neshta | a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc

Analysis

max time kernel
141s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
22-06-2022 12:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe
Size

3.2MB
MD5

2df68cae0c75613b9bea1c10c1519136
SHA1

71a31818afbc0bfff98a1642802665e70c194fda
SHA256

a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc
SHA512

7aad207b0af831dc8a6e55170f89329c6986d4a9931745ff105cea03768bb5c8eb07f27e03a7935188084edbc31caf83135e5c118182b053eb42ae4ac482b8e7

Score

10^/10

neshta persistence spyware stealer

Malware Config

Signatures

Detect Neshta Payload 53 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\3582-490\a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe	family_neshta
C:\Users\Admin\AppData\Local\Temp\3582-490\a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe	family_neshta
C:\Users\Admin\AppData\Local\Temp\._cache_a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe	family_neshta
C:\Users\Admin\AppData\Local\Temp\._cache_a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe	family_neshta
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE	family_neshta
C:\Windows\svchost.com	family_neshta
C:\Windows\svchost.com	family_neshta
C:\Users\Admin\AppData\Local\Temp\3582-490\._cache_a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe	family_neshta
C:\odt\OFFICE~1.EXE	family_neshta
C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe	family_neshta
C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe	family_neshta
C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE	family_neshta
C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe	family_neshta
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE	family_neshta
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE	family_neshta
C:\Windows\svchost.com	family_neshta
C:\Users\Admin\AppData\Local\Temp\3582-490\._cache__CACHE~1.EXE	family_neshta
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE	family_neshta
C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE	family_neshta
C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE	family_neshta
C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe	family_neshta
C:\PROGRA~2\Google\Update\1336~1.71\GO664E~1.EXE	family_neshta
C:\PROGRA~2\Google\Update\1336~1.71\GOBD5D~1.EXE	family_neshta
C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~2.EXE	family_neshta
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE	family_neshta
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE	family_neshta
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE	family_neshta
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE	family_neshta
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE	family_neshta
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE	family_neshta
C:\Windows\svchost.com	family_neshta
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE	family_neshta
C:\Users\Admin\AppData\Local\Temp\3582-490\._cache__CACHE~2.EXE	family_neshta
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE	family_neshta
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE	family_neshta
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE	family_neshta
C:\PROGRA~2\MICROS~1\EDGEUP~1\13157~1.61\MI391D~1.EXE	family_neshta
C:\PROGRA~2\MICROS~1\EDGEUP~1\13157~1.61\MI9C33~1.EXE	family_neshta
C:\PROGRA~2\MICROS~1\EDGEUP~1\13157~1.61\MICROS~2.EXE	family_neshta
C:\PROGRA~2\MICROS~1\EDGEUP~1\13157~1.61\MICROS~3.EXE	family_neshta
C:\PROGRA~2\MICROS~1\EDGEUP~1\MicrosoftEdgeUpdate.exe	family_neshta
C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	family_neshta
C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	family_neshta
C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE	family_neshta
C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE	family_neshta
C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	family_neshta
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE	family_neshta
C:\Users\Admin\AppData\Local\MICROS~1\OneDrive\181510~1.001\FILESY~1.EXE	family_neshta
C:\Users\Admin\AppData\Local\MICROS~1\OneDrive\ONEDRI~1.EXE	family_neshta
C:\Windows\svchost.com	family_neshta
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE	family_neshta
C:\Users\ALLUSE~1\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE	family_neshta
C:\Users\ALLUSE~1\Adobe\Setup\{AC76B~1\setup.exe	family_neshta

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta

Executes dropped EXE 64 IoCs

Processes:

a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe._cache_a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exeSynaptics.exesvchost.com_CACHE~1.EXE._cache__CACHE~1.EXEsvchost.com_CACHE~2.EXE._cache__CACHE~2.EXEsvchost.com_CACHE~1.EXE._cache__CACHE~1.EXEsvchost.com_CACHE~2.EXE._cache__CACHE~2.EXEsvchost.com_CACHE~1.EXE._cache__CACHE~1.EXEsvchost.com_CACHE~2.EXE._cache__CACHE~2.EXEsvchost.com_CACHE~1.EXE._cache__CACHE~1.EXEsvchost.com_CACHE~2.EXE._cache__CACHE~2.EXEsvchost.com_CACHE~1.EXE._cache__CACHE~1.EXEsvchost.com_CACHE~2.EXE._cache__CACHE~2.EXEsvchost.com_CACHE~1.EXE._cache__CACHE~1.EXEsvchost.com_CACHE~2.EXE._cache__CACHE~2.EXEsvchost.com_CACHE~1.EXE._cache__CACHE~1.EXEsvchost.com_CACHE~2.EXE._cache__CACHE~2.EXEsvchost.com_CACHE~1.EXE._cache__CACHE~1.EXEsvchost.com_CACHE~2.EXE._cache__CACHE~2.EXEsvchost.com_CACHE~1.EXE._cache__CACHE~1.EXEsvchost.com_CACHE~2.EXE._cache__CACHE~2.EXEsvchost.com_CACHE~1.EXE._cache__CACHE~1.EXEsvchost.com_CACHE~2.EXE._cache__CACHE~2.EXEsvchost.com

pid	process
1608	a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe
1928	._cache_a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe
792	Synaptics.exe
1740	svchost.com
1280	_CACHE~1.EXE
3104	._cache__CACHE~1.EXE
2280	svchost.com
5100	_CACHE~2.EXE
5064	._cache__CACHE~2.EXE
4560	svchost.com
1040	_CACHE~1.EXE
3484	._cache__CACHE~1.EXE
2492	svchost.com
3188	_CACHE~2.EXE
4644	._cache__CACHE~2.EXE
4948	svchost.com
2488	_CACHE~1.EXE
916	._cache__CACHE~1.EXE
1188	svchost.com
3604	_CACHE~2.EXE
2732	._cache__CACHE~2.EXE
5024	svchost.com
1336	_CACHE~1.EXE
924	._cache__CACHE~1.EXE
2512	svchost.com
1736	_CACHE~2.EXE
5068	._cache__CACHE~2.EXE
920	svchost.com
1652	_CACHE~1.EXE
3348	._cache__CACHE~1.EXE
1876	svchost.com
1660	_CACHE~2.EXE
4824	._cache__CACHE~2.EXE
364	svchost.com
4820	_CACHE~1.EXE
4384	._cache__CACHE~1.EXE
5004	svchost.com
3816	_CACHE~2.EXE
116	._cache__CACHE~2.EXE
3248	svchost.com
3536	_CACHE~1.EXE
2920	._cache__CACHE~1.EXE
4200	svchost.com
2316	_CACHE~2.EXE
1460	._cache__CACHE~2.EXE
3972	svchost.com
2320	_CACHE~1.EXE
4672	._cache__CACHE~1.EXE
3208	svchost.com
3604	_CACHE~2.EXE
3340	._cache__CACHE~2.EXE
2580	svchost.com
4764	_CACHE~1.EXE
1744	._cache__CACHE~1.EXE
1264	svchost.com
3168	_CACHE~2.EXE
1904	._cache__CACHE~2.EXE
4636	svchost.com
4204	_CACHE~1.EXE
2032	._cache__CACHE~1.EXE
1876	svchost.com
2968	_CACHE~2.EXE
2068	._cache__CACHE~2.EXE
4900	svchost.com

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

_CACHE~1.EXE._cache__CACHE~2.EXE._cache__CACHE~1.EXE._cache_a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe_CACHE~2.EXE_CACHE~2.EXE_CACHE~1.EXE._cache__CACHE~1.EXE_CACHE~2.EXE._cache__CACHE~2.EXE_CACHE~1.EXE_CACHE~2.EXE_CACHE~2.EXE._cache__CACHE~2.EXE_CACHE~1.EXE._cache__CACHE~1.EXE._cache__CACHE~1.EXE._cache__CACHE~1.EXE._cache__CACHE~1.EXE_CACHE~1.EXE_CACHE~1.EXE._cache__CACHE~2.EXE_CACHE~2.EXE_CACHE~2.EXE_CACHE~2.EXE._cache__CACHE~1.EXE._cache__CACHE~2.EXE_CACHE~2.EXE._cache__CACHE~2.EXE._cache__CACHE~1.EXE_CACHE~1.EXE._cache__CACHE~1.EXE._cache__CACHE~2.EXE_CACHE~1.EXE_CACHE~2.EXE_CACHE~1.EXE._cache__CACHE~1.EXE._cache__CACHE~1.EXE_CACHE~2.EXE._cache__CACHE~2.EXE._cache__CACHE~2.EXE._cache__CACHE~2.EXE._cache__CACHE~1.EXE_CACHE~1.EXE_CACHE~2.EXE._cache__CACHE~2.EXE_CACHE~1.EXE_CACHE~1.EXE_CACHE~1.EXE._cache__CACHE~2.EXE._cache__CACHE~1.EXE_CACHE~2.EXE._cache__CACHE~2.EXE_CACHE~2.EXE._cache__CACHE~2.EXE_CACHE~1.EXE._cache__CACHE~1.EXE._cache__CACHE~1.EXE._cache__CACHE~1.EXE_CACHE~1.EXE._cache__CACHE~2.EXE_CACHE~1.EXE._cache__CACHE~1.EXE._cache__CACHE~1.EXE

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	_CACHE~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	._cache__CACHE~2.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	._cache__CACHE~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	._cache_a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	_CACHE~2.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	_CACHE~2.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	_CACHE~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	._cache__CACHE~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	_CACHE~2.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	._cache__CACHE~2.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	_CACHE~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	_CACHE~2.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	_CACHE~2.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	._cache__CACHE~2.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	_CACHE~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	._cache__CACHE~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	._cache__CACHE~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	._cache__CACHE~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	._cache__CACHE~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	_CACHE~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	_CACHE~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	._cache__CACHE~2.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	_CACHE~2.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	_CACHE~2.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	_CACHE~2.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	._cache__CACHE~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	._cache__CACHE~2.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	_CACHE~2.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	._cache__CACHE~2.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	._cache__CACHE~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	_CACHE~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	._cache__CACHE~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	._cache__CACHE~2.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	_CACHE~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	_CACHE~2.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	_CACHE~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	._cache__CACHE~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	._cache__CACHE~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	_CACHE~2.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	._cache__CACHE~2.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	._cache__CACHE~2.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	._cache__CACHE~2.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	._cache__CACHE~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	_CACHE~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	_CACHE~2.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	._cache__CACHE~2.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	_CACHE~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	_CACHE~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	_CACHE~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	._cache__CACHE~2.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	._cache__CACHE~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	_CACHE~2.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	._cache__CACHE~2.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	_CACHE~2.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	._cache__CACHE~2.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	_CACHE~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	._cache__CACHE~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	._cache__CACHE~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	._cache__CACHE~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	_CACHE~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	._cache__CACHE~2.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	_CACHE~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	._cache__CACHE~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	._cache__CACHE~1.EXE

Loads dropped DLL 64 IoCs

Processes:

_CACHE~1.EXE_CACHE~2.EXE_CACHE~1.EXE_CACHE~2.EXE_CACHE~1.EXE_CACHE~2.EXE_CACHE~1.EXE_CACHE~2.EXE_CACHE~1.EXE_CACHE~2.EXE_CACHE~1.EXE_CACHE~2.EXE_CACHE~1.EXE_CACHE~2.EXE_CACHE~1.EXE_CACHE~2.EXE_CACHE~1.EXE_CACHE~2.EXE_CACHE~1.EXE_CACHE~2.EXE_CACHE~1.EXE_CACHE~2.EXE_CACHE~1.EXE_CACHE~2.EXE_CACHE~1.EXE_CACHE~2.EXE_CACHE~1.EXE_CACHE~2.EXE_CACHE~1.EXE_CACHE~2.EXE_CACHE~1.EXE_CACHE~2.EXE

pid	process
1040	_CACHE~1.EXE
1040	_CACHE~1.EXE
3188	_CACHE~2.EXE
3188	_CACHE~2.EXE
2488	_CACHE~1.EXE
2488	_CACHE~1.EXE
3604	_CACHE~2.EXE
3604	_CACHE~2.EXE
1336	_CACHE~1.EXE
1336	_CACHE~1.EXE
1736	_CACHE~2.EXE
1736	_CACHE~2.EXE
1652	_CACHE~1.EXE
1652	_CACHE~1.EXE
1660	_CACHE~2.EXE
1660	_CACHE~2.EXE
4820	_CACHE~1.EXE
4820	_CACHE~1.EXE
3816	_CACHE~2.EXE
3816	_CACHE~2.EXE
3536	_CACHE~1.EXE
3536	_CACHE~1.EXE
2316	_CACHE~2.EXE
2316	_CACHE~2.EXE
2320	_CACHE~1.EXE
2320	_CACHE~1.EXE
3604	_CACHE~2.EXE
3604	_CACHE~2.EXE
4764	_CACHE~1.EXE
4764	_CACHE~1.EXE
3168	_CACHE~2.EXE
3168	_CACHE~2.EXE
4204	_CACHE~1.EXE
4204	_CACHE~1.EXE
2968	_CACHE~2.EXE
2968	_CACHE~2.EXE
3724	_CACHE~1.EXE
3724	_CACHE~1.EXE
3184	_CACHE~2.EXE
3184	_CACHE~2.EXE
1520	_CACHE~1.EXE
1520	_CACHE~1.EXE
1396	_CACHE~2.EXE
1396	_CACHE~2.EXE
2868	_CACHE~1.EXE
2868	_CACHE~1.EXE
1560	_CACHE~2.EXE
1560	_CACHE~2.EXE
4316	_CACHE~1.EXE
4316	_CACHE~1.EXE
1264	_CACHE~2.EXE
1264	_CACHE~2.EXE
560	_CACHE~1.EXE
560	_CACHE~1.EXE
1900	_CACHE~2.EXE
1900	_CACHE~2.EXE
3104	_CACHE~1.EXE
3104	_CACHE~1.EXE
644	_CACHE~2.EXE
644	_CACHE~2.EXE
4108	_CACHE~1.EXE
4108	_CACHE~1.EXE
3968	_CACHE~2.EXE
3968	_CACHE~2.EXE

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe

Drops file in Program Files directory 64 IoCs

Processes:

a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe._cache_a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe

description	ioc	process
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE	a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE	a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE	a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	._cache_a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe
File opened for modification	C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe	._cache_a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE	a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE	._cache_a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE	._cache_a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE	._cache_a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\Install\{AA6B4~1\MicrosoftEdgeUpdateSetup_X86_1.3.157.61.exe	._cache_a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wabmig.exe	a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE	a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe	a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	._cache_a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE	._cache_a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe	._cache_a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	._cache_a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe
File opened for modification	C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE	a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE	._cache_a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	._cache_a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE	a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~2.EXE	a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE	._cache_a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE	._cache_a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	._cache_a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe	._cache_a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wab.exe	._cache_a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe
File opened for modification	C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe	a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe
File opened for modification	C:\PROGRA~2\WI8A19~1\ImagingDevices.exe	a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GO664E~1.EXE	a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	._cache_a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE	._cache_a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE	._cache_a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE	._cache_a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\MicrosoftEdgeUpdate.exe	._cache_a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE	a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe	._cache_a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\setup_wm.exe	._cache_a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpconfig.exe	._cache_a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe	a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wabmig.exe	._cache_a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpshare.exe	._cache_a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe
File opened for modification	C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe	a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE	a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ExtExport.exe	a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE	a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE	a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe	a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOBD5D~1.EXE	a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	._cache_a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13157~1.61\MICROS~4.EXE	._cache_a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13157~1.61\MICROS~1.EXE	a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpshare.exe	a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe
File opened for modification	C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe	._cache_a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe	a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE	a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~1.EXE	a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE	a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\Download\{F3C4F~1\13157~1.61\MICROS~1.EXE	._cache_a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe

Drops file in Windows directory 64 IoCs

Processes:

._cache__CACHE~1.EXEsvchost.comsvchost.comsvchost.com._cache__CACHE~2.EXE._cache__CACHE~2.EXEsvchost.com._cache__CACHE~1.EXE._cache__CACHE~1.EXEsvchost.com._cache__CACHE~1.EXE._cache__CACHE~1.EXEsvchost.com._cache__CACHE~1.EXE._cache__CACHE~2.EXEsvchost.comsvchost.comsvchost.com._cache__CACHE~2.EXE._cache__CACHE~1.EXE._cache__CACHE~1.EXE._cache__CACHE~1.EXE._cache__CACHE~1.EXE._cache__CACHE~1.EXE._cache__CACHE~1.EXEsvchost.com._cache__CACHE~2.EXEsvchost.com._cache__CACHE~2.EXE._cache__CACHE~1.EXEsvchost.com._cache__CACHE~1.EXE._cache__CACHE~1.EXEsvchost.comsvchost.com._cache__CACHE~2.EXEsvchost.comsvchost.comsvchost.comsvchost.comsvchost.com._cache__CACHE~1.EXEsvchost.comsvchost.com._cache__CACHE~1.EXEsvchost.comsvchost.com._cache__CACHE~1.EXEsvchost.comsvchost.comsvchost.comsvchost.com._cache__CACHE~2.EXEsvchost.com

description	ioc	process
File opened for modification	C:\Windows\svchost.com	._cache__CACHE~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	._cache__CACHE~2.EXE
File opened for modification	C:\Windows\svchost.com	._cache__CACHE~2.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	._cache__CACHE~1.EXE
File opened for modification	C:\Windows\directx.sys	._cache__CACHE~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	._cache__CACHE~1.EXE
File opened for modification	C:\Windows\svchost.com	._cache__CACHE~1.EXE
File opened for modification	C:\Windows\directx.sys	._cache__CACHE~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	._cache__CACHE~1.EXE
File opened for modification	C:\Windows\directx.sys	._cache__CACHE~2.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	._cache__CACHE~2.EXE
File opened for modification	C:\Windows\svchost.com	._cache__CACHE~1.EXE
File opened for modification	C:\Windows\svchost.com	._cache__CACHE~1.EXE
File opened for modification	C:\Windows\directx.sys	._cache__CACHE~1.EXE
File opened for modification	C:\Windows\directx.sys	._cache__CACHE~1.EXE
File opened for modification	C:\Windows\svchost.com	._cache__CACHE~1.EXE
File opened for modification	C:\Windows\svchost.com	._cache__CACHE~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	._cache__CACHE~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	._cache__CACHE~2.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	._cache__CACHE~2.EXE
File opened for modification	C:\Windows\directx.sys	._cache__CACHE~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	._cache__CACHE~1.EXE
File opened for modification	C:\Windows\directx.sys	._cache__CACHE~2.EXE
File opened for modification	C:\Windows\svchost.com	._cache__CACHE~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	._cache__CACHE~2.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	._cache__CACHE~1.EXE
File opened for modification	C:\Windows\directx.sys	._cache__CACHE~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	._cache__CACHE~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	._cache__CACHE~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	._cache__CACHE~1.EXE
File opened for modification	C:\Windows\svchost.com	._cache__CACHE~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	._cache__CACHE~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	._cache__CACHE~2.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Modifies registry class 64 IoCs

Processes:

_CACHE~2.EXE._cache__CACHE~1.EXE._cache__CACHE~1.EXE._cache__CACHE~1.EXE_CACHE~2.EXE._cache__CACHE~2.EXE._cache__CACHE~2.EXE._cache__CACHE~2.EXE_CACHE~1.EXE._cache__CACHE~1.EXE._cache__CACHE~2.EXE._cache__CACHE~1.EXE_CACHE~2.EXE_CACHE~1.EXE_CACHE~2.EXE_CACHE~1.EXE_CACHE~2.EXE._cache__CACHE~2.EXE._cache__CACHE~2.EXE_CACHE~1.EXE_CACHE~1.EXE._cache__CACHE~2.EXE_CACHE~1.EXE_CACHE~2.EXE._cache__CACHE~2.EXE_CACHE~1.EXE_CACHE~1.EXE._cache__CACHE~1.EXE._cache__CACHE~1.EXE_CACHE~2.EXE_CACHE~2.EXE_CACHE~2.EXE_CACHE~1.EXE_CACHE~1.EXE_CACHE~2.EXE_CACHE~2.EXE_CACHE~2.EXE_CACHE~1.EXE_CACHE~1.EXE._cache__CACHE~1.EXE._cache__CACHE~1.EXE_CACHE~1.EXE._cache__CACHE~2.EXE_CACHE~2.EXEa89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe_CACHE~1.EXE_CACHE~2.EXE._cache__CACHE~2.EXE_CACHE~2.EXE._cache__CACHE~1.EXE_CACHE~1.EXE_CACHE~1.EXE._cache__CACHE~1.EXE._cache__CACHE~1.EXE._cache__CACHE~2.EXE_CACHE~2.EXE._cache_a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe._cache__CACHE~1.EXE_CACHE~1.EXE._cache__CACHE~2.EXE._cache__CACHE~1.EXE_CACHE~1.EXE_CACHE~2.EXE._cache__CACHE~1.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	_CACHE~2.EXE
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings	._cache__CACHE~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings	._cache__CACHE~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings	._cache__CACHE~1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	_CACHE~2.EXE
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings	._cache__CACHE~2.EXE
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings	._cache__CACHE~2.EXE
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings	._cache__CACHE~2.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	_CACHE~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings	._cache__CACHE~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings	._cache__CACHE~2.EXE
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings	._cache__CACHE~1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	_CACHE~2.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	_CACHE~1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	_CACHE~2.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	_CACHE~1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	_CACHE~2.EXE
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings	._cache__CACHE~2.EXE
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings	._cache__CACHE~2.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	_CACHE~1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	_CACHE~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings	._cache__CACHE~2.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	_CACHE~1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	_CACHE~2.EXE
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings	._cache__CACHE~2.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	_CACHE~1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	_CACHE~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings	._cache__CACHE~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings	._cache__CACHE~1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	_CACHE~2.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	_CACHE~2.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	_CACHE~2.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	_CACHE~1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	_CACHE~1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	_CACHE~2.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	_CACHE~2.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	_CACHE~2.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	_CACHE~1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	_CACHE~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings	._cache__CACHE~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings	._cache__CACHE~1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	_CACHE~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings	._cache__CACHE~2.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	_CACHE~2.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	_CACHE~1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	_CACHE~2.EXE
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings	._cache__CACHE~2.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	_CACHE~2.EXE
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings	._cache__CACHE~1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	_CACHE~1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	_CACHE~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings	._cache__CACHE~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings	._cache__CACHE~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings	._cache__CACHE~2.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	_CACHE~2.EXE
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings	._cache_a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings	._cache__CACHE~1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	_CACHE~1.EXE
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings	._cache__CACHE~2.EXE
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings	._cache__CACHE~1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	_CACHE~1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	_CACHE~2.EXE
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings	._cache__CACHE~1.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

4596 EXCEL.EXE
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

EXCEL.EXE

pid process

4596 EXCEL.EXE
4596 EXCEL.EXE
4596 EXCEL.EXE
4596 EXCEL.EXE

pid	process
4596	EXCEL.EXE

pid	process
4596	EXCEL.EXE
4596	EXCEL.EXE
4596	EXCEL.EXE
4596	EXCEL.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exea89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe._cache_a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exesvchost.com_CACHE~1.EXE._cache__CACHE~1.EXEsvchost.com_CACHE~2.EXE._cache__CACHE~2.EXEsvchost.com_CACHE~1.EXE._cache__CACHE~1.EXEsvchost.com_CACHE~2.EXE._cache__CACHE~2.EXEsvchost.com_CACHE~1.EXE._cache__CACHE~1.EXEsvchost.com_CACHE~2.EXE._cache__CACHE~2.EXE

description	pid	process	target process
PID 4792 wrote to memory of 1608	4792	a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe	a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe
PID 4792 wrote to memory of 1608	4792	a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe	a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe
PID 4792 wrote to memory of 1608	4792	a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe	a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe
PID 1608 wrote to memory of 1928	1608	a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe	._cache_a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe
PID 1608 wrote to memory of 1928	1608	a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe	._cache_a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe
PID 1608 wrote to memory of 1928	1608	a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe	._cache_a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe
PID 1608 wrote to memory of 792	1608	a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe	Synaptics.exe
PID 1608 wrote to memory of 792	1608	a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe	Synaptics.exe
PID 1608 wrote to memory of 792	1608	a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe	Synaptics.exe
PID 1928 wrote to memory of 1740	1928	._cache_a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe	svchost.com
PID 1928 wrote to memory of 1740	1928	._cache_a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe	svchost.com
PID 1928 wrote to memory of 1740	1928	._cache_a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe	svchost.com
PID 1740 wrote to memory of 1280	1740	svchost.com	_CACHE~1.EXE
PID 1740 wrote to memory of 1280	1740	svchost.com	_CACHE~1.EXE
PID 1740 wrote to memory of 1280	1740	svchost.com	_CACHE~1.EXE
PID 1280 wrote to memory of 3104	1280	_CACHE~1.EXE	._cache__CACHE~1.EXE
PID 1280 wrote to memory of 3104	1280	_CACHE~1.EXE	._cache__CACHE~1.EXE
PID 1280 wrote to memory of 3104	1280	_CACHE~1.EXE	._cache__CACHE~1.EXE
PID 3104 wrote to memory of 2280	3104	._cache__CACHE~1.EXE	svchost.com
PID 3104 wrote to memory of 2280	3104	._cache__CACHE~1.EXE	svchost.com
PID 3104 wrote to memory of 2280	3104	._cache__CACHE~1.EXE	svchost.com
PID 2280 wrote to memory of 5100	2280	svchost.com	_CACHE~2.EXE
PID 2280 wrote to memory of 5100	2280	svchost.com	_CACHE~2.EXE
PID 2280 wrote to memory of 5100	2280	svchost.com	_CACHE~2.EXE
PID 5100 wrote to memory of 5064	5100	_CACHE~2.EXE	._cache__CACHE~2.EXE
PID 5100 wrote to memory of 5064	5100	_CACHE~2.EXE	._cache__CACHE~2.EXE
PID 5100 wrote to memory of 5064	5100	_CACHE~2.EXE	._cache__CACHE~2.EXE
PID 5064 wrote to memory of 4560	5064	._cache__CACHE~2.EXE	svchost.com
PID 5064 wrote to memory of 4560	5064	._cache__CACHE~2.EXE	svchost.com
PID 5064 wrote to memory of 4560	5064	._cache__CACHE~2.EXE	svchost.com
PID 4560 wrote to memory of 1040	4560	svchost.com	_CACHE~1.EXE
PID 4560 wrote to memory of 1040	4560	svchost.com	_CACHE~1.EXE
PID 4560 wrote to memory of 1040	4560	svchost.com	_CACHE~1.EXE
PID 1040 wrote to memory of 3484	1040	_CACHE~1.EXE	._cache__CACHE~1.EXE
PID 1040 wrote to memory of 3484	1040	_CACHE~1.EXE	._cache__CACHE~1.EXE
PID 1040 wrote to memory of 3484	1040	_CACHE~1.EXE	._cache__CACHE~1.EXE
PID 3484 wrote to memory of 2492	3484	._cache__CACHE~1.EXE	svchost.com
PID 3484 wrote to memory of 2492	3484	._cache__CACHE~1.EXE	svchost.com
PID 3484 wrote to memory of 2492	3484	._cache__CACHE~1.EXE	svchost.com
PID 2492 wrote to memory of 3188	2492	svchost.com	_CACHE~2.EXE
PID 2492 wrote to memory of 3188	2492	svchost.com	_CACHE~2.EXE
PID 2492 wrote to memory of 3188	2492	svchost.com	_CACHE~2.EXE
PID 3188 wrote to memory of 4644	3188	_CACHE~2.EXE	._cache__CACHE~2.EXE
PID 3188 wrote to memory of 4644	3188	_CACHE~2.EXE	._cache__CACHE~2.EXE
PID 3188 wrote to memory of 4644	3188	_CACHE~2.EXE	._cache__CACHE~2.EXE
PID 4644 wrote to memory of 4948	4644	._cache__CACHE~2.EXE	svchost.com
PID 4644 wrote to memory of 4948	4644	._cache__CACHE~2.EXE	svchost.com
PID 4644 wrote to memory of 4948	4644	._cache__CACHE~2.EXE	svchost.com
PID 4948 wrote to memory of 2488	4948	svchost.com	_CACHE~1.EXE
PID 4948 wrote to memory of 2488	4948	svchost.com	_CACHE~1.EXE
PID 4948 wrote to memory of 2488	4948	svchost.com	_CACHE~1.EXE
PID 2488 wrote to memory of 916	2488	_CACHE~1.EXE	._cache__CACHE~1.EXE
PID 2488 wrote to memory of 916	2488	_CACHE~1.EXE	._cache__CACHE~1.EXE
PID 2488 wrote to memory of 916	2488	_CACHE~1.EXE	._cache__CACHE~1.EXE
PID 916 wrote to memory of 1188	916	._cache__CACHE~1.EXE	svchost.com
PID 916 wrote to memory of 1188	916	._cache__CACHE~1.EXE	svchost.com
PID 916 wrote to memory of 1188	916	._cache__CACHE~1.EXE	svchost.com
PID 1188 wrote to memory of 3604	1188	svchost.com	_CACHE~2.EXE
PID 1188 wrote to memory of 3604	1188	svchost.com	_CACHE~2.EXE
PID 1188 wrote to memory of 3604	1188	svchost.com	_CACHE~2.EXE
PID 3604 wrote to memory of 2732	3604	_CACHE~2.EXE	._cache__CACHE~2.EXE
PID 3604 wrote to memory of 2732	3604	_CACHE~2.EXE	._cache__CACHE~2.EXE
PID 3604 wrote to memory of 2732	3604	_CACHE~2.EXE	._cache__CACHE~2.EXE
PID 2732 wrote to memory of 5024	2732	._cache__CACHE~2.EXE	svchost.com

C:\Users\Admin\AppData\Local\Temp\a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe
"C:\Users\Admin\AppData\Local\Temp\a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe"
1⤵
- Modifies system executable filetype association
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:4792

C:\Users\Admin\AppData\Local\Temp\3582-490\a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1608

C:\Users\Admin\AppData\Local\Temp\._cache_a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe
"C:\Users\Admin\AppData\Local\Temp\._cache_a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1928

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1740

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
5⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1280

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"
6⤵
- Executes dropped EXE
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3104

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE"
7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2280

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
8⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5100

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE"
9⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:5064

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"
10⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4560

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
11⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1040

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"
12⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3484

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE"
13⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2492

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
14⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3188

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE"
15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4644

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"
16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4948

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
17⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2488

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"
18⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:916

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE"
19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1188

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
20⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3604

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE"
21⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2732

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"
22⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:5024

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
23⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1336

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"
24⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
PID:924

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE"
25⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2512

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1736

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE"
27⤵
- Executes dropped EXE
- Checks computer location settings
PID:5068

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"
28⤵
- Executes dropped EXE
PID:920

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
29⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Modifies registry class
PID:1652

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"
30⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
PID:3348

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE"
31⤵
- Executes dropped EXE
PID:1876

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
32⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1660

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE"
33⤵
- Executes dropped EXE
PID:4824

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"
34⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:364

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
35⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4820

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"
36⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in Windows directory
- Modifies registry class
PID:4384

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE"
37⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:5004

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
38⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Modifies registry class
PID:3816

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE"
39⤵
- Executes dropped EXE
- Checks computer location settings
PID:116

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"
40⤵
- Executes dropped EXE
PID:3248

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
41⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Modifies registry class
PID:3536

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"
42⤵
- Executes dropped EXE
- Checks computer location settings
PID:2920

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE"
43⤵
- Executes dropped EXE
PID:4200

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
44⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Modifies registry class
PID:2316

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE"
45⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in Windows directory
- Modifies registry class
PID:1460

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"
46⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3972

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
47⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
PID:2320

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"
48⤵
- Executes dropped EXE
- Checks computer location settings
PID:4672

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE"
49⤵
- Executes dropped EXE
PID:3208

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
50⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:3604

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE"
51⤵
- Executes dropped EXE
- Drops file in Windows directory
- Modifies registry class
PID:3340

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"
52⤵
- Executes dropped EXE
PID:2580

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
53⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Modifies registry class
PID:4764

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"
54⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
PID:1744

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE"
55⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1264

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
56⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:3168

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE"
57⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1904

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"
58⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4636

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
59⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:4204

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"
60⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in Windows directory
- Modifies registry class
PID:2032

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE"
61⤵
- Executes dropped EXE
PID:1876

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
62⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2968

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE"
63⤵
- Executes dropped EXE
- Checks computer location settings
PID:2068

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"
64⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4900

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
65⤵
- Loads dropped DLL
- Modifies registry class
PID:3724

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"
66⤵
- Checks computer location settings
PID:3768

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE"
67⤵
- Drops file in Windows directory
PID:2308

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
68⤵
- Checks computer location settings
- Loads dropped DLL
- Modifies registry class
PID:3184

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE"
69⤵
- Modifies registry class
PID:2216

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"
70⤵
- Drops file in Windows directory
PID:3932

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
71⤵
- Loads dropped DLL
- Modifies registry class
PID:1520

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"
72⤵
- Checks computer location settings
- Modifies registry class
PID:2036

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE"
73⤵
PID:3880

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
74⤵
- Loads dropped DLL
PID:1396

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE"
75⤵
- Drops file in Windows directory
PID:4948

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"
76⤵
- Drops file in Windows directory
PID:3912

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
77⤵
- Checks computer location settings
- Loads dropped DLL
PID:2868

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"
78⤵
- Drops file in Windows directory
PID:3824

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE"
79⤵
- Drops file in Windows directory
PID:1760

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
80⤵
- Checks computer location settings
- Loads dropped DLL
- Modifies registry class
PID:1560

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE"
81⤵
PID:860

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"
82⤵
- Drops file in Windows directory
PID:2580

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
83⤵
- Loads dropped DLL
- Modifies registry class
PID:4316

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"
84⤵
- Drops file in Windows directory
PID:1140

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE"
85⤵
- Drops file in Windows directory
PID:5068

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
86⤵
- Checks computer location settings
- Loads dropped DLL
- Modifies registry class
PID:1264

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE"
87⤵
PID:1292

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"
88⤵
- Drops file in Windows directory
PID:1620

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
89⤵
- Checks computer location settings
- Loads dropped DLL
- Modifies registry class
PID:560

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"
90⤵
- Drops file in Windows directory
PID:3176

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE"
91⤵
- Drops file in Windows directory
PID:2676

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
92⤵
- Checks computer location settings
- Loads dropped DLL
PID:1900

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE"
93⤵
PID:4060

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"
94⤵
- Drops file in Windows directory
PID:4904

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
95⤵
- Checks computer location settings
- Loads dropped DLL
- Modifies registry class
PID:3104

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"
96⤵
- Checks computer location settings
- Drops file in Windows directory
PID:1856

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE"
97⤵
PID:4848

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
98⤵
- Checks computer location settings
- Loads dropped DLL
- Modifies registry class
PID:644

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE"
99⤵
- Drops file in Windows directory
- Modifies registry class
PID:2280

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"
100⤵
- Drops file in Windows directory
PID:4220

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
101⤵
- Loads dropped DLL
PID:4108

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"
102⤵
- Checks computer location settings
- Modifies registry class
PID:1540

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE"
103⤵
- Drops file in Windows directory
PID:228

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
104⤵
- Checks computer location settings
- Loads dropped DLL
- Modifies registry class
PID:3968

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE"
105⤵
- Modifies registry class
PID:3932

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"
106⤵
- Drops file in Windows directory
PID:2264

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
107⤵
- Checks computer location settings
- Modifies registry class
PID:5040

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"
108⤵
- Drops file in Windows directory
PID:4200

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE"
109⤵
- Drops file in Windows directory
PID:3872

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
110⤵
- Checks computer location settings
PID:636

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE"
111⤵
- Checks computer location settings
PID:3180

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"
112⤵
- Drops file in Windows directory
PID:3916

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
113⤵
- Modifies registry class
PID:1872

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"
114⤵
- Drops file in Windows directory
PID:2752

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE"
115⤵
PID:2368

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
116⤵
- Checks computer location settings
PID:3824

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE"
117⤵
- Checks computer location settings
- Modifies registry class
PID:4724

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"
118⤵
- Drops file in Windows directory
PID:1896

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
119⤵
- Checks computer location settings
PID:4760

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"
120⤵
- Checks computer location settings
- Drops file in Windows directory
- Modifies registry class
PID:4036

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE"
121⤵
PID:5048

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
122⤵
PID:1744

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE"
123⤵
- Checks computer location settings
PID:4748

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"
124⤵
PID:4632

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
125⤵
PID:3168

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"
126⤵
- Modifies registry class
PID:2672

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE"
127⤵
PID:3868

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
128⤵
- Checks computer location settings
PID:396

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE"
129⤵
- Checks computer location settings
- Drops file in Windows directory
- Modifies registry class
PID:4204

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"
130⤵
PID:1280

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
131⤵
- Checks computer location settings
- Modifies registry class
PID:2960

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"
132⤵
- Checks computer location settings
- Drops file in Windows directory
PID:2968

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE"
133⤵
PID:4904

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
134⤵
- Modifies registry class
PID:4320

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE"
135⤵
PID:4332

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"
136⤵
PID:3256

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
137⤵
- Checks computer location settings
- Modifies registry class
PID:3328

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"
138⤵
- Checks computer location settings
- Drops file in Windows directory
- Modifies registry class
PID:1348

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE"
139⤵
- Drops file in Windows directory
PID:5100

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
140⤵
PID:4220

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE"
141⤵
- Checks computer location settings
- Modifies registry class
PID:1956

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"
142⤵
PID:4268

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
143⤵
PID:392

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"
144⤵
- Checks computer location settings
- Drops file in Windows directory
- Modifies registry class
PID:3484

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE"
145⤵
- Drops file in Windows directory
PID:2384

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
146⤵
PID:1108

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE"
147⤵
- Checks computer location settings
PID:2296

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"
148⤵
PID:3880

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
149⤵
- Modifies registry class
PID:4200

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"
150⤵
- Drops file in Windows directory
PID:3692

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE"
151⤵
PID:4452

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
152⤵
- Modifies registry class
PID:4496

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE"
153⤵
- Checks computer location settings
- Modifies registry class
PID:4348

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"
154⤵
PID:1872

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
155⤵
- Checks computer location settings
PID:5028

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"
156⤵
- Drops file in Windows directory
PID:3280

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE"
157⤵
PID:1760

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
158⤵
- Checks computer location settings
- Modifies registry class
PID:4180

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE"
159⤵
- Checks computer location settings
- Modifies registry class
PID:3340

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"
160⤵
PID:860

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
161⤵
- Checks computer location settings
- Modifies registry class
PID:4592

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"
162⤵
- Checks computer location settings
- Drops file in Windows directory
- Modifies registry class
PID:3120

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE"
163⤵
- Drops file in Windows directory
PID:2248

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
164⤵
- Modifies registry class
PID:4964

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE"
165⤵
- Checks computer location settings
- Modifies registry class
PID:796

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"
166⤵
PID:4632

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
167⤵
- Modifies registry class
PID:1004

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"
168⤵
PID:4628

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE"
169⤵
PID:2872

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
170⤵
PID:2812

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE"
171⤵
PID:2032

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"
172⤵
PID:364

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
173⤵
PID:384

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"
174⤵
PID:1520

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE"
175⤵
PID:3688

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
176⤵
PID:4060

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE"
177⤵
PID:4260

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"
178⤵
PID:4900

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
179⤵
PID:1148

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"
180⤵
PID:4392

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE"
181⤵
PID:3216

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
182⤵
PID:644

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE"
183⤵
PID:3336

C:\ProgramData\Synaptics\Synaptics.exe
"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
3⤵
- Executes dropped EXE
PID:792

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4596

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Change Default File Association

T1042

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe
Filesize
9.4MB

MD5
322302633e36360a24252f6291cdfc91

SHA1
238ed62353776c646957efefc0174c545c2afa3d

SHA256
31da9632f5d25806b77b617d48da52a14afc574bbe1653120f97705284ea566c

SHA512
5a1f7c44ce7f5036bffc18ebac39e2bf70e6f35fa252617d665b26448f4c4473adfa115467b7e2d9b7068823e448f74410cdcdfef1ac1c09021e051921787373

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE
Filesize
183KB

MD5
9dfcdd1ab508b26917bb2461488d8605

SHA1
4ba6342bcf4942ade05fb12db83da89dc8c56a21

SHA256
ecd5e94da88c653e4c34b6ab325e0aca8824247b290336f75c410caa16381bc5

SHA512
1afc1b95f160333f1ff2fa14b3f22a28ae33850699c6b5498915a8b6bec1cfc40f33cb69583240aa9206bc2ea7ab14e05e071275b836502a92aa8c529fc1b137

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe
Filesize
131KB

MD5
5791075058b526842f4601c46abd59f5

SHA1
b2748f7542e2eebcd0353c3720d92bbffad8678f

SHA256
5c3ef3ec7594c040146e908014791dd15201ba58b4d70032770bb661b6a0e394

SHA512
83e303971ed64019fde9e4ba6f6e889f8fb105088490dfa7dcf579a12baff20ef491f563d132d60c7b24a4fd3cac29bd9dc974571cd162000fae8fba4e0e54fb

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE
Filesize
147KB

MD5
3b35b268659965ab93b6ee42f8193395

SHA1
8faefc346e99c9b2488f2414234c9e4740b96d88

SHA256
750824b5f75c91a6c2eeb8c5e60ae28d7a81e323d3762c8652255bfea5cba0bb

SHA512
035259a7598584ddb770db3da4e066b64dc65638501cdd8ff9f8e2646f23b76e3dfffa1fb5ed57c9bd15bb4efa3f7dd33fdc2e769e5cc195c25de0e340eb89ab

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe
Filesize
125KB

MD5
cce8964848413b49f18a44da9cb0a79b

SHA1
0b7452100d400acebb1c1887542f322a92cbd7ae

SHA256
fe44ca8d5050932851aa54c23133277e66db939501af58e5aeb7b67ec1dde7b5

SHA512
bf8fc270229d46a083ced30da6637f3ca510b0ce44624a9b21ec6aacac81666dffd41855053a936aa9e8ea6e745a09b820b506ec7bf1173b6f1837828a35103d

Download Submit
C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE
Filesize
494KB

MD5
3ad3461ef1d630f38ed3749838bbedc3

SHA1
8d85b0b392ae75c5d0b004ee9cf5a7b80b1b79e6

SHA256
32be2bca2b848da78c02140a288f1bb771cb66757f90d20126b1bcfd5bb40e62

SHA512
0e95e5181eab14d5820a3a4952018ac9b290fa3b17add8a5e13d893052f1d2a90a2323c62843f6a9e9af00f27e00108b60e0bce2f848e0a4d8ce0cce153db1ba

Download Submit
C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe
Filesize
942KB

MD5
2d3cc5612a414f556f925a3c1cb6a1d6

SHA1
0fee45317280ed326e941cc2d0df848c4e74e894

SHA256
fe46de1265b6fe2e316aca33d7f7f45c6ffdf7c49a044b464fd9dc88ec92091b

SHA512
cc49b200adf92a915da6f9b73417543d4dcc77414e0c4bd2ce3bfdfc5d151e0b28249f8d64f6b7087cf8c3bab6aeeab5b152ac6199cb7cc63e64a66b4f03a9f5

Download Submit
C:\PROGRA~2\Google\Update\1336~1.71\GO664E~1.EXE
Filesize
138KB

MD5
950000c930454e0c30644f13ed60e9c3

SHA1
5f6b06e8a02e1390e7499722b277135b4950723d

SHA256
09786f64db91266470b56046098d9825253ba5d6a5361c2f4e6dbc8ec28c9bb2

SHA512
22e3c677c83c755e53a7bf8735734541223f57151d588c3380bc758e5433b706441666d0d95c42bd23a720b093a6942a62346dab24ee3f0a18bee3e5ad1cd9d9

Download Submit
C:\PROGRA~2\Google\Update\1336~1.71\GOBD5D~1.EXE
Filesize
217KB

MD5
ad0efa1df844814c2e8ddc188cb0e3b5

SHA1
b1a8a09f2223aab8b8e3e9bc0e58cc83d402f8ab

SHA256
c87fd5b223cb6dc716815b442b4964d4670a30b5c79f4fb9f1c3a65ec9072e5a

SHA512
532cc173d9ef27098ff10b6b652c64231b4a14f99df3b5de2eb1423370c19590e2a6032023d3ed02e2080f2f087b620ebbbd079e4a47a584ef11f3eaa0eb8520

Download Submit
C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~2.EXE
Filesize
251KB

MD5
33cb4562e84c8bbbc8184b961e2e49ee

SHA1
d6549a52911eaeebcceb5bc39d71272d3b8f5111

SHA256
1f455ea6bab09377e5fdfbd5df102f79c5cbbb5fe5ce456f2fbb34f94ec848bb

SHA512
0b638a6e86816ba5d83de5fc381c85371f2f4fe0a2fdff40141859a42e255a082903e5692a49ef253265a42ec99924e5a0aa150cb7ed6cd5521f42f6c9fe27a9

Download Submit
C:\PROGRA~2\MICROS~1\EDGEUP~1\13157~1.61\MI391D~1.EXE
Filesize
138KB

MD5
26eb9940d3b1cf551683b6ec381c5360

SHA1
efd88e94913681e4fe0354ba4db3384a1528c6ca

SHA256
6ad8ead4ee578408e834aa8488bbd0d0dc1680065deca5a6259ed7ab55023163

SHA512
6c889006b5924d5f4c69e67d17acaa5fad28cdee6d5bf7e97c1d00789ca1086d4c4ff4cd440223cd2ef4410aaf5552ffa290088b89f1a8b1fecb944ecb174529

Download Submit
C:\PROGRA~2\MICROS~1\EDGEUP~1\13157~1.61\MI9C33~1.EXE
Filesize
138KB

MD5
5d148fcec5d7db587269d9401f06220c

SHA1
3f3af9940bd548ad9449280b49a031d9615a4bdf

SHA256
b7c3c79145dfde8c85b9e88e25dd5052f4241ec32c054dc2558a07a7fc330b9c

SHA512
be0efde6e31851481b61f62a46457cb06b084a8dd400d78dc85cc4e27fa9476e1825a630aa64d871a77e92b06ec4f3423ed37e6d0c9a54260ec38cc80c37d4c8

Download Submit
C:\PROGRA~2\MICROS~1\EDGEUP~1\13157~1.61\MICROS~2.EXE
Filesize
287KB

MD5
748fc9c2ffb9200f05fe163041cb3fac

SHA1
6f654ec414f855d67dfdfcfc029cec4a0cd40186

SHA256
2ef40c8797547f8411e4428edfcd90ba0ba499a183632d1d87acada5a9968bb9

SHA512
5c525020645b41290d4fc3a5959fd24fa17abb92c67cd1ac1324c5d1627d4cc52722af4b767328c9d43ce2c43d7016676c864a9a31ba07d131c23428832d2914

Download Submit
C:\PROGRA~2\MICROS~1\EDGEUP~1\13157~1.61\MICROS~3.EXE
Filesize
244KB

MD5
d36d29fce977e2a4df731d36a2ecfe82

SHA1
2efedf15318b0f6b176b2afbed7d981991ab33b5

SHA256
63f61df4f82596933c92001d9716a3f76ce9e36ad50ff32b8db400cda430a14c

SHA512
5e7ab07afead7743f6727ba04e82fe9d9ea0d4013e2f6ff31c2019799d20f9bfafff9894648e3b4c18dfaf4b693e421443def0d27dcf7156dcc533cc92fc6c32

Download Submit
C:\PROGRA~2\MICROS~1\EDGEUP~1\MicrosoftEdgeUpdate.exe
Filesize
250KB

MD5
5d656c152b22ddd4f875306ca928243a

SHA1
177ff847aa898afa1b786077ae87b5ae0c7687c7

SHA256
4d87b0eb331443b473c90650d31b893d00373ff88dcbcb3747f494407799af69

SHA512
d5e50ee909ea06e69fc0d9999c6d142f9154e6f63462312b4e950cf6e26a7d395dbb50c8e2a8c4f4e1cfb7b2c6ae8ad19e3b7c204c20e7557daa1a0deb454160

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE
Filesize
509KB

MD5
7c73e01bd682dc67ef2fbb679be99866

SHA1
ad3834bd9f95f8bf64eb5be0a610427940407117

SHA256
da333c92fdfd2e8092f5b56686b94f713f8fa27ef8f333e7222259ad1eb08f5d

SHA512
b2f3398e486cde482cb6bea18f4e5312fa2db7382ca25cea17bcba5ab1ff0e891d59328bc567641a9da05caca4d7c61dc102289d46e7135f947ce6155e295711

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE
Filesize
178KB

MD5
dade08ddaac4b11179c9e93e082c7f6c

SHA1
43f696aa351b7acd936183be1ceac422ff38c5c7

SHA256
b73d3eb495ccd1fa156b8ff202a7386033f6ee235e186197f9731ff506345076

SHA512
6a86ab50fa5ae38723819be8a435af47570a793e3b8c9c9d7908ceeef4d33ecf040b633cb9d4425c2197234027a8789b99827d75f07c427276c8c602b0a41b3e

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE
Filesize
1.6MB

MD5
41b1e87b538616c6020369134cbce857

SHA1
a255c7fef7ba2fc1a7c45d992270d5af023c5f67

SHA256
08465cc139ee50a7497f8c842f74730d3a8f1a73c0b7caca95e9e6d37d3beed3

SHA512
3a354d3577b45f6736203d5a35a2d1d543da2d1e268cefeffe6bdb723ff63c720ceb2838701144f5fec611470d77649846e0fb4770d6439f321f6b819f03e4db

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE
Filesize
1.1MB

MD5
301d7f5daa3b48c83df5f6b35de99982

SHA1
17e68d91f3ec1eabde1451351cc690a1978d2cd4

SHA256
abe398284d90be5e5e78f98654b88664e2e14478f7eb3f55c5fd1c1bcf1bebee

SHA512
4a72a24dec461d116fe8324c651913273ccaa50cb036ccdacb3ae300e417cf4a64aa458869b8d2f3b4c298c59977437d11b241d08b391a481c3226954bba22e4

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE
Filesize
1.1MB

MD5
5c78384d8eb1f6cb8cb23d515cfe7c98

SHA1
b732ab6c3fbf2ded8a4d6c8962554d119f59082e

SHA256
9abd7f0aa942ee6b263cdc4b32a4110ddb95e43ad411190f0ea48c0064884564

SHA512
99324af5f8fb70a9d01f97d845a4c6999053d6567ba5b80830a843a1634b02eaf3c0c04ced924cf1b1be9b4d1dbbcb95538385f7f85ad84d3eaaa6dcdebcc8a6

Download Submit
C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE
Filesize
279KB

MD5
f2056a3543ba9b6b6dde4346614b7f82

SHA1
139129616c3a9025a5cb16f9ad69018246bd9e2d

SHA256
2bab7d64d5327ca21ffd13df88b30431d0b8c0dd6cad8f4bb4db33eeb2b37d1e

SHA512
e11d1c65e046a0a6817cec4d17df1b7f5849fdb5b95527fdef78f0c433294fd2186037116a581ec3a66b07f1ab75cd8e60e408005cd64bc5eacc61a582da0942

Download Submit
C:\PROGRA~2\MOZILL~1\UNINST~1.EXE
Filesize
129KB

MD5
e7d2d4bedb99f13e7be8338171e56dbf

SHA1
8dafd75ae2c13d99e5ef8c0e9362a445536c31b5

SHA256
c8ef54853df3a3b64aa4b1ecfb91615d616c7ff998589e5a3434118611ad2a24

SHA512
2017dea799cc03b02a17e3616fb6fbe8c86ab2450b1aaf147fce1e67cc472ded12befd686d395386ffdaa992145996eb421d61d3a922cea45e94ac40eef76adc

Download Submit
C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE
Filesize
714KB

MD5
e19544c111fefa491cfe53b99f8bebc2

SHA1
a05e096689dd82751ccd0a4eec0db54a5f972830

SHA256
82a14caee30a4f86dd143015fc852220a36cc96cdbb9f65aaca87d80f2c43762

SHA512
0f017e3aeea8de42195687c2745b9eccc174e6430149edf22a8f4b5fc24e7881654ba7c55ed2327b9c710787dffa3c438c0d99b06e7e12f6126bc3e86392d4db

Download Submit
C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE
Filesize
495KB

MD5
9597098cfbc45fae685d9480d135ed13

SHA1
84401f03a7942a7e4fcd26e4414b227edd9b0f09

SHA256
45966655baaed42df92cd6d8094b4172c0e7a0320528b59cf63fca7c25d66e9c

SHA512
16afbdffe4b4b2e54b4cc96fe74e49ca367dea50752321ddf334756519812ba8ce147ef5459e421dc42e103bc3456aab1d185588cc86b35fa2315ac86b2a0164

Download Submit
C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE
Filesize
495KB

MD5
07e194ce831b1846111eb6c8b176c86e

SHA1
b9c83ec3b0949cb661878fb1a8b43a073e15baf1

SHA256
d882f673ddf40a7ea6d89ce25e4ee55d94a5ef0b5403aa8d86656fd960d0e4ac

SHA512
55f9b6d3199aa60d836b6792ae55731236fb2a99c79ce8522e07e579c64eabb88fa413c02632deb87a361dd8490361aa1424beed2e01ba28be220f8c676a1bb5

Download Submit
C:\ProgramData\Synaptics\Synaptics.exe
Filesize
753KB

MD5
7a2469fb379933efb249d02662edae71

SHA1
2ce7fa489db984fffeaaf79e02582c6ac879e440

SHA256
7b6a0941706a341f69707f1c6d8d274a5590f844fa606766317bc7d41c8979e2

SHA512
16d60874e897817ce55611678f316d42920a6a5de2534419a5b9e57be49f483aa8fb8da81e8e06238c579e55f5d33806563284d34ada1b6e8e49987d8dc259c4

Download Submit
C:\ProgramData\Synaptics\Synaptics.exe
Filesize
753KB

MD5
7a2469fb379933efb249d02662edae71

SHA1
2ce7fa489db984fffeaaf79e02582c6ac879e440

SHA256
7b6a0941706a341f69707f1c6d8d274a5590f844fa606766317bc7d41c8979e2

SHA512
16d60874e897817ce55611678f316d42920a6a5de2534419a5b9e57be49f483aa8fb8da81e8e06238c579e55f5d33806563284d34ada1b6e8e49987d8dc259c4

Download Submit
C:\Users\ALLUSE~1\Adobe\Setup\{AC76B~1\setup.exe
Filesize
534KB

MD5
8a403bc371b84920c641afa3cf9fef2f

SHA1
d6c9d38f3e571b54132dd7ee31a169c683abfd63

SHA256
614a701b90739e7dbf66b14fbdb6854394290030cc87bbcb3f47e1c45d1f06c3

SHA512
b376ef1f49b793a8cd8b7af587f538cf87cb2fffa70fc144e1d1b7e2e8e365ba4ad0568321a0b1c04e69b4b8b694d77e812597a66be1c59eda626cbf132e2c72

Download Submit
C:\Users\ALLUSE~1\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE
Filesize
6.7MB

MD5
63dc05e27a0b43bf25f151751b481b8c

SHA1
b20321483dac62bce0aa0cef1d193d247747e189

SHA256
7d607fb69c69a72a5bf4305599279f46318312ce1082b6a34ac9100b8c7762ce

SHA512
374d705704d456cc5f9f79b7f465f6ec7c775dc43001c840e9d6efbbdef20926ed1fa97f8a9b1e73161e17f72520b96c05fa58ac86b3945208b405f9166e7ba3

Download Submit
C:\Users\Admin\AppData\Local\MICROS~1\OneDrive\181510~1.001\FILESY~1.EXE
Filesize
293KB

MD5
f3228c24035b3f54f78bb4fd11c36aeb

SHA1
2fe73d1f64575bc4abf1d47a9dddfe7e2d9c9cbb

SHA256
d2767c9c52835f19f6695c604081bf03cdd772a3731cd2e320d9db5e477d8af7

SHA512
b526c63338d9167060bc40ffa1d13a8c2e871f46680cd4a0efc2333d9f15bf21ae75af45f8932de857678c5bf785011a28862ce7879f4bffdb9753c8bc2c19b5

Download Submit
C:\Users\Admin\AppData\Local\MICROS~1\OneDrive\ONEDRI~1.EXE
Filesize
2.4MB

MD5
1319acbba64ecbcd5e3f16fc3acd693c

SHA1
f5d64f97194846bd0564d20ee290d35dd3df40b0

SHA256
8c6f9493c2045bb7c08630cf3709a63e221001f04289b311efb259de3eb76bce

SHA512
abbbb0abfff1698e2d3c4d27d84421b90abba1238b45884b82ace20d11ddfdd92bf206519fc01714235fb840258bb1c647c544b9a19d36f155bf3224916805b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
Filesize
1.7MB

MD5
d1a0b7695a30f65f9b8bd50fffa019b9

SHA1
85a398baa5b4422195e8bb0aad2e64125d5407c7

SHA256
91994ed0a582b837d66e5f957150e3981ec94b1a1645a94c3475b57f45dd7835

SHA512
ae3ecbb14a9128008df00866b34405f5bc793c0a030d42c995187b02cf44dd65fcf6e548e8a6bd4db34ef46b6bc0e82d837e858210f1d884d98ac53e5eae894b

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
Filesize
1.7MB

MD5
d1a0b7695a30f65f9b8bd50fffa019b9

SHA1
85a398baa5b4422195e8bb0aad2e64125d5407c7

SHA256
91994ed0a582b837d66e5f957150e3981ec94b1a1645a94c3475b57f45dd7835

SHA512
ae3ecbb14a9128008df00866b34405f5bc793c0a030d42c995187b02cf44dd65fcf6e548e8a6bd4db34ef46b6bc0e82d837e858210f1d884d98ac53e5eae894b

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
Filesize
1.7MB

MD5
d1a0b7695a30f65f9b8bd50fffa019b9

SHA1
85a398baa5b4422195e8bb0aad2e64125d5407c7

SHA256
91994ed0a582b837d66e5f957150e3981ec94b1a1645a94c3475b57f45dd7835

SHA512
ae3ecbb14a9128008df00866b34405f5bc793c0a030d42c995187b02cf44dd65fcf6e548e8a6bd4db34ef46b6bc0e82d837e858210f1d884d98ac53e5eae894b

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
Filesize
1.7MB

MD5
d1a0b7695a30f65f9b8bd50fffa019b9

SHA1
85a398baa5b4422195e8bb0aad2e64125d5407c7

SHA256
91994ed0a582b837d66e5f957150e3981ec94b1a1645a94c3475b57f45dd7835

SHA512
ae3ecbb14a9128008df00866b34405f5bc793c0a030d42c995187b02cf44dd65fcf6e548e8a6bd4db34ef46b6bc0e82d837e858210f1d884d98ac53e5eae894b

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
Filesize
1.7MB

MD5
d1a0b7695a30f65f9b8bd50fffa019b9

SHA1
85a398baa5b4422195e8bb0aad2e64125d5407c7

SHA256
91994ed0a582b837d66e5f957150e3981ec94b1a1645a94c3475b57f45dd7835

SHA512
ae3ecbb14a9128008df00866b34405f5bc793c0a030d42c995187b02cf44dd65fcf6e548e8a6bd4db34ef46b6bc0e82d837e858210f1d884d98ac53e5eae894b

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
Filesize
899KB

MD5
a62a30e87f89044cc4695871713fb0dd

SHA1
6c06f3dc150dc769ca6ba33b0b9ac8590d2980a5

SHA256
37e14c7fce8d2b2e2226b7abc489617d1ad1d0ee79ccc83afbfd784e28a737be

SHA512
34237c5c163358234b8e9eb18a23ae73cca054f624fe22fdfc3551dc8fc261b2dd5035160ffdbe4ab2b669128ccf9d1ae2501dc75eebc8dbd66571528fe51bc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
Filesize
899KB

MD5
a62a30e87f89044cc4695871713fb0dd

SHA1
6c06f3dc150dc769ca6ba33b0b9ac8590d2980a5

SHA256
37e14c7fce8d2b2e2226b7abc489617d1ad1d0ee79ccc83afbfd784e28a737be

SHA512
34237c5c163358234b8e9eb18a23ae73cca054f624fe22fdfc3551dc8fc261b2dd5035160ffdbe4ab2b669128ccf9d1ae2501dc75eebc8dbd66571528fe51bc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe
Filesize
2.4MB

MD5
587b526d6e9f2e0375ba0f092023a35b

SHA1
d1a86048d02d9e211eea6d87820993f67f3c9f84

SHA256
e5dce39a9ee125e0d99fe289303fb59ad40ef60d7caeab4574a9fac64e3030ea

SHA512
4495e1d6a93d4ea23b8f91689a26d234868ba0948f97c1ed4caf75a84ce8fa119408fbcca19d20e71312f0f73271dd1fcac531b630b1f5a9ce8b4a70bf6ed6fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe
Filesize
2.4MB

MD5
587b526d6e9f2e0375ba0f092023a35b

SHA1
d1a86048d02d9e211eea6d87820993f67f3c9f84

SHA256
e5dce39a9ee125e0d99fe289303fb59ad40ef60d7caeab4574a9fac64e3030ea

SHA512
4495e1d6a93d4ea23b8f91689a26d234868ba0948f97c1ed4caf75a84ce8fa119408fbcca19d20e71312f0f73271dd1fcac531b630b1f5a9ce8b4a70bf6ed6fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\._cache__CACHE~1.EXE
Filesize
1.6MB

MD5
60cc7cedd88babb661bf3305e6de4e42

SHA1
add34eefb620d6ece72d42dc07986fde1d018222

SHA256
eeb252bbc294dc47d041faa2210109698fb09d1dcab2ef8de36e8dfcc736ecb7

SHA512
8b651c80d4da9a7572e9f4e0a99822717b9b050d97db449cc313211ade4cf5b837d5a9de1aee78ba0382b93ada912ae570683f9a395046c7b280bf8683d26a96

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\._cache__CACHE~2.EXE
Filesize
859KB

MD5
ee2e70d5174a3a929f349b282320f145

SHA1
6cfb28ed085a9679c500681922d584bbad44445e

SHA256
a461be738ae78a06e0ff9d3df84c4be29f41942146a356264c799d767278dc51

SHA512
a6de7a46d770a918314d15ebe2a3779bfc6c16f54d61f57c1ad0c0a3c4120f953e7d974aa5b0cdfb340629a319a6088d50a6c8967c932bd3b57ade3cf42cbfe2

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\._cache_a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe
Filesize
2.4MB

MD5
1c4056919197a1a47be522c54c0e2765

SHA1
7ccd88b07da34821e5eab78df5d21e49222bd06b

SHA256
03db1da57422fab2306ac201389ba21345015538909fd7dc68a68bc724960c4f

SHA512
335be370b0099912d51c04fb502e686a9a8cc67d96231515ad893a1d4e0fa39cf4fd7d6244de883cbf76f8786d07905a310ee3250d48ab0cdea3a2b930ef170f

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
Filesize
2.4MB

MD5
1c4056919197a1a47be522c54c0e2765

SHA1
7ccd88b07da34821e5eab78df5d21e49222bd06b

SHA256
03db1da57422fab2306ac201389ba21345015538909fd7dc68a68bc724960c4f

SHA512
335be370b0099912d51c04fb502e686a9a8cc67d96231515ad893a1d4e0fa39cf4fd7d6244de883cbf76f8786d07905a310ee3250d48ab0cdea3a2b930ef170f

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
Filesize
859KB

MD5
ee2e70d5174a3a929f349b282320f145

SHA1
6cfb28ed085a9679c500681922d584bbad44445e

SHA256
a461be738ae78a06e0ff9d3df84c4be29f41942146a356264c799d767278dc51

SHA512
a6de7a46d770a918314d15ebe2a3779bfc6c16f54d61f57c1ad0c0a3c4120f953e7d974aa5b0cdfb340629a319a6088d50a6c8967c932bd3b57ade3cf42cbfe2

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
Filesize
1.6MB

MD5
60cc7cedd88babb661bf3305e6de4e42

SHA1
add34eefb620d6ece72d42dc07986fde1d018222

SHA256
eeb252bbc294dc47d041faa2210109698fb09d1dcab2ef8de36e8dfcc736ecb7

SHA512
8b651c80d4da9a7572e9f4e0a99822717b9b050d97db449cc313211ade4cf5b837d5a9de1aee78ba0382b93ada912ae570683f9a395046c7b280bf8683d26a96

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
Filesize
1.6MB

MD5
60cc7cedd88babb661bf3305e6de4e42

SHA1
add34eefb620d6ece72d42dc07986fde1d018222

SHA256
eeb252bbc294dc47d041faa2210109698fb09d1dcab2ef8de36e8dfcc736ecb7

SHA512
8b651c80d4da9a7572e9f4e0a99822717b9b050d97db449cc313211ade4cf5b837d5a9de1aee78ba0382b93ada912ae570683f9a395046c7b280bf8683d26a96

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe
Filesize
3.2MB

MD5
5b6a8e12c7e0a556c312719df5d3a9be

SHA1
3f0bdcb2bda238efd25f3d7f18dd5cf11f94f7e9

SHA256
8182c39980c252ff582d95024e25053c3f3c4d24a42aaa92b0e25c03b3ad8a95

SHA512
433f5c64f02b99e1a6ee8d0e142e9977f588c7de48ae6a7db005b14673cc84405623884f8fba15428bca481c731653423ecfc08a1a27518d27f0d17b985133c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\a89bc4b9bd1d8f77cbba8c0c6249cb0495b1b0bb3706a1c2be5f0c54cd4691dc.exe
Filesize
3.2MB

MD5
5b6a8e12c7e0a556c312719df5d3a9be

SHA1
3f0bdcb2bda238efd25f3d7f18dd5cf11f94f7e9

SHA256
8182c39980c252ff582d95024e25053c3f3c4d24a42aaa92b0e25c03b3ad8a95

SHA512
433f5c64f02b99e1a6ee8d0e142e9977f588c7de48ae6a7db005b14673cc84405623884f8fba15428bca481c731653423ecfc08a1a27518d27f0d17b985133c2

Download Submit
C:\Windows\directx.sys
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\directx.sys
Filesize
57B

MD5
6b3bfceb3942a9508a2148acbee89007

SHA1
3622ac7466cc40f50515eb6fcdc15d1f34ad3be3

SHA256
e0a7bae2a9ac263cff5d725922e40272d8854278d901233a93a5267859c00a3c

SHA512
fa222bfcade636824af32124b45450c92b1abec7a33e6e647a9248eef5371c127d22ccb7cc5a096b4d5d52e2457f3841293a1b34304e8e5523549856ac02f224

Download Submit
C:\Windows\directx.sys
Filesize
57B

MD5
6b3bfceb3942a9508a2148acbee89007

SHA1
3622ac7466cc40f50515eb6fcdc15d1f34ad3be3

SHA256
e0a7bae2a9ac263cff5d725922e40272d8854278d901233a93a5267859c00a3c

SHA512
fa222bfcade636824af32124b45450c92b1abec7a33e6e647a9248eef5371c127d22ccb7cc5a096b4d5d52e2457f3841293a1b34304e8e5523549856ac02f224

Download Submit
C:\Windows\directx.sys
Filesize
57B

MD5
56abc40d1e45c091d8afddb90a4ce6b4

SHA1
08db549484467b32b79958700300cabefc659848

SHA256
a43fa861957415e3b0f25e2b54d931961cd309ff1d5354a9362852895b90b3e1

SHA512
51625c015a7c8fcf6fb51d3396aa08d2068772e3fcacaf32c409e82071af4ba1eb2ee94f36c06a98c32ba59d23bbaa6b540f7bd418a9472303cc225151daa698

Download Submit
C:\Windows\directx.sys
Filesize
57B

MD5
56abc40d1e45c091d8afddb90a4ce6b4

SHA1
08db549484467b32b79958700300cabefc659848

SHA256
a43fa861957415e3b0f25e2b54d931961cd309ff1d5354a9362852895b90b3e1

SHA512
51625c015a7c8fcf6fb51d3396aa08d2068772e3fcacaf32c409e82071af4ba1eb2ee94f36c06a98c32ba59d23bbaa6b540f7bd418a9472303cc225151daa698

Download Submit
C:\Windows\directx.sys
Filesize
57B

MD5
6b3bfceb3942a9508a2148acbee89007

SHA1
3622ac7466cc40f50515eb6fcdc15d1f34ad3be3

SHA256
e0a7bae2a9ac263cff5d725922e40272d8854278d901233a93a5267859c00a3c

SHA512
fa222bfcade636824af32124b45450c92b1abec7a33e6e647a9248eef5371c127d22ccb7cc5a096b4d5d52e2457f3841293a1b34304e8e5523549856ac02f224

Download Submit
C:\Windows\directx.sys
Filesize
57B

MD5
6b3bfceb3942a9508a2148acbee89007

SHA1
3622ac7466cc40f50515eb6fcdc15d1f34ad3be3

SHA256
e0a7bae2a9ac263cff5d725922e40272d8854278d901233a93a5267859c00a3c

SHA512
fa222bfcade636824af32124b45450c92b1abec7a33e6e647a9248eef5371c127d22ccb7cc5a096b4d5d52e2457f3841293a1b34304e8e5523549856ac02f224

Download Submit
C:\Windows\svchost.com
Filesize
40KB

MD5
a3c562fce85f4cc4d2fb7b71c9c8254c

SHA1
3eb744dff72d01ca8a097c2fb4eb8341d39e6088

SHA256
6eb99699d97fa257ab586ad139dc40b70ee9d6be51af7ad7be226a1b7ab84df3

SHA512
824a676a1d138c10dac37236db51440da496b50ec477d279296ef555f4a6108977315d962965826d209e707d6eb63f26766f2a1dd7a0404a5c0b6c2e9fd369bd

Download Submit
C:\Windows\svchost.com
Filesize
40KB

MD5
a3c562fce85f4cc4d2fb7b71c9c8254c

SHA1
3eb744dff72d01ca8a097c2fb4eb8341d39e6088

SHA256
6eb99699d97fa257ab586ad139dc40b70ee9d6be51af7ad7be226a1b7ab84df3

SHA512
824a676a1d138c10dac37236db51440da496b50ec477d279296ef555f4a6108977315d962965826d209e707d6eb63f26766f2a1dd7a0404a5c0b6c2e9fd369bd

Download Submit
C:\Windows\svchost.com
Filesize
40KB

MD5
a3c562fce85f4cc4d2fb7b71c9c8254c

SHA1
3eb744dff72d01ca8a097c2fb4eb8341d39e6088

SHA256
6eb99699d97fa257ab586ad139dc40b70ee9d6be51af7ad7be226a1b7ab84df3

SHA512
824a676a1d138c10dac37236db51440da496b50ec477d279296ef555f4a6108977315d962965826d209e707d6eb63f26766f2a1dd7a0404a5c0b6c2e9fd369bd

Download Submit
C:\Windows\svchost.com
Filesize
40KB

MD5
a3c562fce85f4cc4d2fb7b71c9c8254c

SHA1
3eb744dff72d01ca8a097c2fb4eb8341d39e6088

SHA256
6eb99699d97fa257ab586ad139dc40b70ee9d6be51af7ad7be226a1b7ab84df3

SHA512
824a676a1d138c10dac37236db51440da496b50ec477d279296ef555f4a6108977315d962965826d209e707d6eb63f26766f2a1dd7a0404a5c0b6c2e9fd369bd

Download Submit
C:\Windows\svchost.com
Filesize
40KB

MD5
a3c562fce85f4cc4d2fb7b71c9c8254c

SHA1
3eb744dff72d01ca8a097c2fb4eb8341d39e6088

SHA256
6eb99699d97fa257ab586ad139dc40b70ee9d6be51af7ad7be226a1b7ab84df3

SHA512
824a676a1d138c10dac37236db51440da496b50ec477d279296ef555f4a6108977315d962965826d209e707d6eb63f26766f2a1dd7a0404a5c0b6c2e9fd369bd

Download Submit
C:\odt\OFFICE~1.EXE
Filesize
5.1MB

MD5
02c3d242fe142b0eabec69211b34bc55

SHA1
ea0a4a6d6078b362f7b3a4ad1505ce49957dc16e

SHA256
2a1ed24be7e3859b46ec3ebc316789ead5f12055853f86a9656e04b4bb771842

SHA512
0efb08492eaaa2e923beddc21566e98fbbef3a102f9415ff310ec616f5c84fd2ba3a7025b05e01c0bdf37e5e2f64dfd845f9254a376144cc7d827e7577dbb099

Download Submit
memory/116-237-0x0000000000000000-mapping.dmp

Download
memory/364-232-0x0000000000000000-mapping.dmp

Download
memory/792-136-0x0000000000000000-mapping.dmp

Download
memory/916-216-0x0000000000000000-mapping.dmp

Download
memory/920-226-0x0000000000000000-mapping.dmp

Download
memory/924-222-0x0000000000000000-mapping.dmp

Download
memory/1040-186-0x0000000000000000-mapping.dmp

Download
memory/1188-217-0x0000000000000000-mapping.dmp

Download
memory/1264-253-0x0000000000000000-mapping.dmp

Download
memory/1280-145-0x0000000000000000-mapping.dmp

Download
memory/1336-221-0x0000000000000000-mapping.dmp

Download
memory/1460-243-0x0000000000000000-mapping.dmp

Download
memory/1608-130-0x0000000000000000-mapping.dmp

Download
memory/1652-227-0x0000000000000000-mapping.dmp

Download
memory/1660-230-0x0000000000000000-mapping.dmp

Download
memory/1736-224-0x0000000000000000-mapping.dmp

Download
memory/1740-137-0x0000000000000000-mapping.dmp

Download
memory/1744-252-0x0000000000000000-mapping.dmp

Download
memory/1876-259-0x0000000000000000-mapping.dmp

Download
memory/1876-229-0x0000000000000000-mapping.dmp

Download
memory/1904-255-0x0000000000000000-mapping.dmp

Download
memory/1928-133-0x0000000000000000-mapping.dmp

Download
memory/2032-258-0x0000000000000000-mapping.dmp

Download
memory/2068-261-0x0000000000000000-mapping.dmp

Download
memory/2280-159-0x0000000000000000-mapping.dmp

Download
memory/2316-242-0x0000000000000000-mapping.dmp

Download
memory/2320-245-0x0000000000000000-mapping.dmp

Download
memory/2488-215-0x0000000000000000-mapping.dmp

Download
memory/2492-205-0x0000000000000000-mapping.dmp

Download
memory/2512-223-0x0000000000000000-mapping.dmp

Download
memory/2580-250-0x0000000000000000-mapping.dmp

Download
memory/2732-219-0x0000000000000000-mapping.dmp

Download
memory/2920-240-0x0000000000000000-mapping.dmp

Download
memory/2968-260-0x0000000000000000-mapping.dmp

Download
memory/3104-151-0x0000000000000000-mapping.dmp

Download
memory/3168-254-0x0000000000000000-mapping.dmp

Download
memory/3188-210-0x0000000000000000-mapping.dmp

Download
memory/3208-247-0x0000000000000000-mapping.dmp

Download
memory/3248-238-0x0000000000000000-mapping.dmp

Download
memory/3340-249-0x0000000000000000-mapping.dmp

Download
memory/3348-228-0x0000000000000000-mapping.dmp

Download
memory/3484-201-0x0000000000000000-mapping.dmp

Download
memory/3536-239-0x0000000000000000-mapping.dmp

Download
memory/3604-218-0x0000000000000000-mapping.dmp

Download
memory/3604-248-0x0000000000000000-mapping.dmp

Download
memory/3816-236-0x0000000000000000-mapping.dmp

Download
memory/3972-244-0x0000000000000000-mapping.dmp

Download
memory/4200-241-0x0000000000000000-mapping.dmp

Download
memory/4204-257-0x0000000000000000-mapping.dmp

Download
memory/4384-234-0x0000000000000000-mapping.dmp

Download
memory/4560-180-0x0000000000000000-mapping.dmp

Download
memory/4596-169-0x00007FFC9A050000-0x00007FFC9A060000-memory.dmp

Filesize
64KB

Download
memory/4596-158-0x00007FFC9C0B0000-0x00007FFC9C0C0000-memory.dmp

Filesize
64KB

Download
memory/4596-154-0x00007FFC9C0B0000-0x00007FFC9C0C0000-memory.dmp

Filesize
64KB

Download
memory/4596-155-0x00007FFC9C0B0000-0x00007FFC9C0C0000-memory.dmp

Filesize
64KB

Download
memory/4596-156-0x00007FFC9C0B0000-0x00007FFC9C0C0000-memory.dmp

Filesize
64KB

Download
memory/4596-194-0x00007FFC9A050000-0x00007FFC9A060000-memory.dmp

Filesize
64KB

Download
memory/4596-157-0x00007FFC9C0B0000-0x00007FFC9C0C0000-memory.dmp

Filesize
64KB

Download
memory/4636-256-0x0000000000000000-mapping.dmp

Download
memory/4644-213-0x0000000000000000-mapping.dmp

Download
memory/4672-246-0x0000000000000000-mapping.dmp

Download
memory/4764-251-0x0000000000000000-mapping.dmp

Download
memory/4820-233-0x0000000000000000-mapping.dmp

Download
memory/4824-231-0x0000000000000000-mapping.dmp

Download
memory/4900-262-0x0000000000000000-mapping.dmp

Download
memory/4948-214-0x0000000000000000-mapping.dmp

Download
memory/5004-235-0x0000000000000000-mapping.dmp

Download
memory/5024-220-0x0000000000000000-mapping.dmp

Download
memory/5064-177-0x0000000000000000-mapping.dmp

Download
memory/5068-225-0x0000000000000000-mapping.dmp

Download
memory/5100-164-0x0000000000000000-mapping.dmp

Download