Analysis
-
max time kernel
15s -
max time network
136s -
platform
windows7_x64 -
resource
win7-20240611-en -
resource tags
arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system -
submitted
18-06-2024 20:12
Behavioral task
behavioral1
Sample
337c65e3feece9ee169eacbd90f6f7635ccc794feec31139e5416507d0354e37.exe
Resource
win7-20240611-en
Behavioral task
behavioral2
Sample
337c65e3feece9ee169eacbd90f6f7635ccc794feec31139e5416507d0354e37.exe
Resource
win10v2004-20240611-en
General
-
Target
337c65e3feece9ee169eacbd90f6f7635ccc794feec31139e5416507d0354e37.exe
-
Size
7.0MB
-
MD5
01d6bee58c67f08936db8f7541a8c9f7
-
SHA1
4f3a0644079ec977cfdc21bc11675c3e18494f08
-
SHA256
337c65e3feece9ee169eacbd90f6f7635ccc794feec31139e5416507d0354e37
-
SHA512
c45daf00a1235db948f2995c1bb8f7f32748a197cbdd4f91c3ba282ee7ab21449dc4036820dbe86432d89ba23e93160fa65bfdbc5370fb4368cb4f0c7f0a4ae7
-
SSDEEP
98304:6mtk2ahmtk2apmtk2a5mtk2aBmtk2ahmtk2a3dFbnunkn6nQnGn9:ppV59ZAwK0u49
Malware Config
Signatures
-
Detect Neshta payload 64 IoCs
Processes:
resource yara_rule
\Users\Admin\AppData\Local\Temp\3582-490\337c65e3feece9ee169eacbd90f6f7635ccc794feec31139e5416507d0354e37.exe family_neshta
C:\MSOCache\ALLUSE~1\{90140~1\dwtrig20.exe family_neshta
\Users\Admin\AppData\Local\Temp\._cache_337c65e3feece9ee169eacbd90f6f7635ccc794feec31139e5416507d0354e37.exe family_neshta
C:\Windows\svchost.com family_neshta
C:\MSOCache\ALLUSE~1\{90140~1\DW20.EXE family_neshta
C:\MSOCache\ALLUSE~1\{9A861~1\setup.exe family_neshta
C:\MSOCache\ALLUSE~1\{9A861~1\ose.exe family_neshta
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE family_neshta
behavioral1/memory/2320-59-0x0000000000400000-0x0000000000B00000-memory.dmp family_neshta
behavioral1/memory/2556-65-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta
C:\PROGRA~2\COMMON~1\MICROS~1\DW\DWTRIG20.EXE family_neshta
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE family_neshta
behavioral1/memory/2996-108-0x0000000000400000-0x00000000009DF000-memory.dmp family_neshta
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOXMLED.EXE family_neshta
C:\PROGRA~2\MICROS~1\Office14\MSOHTMED.EXE family_neshta
C:\PROGRA~2\MICROS~1\Office14\ONENOTEM.EXE family_neshta
C:\PROGRA~2\MICROS~1\Office14\PPTICO.EXE family_neshta
C:\PROGRA~2\MICROS~1\Office14\WORDICON.EXE family_neshta
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE family_neshta
behavioral1/memory/1928-196-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta
C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE family_neshta
C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE family_neshta
C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE family_neshta
behavioral1/memory/2940-245-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta
behavioral1/memory/1632-244-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta
behavioral1/memory/1196-238-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta
behavioral1/memory/840-232-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta
behavioral1/memory/544-228-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta
behavioral1/memory/1572-253-0x0000000000400000-0x00000000008BE000-memory.dmp family_neshta
behavioral1/memory/2272-257-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta
behavioral1/memory/1500-263-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta
behavioral1/memory/2064-265-0x0000000000400000-0x000000000079E000-memory.dmp family_neshta
behavioral1/memory/1072-272-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta
behavioral1/memory/1080-295-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta
behavioral1/memory/3024-296-0x0000000000400000-0x00000000008BE000-memory.dmp family_neshta
behavioral1/memory/2688-300-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta
behavioral1/memory/2404-306-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta
behavioral1/memory/2648-307-0x0000000000400000-0x000000000079E000-memory.dmp family_neshta
behavioral1/memory/1544-311-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta
behavioral1/memory/1596-317-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta
behavioral1/memory/1692-318-0x0000000000400000-0x00000000008BE000-memory.dmp family_neshta
behavioral1/memory/2724-322-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta
C:\Users\Admin\AppData\Local\Temp\3582-490\._cache__CACHE~2.EXE family_neshta
behavioral1/memory/1660-328-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta
behavioral1/memory/1284-329-0x0000000000400000-0x000000000079E000-memory.dmp family_neshta
behavioral1/memory/3000-333-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta
behavioral1/memory/2560-339-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta
behavioral1/memory/2384-341-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta
behavioral1/memory/2776-342-0x0000000000400000-0x0000000000B00000-memory.dmp family_neshta
behavioral1/memory/2760-343-0x0000000000400000-0x00000000008BE000-memory.dmp family_neshta
behavioral1/memory/2228-340-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta
behavioral1/memory/2504-347-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta
behavioral1/memory/2392-353-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta
behavioral1/memory/1640-354-0x0000000000400000-0x000000000079E000-memory.dmp family_neshta
behavioral1/memory/1644-358-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta
behavioral1/memory/1096-364-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta
behavioral1/memory/1728-365-0x0000000000400000-0x00000000008BE000-memory.dmp family_neshta
behavioral1/memory/712-369-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta
behavioral1/memory/1420-375-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta
behavioral1/memory/1952-376-0x0000000000400000-0x000000000079E000-memory.dmp family_neshta
behavioral1/memory/2092-380-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta
behavioral1/memory/2500-386-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta
behavioral1/memory/1044-387-0x0000000000400000-0x00000000008BE000-memory.dmp family_neshta
behavioral1/memory/752-396-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta -
Neshta
Malware from the Neshta family is a file infector: it inserts its own code into other executable files on the host so that running any of them spreads the infection further and causes damage.
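Neshta is a prepending infector: an infected executable begins with the Neshta body and the original program follows it, which is consistent with the `_cache_` copies this report shows being unpacked into `%TEMP%\3582-490\` and executed. The Python below is an added example, not code from this page or from any vendor's disinfection tool, showing the generic recovery step for a prepender: locate every plausible PE header in the file and carve from the second one. The minimal PE blobs it builds are constructed test input; the e_lfanew range and the header checks are heuristics of mine, not a Neshta signature, and no stub size is assumed.

```python
import struct
from typing import List, Optional, Tuple


def make_min_pe(tag: bytes, is64: bool = False) -> bytes:
    """Constructed test input: a minimal PE-shaped blob (DOS header whose
    e_lfanew points at 'PE\\0\\0', a 20-byte COFF header, the optional-header
    magic, then `tag` as the body). It is not loadable; it only has to look
    like a PE to the checks below."""
    dos = bytearray(0x80)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)              # e_lfanew -> 0x80
    coff = struct.pack("<HHIIIHH",
                       0x8664 if is64 else 0x14C,         # Machine
                       1, 0, 0, 0, 0xF0, 0x22)            # sections, stamps, opt-hdr size, flags
    magic = struct.pack("<H", 0x20B if is64 else 0x10B)  # PE32+ / PE32
    return bytes(dos) + b"PE\x00\x00" + coff + magic + tag


def _looks_like_pe(buf: bytes, off: int) -> bool:
    """True if buf[off:] starts with a plausible PE image: 'MZ', an e_lfanew
    in a sane range (heuristic: 0x40..0x1000), 'PE\\0\\0' at that offset and a
    known optional-header magic right after the COFF header."""
    if buf[off:off + 2] != b"MZ" or off + 0x40 > len(buf):
        return False
    e_lfanew = struct.unpack_from("<I", buf, off + 0x3C)[0]
    if not 0x40 <= e_lfanew <= 0x1000:
        return False
    sig = off + e_lfanew
    if sig + 26 > len(buf) or buf[sig:sig + 4] != b"PE\x00\x00":
        return False
    return struct.unpack_from("<H", buf, sig + 24)[0] in (0x10B, 0x20B)


def find_pe_offsets(buf: bytes) -> List[int]:
    """Every offset at which a plausible PE image begins, in file order."""
    offsets, pos = [], 0
    while (pos := buf.find(b"MZ", pos)) != -1:
        if _looks_like_pe(buf, pos):
            offsets.append(pos)
        pos += 1
    return offsets


def carve_host(infected: bytes) -> Optional[Tuple[int, bytes]]:
    """For a prepender-infected file the first PE is the infector stub and the
    next one is the original host. Returns (stub_length, host_bytes), or None
    when the file holds a single PE (clean, or not a prepender infection)."""
    offsets = find_pe_offsets(infected)
    if len(offsets) < 2:
        return None
    host_start = offsets[1]
    return host_start, infected[host_start:]


if __name__ == "__main__":
    stub = make_min_pe(b"STUB" + b"\x00" * 1024)   # stands in for the infector body
    host = make_min_pe(b"HOST-PROGRAM", is64=True)  # stands in for the victim program
    result = carve_host(stub + host)
    assert result is not None
    stub_len, carved = result
    print(f"stub length {stub_len} bytes, host recovered intact: {carved == host}")
```

On a real infected file, confirm the carve by comparing the recovered bytes against a known-good hash or the vendor's signed copy: installers and self-extracting archives legitimately embed a second PE, so a second header alone is not proof of infection.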
-
Executes dropped EXE 58 IoCs
Processes:
pid process
2320 337c65e3feece9ee169eacbd90f6f7635ccc794feec31139e5416507d0354e37.exe
2384 ._cache_337c65e3feece9ee169eacbd90f6f7635ccc794feec31139e5416507d0354e37.exe
2556 svchost.com
2776 Synaptics.exe
2996 _CACHE~1.EXE
1928 ._cache__CACHE~1.EXE
1932 Synaptics.exe
544 ._cache_Synaptics.exe
2940 svchost.com
840 ._cache_Synaptics.exe
1572 _CACHE~2.EXE
1196 svchost.com
1632 svchost.com
2272 ._cache__CACHE~2.EXE
1500 svchost.com
2064 _CACHE~1.EXE
1072 ._cache__CACHE~1.EXE
1080 svchost.com
3024 _CACHE~2.EXE
2688 ._cache__CACHE~2.EXE
2404 svchost.com
2648 _CACHE~1.EXE
1544 ._cache__CACHE~1.EXE
1596 svchost.com
1692 _CACHE~2.EXE
2724 ._cache__CACHE~2.EXE
1660 svchost.com
1284 _CACHE~1.EXE
3000 ._cache__CACHE~1.EXE
2560 svchost.com
2760 _CACHE~2.EXE
2504 ._cache__CACHE~2.EXE
2392 svchost.com
1640 _CACHE~1.EXE
1644 ._cache__CACHE~1.EXE
1096 svchost.com
1728 _CACHE~2.EXE
712 ._cache__CACHE~2.EXE
1420 svchost.com
1952 _CACHE~1.EXE
2092 ._cache__CACHE~1.EXE
2500 svchost.com
1044 _CACHE~2.EXE
752 ._cache__CACHE~2.EXE
2444 svchost.com
880 _CACHE~1.EXE
2464 ._cache__CACHE~1.EXE
1600 svchost.com
1616 _CACHE~2.EXE
2428 ._cache__CACHE~2.EXE
2708 svchost.com
2768 _CACHE~1.EXE
2896 ._cache__CACHE~1.EXE
2576 svchost.com
2532 _CACHE~2.EXE
2756 ._cache__CACHE~2.EXE
1224 svchost.com
1624 _CACHE~1.EXE -
Loads dropped DLL 64 IoCs
Processes:
pid process (number of load events)
2228 337c65e3feece9ee169eacbd90f6f7635ccc794feec31139e5416507d0354e37.exe (2)
2320 337c65e3feece9ee169eacbd90f6f7635ccc794feec31139e5416507d0354e37.exe (5)
2556 svchost.com (2)
2384 ._cache_337c65e3feece9ee169eacbd90f6f7635ccc794feec31139e5416507d0354e37.exe (1)
2228 337c65e3feece9ee169eacbd90f6f7635ccc794feec31139e5416507d0354e37.exe (1)
2996 _CACHE~1.EXE (4)
1932 Synaptics.exe (1)
2776 Synaptics.exe (3)
2940 svchost.com (1)
1932 Synaptics.exe (3)
2228 337c65e3feece9ee169eacbd90f6f7635ccc794feec31139e5416507d0354e37.exe (1)
2384 ._cache_337c65e3feece9ee169eacbd90f6f7635ccc794feec31139e5416507d0354e37.exe (1)
2228 337c65e3feece9ee169eacbd90f6f7635ccc794feec31139e5416507d0354e37.exe (1)
2384 ._cache_337c65e3feece9ee169eacbd90f6f7635ccc794feec31139e5416507d0354e37.exe (1)
1572 _CACHE~2.EXE (3)
1808 EXCEL.EXE (4)
1500 svchost.com (2)
2064 _CACHE~1.EXE (4)
1080 svchost.com (2)
3024 _CACHE~2.EXE (4)
2404 svchost.com (2)
2648 _CACHE~1.EXE (4)
1596 svchost.com (2)
1692 _CACHE~2.EXE (4)
1660 svchost.com (2)
1284 _CACHE~1.EXE (4) -
Modifies system executable filetype association 2 TTPs 1 IoCs
Processes: 337c65e3feece9ee169eacbd90f6f7635ccc794feec31139e5416507d0354e37.exe
description ioc process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" 337c65e3feece9ee169eacbd90f6f7635ccc794feec31139e5416507d0354e37.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials.
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes: 337c65e3feece9ee169eacbd90f6f7635ccc794feec31139e5416507d0354e37.exe, _CACHE~1.EXE
description ioc process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" 337c65e3feece9ee169eacbd90f6f7635ccc794feec31139e5416507d0354e37.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" _CACHE~1.EXE -
Drops file in Program Files directory 64 IoCs
Processes:
337c65e3feece9ee169eacbd90f6f7635ccc794feec31139e5416507d0354e37.exe._cache_337c65e3feece9ee169eacbd90f6f7635ccc794feec31139e5416507d0354e37.exedescription ioc process File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Resource\Icons\SC_REA~1.EXE 337c65e3feece9ee169eacbd90f6f7635ccc794feec31139e5416507d0354e37.exe File opened for modification C:\PROGRA~2\Adobe\READER~1.0\SETUPF~1\{AC76B~1\Setup.exe 337c65e3feece9ee169eacbd90f6f7635ccc794feec31139e5416507d0354e37.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\INFOPATH.EXE 337c65e3feece9ee169eacbd90f6f7635ccc794feec31139e5416507d0354e37.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\ONENOTE.EXE ._cache_337c65e3feece9ee169eacbd90f6f7635ccc794feec31139e5416507d0354e37.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE ._cache_337c65e3feece9ee169eacbd90f6f7635ccc794feec31139e5416507d0354e37.exe File opened for modification C:\PROGRA~2\INTERN~1\ieinstal.exe 337c65e3feece9ee169eacbd90f6f7635ccc794feec31139e5416507d0354e37.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\ACCICONS.EXE 337c65e3feece9ee169eacbd90f6f7635ccc794feec31139e5416507d0354e37.exe File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe 337c65e3feece9ee169eacbd90f6f7635ccc794feec31139e5416507d0354e37.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE 337c65e3feece9ee169eacbd90f6f7635ccc794feec31139e5416507d0354e37.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\1033\ONELEV.EXE ._cache_337c65e3feece9ee169eacbd90f6f7635ccc794feec31139e5416507d0354e37.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\XLICONS.EXE ._cache_337c65e3feece9ee169eacbd90f6f7635ccc794feec31139e5416507d0354e37.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE 337c65e3feece9ee169eacbd90f6f7635ccc794feec31139e5416507d0354e37.exe File opened for modification C:\PROGRA~2\WI54FB~1\wmlaunch.exe 
337c65e3feece9ee169eacbd90f6f7635ccc794feec31139e5416507d0354e37.exe File opened for modification C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE 337c65e3feece9ee169eacbd90f6f7635ccc794feec31139e5416507d0354e37.exe File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE ._cache_337c65e3feece9ee169eacbd90f6f7635ccc794feec31139e5416507d0354e37.exe File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOF5E2~1.EXE 337c65e3feece9ee169eacbd90f6f7635ccc794feec31139e5416507d0354e37.exe File opened for modification C:\PROGRA~2\INTERN~1\ieinstal.exe ._cache_337c65e3feece9ee169eacbd90f6f7635ccc794feec31139e5416507d0354e37.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\ACCICONS.EXE ._cache_337c65e3feece9ee169eacbd90f6f7635ccc794feec31139e5416507d0354e37.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSOHTMED.EXE ._cache_337c65e3feece9ee169eacbd90f6f7635ccc794feec31139e5416507d0354e37.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\ONENOTEM.EXE 337c65e3feece9ee169eacbd90f6f7635ccc794feec31139e5416507d0354e37.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\ONENOTEM.EXE ._cache_337c65e3feece9ee169eacbd90f6f7635ccc794feec31139e5416507d0354e37.exe File opened for modification C:\PROGRA~2\WINDOW~4\ImagingDevices.exe ._cache_337c65e3feece9ee169eacbd90f6f7635ccc794feec31139e5416507d0354e37.exe File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE 337c65e3feece9ee169eacbd90f6f7635ccc794feec31139e5416507d0354e37.exe File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe ._cache_337c65e3feece9ee169eacbd90f6f7635ccc794feec31139e5416507d0354e37.exe File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE ._cache_337c65e3feece9ee169eacbd90f6f7635ccc794feec31139e5416507d0354e37.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXE 337c65e3feece9ee169eacbd90f6f7635ccc794feec31139e5416507d0354e37.exe File opened for 
modification C:\PROGRA~2\MICROS~1\Office14\MSTORDB.EXE 337c65e3feece9ee169eacbd90f6f7635ccc794feec31139e5416507d0354e37.exe File opened for modification C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE ._cache_337c65e3feece9ee169eacbd90f6f7635ccc794feec31139e5416507d0354e37.exe File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Resource\Icons\SC_REA~1.EXE ._cache_337c65e3feece9ee169eacbd90f6f7635ccc794feec31139e5416507d0354e37.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\ink\mip.exe ._cache_337c65e3feece9ee169eacbd90f6f7635ccc794feec31139e5416507d0354e37.exe File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE 337c65e3feece9ee169eacbd90f6f7635ccc794feec31139e5416507d0354e37.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\misc.exe ._cache_337c65e3feece9ee169eacbd90f6f7635ccc794feec31139e5416507d0354e37.exe File opened for modification C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE ._cache_337c65e3feece9ee169eacbd90f6f7635ccc794feec31139e5416507d0354e37.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE ._cache_337c65e3feece9ee169eacbd90f6f7635ccc794feec31139e5416507d0354e37.exe File opened for modification C:\PROGRA~2\INTERN~1\iexplore.exe 337c65e3feece9ee169eacbd90f6f7635ccc794feec31139e5416507d0354e37.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE ._cache_337c65e3feece9ee169eacbd90f6f7635ccc794feec31139e5416507d0354e37.exe File opened for modification C:\PROGRA~2\WI54FB~1\wmplayer.exe ._cache_337c65e3feece9ee169eacbd90f6f7635ccc794feec31139e5416507d0354e37.exe File opened for modification C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE ._cache_337c65e3feece9ee169eacbd90f6f7635ccc794feec31139e5416507d0354e37.exe File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE ._cache_337c65e3feece9ee169eacbd90f6f7635ccc794feec31139e5416507d0354e37.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\EQUATION\EQNEDT32.EXE 
337c65e3feece9ee169eacbd90f6f7635ccc794feec31139e5416507d0354e37.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\IECONT~1.EXE 337c65e3feece9ee169eacbd90f6f7635ccc794feec31139e5416507d0354e37.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\SELFCERT.EXE ._cache_337c65e3feece9ee169eacbd90f6f7635ccc794feec31139e5416507d0354e37.exe File opened for modification C:\PROGRA~2\WINDOW~1\WinMail.exe ._cache_337c65e3feece9ee169eacbd90f6f7635ccc794feec31139e5416507d0354e37.exe File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~2.EXE 337c65e3feece9ee169eacbd90f6f7635ccc794feec31139e5416507d0354e37.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\IECONT~1.EXE ._cache_337c65e3feece9ee169eacbd90f6f7635ccc794feec31139e5416507d0354e37.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\OIS.EXE 337c65e3feece9ee169eacbd90f6f7635ccc794feec31139e5416507d0354e37.exe File opened for modification C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE 337c65e3feece9ee169eacbd90f6f7635ccc794feec31139e5416507d0354e37.exe File opened for modification C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE 337c65e3feece9ee169eacbd90f6f7635ccc794feec31139e5416507d0354e37.exe File opened for modification C:\PROGRA~2\WINDOW~2\ACCESS~1\wordpad.exe ._cache_337c65e3feece9ee169eacbd90f6f7635ccc794feec31139e5416507d0354e37.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe 337c65e3feece9ee169eacbd90f6f7635ccc794feec31139e5416507d0354e37.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE 337c65e3feece9ee169eacbd90f6f7635ccc794feec31139e5416507d0354e37.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE ._cache_337c65e3feece9ee169eacbd90f6f7635ccc794feec31139e5416507d0354e37.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\POWERPNT.EXE 337c65e3feece9ee169eacbd90f6f7635ccc794feec31139e5416507d0354e37.exe File opened for modification 
C:\PROGRA~2\WINDOW~1\wabmig.exe ._cache_337c65e3feece9ee169eacbd90f6f7635ccc794feec31139e5416507d0354e37.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\PPTICO.EXE ._cache_337c65e3feece9ee169eacbd90f6f7635ccc794feec31139e5416507d0354e37.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\WINWORD.EXE 337c65e3feece9ee169eacbd90f6f7635ccc794feec31139e5416507d0354e37.exe File opened for modification C:\PROGRA~2\WI54FB~1\wmprph.exe 337c65e3feece9ee169eacbd90f6f7635ccc794feec31139e5416507d0354e37.exe File opened for modification C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXE 337c65e3feece9ee169eacbd90f6f7635ccc794feec31139e5416507d0354e37.exe File opened for modification C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE ._cache_337c65e3feece9ee169eacbd90f6f7635ccc794feec31139e5416507d0354e37.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\SOURCE~1\OSE.EXE ._cache_337c65e3feece9ee169eacbd90f6f7635ccc794feec31139e5416507d0354e37.exe File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOF5E2~1.EXE ._cache_337c65e3feece9ee169eacbd90f6f7635ccc794feec31139e5416507d0354e37.exe File opened for modification C:\PROGRA~2\INTERN~1\ielowutil.exe ._cache_337c65e3feece9ee169eacbd90f6f7635ccc794feec31139e5416507d0354e37.exe File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~1.EXE ._cache_337c65e3feece9ee169eacbd90f6f7635ccc794feec31139e5416507d0354e37.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\CLVIEW.EXE 337c65e3feece9ee169eacbd90f6f7635ccc794feec31139e5416507d0354e37.exe -
Drops file in Windows directory 64 IoCs
Processes: svchost.com, ._cache__CACHE~1.EXE, ._cache__CACHE~2.EXE, 337c65e3feece9ee169eacbd90f6f7635ccc794feec31139e5416507d0354e37.exe, ._cache_337c65e3feece9ee169eacbd90f6f7635ccc794feec31139e5416507d0354e37.exe, ._cache_Synaptics.exe
description ioc process
File opened for modification C:\Windows\svchost.com svchost.com
File opened for modification C:\Windows\directx.sys svchost.com
File opened for modification C:\Windows\directx.sys ._cache__CACHE~1.EXE
File opened for modification C:\Windows\svchost.com svchost.com
File opened for modification C:\Windows\directx.sys svchost.com
File opened for modification C:\Windows\directx.sys ._cache__CACHE~1.EXE
File opened for modification C:\Windows\svchost.com ._cache__CACHE~2.EXE
File opened for modification C:\Windows\svchost.com ._cache__CACHE~1.EXE
File opened for modification C:\Windows\directx.sys svchost.com
File opened for modification C:\Windows\svchost.com svchost.com
File opened for modification C:\Windows\directx.sys svchost.com
File opened for modification C:\Windows\svchost.com svchost.com
File opened for modification C:\Windows\svchost.com svchost.com
File opened for modification C:\Windows\svchost.com ._cache__CACHE~2.EXE
File opened for modification C:\Windows\directx.sys ._cache__CACHE~2.EXE
File opened for modification C:\Windows\svchost.com 337c65e3feece9ee169eacbd90f6f7635ccc794feec31139e5416507d0354e37.exe
File opened for modification C:\Windows\directx.sys svchost.com
File opened for modification C:\Windows\directx.sys ._cache__CACHE~1.EXE
File opened for modification C:\Windows\directx.sys ._cache__CACHE~1.EXE
File opened for modification C:\Windows\svchost.com ._cache__CACHE~2.EXE
File opened for modification C:\Windows\svchost.com ._cache__CACHE~1.EXE
File opened for modification C:\Windows\svchost.com ._cache__CACHE~2.EXE
File opened for modification C:\Windows\svchost.com svchost.com
File opened for modification C:\Windows\svchost.com svchost.com
File opened for modification C:\Windows\svchost.com ._cache_337c65e3feece9ee169eacbd90f6f7635ccc794feec31139e5416507d0354e37.exe
File opened for modification C:\Windows\svchost.com svchost.com
File opened for modification C:\Windows\svchost.com svchost.com
File opened for modification C:\Windows\directx.sys svchost.com
File opened for modification C:\Windows\directx.sys ._cache_Synaptics.exe
File opened for modification C:\Windows\directx.sys svchost.com
File opened for modification C:\Windows\directx.sys svchost.com
File opened for modification C:\Windows\svchost.com ._cache__CACHE~1.EXE
File opened for modification C:\Windows\directx.sys svchost.com
File opened for modification C:\Windows\svchost.com ._cache__CACHE~1.EXE
File opened for modification C:\Windows\directx.sys ._cache__CACHE~1.EXE
File opened for modification C:\Windows\svchost.com svchost.com
File opened for modification C:\Windows\svchost.com ._cache__CACHE~1.EXE
File opened for modification C:\Windows\svchost.com ._cache__CACHE~2.EXE
File opened for modification C:\Windows\directx.sys ._cache__CACHE~2.EXE
File opened for modification C:\Windows\svchost.com ._cache__CACHE~1.EXE
File opened for modification C:\Windows\directx.sys svchost.com
File opened for modification C:\Windows\directx.sys svchost.com
File opened for modification C:\Windows\svchost.com svchost.com
File opened for modification C:\Windows\svchost.com ._cache_Synaptics.exe
File opened for modification C:\Windows\directx.sys ._cache__CACHE~2.EXE
File opened for modification C:\Windows\directx.sys ._cache__CACHE~1.EXE
File opened for modification C:\Windows\svchost.com svchost.com
File opened for modification C:\Windows\directx.sys ._cache__CACHE~1.EXE
File opened for modification C:\Windows\svchost.com ._cache__CACHE~2.EXE
File opened for modification C:\Windows\directx.sys svchost.com
File opened for modification C:\Windows\directx.sys svchost.com
File opened for modification C:\Windows\svchost.com ._cache__CACHE~1.EXE
File opened for modification C:\Windows\directx.sys ._cache__CACHE~2.EXE
File opened for modification C:\Windows\directx.sys svchost.com
File opened for modification C:\Windows\directx.sys svchost.com
File opened for modification C:\Windows\svchost.com svchost.com
File opened for modification C:\Windows\directx.sys ._cache__CACHE~2.EXE
File opened for modification C:\Windows\directx.sys ._cache__CACHE~2.EXE
File opened for modification C:\Windows\svchost.com svchost.com
File opened for modification C:\Windows\svchost.com ._cache_Synaptics.exe
File opened for modification C:\Windows\directx.sys svchost.com
File opened for modification C:\Windows\directx.sys svchost.com
File opened for modification C:\Windows\directx.sys ._cache__CACHE~1.EXE
File opened for modification C:\Windows\svchost.com ._cache__CACHE~1.EXE -
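The three behaviours recorded above (the `exefile\shell\open\command` hijack, the `Run` key pointing at `C:\ProgramData\Synaptics\Synaptics.exe`, and the writes to `C:\Windows\svchost.com`, `C:\Windows\directx.sys` and to `.exe` files under Program Files) are the signals a triage script should pull out of this kind of event log. The Python below is an added example, not code from this page or from the sandbox vendor: it parses event lines in the one-line `Set value (...)` / `File opened for modification ...` format shown in this report and returns typed findings. The sample input reuses lines from the report plus one constructed benign `Run` entry (OneDrive, assumed) so a non-match is visible; the severity thresholds and the stock `"%1" %*` default are my assumptions, not something the report states.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Sample input: lines copied from the report above in the sandbox's own format,
# plus one constructed benign Run entry (OneDrive) so a non-match is visible.
# Other event kinds (e.g. "Key created ...") are skipped as out of scope.
SAMPLE_EVENTS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" 337c65e3feece9ee169eacbd90f6f7635ccc794feec31139e5416507d0354e37.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" _CACHE~1.EXE',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon EXCEL.EXE',
    r'File opened for modification C:\Windows\svchost.com 337c65e3feece9ee169eacbd90f6f7635ccc794feec31139e5416507d0354e37.exe',
    r'File opened for modification C:\Windows\directx.sys svchost.com',
    r'File opened for modification C:\PROGRA~2\MICROS~1\Office14\WINWORD.EXE 337c65e3feece9ee169eacbd90f6f7635ccc794feec31139e5416507d0354e37.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive = "C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe" explorer.exe',  # constructed benign entry
]

SET_VALUE_RE = re.compile(r'^Set value \((\w+)\) (.+?) = "(.*)" (\S+)$')
FILE_MOD_RE = re.compile(r'^File opened for modification (.+) (\S+)$')

EXEFILE_DEFAULT = '"%1" %*'   # stock HKCR\exefile\shell\open\command data (assumption: unmodified Windows)
NESHTA_FILES = {'c:\\windows\\svchost.com', 'c:\\windows\\directx.sys'}  # from this report
PROGRAM_DIRS = ('c:\\progra~2\\', 'c:\\progra~1\\', 'c:\\program files')


@dataclass
class Finding:
    kind: str
    severity: str
    process: str
    target: str      # registry key or file path
    value: str = ""  # registry data, where applicable


def _unescape(raw: str) -> str:
    """The sandbox prints registry strings with \\" and \\\\ escapes; undo them."""
    return raw.replace('\\"', '"').replace('\\\\', '\\')


def _classify_registry(key: str, value: str, proc: str) -> Optional[Finding]:
    k = key.lower().rstrip('\\')
    if k.endswith(r'\classes\exefile\shell\open\command'):
        # Any non-default handler means every .exe launch is proxied (Neshta: svchost.com).
        if value != EXEFILE_DEFAULT:
            return Finding("exefile_hijack", "high", proc, key, value)
        return None
    if '\\currentversion\\run\\' in k:
        v = value.lower()
        # Heuristic: autoruns from ProgramData or the user's Temp are rarely legitimate.
        suspicious = v.startswith('c:\\programdata\\') or '\\appdata\\local\\temp\\' in v
        return Finding("run_key", "high" if suspicious else "info", proc, key, value)
    return None


def _classify_file(path: str, proc: str) -> Optional[Finding]:
    p = path.lower()
    if p in NESHTA_FILES or '\\3582-490\\' in p:
        return Finding("neshta_artifact", "high", proc, path)
    if p.endswith('.exe') and p.startswith(PROGRAM_DIRS):
        # Opening installed programs for write is the infector walking Program Files.
        return Finding("exe_modified", "medium", proc, path)
    return None


def analyze(lines: Iterable[str]) -> List[Finding]:
    """Parse sandbox event lines and return the findings worth escalating, in order."""
    findings: List[Finding] = []
    for line in lines:
        m = SET_VALUE_RE.match(line)
        if m:
            _, key, raw, proc = m.groups()
            f = _classify_registry(key, _unescape(raw), proc)
        else:
            m = FILE_MOD_RE.match(line)
            f = _classify_file(m.group(1), m.group(2)) if m else None
        if f:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"[{f.severity:6}] {f.kind:16} {f.process}: {f.target} {f.value}")
```

The `exefile` rule is the one to act on first during incident response: while that value points at `C:\Windows\svchost.com`, deleting the dropper alone leaves every `.exe` launch routed through the infector, so the association has to be restored before anything else is run on the host.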
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Enumerates system info in registry 2 TTPs 1 IoCs
Processes: EXCEL.EXE
description ioc process
Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE -
Processes:
EXCEL.EXEdescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command EXCEL.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor EXCEL.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor EXCEL.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit EXCEL.EXE Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel EXCEL.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" EXCEL.EXE Key deleted 
\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell EXCEL.EXE Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\MenuExt EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" EXCEL.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" EXCEL.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" EXCEL.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND EXCEL.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 EXCEL.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit EXCEL.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell EXCEL.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" EXCEL.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet 
Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" EXCEL.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" EXCEL.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command EXCEL.EXE Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Toolbar EXCEL.EXE Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote EXCEL.EXE -
Modifies registry class 64 IoCs
Processes: 337c65e3feece9ee169eacbd90f6f7635ccc794feec31139e5416507d0354e37.exe, EXCEL.EXE
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | 337c65e3feece9ee169eacbd90f6f7635ccc794feec31139e5416507d0354e37.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version | EXCEL.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" | EXCEL.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit" | EXCEL.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" | EXCEL.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment" | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command | EXCEL.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print" | EXCEL.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open" | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler | EXCEL.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler | EXCEL.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open" | EXCEL.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open" | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher | EXCEL.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon | EXCEL.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command | EXCEL.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" | EXCEL.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command | EXCEL.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\"" | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command | EXCEL.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic | EXCEL.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit | EXCEL.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open" | EXCEL.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" | EXCEL.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | EXCEL.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe | EXCEL.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile | EXCEL.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | EXCEL.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command | EXCEL.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open" | EXCEL.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | EXCEL.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" | EXCEL.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell | EXCEL.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit | EXCEL.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit | EXCEL.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command | EXCEL.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command | EXCEL.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" | EXCEL.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec | EXCEL.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 | EXCEL.EXE
-
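Only one of the 64 rows above comes from the sample itself: the rewrite of exefile\shell\open\command to C:\Windows\svchost.com "%1" %*, which is how Neshta gets control every time any .exe is launched (the Windows default for that value is "%1" %*). Every other row is written by EXCEL.EXE, and the long hex values under ...\shell\edit\command\command are Windows Installer advertised-command descriptors (a 20-character product token, a feature name, ">", a 20-character component token, then the arguments), which Office writes when it re-registers its file classes. The script below is an added example and not part of the sandbox report: it parses rows in the report's own layout, decodes the hex values as UTF-16LE, splits the descriptors, and flags any non-default exefile open command. The sample rows are copied from the table above; ROW_RE and the other names are the example's own.

```python
import re

# Rows copied from the "Modifies registry class" table of this report. The
# report's own escaping inside quoted values (\\ and \") is kept verbatim.
SAMPLE = "337c65e3feece9ee169eacbd90f6f7635ccc794feec31139e5416507d0354e37.exe"
WORD_BLOB = "7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000"
EXCEL_BLOB = "7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000"
PUB_BLOB = "7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000"
REPORT_ROWS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" ' + SAMPLE,
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec EXCEL.EXE',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" EXCEL.EXE',
    r'Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = ' + WORD_BLOB + ' EXCEL.EXE',
    r'Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = ' + EXCEL_BLOB + ' EXCEL.EXE',
    r'Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = ' + PUB_BLOB + ' EXCEL.EXE',
]

# One report row: <operation> <key>[ = <value>] <process>. Keys may contain
# spaces, so the key is matched lazily and the process is the last token.
ROW_RE = re.compile(
    r"^(?P<op>Key created|Key deleted|Set value \((?P<type>str|int|data)\))\s+"
    r"(?P<key>\\REGISTRY\\.*?)"
    r"(?:\s+=\s+(?P<value>.*))?"
    r"\s+(?P<process>\S+)$"
)

# Advertised-command (Darwin) descriptor layout: 20-char product token,
# feature name, '>', 20-char component token, then the command-line arguments.
DARWIN_RE = re.compile(r"^(?P<product>.{20})(?P<feature>[A-Za-z0-9_.]+)>(?P<component>.{20})(?P<args>.*)$")

DEFAULT_EXE_OPEN = '"%1" %*'  # Windows default for exefile\shell\open\command


def parse_row(row):
    """Split one report row into op/type/key/value/process (None if not a row)."""
    m = ROW_RE.match(row.strip())
    return m.groupdict() if m else None


def unescape_report_value(value):
    """Strip the report's surrounding quotes and its backslash escapes."""
    if len(value) >= 2 and value[0] == value[-1] == '"':
        value = value[1:-1]
    return re.sub(r"\\(.)", r"\1", value)


def decode_data_blob(hex_blob):
    """The report prints these values as hex; the bytes are UTF-16LE text."""
    return bytes.fromhex(hex_blob).decode("utf-16-le").rstrip("\x00")


def split_darwin_descriptor(text):
    """Return product/feature/component/args of a decoded descriptor, or None."""
    m = DARWIN_RE.match(text)
    if not m:
        return None
    parts = m.groupdict()
    parts["args"] = parts["args"].strip()
    return parts


def advertised_commands(rows):
    """Every (data) row whose decoded value is an advertised-command descriptor."""
    found = []
    for row in rows:
        e = parse_row(row)
        if e and e["type"] == "data":
            parts = split_darwin_descriptor(decode_data_blob(e["value"]))
            if parts:
                found.append({"key": e["key"], **parts})
    return found


def find_exefile_hijack(rows):
    """Flag any exefile\\shell\\open\\command that is not the Windows default."""
    findings = []
    for row in rows:
        e = parse_row(row)
        if not e or e["type"] != "str":
            continue
        if not e["key"].lower().rstrip("\\").endswith(r"\classes\exefile\shell\open\command"):
            continue
        command = unescape_report_value(e["value"])
        if command != DEFAULT_EXE_OPEN:
            findings.append({"process": e["process"], "command": command,
                             "launcher": command.split(' "%1"', 1)[0]})
    return findings


if __name__ == "__main__":
    for f in find_exefile_hijack(REPORT_ROWS):
        print("exefile hijack by", f["process"], "->", f["launcher"])
    for a in advertised_commands(REPORT_ROWS):
        print(a["feature"], a["args"], "<-", a["key"])
```

Run against the six rows it reports one hijack (launcher C:\Windows\svchost.com, written by the sample) and three Office descriptors (WORDFiles with /n "%1", EXCELFiles with /dde, PubPrimary with %1). On a live host the remediation is to restore exefile\shell\open\command to "%1" %* after the infected binaries and C:\Windows\svchost.com have been dealt with; restoring the value first only breaks the launcher chain while the infected copies stay on disk.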
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes: EXCEL.EXE
pid | process
1808 | EXCEL.EXE
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes: EXCEL.EXE
pid | process
1808 | EXCEL.EXE
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes: 337c65e3feece9ee169eacbd90f6f7635ccc794feec31139e5416507d0354e37.exe, 337c65e3feece9ee169eacbd90f6f7635ccc794feec31139e5416507d0354e37.exe, ._cache_337c65e3feece9ee169eacbd90f6f7635ccc794feec31139e5416507d0354e37.exe, svchost.com, _CACHE~1.EXE, Synaptics.exe, ._cache__CACHE~1.EXE, svchost.com, Synaptics.exe, ._cache_Synaptics.exe, ._cache_Synaptics.exe, _CACHE~2.EXE, ._cache__CACHE~2.EXE, svchost.com
description | pid | process | target process
PID 2228 wrote to memory of 2320 (logged 4 times) | 2228 | 337c65e3feece9ee169eacbd90f6f7635ccc794feec31139e5416507d0354e37.exe | 337c65e3feece9ee169eacbd90f6f7635ccc794feec31139e5416507d0354e37.exe
PID 2320 wrote to memory of 2384 (logged 4 times) | 2320 | 337c65e3feece9ee169eacbd90f6f7635ccc794feec31139e5416507d0354e37.exe | ._cache_337c65e3feece9ee169eacbd90f6f7635ccc794feec31139e5416507d0354e37.exe
PID 2384 wrote to memory of 2556 (logged 4 times) | 2384 | ._cache_337c65e3feece9ee169eacbd90f6f7635ccc794feec31139e5416507d0354e37.exe | svchost.com
PID 2320 wrote to memory of 2776 (logged 4 times) | 2320 | 337c65e3feece9ee169eacbd90f6f7635ccc794feec31139e5416507d0354e37.exe | Synaptics.exe
PID 2556 wrote to memory of 2996 (logged 4 times) | 2556 | svchost.com | ._cache__CACHE~1.EXE
PID 2996 wrote to memory of 1928 (logged 4 times) | 2996 | _CACHE~1.EXE | ._cache__CACHE~1.EXE
PID 2996 wrote to memory of 1932 (logged 4 times) | 2996 | _CACHE~1.EXE | Synaptics.exe
PID 2776 wrote to memory of 544 (logged 4 times) | 2776 | Synaptics.exe | ._cache_Synaptics.exe
PID 1928 wrote to memory of 2940 (logged 4 times) | 1928 | ._cache__CACHE~1.EXE | svchost.com
PID 2940 wrote to memory of 1572 (logged 4 times) | 2940 | svchost.com | _CACHE~2.EXE
PID 1932 wrote to memory of 840 (logged 4 times) | 1932 | Synaptics.exe | ._cache_Synaptics.exe
PID 840 wrote to memory of 1196 (logged 4 times) | 840 | ._cache_Synaptics.exe | svchost.com
PID 544 wrote to memory of 1632 (logged 4 times) | 544 | ._cache_Synaptics.exe | svchost.com
PID 1572 wrote to memory of 2272 (logged 4 times) | 1572 | _CACHE~2.EXE | svchost.com
PID 2272 wrote to memory of 1500 (logged 4 times) | 2272 | ._cache__CACHE~2.EXE | ._cache__CACHE~1.EXE
PID 1500 wrote to memory of 2064 (logged 4 times) | 1500 | svchost.com | svchost.com
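The WriteProcessMemory rows are the only place in the report that ties parent PIDs to child PIDs, so they are what an analyst rebuilds the launch chain from. Two things are worth pulling out of them: which children were started by C:\Windows\svchost.com (each of those went through the hijacked exefile association rather than a direct launch), and how long the chain gets before the sandbox's time limit. Note that the target-process column is not reliable in this report: PID 2996 is named ._cache__CACHE~1.EXE where it appears as a target but _CACHE~1.EXE where it appears as a source, and the process tree below agrees with the source column. The script is an added example, not part of the sandbox report; it trusts only the source column for image names and keeps the target column as a hint. The rows are copied from the table above (the first pair kept four times, the rest once, to show the de-duplication); the function and variable names are the example's own.

```python
import re
from collections import Counter, defaultdict

SAMPLE = "337c65e3feece9ee169eacbd90f6f7635ccc794feec31139e5416507d0354e37.exe"

# Rows copied from the WriteProcessMemory table of this report.
WPM_ROWS = [
    f"PID 2228 wrote to memory of 2320 2228 {SAMPLE} {SAMPLE}",
] * 4 + [
    f"PID 2320 wrote to memory of 2384 2320 {SAMPLE} ._cache_{SAMPLE}",
    f"PID 2384 wrote to memory of 2556 2384 ._cache_{SAMPLE} svchost.com",
    f"PID 2320 wrote to memory of 2776 2320 {SAMPLE} Synaptics.exe",
    "PID 2556 wrote to memory of 2996 2556 svchost.com ._cache__CACHE~1.EXE",
    "PID 2996 wrote to memory of 1928 2996 _CACHE~1.EXE ._cache__CACHE~1.EXE",
    "PID 2996 wrote to memory of 1932 2996 _CACHE~1.EXE Synaptics.exe",
    "PID 2776 wrote to memory of 544 2776 Synaptics.exe ._cache_Synaptics.exe",
    "PID 1928 wrote to memory of 2940 1928 ._cache__CACHE~1.EXE svchost.com",
    "PID 2940 wrote to memory of 1572 2940 svchost.com _CACHE~2.EXE",
    "PID 1932 wrote to memory of 840 1932 Synaptics.exe ._cache_Synaptics.exe",
    "PID 840 wrote to memory of 1196 840 ._cache_Synaptics.exe svchost.com",
    "PID 544 wrote to memory of 1632 544 ._cache_Synaptics.exe svchost.com",
    "PID 1572 wrote to memory of 2272 1572 _CACHE~2.EXE svchost.com",
    "PID 2272 wrote to memory of 1500 2272 ._cache__CACHE~2.EXE ._cache__CACHE~1.EXE",
    "PID 1500 wrote to memory of 2064 1500 svchost.com svchost.com",
]

# "PID <src> wrote to memory of <dst> <src> <src image> <dst image>"
ROW_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) "
    r"(?P<src_image>\S+) (?P<dst_image>\S+)$"
)

LAUNCHER = "svchost.com"  # image registered under exefile\shell\open\command


def parse_rows(rows):
    """Return (edge counts, images by pid from the source column, target-column hints)."""
    edges = Counter()
    images = {}
    hints = {}
    for row in rows:
        m = ROW_RE.match(row.strip())
        if not m:
            continue
        src, dst = int(m["src"]), int(m["dst"])
        edges[(src, dst)] += 1
        images[src] = m["src_image"]          # authoritative
        hints.setdefault(dst, m["dst_image"])  # first sighting only, not trusted
    return edges, images, hints


def longest_chain(edges, root):
    """Deepest parent->child path from root, as a list of pids."""
    children = defaultdict(list)
    for src, dst in edges:
        children[src].append(dst)
    best = [root]

    def walk(pid, path, seen):
        nonlocal best
        if len(path) > len(best):
            best = list(path)
        for child in children[pid]:
            if child not in seen:
                walk(child, path + [child], seen | {child})

    walk(root, [root], {root})
    return best


def proxied_launches(edges, images, launcher=LAUNCHER):
    """Children whose parent is the launcher: started via the hijacked association."""
    return sorted(dst for src, dst in edges if images.get(src) == launcher)


def launcher_hops(chain, images, launcher=LAUNCHER):
    """How many times the launcher sits on the chain (one per re-launched exe)."""
    return sum(1 for pid in chain if images.get(pid) == launcher)


if __name__ == "__main__":
    edges, images, hints = parse_rows(WPM_ROWS)
    chain = longest_chain(edges, 2228)
    print(" -> ".join(f"{pid}:{images.get(pid, '?')}" for pid in chain))
    print("launched through", LAUNCHER, ":", proxied_launches(edges, images))
```

On the rows above the deepest chain is 11 processes long and the launcher appears three times on it (PIDs 2556, 2940, 1500), which matches the process tree below, where every third level is C:\Windows\svchost.com re-launching the original binary out of the 3582-490 directory. The same shape continues for the remaining depth of the tree; the report stops logging signatures per node well before the chain ends.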
Processes
-
C:\Users\Admin\AppData\Local\Temp\337c65e3feece9ee169eacbd90f6f7635ccc794feec31139e5416507d0354e37.exe"C:\Users\Admin\AppData\Local\Temp\337c65e3feece9ee169eacbd90f6f7635ccc794feec31139e5416507d0354e37.exe"1⤵
- Loads dropped DLL
- Modifies system executable filetype association
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\3582-490\337c65e3feece9ee169eacbd90f6f7635ccc794feec31139e5416507d0354e37.exe"C:\Users\Admin\AppData\Local\Temp\3582-490\337c65e3feece9ee169eacbd90f6f7635ccc794feec31139e5416507d0354e37.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\._cache_337c65e3feece9ee169eacbd90f6f7635ccc794feec31139e5416507d0354e37.exe"C:\Users\Admin\AppData\Local\Temp\._cache_337c65e3feece9ee169eacbd90f6f7635ccc794feec31139e5416507d0354e37.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE5⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"6⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE"7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE"9⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"10⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE11⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"12⤵
- Executes dropped EXE
- Drops file in Windows directory
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE"13⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
-
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE14⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE"15⤵
- Executes dropped EXE
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"16⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
-
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE17⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"18⤵
- Executes dropped EXE
- Drops file in Windows directory
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE"19⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
-
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE20⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE"21⤵
- Executes dropped EXE
- Drops file in Windows directory
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"22⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
-
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE23⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"24⤵
- Executes dropped EXE
- Drops file in Windows directory
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE"25⤵
- Executes dropped EXE
- Drops file in Windows directory
-
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE26⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE"27⤵
- Executes dropped EXE
- Drops file in Windows directory
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"28⤵
- Executes dropped EXE
- Drops file in Windows directory
-
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE29⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"30⤵
- Executes dropped EXE
- Drops file in Windows directory
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE"31⤵
- Executes dropped EXE
- Drops file in Windows directory
-
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE32⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE"33⤵
- Executes dropped EXE
- Drops file in Windows directory
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"34⤵
- Executes dropped EXE
- Drops file in Windows directory
-
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE35⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"36⤵
- Executes dropped EXE
- Drops file in Windows directory
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE"37⤵
- Executes dropped EXE
- Drops file in Windows directory
-
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE38⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE"39⤵
- Executes dropped EXE
- Drops file in Windows directory
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"40⤵
- Executes dropped EXE
- Drops file in Windows directory
-
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE41⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"42⤵
- Executes dropped EXE
- Drops file in Windows directory
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE"43⤵
- Executes dropped EXE
- Drops file in Windows directory
-
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE44⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE"45⤵
- Executes dropped EXE
- Drops file in Windows directory
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"46⤵
- Executes dropped EXE
- Drops file in Windows directory
-
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE47⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"48⤵
- Executes dropped EXE
- Drops file in Windows directory
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE"49⤵
- Executes dropped EXE
- Drops file in Windows directory
-
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE50⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE"51⤵
- Executes dropped EXE
- Drops file in Windows directory
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"52⤵
- Executes dropped EXE
- Drops file in Windows directory
-
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE53⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"54⤵
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE"55⤵
-
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE56⤵
-
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE"57⤵
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"58⤵
-
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE59⤵
-
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"60⤵
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE"61⤵
-
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE62⤵
-
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE"63⤵
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"64⤵
-
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE65⤵
-
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"66⤵
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE"67⤵
-
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE68⤵
-
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE"69⤵
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"70⤵
-
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE71⤵
-
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"72⤵
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE"73⤵
-
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE74⤵
-
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE"75⤵
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"76⤵
-
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE77⤵
-
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"78⤵
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE"79⤵
-
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE80⤵
-
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE"81⤵
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"82⤵
-
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE83⤵
-
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"84⤵
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE"85⤵
-
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE86⤵
-
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE"87⤵
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"88⤵
-
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE89⤵
-
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"90⤵
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE"91⤵
-
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE92⤵
-
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE"93⤵
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"94⤵
-
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE95⤵
-
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"96⤵
-
Depth Process image                                             Command line
97    C:\Windows\svchost.com                                   "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE"
98    C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE  C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
99    C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE   "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE"
100   C:\Windows\svchost.com                                   "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"
101   C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE  C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
102   C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE   "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"
103   C:\Windows\svchost.com                                   "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE"
104   C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE  C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
105   C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE   "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE"
106   C:\Windows\svchost.com                                   "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"
107   C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE  C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
108   C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE   "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"
109   C:\Windows\svchost.com                                   "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE"
110   C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE  C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
111   C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE   "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE"
112   C:\Windows\svchost.com                                   "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"
113   C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE  C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
114   C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE   "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"
115   C:\Windows\svchost.com                                   "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE"
116   C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE  C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
117   C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE   "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE"
118   C:\Windows\svchost.com                                   "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"
119   C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE  C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
120   C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE   "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"
121   C:\Windows\svchost.com                                   "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE"
122   C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE  C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
123   C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE   "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE"
124   C:\Windows\svchost.com                                   "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"
125   C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE  C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
126   C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE   "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"
127   C:\Windows\svchost.com                                   "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE"
128   C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE  C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
129   C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE   "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE"
130   C:\Windows\svchost.com                                   "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"
131   C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE  C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
132   C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE   "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"
133   C:\Windows\svchost.com                                   "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE"
134   C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE  C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
135   C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE   "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE"
136   C:\Windows\svchost.com                                   "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"
137   C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE  C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
138   C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE   "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"
139   C:\Windows\svchost.com                                   "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE"
140   C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE  C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
141   C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE   "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE"
142   C:\Windows\svchost.com                                   "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"
143   C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE  C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
144   C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE   "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"
145   C:\Windows\svchost.com                                   "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE"
146   C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE  C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
147   C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE   "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE"
148   C:\Windows\svchost.com                                   "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"
149   C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE  C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
150   C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE   "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"
151   C:\Windows\svchost.com                                   "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE"
152   C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE  C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
153   C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE   "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE"
154   C:\Windows\svchost.com                                   "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"
155   C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE  C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
156   C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE   "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"
157   C:\Windows\svchost.com                                   "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE"
158   C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE  C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
159   C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE   "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE"
160   C:\Windows\svchost.com                                   "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"
161   C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE  C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
162   C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE   "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"
163   C:\Windows\svchost.com                                   "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE"
164   C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE  C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
165   C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE   "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE"
166   C:\Windows\svchost.com                                   "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"
167   C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE  C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
168   C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE   "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"
169   C:\Windows\svchost.com                                   "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE"
170   C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE  C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
171   C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE   "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE"
172   C:\Windows\svchost.com                                   "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"
173   C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE  C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
174   C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE   "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"
175   C:\Windows\svchost.com                                   "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE"
176   C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE  C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
177   C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE   "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE"
178   C:\Windows\svchost.com                                   "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"
179   C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE  C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
180   C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE   "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"
181   C:\Windows\svchost.com                                   "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE"
182   C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE  C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
183   C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE   "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE"
184   C:\Windows\svchost.com                                   "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"
185   C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE  C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
186   C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE   "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"
187   C:\Windows\svchost.com                                   "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE"
188   C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE  C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
189   C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE   "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE"
190   C:\Windows\svchost.com                                   "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"
191   C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE  C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
192   C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE   "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"
193   C:\Windows\svchost.com                                   "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE"
194   C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE  C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
195   C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE   "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE"
196   C:\Windows\svchost.com                                   "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"
197   C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE  C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
198   C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE   "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"
199   C:\Windows\svchost.com                                   "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE"
200   C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE  C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
201   C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE   "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE"
202   C:\Windows\svchost.com                                   "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"
203   C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE  C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
204   C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE   "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"
205   C:\Windows\svchost.com                                   "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE"
206   C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE  C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
207   C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE   "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE"
208   C:\Windows\svchost.com                                   "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"
209   C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE  C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
210   C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE   "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"
211   C:\Windows\svchost.com                                   "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE"
212   C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE  C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
213   C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE   "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE"
214   C:\Windows\svchost.com                                   "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"
215   C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE  C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
216   C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE   "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"
217   C:\Windows\svchost.com                                   "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE"
218   C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE  C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
219   C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE   "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE"
220   C:\Windows\svchost.com                                   "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"
221   C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE  C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
222   C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE   "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"
223   C:\Windows\svchost.com                                   "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE"
224   C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE  C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
225   C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE   "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE"
226   C:\Windows\svchost.com                                   "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"
227   C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE  C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
228   C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE   "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"
229   C:\Windows\svchost.com                                   "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE"
230   C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE  C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
231   C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE   "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE"
232   C:\Windows\svchost.com                                   "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"
233   C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE  C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
234   C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE   "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"
235   C:\Windows\svchost.com                                   "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE"
236   C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE  C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
237   C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE   "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE"
238   C:\Windows\svchost.com                                   "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"
239   C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE  C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
240   C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE   "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"
241   C:\Windows\svchost.com                                   "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE"
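Every process row in this stretch of the tree has one of three shapes: C:\Windows\svchost.com launching a file out of %TEMP%\3582-490\, that staged file running under its own name, and a ._cache_ copy in %TEMP% that hands control back to svchost.com. Neshta is a prepending file infector: it writes its own body in front of each executable it infects, keeps the clean original under %TEMP%\3582-490\, and installs itself as %WINDIR%\svchost.com, which runs the saved original on the infected program's behalf. The svchost.com rows are therefore the hand-off points, and the constant three-row spacing between them shows a single loop re-entering the infector rather than many separate infections. As an added example that is not part of the sandbox report or of the sandbox's own tooling, the Python below parses rows in this flattened "image + command line + depth" layout back into their three fields, flags the hand-off rows, and reports the loop period and the staged files. The sample rows are constructed to mirror the page's pattern (depth values are illustrative and the notepad row is added as a negative case), and the indicator constants are assumptions chosen to match the paths the report shows.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed sample rows in the same flattened "image + command line + depth⤵" layout
# as the report. The first six mirror the page's repeating pattern; the notepad row is
# added as a negative case. Depth values are illustrative, not copied from the page.
SAMPLE_ROWS = [
    r'C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE"97⤵',
    r'C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE98⤵',
    r'C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE"99⤵',
    r'C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"100⤵',
    r'C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE101⤵',
    r'C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"102⤵',
    r'C:\Windows\System32\notepad.exe"C:\Windows\System32\notepad.exe" notes.txt103⤵',
]

# The image path runs up to the first ".exe"/".com"; whatever follows, minus the trailing
# depth number and arrow glyph, is the command line the sandbox recorded.
ROW_RE = re.compile(
    r'^(?P<image>[A-Za-z]:\\.*?\.(?:exe|com))(?P<cmdline>.*?)(?P<depth>\d+)⤵$',
    re.IGNORECASE,
)

# Neshta indicators (assumed constants for this example, matching the paths on the page):
# the viral body lives at %WINDIR%\svchost.com and the clean original of each infected
# executable is parked under %TEMP%\3582-490\.
NESHTA_BODY_SUFFIX = "\\windows\\svchost.com"
NESHTA_STAGING_DIR = "\\3582-490\\"
STAGED_ARG_RE = re.compile(r'"([^"]*\\3582-490\\[^"]*)"')


@dataclass(frozen=True)
class ProcRow:
    depth: int
    image: str
    cmdline: str


def parse_row(line: str) -> Optional[ProcRow]:
    """Split one flattened report row; None for lines that are not process rows."""
    m = ROW_RE.match(line.strip())
    if m is None:
        return None
    return ProcRow(int(m.group("depth")), m.group("image"), m.group("cmdline"))


def parse_rows(lines: Iterable[str]) -> List[ProcRow]:
    return [row for row in map(parse_row, lines) if row is not None]


def is_neshta_handoff(row: ProcRow) -> bool:
    """svchost.com in the Windows directory launching something from the 3582-490
    staging directory: the infected host exe ran the viral stub, which now runs the
    original it set aside. This is the signature row of a Neshta infection chain."""
    return (row.image.lower().endswith(NESHTA_BODY_SUFFIX)
            and NESHTA_STAGING_DIR in row.cmdline.lower())


def neshta_handoff_depths(rows: List[ProcRow]) -> List[int]:
    return [row.depth for row in rows if is_neshta_handoff(row)]


def handoff_period(depths: List[int]) -> Optional[int]:
    """A constant gap between hand-offs means the chain is one process loop re-entering
    svchost.com rather than many independent infections. None when the gaps differ or
    there are fewer than two hand-offs."""
    gaps = {later - earlier for earlier, later in zip(depths, depths[1:])}
    return gaps.pop() if len(gaps) == 1 else None


def staged_originals(rows: List[ProcRow]) -> List[str]:
    """Distinct files launched out of the staging directory, i.e. the executables whose
    clean copies Neshta set aside (8.3 short names, as the sandbox recorded them)."""
    found = set()
    for row in rows:
        if is_neshta_handoff(row):
            found.update(STAGED_ARG_RE.findall(row.cmdline))
    return sorted(found)


if __name__ == "__main__":
    rows = parse_rows(SAMPLE_ROWS)
    depths = neshta_handoff_depths(rows)
    print(f"{len(rows)} rows parsed; Neshta hand-offs at depths {depths}, "
          f"period {handoff_period(depths)}")
    for path in staged_originals(rows):
        print("staged original:", path)
```

Because the extracted text fuses the image path and the command line, the parser cuts the image at the first .exe/.com; a path with an earlier .exe directory component would need a stricter split, for example matching the image again at the start of the command line. Run the file directly to print the hand-off depths, the period, and the staged 8.3 names; on the sample rows the period is 3, the same spacing the report shows.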