neshta | 41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f

Analysis

max time kernel
19s
max time network
154s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
15/06/2024, 20:50

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe
Size

2.5MB
MD5

690ddd392e73000de2f1524ef21b377b
SHA1

a28425a36562a41b727440746b3a9f02e64ec517
SHA256

41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f
SHA512

19ed296326b2db53badfd1885040f67fdf3074d7876b660cb9547bd83c597b12da9153c6e62f249ecd5b54ffcbfb633f27e40989546357021229f5c05bf27dff
SSDEEP

49152:JHyjtk2MYC5GDVHyjtk2MYC5GDNHyjtk2MYC5GDBnanhn9:Jmtk2acmtk2aEmtk2aCnanhn9

Score

10^/10

neshta persistence spyware stealer

Malware Config

Signatures

Detect Neshta payload 64 IoCs

resource	yara_rule
behavioral1/files/0x0026000000014497-2.dat	family_neshta
behavioral1/files/0x0001000000010315-14.dat	family_neshta
behavioral1/files/0x00070000000147d5-20.dat	family_neshta
behavioral1/files/0x000900000001469e-39.dat	family_neshta
behavioral1/files/0x000100000001048f-40.dat	family_neshta
behavioral1/files/0x001100000001449f-46.dat	family_neshta
behavioral1/files/0x0001000000010313-43.dat	family_neshta
behavioral1/files/0x000b000000010328-41.dat	family_neshta
behavioral1/memory/1644-62-0x0000000000400000-0x0000000000674000-memory.dmp	family_neshta
behavioral1/memory/2836-65-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/files/0x0008000000015c58-83.dat	family_neshta
behavioral1/memory/2664-90-0x0000000000400000-0x00000000005AD000-memory.dmp	family_neshta
behavioral1/memory/2484-94-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/files/0x0006000000015c79-119.dat	family_neshta
behavioral1/memory/1500-126-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2148-125-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2460-149-0x0000000000400000-0x0000000000674000-memory.dmp	family_neshta
behavioral1/files/0x0006000000015c91-142.dat	family_neshta
behavioral1/memory/1416-167-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/548-173-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/1212-155-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/1484-138-0x0000000000400000-0x00000000004E7000-memory.dmp	family_neshta
behavioral1/memory/332-106-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2192-185-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/1840-225-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/592-212-0x0000000000400000-0x00000000005AD000-memory.dmp	family_neshta
behavioral1/memory/2188-233-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/288-235-0x0000000000400000-0x00000000004E7000-memory.dmp	family_neshta
behavioral1/memory/1576-250-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2536-256-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/1232-259-0x0000000000400000-0x00000000005AD000-memory.dmp	family_neshta
behavioral1/memory/2788-266-0x0000000000400000-0x00000000005AD000-memory.dmp	family_neshta
behavioral1/memory/2184-258-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2604-278-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/1896-284-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/3060-294-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2744-291-0x0000000000400000-0x00000000005AD000-memory.dmp	family_neshta
behavioral1/memory/2980-323-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2508-319-0x0000000000400000-0x00000000004E7000-memory.dmp	family_neshta
behavioral1/memory/1144-340-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2828-328-0x0000000000400000-0x00000000005AD000-memory.dmp	family_neshta
behavioral1/memory/1588-341-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2992-347-0x0000000000400000-0x00000000005AD000-memory.dmp	family_neshta
behavioral1/memory/1176-348-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2568-349-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2320-350-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/640-353-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/1476-359-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/1908-362-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2960-377-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/632-381-0x0000000000400000-0x00000000005AD000-memory.dmp	family_neshta
behavioral1/memory/1612-387-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2256-388-0x0000000000400000-0x00000000005AD000-memory.dmp	family_neshta
behavioral1/memory/1300-399-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/1132-405-0x0000000000400000-0x00000000004E7000-memory.dmp	family_neshta
behavioral1/memory/268-411-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/764-409-0x0000000000400000-0x00000000004E7000-memory.dmp	family_neshta
behavioral1/memory/1952-417-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/1604-426-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2572-427-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/3040-428-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2740-434-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2568-436-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/1176-435-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta

Executes dropped EXE 59 IoCs

pid	Process
1644	41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe
2568	._cache_41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe
2836	svchost.com
2664	_CACHE~1.EXE
2460	Synaptics.exe
332	._cache_Synaptics.exe
2484	._cache__CACHE~1.EXE
1500	svchost.com
2148	svchost.com
592	_CACHE~2.EXE
1484	_CACHE~3.EXE
1416	._cache__CACHE~3.EXE
1212	._cache__CACHE~2.EXE
2192	svchost.com
548	svchost.com
1776	_CACHE~4.EXE
288	_CCC23~1.EXE
1840	._cache__CCC23~1.EXE
1232	Synaptics.exe
2188	svchost.com
236	_CACHE~1.EXE
2788	Synaptics.exe
1288	Process not Found
1576	._cache_Synaptics.exe
2536	svchost.com
2744	_CACHE~2.EXE
2184	._cache_Synaptics.exe
1896	svchost.com
2604	._cache__CACHE~2.EXE
2992	_CACHE~2.EXE
3060	svchost.com
2508	_CCC23~1.EXE
2828	Synaptics.exe
2980	._cache__CCC23~1.EXE
1588	._cache__CACHE~2.EXE
1144	svchost.com
2784	Synaptics.exe
2320	svchost.com
1940	_CACHE~1.EXE
1132	_CCC23~1.EXE
632	Synaptics.exe
1908	._cache_Synaptics.exe
640	._cache__CCC23~1.EXE
1476	svchost.com
2064	_CACHE~1.EXE
2960	svchost.com
2256	_CACHE~2.EXE
1612	._cache__CACHE~2.EXE
1300	svchost.com
764	_CCC23~1.EXE
772	Synaptics.exe
268	._cache__CCC23~1.EXE
1088	Synaptics.exe
1952	svchost.com
2856	_CACHE~1.EXE
1604	._cache_Synaptics.exe
3040	._cache_Synaptics.exe
2572	svchost.com
2740	svchost.com

Loads dropped DLL 64 IoCs

pid	Process
1176	41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe
1176	41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe
1644	41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe
1644	41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe
1644	41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe
2836	svchost.com
2836	svchost.com
1644	41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe
1644	41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe
2460	Synaptics.exe
2460	Synaptics.exe
2460	Synaptics.exe
2664	_CACHE~1.EXE
2664	_CACHE~1.EXE
2664	_CACHE~1.EXE
1500	svchost.com
1500	svchost.com
2148	svchost.com
2148	svchost.com
1484	_CACHE~3.EXE
1484	_CACHE~3.EXE
1484	_CACHE~3.EXE
592	_CACHE~2.EXE
592	_CACHE~2.EXE
592	_CACHE~2.EXE
2192	svchost.com
548	svchost.com
2192	svchost.com
288	_CCC23~1.EXE
288	_CCC23~1.EXE
288	_CCC23~1.EXE
592	_CACHE~2.EXE
592	_CACHE~2.EXE
2568	._cache_41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe
1176	41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe
1232	Synaptics.exe
2188	svchost.com
288	_CCC23~1.EXE
2568	._cache_41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe
2788	Synaptics.exe
1232	Synaptics.exe
1232	Synaptics.exe
1232	Synaptics.exe
1176	41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe
2536	svchost.com
2536	svchost.com
2744	_CACHE~2.EXE
2788	Synaptics.exe
2788	Synaptics.exe
2788	Synaptics.exe
2744	_CACHE~2.EXE
2744	_CACHE~2.EXE
2744	_CACHE~2.EXE
1896	svchost.com
1896	svchost.com
2992	_CACHE~2.EXE
3060	svchost.com
3060	svchost.com
2744	_CACHE~2.EXE
2744	_CACHE~2.EXE
2508	_CCC23~1.EXE
2828	Synaptics.exe
2508	_CCC23~1.EXE
2508	_CCC23~1.EXE

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	_CCC23~1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	_CACHE~2.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	_CCC23~1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	_CACHE~2.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	_CCC23~1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	_CACHE~2.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	_CCC23~1.EXE

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\SETUPF~1\{AC76B~1\Setup.exe	41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\EQUATION\EQNEDT32.EXE	41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\ink\mip.exe	._cache_41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\wab.exe	41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE	._cache_41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	._cache_41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	._cache_41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\wab.exe	._cache_41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE	._cache_41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE	._cache_41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	._cache_41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ACCICONS.EXE	._cache_41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE	._cache_41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOF5E2~1.EXE	._cache_41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\WORDICON.EXE	._cache_41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\XLICONS.EXE	41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE	._cache_41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE	41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	._cache_41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE	._cache_41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	._cache_41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\WMPDMC.exe	41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpconfig.exe	._cache_41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmlaunch.exe	41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\TextConv\WksConv\Wkconv.exe	41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~2.EXE	._cache_41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\PPTICO.EXE	41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\WINWORD.EXE	._cache_41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\wabmig.exe	._cache_41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\setup_wm.exe	41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmlaunch.exe	._cache_41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\ImagingDevices.exe	._cache_41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\SETUPF~1\{AC76B~1\Setup.exe	._cache_41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE	._cache_41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\ODeploy.exe	._cache_41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\setup_wm.exe	._cache_41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpshare.exe	41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE	._cache_41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	._cache_41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\IECONT~1.EXE	41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\misc.exe	._cache_41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe
File opened for modification	C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE	41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\SOURCE~1\OSE.EXE	._cache_41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXE	._cache_41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE	._cache_41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE	._cache_41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe
File opened for modification	C:\PROGRA~2\WI4223~1\sidebar.exe	._cache_41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe
File opened for modification	C:\PROGRA~3\SYNAPT~1\SYNAPT~1.EXE	._cache_41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\WMPDMC.exe	._cache_41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe
File opened for modification	C:\PROGRA~2\WI4223~1\sidebar.exe	41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXE	41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE	._cache_41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~1.EXE	._cache_41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSTORE.EXE	41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\1033\ONELEV.EXE	._cache_41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXE	41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\VPREVIEW.EXE	41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\SOURCE~1\OSE.EXE	41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	._cache_41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\1033\ONELEV.EXE	41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSTORE.EXE	._cache_41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	._cache_41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\GROOVEMN.EXE	41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE	._cache_41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\svchost.com	._cache__CCC23~1.EXE
File opened for modification	C:\Windows\svchost.com	._cache__CACHE~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	._cache_Synaptics.exe
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	._cache__CACHE~3.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	._cache__CCC23~1.EXE
File opened for modification	C:\Windows\directx.sys	._cache__CACHE~2.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	._cache_Synaptics.exe
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	._cache__CCC23~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	._cache__CCC23~1.EXE
File opened for modification	C:\Windows\svchost.com	._cache_Synaptics.exe
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	._cache__CCC23~1.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe
File opened for modification	C:\Windows\svchost.com	._cache_Synaptics.exe
File opened for modification	C:\Windows\directx.sys	._cache__CACHE~2.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	._cache_Synaptics.exe
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	._cache_41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe
File opened for modification	C:\Windows\directx.sys	._cache__CACHE~2.EXE
File opened for modification	C:\Windows\svchost.com	._cache__CCC23~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	._cache_Synaptics.exe
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	._cache__CACHE~2.EXE
File opened for modification	C:\Windows\directx.sys	._cache__CCC23~1.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	._cache__CACHE~2.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	._cache__CACHE~3.EXE
File opened for modification	C:\Windows\directx.sys	._cache_Synaptics.exe
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	._cache__CACHE~2.EXE
File opened for modification	C:\Windows\directx.sys	._cache_Synaptics.exe
File opened for modification	C:\Windows\directx.sys	._cache__CACHE~1.EXE
File opened for modification	C:\Windows\svchost.com	._cache__CACHE~2.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	._cache_Synaptics.exe
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	._cache_Synaptics.exe
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	._cache_Synaptics.exe
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	._cache__CACHE~2.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
592	_CACHE~2.EXE
592	_CACHE~2.EXE
592	_CACHE~2.EXE
592	_CACHE~2.EXE
592	_CACHE~2.EXE
592	_CACHE~2.EXE
592	_CACHE~2.EXE
592	_CACHE~2.EXE
592	_CACHE~2.EXE
592	_CACHE~2.EXE
592	_CACHE~2.EXE
592	_CACHE~2.EXE
592	_CACHE~2.EXE
592	_CACHE~2.EXE
592	_CACHE~2.EXE
592	_CACHE~2.EXE
592	_CACHE~2.EXE
592	_CACHE~2.EXE
592	_CACHE~2.EXE
592	_CACHE~2.EXE
592	_CACHE~2.EXE
592	_CACHE~2.EXE
592	_CACHE~2.EXE
592	_CACHE~2.EXE
592	_CACHE~2.EXE
592	_CACHE~2.EXE
592	_CACHE~2.EXE
592	_CACHE~2.EXE
592	_CACHE~2.EXE
592	_CACHE~2.EXE
592	_CACHE~2.EXE
592	_CACHE~2.EXE
592	_CACHE~2.EXE
592	_CACHE~2.EXE
592	_CACHE~2.EXE
592	_CACHE~2.EXE
592	_CACHE~2.EXE
592	_CACHE~2.EXE
592	_CACHE~2.EXE
592	_CACHE~2.EXE
592	_CACHE~2.EXE
592	_CACHE~2.EXE
592	_CACHE~2.EXE
592	_CACHE~2.EXE
592	_CACHE~2.EXE
592	_CACHE~2.EXE
592	_CACHE~2.EXE
592	_CACHE~2.EXE
592	_CACHE~2.EXE
592	_CACHE~2.EXE
592	_CACHE~2.EXE
592	_CACHE~2.EXE
592	_CACHE~2.EXE
592	_CACHE~2.EXE
592	_CACHE~2.EXE
592	_CACHE~2.EXE
592	_CACHE~2.EXE
592	_CACHE~2.EXE
592	_CACHE~2.EXE
592	_CACHE~2.EXE
592	_CACHE~2.EXE
592	_CACHE~2.EXE
592	_CACHE~2.EXE
592	_CACHE~2.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeSystemProfilePrivilege	592	_CACHE~2.EXE
Token: SeSystemProfilePrivilege	592	_CACHE~2.EXE
Token: SeSystemProfilePrivilege	592	_CACHE~2.EXE
Token: SeSystemProfilePrivilege	592	_CACHE~2.EXE
Token: SeSystemProfilePrivilege	592	_CACHE~2.EXE
Token: SeSystemProfilePrivilege	592	_CACHE~2.EXE
Token: SeSystemProfilePrivilege	592	_CACHE~2.EXE
Token: SeSystemProfilePrivilege	592	_CACHE~2.EXE
Token: SeSystemProfilePrivilege	592	_CACHE~2.EXE
Token: SeSystemProfilePrivilege	592	_CACHE~2.EXE
Token: SeSystemProfilePrivilege	592	_CACHE~2.EXE
Token: SeSystemProfilePrivilege	592	_CACHE~2.EXE
Token: SeSystemProfilePrivilege	592	_CACHE~2.EXE
Token: SeSystemProfilePrivilege	592	_CACHE~2.EXE
Token: SeSystemProfilePrivilege	592	_CACHE~2.EXE
Token: SeSystemProfilePrivilege	592	_CACHE~2.EXE
Token: SeSystemProfilePrivilege	592	_CACHE~2.EXE
Token: SeSystemProfilePrivilege	592	_CACHE~2.EXE
Token: SeSystemProfilePrivilege	592	_CACHE~2.EXE
Token: SeSystemProfilePrivilege	592	_CACHE~2.EXE
Token: SeSystemProfilePrivilege	592	_CACHE~2.EXE
Token: SeSystemProfilePrivilege	592	_CACHE~2.EXE
Token: SeSystemProfilePrivilege	592	_CACHE~2.EXE
Token: SeSystemProfilePrivilege	592	_CACHE~2.EXE
Token: SeSystemProfilePrivilege	592	_CACHE~2.EXE
Token: SeSystemProfilePrivilege	592	_CACHE~2.EXE
Token: SeSystemProfilePrivilege	592	_CACHE~2.EXE
Token: SeSystemProfilePrivilege	592	_CACHE~2.EXE
Token: SeSystemProfilePrivilege	592	_CACHE~2.EXE
Token: SeSystemProfilePrivilege	592	_CACHE~2.EXE
Token: SeSystemProfilePrivilege	592	_CACHE~2.EXE
Token: SeSystemProfilePrivilege	592	_CACHE~2.EXE
Token: SeSystemProfilePrivilege	592	_CACHE~2.EXE
Token: SeSystemProfilePrivilege	592	_CACHE~2.EXE
Token: SeSystemProfilePrivilege	592	_CACHE~2.EXE
Token: SeSystemProfilePrivilege	592	_CACHE~2.EXE
Token: SeSystemProfilePrivilege	592	_CACHE~2.EXE
Token: SeSystemProfilePrivilege	592	_CACHE~2.EXE
Token: SeSystemProfilePrivilege	592	_CACHE~2.EXE
Token: SeSystemProfilePrivilege	592	_CACHE~2.EXE
Token: SeSystemProfilePrivilege	592	_CACHE~2.EXE
Token: SeSystemProfilePrivilege	592	_CACHE~2.EXE
Token: SeSystemProfilePrivilege	592	_CACHE~2.EXE
Token: SeSystemProfilePrivilege	592	_CACHE~2.EXE
Token: SeSystemProfilePrivilege	592	_CACHE~2.EXE
Token: SeSystemProfilePrivilege	592	_CACHE~2.EXE
Token: SeSystemProfilePrivilege	592	_CACHE~2.EXE
Token: SeSystemProfilePrivilege	592	_CACHE~2.EXE
Token: SeSystemProfilePrivilege	592	_CACHE~2.EXE
Token: SeSystemProfilePrivilege	592	_CACHE~2.EXE
Token: SeSystemProfilePrivilege	592	_CACHE~2.EXE
Token: SeSystemProfilePrivilege	592	_CACHE~2.EXE
Token: SeSystemProfilePrivilege	592	_CACHE~2.EXE
Token: SeSystemProfilePrivilege	592	_CACHE~2.EXE
Token: SeSystemProfilePrivilege	592	_CACHE~2.EXE
Token: SeSystemProfilePrivilege	592	_CACHE~2.EXE
Token: SeSystemProfilePrivilege	592	_CACHE~2.EXE
Token: SeSystemProfilePrivilege	592	_CACHE~2.EXE
Token: SeSystemProfilePrivilege	592	_CACHE~2.EXE
Token: SeSystemProfilePrivilege	592	_CACHE~2.EXE
Token: SeSystemProfilePrivilege	592	_CACHE~2.EXE
Token: SeSystemProfilePrivilege	592	_CACHE~2.EXE
Token: SeSystemProfilePrivilege	592	_CACHE~2.EXE
Token: SeSystemProfilePrivilege	592	_CACHE~2.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1176 wrote to memory of 1644	1176	41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe	28
PID 1176 wrote to memory of 1644	1176	41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe	28
PID 1176 wrote to memory of 1644	1176	41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe	28
PID 1176 wrote to memory of 1644	1176	41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe	28
PID 1644 wrote to memory of 2568	1644	41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe	29
PID 1644 wrote to memory of 2568	1644	41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe	29
PID 1644 wrote to memory of 2568	1644	41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe	29
PID 1644 wrote to memory of 2568	1644	41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe	29
PID 2568 wrote to memory of 2836	2568	._cache_41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe	30
PID 2568 wrote to memory of 2836	2568	._cache_41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe	30
PID 2568 wrote to memory of 2836	2568	._cache_41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe	30
PID 2568 wrote to memory of 2836	2568	._cache_41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe	30
PID 2836 wrote to memory of 2664	2836	svchost.com	31
PID 2836 wrote to memory of 2664	2836	svchost.com	31
PID 2836 wrote to memory of 2664	2836	svchost.com	31
PID 2836 wrote to memory of 2664	2836	svchost.com	31
PID 1644 wrote to memory of 2460	1644	41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe	32
PID 1644 wrote to memory of 2460	1644	41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe	32
PID 1644 wrote to memory of 2460	1644	41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe	32
PID 1644 wrote to memory of 2460	1644	41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe	32
PID 2460 wrote to memory of 332	2460	Synaptics.exe	33
PID 2460 wrote to memory of 332	2460	Synaptics.exe	33
PID 2460 wrote to memory of 332	2460	Synaptics.exe	33
PID 2460 wrote to memory of 332	2460	Synaptics.exe	33
PID 2664 wrote to memory of 2484	2664	_CACHE~1.EXE	34
PID 2664 wrote to memory of 2484	2664	_CACHE~1.EXE	34
PID 2664 wrote to memory of 2484	2664	_CACHE~1.EXE	34
PID 2664 wrote to memory of 2484	2664	_CACHE~1.EXE	34
PID 2484 wrote to memory of 2148	2484	._cache__CACHE~1.EXE	35
PID 2484 wrote to memory of 2148	2484	._cache__CACHE~1.EXE	35
PID 2484 wrote to memory of 2148	2484	._cache__CACHE~1.EXE	35
PID 2484 wrote to memory of 2148	2484	._cache__CACHE~1.EXE	35
PID 332 wrote to memory of 1500	332	._cache_Synaptics.exe	36
PID 332 wrote to memory of 1500	332	._cache_Synaptics.exe	36
PID 332 wrote to memory of 1500	332	._cache_Synaptics.exe	36
PID 332 wrote to memory of 1500	332	._cache_Synaptics.exe	36
PID 1500 wrote to memory of 592	1500	svchost.com	37
PID 1500 wrote to memory of 592	1500	svchost.com	37
PID 1500 wrote to memory of 592	1500	svchost.com	37
PID 1500 wrote to memory of 592	1500	svchost.com	37
PID 2148 wrote to memory of 1484	2148	svchost.com	38
PID 2148 wrote to memory of 1484	2148	svchost.com	38
PID 2148 wrote to memory of 1484	2148	svchost.com	38
PID 2148 wrote to memory of 1484	2148	svchost.com	38
PID 1484 wrote to memory of 1416	1484	_CACHE~3.EXE	39
PID 1484 wrote to memory of 1416	1484	_CACHE~3.EXE	39
PID 1484 wrote to memory of 1416	1484	_CACHE~3.EXE	39
PID 1484 wrote to memory of 1416	1484	_CACHE~3.EXE	39
PID 592 wrote to memory of 1212	592	_CACHE~2.EXE	40
PID 592 wrote to memory of 1212	592	_CACHE~2.EXE	40
PID 592 wrote to memory of 1212	592	_CACHE~2.EXE	40
PID 592 wrote to memory of 1212	592	_CACHE~2.EXE	40
PID 1212 wrote to memory of 2192	1212	._cache__CACHE~2.EXE	41
PID 1212 wrote to memory of 2192	1212	._cache__CACHE~2.EXE	41
PID 1212 wrote to memory of 2192	1212	._cache__CACHE~2.EXE	41
PID 1212 wrote to memory of 2192	1212	._cache__CACHE~2.EXE	41
PID 1416 wrote to memory of 548	1416	._cache__CACHE~3.EXE	43
PID 1416 wrote to memory of 548	1416	._cache__CACHE~3.EXE	43
PID 1416 wrote to memory of 548	1416	._cache__CACHE~3.EXE	43
PID 1416 wrote to memory of 548	1416	._cache__CACHE~3.EXE	43
PID 548 wrote to memory of 1776	548	svchost.com	44
PID 548 wrote to memory of 1776	548	svchost.com	44
PID 548 wrote to memory of 1776	548	svchost.com	44
PID 548 wrote to memory of 1776	548	svchost.com	44

C:\Users\Admin\AppData\Local\Temp\41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe
"C:\Users\Admin\AppData\Local\Temp\41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe"
1⤵
- Loads dropped DLL
- Modifies system executable filetype association
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1176
- C:\Users\Admin\AppData\Local\Temp\3582-490\41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe
  "C:\Users\Admin\AppData\Local\Temp\3582-490\41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1644
- - C:\Users\Admin\AppData\Local\Temp\._cache_41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID:2568
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Windows directory
      Suspicious use of WriteProcessMemory
      PID:2836
    - - C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2664
      - C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"
        6⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:2484
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:2148
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1484
        
        C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE"
        9⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:1416
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:548
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE
        11⤵
        Executes dropped EXE
        
        PID:1776
- - C:\ProgramData\Synaptics\Synaptics.exe
    "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2460
  - - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
      "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of WriteProcessMemory
      PID:332
    - - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:1500
      - C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:592
        
        C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate
        7⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:1212
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CCC23~1.EXE" InjUpdate
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        
        PID:2192
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CCC23~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CCC23~1.EXE InjUpdate
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        
        PID:288
        
        C:\Users\Admin\AppData\Local\Temp\._cache__CCC23~1.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\._cache__CCC23~1.EXE" InjUpdate
        10⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1840
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE" InjUpdate
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        
        PID:2188
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE InjUpdate
        12⤵
        Executes dropped EXE
        
        PID:236
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2788
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        11⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2184
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        
        PID:1896
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        
        PID:2992
        
        C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate
        14⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1588
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CCC23~1.EXE" InjUpdate
        15⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2320
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CCC23~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CCC23~1.EXE InjUpdate
        16⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1132
        
        C:\Users\Admin\AppData\Local\Temp\._cache__CCC23~1.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\._cache__CCC23~1.EXE" InjUpdate
        17⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:640
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE" InjUpdate
        18⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1476
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE InjUpdate
        19⤵
        Executes dropped EXE
        
        PID:2064
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        17⤵
        Executes dropped EXE
        
        PID:772
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        18⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1604
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\._cache_Synaptics.exe" InjUpdate
        19⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2572
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        14⤵
        Executes dropped EXE
        
        PID:632
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        15⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1908
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate
        16⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2960
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate
        17⤵
        Executes dropped EXE
        
        PID:2256
        
        C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate
        18⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1612
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CCC23~1.EXE" InjUpdate
        19⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1300
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CCC23~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CCC23~1.EXE InjUpdate
        20⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:764
        
        C:\Users\Admin\AppData\Local\Temp\._cache__CCC23~1.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\._cache__CCC23~1.EXE" InjUpdate
        21⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:268
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE" InjUpdate
        22⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1952
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE InjUpdate
        23⤵
        Executes dropped EXE
        
        PID:2856
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        21⤵
        Executes dropped EXE
        
        PID:1088
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        22⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:3040
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\._cache_Synaptics.exe" InjUpdate
        23⤵
        Executes dropped EXE
        
        PID:2740
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1232
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        8⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1576
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        
        PID:2536
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        
        PID:2744
        
        C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate
        11⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2604
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CCC23~1.EXE" InjUpdate
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        
        PID:3060
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CCC23~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CCC23~1.EXE InjUpdate
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        
        PID:2508
        
        C:\Users\Admin\AppData\Local\Temp\._cache__CCC23~1.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\._cache__CCC23~1.EXE" InjUpdate
        14⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2980
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE" InjUpdate
        15⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1144
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE InjUpdate
        16⤵
        Executes dropped EXE
        
        PID:1940
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        14⤵
        Executes dropped EXE
        
        PID:2784
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2828

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -Embedding
1⤵
PID:1896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\ALLUSE~1\{90140~1\DW20.EXE

Filesize
859KB

MD5
02ee6a3424782531461fb2f10713d3c1

SHA1
b581a2c365d93ebb629e8363fd9f69afc673123f

SHA256
ead58c483cb20bcd57464f8a4929079539d634f469b213054bf737d227c026dc

SHA512
6c9272cb1b6bde3ee887e1463ab30ea76568cb1a285d11393337b78c4ad1c3b7e6ce47646a92ab6d70bff4b02ab9d699b84af9437b720e52dcd35579fe2693ec

Download Submit
C:\MSOCache\ALLUSE~1\{90140~1\dwtrig20.exe

Filesize
547KB

MD5
cf6c595d3e5e9667667af096762fd9c4

SHA1
9bb44da8d7f6457099cb56e4f7d1026963dce7ce

SHA256
593e60cc30ae0789448547195af77f550387f6648d45847ea244dd0dd7abf03d

SHA512
ff4f789df9e6a6d0fbe12b3250f951fcf11e857906c65e96a30bb46266e7e1180d6103a03db2f3764e0d1346b2de7afba8259ba080057e4a268e45e8654dfa80

Download Submit
C:\MSOCache\ALLUSE~1\{9A861~1\ose.exe

Filesize
186KB

MD5
58b58875a50a0d8b5e7be7d6ac685164

SHA1
1e0b89c1b2585c76e758e9141b846ed4477b0662

SHA256
2a0aa0763fdef9c38c5dd4d50703f0c7e27f4903c139804ec75e55f8388139ae

SHA512
d67214077162a105d01b11a8e207fab08b45b08fbfba0615a2ea146e1dd99eea35e4f02958a1754d3192292c00caf777f186f0a362e4b8b0da51fabbdb76375b

Download Submit
C:\MSOCache\ALLUSE~1\{9A861~1\setup.exe

Filesize
1.1MB

MD5
566ed4f62fdc96f175afedd811fa0370

SHA1
d4b47adc40e0d5a9391d3f6f2942d1889dd2a451

SHA256
e17cd94c08fc0e001a49f43a0801cea4625fb9aee211b6dfebebec446c21f460

SHA512
cdf8f508d396a1a0d2e0fc25f2ae46398b25039a0dafa0919737cc44e3e926ebae4c3aa26f1a3441511430f1a36241f8e61c515a5d9bd98ad4740d4d0f7b8db7

Download Submit
C:\ProgramData\Synaptics\RCX7B29.tmp

Filesize
753KB

MD5
24c43a46e3ce028d3487a991e3b5f202

SHA1
3e47a2fbcfc35f7ee787e59f5e7f578d5cb54d69

SHA256
a4d6976ec3d988f43d3960623a8513de6cc46ca54af289a7e827982a0dee3a2e

SHA512
8e17d67efb54e679115b6b0265be3b15e1dc09bfd648c20a54f2712b6915095364febaedd1ca713b87c365c3861b6e3668d31190395b9ab18bf47fb0d862deba

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE

Filesize
146KB

MD5
a006f909b0796ead9fb69b3ec0f8ea54

SHA1
b564d0eda3e9c25acdeda1ea0fff98b80c2f82cf

SHA256
4bfb8af9700edb5978c99f6d39f03424061d8a7f7cc34cc92eb0b81839f456a2

SHA512
649ef95b606f9ca16328e651686efd8a7cb0897e5ad0041629730c35a617c47396c014460e4ce50f597d0ca2a565c3bb66f7370106eb17fe3f62329916f6b342

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\._cache__CCC23~1.EXE

Filesize
105KB

MD5
89c5a593dcc807a5f846fce1708a4c1c

SHA1
ffbdda4bef05555404210e260c75eae8743e9333

SHA256
49c114e38ecd858ddad5cc6f9860f3d2eb80fb429758b4ecfc974e856fe6e377

SHA512
c1aa27a147cd95efc48bb3c08a011d83b5cf517fa3eb1d617ecb68da07c1780eff426073c7295f0964eb2fee1e6440b40b548ddfacc3a63d6f955fc39448b643

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE

Filesize
1.7MB

MD5
0b1682829f285e65ec1cca2663c91ebc

SHA1
3ea00c76951ff82d0d3d521490bde6b2b688b943

SHA256
8d98ea6e8805a668cf23cc6d74c0caf29671642cb9e764c939c4a56f6dc6e9f9

SHA512
ef4e1bb89d7a7169b7323e5ea2ae4e61b4ebbcab3d337a1b3bc0a4a035084aaa504e593ddb430b83fad2decb966688508e66fffb61d52892e5912b8b35745425

Download Submit
C:\Windows\directx.sys

Filesize
57B

MD5
6b3bfceb3942a9508a2148acbee89007

SHA1
3622ac7466cc40f50515eb6fcdc15d1f34ad3be3

SHA256
e0a7bae2a9ac263cff5d725922e40272d8854278d901233a93a5267859c00a3c

SHA512
fa222bfcade636824af32124b45450c92b1abec7a33e6e647a9248eef5371c127d22ccb7cc5a096b4d5d52e2457f3841293a1b34304e8e5523549856ac02f224

Download Submit
C:\Windows\directx.sys

Filesize
57B

MD5
b42f2603883dadf133cee3ae5d767bb2

SHA1
dc4161551044405353e870b029afff27c8030e22

SHA256
998e1546bc98d29ffccb70e81ed00a01f3dbd3015e947d1aabca4cb01775ce28

SHA512
a4c33c9b87f84b4aba84ecf8b0b2d8a90703ef8523f1d057824196e584451072ab5bbc96e0c95a319baaffd16ba7a26f940fec2e28e9228e1275c87fb061c02d

Download Submit
C:\Windows\directx.sys

Filesize
57B

MD5
8e4bd9619c227ef2bc20a2cb2aa55e7b

SHA1
a6214b7678b83c4db74b210625b4812300df3a74

SHA256
84ba3f2b07e112efaff6ee034b84db960521db9e504a4ac77a5e8e5e988d86d9

SHA512
12a6a559b89441983e9aab70f0ea17dc790bc48c7938dd573c888e33811db8fb210539ebebaa6c8f5c04971d72d037be6603de15ea3a1ffc0f5ea3dd5132b4bf

Download Submit
C:\Windows\directx.sys

Filesize
57B

MD5
56abc40d1e45c091d8afddb90a4ce6b4

SHA1
08db549484467b32b79958700300cabefc659848

SHA256
a43fa861957415e3b0f25e2b54d931961cd309ff1d5354a9362852895b90b3e1

SHA512
51625c015a7c8fcf6fb51d3396aa08d2068772e3fcacaf32c409e82071af4ba1eb2ee94f36c06a98c32ba59d23bbaa6b540f7bd418a9472303cc225151daa698

Download Submit
C:\Windows\directx.sys

Filesize
57B

MD5
92baef4d0a742dec35d64b4e3a1f128d

SHA1
f6de62e7fcd3e4887759171264033f9fa8e06a81

SHA256
7fce5bcabc98bb18bbdde889f79c028f14067fc644d781cb6967c662e6a31d94

SHA512
ba6a9bf403892d2924c0a4c7cb0c58d7a2fc9bf802b9fa0772230d7fcd7b92dd4fcab621e651ae2a349b3eae3eadacdb0395ebb849204f3d7cc858d146de3870

Download Submit
C:\Windows\directx.sys

Filesize
66B

MD5
b0bf31abfa7b64da8a3f257366eb0e01

SHA1
958444a8449749a409f0dfbfc84f65069fb4f799

SHA256
b1304d541b965969b360d5f0a4e3441d52dd1202aecb32ec32e68b82f8951f4b

SHA512
baf49da82bf90f84bcdab2e95c5d5bff9ba715c4c502ec5036f22076c65e2dcc1b10bab4b11fb97ae257ef1b4ee68240cac8a8ce8981c5d44074acb63e045f09

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
223dd32576ace5da898257671c5cdf36

SHA1
87474af22e6a24ef24de43d2e798c87bd986514c

SHA256
8d4dbd3013a493f904e0863bb55d910bbb640ef3bdc6fcbaf3c78e95fbdd5254

SHA512
aaef06b777e4b015af8843b2955af6fbc4c6c7a0630729737a76464d9a443cf673b5b583ae7cf2ea2333f81bd083cf104bb4da9add41a5da48bc4eb1bf0dbdc7

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe

Filesize
1.7MB

MD5
67fbe98e5782b545a840c12cf4c9f3db

SHA1
0bfaf468b95c34faa9e94524650f6b10ca2e0cc5

SHA256
aa060f6bf8d7572ec9f781629c70f0068bbb034e5e94596f7c9c603a0fb392a0

SHA512
66b39e78e8f67c058dd19b2ef3d136adb6f98de9f048892b7af7aaffeff337ed9e9f2371220c7e712699e653427f60ece91ad859ffecbad449d9a7e8926b9b04

Download Submit
\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE

Filesize
940KB

MD5
be5502373b174cc60bf606200c5fc7be

SHA1
de9060f4fd57a875bca3768f04052018f5c3be9e

SHA256
f13b5b39d76a83081628a53d5e53eab04600cf542bc375191ebe322ab52b15d6

SHA512
8ffa51b7e18d447867fdd4d5288bc4633ad94da6eb52e61f455abfaffd77d55d45b5533f2adb36481d8873ef5cb44959460e43105e40bc6fc99f82a93b48691f

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe

Filesize
2.4MB

MD5
e31ba8bc807ae7b8330f824bc52f3104

SHA1
21a4824bd4914eac7349f323b80a7399b6e5c199

SHA256
f364c51d99d573d88ec469944e331f00709ea67bd98be30252d4522eacb4b496

SHA512
c20dcd03fdae62ecaa4a68398521dff37aadfdfe029c1efafd104301007330c5e81e349dfb7e845eefa9cc9e9cd4d5b015063e7b9d23b410f23a36ee96a0871f

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE

Filesize
900KB

MD5
ff586f54c1196f80d8982f3826d049f7

SHA1
b401af3d06c3a37a260b53851a573332b9ac7e75

SHA256
ddceb6e5dff7a70c4f5d6df5b46ee207c624545049679004a012ceb49282be3e

SHA512
bf8bc03ffd386b1263306a6f75cb4fd404b3dda090e0fb8706a5fcdac239a9e7d1e76a83ccc5f741fc1e075c9fd2510a3b3ced20d7c59df9b6a9932b7ff894a7

Download Submit
memory/268-411-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/288-235-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/332-106-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/548-173-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/592-212-0x0000000000400000-0x00000000005AD000-memory.dmp

Filesize
1.7MB

Download
memory/632-381-0x0000000000400000-0x00000000005AD000-memory.dmp

Filesize
1.7MB

Download
memory/640-353-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/764-409-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/772-445-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/772-441-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/772-437-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/1088-438-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/1132-405-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/1144-340-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1176-443-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1176-435-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1176-348-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1176-447-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1176-439-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1212-155-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1232-259-0x0000000000400000-0x00000000005AD000-memory.dmp

Filesize
1.7MB

Download
memory/1300-399-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1416-167-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1476-359-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1484-138-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/1500-126-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1576-250-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1588-341-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1604-426-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1612-387-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1644-13-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/1644-62-0x0000000000400000-0x0000000000674000-memory.dmp

Filesize
2.5MB

Download
memory/1840-225-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1896-284-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1908-362-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1952-417-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2148-125-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2184-258-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2188-233-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2192-185-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2256-388-0x0000000000400000-0x00000000005AD000-memory.dmp

Filesize
1.7MB

Download
memory/2320-350-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2460-149-0x0000000000400000-0x0000000000674000-memory.dmp

Filesize
2.5MB

Download
memory/2484-94-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2508-319-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/2536-256-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2568-349-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2568-444-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2568-440-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2568-436-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2572-427-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2604-278-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2664-90-0x0000000000400000-0x00000000005AD000-memory.dmp

Filesize
1.7MB

Download
memory/2740-434-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2744-291-0x0000000000400000-0x00000000005AD000-memory.dmp

Filesize
1.7MB

Download
memory/2788-266-0x0000000000400000-0x00000000005AD000-memory.dmp

Filesize
1.7MB

Download
memory/2828-328-0x0000000000400000-0x00000000005AD000-memory.dmp

Filesize
1.7MB

Download
memory/2836-65-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2960-377-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2980-323-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2992-347-0x0000000000400000-0x00000000005AD000-memory.dmp

Filesize
1.7MB

Download
memory/3040-428-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3060-294-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download