neshta | e533e9171cd5be1442ac411b60af0e29bcef9ecd53cc27236aeb200ad18c7271

Analysis

max time kernel
42s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
03-01-2025 15:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NL Brute 1.2.exe
Size

10.1MB
MD5

50b072669d250694e04f3e2d27153ece
SHA1

616d07f52763be900b56eafdf54e996e1183da4a
SHA256

3837bbb589f027fe75534ac85223641d8cb3f162420e8843aa94ade7045fa35a
SHA512

f556f495692011df4170c2e2a21378d9fbb4bb6769d87116f31afca3f9200a9eb22f24e275d087098ffed5a5b0108d04b52296892fd9b6c15399ac5e53b28682
SSDEEP

196608:RL1f+fCWf+fCufu0p8Y4DFbBJ5dIa82Vou2j09a3XAydVdODHMD16UAsdfPL9:RxWJWhn8YwFV/dIa8wp2j09qXAyYDHMD

Score

10^/10

neshta xred backdoor discovery evasion persistence spyware stealer

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Neshta family
neshta
Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 8 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	._cache__CACHE~4.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	._cache__CACHE~4.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	._cache__CACHE~4.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	._cache__CACHE~4.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	._cache__CACHE~4.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	._cache__CACHE~4.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	._cache__CACHE~4.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	._cache__CACHE~3.EXE

Checks BIOS information in registry 2 TTPs 14 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	._cache__CACHE~4.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	._cache__CACHE~4.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	._cache__CACHE~4.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	._cache__CACHE~4.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	._cache__CACHE~4.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	._cache__CACHE~4.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	._cache__CACHE~4.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	._cache__CACHE~3.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	._cache__CACHE~3.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	._cache__CACHE~4.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	._cache__CACHE~4.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	._cache__CACHE~4.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	._cache__CACHE~4.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	._cache__CACHE~4.EXE

Executes dropped EXE 64 IoCs

pid	Process
2712	._cache_NL Brute 1.2.exe
2556	._cache_NL Brute 1.2.exe
2404	Synaptics.exe
2836	._cache_Synaptics.exe
2216	._cache_._cache_NL Brute 1.2.exe
1964	svchost.com
1628	_CACHE~3.EXE
2568	svchost.com
1800	_CACHE~2.EXE
2104	._cache__CACHE~3.EXE
2548	._cache__CACHE~2.EXE
1608	Synaptics.exe
2420	svchost.com
2308	_CACHE~4.EXE
2348	._cache_Synaptics.exe
3040	svchost.com
2504	_CACHE~2.EXE
2664	._cache__CACHE~4.EXE
2856	Synaptics.exe
1776	._cache__CACHE~2.EXE
1412	Synaptics.exe
1392	svchost.com
1484	_CACHE~4.EXE
1480	._cache_Synaptics.exe
2452	svchost.com
1864	_CACHE~2.EXE
992	._cache_Synaptics.exe
2428	._cache__CACHE~4.EXE
2324	svchost.com
2040	_CACHE~2.EXE
2264	Synaptics.exe
1936	._cache__CACHE~2.EXE
1372	svchost.com
2268	_CACHE~4.EXE
1844	Synaptics.exe
2612	._cache__CACHE~2.EXE
2636	._cache_Synaptics.exe
748	Synaptics.exe
2896	svchost.com
1744	._cache__CACHE~4.EXE
2864	svchost.com
2188	_CACHE~4.EXE
1516	_CACHE~2.EXE
1316	Synaptics.exe
1480	._cache__CACHE~4.EXE
1760	._cache_Synaptics.exe
1920	._cache__CACHE~2.EXE
2596	Synaptics.exe
1772	svchost.com
2044	svchost.com
2344	_CACHE~4.EXE
2804	_CACHE~2.EXE
1736	Synaptics.exe
1544	._cache__CACHE~4.EXE
1708	._cache_Synaptics.exe
2516	._cache__CACHE~2.EXE
264	svchost.com
632	svchost.com
2228	_CACHE~2.EXE
3060	_CACHE~4.EXE
1344	Synaptics.exe
2964	Synaptics.exe
2248	._cache__CACHE~2.EXE
2404	._cache_Synaptics.exe

Identifies Wine through registry keys 2 TTPs 8 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Wine	._cache__CACHE~4.EXE
Key opened	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Wine	._cache__CACHE~4.EXE
Key opened	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Wine	._cache__CACHE~4.EXE
Key opened	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Wine	._cache__CACHE~4.EXE
Key opened	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Wine	._cache__CACHE~4.EXE
Key opened	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Wine	._cache__CACHE~4.EXE
Key opened	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Wine	._cache__CACHE~3.EXE
Key opened	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Wine	._cache__CACHE~4.EXE

Loads dropped DLL 64 IoCs

pid	Process
2980	NL Brute 1.2.exe
2980	NL Brute 1.2.exe
2712	._cache_NL Brute 1.2.exe
2712	._cache_NL Brute 1.2.exe
2980	NL Brute 1.2.exe
2980	NL Brute 1.2.exe
2404	Synaptics.exe
2404	Synaptics.exe
2404	Synaptics.exe
2556	._cache_NL Brute 1.2.exe
2556	._cache_NL Brute 1.2.exe
2556	._cache_NL Brute 1.2.exe
1964	svchost.com
1964	svchost.com
2568	svchost.com
2568	svchost.com
1628	_CACHE~3.EXE
1628	_CACHE~3.EXE
1628	_CACHE~3.EXE
2216	._cache_._cache_NL Brute 1.2.exe
2712	._cache_NL Brute 1.2.exe
1800	_CACHE~2.EXE
1800	_CACHE~2.EXE
1800	_CACHE~2.EXE
2712	._cache_NL Brute 1.2.exe
2712	._cache_NL Brute 1.2.exe
1800	_CACHE~2.EXE
2420	svchost.com
2420	svchost.com
2712	._cache_NL Brute 1.2.exe
1608	Synaptics.exe
1608	Synaptics.exe
1608	Synaptics.exe
1608	Synaptics.exe
3040	svchost.com
3040	svchost.com
2308	_CACHE~4.EXE
2504	_CACHE~2.EXE
2308	_CACHE~4.EXE
2308	_CACHE~4.EXE
2308	_CACHE~4.EXE
2308	_CACHE~4.EXE
2856	Synaptics.exe
2504	_CACHE~2.EXE
2504	_CACHE~2.EXE
2504	_CACHE~2.EXE
2504	_CACHE~2.EXE
1392	svchost.com
1392	svchost.com
1412	Synaptics.exe
1484	_CACHE~4.EXE
2856	Synaptics.exe
2856	Synaptics.exe
2856	Synaptics.exe
2452	svchost.com
2452	svchost.com
1864	_CACHE~2.EXE
1412	Synaptics.exe
1412	Synaptics.exe
1412	Synaptics.exe
1484	_CACHE~4.EXE
1484	_CACHE~4.EXE
1484	_CACHE~4.EXE
2324	svchost.com

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	._cache_NL Brute 1.2.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 16 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	_CACHE~2.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	_CACHE~4.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	_CACHE~4.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	_CACHE~2.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	_CACHE~2.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	_CACHE~4.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	_CACHE~2.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	_CACHE~2.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	_CACHE~4.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	_CACHE~2.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	_CACHE~2.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	NL Brute 1.2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	_CACHE~2.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	_CACHE~4.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	_CACHE~4.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	_CACHE~4.EXE

Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs

pid	Process
2104	._cache__CACHE~3.EXE
2664	._cache__CACHE~4.EXE
2428	._cache__CACHE~4.EXE
1744	._cache__CACHE~4.EXE
1480	._cache__CACHE~4.EXE
1544	._cache__CACHE~4.EXE
748	._cache__CACHE~4.EXE

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\PROGRA~2\WI4223~1\sidebar.exe	._cache_._cache_NL Brute 1.2.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE	._cache_._cache_NL Brute 1.2.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\ODeploy.exe	._cache_NL Brute 1.2.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	._cache_._cache_NL Brute 1.2.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\CNFNOT32.EXE	._cache_._cache_NL Brute 1.2.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOHTMED.EXE	._cache_._cache_NL Brute 1.2.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmprph.exe	._cache_NL Brute 1.2.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\ACCESS~1\wordpad.exe	._cache_NL Brute 1.2.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE	._cache_._cache_NL Brute 1.2.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBE_~1.EXE	._cache_._cache_NL Brute 1.2.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\FLTLDR.EXE	._cache_NL Brute 1.2.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	._cache_._cache_NL Brute 1.2.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\IECONT~1.EXE	._cache_._cache_NL Brute 1.2.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpconfig.exe	._cache_._cache_NL Brute 1.2.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\WMPDMC.exe	._cache_NL Brute 1.2.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE	._cache_._cache_NL Brute 1.2.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\SETUPF~1\{AC76B~1\Setup.exe	._cache_._cache_NL Brute 1.2.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\SETUPF~1\{AC76B~1\Setup.exe	._cache_NL Brute 1.2.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE	._cache_._cache_NL Brute 1.2.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\FLTLDR.EXE	._cache_._cache_NL Brute 1.2.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXE	._cache_._cache_NL Brute 1.2.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	._cache_NL Brute 1.2.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Resource\Icons\SC_REA~1.EXE	._cache_NL Brute 1.2.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE	._cache_._cache_NL Brute 1.2.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXE	._cache_._cache_NL Brute 1.2.exe
File opened for modification	C:\PROGRA~2\WI4223~1\sidebar.exe	._cache_NL Brute 1.2.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe	._cache_._cache_NL Brute 1.2.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Resource\Icons\SC_REA~1.EXE	._cache_._cache_NL Brute 1.2.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\DW\DWTRIG20.EXE	._cache_._cache_NL Brute 1.2.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\ink\mip.exe	._cache_._cache_NL Brute 1.2.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\OIS.EXE	._cache_NL Brute 1.2.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmplayer.exe	._cache_NL Brute 1.2.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE	._cache_._cache_NL Brute 1.2.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	._cache_NL Brute 1.2.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~1.EXE	._cache_._cache_NL Brute 1.2.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\INFOPATH.EXE	._cache_NL Brute 1.2.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\NAMECO~1.EXE	._cache_NL Brute 1.2.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\POWERPNT.EXE	._cache_._cache_NL Brute 1.2.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\wab.exe	._cache_NL Brute 1.2.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE	._cache_NL Brute 1.2.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOXMLED.EXE	._cache_._cache_NL Brute 1.2.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\SOURCE~1\OSE.EXE	._cache_NL Brute 1.2.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	._cache_NL Brute 1.2.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\TextConv\WksConv\Wkconv.exe	._cache_NL Brute 1.2.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\GROOVEMN.EXE	._cache_NL Brute 1.2.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSTORDB.EXE	._cache_._cache_NL Brute 1.2.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSTORDB.EXE	._cache_NL Brute 1.2.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE	._cache_._cache_NL Brute 1.2.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ONENOTEM.EXE	._cache_NL Brute 1.2.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\SELFCERT.EXE	._cache_._cache_NL Brute 1.2.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\XLICONS.EXE	._cache_._cache_NL Brute 1.2.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmlaunch.exe	._cache_._cache_NL Brute 1.2.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	._cache_._cache_NL Brute 1.2.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe	._cache_NL Brute 1.2.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXE	._cache_NL Brute 1.2.exe
File opened for modification	C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE	._cache_._cache_NL Brute 1.2.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE	._cache_NL Brute 1.2.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE	._cache_NL Brute 1.2.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\CNFNOT32.EXE	._cache_NL Brute 1.2.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\POWERPNT.EXE	._cache_NL Brute 1.2.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXE	._cache_._cache_NL Brute 1.2.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\EQUATION\EQNEDT32.EXE	._cache_NL Brute 1.2.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE	._cache_NL Brute 1.2.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\1033\ONELEV.EXE	._cache_._cache_NL Brute 1.2.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\directx.sys	._cache_Synaptics.exe
File opened for modification	C:\Windows\svchost.com	._cache__CACHE~2.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	._cache_Synaptics.exe
File opened for modification	C:\Windows\svchost.com	._cache__CACHE~2.EXE
File opened for modification	C:\Windows\directx.sys	._cache__CACHE~2.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	._cache__CACHE~2.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	._cache__CACHE~2.EXE
File opened for modification	C:\Windows\svchost.com	._cache__CACHE~2.EXE
File opened for modification	C:\Windows\directx.sys	._cache__CACHE~2.EXE
File opened for modification	C:\Windows\svchost.com	._cache_Synaptics.exe
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	._cache_Synaptics.exe
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	._cache_Synaptics.exe
File opened for modification	C:\Windows\svchost.com	._cache_Synaptics.exe
File opened for modification	C:\Windows\svchost.com	._cache_Synaptics.exe
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	._cache_Synaptics.exe
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	._cache__CACHE~2.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	._cache_Synaptics.exe
File opened for modification	C:\Windows\svchost.com	._cache__CACHE~2.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	._cache__CACHE~2.EXE
File opened for modification	C:\Windows\directx.sys	._cache_Synaptics.exe
File opened for modification	C:\Windows\directx.sys	._cache__CACHE~2.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	._cache__CACHE~2.EXE
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	._cache__CACHE~2.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	._cache_._cache_NL Brute 1.2.exe
File opened for modification	C:\Windows\directx.sys	._cache__CACHE~2.EXE
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	._cache_Synaptics.exe
File opened for modification	C:\Windows\svchost.com	._cache_NL Brute 1.2.exe
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	._cache_Synaptics.exe
File opened for modification	C:\Windows\svchost.com	._cache_Synaptics.exe
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	._cache_Synaptics.exe
File opened for modification	C:\Windows\directx.sys	._cache_Synaptics.exe
File opened for modification	C:\Windows\directx.sys	._cache_Synaptics.exe
File opened for modification	C:\Windows\directx.sys	svchost.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	_CACHE~4.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	_CACHE~2.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache__CACHE~2.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NL Brute 1.2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache__CACHE~2.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	_CACHE~4.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache__CACHE~2.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	_CACHE~4.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	_CACHE~2.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	_CACHE~2.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache__CACHE~3.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	_CACHE~4.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache__CACHE~4.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	_CACHE~2.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	_CACHE~4.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_NL Brute 1.2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	_CACHE~2.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_NL Brute 1.2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_._cache_NL Brute 1.2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache__CACHE~2.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache__CACHE~2.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache__CACHE~4.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache__CACHE~4.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	_CACHE~4.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache__CACHE~2.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	_CACHE~2.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	_CACHE~2.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	_CACHE~2.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	_CACHE~3.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	_CACHE~4.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache__CACHE~2.EXE

Modifies registry class 1 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	._cache_NL Brute 1.2.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1800	_CACHE~2.EXE
1800	_CACHE~2.EXE
1800	_CACHE~2.EXE
2104	._cache__CACHE~3.EXE
2308	_CACHE~4.EXE
2308	_CACHE~4.EXE
2308	_CACHE~4.EXE
2664	._cache__CACHE~4.EXE
1484	_CACHE~4.EXE
1484	_CACHE~4.EXE
1484	_CACHE~4.EXE
1484	_CACHE~4.EXE
1484	_CACHE~4.EXE
1484	_CACHE~4.EXE
1484	_CACHE~4.EXE
1484	_CACHE~4.EXE
1484	_CACHE~4.EXE
1484	_CACHE~4.EXE
1484	_CACHE~4.EXE
1484	_CACHE~4.EXE
1484	_CACHE~4.EXE
1484	_CACHE~4.EXE
1484	_CACHE~4.EXE
1484	_CACHE~4.EXE
1484	_CACHE~4.EXE
1484	_CACHE~4.EXE
1484	_CACHE~4.EXE
1484	_CACHE~4.EXE
1484	_CACHE~4.EXE
1484	_CACHE~4.EXE
1484	_CACHE~4.EXE
1484	_CACHE~4.EXE
1484	_CACHE~4.EXE
1484	_CACHE~4.EXE
1484	_CACHE~4.EXE
1484	_CACHE~4.EXE
1484	_CACHE~4.EXE
1484	_CACHE~4.EXE
1484	_CACHE~4.EXE
1484	_CACHE~4.EXE
1484	_CACHE~4.EXE
1484	_CACHE~4.EXE
1484	_CACHE~4.EXE
1484	_CACHE~4.EXE
1484	_CACHE~4.EXE
1484	_CACHE~4.EXE
1484	_CACHE~4.EXE
1484	_CACHE~4.EXE
1484	_CACHE~4.EXE
1484	_CACHE~4.EXE
1484	_CACHE~4.EXE
1484	_CACHE~4.EXE
1484	_CACHE~4.EXE
1484	_CACHE~4.EXE
1484	_CACHE~4.EXE
1484	_CACHE~4.EXE
1484	_CACHE~4.EXE
1484	_CACHE~4.EXE
1484	_CACHE~4.EXE
1484	_CACHE~4.EXE
1484	_CACHE~4.EXE
1484	_CACHE~4.EXE
1484	_CACHE~4.EXE
1484	_CACHE~4.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeSystemProfilePrivilege	1800	_CACHE~2.EXE
Token: SeSystemProfilePrivilege	1800	_CACHE~2.EXE
Token: SeSystemProfilePrivilege	1800	_CACHE~2.EXE
Token: SeSystemProfilePrivilege	2308	_CACHE~4.EXE
Token: SeSystemProfilePrivilege	2308	_CACHE~4.EXE
Token: SeSystemProfilePrivilege	2308	_CACHE~4.EXE
Token: SeSystemProfilePrivilege	1484	_CACHE~4.EXE
Token: SeSystemProfilePrivilege	1484	_CACHE~4.EXE
Token: SeSystemProfilePrivilege	1484	_CACHE~4.EXE
Token: SeSystemProfilePrivilege	1484	_CACHE~4.EXE
Token: SeSystemProfilePrivilege	1484	_CACHE~4.EXE
Token: SeSystemProfilePrivilege	1484	_CACHE~4.EXE
Token: SeSystemProfilePrivilege	1484	_CACHE~4.EXE
Token: SeSystemProfilePrivilege	1484	_CACHE~4.EXE
Token: SeSystemProfilePrivilege	1484	_CACHE~4.EXE
Token: SeSystemProfilePrivilege	1484	_CACHE~4.EXE
Token: SeSystemProfilePrivilege	1484	_CACHE~4.EXE
Token: SeSystemProfilePrivilege	1484	_CACHE~4.EXE
Token: SeSystemProfilePrivilege	1484	_CACHE~4.EXE
Token: SeSystemProfilePrivilege	1484	_CACHE~4.EXE
Token: SeSystemProfilePrivilege	1484	_CACHE~4.EXE
Token: SeSystemProfilePrivilege	1484	_CACHE~4.EXE
Token: SeSystemProfilePrivilege	1484	_CACHE~4.EXE
Token: SeSystemProfilePrivilege	1484	_CACHE~4.EXE
Token: SeSystemProfilePrivilege	1484	_CACHE~4.EXE
Token: SeSystemProfilePrivilege	1484	_CACHE~4.EXE
Token: SeSystemProfilePrivilege	1484	_CACHE~4.EXE
Token: SeSystemProfilePrivilege	1484	_CACHE~4.EXE
Token: SeSystemProfilePrivilege	1484	_CACHE~4.EXE
Token: SeSystemProfilePrivilege	1484	_CACHE~4.EXE
Token: SeSystemProfilePrivilege	1484	_CACHE~4.EXE
Token: SeSystemProfilePrivilege	1484	_CACHE~4.EXE
Token: SeSystemProfilePrivilege	1484	_CACHE~4.EXE
Token: SeSystemProfilePrivilege	1484	_CACHE~4.EXE
Token: SeSystemProfilePrivilege	1484	_CACHE~4.EXE
Token: SeSystemProfilePrivilege	1484	_CACHE~4.EXE
Token: SeSystemProfilePrivilege	1484	_CACHE~4.EXE
Token: SeSystemProfilePrivilege	1484	_CACHE~4.EXE
Token: SeSystemProfilePrivilege	1484	_CACHE~4.EXE
Token: SeSystemProfilePrivilege	1484	_CACHE~4.EXE
Token: SeSystemProfilePrivilege	1484	_CACHE~4.EXE
Token: SeSystemProfilePrivilege	1484	_CACHE~4.EXE
Token: SeSystemProfilePrivilege	1484	_CACHE~4.EXE
Token: SeSystemProfilePrivilege	1484	_CACHE~4.EXE
Token: SeSystemProfilePrivilege	1484	_CACHE~4.EXE
Token: SeSystemProfilePrivilege	1484	_CACHE~4.EXE
Token: SeSystemProfilePrivilege	1484	_CACHE~4.EXE
Token: SeSystemProfilePrivilege	1484	_CACHE~4.EXE
Token: SeSystemProfilePrivilege	1484	_CACHE~4.EXE
Token: SeSystemProfilePrivilege	1484	_CACHE~4.EXE
Token: SeSystemProfilePrivilege	1484	_CACHE~4.EXE
Token: SeSystemProfilePrivilege	1484	_CACHE~4.EXE
Token: SeSystemProfilePrivilege	1484	_CACHE~4.EXE
Token: SeSystemProfilePrivilege	1484	_CACHE~4.EXE
Token: SeSystemProfilePrivilege	1484	_CACHE~4.EXE
Token: SeSystemProfilePrivilege	1484	_CACHE~4.EXE
Token: SeSystemProfilePrivilege	1484	_CACHE~4.EXE
Token: SeSystemProfilePrivilege	1484	_CACHE~4.EXE
Token: SeSystemProfilePrivilege	1484	_CACHE~4.EXE
Token: SeSystemProfilePrivilege	1484	_CACHE~4.EXE
Token: SeSystemProfilePrivilege	1484	_CACHE~4.EXE
Token: SeSystemProfilePrivilege	1484	_CACHE~4.EXE
Token: SeSystemProfilePrivilege	1484	_CACHE~4.EXE
Token: SeSystemProfilePrivilege	1484	_CACHE~4.EXE

Suspicious use of FindShellTrayWindow 8 IoCs

pid	Process
2664	._cache__CACHE~4.EXE
2104	._cache__CACHE~3.EXE
2104	._cache__CACHE~3.EXE
2664	._cache__CACHE~4.EXE
2428	._cache__CACHE~4.EXE
2428	._cache__CACHE~4.EXE
1744	._cache__CACHE~4.EXE
1744	._cache__CACHE~4.EXE

Suspicious use of SendNotifyMessage 8 IoCs

pid	Process
2664	._cache__CACHE~4.EXE
2104	._cache__CACHE~3.EXE
2104	._cache__CACHE~3.EXE
2664	._cache__CACHE~4.EXE
2428	._cache__CACHE~4.EXE
2428	._cache__CACHE~4.EXE
1744	._cache__CACHE~4.EXE
1744	._cache__CACHE~4.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2104	._cache__CACHE~3.EXE
2664	._cache__CACHE~4.EXE
2428	._cache__CACHE~4.EXE
1744	._cache__CACHE~4.EXE
1480	._cache__CACHE~4.EXE
1544	._cache__CACHE~4.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2980 wrote to memory of 2712	2980	NL Brute 1.2.exe	30
PID 2980 wrote to memory of 2712	2980	NL Brute 1.2.exe	30
PID 2980 wrote to memory of 2712	2980	NL Brute 1.2.exe	30
PID 2980 wrote to memory of 2712	2980	NL Brute 1.2.exe	30
PID 2712 wrote to memory of 2556	2712	._cache_NL Brute 1.2.exe	31
PID 2712 wrote to memory of 2556	2712	._cache_NL Brute 1.2.exe	31
PID 2712 wrote to memory of 2556	2712	._cache_NL Brute 1.2.exe	31
PID 2712 wrote to memory of 2556	2712	._cache_NL Brute 1.2.exe	31
PID 2980 wrote to memory of 2404	2980	NL Brute 1.2.exe	32
PID 2980 wrote to memory of 2404	2980	NL Brute 1.2.exe	32
PID 2980 wrote to memory of 2404	2980	NL Brute 1.2.exe	32
PID 2980 wrote to memory of 2404	2980	NL Brute 1.2.exe	32
PID 2404 wrote to memory of 2836	2404	Synaptics.exe	33
PID 2404 wrote to memory of 2836	2404	Synaptics.exe	33
PID 2404 wrote to memory of 2836	2404	Synaptics.exe	33
PID 2404 wrote to memory of 2836	2404	Synaptics.exe	33
PID 2556 wrote to memory of 2216	2556	._cache_NL Brute 1.2.exe	34
PID 2556 wrote to memory of 2216	2556	._cache_NL Brute 1.2.exe	34
PID 2556 wrote to memory of 2216	2556	._cache_NL Brute 1.2.exe	34
PID 2556 wrote to memory of 2216	2556	._cache_NL Brute 1.2.exe	34
PID 2216 wrote to memory of 1964	2216	._cache_._cache_NL Brute 1.2.exe	35
PID 2216 wrote to memory of 1964	2216	._cache_._cache_NL Brute 1.2.exe	35
PID 2216 wrote to memory of 1964	2216	._cache_._cache_NL Brute 1.2.exe	35
PID 2216 wrote to memory of 1964	2216	._cache_._cache_NL Brute 1.2.exe	35
PID 2836 wrote to memory of 2568	2836	._cache_Synaptics.exe	37
PID 2836 wrote to memory of 2568	2836	._cache_Synaptics.exe	37
PID 2836 wrote to memory of 2568	2836	._cache_Synaptics.exe	37
PID 2836 wrote to memory of 2568	2836	._cache_Synaptics.exe	37
PID 1964 wrote to memory of 1628	1964	svchost.com	36
PID 1964 wrote to memory of 1628	1964	svchost.com	36
PID 1964 wrote to memory of 1628	1964	svchost.com	36
PID 1964 wrote to memory of 1628	1964	svchost.com	36
PID 2568 wrote to memory of 1800	2568	svchost.com	38
PID 2568 wrote to memory of 1800	2568	svchost.com	38
PID 2568 wrote to memory of 1800	2568	svchost.com	38
PID 2568 wrote to memory of 1800	2568	svchost.com	38
PID 1628 wrote to memory of 2104	1628	_CACHE~3.EXE	39
PID 1628 wrote to memory of 2104	1628	_CACHE~3.EXE	39
PID 1628 wrote to memory of 2104	1628	_CACHE~3.EXE	39
PID 1628 wrote to memory of 2104	1628	_CACHE~3.EXE	39
PID 1800 wrote to memory of 2548	1800	_CACHE~2.EXE	40
PID 1800 wrote to memory of 2548	1800	_CACHE~2.EXE	40
PID 1800 wrote to memory of 2548	1800	_CACHE~2.EXE	40
PID 1800 wrote to memory of 2548	1800	_CACHE~2.EXE	40
PID 1800 wrote to memory of 1608	1800	_CACHE~2.EXE	41
PID 1800 wrote to memory of 1608	1800	_CACHE~2.EXE	41
PID 1800 wrote to memory of 1608	1800	_CACHE~2.EXE	41
PID 1800 wrote to memory of 1608	1800	_CACHE~2.EXE	41
PID 2548 wrote to memory of 2420	2548	._cache__CACHE~2.EXE	42
PID 2548 wrote to memory of 2420	2548	._cache__CACHE~2.EXE	42
PID 2548 wrote to memory of 2420	2548	._cache__CACHE~2.EXE	42
PID 2548 wrote to memory of 2420	2548	._cache__CACHE~2.EXE	42
PID 2420 wrote to memory of 2308	2420	svchost.com	43
PID 2420 wrote to memory of 2308	2420	svchost.com	43
PID 2420 wrote to memory of 2308	2420	svchost.com	43
PID 2420 wrote to memory of 2308	2420	svchost.com	43
PID 1608 wrote to memory of 2348	1608	Synaptics.exe	44
PID 1608 wrote to memory of 2348	1608	Synaptics.exe	44
PID 1608 wrote to memory of 2348	1608	Synaptics.exe	44
PID 1608 wrote to memory of 2348	1608	Synaptics.exe	44
PID 2348 wrote to memory of 3040	2348	._cache_Synaptics.exe	45
PID 2348 wrote to memory of 3040	2348	._cache_Synaptics.exe	45
PID 2348 wrote to memory of 3040	2348	._cache_Synaptics.exe	45
PID 2348 wrote to memory of 3040	2348	._cache_Synaptics.exe	45

C:\Users\Admin\AppData\Local\Temp\NL Brute 1.2.exe
"C:\Users\Admin\AppData\Local\Temp\NL Brute 1.2.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2980
- C:\Users\Admin\AppData\Local\Temp\._cache_NL Brute 1.2.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_NL Brute 1.2.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies system executable filetype association
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2712
- - C:\Users\Admin\AppData\Local\Temp\3582-490\._cache_NL Brute 1.2.exe
    "C:\Users\Admin\AppData\Local\Temp\3582-490\._cache_NL Brute 1.2.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2556
  - - C:\Users\Admin\AppData\Local\Temp\._cache_._cache_NL Brute 1.2.exe
      "C:\Users\Admin\AppData\Local\Temp\._cache_._cache_NL Brute 1.2.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2216
    - - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1964
      - C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1628
        
        C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE"
        7⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:2104
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2404
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2836
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2568
    - - C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1800
      - C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate
        6⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2548
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE" InjUpdate
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2420
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE InjUpdate
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2308
        
        C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~4.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~4.EXE" InjUpdate
        9⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:2664
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2856
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        10⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1480
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2452
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1864
        
        C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate
        13⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1936
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE" InjUpdate
        14⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1372
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE InjUpdate
        15⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2268
        
        C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~4.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~4.EXE" InjUpdate
        16⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:1744
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        16⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1316
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        17⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1760
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate
        18⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1772
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate
        19⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2804
        
        C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate
        20⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2516
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE" InjUpdate
        21⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:264
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE InjUpdate
        22⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3060
        
        C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~4.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~4.EXE" InjUpdate
        23⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:748
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        23⤵
        System Location Discovery: System Language Discovery
        
        PID:2344
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        24⤵
        
        PID:2916
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate
        25⤵
        
        PID:2912
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate
        26⤵
        
        PID:912
        
        C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate
        27⤵
        
        PID:264
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE" InjUpdate
        28⤵
        
        PID:2564
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE InjUpdate
        29⤵
        
        PID:2360
        
        C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~4.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~4.EXE" InjUpdate
        30⤵
        
        PID:3584
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        30⤵
        
        PID:3768
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        31⤵
        
        PID:4036
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate
        32⤵
        
        PID:1732
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate
        33⤵
        
        PID:2896
        
        C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate
        34⤵
        
        PID:3268
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE" InjUpdate
        35⤵
        
        PID:3296
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE InjUpdate
        36⤵
        
        PID:3220
        
        C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~4.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~4.EXE" InjUpdate
        37⤵
        
        PID:1032
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        37⤵
        
        PID:3320
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        34⤵
        
        PID:3228
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        35⤵
        
        PID:2592
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate
        36⤵
        
        PID:3880
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate
        37⤵
        
        PID:4000
        
        C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate
        38⤵
        
        PID:2056
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE" InjUpdate
        39⤵
        
        PID:3840
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE InjUpdate
        40⤵
        
        PID:3828
        
        C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~4.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~4.EXE" InjUpdate
        41⤵
        
        PID:3076
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        41⤵
        
        PID:1688
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        42⤵
        
        PID:3140
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate
        43⤵
        
        PID:3948
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate
        44⤵
        
        PID:812
        
        C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate
        45⤵
        
        PID:3652
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE" InjUpdate
        46⤵
        
        PID:3648
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE InjUpdate
        47⤵
        
        PID:3296
        
        C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~4.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~4.EXE" InjUpdate
        48⤵
        
        PID:1988
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        48⤵
        
        PID:3580
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        45⤵
        
        PID:3828
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        38⤵
        
        PID:2888
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        20⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2964
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        21⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2404
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate
        22⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2984
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate
        23⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2736
        
        C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate
        24⤵
        System Location Discovery: System Language Discovery
        
        PID:1556
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE" InjUpdate
        25⤵
        
        PID:2872
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE InjUpdate
        26⤵
        
        PID:2716
        
        C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~4.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~4.EXE" InjUpdate
        27⤵
        
        PID:1736
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        27⤵
        
        PID:3064
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        28⤵
        
        PID:3208
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate
        29⤵
        
        PID:3316
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate
        30⤵
        
        PID:3352
        
        C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate
        31⤵
        
        PID:3864
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE" InjUpdate
        32⤵
        
        PID:3896
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE InjUpdate
        33⤵
        
        PID:3932
        
        C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~4.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~4.EXE" InjUpdate
        34⤵
        
        PID:4076
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        34⤵
        
        PID:836
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        35⤵
        
        PID:1980
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate
        36⤵
        
        PID:3360
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate
        37⤵
        
        PID:3472
        
        C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate
        38⤵
        
        PID:3660
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE" InjUpdate
        39⤵
        
        PID:3352
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE InjUpdate
        40⤵
        
        PID:4060
        
        C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~4.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~4.EXE" InjUpdate
        41⤵
        
        PID:1732
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        41⤵
        
        PID:3044
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        42⤵
        
        PID:3948
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate
        43⤵
        
        PID:4064
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate
        44⤵
        
        PID:3012
        
        C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate
        45⤵
        
        PID:3936
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE" InjUpdate
        46⤵
        
        PID:3172
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE InjUpdate
        47⤵
        
        PID:2636
        
        C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~4.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~4.EXE" InjUpdate
        48⤵
        
        PID:4056
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        48⤵
        
        PID:3480
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        49⤵
        
        PID:3180
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate
        50⤵
        
        PID:3936
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate
        51⤵
        
        PID:2512
        
        C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate
        52⤵
        
        PID:3640
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE" InjUpdate
        53⤵
        
        PID:3352
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE InjUpdate
        54⤵
        
        PID:3620
        
        C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~4.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~4.EXE" InjUpdate
        55⤵
        
        PID:4208
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        45⤵
        
        PID:2816
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        46⤵
        
        PID:1760
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate
        47⤵
        
        PID:3580
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate
        48⤵
        
        PID:2852
        
        C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate
        49⤵
        
        PID:3320
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE" InjUpdate
        50⤵
        
        PID:1868
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE InjUpdate
        51⤵
        
        PID:3604
        
        C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~4.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~4.EXE" InjUpdate
        52⤵
        
        PID:1868
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        31⤵
        
        PID:3944
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        24⤵
        
        PID:1232
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        25⤵
        
        PID:2660
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate
        26⤵
        
        PID:1624
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate
        27⤵
        
        PID:2584
        
        C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate
        28⤵
        
        PID:2708
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE" InjUpdate
        29⤵
        
        PID:156
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE InjUpdate
        30⤵
        
        PID:2712
        
        C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~4.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~4.EXE" InjUpdate
        31⤵
        
        PID:3272
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        31⤵
        
        PID:3604
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        28⤵
        
        PID:2344
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1844
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        14⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2636
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate
        15⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2864
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate
        16⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1516
        
        C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate
        17⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1920
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE" InjUpdate
        18⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2044
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE InjUpdate
        19⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2344
        
        C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~4.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~4.EXE" InjUpdate
        20⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1544
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        20⤵
        Executes dropped EXE
        
        PID:1344
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        17⤵
        Executes dropped EXE
        
        PID:1736
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        18⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1708
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate
        19⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:632
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate
        20⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2228
        
        C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate
        21⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2248
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE" InjUpdate
        22⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2580
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE InjUpdate
        23⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2492
        
        C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~4.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~4.EXE" InjUpdate
        24⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Identifies Wine through registry keys
        
        PID:2600
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        24⤵
        System Location Discovery: System Language Discovery
        
        PID:2280
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        25⤵
        
        PID:2964
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate
        26⤵
        
        PID:2056
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate
        27⤵
        
        PID:2636
        
        C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate
        28⤵
        
        PID:2480
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE" InjUpdate
        29⤵
        
        PID:2504
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE InjUpdate
        30⤵
        
        PID:864
        
        C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~4.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~4.EXE" InjUpdate
        31⤵
        
        PID:3232
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        28⤵
        
        PID:3048
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        21⤵
        System Location Discovery: System Language Discovery
        
        PID:1980
      - C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1608
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        7⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2348
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3040
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2504
        
        C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate
        10⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1776
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE" InjUpdate
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1392
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE InjUpdate
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1484
        
        C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~4.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~4.EXE" InjUpdate
        13⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:2428
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        13⤵
        Executes dropped EXE
        
        PID:2264
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1412
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        11⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:992
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2324
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate
        13⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2040
        
        C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate
        14⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2612
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE" InjUpdate
        15⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2896
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE InjUpdate
        16⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2188
        
        C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~4.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~4.EXE" InjUpdate
        17⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetWindowsHookEx
        
        PID:1480
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        17⤵
        Executes dropped EXE
        
        PID:2596
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        14⤵
        Executes dropped EXE
        
        PID:748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\ALLUSE~1\{90140~1\DW20.EXE

Filesize
859KB

MD5
754309b7b83050a50768236ee966224f

SHA1
10ed7efc2e594417ddeb00a42deb8fd9f804ed53

SHA256
acd32dd903e5464b0ecd153fb3f71da520d2e59a63d4c355d9c1874c919d04e6

SHA512
e5aaddf62c08c8fcc1ae3f29df220c5c730a2efa96dd18685ee19f5a9d66c4735bb4416c4828033661990604669ed345415ef2dc096ec75e1ab378dd804b1614

Download Submit
C:\MSOCache\ALLUSE~1\{90140~1\dwtrig20.exe

Filesize
547KB

MD5
ad98b20199243808cde0b5f0fd14b98f

SHA1
f95ce4c4c1bb507da8ed379503b7f597ee2016cd

SHA256
214f478e94658fa2bd7f0bc17022831baee707756798addb41d9c5bee050e70b

SHA512
ee1251c62530b3027e2cd5669533c633577ffbcf854e137a551148fc0de3ee6cc34253a0bdefdbd4843929843b0790f1de893aa6fbae1c969f057b9f8486afef

Download Submit
C:\MSOCache\ALLUSE~1\{9A861~1\ose.exe

Filesize
186KB

MD5
248a8df8e662dfca1db4f7160e1a972b

SHA1
dca22df5bca069f90d84d59988abe73a24704304

SHA256
6c7abeebd50487ca33315f5e507c9a5346e6e7a4b732103b35b8006ed58d7bb2

SHA512
0042e806d50c938fb1f08506327c87cd99e4f5f9520636b20695d94a696bb8b3f500f6d9507cb46fdba27c60cc0cb9e3c1e7c35dcfb7fcf4dadac3270e654f75

Download Submit
C:\MSOCache\ALLUSE~1\{9A861~1\setup.exe

Filesize
1.1MB

MD5
dc6114cf663ccdb1e55d37e6501c54cc

SHA1
8007df78476f6e723ddcb3ad6d515e558dcb97c9

SHA256
d566164c874ef66149b493e3220616cdb9090a8cebb4a1325c48c705aea5c348

SHA512
677464e6dab367f9158655533cade6e1ec4b39c4e64b05395e72e4099ca7f8fa82b8e49846932956da5fef760cc109a348e1c599d986166998e4d2623022a28c

Download Submit
C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE

Filesize
285KB

MD5
2142b0fff4fbaaaa52bb901730f4b58c

SHA1
8c139ed4e04bb6413200716f0567bf76262e3051

SHA256
da7c7e2a69816a8e1c3cd016bdd461c5b55963ef6f198287098b193893d37a54

SHA512
f9055d72c535836ec3f06278a7891572665e943ca5af52f84ee368504e82a1f2ce330d455b8420a61e8576b9c8daa08063905df50c76248c58d8c9c97a03c7a0

Download Submit
C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE

Filesize
313KB

MD5
46990c189f267e44f1927f68380102a7

SHA1
01eb9127bcda65186295003420683f3b4385659c

SHA256
323942be693446177d1e1f3686ccf142c31f812501a4b96aba2465c5291280cf

SHA512
3d1b342922f6fbb55aab224c705202d8607108ed459eb3dfecd7deece986f8818961c31930858f9576afeb9f7114cb64ad68d50768a9a61103be44d668d53296

Download Submit
C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe

Filesize
381KB

MD5
2352318f01171370a31048e3ef80a4a9

SHA1
aeca009b93c80a3a51eaefa035b09f8a5aa6d252

SHA256
88b241c269c0b657ed4a2b09b0835f15f4dee77d0bb8fec3240bb14d93ba0b62

SHA512
7783abcc2a0e448ea476c53d70b8d04f4c90c3b30b72a1b89310fb6f9f05efcc7e511276cc045c3e3f476e932874c3aef30366872b408fa257561aba2d907b3b

Download Submit
C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE

Filesize
125KB

MD5
437e3b3206cacd8458c1a2fbdef78b35

SHA1
f32832fbb0421e73ede442f97706716a59c46e4a

SHA256
41ae8e5d20a3bbf8bafa4f7bbc24603c266b84ebe491e48fe39cd40879f03e83

SHA512
dc55edbb72b4a1ea6fd95933d304c7fc93a3a1c772acdc6391b21dc8c0a46557252d25c587136c480e23f1dd8823edc4f3b88738e017db9f2ce828987e6cd5e0

Download Submit
C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE

Filesize
155KB

MD5
6e2056a06a20c59fa9bfdef3490accf0

SHA1
4f84138c0c61e1c37e7c0b316c77b48a6401c3e1

SHA256
3ec70e2e58fc40e7031e37af2ea1f0ed1202d9608b91b29d5cef568a8900d387

SHA512
191a9a19d2eee3af36571177109a394a5f0582fc5c763c38b4490253c7f58329bb391981bf1702dda672e5a6b908585ddb92cf4ece71c082311b1e096430bd3d

Download Submit
C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE

Filesize
230KB

MD5
94a6f89a6391389a41d4ab2f660ccbad

SHA1
61a95366a8fee5c11120f25d5d2f5202f4a550da

SHA256
da4ac3ca15fae5fa60717bf9a20e113d4108c7be883be4fe39d9e1fa91059325

SHA512
cf27c8767ebedb492a4f3eff73ac2884cde945eadc1c75ea20df5e981770423b0b5a7b76083c8d0499469d33f83d61c2c5608ff0b618d1fd420cf9e3163ad39d

Download Submit
C:\PROGRA~2\Google\Update\1336~1.151\GOF5E2~1.EXE

Filesize
155KB

MD5
156aa268fa5236c9f16110863dc383d1

SHA1
4d1a29a4a5b74716cb9a4a0c945aee511ef3cbf5

SHA256
0537d77d6e447a2ec34321c61828e9f3690a9b846995b6da5de6729692f7a31f

SHA512
2c7f5d2465f483a0cdfc01bc3962c6a31f46b04c91f3db6164e3a24504c76dba035fbbd0a6b0c959af505872395c77f9db614df2cf898850a3663ec97b2e06ad

Download Submit
C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~1.EXE

Filesize
207KB

MD5
137088e3f14337e7dd22e79ad53bf6bd

SHA1
fa12820a19d300a11e839457c4db2c4f9b19a93b

SHA256
d10e2f064a6beac6affab5cb5e7105961f5671f73dc22e2ab4a0a23dd91e0e21

SHA512
52056afdc54c16f8db18ea10769d44a98df8a2974edf9d0abf6e7677dd4b5505183d5d472142ec8998ce69da3471df940f424383a572d23ccfee11105dd33646

Download Submit
C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~2.EXE

Filesize
265KB

MD5
f38304be865a9f773dcac807b42684a4

SHA1
5dfb3d4424b20bec9a93cac785c4d6b65ec847d9

SHA256
0cd50ff5ddf00cdcf95370e5f169038293b1f4783380f88d2ce12e14eb73eafd

SHA512
ec81d5b8859937281e0018ba9ee9874e1de59f1f413440b5a3115662154c71546433efacf7e51d71c2893f81ebb41cd2268134849b07625e9861ba1d370ed3a0

Download Submit
C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXE

Filesize
342KB

MD5
0cde1fa887c8ea745774ce63ba6be5b8

SHA1
299de942f1b3318eece2fa1c3c094ff75c5ee034

SHA256
725df16261e3b528efb8b4d96313d1e98fabe575843bab72eb54eed6fa453079

SHA512
c4baaa6767c0ac6a8271634bcec7e19714dbf21bad2abce23e86165189809efbbd25cf9360c581ed8cc7765c154d0248bde36fbda1bd6b49bb4a6eb6e018d98f

Download Submit
C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE

Filesize
439KB

MD5
e9228ebf8b765c170034519a798bc2a3

SHA1
a28837f4aca4e86450ed38557f5f9dd4bec7eee0

SHA256
6a7e5d2f0c486637a27014308bb90944b571b3b1b09d70d37cfbfbc56ff575c9

SHA512
3139cf9ff431a5091512919718da45e86517c63511d90f1643897369d95af0bddaadb00a51bc3da82ebab6c76616d3ee9d3ee7f9f29e98802bf0b28737102423

Download Submit
C:\ProgramData\Synaptics\RCX4579.tmp

Filesize
753KB

MD5
50891fdf662153bd82aadddeb9c11f4f

SHA1
3e6dbe704e58ed48b0a92bc04b83cd77510a5e89

SHA256
876f13848ccc16b4771440887df15c89e43c4811b6f34b977c0da8e6fea8cc26

SHA512
8dd3689711326005e9673608b35db760f02d3d30cfc37b3d749d7d8f5eaf81e2fcd3484fb5aedd4dcb4b86e89e3bc1da2694148b3886a05c2ef055e48120ccde

Download Submit
C:\ProgramData\Synaptics\Synaptics.exe

Filesize
10.1MB

MD5
50b072669d250694e04f3e2d27153ece

SHA1
616d07f52763be900b56eafdf54e996e1183da4a

SHA256
3837bbb589f027fe75534ac85223641d8cb3f162420e8843aa94ade7045fa35a

SHA512
f556f495692011df4170c2e2a21378d9fbb4bb6769d87116f31afca3f9200a9eb22f24e275d087098ffed5a5b0108d04b52296892fd9b6c15399ac5e53b28682

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_._cache_NL Brute 1.2.exe

Filesize
8.6MB

MD5
29a056a84cf2cbaace260906b558c9bf

SHA1
5a5199d4cb1e8fa63f738baf443e002c546d031c

SHA256
cf68e068a071f44ea5b40b6f514cc4f9cfd16279652f85c3221cdfc5e0184e15

SHA512
8eecaa3efb4744dbd85ae413213803e5d09bb82d590ad3df4ca477120f72c04c611ced971a8e6b462e67e23186137e975006ca89c893d67bd39d2bd030f14901

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE

Filesize
7.8MB

MD5
025c1c35c3198e6e3497d5dbf97ae81f

SHA1
6d390038003c298c7ab8f2cbe35a50b07e096554

SHA256
ffa28db79daca3b93a283ce2a6ff24791956a768cb5fc791c075b638416b51f4

SHA512
1d4cf52062b4f1aa9349ee96b234fc51e693ea8231230ec2b35fa896c2c27f47158d6493e26a1881b070b3f86e6c7d9d2ed3f5f161d456eb011551d434e06b50

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\._cache_NL Brute 1.2.exe

Filesize
9.3MB

MD5
a30763c11386537891860bb31ae2332c

SHA1
812c4e600b097ec74d6fcba24889994b458c452f

SHA256
af5aadcf55a696d1725b4d91d0a49afd9ba122ccc003618506eff255b7a2dcbc

SHA512
9fc786154505280591d915897b769be022af3f1beea3473f6f1be2e385382348305dd09b7bf0bf281f7b511dc4eedb9c14fdc3c343d9355a0a344e4bac70cc90

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE

Filesize
8.5MB

MD5
e6bf3f31987645cbbfe74e2fbcb87331

SHA1
f38f57cb3bcc28047f200d9fdd1fca400a9eafb1

SHA256
69e61da1dda3a4c7cfd589000ecf831c2739b4ffe578bdfb1456b59b3b1ec233

SHA512
7fadd83caa14497837d0d900cf40e706ef6e33815b861a602e0e83b3b1aa3c753ece3b084968919c7adc453bc368de8fe1e531e30e6ea6d1e9465b5628bc8605

Download Submit
C:\Windows\directx.sys

Filesize
57B

MD5
8e4bd9619c227ef2bc20a2cb2aa55e7b

SHA1
a6214b7678b83c4db74b210625b4812300df3a74

SHA256
84ba3f2b07e112efaff6ee034b84db960521db9e504a4ac77a5e8e5e988d86d9

SHA512
12a6a559b89441983e9aab70f0ea17dc790bc48c7938dd573c888e33811db8fb210539ebebaa6c8f5c04971d72d037be6603de15ea3a1ffc0f5ea3dd5132b4bf

Download Submit
C:\Windows\directx.sys

Filesize
57B

MD5
6b3bfceb3942a9508a2148acbee89007

SHA1
3622ac7466cc40f50515eb6fcdc15d1f34ad3be3

SHA256
e0a7bae2a9ac263cff5d725922e40272d8854278d901233a93a5267859c00a3c

SHA512
fa222bfcade636824af32124b45450c92b1abec7a33e6e647a9248eef5371c127d22ccb7cc5a096b4d5d52e2457f3841293a1b34304e8e5523549856ac02f224

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
f2d9d8bfa7e66046f928920c14a99994

SHA1
aa3f3f7a16b54b65b55c27f862ad1f9169c102d1

SHA256
b6dabbe8027291860a9251351464485a38e600087ffb08f5a030ac82ddfc9010

SHA512
081d8b0f4491e10c23ae1edb8853e23c68be1642d2762f2e3632967f77d152c67ff008ddff1e53608bdc2c8b629abf561b6fca8b0089cedcf1c9a8be21905e21

Download Submit
\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE

Filesize
252KB

MD5
9e2b9928c89a9d0da1d3e8f4bd96afa7

SHA1
ec66cda99f44b62470c6930e5afda061579cde35

SHA256
8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

SHA512
2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_NL Brute 1.2.exe

Filesize
9.3MB

MD5
ad581ec2abb20785ac61234ec270509b

SHA1
4c46f335468f76e5eecd444f55074834725f8fc1

SHA256
ec1ef94580cfeef624d395ca70bb824d4d1522f5e003d4fa1126230ced3795cd

SHA512
b9ad5ebdfd5f9069a8e9be9d12cf5fa6ab0ad21d1c428114414a9253e3768f6029352a6b4cb4b1de48f092827e4d8cae4bbd5cfaa90cfd9d0c721f238ce29ad1

Download Submit
memory/264-440-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/632-441-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/748-358-0x0000000000400000-0x0000000000D53000-memory.dmp

Filesize
9.3MB

Download
memory/992-297-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1316-380-0x0000000000400000-0x0000000000D53000-memory.dmp

Filesize
9.3MB

Download
memory/1372-330-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1392-283-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1412-298-0x0000000000400000-0x0000000000C8D000-memory.dmp

Filesize
8.6MB

Download
memory/1480-287-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1484-313-0x0000000000400000-0x0000000000C8D000-memory.dmp

Filesize
8.6MB

Download
memory/1516-410-0x0000000000400000-0x0000000000D53000-memory.dmp

Filesize
9.3MB

Download
memory/1608-255-0x0000000000400000-0x0000000000E1A000-memory.dmp

Filesize
10.1MB

Download
memory/1628-118-0x0000000005C90000-0x0000000007530000-memory.dmp

Filesize
24.6MB

Download
memory/1628-240-0x0000000005C90000-0x0000000007530000-memory.dmp

Filesize
24.6MB

Download
memory/1628-117-0x0000000000400000-0x0000000000C8D000-memory.dmp

Filesize
8.6MB

Download
memory/1708-419-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1736-415-0x0000000000400000-0x0000000000D53000-memory.dmp

Filesize
9.3MB

Download
memory/1744-451-0x0000000000400000-0x0000000001C9F400-memory.dmp

Filesize
24.6MB

Download
memory/1760-382-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1772-405-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1776-276-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1800-226-0x0000000000400000-0x0000000000D53000-memory.dmp

Filesize
9.3MB

Download
memory/1844-337-0x0000000000400000-0x0000000000D53000-memory.dmp

Filesize
9.3MB

Download
memory/1864-336-0x0000000000400000-0x0000000000D53000-memory.dmp

Filesize
9.3MB

Download
memory/1920-394-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1936-324-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1964-102-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2040-355-0x0000000000400000-0x0000000000D53000-memory.dmp

Filesize
9.3MB

Download
memory/2044-395-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2104-354-0x0000000000400000-0x0000000001C9F400-memory.dmp

Filesize
24.6MB

Download
memory/2104-120-0x0000000000400000-0x0000000001C9F400-memory.dmp

Filesize
24.6MB

Download
memory/2104-250-0x0000000000400000-0x0000000001C9F400-memory.dmp

Filesize
24.6MB

Download
memory/2104-449-0x0000000000400000-0x0000000001C9F400-memory.dmp

Filesize
24.6MB

Download
memory/2188-379-0x0000000000400000-0x0000000000C8D000-memory.dmp

Filesize
8.6MB

Download
memory/2216-448-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2216-241-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2216-347-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2228-457-0x0000000000400000-0x0000000000D53000-memory.dmp

Filesize
9.3MB

Download
memory/2248-456-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2268-374-0x0000000000400000-0x0000000000C8D000-memory.dmp

Filesize
8.6MB

Download
memory/2308-271-0x0000000000400000-0x0000000000C8D000-memory.dmp

Filesize
8.6MB

Download
memory/2308-265-0x0000000005E30000-0x00000000076D0000-memory.dmp

Filesize
24.6MB

Download
memory/2324-307-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2344-430-0x0000000000400000-0x0000000000C8D000-memory.dmp

Filesize
8.6MB

Download
memory/2348-242-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2404-140-0x0000000000400000-0x0000000000E1A000-memory.dmp

Filesize
10.1MB

Download
memory/2420-238-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2428-447-0x0000000000400000-0x0000000001C9F400-memory.dmp

Filesize
24.6MB

Download
memory/2452-294-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2504-282-0x0000000000400000-0x0000000000D53000-memory.dmp

Filesize
9.3MB

Download
memory/2516-417-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2548-233-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2556-72-0x0000000000400000-0x0000000000D53000-memory.dmp

Filesize
9.3MB

Download
memory/2568-116-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2612-353-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2636-357-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2664-450-0x0000000000400000-0x0000000001C9F400-memory.dmp

Filesize
24.6MB

Download
memory/2664-369-0x0000000000400000-0x0000000001C9F400-memory.dmp

Filesize
24.6MB

Download
memory/2712-411-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2712-214-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2712-293-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2804-446-0x0000000000400000-0x0000000000D53000-memory.dmp

Filesize
9.3MB

Download
memory/2836-89-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2856-295-0x0000000000400000-0x0000000000C8D000-memory.dmp

Filesize
8.6MB

Download
memory/2864-375-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2896-373-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2980-46-0x0000000000400000-0x0000000000E1A000-memory.dmp

Filesize
10.1MB

Download
memory/2980-0-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/3040-249-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download