neshta | a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc

Analysis

max time kernel
151s
max time network
131s
platform
windows7_x64
resource
win7-20220414-en
submitted
22-06-2022 12:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe
Size

3.2MB
MD5

2df68cae0c75613b9bea1c10c1519136
SHA1

71a31818afbc0bfff98a1642802665e70c194fda
SHA256

a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc
SHA512

7aad207b0af831dc8a6e55170f89329c6986d4a9931745ff105cea03768bb5c8eb07f27e03a7935188084edbc31caf83135e5c118182b053eb42ae4ac482b8e7

Score

10^/10

neshta persistence spyware stealer

Malware Config

Signatures

Detect Neshta Payload 52 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\3582-490\a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe	family_neshta
C:\Users\Admin\AppData\Local\Temp\3582-490\a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe	family_neshta
\Users\Admin\AppData\Local\Temp\3582-490\a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe	family_neshta
\Users\Admin\AppData\Local\Temp\3582-490\a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe	family_neshta
C:\Users\Admin\AppData\Local\Temp\3582-490\a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe	family_neshta
\Users\Admin\AppData\Local\Temp\._cache_a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe	family_neshta
\Users\Admin\AppData\Local\Temp\._cache_a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe	family_neshta
C:\Users\Admin\AppData\Local\Temp\._cache_a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe	family_neshta
C:\Users\Admin\AppData\Local\Temp\._cache_a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe	family_neshta
C:\Windows\svchost.com	family_neshta
C:\MSOCache\ALLUSE~1\{9A861~1\ose.exe	family_neshta
C:\Windows\svchost.com	family_neshta
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE	family_neshta
C:\MSOCache\ALLUSE~1\{9A861~1\setup.exe	family_neshta
C:\MSOCache\ALLUSE~1\{90140~1\dwtrig20.exe	family_neshta
C:\MSOCache\ALLUSE~1\{90140~1\DW20.EXE	family_neshta
\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE	family_neshta
\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE	family_neshta
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE	family_neshta
\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE	family_neshta
\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE	family_neshta
\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE	family_neshta
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE	family_neshta
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE	family_neshta
C:\Windows\svchost.com	family_neshta
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE	family_neshta
\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE	family_neshta
\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE	family_neshta
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE	family_neshta
\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE	family_neshta
\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE	family_neshta
\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE	family_neshta
C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe	family_neshta
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE	family_neshta
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE	family_neshta
C:\Windows\svchost.com	family_neshta
C:\PROGRA~2\COMMON~1\MICROS~1\DW\DWTRIG20.EXE	family_neshta
\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE	family_neshta
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE	family_neshta
\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE	family_neshta
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE	family_neshta
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE	family_neshta
\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE	family_neshta
\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE	family_neshta
\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE	family_neshta
\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE	family_neshta
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE	family_neshta
C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~4.EXE	family_neshta
C:\PROGRA~2\Google\Update\1336~1.71\GO664E~1.EXE	family_neshta
C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE	family_neshta
C:\Windows\svchost.com	family_neshta
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE	family_neshta

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta

Executes dropped EXE 64 IoCs

Processes:

a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe._cache_a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exesvchost.com_CACHE~1.EXE._cache__CACHE~1.EXEsvchost.com_CACHE~2.EXESynaptics.exe._cache__CACHE~2.EXEsvchost.com_CACHE~1.EXE._cache__CACHE~1.EXEsvchost.com_CACHE~2.EXE._cache__CACHE~2.EXEsvchost.com_CACHE~1.EXE._cache__CACHE~1.EXEsvchost.com_CACHE~2.EXE._cache__CACHE~2.EXEsvchost.com_CACHE~1.EXE._cache__CACHE~1.EXEsvchost.com_CACHE~2.EXE._cache__CACHE~2.EXEsvchost.com_CACHE~1.EXE._cache__CACHE~1.EXEsvchost.com_CACHE~2.EXE._cache__CACHE~2.EXEsvchost.com_CACHE~1.EXE._cache__CACHE~1.EXEsvchost.com_CACHE~2.EXE._cache__CACHE~2.EXEsvchost.com_CACHE~1.EXE._cache__CACHE~1.EXEsvchost.com_CACHE~2.EXE._cache__CACHE~2.EXEsvchost.com_CACHE~1.EXE._cache__CACHE~1.EXEsvchost.com_CACHE~2.EXE._cache__CACHE~2.EXEsvchost.com_CACHE~1.EXE._cache__CACHE~1.EXEsvchost.com_CACHE~1.EXE._cache__CACHE~1.EXEsvchost.com_CACHE~1.EXE._cache__CACHE~1.EXEsvchost.com_CACHE~1.EXE._cache__CACHE~1.EXEsvchost.com

pid	process
952	a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe
908	._cache_a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe
1956	svchost.com
436	_CACHE~1.EXE
1352	._cache__CACHE~1.EXE
540	svchost.com
1760	_CACHE~2.EXE
1620	Synaptics.exe
1480	._cache__CACHE~2.EXE
924	svchost.com
1832	_CACHE~1.EXE
1788	._cache__CACHE~1.EXE
1956	svchost.com
1648	_CACHE~2.EXE
1756	._cache__CACHE~2.EXE
1000	svchost.com
1964	_CACHE~1.EXE
1124	._cache__CACHE~1.EXE
1816	svchost.com
288	_CACHE~2.EXE
1640	._cache__CACHE~2.EXE
792	svchost.com
608	_CACHE~1.EXE
844	._cache__CACHE~1.EXE
1172	svchost.com
1060	_CACHE~2.EXE
1664	._cache__CACHE~2.EXE
436	svchost.com
1204	_CACHE~1.EXE
1596	._cache__CACHE~1.EXE
948	svchost.com
1224	_CACHE~2.EXE
868	._cache__CACHE~2.EXE
1856	svchost.com
1468	_CACHE~1.EXE
1608	._cache__CACHE~1.EXE
1612	svchost.com
608	_CACHE~2.EXE
588	._cache__CACHE~2.EXE
592	svchost.com
1756	_CACHE~1.EXE
1000	._cache__CACHE~1.EXE
1964	svchost.com
1736	_CACHE~2.EXE
992	._cache__CACHE~2.EXE
1564	svchost.com
1840	_CACHE~1.EXE
1712	._cache__CACHE~1.EXE
900	svchost.com
1896	_CACHE~2.EXE
1068	._cache__CACHE~2.EXE
872	svchost.com
776	_CACHE~1.EXE
1944	._cache__CACHE~1.EXE
1276	svchost.com
1032	_CACHE~1.EXE
628	._cache__CACHE~1.EXE
704	svchost.com
1928	_CACHE~1.EXE
1896	._cache__CACHE~1.EXE
1660	svchost.com
1588	_CACHE~1.EXE
1980	._cache__CACHE~1.EXE
1816	svchost.com

Loads dropped DLL 64 IoCs

Processes:

a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exea89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exesvchost.com_CACHE~1.EXEsvchost.com_CACHE~2.EXE._cache_a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exesvchost.com_CACHE~1.EXEsvchost.com_CACHE~2.EXEsvchost.com_CACHE~1.EXEsvchost.com_CACHE~2.EXEsvchost.com_CACHE~1.EXEsvchost.com_CACHE~2.EXEsvchost.com_CACHE~1.EXEEXCEL.EXE

pid	process
1228	a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe
1228	a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe
952	a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe
952	a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe
952	a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe
1956	svchost.com
1956	svchost.com
436	_CACHE~1.EXE
436	_CACHE~1.EXE
436	_CACHE~1.EXE
540	svchost.com
540	svchost.com
952	a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe
952	a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe
1760	_CACHE~2.EXE
1760	_CACHE~2.EXE
1760	_CACHE~2.EXE
1228	a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe
908	._cache_a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe
924	svchost.com
924	svchost.com
1832	_CACHE~1.EXE
1832	_CACHE~1.EXE
1832	_CACHE~1.EXE
1832	_CACHE~1.EXE
1956	svchost.com
1956	svchost.com
1648	_CACHE~2.EXE
1648	_CACHE~2.EXE
1648	_CACHE~2.EXE
1648	_CACHE~2.EXE
1000	svchost.com
1000	svchost.com
1964	_CACHE~1.EXE
1964	_CACHE~1.EXE
1964	_CACHE~1.EXE
1964	_CACHE~1.EXE
1816	svchost.com
1816	svchost.com
288	_CACHE~2.EXE
288	_CACHE~2.EXE
288	_CACHE~2.EXE
288	_CACHE~2.EXE
792	svchost.com
792	svchost.com
608	_CACHE~1.EXE
608	_CACHE~1.EXE
608	_CACHE~1.EXE
608	_CACHE~1.EXE
1172	svchost.com
1172	svchost.com
1060	_CACHE~2.EXE
1060	_CACHE~2.EXE
1060	_CACHE~2.EXE
1060	_CACHE~2.EXE
436	svchost.com
436	svchost.com
1204	_CACHE~1.EXE
1636	EXCEL.EXE
1636	EXCEL.EXE
908	._cache_a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe
1636	EXCEL.EXE
1636	EXCEL.EXE
908	._cache_a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe

Drops file in Program Files directory 64 IoCs

Processes:

._cache_a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exea89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe

description	ioc	process
File opened for modification	C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE	._cache_a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE	a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	._cache_a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\misc.exe	._cache_a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\OIS.EXE	a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBE_~1.EXE	._cache_a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE	._cache_a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\NAMECO~1.EXE	._cache_a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\NAMECO~1.EXE	a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\WINWORD.EXE	._cache_a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\TextConv\WksConv\Wkconv.exe	a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~2.EXE	._cache_a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\wab.exe	a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE	a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\SETUPF~1\{AC76B~1\Setup.exe	a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\ink\mip.exe	a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~1.EXE	a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\ACCESS~1\wordpad.exe	._cache_a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXE	._cache_a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~2.EXE	a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXE	._cache_a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXE	a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmlaunch.exe	._cache_a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOHTMED.EXE	a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\setup_wm.exe	._cache_a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\ImagingDevices.exe	._cache_a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE	a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE	a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\Setup.exe	._cache_a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\SOURCE~1\OSE.EXE	a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSQRY32.EXE	._cache_a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\VPREVIEW.EXE	a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmlaunch.exe	a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOBD5D~1.EXE	a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSTORDB.EXE	a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE	._cache_a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\EQUATION\EQNEDT32.EXE	._cache_a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOXMLED.EXE	._cache_a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ACCICONS.EXE	._cache_a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSTORDB.EXE	._cache_a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe
File opened for modification	C:\PROGRA~3\SYNAPT~1\SYNAPT~1.EXE	._cache_a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	._cache_a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE	._cache_a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ONENOTE.EXE	._cache_a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe
File opened for modification	C:\PROGRA~2\WI4223~1\sidebar.exe	._cache_a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE	a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\FLTLDR.EXE	a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOBD5D~1.EXE	._cache_a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ACCICONS.EXE	a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\PPTICO.EXE	._cache_a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\setup_wm.exe	a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOXMLED.EXE	a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\Oarpmany.exe	._cache_a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~3.EXE	._cache_a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GO664E~1.EXE	a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	._cache_a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\VPREVIEW.EXE	._cache_a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe	._cache_a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	._cache_a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\1033\ONELEV.EXE	._cache_a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe

Drops file in Windows directory 64 IoCs

Processes:

._cache__CACHE~1.EXEsvchost.comsvchost.comsvchost.comsvchost.comsvchost.com._cache__CACHE~1.EXE._cache__CACHE~1.EXE._cache__CACHE~1.EXEsvchost.com._cache__CACHE~1.EXE._cache__CACHE~1.EXE._cache__CACHE~2.EXE._cache__CACHE~1.EXE._cache__CACHE~1.EXE._cache__CACHE~1.EXEsvchost.com._cache__CACHE~2.EXE._cache__CACHE~1.EXE._cache__CACHE~1.EXEsvchost.com._cache__CACHE~1.EXE._cache__CACHE~1.EXE._cache__CACHE~1.EXE._cache__CACHE~1.EXEsvchost.com._cache__CACHE~1.EXE._cache__CACHE~1.EXEsvchost.comsvchost.comsvchost.com._cache__CACHE~1.EXEsvchost.comsvchost.comsvchost.com._cache__CACHE~1.EXEsvchost.com._cache__CACHE~1.EXEsvchost.com._cache__CACHE~1.EXE._cache__CACHE~1.EXEsvchost.comsvchost.com._cache__CACHE~1.EXE._cache__CACHE~1.EXEsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.com._cache__CACHE~1.EXE._cache__CACHE~1.EXE._cache__CACHE~1.EXE._cache__CACHE~1.EXEsvchost.comsvchost.com._cache__CACHE~1.EXE

description	ioc	process
File opened for modification	C:\Windows\directx.sys	._cache__CACHE~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	._cache__CACHE~1.EXE
File opened for modification	C:\Windows\directx.sys	._cache__CACHE~1.EXE
File opened for modification	C:\Windows\svchost.com	._cache__CACHE~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	._cache__CACHE~1.EXE
File opened for modification	C:\Windows\directx.sys	._cache__CACHE~1.EXE
File opened for modification	C:\Windows\directx.sys	._cache__CACHE~2.EXE
File opened for modification	C:\Windows\directx.sys	._cache__CACHE~1.EXE
File opened for modification	C:\Windows\directx.sys	._cache__CACHE~1.EXE
File opened for modification	C:\Windows\svchost.com	._cache__CACHE~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	._cache__CACHE~2.EXE
File opened for modification	C:\Windows\directx.sys	._cache__CACHE~1.EXE
File opened for modification	C:\Windows\svchost.com	._cache__CACHE~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	._cache__CACHE~1.EXE
File opened for modification	C:\Windows\svchost.com	._cache__CACHE~1.EXE
File opened for modification	C:\Windows\svchost.com	._cache__CACHE~1.EXE
File opened for modification	C:\Windows\svchost.com	._cache__CACHE~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	._cache__CACHE~1.EXE
File opened for modification	C:\Windows\svchost.com	._cache__CACHE~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	._cache__CACHE~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	._cache__CACHE~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	._cache__CACHE~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	._cache__CACHE~1.EXE
File opened for modification	C:\Windows\svchost.com	._cache__CACHE~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	._cache__CACHE~1.EXE
File opened for modification	C:\Windows\directx.sys	._cache__CACHE~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	._cache__CACHE~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	._cache__CACHE~1.EXE
File opened for modification	C:\Windows\svchost.com	._cache__CACHE~1.EXE
File opened for modification	C:\Windows\svchost.com	._cache__CACHE~1.EXE
File opened for modification	C:\Windows\svchost.com	._cache__CACHE~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	._cache__CACHE~1.EXE
File opened for modification	C:\Windows\directx.sys	._cache__CACHE~1.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

Processes:

EXCEL.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	EXCEL.EXE

Modifies registry class 64 IoCs

Processes:

EXCEL.EXE

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

1636 EXCEL.EXE
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

EXCEL.EXE

pid process

1636 EXCEL.EXE

pid	process
1636	EXCEL.EXE

pid	process
1636	EXCEL.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exea89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe._cache_a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exesvchost.com_CACHE~1.EXE._cache__CACHE~1.EXEsvchost.com_CACHE~2.EXE._cache__CACHE~2.EXEsvchost.com_CACHE~1.EXE._cache__CACHE~1.EXEsvchost.com_CACHE~2.EXE._cache__CACHE~2.EXE

description	pid	process	target process
PID 1228 wrote to memory of 952	1228	a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe	a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe
PID 1228 wrote to memory of 952	1228	a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe	a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe
PID 1228 wrote to memory of 952	1228	a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe	a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe
PID 1228 wrote to memory of 952	1228	a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe	a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe
PID 952 wrote to memory of 908	952	a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe	._cache_a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe
PID 952 wrote to memory of 908	952	a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe	._cache_a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe
PID 952 wrote to memory of 908	952	a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe	._cache_a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe
PID 952 wrote to memory of 908	952	a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe	._cache_a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe
PID 908 wrote to memory of 1956	908	._cache_a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe	svchost.com
PID 908 wrote to memory of 1956	908	._cache_a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe	svchost.com
PID 908 wrote to memory of 1956	908	._cache_a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe	svchost.com
PID 908 wrote to memory of 1956	908	._cache_a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe	svchost.com
PID 1956 wrote to memory of 436	1956	svchost.com	_CACHE~1.EXE
PID 1956 wrote to memory of 436	1956	svchost.com	_CACHE~1.EXE
PID 1956 wrote to memory of 436	1956	svchost.com	_CACHE~1.EXE
PID 1956 wrote to memory of 436	1956	svchost.com	_CACHE~1.EXE
PID 436 wrote to memory of 1352	436	_CACHE~1.EXE	._cache__CACHE~1.EXE
PID 436 wrote to memory of 1352	436	_CACHE~1.EXE	._cache__CACHE~1.EXE
PID 436 wrote to memory of 1352	436	_CACHE~1.EXE	._cache__CACHE~1.EXE
PID 436 wrote to memory of 1352	436	_CACHE~1.EXE	._cache__CACHE~1.EXE
PID 1352 wrote to memory of 540	1352	._cache__CACHE~1.EXE	svchost.com
PID 1352 wrote to memory of 540	1352	._cache__CACHE~1.EXE	svchost.com
PID 1352 wrote to memory of 540	1352	._cache__CACHE~1.EXE	svchost.com
PID 1352 wrote to memory of 540	1352	._cache__CACHE~1.EXE	svchost.com
PID 540 wrote to memory of 1760	540	svchost.com	_CACHE~2.EXE
PID 540 wrote to memory of 1760	540	svchost.com	_CACHE~2.EXE
PID 540 wrote to memory of 1760	540	svchost.com	_CACHE~2.EXE
PID 540 wrote to memory of 1760	540	svchost.com	_CACHE~2.EXE
PID 952 wrote to memory of 1620	952	a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe	Synaptics.exe
PID 952 wrote to memory of 1620	952	a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe	Synaptics.exe
PID 952 wrote to memory of 1620	952	a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe	Synaptics.exe
PID 952 wrote to memory of 1620	952	a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe	Synaptics.exe
PID 1760 wrote to memory of 1480	1760	_CACHE~2.EXE	._cache__CACHE~2.EXE
PID 1760 wrote to memory of 1480	1760	_CACHE~2.EXE	._cache__CACHE~2.EXE
PID 1760 wrote to memory of 1480	1760	_CACHE~2.EXE	._cache__CACHE~2.EXE
PID 1760 wrote to memory of 1480	1760	_CACHE~2.EXE	._cache__CACHE~2.EXE
PID 1480 wrote to memory of 924	1480	._cache__CACHE~2.EXE	svchost.com
PID 1480 wrote to memory of 924	1480	._cache__CACHE~2.EXE	svchost.com
PID 1480 wrote to memory of 924	1480	._cache__CACHE~2.EXE	svchost.com
PID 1480 wrote to memory of 924	1480	._cache__CACHE~2.EXE	svchost.com
PID 924 wrote to memory of 1832	924	svchost.com	_CACHE~1.EXE
PID 924 wrote to memory of 1832	924	svchost.com	_CACHE~1.EXE
PID 924 wrote to memory of 1832	924	svchost.com	_CACHE~1.EXE
PID 924 wrote to memory of 1832	924	svchost.com	_CACHE~1.EXE
PID 1832 wrote to memory of 1788	1832	_CACHE~1.EXE	._cache__CACHE~1.EXE
PID 1832 wrote to memory of 1788	1832	_CACHE~1.EXE	._cache__CACHE~1.EXE
PID 1832 wrote to memory of 1788	1832	_CACHE~1.EXE	._cache__CACHE~1.EXE
PID 1832 wrote to memory of 1788	1832	_CACHE~1.EXE	._cache__CACHE~1.EXE
PID 1788 wrote to memory of 1956	1788	._cache__CACHE~1.EXE	svchost.com
PID 1788 wrote to memory of 1956	1788	._cache__CACHE~1.EXE	svchost.com
PID 1788 wrote to memory of 1956	1788	._cache__CACHE~1.EXE	svchost.com
PID 1788 wrote to memory of 1956	1788	._cache__CACHE~1.EXE	svchost.com
PID 1956 wrote to memory of 1648	1956	svchost.com	_CACHE~2.EXE
PID 1956 wrote to memory of 1648	1956	svchost.com	_CACHE~2.EXE
PID 1956 wrote to memory of 1648	1956	svchost.com	_CACHE~2.EXE
PID 1956 wrote to memory of 1648	1956	svchost.com	_CACHE~2.EXE
PID 1648 wrote to memory of 1756	1648	_CACHE~2.EXE	._cache__CACHE~2.EXE
PID 1648 wrote to memory of 1756	1648	_CACHE~2.EXE	._cache__CACHE~2.EXE
PID 1648 wrote to memory of 1756	1648	_CACHE~2.EXE	._cache__CACHE~2.EXE
PID 1648 wrote to memory of 1756	1648	_CACHE~2.EXE	._cache__CACHE~2.EXE
PID 1756 wrote to memory of 1000	1756	._cache__CACHE~2.EXE	svchost.com
PID 1756 wrote to memory of 1000	1756	._cache__CACHE~2.EXE	svchost.com
PID 1756 wrote to memory of 1000	1756	._cache__CACHE~2.EXE	svchost.com
PID 1756 wrote to memory of 1000	1756	._cache__CACHE~2.EXE	svchost.com

C:\Users\Admin\AppData\Local\Temp\a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe
"C:\Users\Admin\AppData\Local\Temp\a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe"
1⤵
- Modifies system executable filetype association
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1228

C:\Users\Admin\AppData\Local\Temp\3582-490\a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:952

C:\Users\Admin\AppData\Local\Temp\._cache_a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe
"C:\Users\Admin\AppData\Local\Temp\._cache_a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:908

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1956

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:436

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"
6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1352

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE"
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:540

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1760

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE"
9⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1480

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"
10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:924

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1832

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"
12⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1788

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE"
13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1956

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1648

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE"
15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1756

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"
16⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:1000

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1964

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"
18⤵
- Executes dropped EXE
PID:1124

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE"
19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1816

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:288

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE"
21⤵
- Executes dropped EXE
PID:1640

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"
22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:792

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:608

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"
24⤵
- Executes dropped EXE
PID:844

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE"
25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1172

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1060

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE"
27⤵
- Executes dropped EXE
PID:1664

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"
28⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:436

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1204

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"
30⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1596

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE"
31⤵
- Executes dropped EXE
PID:948

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
32⤵
- Executes dropped EXE
PID:1224

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE"
33⤵
- Executes dropped EXE
PID:868

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"
34⤵
- Executes dropped EXE
PID:1856

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
35⤵
- Executes dropped EXE
PID:1468

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"
36⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1608

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE"
37⤵
- Executes dropped EXE
PID:1612

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
38⤵
- Executes dropped EXE
PID:608

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE"
39⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:588

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"
40⤵
- Executes dropped EXE
PID:592

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
41⤵
- Executes dropped EXE
PID:1756

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"
42⤵
- Executes dropped EXE
PID:1000

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE"
43⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1964

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
44⤵
- Executes dropped EXE
PID:1736

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE"
45⤵
- Executes dropped EXE
PID:992

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"
46⤵
- Executes dropped EXE
PID:1564

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
47⤵
- Executes dropped EXE
PID:1840

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"
48⤵
- Executes dropped EXE
PID:1712

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE"
49⤵
- Executes dropped EXE
PID:900

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
50⤵
- Executes dropped EXE
PID:1896

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE"
51⤵
- Executes dropped EXE
PID:1068

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"
52⤵
- Executes dropped EXE
PID:872

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
53⤵
- Executes dropped EXE
PID:776

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"
54⤵
- Executes dropped EXE
PID:1944

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"
55⤵
- Executes dropped EXE
PID:1276

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
56⤵
- Executes dropped EXE
PID:1032

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"
57⤵
- Executes dropped EXE
PID:628

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"
58⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:704

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
59⤵
- Executes dropped EXE
PID:1928

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"
60⤵
- Executes dropped EXE
PID:1896

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"
61⤵
- Executes dropped EXE
PID:1660

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
62⤵
- Executes dropped EXE
PID:1588

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"
63⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1980

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"
64⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1816

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
65⤵
PID:1224

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"
66⤵
PID:1736

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"
67⤵
PID:1032

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
68⤵
PID:1644

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"
69⤵
PID:900

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"
70⤵
PID:976

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
71⤵
PID:1520

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"
72⤵
- Drops file in Windows directory
PID:1380

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"
73⤵
PID:1000

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
74⤵
PID:1540

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"
75⤵
PID:952

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"
76⤵
PID:288

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
77⤵
PID:992

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"
78⤵
PID:868

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"
79⤵
- Drops file in Windows directory
PID:1640

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
80⤵
PID:1840

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"
81⤵
PID:1468

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"
82⤵
PID:1060

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
83⤵
PID:872

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"
84⤵
PID:824

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"
85⤵
PID:1716

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
86⤵
PID:1772

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"
87⤵
- Drops file in Windows directory
PID:1540

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"
88⤵
PID:952

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
89⤵
PID:1652

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"
90⤵
- Drops file in Windows directory
PID:792

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"
91⤵
PID:1204

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
92⤵
PID:1828

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"
93⤵
PID:580

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"
94⤵
- Drops file in Windows directory
PID:1644

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
95⤵
PID:1116

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"
96⤵
- Drops file in Windows directory
PID:1580

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"
97⤵
PID:576

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
98⤵
PID:1068

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"
99⤵
PID:1000

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"
100⤵
- Drops file in Windows directory
PID:1440

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
101⤵
PID:1588

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"
102⤵
- Drops file in Windows directory
PID:1480

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"
103⤵
PID:1760

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
104⤵
PID:1756

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"
105⤵
PID:1952

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"
106⤵
PID:868

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
107⤵
PID:1668

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"
108⤵
- Drops file in Windows directory
PID:1896

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"
109⤵
PID:588

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
110⤵
PID:1788

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"
111⤵
PID:1700

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"
112⤵
PID:824

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
113⤵
PID:1080

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"
114⤵
PID:1476

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"
115⤵
- Drops file in Windows directory
PID:272

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
116⤵
PID:1816

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"
117⤵
PID:104

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"
118⤵
PID:1856

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
119⤵
PID:2016

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"
120⤵
- Drops file in Windows directory
PID:1952

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"
121⤵
- Drops file in Windows directory
PID:1968

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
122⤵
PID:580

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"
123⤵
- Drops file in Windows directory
PID:1896

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"
124⤵
PID:1744

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
125⤵
PID:1004

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"
126⤵
PID:1068

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"
127⤵
PID:1440

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
128⤵
PID:1836

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"
129⤵
PID:1964

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"
130⤵
PID:1480

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
131⤵
PID:1760

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"
132⤵
PID:1652

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"
133⤵
PID:992

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
134⤵
PID:1828

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"
135⤵
PID:1352

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"
136⤵
PID:1528

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
137⤵
PID:580

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"
138⤵
PID:1744

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"
139⤵
PID:872

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
140⤵
PID:592

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"
141⤵
- Drops file in Windows directory
PID:1488

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"
142⤵
PID:1476

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
143⤵
PID:1964

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"
144⤵
PID:1204

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"
145⤵
PID:1652

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
146⤵
PID:628

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"
147⤵
PID:900

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"
148⤵
PID:320

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
149⤵
PID:1692

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"
150⤵
PID:764

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"
151⤵
- Drops file in Windows directory
PID:1004

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
152⤵
PID:436

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"
153⤵
PID:1944

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"
154⤵
PID:1836

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
155⤵
PID:272

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"
156⤵
- Drops file in Windows directory
PID:1276

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"
157⤵
PID:108

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
158⤵
PID:1708

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"
159⤵
- Drops file in Windows directory
PID:1060

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"
160⤵
PID:1556

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
161⤵
PID:868

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"
162⤵
PID:320

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"
163⤵
PID:1116

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
164⤵
PID:1788

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"
165⤵
PID:824

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"
166⤵
- Drops file in Windows directory
PID:1772

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
167⤵
PID:568

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"
168⤵
PID:896

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"
169⤵
PID:1684

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
170⤵
PID:1588

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"
171⤵
PID:1204

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"
172⤵
- Drops file in Windows directory
PID:456

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
173⤵
PID:1564

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"
174⤵
- Drops file in Windows directory
PID:1952

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"
175⤵
PID:1368

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
176⤵
PID:932

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"
177⤵
PID:576

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"
178⤵
PID:1116

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
179⤵
PID:1004

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"
180⤵
PID:872

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"
181⤵
PID:948

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
182⤵
PID:1688

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"
183⤵
- Drops file in Windows directory
PID:1760

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"
184⤵
PID:1476

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
185⤵
PID:1736

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"
186⤵
PID:1892

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"
187⤵
PID:456

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
188⤵
PID:1584

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"
189⤵
- Drops file in Windows directory
PID:1468

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"
190⤵
- Drops file in Windows directory
PID:1840

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
191⤵
PID:580

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"
192⤵
- Drops file in Windows directory
PID:932

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"
193⤵
PID:1116

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
194⤵
PID:1000

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"
195⤵
PID:1068

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"
196⤵
- Drops file in Windows directory
PID:592

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
197⤵
PID:1488

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"
198⤵
- Drops file in Windows directory
PID:1820

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"
199⤵
- Drops file in Windows directory
PID:1276

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
200⤵
PID:1476

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"
201⤵
PID:1736

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"
202⤵
PID:792

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
203⤵
PID:456

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"
204⤵
PID:1584

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"
205⤵
PID:320

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
206⤵
PID:628

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"
207⤵
PID:576

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"
208⤵
- Drops file in Windows directory
PID:1540

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
209⤵
PID:1116

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"
210⤵
PID:1000

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"
211⤵
PID:948

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
212⤵
PID:592

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"
213⤵
PID:1488

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"
214⤵
PID:1820

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
215⤵
PID:108

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"
216⤵
- Drops file in Windows directory
PID:1816

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"
217⤵
- Drops file in Windows directory
PID:1664

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
218⤵
PID:1832

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"
219⤵
PID:1708

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"
220⤵
PID:1896

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
221⤵
PID:1584

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"
222⤵
PID:1660

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"
223⤵
PID:1544

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
224⤵
PID:576

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"
225⤵
PID:1004

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"
226⤵
PID:872

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
227⤵
PID:1068

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"
228⤵
PID:1780

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"
229⤵
PID:1760

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
230⤵
PID:1488

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"
231⤵
PID:1480

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"
232⤵
PID:1436

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
233⤵
PID:992

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"
234⤵
PID:1060

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"
235⤵
PID:1700

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
236⤵
PID:1448

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"
237⤵
- Drops file in Windows directory
PID:628

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"
238⤵
PID:1692

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
239⤵
PID:904

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"
240⤵
- Drops file in Windows directory
PID:768

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"
241⤵
- Drops file in Windows directory
PID:1744

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
242⤵
PID:1772

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"
243⤵
PID:1836

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"
244⤵
PID:436

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
245⤵
PID:1780

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"
246⤵
PID:1684

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"
247⤵
PID:108

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
248⤵
PID:1480

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"
249⤵
PID:704

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"
250⤵
- Drops file in Windows directory
PID:1468

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
251⤵
PID:1844

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"
252⤵
PID:1520

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"
253⤵
PID:1840

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
254⤵
PID:1660

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"
255⤵
PID:1172

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"
256⤵
PID:692

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
257⤵
PID:904

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"
258⤵
- Drops file in Windows directory
PID:1744

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"
259⤵
PID:316

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
260⤵
PID:1772

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"
261⤵
- Drops file in Windows directory
PID:436

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"
262⤵
PID:1760

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
263⤵
PID:1812

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"
264⤵
PID:1664

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"
265⤵
- Drops file in Windows directory
PID:456

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
266⤵
PID:688

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"
267⤵
PID:1708

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"
268⤵
- Drops file in Windows directory
PID:1644

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
269⤵
PID:1844

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"
270⤵
PID:1448

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"
271⤵
- Drops file in Windows directory
PID:900

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
272⤵
PID:1692

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"
273⤵
PID:1704

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"
274⤵
PID:240

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
275⤵
PID:576

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"
276⤵
- Drops file in Windows directory
PID:1744

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"
277⤵
- Drops file in Windows directory
PID:1680

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
278⤵
PID:1688

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"
279⤵
PID:1204

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"
280⤵
PID:1684

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
281⤵
PID:1488

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"
282⤵
PID:1816

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"
283⤵
PID:1700

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
284⤵
PID:1828

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"
285⤵
- Drops file in Windows directory
PID:1896

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"
286⤵
PID:1472

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
287⤵
PID:1844

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"
288⤵
PID:1092

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"
289⤵
- Drops file in Windows directory
PID:1960

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
290⤵
PID:288

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"
291⤵
PID:240

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"
292⤵
PID:1980

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
293⤵
PID:1576

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"
294⤵
PID:1440

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"
295⤵
PID:592

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
296⤵
PID:1964

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"
297⤵
PID:1684

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"
298⤵
- Drops file in Windows directory
PID:1652

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
299⤵
PID:1352

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"
300⤵
PID:1700

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"
301⤵
PID:1832

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
302⤵
PID:1828

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"
303⤵
- Drops file in Windows directory
PID:1472

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"
304⤵
PID:1840

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
305⤵
PID:1228

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"
306⤵
PID:1960

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"
307⤵
PID:1080

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
308⤵
PID:1596

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"
309⤵
PID:1744

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"
310⤵
PID:1836

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
311⤵
PID:1680

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"
312⤵
PID:1648

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"
313⤵
PID:1036

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
314⤵
PID:1156

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"
315⤵
- Drops file in Windows directory
PID:1480

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"
316⤵
PID:1060

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
317⤵
PID:1352

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"
318⤵
PID:868

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"
319⤵
PID:588

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
320⤵
PID:1828

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"
321⤵
PID:1840

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"
322⤵
- Drops file in Windows directory
PID:1172

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
323⤵
PID:1000

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"
324⤵
PID:240

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"
325⤵
- Drops file in Windows directory
PID:576

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
326⤵
PID:384

C:\ProgramData\Synaptics\Synaptics.exe
"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
3⤵
- Executes dropped EXE
PID:1620

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- Loads dropped DLL
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1636

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Change Default File Association

T1042

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\ALLUSE~1\{90140~1\DW20.EXE
Filesize
859KB

MD5
02ee6a3424782531461fb2f10713d3c1

SHA1
b581a2c365d93ebb629e8363fd9f69afc673123f

SHA256
ead58c483cb20bcd57464f8a4929079539d634f469b213054bf737d227c026dc

SHA512
6c9272cb1b6bde3ee887e1463ab30ea76568cb1a285d11393337b78c4ad1c3b7e6ce47646a92ab6d70bff4b02ab9d699b84af9437b720e52dcd35579fe2693ec

Download Submit
C:\MSOCache\ALLUSE~1\{90140~1\dwtrig20.exe
Filesize
547KB

MD5
cf6c595d3e5e9667667af096762fd9c4

SHA1
9bb44da8d7f6457099cb56e4f7d1026963dce7ce

SHA256
593e60cc30ae0789448547195af77f550387f6648d45847ea244dd0dd7abf03d

SHA512
ff4f789df9e6a6d0fbe12b3250f951fcf11e857906c65e96a30bb46266e7e1180d6103a03db2f3764e0d1346b2de7afba8259ba080057e4a268e45e8654dfa80

Download Submit
C:\MSOCache\ALLUSE~1\{9A861~1\ose.exe
Filesize
186KB

MD5
58b58875a50a0d8b5e7be7d6ac685164

SHA1
1e0b89c1b2585c76e758e9141b846ed4477b0662

SHA256
2a0aa0763fdef9c38c5dd4d50703f0c7e27f4903c139804ec75e55f8388139ae

SHA512
d67214077162a105d01b11a8e207fab08b45b08fbfba0615a2ea146e1dd99eea35e4f02958a1754d3192292c00caf777f186f0a362e4b8b0da51fabbdb76375b

Download Submit
C:\MSOCache\ALLUSE~1\{9A861~1\setup.exe
Filesize
1.1MB

MD5
566ed4f62fdc96f175afedd811fa0370

SHA1
d4b47adc40e0d5a9391d3f6f2942d1889dd2a451

SHA256
e17cd94c08fc0e001a49f43a0801cea4625fb9aee211b6dfebebec446c21f460

SHA512
cdf8f508d396a1a0d2e0fc25f2ae46398b25039a0dafa0919737cc44e3e926ebae4c3aa26f1a3441511430f1a36241f8e61c515a5d9bd98ad4740d4d0f7b8db7

Download Submit
C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe
Filesize
381KB

MD5
3ec4922dbca2d07815cf28144193ded9

SHA1
75cda36469743fbc292da2684e76a26473f04a6d

SHA256
0587fd366ea7e94b3ae500874b1c5d684b5357fcc7389682d5a13c3301a28801

SHA512
956c3a1f2689cb72600edd2e90d652b77592a8a81d319dce026e88f6c02231af06aebd57d68460eb406de00c113522173423cb1b339a41a3918f379c7dc311f7

Download Submit
C:\PROGRA~2\COMMON~1\MICROS~1\DW\DWTRIG20.EXE
Filesize
547KB

MD5
cf6c595d3e5e9667667af096762fd9c4

SHA1
9bb44da8d7f6457099cb56e4f7d1026963dce7ce

SHA256
593e60cc30ae0789448547195af77f550387f6648d45847ea244dd0dd7abf03d

SHA512
ff4f789df9e6a6d0fbe12b3250f951fcf11e857906c65e96a30bb46266e7e1180d6103a03db2f3764e0d1346b2de7afba8259ba080057e4a268e45e8654dfa80

Download Submit
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE
Filesize
503KB

MD5
3f67da7e800cd5b4af2283a9d74d2808

SHA1
f9288d052b20a9f4527e5a0f87f4249f5e4440f7

SHA256
31c10320edb2de22f37faee36611558db83b78a9c3c71ea0ed13c8dce25bf711

SHA512
6a40f4629ddae102d8737e921328e95717274cea16eb5f23bff6a6627c6047d7f27e7f6eb5cb52f53152e326e53b6ee44d9a9ee8eca7534a2f62fa457ac3d4e3

Download Submit
C:\PROGRA~2\Google\Update\1336~1.71\GO664E~1.EXE
Filesize
138KB

MD5
950000c930454e0c30644f13ed60e9c3

SHA1
5f6b06e8a02e1390e7499722b277135b4950723d

SHA256
09786f64db91266470b56046098d9825253ba5d6a5361c2f4e6dbc8ec28c9bb2

SHA512
22e3c677c83c755e53a7bf8735734541223f57151d588c3380bc758e5433b706441666d0d95c42bd23a720b093a6942a62346dab24ee3f0a18bee3e5ad1cd9d9

Download Submit
C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE
Filesize
138KB

MD5
fafb18b930b2b05ac8c5ddb988e9062f

SHA1
825ea5069601fb875f8d050aa01300eac03d3826

SHA256
c17785fe7e6b5e08fe5a4ca3679fee85ba6f2e5efcce0fb9807727cf8aa25265

SHA512
be034e7377bd27092aad02e13a152fb80ff74c1ba2fb63ccb344cd55315d115ee47e46727cbe55ca808efafa58d7924e3eed965e9a2fd3b9ae2dff7834383e54

Download Submit
C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~4.EXE
Filesize
404KB

MD5
ea78ed9e7eb4cc64544163627476fe4b

SHA1
67aed91a59742a36c0ff635b15c692cde3eb3a9d

SHA256
d5adfd6c8160892716ad5f2907cc66888aee97e1d296404503e1d42dd30ba562

SHA512
eeee54e5ffbd243fe7ef6c93744c754bc238e5b05e85c7ca3b25edc02a8692cd10225edff40444fe2536608d0ed25578573e309503cb8f90f43d089d86f8710f

Download Submit
C:\ProgramData\Synaptics\Synaptics.exe
Filesize
753KB

MD5
7a2469fb379933efb249d02662edae71

SHA1
2ce7fa489db984fffeaaf79e02582c6ac879e440

SHA256
7b6a0941706a341f69707f1c6d8d274a5590f844fa606766317bc7d41c8979e2

SHA512
16d60874e897817ce55611678f316d42920a6a5de2534419a5b9e57be49f483aa8fb8da81e8e06238c579e55f5d33806563284d34ada1b6e8e49987d8dc259c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
Filesize
1.7MB

MD5
d1a0b7695a30f65f9b8bd50fffa019b9

SHA1
85a398baa5b4422195e8bb0aad2e64125d5407c7

SHA256
91994ed0a582b837d66e5f957150e3981ec94b1a1645a94c3475b57f45dd7835

SHA512
ae3ecbb14a9128008df00866b34405f5bc793c0a030d42c995187b02cf44dd65fcf6e548e8a6bd4db34ef46b6bc0e82d837e858210f1d884d98ac53e5eae894b

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
Filesize
1.7MB

MD5
d1a0b7695a30f65f9b8bd50fffa019b9

SHA1
85a398baa5b4422195e8bb0aad2e64125d5407c7

SHA256
91994ed0a582b837d66e5f957150e3981ec94b1a1645a94c3475b57f45dd7835

SHA512
ae3ecbb14a9128008df00866b34405f5bc793c0a030d42c995187b02cf44dd65fcf6e548e8a6bd4db34ef46b6bc0e82d837e858210f1d884d98ac53e5eae894b

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
Filesize
1.7MB

MD5
d1a0b7695a30f65f9b8bd50fffa019b9

SHA1
85a398baa5b4422195e8bb0aad2e64125d5407c7

SHA256
91994ed0a582b837d66e5f957150e3981ec94b1a1645a94c3475b57f45dd7835

SHA512
ae3ecbb14a9128008df00866b34405f5bc793c0a030d42c995187b02cf44dd65fcf6e548e8a6bd4db34ef46b6bc0e82d837e858210f1d884d98ac53e5eae894b

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
Filesize
899KB

MD5
a62a30e87f89044cc4695871713fb0dd

SHA1
6c06f3dc150dc769ca6ba33b0b9ac8590d2980a5

SHA256
37e14c7fce8d2b2e2226b7abc489617d1ad1d0ee79ccc83afbfd784e28a737be

SHA512
34237c5c163358234b8e9eb18a23ae73cca054f624fe22fdfc3551dc8fc261b2dd5035160ffdbe4ab2b669128ccf9d1ae2501dc75eebc8dbd66571528fe51bc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
Filesize
899KB

MD5
a62a30e87f89044cc4695871713fb0dd

SHA1
6c06f3dc150dc769ca6ba33b0b9ac8590d2980a5

SHA256
37e14c7fce8d2b2e2226b7abc489617d1ad1d0ee79ccc83afbfd784e28a737be

SHA512
34237c5c163358234b8e9eb18a23ae73cca054f624fe22fdfc3551dc8fc261b2dd5035160ffdbe4ab2b669128ccf9d1ae2501dc75eebc8dbd66571528fe51bc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe
Filesize
2.4MB

MD5
587b526d6e9f2e0375ba0f092023a35b

SHA1
d1a86048d02d9e211eea6d87820993f67f3c9f84

SHA256
e5dce39a9ee125e0d99fe289303fb59ad40ef60d7caeab4574a9fac64e3030ea

SHA512
4495e1d6a93d4ea23b8f91689a26d234868ba0948f97c1ed4caf75a84ce8fa119408fbcca19d20e71312f0f73271dd1fcac531b630b1f5a9ce8b4a70bf6ed6fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe
Filesize
2.4MB

MD5
587b526d6e9f2e0375ba0f092023a35b

SHA1
d1a86048d02d9e211eea6d87820993f67f3c9f84

SHA256
e5dce39a9ee125e0d99fe289303fb59ad40ef60d7caeab4574a9fac64e3030ea

SHA512
4495e1d6a93d4ea23b8f91689a26d234868ba0948f97c1ed4caf75a84ce8fa119408fbcca19d20e71312f0f73271dd1fcac531b630b1f5a9ce8b4a70bf6ed6fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
Filesize
2.4MB

MD5
1c4056919197a1a47be522c54c0e2765

SHA1
7ccd88b07da34821e5eab78df5d21e49222bd06b

SHA256
03db1da57422fab2306ac201389ba21345015538909fd7dc68a68bc724960c4f

SHA512
335be370b0099912d51c04fb502e686a9a8cc67d96231515ad893a1d4e0fa39cf4fd7d6244de883cbf76f8786d07905a310ee3250d48ab0cdea3a2b930ef170f

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
Filesize
2.4MB

MD5
1c4056919197a1a47be522c54c0e2765

SHA1
7ccd88b07da34821e5eab78df5d21e49222bd06b

SHA256
03db1da57422fab2306ac201389ba21345015538909fd7dc68a68bc724960c4f

SHA512
335be370b0099912d51c04fb502e686a9a8cc67d96231515ad893a1d4e0fa39cf4fd7d6244de883cbf76f8786d07905a310ee3250d48ab0cdea3a2b930ef170f

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
Filesize
859KB

MD5
ee2e70d5174a3a929f349b282320f145

SHA1
6cfb28ed085a9679c500681922d584bbad44445e

SHA256
a461be738ae78a06e0ff9d3df84c4be29f41942146a356264c799d767278dc51

SHA512
a6de7a46d770a918314d15ebe2a3779bfc6c16f54d61f57c1ad0c0a3c4120f953e7d974aa5b0cdfb340629a319a6088d50a6c8967c932bd3b57ade3cf42cbfe2

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
Filesize
859KB

MD5
ee2e70d5174a3a929f349b282320f145

SHA1
6cfb28ed085a9679c500681922d584bbad44445e

SHA256
a461be738ae78a06e0ff9d3df84c4be29f41942146a356264c799d767278dc51

SHA512
a6de7a46d770a918314d15ebe2a3779bfc6c16f54d61f57c1ad0c0a3c4120f953e7d974aa5b0cdfb340629a319a6088d50a6c8967c932bd3b57ade3cf42cbfe2

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
Filesize
1.6MB

MD5
60cc7cedd88babb661bf3305e6de4e42

SHA1
add34eefb620d6ece72d42dc07986fde1d018222

SHA256
eeb252bbc294dc47d041faa2210109698fb09d1dcab2ef8de36e8dfcc736ecb7

SHA512
8b651c80d4da9a7572e9f4e0a99822717b9b050d97db449cc313211ade4cf5b837d5a9de1aee78ba0382b93ada912ae570683f9a395046c7b280bf8683d26a96

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
Filesize
1.6MB

MD5
60cc7cedd88babb661bf3305e6de4e42

SHA1
add34eefb620d6ece72d42dc07986fde1d018222

SHA256
eeb252bbc294dc47d041faa2210109698fb09d1dcab2ef8de36e8dfcc736ecb7

SHA512
8b651c80d4da9a7572e9f4e0a99822717b9b050d97db449cc313211ade4cf5b837d5a9de1aee78ba0382b93ada912ae570683f9a395046c7b280bf8683d26a96

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
Filesize
1.6MB

MD5
60cc7cedd88babb661bf3305e6de4e42

SHA1
add34eefb620d6ece72d42dc07986fde1d018222

SHA256
eeb252bbc294dc47d041faa2210109698fb09d1dcab2ef8de36e8dfcc736ecb7

SHA512
8b651c80d4da9a7572e9f4e0a99822717b9b050d97db449cc313211ade4cf5b837d5a9de1aee78ba0382b93ada912ae570683f9a395046c7b280bf8683d26a96

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe
Filesize
3.2MB

MD5
5b6a8e12c7e0a556c312719df5d3a9be

SHA1
3f0bdcb2bda238efd25f3d7f18dd5cf11f94f7e9

SHA256
8182c39980c252ff582d95024e25053c3f3c4d24a42aaa92b0e25c03b3ad8a95

SHA512
433f5c64f02b99e1a6ee8d0e142e9977f588c7de48ae6a7db005b14673cc84405623884f8fba15428bca481c731653423ecfc08a1a27518d27f0d17b985133c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe
Filesize
3.2MB

MD5
5b6a8e12c7e0a556c312719df5d3a9be

SHA1
3f0bdcb2bda238efd25f3d7f18dd5cf11f94f7e9

SHA256
8182c39980c252ff582d95024e25053c3f3c4d24a42aaa92b0e25c03b3ad8a95

SHA512
433f5c64f02b99e1a6ee8d0e142e9977f588c7de48ae6a7db005b14673cc84405623884f8fba15428bca481c731653423ecfc08a1a27518d27f0d17b985133c2

Download Submit
C:\Windows\directx.sys
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\directx.sys
Filesize
57B

MD5
56abc40d1e45c091d8afddb90a4ce6b4

SHA1
08db549484467b32b79958700300cabefc659848

SHA256
a43fa861957415e3b0f25e2b54d931961cd309ff1d5354a9362852895b90b3e1

SHA512
51625c015a7c8fcf6fb51d3396aa08d2068772e3fcacaf32c409e82071af4ba1eb2ee94f36c06a98c32ba59d23bbaa6b540f7bd418a9472303cc225151daa698

Download Submit
C:\Windows\directx.sys
Filesize
57B

MD5
6b3bfceb3942a9508a2148acbee89007

SHA1
3622ac7466cc40f50515eb6fcdc15d1f34ad3be3

SHA256
e0a7bae2a9ac263cff5d725922e40272d8854278d901233a93a5267859c00a3c

SHA512
fa222bfcade636824af32124b45450c92b1abec7a33e6e647a9248eef5371c127d22ccb7cc5a096b4d5d52e2457f3841293a1b34304e8e5523549856ac02f224

Download Submit
C:\Windows\directx.sys
Filesize
57B

MD5
6b3bfceb3942a9508a2148acbee89007

SHA1
3622ac7466cc40f50515eb6fcdc15d1f34ad3be3

SHA256
e0a7bae2a9ac263cff5d725922e40272d8854278d901233a93a5267859c00a3c

SHA512
fa222bfcade636824af32124b45450c92b1abec7a33e6e647a9248eef5371c127d22ccb7cc5a096b4d5d52e2457f3841293a1b34304e8e5523549856ac02f224

Download Submit
C:\Windows\directx.sys
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\directx.sys
Filesize
57B

MD5
6b3bfceb3942a9508a2148acbee89007

SHA1
3622ac7466cc40f50515eb6fcdc15d1f34ad3be3

SHA256
e0a7bae2a9ac263cff5d725922e40272d8854278d901233a93a5267859c00a3c

SHA512
fa222bfcade636824af32124b45450c92b1abec7a33e6e647a9248eef5371c127d22ccb7cc5a096b4d5d52e2457f3841293a1b34304e8e5523549856ac02f224

Download Submit
C:\Windows\svchost.com
Filesize
40KB

MD5
a3c562fce85f4cc4d2fb7b71c9c8254c

SHA1
3eb744dff72d01ca8a097c2fb4eb8341d39e6088

SHA256
6eb99699d97fa257ab586ad139dc40b70ee9d6be51af7ad7be226a1b7ab84df3

SHA512
824a676a1d138c10dac37236db51440da496b50ec477d279296ef555f4a6108977315d962965826d209e707d6eb63f26766f2a1dd7a0404a5c0b6c2e9fd369bd

Download Submit
C:\Windows\svchost.com
Filesize
40KB

MD5
a3c562fce85f4cc4d2fb7b71c9c8254c

SHA1
3eb744dff72d01ca8a097c2fb4eb8341d39e6088

SHA256
6eb99699d97fa257ab586ad139dc40b70ee9d6be51af7ad7be226a1b7ab84df3

SHA512
824a676a1d138c10dac37236db51440da496b50ec477d279296ef555f4a6108977315d962965826d209e707d6eb63f26766f2a1dd7a0404a5c0b6c2e9fd369bd

Download Submit
C:\Windows\svchost.com
Filesize
40KB

MD5
a3c562fce85f4cc4d2fb7b71c9c8254c

SHA1
3eb744dff72d01ca8a097c2fb4eb8341d39e6088

SHA256
6eb99699d97fa257ab586ad139dc40b70ee9d6be51af7ad7be226a1b7ab84df3

SHA512
824a676a1d138c10dac37236db51440da496b50ec477d279296ef555f4a6108977315d962965826d209e707d6eb63f26766f2a1dd7a0404a5c0b6c2e9fd369bd

Download Submit
C:\Windows\svchost.com
Filesize
40KB

MD5
a3c562fce85f4cc4d2fb7b71c9c8254c

SHA1
3eb744dff72d01ca8a097c2fb4eb8341d39e6088

SHA256
6eb99699d97fa257ab586ad139dc40b70ee9d6be51af7ad7be226a1b7ab84df3

SHA512
824a676a1d138c10dac37236db51440da496b50ec477d279296ef555f4a6108977315d962965826d209e707d6eb63f26766f2a1dd7a0404a5c0b6c2e9fd369bd

Download Submit
C:\Windows\svchost.com
Filesize
40KB

MD5
a3c562fce85f4cc4d2fb7b71c9c8254c

SHA1
3eb744dff72d01ca8a097c2fb4eb8341d39e6088

SHA256
6eb99699d97fa257ab586ad139dc40b70ee9d6be51af7ad7be226a1b7ab84df3

SHA512
824a676a1d138c10dac37236db51440da496b50ec477d279296ef555f4a6108977315d962965826d209e707d6eb63f26766f2a1dd7a0404a5c0b6c2e9fd369bd

Download Submit
\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE
Filesize
252KB

MD5
9e2b9928c89a9d0da1d3e8f4bd96afa7

SHA1
ec66cda99f44b62470c6930e5afda061579cde35

SHA256
8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

SHA512
2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

Download Submit
\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE
Filesize
252KB

MD5
9e2b9928c89a9d0da1d3e8f4bd96afa7

SHA1
ec66cda99f44b62470c6930e5afda061579cde35

SHA256
8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

SHA512
2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

Download Submit
\ProgramData\Synaptics\Synaptics.exe
Filesize
753KB

MD5
7a2469fb379933efb249d02662edae71

SHA1
2ce7fa489db984fffeaaf79e02582c6ac879e440

SHA256
7b6a0941706a341f69707f1c6d8d274a5590f844fa606766317bc7d41c8979e2

SHA512
16d60874e897817ce55611678f316d42920a6a5de2534419a5b9e57be49f483aa8fb8da81e8e06238c579e55f5d33806563284d34ada1b6e8e49987d8dc259c4

Download Submit
\ProgramData\Synaptics\Synaptics.exe
Filesize
753KB

MD5
7a2469fb379933efb249d02662edae71

SHA1
2ce7fa489db984fffeaaf79e02582c6ac879e440

SHA256
7b6a0941706a341f69707f1c6d8d274a5590f844fa606766317bc7d41c8979e2

SHA512
16d60874e897817ce55611678f316d42920a6a5de2534419a5b9e57be49f483aa8fb8da81e8e06238c579e55f5d33806563284d34ada1b6e8e49987d8dc259c4

Download Submit
\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
Filesize
1.7MB

MD5
d1a0b7695a30f65f9b8bd50fffa019b9

SHA1
85a398baa5b4422195e8bb0aad2e64125d5407c7

SHA256
91994ed0a582b837d66e5f957150e3981ec94b1a1645a94c3475b57f45dd7835

SHA512
ae3ecbb14a9128008df00866b34405f5bc793c0a030d42c995187b02cf44dd65fcf6e548e8a6bd4db34ef46b6bc0e82d837e858210f1d884d98ac53e5eae894b

Download Submit
\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
Filesize
1.7MB

MD5
d1a0b7695a30f65f9b8bd50fffa019b9

SHA1
85a398baa5b4422195e8bb0aad2e64125d5407c7

SHA256
91994ed0a582b837d66e5f957150e3981ec94b1a1645a94c3475b57f45dd7835

SHA512
ae3ecbb14a9128008df00866b34405f5bc793c0a030d42c995187b02cf44dd65fcf6e548e8a6bd4db34ef46b6bc0e82d837e858210f1d884d98ac53e5eae894b

Download Submit
\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
Filesize
1.7MB

MD5
d1a0b7695a30f65f9b8bd50fffa019b9

SHA1
85a398baa5b4422195e8bb0aad2e64125d5407c7

SHA256
91994ed0a582b837d66e5f957150e3981ec94b1a1645a94c3475b57f45dd7835

SHA512
ae3ecbb14a9128008df00866b34405f5bc793c0a030d42c995187b02cf44dd65fcf6e548e8a6bd4db34ef46b6bc0e82d837e858210f1d884d98ac53e5eae894b

Download Submit
\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
Filesize
1.7MB

MD5
d1a0b7695a30f65f9b8bd50fffa019b9

SHA1
85a398baa5b4422195e8bb0aad2e64125d5407c7

SHA256
91994ed0a582b837d66e5f957150e3981ec94b1a1645a94c3475b57f45dd7835

SHA512
ae3ecbb14a9128008df00866b34405f5bc793c0a030d42c995187b02cf44dd65fcf6e548e8a6bd4db34ef46b6bc0e82d837e858210f1d884d98ac53e5eae894b

Download Submit
\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
Filesize
1.7MB

MD5
d1a0b7695a30f65f9b8bd50fffa019b9

SHA1
85a398baa5b4422195e8bb0aad2e64125d5407c7

SHA256
91994ed0a582b837d66e5f957150e3981ec94b1a1645a94c3475b57f45dd7835

SHA512
ae3ecbb14a9128008df00866b34405f5bc793c0a030d42c995187b02cf44dd65fcf6e548e8a6bd4db34ef46b6bc0e82d837e858210f1d884d98ac53e5eae894b

Download Submit
\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
Filesize
899KB

MD5
a62a30e87f89044cc4695871713fb0dd

SHA1
6c06f3dc150dc769ca6ba33b0b9ac8590d2980a5

SHA256
37e14c7fce8d2b2e2226b7abc489617d1ad1d0ee79ccc83afbfd784e28a737be

SHA512
34237c5c163358234b8e9eb18a23ae73cca054f624fe22fdfc3551dc8fc261b2dd5035160ffdbe4ab2b669128ccf9d1ae2501dc75eebc8dbd66571528fe51bc1

Download Submit
\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
Filesize
899KB

MD5
a62a30e87f89044cc4695871713fb0dd

SHA1
6c06f3dc150dc769ca6ba33b0b9ac8590d2980a5

SHA256
37e14c7fce8d2b2e2226b7abc489617d1ad1d0ee79ccc83afbfd784e28a737be

SHA512
34237c5c163358234b8e9eb18a23ae73cca054f624fe22fdfc3551dc8fc261b2dd5035160ffdbe4ab2b669128ccf9d1ae2501dc75eebc8dbd66571528fe51bc1

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe
Filesize
2.4MB

MD5
587b526d6e9f2e0375ba0f092023a35b

SHA1
d1a86048d02d9e211eea6d87820993f67f3c9f84

SHA256
e5dce39a9ee125e0d99fe289303fb59ad40ef60d7caeab4574a9fac64e3030ea

SHA512
4495e1d6a93d4ea23b8f91689a26d234868ba0948f97c1ed4caf75a84ce8fa119408fbcca19d20e71312f0f73271dd1fcac531b630b1f5a9ce8b4a70bf6ed6fd

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe
Filesize
2.4MB

MD5
587b526d6e9f2e0375ba0f092023a35b

SHA1
d1a86048d02d9e211eea6d87820993f67f3c9f84

SHA256
e5dce39a9ee125e0d99fe289303fb59ad40ef60d7caeab4574a9fac64e3030ea

SHA512
4495e1d6a93d4ea23b8f91689a26d234868ba0948f97c1ed4caf75a84ce8fa119408fbcca19d20e71312f0f73271dd1fcac531b630b1f5a9ce8b4a70bf6ed6fd

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
Filesize
2.4MB

MD5
1c4056919197a1a47be522c54c0e2765

SHA1
7ccd88b07da34821e5eab78df5d21e49222bd06b

SHA256
03db1da57422fab2306ac201389ba21345015538909fd7dc68a68bc724960c4f

SHA512
335be370b0099912d51c04fb502e686a9a8cc67d96231515ad893a1d4e0fa39cf4fd7d6244de883cbf76f8786d07905a310ee3250d48ab0cdea3a2b930ef170f

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
Filesize
2.4MB

MD5
1c4056919197a1a47be522c54c0e2765

SHA1
7ccd88b07da34821e5eab78df5d21e49222bd06b

SHA256
03db1da57422fab2306ac201389ba21345015538909fd7dc68a68bc724960c4f

SHA512
335be370b0099912d51c04fb502e686a9a8cc67d96231515ad893a1d4e0fa39cf4fd7d6244de883cbf76f8786d07905a310ee3250d48ab0cdea3a2b930ef170f

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
Filesize
2.4MB

MD5
1c4056919197a1a47be522c54c0e2765

SHA1
7ccd88b07da34821e5eab78df5d21e49222bd06b

SHA256
03db1da57422fab2306ac201389ba21345015538909fd7dc68a68bc724960c4f

SHA512
335be370b0099912d51c04fb502e686a9a8cc67d96231515ad893a1d4e0fa39cf4fd7d6244de883cbf76f8786d07905a310ee3250d48ab0cdea3a2b930ef170f

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
Filesize
859KB

MD5
ee2e70d5174a3a929f349b282320f145

SHA1
6cfb28ed085a9679c500681922d584bbad44445e

SHA256
a461be738ae78a06e0ff9d3df84c4be29f41942146a356264c799d767278dc51

SHA512
a6de7a46d770a918314d15ebe2a3779bfc6c16f54d61f57c1ad0c0a3c4120f953e7d974aa5b0cdfb340629a319a6088d50a6c8967c932bd3b57ade3cf42cbfe2

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
Filesize
859KB

MD5
ee2e70d5174a3a929f349b282320f145

SHA1
6cfb28ed085a9679c500681922d584bbad44445e

SHA256
a461be738ae78a06e0ff9d3df84c4be29f41942146a356264c799d767278dc51

SHA512
a6de7a46d770a918314d15ebe2a3779bfc6c16f54d61f57c1ad0c0a3c4120f953e7d974aa5b0cdfb340629a319a6088d50a6c8967c932bd3b57ade3cf42cbfe2

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
Filesize
859KB

MD5
ee2e70d5174a3a929f349b282320f145

SHA1
6cfb28ed085a9679c500681922d584bbad44445e

SHA256
a461be738ae78a06e0ff9d3df84c4be29f41942146a356264c799d767278dc51

SHA512
a6de7a46d770a918314d15ebe2a3779bfc6c16f54d61f57c1ad0c0a3c4120f953e7d974aa5b0cdfb340629a319a6088d50a6c8967c932bd3b57ade3cf42cbfe2

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
Filesize
1.6MB

MD5
60cc7cedd88babb661bf3305e6de4e42

SHA1
add34eefb620d6ece72d42dc07986fde1d018222

SHA256
eeb252bbc294dc47d041faa2210109698fb09d1dcab2ef8de36e8dfcc736ecb7

SHA512
8b651c80d4da9a7572e9f4e0a99822717b9b050d97db449cc313211ade4cf5b837d5a9de1aee78ba0382b93ada912ae570683f9a395046c7b280bf8683d26a96

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
Filesize
1.6MB

MD5
60cc7cedd88babb661bf3305e6de4e42

SHA1
add34eefb620d6ece72d42dc07986fde1d018222

SHA256
eeb252bbc294dc47d041faa2210109698fb09d1dcab2ef8de36e8dfcc736ecb7

SHA512
8b651c80d4da9a7572e9f4e0a99822717b9b050d97db449cc313211ade4cf5b837d5a9de1aee78ba0382b93ada912ae570683f9a395046c7b280bf8683d26a96

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
Filesize
1.6MB

MD5
60cc7cedd88babb661bf3305e6de4e42

SHA1
add34eefb620d6ece72d42dc07986fde1d018222

SHA256
eeb252bbc294dc47d041faa2210109698fb09d1dcab2ef8de36e8dfcc736ecb7

SHA512
8b651c80d4da9a7572e9f4e0a99822717b9b050d97db449cc313211ade4cf5b837d5a9de1aee78ba0382b93ada912ae570683f9a395046c7b280bf8683d26a96

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe
Filesize
3.2MB

MD5
5b6a8e12c7e0a556c312719df5d3a9be

SHA1
3f0bdcb2bda238efd25f3d7f18dd5cf11f94f7e9

SHA256
8182c39980c252ff582d95024e25053c3f3c4d24a42aaa92b0e25c03b3ad8a95

SHA512
433f5c64f02b99e1a6ee8d0e142e9977f588c7de48ae6a7db005b14673cc84405623884f8fba15428bca481c731653423ecfc08a1a27518d27f0d17b985133c2

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe
Filesize
3.2MB

MD5
5b6a8e12c7e0a556c312719df5d3a9be

SHA1
3f0bdcb2bda238efd25f3d7f18dd5cf11f94f7e9

SHA256
8182c39980c252ff582d95024e25053c3f3c4d24a42aaa92b0e25c03b3ad8a95

SHA512
433f5c64f02b99e1a6ee8d0e142e9977f588c7de48ae6a7db005b14673cc84405623884f8fba15428bca481c731653423ecfc08a1a27518d27f0d17b985133c2

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe
Filesize
3.2MB

MD5
5b6a8e12c7e0a556c312719df5d3a9be

SHA1
3f0bdcb2bda238efd25f3d7f18dd5cf11f94f7e9

SHA256
8182c39980c252ff582d95024e25053c3f3c4d24a42aaa92b0e25c03b3ad8a95

SHA512
433f5c64f02b99e1a6ee8d0e142e9977f588c7de48ae6a7db005b14673cc84405623884f8fba15428bca481c731653423ecfc08a1a27518d27f0d17b985133c2

Download Submit
memory/288-158-0x0000000000000000-mapping.dmp

Download
memory/436-79-0x0000000000000000-mapping.dmp

Download
memory/436-176-0x0000000000000000-mapping.dmp

Download
memory/540-89-0x0000000000000000-mapping.dmp

Download
memory/588-211-0x0000000000000000-mapping.dmp

Download
memory/592-213-0x0000000000000000-mapping.dmp

Download
memory/608-197-0x0000000000000000-mapping.dmp

Download
memory/608-166-0x0000000000000000-mapping.dmp

Download
memory/628-248-0x0000000000000000-mapping.dmp

Download
memory/704-250-0x0000000000000000-mapping.dmp

Download
memory/776-240-0x0000000000000000-mapping.dmp

Download
memory/792-163-0x0000000000000000-mapping.dmp

Download
memory/844-168-0x0000000000000000-mapping.dmp

Download
memory/868-187-0x0000000000000000-mapping.dmp

Download
memory/872-237-0x0000000000000000-mapping.dmp

Download
memory/900-231-0x0000000000000000-mapping.dmp

Download
memory/908-64-0x0000000000000000-mapping.dmp

Download
memory/924-115-0x0000000000000000-mapping.dmp

Download
memory/948-183-0x0000000000000000-mapping.dmp

Download
memory/952-57-0x0000000000000000-mapping.dmp

Download
memory/992-223-0x0000000000000000-mapping.dmp

Download
memory/1000-217-0x0000000000000000-mapping.dmp

Download
memory/1000-150-0x0000000000000000-mapping.dmp

Download
memory/1032-246-0x0000000000000000-mapping.dmp

Download
memory/1060-172-0x0000000000000000-mapping.dmp

Download
memory/1068-235-0x0000000000000000-mapping.dmp

Download
memory/1124-154-0x0000000000000000-mapping.dmp

Download
memory/1172-170-0x0000000000000000-mapping.dmp

Download
memory/1204-178-0x0000000000000000-mapping.dmp

Download
memory/1224-185-0x0000000000000000-mapping.dmp

Download
memory/1228-54-0x00000000751C1000-0x00000000751C3000-memory.dmp

Filesize
8KB

Download
memory/1276-244-0x0000000000000000-mapping.dmp

Download
memory/1352-85-0x0000000000000000-mapping.dmp

Download
memory/1468-191-0x0000000000000000-mapping.dmp

Download
memory/1480-108-0x0000000000000000-mapping.dmp

Download
memory/1564-225-0x0000000000000000-mapping.dmp

Download
memory/1588-258-0x0000000000000000-mapping.dmp

Download
memory/1596-181-0x0000000000000000-mapping.dmp

Download
memory/1608-193-0x0000000000000000-mapping.dmp

Download
memory/1612-195-0x0000000000000000-mapping.dmp

Download
memory/1620-102-0x0000000000000000-mapping.dmp

Download
memory/1636-160-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1636-206-0x00000000007A2000-0x00000000007A8000-memory.dmp

Filesize
24KB

Download
memory/1636-198-0x00000000007A2000-0x00000000007A8000-memory.dmp

Filesize
24KB

Download
memory/1636-200-0x00000000007A2000-0x00000000007A8000-memory.dmp

Filesize
24KB

Download
memory/1636-202-0x00000000007A2000-0x00000000007A8000-memory.dmp

Filesize
24KB

Download
memory/1636-203-0x00000000007A2000-0x00000000007A8000-memory.dmp

Filesize
24KB

Download
memory/1636-201-0x00000000007A2000-0x00000000007A8000-memory.dmp

Filesize
24KB

Download
memory/1636-204-0x00000000007A2000-0x00000000007A8000-memory.dmp

Filesize
24KB

Download
memory/1636-205-0x00000000007A2000-0x00000000007A8000-memory.dmp

Filesize
24KB

Download
memory/1636-165-0x0000000071C3D000-0x0000000071C48000-memory.dmp

Filesize
44KB

Download
memory/1636-208-0x00000000007A2000-0x00000000007A8000-memory.dmp

Filesize
24KB

Download
memory/1636-207-0x00000000007A2000-0x00000000007A8000-memory.dmp

Filesize
24KB

Download
memory/1636-209-0x00000000007A2000-0x00000000007A8000-memory.dmp

Filesize
24KB

Download
memory/1636-210-0x00000000007A2000-0x00000000007A8000-memory.dmp

Filesize
24KB

Download
memory/1636-145-0x0000000070C51000-0x0000000070C53000-memory.dmp

Filesize
8KB

Download
memory/1636-239-0x0000000071C3D000-0x0000000071C48000-memory.dmp

Filesize
44KB

Download
memory/1636-135-0x000000002FD51000-0x000000002FD54000-memory.dmp

Filesize
12KB

Download
memory/1640-161-0x0000000000000000-mapping.dmp

Download
memory/1648-146-0x0000000000000000-mapping.dmp

Download
memory/1660-256-0x0000000000000000-mapping.dmp

Download
memory/1664-174-0x0000000000000000-mapping.dmp

Download
memory/1712-229-0x0000000000000000-mapping.dmp

Download
memory/1736-221-0x0000000000000000-mapping.dmp

Download
memory/1756-215-0x0000000000000000-mapping.dmp

Download
memory/1756-148-0x0000000000000000-mapping.dmp

Download
memory/1760-97-0x0000000000000000-mapping.dmp

Download
memory/1788-132-0x0000000000000000-mapping.dmp

Download
memory/1816-262-0x0000000000000000-mapping.dmp

Download
memory/1816-156-0x0000000000000000-mapping.dmp

Download
memory/1832-124-0x0000000000000000-mapping.dmp

Download
memory/1840-227-0x0000000000000000-mapping.dmp

Download
memory/1856-189-0x0000000000000000-mapping.dmp

Download
memory/1896-233-0x0000000000000000-mapping.dmp

Download
memory/1896-254-0x0000000000000000-mapping.dmp

Download
memory/1928-252-0x0000000000000000-mapping.dmp

Download
memory/1944-242-0x0000000000000000-mapping.dmp

Download
memory/1956-69-0x0000000000000000-mapping.dmp

Download
memory/1956-139-0x0000000000000000-mapping.dmp

Download
memory/1964-219-0x0000000000000000-mapping.dmp

Download
memory/1964-152-0x0000000000000000-mapping.dmp

Download
memory/1980-260-0x0000000000000000-mapping.dmp

Download