

SHA1
72a6849a2ffa008ed051b06e23e097a83cac0812

SHA256
b432fa6402cd61b67e4bb645460d9d30369fde5713109c79282b93621ad6bb49

SHA512
835fbd0f05b84b7aea4c95f5fc7a1c65f52372994a34b5847db2c3e33fdc5b7f77e607053db36a08babd77f206336b60bb56ae952bc0c7f2821112369d985417

Download Submit
C:\odt\OFFICE~1.EXE
Filesize
5.1MB

MD5
02c3d242fe142b0eabec69211b34bc55

SHA1
ea0a4a6d6078b362f7b3a4ad1505ce49957dc16e

SHA256
2a1ed24be7e3859b46ec3ebc316789ead5f12055853f86a9656e04b4bb771842

SHA512
0efb08492eaaa2e923beddc21566e98fbbef3a102f9415ff310ec616f5c84fd2ba3a7025b05e01c0bdf37e5e2f64dfd845f9254a376144cc7d827e7577dbb099

Download Submit
memory/444-214-0x0000000000000000-mapping.dmp

Download
memory/636-221-0x0000000000000000-mapping.dmp

Download
memory/648-233-0x0000000000000000-mapping.dmp

Download
memory/800-186-0x0000000000000000-mapping.dmp

Download
memory/1080-149-0x0000000000000000-mapping.dmp

Download
memory/1096-222-0x0000000000000000-mapping.dmp

Download
memory/1240-142-0x0000000000000000-mapping.dmp

Download
memory/1400-244-0x0000000000000000-mapping.dmp

Download
memory/1412-223-0x0000000000000000-mapping.dmp

Download
memory/1684-226-0x0000000000000000-mapping.dmp

Download
memory/1720-147-0x0000000000000000-mapping.dmp

Download
memory/1724-245-0x0000000000000000-mapping.dmp

Download
memory/1748-201-0x0000000000000000-mapping.dmp

Download
memory/1808-216-0x0000000000000000-mapping.dmp

Download
memory/1844-208-0x0000000000000000-mapping.dmp

Download
memory/1980-176-0x0000000000000000-mapping.dmp

Download
memory/2108-162-0x0000000000000000-mapping.dmp

Download
memory/2256-225-0x0000000000000000-mapping.dmp

Download
memory/2296-219-0x0000000000000000-mapping.dmp

Download
memory/2368-235-0x0000000000000000-mapping.dmp

Download
memory/2368-167-0x0000000000000000-mapping.dmp

Download
memory/2400-228-0x0000000000000000-mapping.dmp

Download
memory/2408-249-0x0000000000000000-mapping.dmp

Download
memory/2692-191-0x0000000000000000-mapping.dmp

Download
memory/2708-174-0x0000000000000000-mapping.dmp

Download
memory/2812-238-0x0000000000000000-mapping.dmp

Download
memory/2928-234-0x0000000000000000-mapping.dmp

Download
memory/2936-213-0x0000000000000000-mapping.dmp

Download
memory/2944-240-0x0000000000000000-mapping.dmp

Download
memory/2960-247-0x0000000000000000-mapping.dmp

Download
memory/3124-230-0x0000000000000000-mapping.dmp

Download
memory/3348-184-0x0000000000000000-mapping.dmp

Download
memory/3364-248-0x0000000000000000-mapping.dmp

Download
memory/3372-229-0x0000000000000000-mapping.dmp

Download
memory/3424-136-0x0000000000000000-mapping.dmp

Download
memory/3468-239-0x0000000000000000-mapping.dmp

Download
memory/3480-218-0x0000000000000000-mapping.dmp

Download
memory/3504-227-0x0000000000000000-mapping.dmp

Download
memory/3644-252-0x0000000000000000-mapping.dmp

Download
memory/3664-215-0x0000000000000000-mapping.dmp

Download
memory/3668-211-0x0000000000000000-mapping.dmp

Download
memory/3688-180-0x0000000000000000-mapping.dmp

Download
memory/3720-236-0x0000000000000000-mapping.dmp

Download
memory/3744-217-0x0000000000000000-mapping.dmp

Download
memory/3976-232-0x0000000000000000-mapping.dmp

Download
memory/4012-159-0x0000000000000000-mapping.dmp

Download
memory/4052-250-0x0000000000000000-mapping.dmp

Download
memory/4072-133-0x0000000000000000-mapping.dmp

Download
memory/4228-152-0x0000000000000000-mapping.dmp

Download
memory/4236-139-0x0000000000000000-mapping.dmp

Download
memory/4264-243-0x0000000000000000-mapping.dmp

Download
memory/4372-253-0x0000000000000000-mapping.dmp

Download
memory/4452-246-0x0000000000000000-mapping.dmp

Download
memory/4524-242-0x0000000000000000-mapping.dmp

Download
memory/4568-212-0x0000000000000000-mapping.dmp

Download
memory/4628-241-0x0000000000000000-mapping.dmp

Download
memory/4784-203-0x0000000000000000-mapping.dmp

Download
memory/4852-251-0x0000000000000000-mapping.dmp

Download
memory/4908-224-0x0000000000000000-mapping.dmp

Download
memory/4952-220-0x0000000000000000-mapping.dmp

Download
memory/5016-157-0x0000000000000000-mapping.dmp

Download
memory/5044-231-0x0000000000000000-mapping.dmp

Download
memory/5060-130-0x0000000000000000-mapping.dmp

Download
memory/5084-237-0x0000000000000000-mapping.dmp

Download