Analysis
-
max time kernel
150s -
max time network
146s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system -
submitted
18-06-2024 19:05
Behavioral task
behavioral1
Sample
19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe
Resource
win10v2004-20240508-en
General
-
Target
19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe
-
Size
2.5MB
-
MD5
764f4baced7ef6823e658d10cf71b392
-
SHA1
e8c24ea84679d6cf8ed4dd1dff934edecd63fb81
-
SHA256
19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d
-
SHA512
174a27d27e358f4e9c1f6f82e694e1ed86857e7abb34a1f4ad964cc3990f6267f91ff7ea5ca4469b0ac6956f43de652a176194244f3d801789e778fbae2b4e85
-
SSDEEP
49152:6Hyjtk2MYC5GDIHyjtk2MYC5GDhEh5Cenun9:6mtk2aZmtk2aiQCenun9
Malware Config
Signatures
-
Detect Neshta payload 30 IoCs
Resources matched (yara_rule family_neshta for every entry):
C:\Users\Admin\AppData\Local\Temp\3582-490\19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe
C:\MSOCache\ALLUSE~1\{90140~1\dwtrig20.exe
\Users\Admin\AppData\Local\Temp\._cache_19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe
C:\MSOCache\ALLUSE~1\{90140~1\DW20.EXE
C:\MSOCache\ALLUSE~1\{9A861~1\setup.exe
C:\MSOCache\ALLUSE~1\{9A861~1\ose.exe
C:\Windows\svchost.com
behavioral1/memory/1140-54-0x0000000000400000-0x000000000041B000-memory.dmp
C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE
C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe
behavioral1/memory/2164-82-0x0000000000400000-0x0000000000680000-memory.dmp
C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE
C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE
behavioral1/memory/1512-133-0x0000000000400000-0x000000000041B000-memory.dmp
C:\PROGRA~2\MICROS~1\Office14\INFOPATH.EXE
behavioral1/memory/2308-154-0x0000000000400000-0x000000000041B000-memory.dmp
C:\PROGRA~2\MICROS~1\Office14\VPREVIEW.EXE
C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE
behavioral1/memory/2572-180-0x0000000000400000-0x0000000000680000-memory.dmp
C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE
C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE
C:\Users\ALLUSE~1\PACKAG~1\{61087~1\VCREDI~1.EXE
C:\Users\ALLUSE~1\PACKAG~1\{4D8DC~1\VC_RED~1.EXE
C:\Users\ALLUSE~1\PACKAG~1\{33D1F~1\VCREDI~1.EXE
behavioral1/memory/2296-217-0x0000000000400000-0x000000000041B000-memory.dmp
behavioral1/memory/2992-223-0x0000000000400000-0x000000000041B000-memory.dmp
behavioral1/memory/1928-243-0x0000000000400000-0x000000000041B000-memory.dmp
behavioral1/memory/2932-244-0x0000000000400000-0x000000000041B000-memory.dmp
behavioral1/memory/2932-250-0x0000000000400000-0x000000000041B000-memory.dmp
behavioral1/memory/1928-248-0x0000000000400000-0x000000000041B000-memory.dmp
-
Neshta
Neshta is a file-infecting virus. It copies its loader to C:\Windows\svchost.com, hijacks the exefile shell association so that loader runs ahead of every .exe the shell starts, and writes its code into other executables on the host (here Office, Adobe Reader, Google Update and Visual C++ redistributable binaries under Program Files and MSOCache), so running any infected program spreads it further.
-
Executes dropped EXE 15 IoCs
Processes (pid, image):
2164 19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe
2932 ._cache_19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe
1140 svchost.com
2680 _CACHE~1.EXE
2572 Synaptics.exe
2284 ._cache__CACHE~1.EXE
1512 ._cache_Synaptics.exe
2308 svchost.com
1916 _CACHE~1.EXE
1860 ._cache__CACHE~1.EXE
1820 Synaptics.exe
2296 ._cache_Synaptics.exe
2992 svchost.com
1696 _CACHE~1.EXE
1568 ._cache__CACHE~1.EXE
-
Loads dropped DLL 41 IoCs
Processes (pid, image; consecutive repeats of the same pid collapsed with an event count, in report order):
1928 19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe (2 events)
2164 19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe (3 events)
1140 svchost.com (2 events)
2164 19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe (2 events)
2680 _CACHE~1.EXE (2 events)
1928 19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe (1 event)
2932 ._cache_19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe (1 event)
2572 Synaptics.exe (3 events)
2308 svchost.com (2 events)
1916 _CACHE~1.EXE (3 events)
1928 19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe (1 event)
2932 ._cache_19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe (3 events)
1928 19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe (1 event)
1916 _CACHE~1.EXE (2 events)
1820 Synaptics.exe (4 events)
2992 svchost.com (2 events)
1696 _CACHE~1.EXE (1 event)
2956 EXCEL.EXE (4 events)
1696 _CACHE~1.EXE (2 events)
-
Modifies system executable filetype association 2 TTPs 1 IoCs
Processes: 19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"  (written by 19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe)
The stock default value of this key is "%1" %*. By placing C:\Windows\svchost.com in front of it, every .exe started through the shell first runs the dropped Neshta loader, which then launches the requested program; this is the hook that keeps the infector alive across reboots even without a Run key.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials, cookies and browsing history.
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes: 19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe, _CACHE~1.EXE
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"  (written by 19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe)
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"  (written by _CACHE~1.EXE)
Both the sample and the dropped _CACHE~1.EXE write the same machine-wide Run value; the name imitates the Synaptics touchpad driver while the target is a copy under C:\ProgramData\Synaptics, a location no vendor driver installer uses.
-
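Added example (not part of this sandbox report or of any tool it references): a Python helper that reads registry events in the "description ioc process" form used above and raises a finding for the two persistence mechanisms this sample shows, the exefile shell hijack and the Run key. The first three sample lines are copied from the sections above; the fourth, a write of the stock "%1" %* value by regedit.exe, is constructed to show that a benign value does not alert. All function and constant names are the example's own.

```python
r"""Flag Neshta-style exefile hijacks and Run-key persistence in registry events.

Input lines are 'Set value' records in the "description ioc process" format this
report uses.  Two checks are made:
  (a) the default value of HKLM\SOFTWARE\Classes\exefile\shell\open\command is
      anything other than the stock "%1" %* (Neshta puts C:\Windows\svchost.com
      in front of it so its loader runs before every .exe the shell starts);
  (b) a value is written under a ...\Microsoft\Windows\CurrentVersion\Run key.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Constructed input.  Lines 1-3 are copied from the "Modifies system executable
# filetype association" and "Adds Run key" sections of this report; line 4 is a
# made-up benign write of the stock value, included to show it does not alert.
SAMPLE_EVENTS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" 19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" 19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" _CACHE~1.EXE',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" regedit.exe',
]

# 'Set value (<type>) <key> = "<escaped value>" <process>'.  The key may contain
# spaces, so it is matched non-greedily up to the ' = "' separator.
EVENT_RE = re.compile(
    r'^Set value \((?P<vtype>\w+)\) (?P<key>\\REGISTRY\\.+?) = "(?P<raw>(?:[^"\\]|\\.)*)" (?P<process>\S+)$'
)

STOCK_EXEFILE_CMD = '"%1" %*'
EXEFILE_OPEN_CMD = r'\registry\machine\software\classes\exefile\shell\open\command'
RUN_KEY_MARKER = '\\microsoft\\windows\\currentversion\\run\\'   # HKLM or HKU, Wow6432Node or not


@dataclass(frozen=True)
class RegEvent:
    value_type: str
    key: str        # full key path; a trailing backslash means the key's default value
    value: str      # with the report's C-style escaping removed
    process: str


def unescape(raw: str) -> str:
    # The report escapes backslashes and double quotes as \\ and \"; drop the escape character.
    return re.sub(r'\\(.)', r'\1', raw)


def parse_event(line: str) -> Optional[RegEvent]:
    m = EVENT_RE.match(line.strip())
    if m is None:
        return None
    return RegEvent(m['vtype'], m['key'], unescape(m['raw']), m['process'])


def interposed_program(command: str) -> Optional[str]:
    """Return the program placed in front of the stock "%1" %*, or None if the value is stock."""
    if command == STOCK_EXEFILE_CMD:
        return None
    suffix = ' ' + STOCK_EXEFILE_CMD
    # Neshta keeps the original arguments; a hijacker that drops them is still reported whole.
    return command[:-len(suffix)] if command.endswith(suffix) else command


Finding = Tuple[str, str, str]   # (kind, writing process, detail)


def analyse(lines: Iterable[str]) -> List[Finding]:
    findings: List[Finding] = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        key = ev.key.rstrip('\\').lower()
        if key == EXEFILE_OPEN_CMD:
            hijacker = interposed_program(ev.value)
            if hijacker is not None:
                findings.append(('exefile_hijack', ev.process, hijacker))
        elif RUN_KEY_MARKER in key:
            value_name = ev.key.rsplit('\\', 1)[-1]
            findings.append(('run_key_persistence', ev.process, f'{value_name} = {ev.value}'))
    return findings


if __name__ == '__main__':
    for kind, proc, detail in analyse(SAMPLE_EVENTS):
        print(f'{kind:20} {proc}  {detail}')
```

The same comparison applies to a live host: read the default value of HKLM\SOFTWARE\Classes\exefile\shell\open\command and treat anything other than "%1" %* as a hijack. Neshta's tell is the C:\Windows\svchost.com prefix, but any interposed program deserves the same scrutiny, and the Run-key check should cover HKU hives as well as HKLM.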
Drops file in Program Files directory 64 IoCs
Processes: [S] = 19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe, [C] = ._cache_19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe
File opened for modification C:\PROGRA~2\MICROS~1\Office14\ACCICONS.EXE [S]
File opened for modification C:\PROGRA~2\MICROS~1\Office14\ONENOTE.EXE [S]
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE [S]
File opened for modification C:\PROGRA~2\MICROS~1\Office14\1033\ONELEV.EXE [S]
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE [S]
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\ODeploy.exe [S]
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\Setup.exe [S]
File opened for modification C:\PROGRA~2\MICROS~1\Office14\BCSSync.exe [C]
File opened for modification C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE [S]
File opened for modification C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE [S]
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE [S]
File opened for modification C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE [S]
File opened for modification C:\PROGRA~2\MICROS~1\Office14\misc.exe [S]
File opened for modification C:\PROGRA~2\MICROS~1\Office14\WORDICON.EXE [S]
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\Setup.exe [C]
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~1.EXE [C]
File opened for modification C:\PROGRA~2\MICROS~1\Office14\CNFNOT32.EXE [C]
File opened for modification C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE [S]
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\SETUPF~1\{AC76B~1\Setup.exe [C]
File opened for modification C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBE_~1.EXE [C]
File opened for modification C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE [C]
File opened for modification C:\PROGRA~2\MICROS~1\Office14\ONENOTEM.EXE [C]
File opened for modification C:\PROGRA~2\MICROS~1\Office14\PPTICO.EXE [S]
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE [C]
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE [S]
File opened for modification C:\PROGRA~2\WINDOW~1\wabmig.exe [S]
File opened for modification C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE [C]
File opened for modification C:\PROGRA~2\MICROS~1\Office14\IECONT~1.EXE [S]
File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE [C]
File opened for modification C:\PROGRA~2\INTERN~1\iexplore.exe [S]
File opened for modification C:\PROGRA~2\MICROS~1\Office14\GROOVEMN.EXE [C]
File opened for modification C:\PROGRA~2\MICROS~1\Office14\XLICONS.EXE [C]
File opened for modification C:\PROGRA~2\WI54FB~1\wmpshare.exe [S]
File opened for modification C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE [S]
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\EQUATION\EQNEDT32.EXE [S]
File opened for modification C:\PROGRA~2\INTERN~1\ieinstal.exe [C]
File opened for modification C:\PROGRA~2\MICROS~1\Office14\WINWORD.EXE [S]
File opened for modification C:\PROGRA~2\WINDOW~1\WinMail.exe [S]
File opened for modification C:\PROGRA~2\WI54FB~1\wmprph.exe [C]
File opened for modification C:\PROGRA~2\WI4223~1\sidebar.exe [C]
File opened for modification C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE [C]
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE [S]
File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSOHTMED.EXE [C]
File opened for modification C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE [S]
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\SOURCE~1\OSE.EXE [C]
File opened for modification C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE [C]
File opened for modification C:\PROGRA~2\WI54FB~1\setup_wm.exe [C]
File opened for modification C:\PROGRA~2\WI54FB~1\wmpshare.exe [C]
File opened for modification C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE [C]
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\DW\DWTRIG20.EXE [S]
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE [C]
File opened for modification C:\PROGRA~2\MICROS~1\Office14\NAMECO~1.EXE [S]
File opened for modification C:\PROGRA~2\MICROS~1\Office14\VPREVIEW.EXE [C]
File opened for modification C:\PROGRA~2\MICROS~1\Office14\WORDICON.EXE [C]
File opened for modification C:\PROGRA~2\WINDOW~1\wab.exe [C]
File opened for modification C:\PROGRA~2\WI54FB~1\wmplayer.exe [C]
File opened for modification C:\PROGRA~2\WI4223~1\sidebar.exe [S]
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~2.EXE [S]
File opened for modification C:\PROGRA~2\MICROS~1\Office14\INFOPATH.EXE [S]
File opened for modification C:\PROGRA~2\WINDOW~1\wabmig.exe [C]
File opened for modification C:\PROGRA~2\WI54FB~1\wmplayer.exe [S]
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXE [S]
File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSQRY32.EXE [S]
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe [C]
-
Drops file in Windows directory 12 IoCs
Processes: 19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe, svchost.com, ._cache_Synaptics.exe, ._cache_19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe
File opened for modification C:\Windows\svchost.com  (19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe)
File opened for modification C:\Windows\directx.sys  (svchost.com)
File opened for modification C:\Windows\svchost.com  (svchost.com)
File opened for modification C:\Windows\directx.sys  (._cache_Synaptics.exe)
File opened for modification C:\Windows\svchost.com  (._cache_Synaptics.exe)
File opened for modification C:\Windows\directx.sys  (svchost.com)
File opened for modification C:\Windows\svchost.com  (svchost.com)
File opened for modification C:\Windows\svchost.com  (._cache_Synaptics.exe)
File opened for modification C:\Windows\svchost.com  (svchost.com)
File opened for modification C:\Windows\svchost.com  (._cache_19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe)
File opened for modification C:\Windows\directx.sys  (._cache_Synaptics.exe)
File opened for modification C:\Windows\directx.sys  (svchost.com)
Note the .com extension and the location directly under C:\Windows: the legitimate service host is C:\Windows\System32\svchost.exe, and a file named svchost.com anywhere is a reliable Neshta indicator. C:\Windows\directx.sys here is a plain data file written by the loader, not a driver.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Enumerates system info in registry 2 TTPs 2 IoCs
Processes: EXCEL.EXE
Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor  (EXCEL.EXE)
Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor  (EXCEL.EXE)
-
Processes: EXCEL.EXE (every entry below is written by EXCEL.EXE)
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\MenuExt
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Toolbar
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000
These writes are Office 2010 registering itself as the Internet Explorer HTML/MHTML editor when EXCEL.EXE starts, not a change made by the sample. The binary command\command values are UTF-16LE text (they decode to a Windows Installer advertised-command descriptor ending in /n "%1", the same form Office uses for its own verbs); they are not executable code.
-
Modifies registry class 64 IoCs
Processes: EXCEL.EXE (every entry below is written by EXCEL.EXE)
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open"
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll"
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open"
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open"
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\""
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit"
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment"
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open"
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print"
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes (pid, image):
2956 EXCEL.EXE
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes (pid, image; repeated events collapsed with a count):
1916 _CACHE~1.EXE (5 events)
1696 _CACHE~1.EXE (all remaining events)
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
description pid process: Token: SeSystemProfilePrivilege 1916 _CACHE~1.EXE (first 5 entries); Token: SeSystemProfilePrivilege 1696 _CACHE~1.EXE (all remaining entries) -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
pid process: 2956 EXCEL.EXE, 1492 EXCEL.EXE -
Suspicious use of WriteProcessMemory 60 IoCs
Processes:
description pid process target process (the raw log records each parent-to-child write four times; the 15 unique pairs are listed once, in log order):
PID 1928 wrote to memory of 2164  19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe -> 19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe
PID 2164 wrote to memory of 2932  19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe -> ._cache_19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe
PID 2932 wrote to memory of 1140  ._cache_19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe -> svchost.com
PID 1140 wrote to memory of 2680  svchost.com -> _CACHE~1.EXE
PID 2164 wrote to memory of 2572  19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe -> Synaptics.exe
PID 2680 wrote to memory of 2284  _CACHE~1.EXE -> ._cache__CACHE~1.EXE
PID 2572 wrote to memory of 1512  Synaptics.exe -> ._cache_Synaptics.exe
PID 1512 wrote to memory of 2308  ._cache_Synaptics.exe -> svchost.com
PID 2308 wrote to memory of 1916  svchost.com -> _CACHE~1.EXE
PID 1916 wrote to memory of 1860  _CACHE~1.EXE -> ._cache__CACHE~1.EXE
PID 1916 wrote to memory of 1820  _CACHE~1.EXE -> Synaptics.exe
PID 1820 wrote to memory of 2296  Synaptics.exe -> ._cache_Synaptics.exe
PID 2296 wrote to memory of 2992  ._cache_Synaptics.exe -> svchost.com
PID 2992 wrote to memory of 1696  svchost.com -> _CACHE~1.EXE
PID 1696 wrote to memory of 1568  _CACHE~1.EXE -> ._cache__CACHE~1.EXE
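The parent-to-child pairs above can be turned back into a process tree automatically, which is how an analyst checks the sandbox's tree or compares two runs. The script below is an added example written for this report, not sandbox output: it parses "wrote to memory" lines copied from the table above, collapses the repeated writes per spawn, reconstructs the tree and reports its root and depth. The only assumption is the line format shown on this page, `PID <parent> wrote to memory of <child> <parent> <parent image> <child image>`.

```python
"""Rebuild a process tree from a sandbox 'wrote to memory' log (added example)."""
import re
from collections import defaultdict

# Lines copied from the WriteProcessMemory table of this report: one per
# unique parent->child pair, plus the first pair repeated once to show
# that duplicate writes are collapsed.
REPORT_LINES = """\
PID 1928 wrote to memory of 2164 1928 19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe 19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe
PID 1928 wrote to memory of 2164 1928 19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe 19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe
PID 2164 wrote to memory of 2932 2164 19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe ._cache_19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe
PID 2932 wrote to memory of 1140 2932 ._cache_19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe svchost.com
PID 1140 wrote to memory of 2680 1140 svchost.com _CACHE~1.EXE
PID 2164 wrote to memory of 2572 2164 19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe Synaptics.exe
PID 2680 wrote to memory of 2284 2680 _CACHE~1.EXE ._cache__CACHE~1.EXE
PID 2572 wrote to memory of 1512 2572 Synaptics.exe ._cache_Synaptics.exe
PID 1512 wrote to memory of 2308 1512 ._cache_Synaptics.exe svchost.com
PID 2308 wrote to memory of 1916 2308 svchost.com _CACHE~1.EXE
PID 1916 wrote to memory of 1860 1916 _CACHE~1.EXE ._cache__CACHE~1.EXE
PID 1916 wrote to memory of 1820 1916 _CACHE~1.EXE Synaptics.exe
PID 1820 wrote to memory of 2296 1820 Synaptics.exe ._cache_Synaptics.exe
PID 2296 wrote to memory of 2992 2296 ._cache_Synaptics.exe svchost.com
PID 2992 wrote to memory of 1696 2992 svchost.com _CACHE~1.EXE
PID 1696 wrote to memory of 1568 1696 _CACHE~1.EXE ._cache__CACHE~1.EXE
"""

# Format as printed on this page; the parent PID is repeated after the child PID.
LINE_RE = re.compile(
    r"PID (?P<ppid>\d+) wrote to memory of (?P<pid>\d+) (?P=ppid) (?P<parent>\S+) (?P<child>\S+)$"
)


def parse_edges(text):
    """Return ({(ppid, pid): (parent_image, child_image)}, number_of_duplicate_lines)."""
    edges, dups = {}, 0
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a write record; ignore
        key = (int(m["ppid"]), int(m["pid"]))
        if key in edges:
            dups += 1
        else:
            edges[key] = (m["parent"], m["child"])
    return edges, dups


def build_tree(edges):
    """Children map, PID->image map and the roots (parents that never appear as a child)."""
    children = defaultdict(list)
    names = {}
    for (ppid, pid), (pname, cname) in edges.items():
        children[ppid].append(pid)
        names.setdefault(ppid, pname)
        names[pid] = cname
    parents = {p for p, _ in edges}
    kids = {c for _, c in edges}
    return children, names, sorted(parents - kids)


def depth(children, pid):
    """Longest parent->child path below pid, counted in edges."""
    if not children.get(pid):
        return 0
    return 1 + max(depth(children, c) for c in children[pid])


def render(children, names, pid, level=0, out=None):
    """Indented text rendering of the subtree rooted at pid."""
    out = [] if out is None else out
    out.append(f"{'  ' * level}{pid} {names[pid]}")
    for c in children.get(pid, []):
        render(children, names, c, level + 1, out)
    return out


def count_image(names, image):
    """How many distinct PIDs ran under a given image name."""
    return sum(1 for n in names.values() if n == image)


if __name__ == "__main__":
    edges, dups = parse_edges(REPORT_LINES)
    children, names, roots = build_tree(edges)
    print(f"{len(edges)} unique spawn edges, {dups} duplicate write(s) collapsed")
    for root in roots:
        print("\n".join(render(children, names, root)))
        print("tree depth:", depth(children, root), "edges")
```

Run against the lines above it reports one root (PID 1928), a deepest chain of 10 edges, and three distinct svchost.com processes, which matches the nesting shown in the Processes section that follows.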
Processes (the leading number is the depth in the tree; PIDs are taken from the WriteProcessMemory, AddClipboardFormatListener and SetWindowsHookEx entries above)
-
1  "C:\Users\Admin\AppData\Local\Temp\19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe"  (PID 1928)
   - Loads dropped DLL
   - Modifies system executable filetype association
   - Drops file in Program Files directory
   - Drops file in Windows directory
   - Suspicious use of WriteProcessMemory
-
2  "C:\Users\Admin\AppData\Local\Temp\3582-490\19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe"  (PID 2164)
   - Executes dropped EXE
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious use of WriteProcessMemory
-
3  "C:\Users\Admin\AppData\Local\Temp\._cache_19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe"  (PID 2932)
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in Program Files directory
   - Drops file in Windows directory
   - Suspicious use of WriteProcessMemory
-
4  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"  (PID 1140)
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in Windows directory
   - Suspicious use of WriteProcessMemory
-
5  C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE  (PID 2680)
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
-
6  "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"  (PID 2284)
   - Executes dropped EXE
-
3  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate  (PID 2572)
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
-
4  "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate  (PID 1512)
   - Executes dropped EXE
   - Drops file in Windows directory
   - Suspicious use of WriteProcessMemory
-
5  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE" InjUpdate  (PID 2308)
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in Windows directory
   - Suspicious use of WriteProcessMemory
-
6  C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE InjUpdate  (PID 1916)
   - Executes dropped EXE
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
-
7  "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE" InjUpdate  (PID 1860)
   - Executes dropped EXE
-
7  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate  (PID 1820)
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
-
8  "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate  (PID 2296)
   - Executes dropped EXE
   - Drops file in Windows directory
   - Suspicious use of WriteProcessMemory
-
9  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE" InjUpdate  (PID 2992)
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in Windows directory
   - Suspicious use of WriteProcessMemory
-
10 C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE InjUpdate  (PID 1696)
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
-
11 "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE" InjUpdate  (PID 1568)
   - Executes dropped EXE
-
1  "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding  (PID 2956; started by COM activation, the -Embedding switch, and therefore shown at depth 1 rather than under the sample)
   - Loads dropped DLL
   - Enumerates system info in registry
   - Modifies Internet Explorer settings
   - Modifies registry class
   - Suspicious behavior: AddClipboardFormatListener
   - Suspicious use of SetWindowsHookEx
-
1  "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding  (PID 1492; COM activation, as above)
   - Enumerates system info in registry
   - Suspicious use of SetWindowsHookEx
Note the repeating unit in the tree: every time a dropped copy is run, C:\Windows\svchost.com is started first with the real executable as its argument, then re-launches it from Temp\3582-490, which in turn extracts and runs a ._cache_ copy. That is the behaviour that the "Modifies system executable filetype association" tag on the root process produces.
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
- Event Triggered Execution (1): Change Default File Association (1)
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
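The "Change Default File Association" technique is what makes C:\Windows\svchost.com receive the real executable as its argument in the process tree: once the .exe association points at a wrapper, every program launch goes through it. The check below is an added example, not part of the report or of any vendor tool. It classifies the default value of HKLM\SOFTWARE\Classes\exefile\shell\open\command as the Windows default, a wrapper inserted in front of "%1", or something unexpected. The "hijacked" sample value is constructed to match the svchost.com launch pattern seen in the tree; the exact value written by this sample is not shown in this section. On Windows the script reads the live key, elsewhere it runs against the constructed samples.

```python
r"""Classify the .exe file-association command value (added example)."""
import re
import sys

# What Windows installs by default for exefile\shell\open\command.
DEFAULT_EXEFILE_COMMAND = '"%1" %*'

# Constructed sample values. "hijacked" is modelled on the
# svchost.com "<real exe>" launches in the report's process tree; it is
# an assumption for illustration, not a value copied from the report.
SAMPLES = {
    "clean": '"%1" %*',
    "hijacked": 'C:\\Windows\\svchost.com "%1" %*',
}

# Optional quoted-or-bare program, then "%1", then optionally %*.
WRAPPER_RE = re.compile(r'^"?([^"]+?)"?\s+"%1"(\s+%\*)?$')


def normalise(cmd):
    """Collapse whitespace so cosmetic differences do not change the verdict."""
    return " ".join(cmd.strip().split())


def association_verdict(command_value):
    r"""Return (status, wrapper) for an exefile\shell\open\command value.

    status is 'default', 'wrapped' (another program runs first and the
    real target is passed as "%1") or 'unexpected'; wrapper is the
    inserted program's path when status is 'wrapped', else None.
    """
    cmd = normalise(command_value)
    if cmd.lower() == DEFAULT_EXEFILE_COMMAND.lower():
        return "default", None
    m = WRAPPER_RE.match(cmd)
    if m:
        return "wrapped", m.group(1)
    return "unexpected", None


def read_live_value():
    r"""Read the live HKLM\SOFTWARE\Classes\exefile\shell\open\command value (Windows only)."""
    import winreg  # standard library, present only on Windows

    key_path = r"SOFTWARE\Classes\exefile\shell\open\command"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key_path) as key:
        value, _ = winreg.QueryValueEx(key, "")
    return value


if __name__ == "__main__":
    if sys.platform == "win32":
        status, wrapper = association_verdict(read_live_value())
        print(f"exefile association: {status}" + (f" by {wrapper}" if wrapper else ""))
    else:
        for name, value in SAMPLES.items():
            print(name, association_verdict(value))
```

A "wrapped" verdict is not proof of infection on its own (some legitimate launchers use the same trick), but a wrapper living in C:\Windows with a .com extension, as in this tree, should be pulled and hashed against the dropped-file list below.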
Downloads (files written during the run and memory regions dumped)
The entries under C:\MSOCache, C:\PROGRA~2, C:\PROGRA~3 and C:\Users\ALLUSE~1 are executables that already existed on the host and were overwritten by the sample (see "Drops file in Program Files directory" in the process tree), so the hashes are of the infected copies, not of the original vendor binaries. C:\Windows\svchost.com, C:\Windows\directx.sys and the Temp\3582-490 directory are the infector's own artifacts.
-
C:\MSOCache\ALLUSE~1\{90140~1\DW20.EXE
Filesize 859KB
MD5 02ee6a3424782531461fb2f10713d3c1
SHA1 b581a2c365d93ebb629e8363fd9f69afc673123f
SHA256 ead58c483cb20bcd57464f8a4929079539d634f469b213054bf737d227c026dc
SHA512 6c9272cb1b6bde3ee887e1463ab30ea76568cb1a285d11393337b78c4ad1c3b7e6ce47646a92ab6d70bff4b02ab9d699b84af9437b720e52dcd35579fe2693ec
-
C:\MSOCache\ALLUSE~1\{90140~1\dwtrig20.exe
Filesize 547KB
MD5 cf6c595d3e5e9667667af096762fd9c4
SHA1 9bb44da8d7f6457099cb56e4f7d1026963dce7ce
SHA256 593e60cc30ae0789448547195af77f550387f6648d45847ea244dd0dd7abf03d
SHA512 ff4f789df9e6a6d0fbe12b3250f951fcf11e857906c65e96a30bb46266e7e1180d6103a03db2f3764e0d1346b2de7afba8259ba080057e4a268e45e8654dfa80
-
C:\MSOCache\ALLUSE~1\{9A861~1\ose.exe
Filesize 186KB
MD5 58b58875a50a0d8b5e7be7d6ac685164
SHA1 1e0b89c1b2585c76e758e9141b846ed4477b0662
SHA256 2a0aa0763fdef9c38c5dd4d50703f0c7e27f4903c139804ec75e55f8388139ae
SHA512 d67214077162a105d01b11a8e207fab08b45b08fbfba0615a2ea146e1dd99eea35e4f02958a1754d3192292c00caf777f186f0a362e4b8b0da51fabbdb76375b
-
C:\MSOCache\ALLUSE~1\{9A861~1\setup.exe
Filesize 1.1MB
MD5 566ed4f62fdc96f175afedd811fa0370
SHA1 d4b47adc40e0d5a9391d3f6f2942d1889dd2a451
SHA256 e17cd94c08fc0e001a49f43a0801cea4625fb9aee211b6dfebebec446c21f460
SHA512 cdf8f508d396a1a0d2e0fc25f2ae46398b25039a0dafa0919737cc44e3e926ebae4c3aa26f1a3441511430f1a36241f8e61c515a5d9bd98ad4740d4d0f7b8db7
-
C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE
Filesize 285KB
MD5 831270ac3db358cdbef5535b0b3a44e6
SHA1 c0423685c09bbe465f6bb7f8672c936e768f05a3
SHA256 a8f78ac26c738b13564252f1048ca784bf152ef048b829d3d22650b7f62078f0
SHA512 f64a00977d4b6f8c43f53cee7bb450f3c8cbef08525975055fde5d8c515db32d2bfad92e99313b3a10a72a50dd09b4ffe28e9af4c148c6480622ba486776e450
-
C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE
Filesize 569KB
MD5 eef2f834c8d65585af63916d23b07c36
SHA1 8cb85449d2cdb21bd6def735e1833c8408b8a9c6
SHA256 3cd34a88e3ae7bd3681a7e3c55832af026834055020add33e6bd6f552fc0aabd
SHA512 2ee8766e56e5b1e71c86f7d1a1aa1882706d0bca8f84b2b2c54dd4c255e04f037a6eb265302449950e5f5937b0e57f17a6aa45e88a407ace4b3945e65043d9b7
-
C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe
Filesize 381KB
MD5 3ec4922dbca2d07815cf28144193ded9
SHA1 75cda36469743fbc292da2684e76a26473f04a6d
SHA256 0587fd366ea7e94b3ae500874b1c5d684b5357fcc7389682d5a13c3301a28801
SHA512 956c3a1f2689cb72600edd2e90d652b77592a8a81d319dce026e88f6c02231af06aebd57d68460eb406de00c113522173423cb1b339a41a3918f379c7dc311f7
-
C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE
Filesize 439KB
MD5 400836f307cf7dbfb469cefd3b0391e7
SHA1 7af3cbb12d3b2d8b5d9553c687c6129d1dd90a10
SHA256 cb5c5abb625a812d47007c75e3855be3f29da527a41cf03730ad5c81f3eb629a
SHA512 aa53cb304478585d6f83b19a6de4a7938ba2570d380a565a56ff5365aed073d5f56b95ad3228eb7d1e7e6110c6172a58b97bd6a5e57e4a8d39e762ed31dc17c8
-
C:\PROGRA~2\MICROS~1\Office14\INFOPATH.EXE
Filesize 1.7MB
MD5 338f328b613632e6df24a00a49864835
SHA1 249a3f7c546aa66d98c4fbda2001bc649bc80013
SHA256 da5cc08eb0aa368f19ce481b3f9236203a6f40303d77ad30b94912dba22ca08d
SHA512 f59dc126be5bf72f802e6681f5af30ce947d7ad6e6b506612c8d6b49e2a5e2d597838311c474fd59e0b976453cf389cecb5443971019b307f2b52a1564ae69a8
-
C:\PROGRA~2\MICROS~1\Office14\VPREVIEW.EXE
Filesize 606KB
MD5 9b1c9f74ac985eab6f8e5b27441a757b
SHA1 9a2cf7d2518c5f5db405e5bd8d37bf62dcaf34f5
SHA256 2a189b995a7283b503bb5864dd9ca57976b3812a6a34aaf89a7551336c43bc24
SHA512 d72e83aeaf1d34627a6c6aa469821af8a8d464a72c764fbb064484adea509a8c1d3628e2166859286e84daae8ebdf4f800693ce203984a8c313b1f2263e101c4
-
C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE
Filesize 674KB
MD5 9c10a5ec52c145d340df7eafdb69c478
SHA1 57f3d99e41d123ad5f185fc21454367a7285db42
SHA256 ccf37e88447a7afdb0ba4351b8c5606dbb05b984fb133194d71bcc00d7be4e36
SHA512 2704cfd1a708bfca6db7c52467d3abf0b09313db0cdd1ea8e5d48504c8240c4bf24e677f17c5df9e3ac1f6a678e0328e73e951dc4481f35027cb03b2966dc38f
-
C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE
Filesize 485KB
MD5 87f15006aea3b4433e226882a56f188d
SHA1 e3ad6beb8229af62b0824151dbf546c0506d4f65
SHA256 8d0045c74270281c705009d49441167c8a51ac70b720f84ff941b39fad220919
SHA512 b01a8af6dc836044d2adc6828654fa7a187c3f7ffe2a4db4c73021be6d121f9c1c47b1643513c3f25c0e1b5123b8ce2dc78b2ca8ce638a09c2171f158762c7c1
-
C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE
Filesize 495KB
MD5 07e194ce831b1846111eb6c8b176c86e
SHA1 b9c83ec3b0949cb661878fb1a8b43a073e15baf1
SHA256 d882f673ddf40a7ea6d89ce25e4ee55d94a5ef0b5403aa8d86656fd960d0e4ac
SHA512 55f9b6d3199aa60d836b6792ae55731236fb2a99c79ce8522e07e579c64eabb88fa413c02632deb87a361dd8490361aa1424beed2e01ba28be220f8c676a1bb5
-
C:\Users\ALLUSE~1\PACKAG~1\{33D1F~1\VCREDI~1.EXE
Filesize 485KB
MD5 86749cd13537a694795be5d87ef7106d
SHA1 538030845680a8be8219618daee29e368dc1e06c
SHA256 8c35dcc975a5c7c687686a3970306452476d17a89787bc5bd3bf21b9de0d36a5
SHA512 7b6ae20515fb6b13701df422cbb0844d26c8a98087b2758427781f0bf11eb9ec5da029096e42960bf99ddd3d4f817db6e29ac172039110df6ea92547d331db4c
-
C:\Users\ALLUSE~1\PACKAG~1\{4D8DC~1\VC_RED~1.EXE
Filesize 674KB
MD5 97510a7d9bf0811a6ea89fad85a9f3f3
SHA1 2ac0c49b66a92789be65580a38ae9798237711db
SHA256 c48abbc29405559e68cc9f8fc6d218aa317a9d0023839c7846ca509c1f563fea
SHA512 2a93e2a3bd187fdde160f87ef777ccd1d1c398d547b7c869e6b64469b9418ad04d887cdfe94af7407476377bf2d009f576de3935c025b7aefbab26fbcd8f90fb
-
C:\Users\ALLUSE~1\PACKAG~1\{61087~1\VCREDI~1.EXE
Filesize 536KB
MD5 349c6f2f4e32553e8fea4d29772e40e6
SHA1 e2f7856aa519006f8cbc9943cc3fb34c4461932d
SHA256 7c4fd44a9cda339ac3e7fa93b0b2a24b1e0ac16996dbb19cfdcd6323170b1fd3
SHA512 0b9f9aafb1a682f9e5a5dccae0dc19e3cf21c5d2aa4df3e22311f5744255f668e9a1e11ee21f2656d9f45236c484e0b7b460a57db1c34f2d344bd4cbece42588
-
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
Filesize 266KB
MD5 c08ebf3a175b66593b27a3c071df5115
SHA1 4acafe7abdf85c922cac6065c9e4d0c909c22c85
SHA256 1a7cebff8a5859fcd9847bef3695ee9f8d29ddca361d8f52a6b23d824deba968
SHA512 79b17d05ebc6e5b17f25f0ce1c202e1ef4c959246073e1b242edc4c4c45a2bcf4b3ffac2f01f4394112eadc961c6b8934208a071658493ef7a7c34e810e567a9
-
C:\Users\Admin\AppData\Local\Temp\3582-490\19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe
Filesize 2.5MB
MD5 44cce607c901188b1ceca88705a3edfb
SHA1 104192763c1994a8686e1b813dde36109e83a1b6
SHA256 f85efbd3d02c72fc85aabcf5549b6803fd9968cc301dbf7dc4c745c3d3da1309
SHA512 1a4116c0fbb63cdf1ac1ab30b542286e501b2d94e9090ef0812d2b8c5a076c9a1b83295f3d333929df72c47e97faac683db473c74d915e8452a83b0d9492bdab
-
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
Filesize 1.3MB
MD5 94e5f271b702947d8c96c432a77e99e7
SHA1 a284a7fb14c9576a380052f16e1aadf4c82a2105
SHA256 a3c7ec7dbd6ef0b778f0f05e140b965f5c1af8bce1a729ed5f8e183822dc10b9
SHA512 60dfef773155ce6a70b3c37f08c9d210fb4e9ae6aba4ed2b230ec1577f5484fd154cfbe27de7dd795ec171c6d24814813f89165d7011f14a224d64a2bf1dcb71
-
C:\Windows\directx.sys
Filesize 57B
MD5 56abc40d1e45c091d8afddb90a4ce6b4
SHA1 08db549484467b32b79958700300cabefc659848
SHA256 a43fa861957415e3b0f25e2b54d931961cd309ff1d5354a9362852895b90b3e1
SHA512 51625c015a7c8fcf6fb51d3396aa08d2068772e3fcacaf32c409e82071af4ba1eb2ee94f36c06a98c32ba59d23bbaa6b540f7bd418a9472303cc225151daa698
-
C:\Windows\svchost.com
Filesize 40KB
MD5 2ff724ca136d4a831421dfd891e167c6
SHA1 5416f8de17ae4a8d9ea2e2d4570c5dd9ba7e5eb8
SHA256 ff787f8231bb6f6a30eb61f46d56920e742ae22dd047622f8fbe6266d8bb864d
SHA512 5ad202eb3222b9a95695ee1ffcebdaa3cd7235dbc8a1bf845e560736f514d9d7c92bc509c7089f53ff391bcd1d053050ccf0d889102a2b53b373d211dfbd9dc0
-
\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE
Filesize 252KB
MD5 9e2b9928c89a9d0da1d3e8f4bd96afa7
SHA1 ec66cda99f44b62470c6930e5afda061579cde35
SHA256 8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043
SHA512 2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156
-
\Users\Admin\AppData\Local\Temp\._cache_19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe
Filesize 1.4MB
MD5 c6b7d88af09bed8ef817c3ad1f68f9f4
SHA1 c49df92061197098f62c7e5031e8b9ce406d911c
SHA256 b116d954ddce3d3df3ef09a44aac5433c91ea2fee317dbf33fc5c4e5cec06af5
SHA512 75452e228ccfc14f144d4ce777b5898ace42ca5638c2607cc00b1dd1ba1ff05e3074af33bfad39979b0e3b035daad4a7503a1c88f3c3a5ecf2ce3266d0a33c2d
-
Memory dumps (PID-sequence-range)
memory/1140-54-0x0000000000400000-0x000000000041B000-memory.dmp  Filesize 108KB
memory/1512-133-0x0000000000400000-0x000000000041B000-memory.dmp  Filesize 108KB
memory/1696-246-0x0000000000400000-0x000000000055F000-memory.dmp  Filesize 1.4MB
memory/1696-296-0x0000000000400000-0x000000000055F000-memory.dmp  Filesize 1.4MB
memory/1696-252-0x0000000000400000-0x000000000055F000-memory.dmp  Filesize 1.4MB
memory/1696-256-0x0000000000400000-0x000000000055F000-memory.dmp  Filesize 1.4MB
memory/1696-254-0x0000000000400000-0x000000000055F000-memory.dmp  Filesize 1.4MB
memory/1820-293-0x0000000000400000-0x000000000055F000-memory.dmp  Filesize 1.4MB
memory/1820-245-0x0000000000400000-0x000000000055F000-memory.dmp  Filesize 1.4MB
memory/1820-289-0x0000000000400000-0x000000000055F000-memory.dmp  Filesize 1.4MB
memory/1916-213-0x0000000000400000-0x000000000055F000-memory.dmp  Filesize 1.4MB
memory/1928-243-0x0000000000400000-0x000000000041B000-memory.dmp  Filesize 108KB
memory/1928-248-0x0000000000400000-0x000000000041B000-memory.dmp  Filesize 108KB
memory/2164-14-0x0000000000220000-0x0000000000221000-memory.dmp  Filesize 4KB
memory/2164-82-0x0000000000400000-0x0000000000680000-memory.dmp  Filesize 2.5MB
memory/2284-106-0x0000000000A70000-0x0000000000AB8000-memory.dmp  Filesize 288KB
memory/2296-217-0x0000000000400000-0x000000000041B000-memory.dmp  Filesize 108KB
memory/2308-154-0x0000000000400000-0x000000000041B000-memory.dmp  Filesize 108KB
memory/2572-180-0x0000000000400000-0x0000000000680000-memory.dmp  Filesize 2.5MB
memory/2680-76-0x0000000000400000-0x000000000055F000-memory.dmp  Filesize 1.4MB
memory/2932-250-0x0000000000400000-0x000000000041B000-memory.dmp  Filesize 108KB
memory/2932-244-0x0000000000400000-0x000000000041B000-memory.dmp  Filesize 108KB
memory/2956-212-0x000000005FFF0000-0x0000000060000000-memory.dmp  Filesize 64KB
memory/2992-223-0x0000000000400000-0x000000000041B000-memory.dmp  Filesize 108KB