neshta | 41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f

Analysis

max time kernel
21s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
15/06/2024, 20:50

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe
Size

2.5MB
MD5

690ddd392e73000de2f1524ef21b377b
SHA1

a28425a36562a41b727440746b3a9f02e64ec517
SHA256

41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f
SHA512

19ed296326b2db53badfd1885040f67fdf3074d7876b660cb9547bd83c597b12da9153c6e62f249ecd5b54ffcbfb633f27e40989546357021229f5c05bf27dff
SSDEEP

49152:JHyjtk2MYC5GDVHyjtk2MYC5GDNHyjtk2MYC5GDBnanhn9:Jmtk2acmtk2aEmtk2aCnanhn9

Score

10^/10

neshta persistence spyware

Malware Config

Signatures

Detect Neshta payload 64 IoCs

resource	yara_rule
behavioral2/files/0x0008000000023247-4.dat	family_neshta
behavioral2/memory/4068-13-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/files/0x000800000002324c-17.dat	family_neshta
behavioral2/memory/2448-118-0x0000000000400000-0x0000000000674000-memory.dmp	family_neshta
behavioral2/files/0x0007000000023251-120.dat	family_neshta
behavioral2/files/0x000800000002324a-125.dat	family_neshta
behavioral2/files/0x0004000000009f86-135.dat	family_neshta
behavioral2/memory/4844-163-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/1576-202-0x0000000000400000-0x00000000005AD000-memory.dmp	family_neshta
behavioral2/files/0x0007000000023253-201.dat	family_neshta
behavioral2/memory/2876-223-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/files/0x0007000000023255-227.dat	family_neshta
behavioral2/memory/4384-236-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4772-244-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4068-246-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4188-273-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2152-305-0x0000000000400000-0x0000000000674000-memory.dmp	family_neshta
behavioral2/memory/4788-388-0x0000000000400000-0x00000000004E7000-memory.dmp	family_neshta
behavioral2/files/0x0007000000023257-389.dat	family_neshta
behavioral2/memory/1620-379-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/3600-403-0x0000000000400000-0x00000000005AD000-memory.dmp	family_neshta
behavioral2/memory/916-404-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4100-419-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/460-423-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/files/0x0006000000020049-439.dat	family_neshta
behavioral2/files/0x000400000002016d-446.dat	family_neshta
behavioral2/files/0x000400000002017f-449.dat	family_neshta
behavioral2/files/0x00010000000200cb-445.dat	family_neshta
behavioral2/memory/2472-455-0x0000000000400000-0x00000000004E7000-memory.dmp	family_neshta
behavioral2/memory/1912-478-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2144-477-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4924-476-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4404-486-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/1732-487-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/1344-488-0x0000000000400000-0x00000000005AD000-memory.dmp	family_neshta
behavioral2/memory/1752-489-0x0000000000400000-0x00000000005AD000-memory.dmp	family_neshta
behavioral2/memory/1564-562-0x0000000000400000-0x00000000005AD000-memory.dmp	family_neshta
behavioral2/memory/2996-570-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/3772-569-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/1868-553-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4072-571-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/1500-611-0x0000000000400000-0x00000000005AD000-memory.dmp	family_neshta
behavioral2/memory/3600-623-0x0000000000400000-0x00000000005AD000-memory.dmp	family_neshta
behavioral2/memory/3140-624-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/972-642-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4728-643-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/1752-645-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/1340-658-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4816-659-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4708-718-0x0000000000400000-0x00000000004E7000-memory.dmp	family_neshta
behavioral2/memory/4068-729-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/1412-730-0x0000000000400000-0x00000000004E7000-memory.dmp	family_neshta
behavioral2/memory/384-754-0x0000000000400000-0x00000000004E7000-memory.dmp	family_neshta
behavioral2/memory/1784-755-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2752-753-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4480-756-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/368-757-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2884-767-0x0000000000400000-0x00000000004E7000-memory.dmp	family_neshta
behavioral2/memory/4320-816-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/1580-817-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/952-836-0x0000000000400000-0x00000000005AD000-memory.dmp	family_neshta
behavioral2/memory/3024-842-0x0000000000400000-0x00000000005AD000-memory.dmp	family_neshta
behavioral2/memory/2160-857-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2848-856-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	._cache_41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	Synaptics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	_CACHE~1.EXE

Executes dropped EXE 6 IoCs

pid	Process
2448	41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe
4404	._cache_41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe
2152	Synaptics.exe
4844	svchost.com
1576	_CACHE~1.EXE
2876	._cache_Synaptics.exe

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\svchost.com	41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	._cache_41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe
File opened for modification	C:\Windows\svchost.com	._cache_41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe
File opened for modification	C:\Windows\svchost.com	svchost.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 5 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	._cache_41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	_CACHE~1.EXE

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4068 wrote to memory of 2448	4068	41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe	90
PID 4068 wrote to memory of 2448	4068	41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe	90
PID 4068 wrote to memory of 2448	4068	41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe	90
PID 2448 wrote to memory of 4404	2448	41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe	91
PID 2448 wrote to memory of 4404	2448	41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe	91
PID 2448 wrote to memory of 4404	2448	41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe	91
PID 2448 wrote to memory of 2152	2448	41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe	92
PID 2448 wrote to memory of 2152	2448	41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe	92
PID 2448 wrote to memory of 2152	2448	41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe	92
PID 4404 wrote to memory of 4844	4404	._cache_41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe	93
PID 4404 wrote to memory of 4844	4404	._cache_41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe	93
PID 4404 wrote to memory of 4844	4404	._cache_41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe	93
PID 4844 wrote to memory of 1576	4844	svchost.com	94
PID 4844 wrote to memory of 1576	4844	svchost.com	94
PID 4844 wrote to memory of 1576	4844	svchost.com	94
PID 2152 wrote to memory of 2876	2152	Synaptics.exe	95
PID 2152 wrote to memory of 2876	2152	Synaptics.exe	95
PID 2152 wrote to memory of 2876	2152	Synaptics.exe	95

C:\Users\Admin\AppData\Local\Temp\41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe
"C:\Users\Admin\AppData\Local\Temp\41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe"
1⤵
- Checks computer location settings
- Modifies system executable filetype association
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4068
- C:\Users\Admin\AppData\Local\Temp\3582-490\41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe
  "C:\Users\Admin\AppData\Local\Temp\3582-490\41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2448
- - C:\Users\Admin\AppData\Local\Temp\._cache_41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4404
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of WriteProcessMemory
      PID:4844
    - - C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:1576
      - C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"
        6⤵
        
        PID:4772
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE"
        7⤵
        
        PID:4188
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE
        8⤵
        
        PID:4788
        
        C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE"
        9⤵
        
        PID:460
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE"
        10⤵
        
        PID:4100
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE
        11⤵
        
        PID:1464
- - C:\ProgramData\Synaptics\Synaptics.exe
    "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2152
  - - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
      "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
      4⤵
      Executes dropped EXE
      PID:2876
    - - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate
        5⤵
        
        PID:4384
      - C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate
        6⤵
        
        PID:3600
        
        C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate
        7⤵
        
        PID:1620
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE" InjUpdate
        8⤵
        
        PID:916
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE InjUpdate
        9⤵
        
        PID:2472
        
        C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE" InjUpdate
        10⤵
        
        PID:4924
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\._cache__CACHE~1.EXE" InjUpdate
        11⤵
        
        PID:2144
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        10⤵
        
        PID:1752
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        11⤵
        
        PID:1868
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate
        12⤵
        
        PID:2996
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate
        13⤵
        
        PID:3600
        
        C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate
        14⤵
        
        PID:3140
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE" InjUpdate
        15⤵
        
        PID:972
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE InjUpdate
        16⤵
        
        PID:384
        
        C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE" InjUpdate
        17⤵
        
        PID:1784
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE" InjUpdate
        18⤵
        
        PID:4320
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE InjUpdate
        19⤵
        
        PID:412
        
        C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE" InjUpdate
        20⤵
        
        PID:2160
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE" InjUpdate
        21⤵
        
        PID:2848
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE InjUpdate
        22⤵
        
        PID:4208
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        20⤵
        
        PID:4864
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        21⤵
        
        PID:3952
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate
        22⤵
        
        PID:5000
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate
        23⤵
        
        PID:4872
        
        C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate
        24⤵
        
        PID:4988
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE" InjUpdate
        25⤵
        
        PID:4976
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE InjUpdate
        26⤵
        
        PID:1336
        
        C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE" InjUpdate
        27⤵
        
        PID:916
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE" InjUpdate
        28⤵
        
        PID:3704
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE InjUpdate
        29⤵
        
        PID:2852
        
        C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE" InjUpdate
        30⤵
        
        PID:4072
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE" InjUpdate
        31⤵
        
        PID:2024
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE InjUpdate
        32⤵
        
        PID:4028
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        30⤵
        
        PID:868
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        27⤵
        
        PID:4736
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        24⤵
        
        PID:5112
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        25⤵
        
        PID:3004
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\._cache_Synaptics.exe" InjUpdate
        26⤵
        
        PID:2024
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        17⤵
        
        PID:3612
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        14⤵
        
        PID:4384
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        7⤵
        
        PID:1344
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        8⤵
        
        PID:1912
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate
        9⤵
        
        PID:1732
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate
        10⤵
        
        PID:1564
        
        C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate
        11⤵
        
        PID:3772
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE" InjUpdate
        12⤵
        
        PID:4072
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE InjUpdate
        13⤵
        
        PID:4708
        
        C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE" InjUpdate
        14⤵
        
        PID:1340
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE" InjUpdate
        15⤵
        
        PID:4816
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE InjUpdate
        16⤵
        
        PID:2884
        
        C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE" InjUpdate
        17⤵
        
        PID:4480
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE" InjUpdate
        18⤵
        
        PID:368
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE InjUpdate
        19⤵
        
        PID:1668
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        14⤵
        
        PID:1412
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        11⤵
        
        PID:1500
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        12⤵
        
        PID:4728
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate
        13⤵
        
        PID:1752
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate
        14⤵
        
        PID:952
        
        C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate
        15⤵
        
        PID:2752
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE" InjUpdate
        16⤵
        
        PID:1580
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE InjUpdate
        17⤵
        
        PID:4924
        
        C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE" InjUpdate
        18⤵
        
        PID:1340
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE" InjUpdate
        19⤵
        
        PID:3152
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE InjUpdate
        20⤵
        
        PID:1352
        
        C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE" InjUpdate
        21⤵
        
        PID:4632
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE" InjUpdate
        22⤵
        
        PID:224
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE InjUpdate
        23⤵
        
        PID:4308
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        21⤵
        
        PID:4736
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        22⤵
        
        PID:2108
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate
        23⤵
        
        PID:2228
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate
        24⤵
        
        PID:4852
        
        C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate
        25⤵
        
        PID:1120
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE" InjUpdate
        26⤵
        
        PID:3408
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE InjUpdate
        27⤵
        
        PID:1684
        
        C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE" InjUpdate
        28⤵
        
        PID:1476
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE" InjUpdate
        29⤵
        
        PID:1212
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE InjUpdate
        30⤵
        
        PID:4844
        
        C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE" InjUpdate
        31⤵
        
        PID:4632
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE" InjUpdate
        32⤵
        
        PID:4168
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE InjUpdate
        33⤵
        
        PID:984
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        31⤵
        
        PID:1148
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        32⤵
        
        PID:4988
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate
        33⤵
        
        PID:3140
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate
        34⤵
        
        PID:1556
        
        C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate
        35⤵
        
        PID:4036
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE" InjUpdate
        36⤵
        
        PID:4500
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE InjUpdate
        37⤵
        
        PID:1408
        
        C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE" InjUpdate
        38⤵
        
        PID:224
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\._cache__CACHE~1.EXE" InjUpdate
        39⤵
        
        PID:1664
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        38⤵
        
        PID:3336
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        39⤵
        
        PID:5112
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate
        40⤵
        
        PID:1196
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate
        41⤵
        
        PID:752
        
        C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate
        42⤵
        
        PID:5072
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE" InjUpdate
        43⤵
        
        PID:1356
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE InjUpdate
        44⤵
        
        PID:3000
        
        C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE" InjUpdate
        45⤵
        
        PID:216
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE" InjUpdate
        46⤵
        
        PID:4600
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE InjUpdate
        47⤵
        
        PID:4056
        
        C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE" InjUpdate
        48⤵
        
        PID:1796
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate
        49⤵
        
        PID:4560
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate
        50⤵
        
        PID:4980
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        42⤵
        
        PID:4532
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        43⤵
        
        PID:3800
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate
        44⤵
        
        PID:1580
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate
        45⤵
        
        PID:3600
        
        C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate
        46⤵
        
        PID:368
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE" InjUpdate
        47⤵
        
        PID:1692
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE InjUpdate
        48⤵
        
        PID:1556
        
        C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE" InjUpdate
        49⤵
        
        PID:3336
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE" InjUpdate
        50⤵
        
        PID:1608
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE InjUpdate
        51⤵
        
        PID:3508
        
        C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE" InjUpdate
        52⤵
        
        PID:2068
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate
        53⤵
        
        PID:3192
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate
        54⤵
        
        PID:2516
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        46⤵
        
        PID:4496
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        47⤵
        
        PID:1868
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate
        48⤵
        
        PID:2108
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate
        49⤵
        
        PID:3780
        
        C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate
        50⤵
        
        PID:1112
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE" InjUpdate
        51⤵
        
        PID:3792
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE InjUpdate
        52⤵
        
        PID:2932
        
        C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE" InjUpdate
        53⤵
        
        PID:1356
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE" InjUpdate
        54⤵
        
        PID:4580
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE InjUpdate
        55⤵
        
        PID:1352
        
        C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE" InjUpdate
        56⤵
        
        PID:1668
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate
        57⤵
        
        PID:1912
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate
        58⤵
        
        PID:5096
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        50⤵
        
        PID:1412
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        35⤵
        
        PID:2740
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        36⤵
        
        PID:5068
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate
        37⤵
        
        PID:648
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate
        38⤵
        
        PID:1336
        
        C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate
        39⤵
        
        PID:3140
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE" InjUpdate
        40⤵
        
        PID:952
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE InjUpdate
        41⤵
        
        PID:4268
        
        C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE" InjUpdate
        42⤵
        
        PID:1456
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE" InjUpdate
        43⤵
        
        PID:4036
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE InjUpdate
        44⤵
        
        PID:3268
        
        C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE" InjUpdate
        45⤵
        
        PID:3772
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate
        46⤵
        
        PID:3156
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate
        47⤵
        
        PID:2704
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        39⤵
        
        PID:4868
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        40⤵
        
        PID:2108
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate
        41⤵
        
        PID:1312
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate
        42⤵
        
        PID:4604
        
        C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate
        43⤵
        
        PID:2904
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE" InjUpdate
        44⤵
        
        PID:3720
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE InjUpdate
        45⤵
        
        PID:3620
        
        C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE" InjUpdate
        46⤵
        
        PID:3384
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE" InjUpdate
        47⤵
        
        PID:3612
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE InjUpdate
        48⤵
        
        PID:2752
        
        C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE" InjUpdate
        49⤵
        
        PID:2144
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate
        50⤵
        
        PID:4600
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate
        51⤵
        
        PID:3420
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        43⤵
        
        PID:4552
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        44⤵
        
        PID:2612
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate
        45⤵
        
        PID:4412
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate
        46⤵
        
        PID:3920
        
        C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate
        47⤵
        
        PID:1120
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE" InjUpdate
        48⤵
        
        PID:2752
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE InjUpdate
        49⤵
        
        PID:2448
        
        C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE" InjUpdate
        50⤵
        
        PID:1476
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE" InjUpdate
        51⤵
        
        PID:1548
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE InjUpdate
        52⤵
        
        PID:504
        
        C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE" InjUpdate
        53⤵
        
        PID:4500
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate
        54⤵
        
        PID:3800
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate
        55⤵
        
        PID:2500
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        47⤵
        
        PID:4084
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        48⤵
        
        PID:496
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate
        49⤵
        
        PID:3800
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        28⤵
        
        PID:1912
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        29⤵
        
        PID:2308
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        25⤵
        
        PID:504
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        18⤵
        
        PID:4988
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        15⤵
        
        PID:3024

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3692 --field-trial-handle=2244,i,11878111470816612087,2265290141962607370,262144 --variations-seed-version /prefetch:8
1⤵
PID:1620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe

Filesize
175KB

MD5
576410de51e63c3b5442540c8fdacbee

SHA1
8de673b679e0fee6e460cbf4f21ab728e41e0973

SHA256
3f00404dd591c2856e6f71bd78423ed47199902e0b85f228e6c4de72c59ddffe

SHA512
f7761f3878775b30cc3d756fa122e74548dfc0a27e38fa4109e34a59a009df333d074bf14a227549ae347605f271be47984c55148685faac479aeb481f7191db

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE

Filesize
183KB

MD5
9dfcdd1ab508b26917bb2461488d8605

SHA1
4ba6342bcf4942ade05fb12db83da89dc8c56a21

SHA256
ecd5e94da88c653e4c34b6ab325e0aca8824247b290336f75c410caa16381bc5

SHA512
1afc1b95f160333f1ff2fa14b3f22a28ae33850699c6b5498915a8b6bec1cfc40f33cb69583240aa9206bc2ea7ab14e05e071275b836502a92aa8c529fc1b137

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe

Filesize
131KB

MD5
5791075058b526842f4601c46abd59f5

SHA1
b2748f7542e2eebcd0353c3720d92bbffad8678f

SHA256
5c3ef3ec7594c040146e908014791dd15201ba58b4d70032770bb661b6a0e394

SHA512
83e303971ed64019fde9e4ba6f6e889f8fb105088490dfa7dcf579a12baff20ef491f563d132d60c7b24a4fd3cac29bd9dc974571cd162000fae8fba4e0e54fb

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE

Filesize
386KB

MD5
8c753d6448183dea5269445738486e01

SHA1
ebbbdc0022ca7487cd6294714cd3fbcb70923af9

SHA256
473eb551101caeaf2d18f811342e21de323c8dd19ed21011997716871defe997

SHA512
4f6fddefc42455540448eac0b693a4847e21b68467486376a4186776bfe137337733d3075b7b87ed7dac532478dc9afc63883607ec8205df3f155fee64c7a9be

Download Submit
C:\ProgramData\Synaptics\RCX3AA3.tmp

Filesize
753KB

MD5
24c43a46e3ce028d3487a991e3b5f202

SHA1
3e47a2fbcfc35f7ee787e59f5e7f578d5cb54d69

SHA256
a4d6976ec3d988f43d3960623a8513de6cc46ca54af289a7e827982a0dee3a2e

SHA512
8e17d67efb54e679115b6b0265be3b15e1dc09bfd648c20a54f2712b6915095364febaedd1ca713b87c365c3861b6e3668d31190395b9ab18bf47fb0d862deba

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe

Filesize
1.7MB

MD5
67fbe98e5782b545a840c12cf4c9f3db

SHA1
0bfaf468b95c34faa9e94524650f6b10ca2e0cc5

SHA256
aa060f6bf8d7572ec9f781629c70f0068bbb034e5e94596f7c9c603a0fb392a0

SHA512
66b39e78e8f67c058dd19b2ef3d136adb6f98de9f048892b7af7aaffeff337ed9e9f2371220c7e712699e653427f60ece91ad859ffecbad449d9a7e8926b9b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE

Filesize
940KB

MD5
be5502373b174cc60bf606200c5fc7be

SHA1
de9060f4fd57a875bca3768f04052018f5c3be9e

SHA256
f13b5b39d76a83081628a53d5e53eab04600cf542bc375191ebe322ab52b15d6

SHA512
8ffa51b7e18d447867fdd4d5288bc4633ad94da6eb52e61f455abfaffd77d55d45b5533f2adb36481d8873ef5cb44959460e43105e40bc6fc99f82a93b48691f

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE

Filesize
146KB

MD5
a006f909b0796ead9fb69b3ec0f8ea54

SHA1
b564d0eda3e9c25acdeda1ea0fff98b80c2f82cf

SHA256
4bfb8af9700edb5978c99f6d39f03424061d8a7f7cc34cc92eb0b81839f456a2

SHA512
649ef95b606f9ca16328e651686efd8a7cb0897e5ad0041629730c35a617c47396c014460e4ce50f597d0ca2a565c3bb66f7370106eb17fe3f62329916f6b342

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\._cache_41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe

Filesize
1.7MB

MD5
0b1682829f285e65ec1cca2663c91ebc

SHA1
3ea00c76951ff82d0d3d521490bde6b2b688b943

SHA256
8d98ea6e8805a668cf23cc6d74c0caf29671642cb9e764c939c4a56f6dc6e9f9

SHA512
ef4e1bb89d7a7169b7323e5ea2ae4e61b4ebbcab3d337a1b3bc0a4a035084aaa504e593ddb430b83fad2decb966688508e66fffb61d52892e5912b8b35745425

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\._cache__CACHE~1.EXE

Filesize
900KB

MD5
ff586f54c1196f80d8982f3826d049f7

SHA1
b401af3d06c3a37a260b53851a573332b9ac7e75

SHA256
ddceb6e5dff7a70c4f5d6df5b46ee207c624545049679004a012ceb49282be3e

SHA512
bf8bc03ffd386b1263306a6f75cb4fd404b3dda090e0fb8706a5fcdac239a9e7d1e76a83ccc5f741fc1e075c9fd2510a3b3ced20d7c59df9b6a9932b7ff894a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\._cache__CACHE~3.EXE

Filesize
105KB

MD5
89c5a593dcc807a5f846fce1708a4c1c

SHA1
ffbdda4bef05555404210e260c75eae8743e9333

SHA256
49c114e38ecd858ddad5cc6f9860f3d2eb80fb429758b4ecfc974e856fe6e377

SHA512
c1aa27a147cd95efc48bb3c08a011d83b5cf517fa3eb1d617ecb68da07c1780eff426073c7295f0964eb2fee1e6440b40b548ddfacc3a63d6f955fc39448b643

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe

Filesize
2.4MB

MD5
e31ba8bc807ae7b8330f824bc52f3104

SHA1
21a4824bd4914eac7349f323b80a7399b6e5c199

SHA256
f364c51d99d573d88ec469944e331f00709ea67bd98be30252d4522eacb4b496

SHA512
c20dcd03fdae62ecaa4a68398521dff37aadfdfe029c1efafd104301007330c5e81e349dfb7e845eefa9cc9e9cd4d5b015063e7b9d23b410f23a36ee96a0871f

Download Submit
C:\Windows\directx.sys

Filesize
57B

MD5
6b3bfceb3942a9508a2148acbee89007

SHA1
3622ac7466cc40f50515eb6fcdc15d1f34ad3be3

SHA256
e0a7bae2a9ac263cff5d725922e40272d8854278d901233a93a5267859c00a3c

SHA512
fa222bfcade636824af32124b45450c92b1abec7a33e6e647a9248eef5371c127d22ccb7cc5a096b4d5d52e2457f3841293a1b34304e8e5523549856ac02f224

Download Submit
C:\Windows\directx.sys

Filesize
57B

MD5
b42f2603883dadf133cee3ae5d767bb2

SHA1
dc4161551044405353e870b029afff27c8030e22

SHA256
998e1546bc98d29ffccb70e81ed00a01f3dbd3015e947d1aabca4cb01775ce28

SHA512
a4c33c9b87f84b4aba84ecf8b0b2d8a90703ef8523f1d057824196e584451072ab5bbc96e0c95a319baaffd16ba7a26f940fec2e28e9228e1275c87fb061c02d

Download Submit
C:\Windows\directx.sys

Filesize
57B

MD5
56abc40d1e45c091d8afddb90a4ce6b4

SHA1
08db549484467b32b79958700300cabefc659848

SHA256
a43fa861957415e3b0f25e2b54d931961cd309ff1d5354a9362852895b90b3e1

SHA512
51625c015a7c8fcf6fb51d3396aa08d2068772e3fcacaf32c409e82071af4ba1eb2ee94f36c06a98c32ba59d23bbaa6b540f7bd418a9472303cc225151daa698

Download Submit
C:\Windows\directx.sys

Filesize
65B

MD5
48666032bcbce70055a4b8477879c103

SHA1
080069095e146772bae92f4281c9a8245b4bce69

SHA256
4476a30a9745e1ce4ff339c4d4e3fea9be5dc2238e4b74f4106c24f14f3d88f4

SHA512
88488a7545aa2225864c3ccbeb41edeada19402131f34cae7d4981612efb868f7ba071dded738299e1a6dd9b081bcc43eb3921d6d6c3e453597a3f02af4b18b3

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
223dd32576ace5da898257671c5cdf36

SHA1
87474af22e6a24ef24de43d2e798c87bd986514c

SHA256
8d4dbd3013a493f904e0863bb55d910bbb640ef3bdc6fcbaf3c78e95fbdd5254

SHA512
aaef06b777e4b015af8843b2955af6fbc4c6c7a0630729737a76464d9a443cf673b5b583ae7cf2ea2333f81bd083cf104bb4da9add41a5da48bc4eb1bf0dbdc7

Download Submit
C:\odt\OFFICE~1.EXE

Filesize
5.1MB

MD5
02c3d242fe142b0eabec69211b34bc55

SHA1
ea0a4a6d6078b362f7b3a4ad1505ce49957dc16e

SHA256
2a1ed24be7e3859b46ec3ebc316789ead5f12055853f86a9656e04b4bb771842

SHA512
0efb08492eaaa2e923beddc21566e98fbbef3a102f9415ff310ec616f5c84fd2ba3a7025b05e01c0bdf37e5e2f64dfd845f9254a376144cc7d827e7577dbb099

Download Submit
memory/224-939-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/368-757-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/384-754-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/412-927-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/460-423-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/916-404-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/952-836-0x0000000000400000-0x00000000005AD000-memory.dmp

Filesize
1.7MB

Download
memory/972-642-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1340-855-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1340-658-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1344-488-0x0000000000400000-0x00000000005AD000-memory.dmp

Filesize
1.7MB

Download
memory/1352-932-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/1412-730-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/1500-611-0x0000000000400000-0x00000000005AD000-memory.dmp

Filesize
1.7MB

Download
memory/1564-562-0x0000000000400000-0x00000000005AD000-memory.dmp

Filesize
1.7MB

Download
memory/1576-202-0x0000000000400000-0x00000000005AD000-memory.dmp

Filesize
1.7MB

Download
memory/1580-817-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1620-379-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1732-487-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1752-645-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1752-489-0x0000000000400000-0x00000000005AD000-memory.dmp

Filesize
1.7MB

Download
memory/1784-755-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1868-553-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1912-478-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2108-966-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2144-477-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2152-305-0x0000000000400000-0x0000000000674000-memory.dmp

Filesize
2.5MB

Download
memory/2160-857-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2228-967-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2448-118-0x0000000000400000-0x0000000000674000-memory.dmp

Filesize
2.5MB

Download
memory/2448-14-0x0000000000980000-0x0000000000981000-memory.dmp

Filesize
4KB

Download
memory/2472-455-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/2752-753-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2848-856-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2876-223-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2884-767-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/2996-570-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3024-842-0x0000000000400000-0x00000000005AD000-memory.dmp

Filesize
1.7MB

Download
memory/3140-624-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3152-864-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3600-403-0x0000000000400000-0x00000000005AD000-memory.dmp

Filesize
1.7MB

Download
memory/3600-623-0x0000000000400000-0x00000000005AD000-memory.dmp

Filesize
1.7MB

Download
memory/3772-569-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3952-952-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4068-729-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4068-246-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4068-13-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4072-571-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4100-419-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4188-273-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4320-816-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4384-236-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4404-486-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4404-941-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4480-756-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4632-938-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4708-718-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/4728-643-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4772-244-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4788-388-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/4816-659-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4844-163-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4924-858-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/4924-476-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/5000-959-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads