Malware analysis cache.exe Malicious activity | ANY.RUN

Add for printing

File name:	cache.exe
Full analysis:	https://app.any.run/tasks/fb143b36-d011-456a-981c-09aad66401ad
Verdict:	Malicious activity
Analysis date:	May 02, 2024, 19:53:37
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:	pykspa evasion leak service-scan persistence
Indicators:
MIME:	application/x-dosexec
File info:	PE32 executable (GUI) Intel 80386, for MS Windows
MD5:	BF78AC2C1076B63B14BF63F93266DAAF
SHA1:	C5BA1F3953D3D6361F8B2A4FCEB2BE3BDC617359
SHA256:	56A4EBDE6F5146038418753B4374F02D5B0B1DC590103B96012A98A446F2AC74
SSDEEP:	24576:0QbPRgBoCss4ROxLeW8pe2fQg41fSvIc+rW0abJ077n:0QTRgBoCss4ROxKW8pe2og41fSgc+rWe

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.0.9600.19596 KB4534251
Adobe Acrobat Reader DC (20.013.20064)
Adobe Acrobat Reader DC (20.013.20064)
Adobe Flash Player 32 ActiveX (32.0.0.453)
Adobe Flash Player 32 ActiveX (32.0.0.453)
Adobe Flash Player 32 NPAPI (32.0.0.453)
Adobe Flash Player 32 NPAPI (32.0.0.453)
Adobe Flash Player 32 PPAPI (32.0.0.453)
Adobe Flash Player 32 PPAPI (32.0.0.453)
Adobe Refresh Manager (1.8.0)
Adobe Refresh Manager (1.8.0)
CCleaner (6.14)
CCleaner (6.14)
FileZilla 3.65.0 (3.65.0)
FileZilla 3.65.0 (3.65.0)
Google Chrome (109.0.5414.120)
Google Chrome (109.0.5414.120)
Google Update Helper (1.3.36.31)
Google Update Helper (1.3.36.31)
Java 8 Update 271 (8.0.2710.9)
Java 8 Update 271 (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Java Auto Updater (2.8.271.9)
Microsoft .NET Framework 4.8 (4.8.03761)
Microsoft .NET Framework 4.8 (4.8.03761)
Microsoft .NET Framework 4.8 (4.8.03761)
Microsoft .NET Framework 4.8 (4.8.03761)
Microsoft Edge (109.0.1518.115)
Microsoft Edge (109.0.1518.115)
Microsoft Edge Update (1.3.175.29)
Microsoft Edge Update (1.3.175.29)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Access MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Excel MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Groove MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Groove MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (French) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (French) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (German) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (German) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office InfoPath MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Language Pack 2010 - French/Français (14.0.4763.1000)
Microsoft Office Language Pack 2010 - French/Français (14.0.4763.1000)
Microsoft Office Language Pack 2010 - German/Deutsch (14.0.4763.1000)
Microsoft Office Language Pack 2010 - German/Deutsch (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Italian/Italiano (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Italian/Italiano (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Japanese/日本語 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Japanese/日本語 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Korean/한국어 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Korean/한국어 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Portuguese/Português (Brasil) (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Portuguese/Português (Brasil) (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Russian/русский (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Russian/русский (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Spanish/Español (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Spanish/Español (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Turkish/Türkçe (14.0.4763.1013)
Microsoft Office Language Pack 2010 - Turkish/Türkçe (14.0.4763.1013)
Microsoft Office O MUI (French) 2010 (14.0.4763.1000)
Microsoft Office O MUI (French) 2010 (14.0.4763.1000)
Microsoft Office O MUI (German) 2010 (14.0.4763.1000)
Microsoft Office O MUI (German) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office O MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (French) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (French) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (German) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (German) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office OneNote MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Outlook MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (French) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (French) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (German) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (German) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office PowerPoint MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Proof (Arabic) 2010 (14.0.4763.1000)
Microsoft Office Proof (Arabic) 2010 (14.0.4763.1000)
Microsoft Office Proof (Basque) 2010 (14.0.4763.1000)
Microsoft Office Proof (Basque) 2010 (14.0.4763.1000)
Microsoft Office Proof (Catalan) 2010 (14.0.4763.1000)
Microsoft Office Proof (Catalan) 2010 (14.0.4763.1000)
Microsoft Office Proof (Dutch) 2010 (14.0.4763.1000)
Microsoft Office Proof (Dutch) 2010 (14.0.4763.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (Galician) 2010 (14.0.4763.1000)
Microsoft Office Proof (Galician) 2010 (14.0.4763.1000)
Microsoft Office Proof (German) 2010 (14.0.4763.1000)
Microsoft Office Proof (German) 2010 (14.0.4763.1000)
Microsoft Office Proof (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proof (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proof (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proof (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proof (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proof (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proof (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proof (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proof (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proof (Ukrainian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Ukrainian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Proofing (French) 2010 (14.0.4763.1000)
Microsoft Office Proofing (French) 2010 (14.0.4763.1000)
Microsoft Office Proofing (German) 2010 (14.0.4763.1000)
Microsoft Office Proofing (German) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proofing (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Publisher MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office SharePoint Designer MUI (French) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (French) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (German) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (German) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office SharePoint Designer MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Word MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Word MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office X MUI (French) 2010 (14.0.4763.1000)
Microsoft Office X MUI (French) 2010 (14.0.4763.1000)
Microsoft Office X MUI (German) 2010 (14.0.4763.1000)
Microsoft Office X MUI (German) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office X MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x86 en-US) (115.0.2)
Mozilla Firefox (x86 en-US) (115.0.2)
Mozilla Maintenance Service (115.0.2)
Mozilla Maintenance Service (115.0.2)
Notepad++ (32-bit x86) (7.9.1)
Notepad++ (32-bit x86) (7.9.1)
PowerShell 7-x86 (7.2.11.0)
PowerShell 7-x86 (7.2.11.0)
Skype version 8.110 (8.110)
Skype version 8.110 (8.110)
Update for Microsoft .NET Framework 4.8 (KB4503575) (1)
Update for Microsoft .NET Framework 4.8 (KB4503575) (1)
VLC media player (3.0.11)
VLC media player (3.0.11)
WinRAR 5.91 (32-bit) (5.91.0)
WinRAR 5.91 (32-bit) (5.91.0)

Add for printing

MALICIOUS
- Drops the executable file immediately after the start
  - cache.exe (PID: 3968)
  - gegcazmfdfb.exe (PID: 4028)
  - gegcazmfdfb.exe (PID: 2224)
- UAC/LUA settings modification
  - gegcazmfdfb.exe (PID: 4028)
  - ccors.exe (PID: 4064)
  - ccors.exe (PID: 4072)
  - regedit.exe (PID: 312)
  - gegcazmfdfb.exe (PID: 2224)
  - ccors.exe (PID: 2364)
  - ccors.exe (PID: 2356)
  - gegcazmfdfb.exe (PID: 3252)
- Changes the login/logoff helper path in the registry
  - gegcazmfdfb.exe (PID: 4028)
  - ccors.exe (PID: 4064)
  - ccors.exe (PID: 4072)
  - gegcazmfdfb.exe (PID: 2224)
  - ccors.exe (PID: 2364)
  - ccors.exe (PID: 2356)
  - gegcazmfdfb.exe (PID: 3252)
- Changes appearance of the Explorer extensions
  - gegcazmfdfb.exe (PID: 4028)
  - ccors.exe (PID: 4064)
  - ccors.exe (PID: 4072)
  - gegcazmfdfb.exe (PID: 2224)
  - ccors.exe (PID: 2356)
  - ccors.exe (PID: 2364)
- Changes the autorun value in the registry
  - gegcazmfdfb.exe (PID: 4028)
  - ccors.exe (PID: 4064)
  - ccors.exe (PID: 4072)
  - gegcazmfdfb.exe (PID: 2224)
  - ccors.exe (PID: 2356)
  - ccors.exe (PID: 2364)
  - gegcazmfdfb.exe (PID: 3252)
- Creates a writable file in the system directory
  - ccors.exe (PID: 4064)
  - gegcazmfdfb.exe (PID: 2224)
  - ccors.exe (PID: 2356)
- Modify registry editing tools (regedit)
  - ccors.exe (PID: 2356)
  - ccors.exe (PID: 2364)
- Deletes the SafeBoot registry key
  - ccors.exe (PID: 2356)
SUSPICIOUS
- Executable content was dropped or overwritten
  - cache.exe (PID: 3968)
  - gegcazmfdfb.exe (PID: 4028)
  - gegcazmfdfb.exe (PID: 2224)
- Reads the Internet Settings
  - cache.exe (PID: 3968)
  - gegcazmfdfb.exe (PID: 4028)
  - ccors.exe (PID: 4064)
  - sipnotify.exe (PID: 1632)
  - csunebrmkfqykqyhevlng.exe (PID: 2128)
  - zkhvhzkatjpszadh.exe (PID: 2144)
  - gegcazmfdfb.exe (PID: 2224)
- Reads security settings of Internet Explorer
  - cache.exe (PID: 3968)
  - gegcazmfdfb.exe (PID: 4028)
  - ccors.exe (PID: 4064)
  - zkhvhzkatjpszadh.exe (PID: 2144)
  - csunebrmkfqykqyhevlng.exe (PID: 2128)
  - gegcazmfdfb.exe (PID: 2224)
- The process executes via Task Scheduler
  - sipnotify.exe (PID: 1632)
  - ctfmon.exe (PID: 1548)
- Reads settings of System Certificates
  - sipnotify.exe (PID: 1632)
- Potential Corporate Privacy Violation
  - ccors.exe (PID: 2356)
- Reads the date of Windows installation
  - pwsh.exe (PID: 2712)
- Checks for external IP
  - ccors.exe (PID: 2356)
- Suspected information leak
  - ccors.exe (PID: 2356)
INFO
- Reads the computer name
  - cache.exe (PID: 3968)
  - gegcazmfdfb.exe (PID: 4028)
  - ccors.exe (PID: 4072)
  - ccors.exe (PID: 4064)
  - IMEKLMG.EXE (PID: 2108)
  - IMEKLMG.EXE (PID: 2100)
  - csunebrmkfqykqyhevlng.exe (PID: 2128)
  - zkhvhzkatjpszadh.exe (PID: 2144)
  - gegcazmfdfb.exe (PID: 2216)
  - gegcazmfdfb.exe (PID: 2224)
  - ccors.exe (PID: 2356)
  - ccors.exe (PID: 2364)
  - wmpnscfg.exe (PID: 2504)
  - wmpnscfg.exe (PID: 2532)
  - pwsh.exe (PID: 2712)
  - gegcazmfdfb.exe (PID: 3252)
- Create files in a temporary directory
  - cache.exe (PID: 3968)
  - gegcazmfdfb.exe (PID: 4028)
  - ccors.exe (PID: 4064)
  - gegcazmfdfb.exe (PID: 2224)
  - ccors.exe (PID: 2356)
- Checks supported languages
  - cache.exe (PID: 3968)
  - gegcazmfdfb.exe (PID: 4028)
  - ccors.exe (PID: 4064)
  - ccors.exe (PID: 4072)
  - IMEKLMG.EXE (PID: 2100)
  - IMEKLMG.EXE (PID: 2108)
  - csunebrmkfqykqyhevlng.exe (PID: 2128)
  - zkhvhzkatjpszadh.exe (PID: 2144)
  - gegcazmfdfb.exe (PID: 2216)
  - gegcazmfdfb.exe (PID: 2224)
  - ccors.exe (PID: 2356)
  - ccors.exe (PID: 2364)
  - wmpnscfg.exe (PID: 2504)
  - pwsh.exe (PID: 2712)
  - wmpnscfg.exe (PID: 2532)
  - gegcazmfdfb.exe (PID: 3252)
- Process checks whether UAC notifications are on
  - gegcazmfdfb.exe (PID: 4028)
  - ccors.exe (PID: 4064)
  - ccors.exe (PID: 4072)
  - IMEKLMG.EXE (PID: 2100)
  - IMEKLMG.EXE (PID: 2108)
  - gegcazmfdfb.exe (PID: 2224)
  - ccors.exe (PID: 2356)
  - ccors.exe (PID: 2364)
  - gegcazmfdfb.exe (PID: 3252)
- Creates files or folders in the user directory
  - ccors.exe (PID: 4064)
  - ccors.exe (PID: 2356)
- Manual execution by a user
  - IMEKLMG.EXE (PID: 2108)
  - csunebrmkfqykqyhevlng.exe (PID: 2128)
  - zkhvhzkatjpszadh.exe (PID: 2144)
  - IMEKLMG.EXE (PID: 2100)
  - wmpnscfg.exe (PID: 2532)
  - wmpnscfg.exe (PID: 2504)
  - pwsh.exe (PID: 2712)
- Reads security settings of Internet Explorer
  - sipnotify.exe (PID: 1632)
- Reads the software policy settings
  - sipnotify.exe (PID: 1632)
- Creates files in the program directory
  - ccors.exe (PID: 2356)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Win32 Executable MS Visual C++ (generic) (42.2)
.exe	\|	Win64 Executable (generic) (37.3)
.dll	\|	Win32 Dynamic Link Library (generic) (8.8)
.exe	\|	Win32 Executable (generic) (6)
.exe	\|	Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2009:03:19 17:31:48+00:00
ImageFileCharacteristics:	No relocs, Executable, No line numbers, No symbols, 32-bit
PEType:	PE32
LinkerVersion:	7.1
CodeSize:	20480
InitializedDataSize:	573440
UninitializedDataSize:	-
EntryPoint:	0x1ff5
OSVersion:	4
ImageVersion:	-
SubsystemVersion:	4
Subsystem:	Windows GUI

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

103

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

112

"regedit.exe" "C:\Users\admin\AppData\Local\Temp\zevdjvakxh.reg"

C:\Windows\regedit.exe

—

ccors.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Registry Editor

Exit code:

3221226540

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\regedit.exe
c:\windows\system32\ntdll.dll

312

"regedit.exe" "C:\Users\admin\AppData\Local\Temp\zevdjvakxh.reg"

C:\Windows\regedit.exe

ccors.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Registry Editor

Exit code:

1073807364

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\regedit.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll

1548

C:\Windows\System32\ctfmon.exe

—

taskeng.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

CTF Loader

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\ctfmon.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\msctfmonitor.dll
c:\windows\system32\msctf.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll

1632

C:\Windows\system32\sipnotify.exe -LogonOrUnlock

C:\Windows\System32\sipnotify.exe

taskeng.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

sipnotify

Exit code:

Version:

6.1.7602.20480 (win7sp1_ldr_escrow.191010-1716)

Modules

Images
c:\windows\system32\sipnotify.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll

2100

"C:\Program Files\Common Files\microsoft shared\IME14\SHARED\IMEKLMG.EXE" /SetPreload /JPN /Log

C:\Program Files\Common Files\microsoft shared\IME14\SHARED\IMEKLMG.EXE

—

explorer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Microsoft Office IME 2010

Exit code:

Version:

14.0.4734.1000

Modules

Images
c:\program files\common files\microsoft shared\ime14\shared\imeklmg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\userenv.dll

2108

"C:\Program Files\Common Files\microsoft shared\IME14\SHARED\IMEKLMG.EXE" /SetPreload /KOR /Log

C:\Program Files\Common Files\microsoft shared\IME14\SHARED\IMEKLMG.EXE

—

explorer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Microsoft Office IME 2010

Exit code:

Version:

14.0.4734.1000

Modules

Images
c:\program files\common files\microsoft shared\ime14\shared\imeklmg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\userenv.dll

2128

"C:\Users\admin\AppData\Local\Temp\csunebrmkfqykqyhevlng.exe"

C:\Users\admin\AppData\Local\Temp\csunebrmkfqykqyhevlng.exe

—

explorer.exe

User:

admin

Integrity Level:

HIGH

Modules

Images
c:\users\admin\appdata\local\temp\csunebrmkfqykqyhevlng.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll

2144

"C:\Users\admin\AppData\Local\Temp\zkhvhzkatjpszadh.exe" .

C:\Users\admin\AppData\Local\Temp\zkhvhzkatjpszadh.exe

—

explorer.exe

User:

admin

Integrity Level:

HIGH

Exit code:

Modules

Images
c:\users\admin\appdata\local\temp\zkhvhzkatjpszadh.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll

2216

"C:\Users\admin\AppData\Local\Temp\gegcazmfdfb.exe" "c:\users\admin\appdata\local\temp\zkhvhzkatjpszadh.exe*."

C:\Users\admin\AppData\Local\Temp\gegcazmfdfb.exe

—

zkhvhzkatjpszadh.exe

User:

admin

Integrity Level:

HIGH

Exit code:

Modules

Images
c:\users\admin\appdata\local\temp\gegcazmfdfb.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll

2224

"C:\Users\admin\AppData\Local\Temp\gegcazmfdfb.exe" "c:\users\admin\appdata\local\temp\csunebrmkfqykqyhevlng.exe*"

C:\Users\admin\AppData\Local\Temp\gegcazmfdfb.exe

csunebrmkfqykqyhevlng.exe

User:

admin

Integrity Level:

HIGH

Exit code:

Modules

Images
c:\users\admin\appdata\local\temp\gegcazmfdfb.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll

Add for printing

Total events

29 753

Read events

28 309

Write events

1 378

Delete events

Modification events


(PID) Process:	(3968) cache.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1
(PID) Process:	(3968) cache.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	IntranetName
Value: 1
(PID) Process:	(3968) cache.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	UNCAsIntranet
Value: 1
(PID) Process:	(3968) cache.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	AutoDetect
Value: 0
(PID) Process:	(4028) gegcazmfdfb.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Operation:	write	Name:	EnableLUA
Value: 0
(PID) Process:	(4028) gegcazmfdfb.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Operation:	write	Name:	Shell
Value: Explorer.exe
(PID) Process:	(4028) gegcazmfdfb.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:	write	Name:	acqvyhj
Value: gsqfslxoizgksuydw.exe
(PID) Process:	(4028) gegcazmfdfb.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Operation:	write	Name:	pshnrbem
Value: gsqfslxoizgksuydw.exe .
(PID) Process:	(4028) gegcazmfdfb.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Operation:	write	Name:	zevdjvakxh
Value: aoofupdwsluakoubwlz.exe
(PID) Process:	(4028) gegcazmfdfb.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
Operation:	write	Name:	uasbivbmalm
Value: aoofupdwsluakoubwlz.exe .

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
4064	ccors.exe	C:\Users\admin\AppData\Local\VirtualStore\Program Files\mkuvuzxagjcsmaqhmljtutywz.ibr		—
		MD5:—	SHA256:—
4064	ccors.exe	C:\Users\admin\AppData\Local\mkuvuzxagjcsmaqhmljtutywz.ibr		—
		MD5:—	SHA256:—
4064	ccors.exe	C:\Users\admin\AppData\Local\VirtualStore\Windows\mkuvuzxagjcsmaqhmljtutywz.ibr		—
		MD5:—	SHA256:—
4064	ccors.exe	C:\Users\admin\AppData\Local\Temp\mkuvuzxagjcsmaqhmljtutywz.ibr		—
		MD5:—	SHA256:—
3968	cache.exe	C:\Users\admin\AppData\Local\Temp\gegcazmfdfb.exe		executable
		MD5:85CB856B920E7B0B7B75115336FC2AF2	SHA256:6FFF20AABE8265B6E811C9DBCB987F9C15CF07D1D8B80CED7B287D96900F5C62
4028	gegcazmfdfb.exe	C:\Users\admin\AppData\Local\Temp\ccors.exe		executable
		MD5:85CB856B920E7B0B7B75115336FC2AF2	SHA256:6FFF20AABE8265B6E811C9DBCB987F9C15CF07D1D8B80CED7B287D96900F5C62
4064	ccors.exe	C:\Users\admin\AppData\Local\VirtualStore\Windows\System32\mkuvuzxagjcsmaqhmljtutywz.ibr		binary
		MD5:9D227DC2C69211BA2AFD9D295E609FBC	SHA256:EE801F176E5E3ADF7902A06FAE3E4B653A083CA72E99C1694B9FB0CA1888629A
2224	gegcazmfdfb.exe	C:\Windows\system32\gsqfslxoizgksuydw.exe		executable
		MD5:BF78AC2C1076B63B14BF63F93266DAAF	SHA256:56A4EBDE6F5146038418753B4374F02D5B0B1DC590103B96012A98A446F2AC74
2224	gegcazmfdfb.exe	C:\Windows\system32\csunebrmkfqykqyhevlng.exe		executable
		MD5:BF78AC2C1076B63B14BF63F93266DAAF	SHA256:56A4EBDE6F5146038418753B4374F02D5B0B1DC590103B96012A98A446F2AC74
2224	gegcazmfdfb.exe	C:\Windows\system32\aoofupdwsluakoubwlz.exe		executable
		MD5:BF78AC2C1076B63B14BF63F93266DAAF	SHA256:56A4EBDE6F5146038418753B4374F02D5B0B1DC590103B96012A98A446F2AC74

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
1632	sipnotify.exe	HEAD	200	104.64.171.144:80	http://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE2JgkA?v=133591569151400000	unknown	—	—	unknown
2356	ccors.exe	GET	403	104.19.223.79:80	http://whatismyipaddress.com/	unknown	—	—	unknown
2356	ccors.exe	GET	301	104.27.206.92:80	http://www.whatismyip.com/	unknown	—	—	unknown
2356	ccors.exe	GET	301	104.27.206.92:80	http://www.whatismyip.com/	unknown	—	—	unknown
2356	ccors.exe	GET	301	188.114.96.3:80	http://www.showmyipaddress.com/	unknown	—	—	unknown
2356	ccors.exe	GET	301	188.114.96.3:80	http://www.showmyipaddress.com/	unknown	—	—	unknown
2356	ccors.exe	GET	403	104.19.223.79:80	http://whatismyipaddress.com/	unknown	—	—	unknown
2356	ccors.exe	GET	—	104.27.206.92:80	http://www.whatismyip.com/	unknown	—	—	unknown
2356	ccors.exe	GET	301	104.27.206.92:80	http://www.whatismyip.com/	unknown	—	—	unknown

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
1088	svchost.exe	224.0.0.252:5355	—	—	—	unknown
—	—	224.0.0.252:5355	—	—	—	unknown
1468	svchost.exe	239.255.255.250:3702	—	—	—	unknown
1112	svchost.exe	224.0.0.252:5355	—	—	—	unknown
1632	sipnotify.exe	104.64.171.144:80	query.prod.cms.rt.microsoft.com	AKAMAI-AS	CZ	unknown
2356	ccors.exe	49.13.77.253:80	www.whatismyip.ca	Hetzner Online GmbH	DE	unknown
2356	ccors.exe	104.19.223.79:80	whatismyipaddress.com	CLOUDFLARENET	—	unknown
2356	ccors.exe	104.27.206.92:80	www.whatismyip.com	CLOUDFLARENET	US	unknown

DNS requests

Domain	IP	Reputation
query.prod.cms.rt.microsoft.com	104.64.171.144	whitelisted
www.whatismyip.ca	49.13.77.253	malicious
dns.msftncsi.com	131.107.255.255	shared
whatismyipaddress.com	104.19.223.79 104.19.222.79	shared
www.whatismyip.com	104.27.206.92 104.27.207.92	shared
www.showmyipaddress.com	188.114.96.3 188.114.97.3	malicious
aka.ms	2.20.158.181	whitelisted
pscoretestdata.blob.core.windows.net	52.239.160.36	unknown

Threats

PID	Process	Class	Message
2356	ccors.exe	A Network Trojan was detected	ET MALWARE Win32/Pykspa.C Public IP Check
—	—	A Network Trojan was detected	ET MALWARE Win32/Pykspa.C Public IP Check
—	—	Attempted Information Leak	ET POLICY IP Check Domain (whatismyip in HTTP Host)
2356	ccors.exe	Potential Corporate Privacy Violation	ET POLICY IP Check Domain (showmyipaddress .com in HTTP Host)
—	—	A Network Trojan was detected	ET MALWARE Win32/Pykspa.C Public IP Check
2356	ccors.exe	A Network Trojan was detected	ET MALWARE Win32/Pykspa.C Public IP Check
2356	ccors.exe	Potential Corporate Privacy Violation	ET POLICY IP Check Domain (showmyipaddress .com in HTTP Host)
2356	ccors.exe	A Network Trojan was detected	ET MALWARE Win32/Pykspa.C Public IP Check
2356	ccors.exe	A Network Trojan was detected	ET MALWARE Win32/Pykspa.C Public IP Check
2356	ccors.exe	Attempted Information Leak	ET POLICY IP Check Domain (whatismyip in HTTP Host)

2 ETPRO signatures available at the full report

Add for printing

No debug info

General Info

cache.exe

BF78AC2C1076B63B14BF63F93266DAAF

C5BA1F3953D3D6361F8B2A4FCEB2BE3BDC617359

56A4EBDE6F5146038418753B4374F02D5B0B1DC590103B96012A98A446F2AC74

24576:0QbPRgBoCss4ROxLeW8pe2fQg41fSvIc+rW0abJ077n:0QTRgBoCss4ROxKW8pe2og41fSgc+rWe

Software environment set and analysis options

Launch configuration

Software preset

Behavior activities

MALICIOUS

Drops the executable file immediately after the start

UAC/LUA settings modification

Changes the login/logoff helper path in the registry

Changes appearance of the Explorer extensions

Changes the autorun value in the registry

Creates a writable file in the system directory

Modify registry editing tools (regedit)

Deletes the SafeBoot registry key

SUSPICIOUS

Executable content was dropped or overwritten

Reads the Internet Settings

Reads security settings of Internet Explorer

The process executes via Task Scheduler

Reads settings of System Certificates

Potential Corporate Privacy Violation

Reads the date of Windows installation

Checks for external IP

Suspected information leak

INFO

Reads the computer name

Create files in a temporary directory

Checks supported languages

Process checks whether UAC notifications are on

Creates files or folders in the user directory

Manual execution by a user

Reads security settings of Internet Explorer

Reads the software policy settings

Creates files in the program directory

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings