Analysis Overview
SHA256
41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f
Threat Level: Known bad
The file 41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f was found to be: Known bad.
Malicious Activity Summary
Neshta family
Neshta
Detect Neshta payload
Loads dropped DLL
Modifies system executable filetype association
Checks computer location settings
Reads user/profile data of web browsers
Executes dropped EXE
Adds Run key to start application
Drops file in Windows directory
Drops file in Program Files directory
Enumerates physical storage devices
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Modifies registry class
Suspicious use of AdjustPrivilegeToken
Analysis: static1
Detonation Overview
Reported
2024-06-15 20:50
Signatures
Detect Neshta payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Neshta family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-15 20:50
Reported
2024-06-15 20:53
Platform
win7-20240611-en
Max time kernel
19s
Max time network
154s
Signatures
Detect Neshta payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Neshta
Executes dropped EXE
Loads dropped DLL
Modifies system executable filetype association
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" | C:\Users\Admin\AppData\Local\Temp\3582-490\_CCC23~1.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" | C:\Users\Admin\AppData\Local\Temp\3582-490\41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" | C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE | N/A |
Drops file in Program Files directory
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\svchost.com | C:\Users\Admin\AppData\Local\Temp\._cache__CCC23~1.EXE | N/A |
| File opened for modification | C:\Windows\svchost.com | C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE | N/A |
| File opened for modification | C:\Windows\directx.sys | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\Windows\directx.sys | C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe | N/A |
| File opened for modification | C:\Windows\directx.sys | C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE | N/A |
| File opened for modification | C:\Windows\svchost.com | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\Windows\directx.sys | C:\Users\Admin\AppData\Local\Temp\._cache__CCC23~1.EXE | N/A |
| File opened for modification | C:\Windows\directx.sys | C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE | N/A |
| File opened for modification | C:\Windows\svchost.com | C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe | N/A |
| File opened for modification | C:\Windows\svchost.com | C:\Users\Admin\AppData\Local\Temp\41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe | N/A |
| File opened for modification | C:\Windows\svchost.com | C:\Users\Admin\AppData\Local\Temp\._cache_41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe | N/A |
| File opened for modification | C:\Windows\svchost.com | C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE | N/A |
| File opened for modification | C:\Windows\svchost.com | C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE | N/A |
| File opened for modification | C:\Windows\directx.sys | C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE | N/A |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe
"C:\Users\Admin\AppData\Local\Temp\41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe"
C:\Users\Admin\AppData\Local\Temp\3582-490\41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe"
C:\Users\Admin\AppData\Local\Temp\._cache_41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe
"C:\Users\Admin\AppData\Local\Temp\._cache_41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe"
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
C:\ProgramData\Synaptics\Synaptics.exe
"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE"
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE"
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CCC23~1.EXE" InjUpdate
C:\Users\Admin\AppData\Local\Temp\3582-490\_CCC23~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CCC23~1.EXE InjUpdate
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE"
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE
C:\Users\Admin\AppData\Local\Temp\._cache__CCC23~1.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CCC23~1.EXE" InjUpdate
C:\ProgramData\Synaptics\Synaptics.exe
"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE" InjUpdate
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE InjUpdate
C:\ProgramData\Synaptics\Synaptics.exe
"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CCC23~1.EXE" InjUpdate
C:\Users\Admin\AppData\Local\Temp\3582-490\_CCC23~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CCC23~1.EXE InjUpdate
C:\ProgramData\Synaptics\Synaptics.exe
"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
C:\Users\Admin\AppData\Local\Temp\._cache__CCC23~1.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CCC23~1.EXE" InjUpdate
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate
C:\ProgramData\Synaptics\Synaptics.exe
"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE" InjUpdate
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CCC23~1.EXE" InjUpdate
C:\Users\Admin\AppData\Local\Temp\3582-490\_CCC23~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CCC23~1.EXE InjUpdate
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE InjUpdate
C:\ProgramData\Synaptics\Synaptics.exe
"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
C:\Users\Admin\AppData\Local\Temp\._cache__CCC23~1.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CCC23~1.EXE" InjUpdate
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE" InjUpdate
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE InjUpdate
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CCC23~1.EXE" InjUpdate
C:\Users\Admin\AppData\Local\Temp\3582-490\_CCC23~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CCC23~1.EXE InjUpdate
C:\ProgramData\Synaptics\Synaptics.exe
"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
C:\Users\Admin\AppData\Local\Temp\._cache__CCC23~1.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CCC23~1.EXE" InjUpdate
C:\ProgramData\Synaptics\Synaptics.exe
"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE" InjUpdate
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE InjUpdate
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\._cache_Synaptics.exe" InjUpdate
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\._cache_Synaptics.exe" InjUpdate
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | xred.mooo.com | udp |
| US | 8.8.8.8:53 | freedns.afraid.org | udp |
| US | 69.42.215.252:80 | freedns.afraid.org | tcp |
| US | 8.8.8.8:53 | docs.google.com | udp |
| GB | 142.250.200.14:443 | docs.google.com | tcp |
| US | 8.8.8.8:53 | drive.usercontent.google.com | udp |
| GB | 142.250.179.225:443 | drive.usercontent.google.com | tcp |
Files
\Users\Admin\AppData\Local\Temp\3582-490\41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe
C:\MSOCache\ALLUSE~1\{90140~1\dwtrig20.exe
\Users\Admin\AppData\Local\Temp\._cache_41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe
C:\Windows\svchost.com
C:\MSOCache\ALLUSE~1\{9A861~1\ose.exe
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
C:\MSOCache\ALLUSE~1\{90140~1\DW20.EXE
C:\MSOCache\ALLUSE~1\{9A861~1\setup.exe
\??\PIPE\srvsvc
\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
C:\Windows\directx.sys
\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE
C:\ProgramData\Synaptics\RCX7B29.tmp
C:\Users\Admin\AppData\Local\Temp\3582-490\._cache__CCC23~1.EXE
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-15 20:50
Reported
2024-06-15 20:53
Platform
win10v2004-20240226-en
Max time kernel
21s
Max time network
159s
Signatures
Detect Neshta payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Neshta
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\3582-490\41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\._cache_41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | C:\ProgramData\Synaptics\Synaptics.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3582-490\41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\._cache_41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe | N/A |
| N/A | N/A | C:\ProgramData\Synaptics\Synaptics.exe | N/A |
| N/A | N/A | C:\Windows\svchost.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe | N/A |
Modifies system executable filetype association
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" | C:\Users\Admin\AppData\Local\Temp\3582-490\41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\svchost.com | C:\Users\Admin\AppData\Local\Temp\41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe | N/A |
| File opened for modification | C:\Windows\directx.sys | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\Windows\directx.sys | C:\Users\Admin\AppData\Local\Temp\._cache_41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe | N/A |
| File opened for modification | C:\Windows\svchost.com | C:\Users\Admin\AppData\Local\Temp\._cache_41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe | N/A |
| File opened for modification | C:\Windows\svchost.com | C:\Windows\svchost.com | N/A |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Users\Admin\AppData\Local\Temp\3582-490\41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\._cache_41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\ProgramData\Synaptics\Synaptics.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe
"C:\Users\Admin\AppData\Local\Temp\41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe"
C:\Users\Admin\AppData\Local\Temp\3582-490\41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe"
C:\Users\Admin\AppData\Local\Temp\._cache_41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe
"C:\Users\Admin\AppData\Local\Temp\._cache_41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe"
C:\ProgramData\Synaptics\Synaptics.exe
"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE"
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE" InjUpdate
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE"
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE InjUpdate
C:\ProgramData\Synaptics\Synaptics.exe
"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE"
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE" InjUpdate
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
C:\ProgramData\Synaptics\Synaptics.exe
"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\._cache__CACHE~1.EXE" InjUpdate
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate
C:\ProgramData\Synaptics\Synaptics.exe
"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE" InjUpdate
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE InjUpdate
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE" InjUpdate
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE" InjUpdate
C:\ProgramData\Synaptics\Synaptics.exe
"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE InjUpdate
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE" InjUpdate
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE InjUpdate
C:\ProgramData\Synaptics\Synaptics.exe
"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE" InjUpdate
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE" InjUpdate
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE" InjUpdate
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE" InjUpdate
C:\ProgramData\Synaptics\Synaptics.exe
"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE" InjUpdate
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE InjUpdate
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE InjUpdate
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE InjUpdate
C:\ProgramData\Synaptics\Synaptics.exe
"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE" InjUpdate
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE" InjUpdate
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE" InjUpdate
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE" InjUpdate
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE InjUpdate
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE InjUpdate
C:\ProgramData\Synaptics\Synaptics.exe
"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
C:\ProgramData\Synaptics\Synaptics.exe
"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE" InjUpdate
C:\ProgramData\Synaptics\Synaptics.exe
"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE" InjUpdate
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE InjUpdate
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate
C:\ProgramData\Synaptics\Synaptics.exe
"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE" InjUpdate
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE InjUpdate
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate
C:\ProgramData\Synaptics\Synaptics.exe
"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE" InjUpdate
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE InjUpdate
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE" InjUpdate
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\._cache_Synaptics.exe" InjUpdate
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE" InjUpdate
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE InjUpdate
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE" InjUpdate
C:\ProgramData\Synaptics\Synaptics.exe
"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE" InjUpdate
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE InjUpdate
C:\ProgramData\Synaptics\Synaptics.exe
"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3692 --field-trial-handle=2244,i,11878111470816612087,2265290141962607370,262144 --variations-seed-version /prefetch:8
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE" InjUpdate
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE" InjUpdate
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE InjUpdate
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE" InjUpdate
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
C:\ProgramData\Synaptics\Synaptics.exe
"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE" InjUpdate
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE InjUpdate
C:\ProgramData\Synaptics\Synaptics.exe
"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE" InjUpdate
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE InjUpdate
C:\ProgramData\Synaptics\Synaptics.exe
"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE" InjUpdate
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\._cache__CACHE~1.EXE" InjUpdate
C:\ProgramData\Synaptics\Synaptics.exe
"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate
C:\ProgramData\Synaptics\Synaptics.exe
"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE" InjUpdate
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE InjUpdate
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE" InjUpdate
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE InjUpdate
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
C:\ProgramData\Synaptics\Synaptics.exe
"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE" InjUpdate
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE InjUpdate
C:\ProgramData\Synaptics\Synaptics.exe
"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
C:\ProgramData\Synaptics\Synaptics.exe
"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE" InjUpdate
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE InjUpdate
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE" InjUpdate
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE InjUpdate
C:\ProgramData\Synaptics\Synaptics.exe
"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE" InjUpdate
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE InjUpdate
C:\ProgramData\Synaptics\Synaptics.exe
"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE" InjUpdate
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE" InjUpdate
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE" InjUpdate
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE" InjUpdate
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE" InjUpdate
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE" InjUpdate
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE" InjUpdate
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE InjUpdate
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE" InjUpdate
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE" InjUpdate
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE InjUpdate
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE InjUpdate
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE" InjUpdate
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE InjUpdate
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE" InjUpdate
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE InjUpdate
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE" InjUpdate
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE InjUpdate
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE" InjUpdate
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE" InjUpdate
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE" InjUpdate
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE" InjUpdate
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE" InjUpdate
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE" InjUpdate
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate
Network
| Country | Destination | Domain | Proto |
| GB | 216.58.201.106:443 | | tcp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\3582-490\41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe
| MD5 | e31ba8bc807ae7b8330f824bc52f3104 |
| SHA1 | 21a4824bd4914eac7349f323b80a7399b6e5c199 |
| SHA256 | f364c51d99d573d88ec469944e331f00709ea67bd98be30252d4522eacb4b496 |
| SHA512 | c20dcd03fdae62ecaa4a68398521dff37aadfdfe029c1efafd104301007330c5e81e349dfb7e845eefa9cc9e9cd4d5b015063e7b9d23b410f23a36ee96a0871f |
memory/4068-13-0x0000000000400000-0x000000000041B000-memory.dmp
memory/2448-14-0x0000000000980000-0x0000000000981000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\._cache_41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe
| MD5 | 67fbe98e5782b545a840c12cf4c9f3db |
| SHA1 | 0bfaf468b95c34faa9e94524650f6b10ca2e0cc5 |
| SHA256 | aa060f6bf8d7572ec9f781629c70f0068bbb034e5e94596f7c9c603a0fb392a0 |
| SHA512 | 66b39e78e8f67c058dd19b2ef3d136adb6f98de9f048892b7af7aaffeff337ed9e9f2371220c7e712699e653427f60ece91ad859ffecbad449d9a7e8926b9b04 |
memory/2448-118-0x0000000000400000-0x0000000000674000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\3582-490\._cache_41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe
| MD5 | 0b1682829f285e65ec1cca2663c91ebc |
| SHA1 | 3ea00c76951ff82d0d3d521490bde6b2b688b943 |
| SHA256 | 8d98ea6e8805a668cf23cc6d74c0caf29671642cb9e764c939c4a56f6dc6e9f9 |
| SHA512 | ef4e1bb89d7a7169b7323e5ea2ae4e61b4ebbcab3d337a1b3bc0a4a035084aaa504e593ddb430b83fad2decb966688508e66fffb61d52892e5912b8b35745425 |
C:\Windows\svchost.com
| MD5 | 223dd32576ace5da898257671c5cdf36 |
| SHA1 | 87474af22e6a24ef24de43d2e798c87bd986514c |
| SHA256 | 8d4dbd3013a493f904e0863bb55d910bbb640ef3bdc6fcbaf3c78e95fbdd5254 |
| SHA512 | aaef06b777e4b015af8843b2955af6fbc4c6c7a0630729737a76464d9a443cf673b5b583ae7cf2ea2333f81bd083cf104bb4da9add41a5da48bc4eb1bf0dbdc7 |
C:\odt\OFFICE~1.EXE
| MD5 | 02c3d242fe142b0eabec69211b34bc55 |
| SHA1 | ea0a4a6d6078b362f7b3a4ad1505ce49957dc16e |
| SHA256 | 2a1ed24be7e3859b46ec3ebc316789ead5f12055853f86a9656e04b4bb771842 |
| SHA512 | 0efb08492eaaa2e923beddc21566e98fbbef3a102f9415ff310ec616f5c84fd2ba3a7025b05e01c0bdf37e5e2f64dfd845f9254a376144cc7d827e7577dbb099 |
C:\Windows\directx.sys
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/4844-163-0x0000000000400000-0x000000000041B000-memory.dmp
memory/1576-202-0x0000000000400000-0x00000000005AD000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
| MD5 | be5502373b174cc60bf606200c5fc7be |
| SHA1 | de9060f4fd57a875bca3768f04052018f5c3be9e |
| SHA256 | f13b5b39d76a83081628a53d5e53eab04600cf542bc375191ebe322ab52b15d6 |
| SHA512 | 8ffa51b7e18d447867fdd4d5288bc4633ad94da6eb52e61f455abfaffd77d55d45b5533f2adb36481d8873ef5cb44959460e43105e40bc6fc99f82a93b48691f |
C:\Windows\directx.sys
| MD5 | 6b3bfceb3942a9508a2148acbee89007 |
| SHA1 | 3622ac7466cc40f50515eb6fcdc15d1f34ad3be3 |
| SHA256 | e0a7bae2a9ac263cff5d725922e40272d8854278d901233a93a5267859c00a3c |
| SHA512 | fa222bfcade636824af32124b45450c92b1abec7a33e6e647a9248eef5371c127d22ccb7cc5a096b4d5d52e2457f3841293a1b34304e8e5523549856ac02f224 |
memory/2876-223-0x0000000000400000-0x000000000041B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\3582-490\._cache__CACHE~1.EXE
| MD5 | ff586f54c1196f80d8982f3826d049f7 |
| SHA1 | b401af3d06c3a37a260b53851a573332b9ac7e75 |
| SHA256 | ddceb6e5dff7a70c4f5d6df5b46ee207c624545049679004a012ceb49282be3e |
| SHA512 | bf8bc03ffd386b1263306a6f75cb4fd404b3dda090e0fb8706a5fcdac239a9e7d1e76a83ccc5f741fc1e075c9fd2510a3b3ced20d7c59df9b6a9932b7ff894a7 |
memory/4384-236-0x0000000000400000-0x000000000041B000-memory.dmp
memory/4772-244-0x0000000000400000-0x000000000041B000-memory.dmp
C:\Windows\directx.sys
| MD5 | b42f2603883dadf133cee3ae5d767bb2 |
| SHA1 | dc4161551044405353e870b029afff27c8030e22 |
| SHA256 | 998e1546bc98d29ffccb70e81ed00a01f3dbd3015e947d1aabca4cb01775ce28 |
| SHA512 | a4c33c9b87f84b4aba84ecf8b0b2d8a90703ef8523f1d057824196e584451072ab5bbc96e0c95a319baaffd16ba7a26f940fec2e28e9228e1275c87fb061c02d |
memory/4068-246-0x0000000000400000-0x000000000041B000-memory.dmp
memory/4188-273-0x0000000000400000-0x000000000041B000-memory.dmp
memory/2152-305-0x0000000000400000-0x0000000000674000-memory.dmp
memory/4788-388-0x0000000000400000-0x00000000004E7000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE
| MD5 | a006f909b0796ead9fb69b3ec0f8ea54 |
| SHA1 | b564d0eda3e9c25acdeda1ea0fff98b80c2f82cf |
| SHA256 | 4bfb8af9700edb5978c99f6d39f03424061d8a7f7cc34cc92eb0b81839f456a2 |
| SHA512 | 649ef95b606f9ca16328e651686efd8a7cb0897e5ad0041629730c35a617c47396c014460e4ce50f597d0ca2a565c3bb66f7370106eb17fe3f62329916f6b342 |
C:\Windows\directx.sys
| MD5 | 56abc40d1e45c091d8afddb90a4ce6b4 |
| SHA1 | 08db549484467b32b79958700300cabefc659848 |
| SHA256 | a43fa861957415e3b0f25e2b54d931961cd309ff1d5354a9362852895b90b3e1 |
| SHA512 | 51625c015a7c8fcf6fb51d3396aa08d2068772e3fcacaf32c409e82071af4ba1eb2ee94f36c06a98c32ba59d23bbaa6b540f7bd418a9472303cc225151daa698 |
memory/1620-379-0x0000000000400000-0x000000000041B000-memory.dmp
memory/3600-403-0x0000000000400000-0x00000000005AD000-memory.dmp
memory/916-404-0x0000000000400000-0x000000000041B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\3582-490\._cache__CACHE~3.EXE
| MD5 | 89c5a593dcc807a5f846fce1708a4c1c |
| SHA1 | ffbdda4bef05555404210e260c75eae8743e9333 |
| SHA256 | 49c114e38ecd858ddad5cc6f9860f3d2eb80fb429758b4ecfc974e856fe6e377 |
| SHA512 | c1aa27a147cd95efc48bb3c08a011d83b5cf517fa3eb1d617ecb68da07c1780eff426073c7295f0964eb2fee1e6440b40b548ddfacc3a63d6f955fc39448b643 |
memory/4100-419-0x0000000000400000-0x000000000041B000-memory.dmp
memory/460-423-0x0000000000400000-0x000000000041B000-memory.dmp
C:\ProgramData\Synaptics\RCX3AA3.tmp
| MD5 | 24c43a46e3ce028d3487a991e3b5f202 |
| SHA1 | 3e47a2fbcfc35f7ee787e59f5e7f578d5cb54d69 |
| SHA256 | a4d6976ec3d988f43d3960623a8513de6cc46ca54af289a7e827982a0dee3a2e |
| SHA512 | 8e17d67efb54e679115b6b0265be3b15e1dc09bfd648c20a54f2712b6915095364febaedd1ca713b87c365c3861b6e3668d31190395b9ab18bf47fb0d862deba |
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe
| MD5 | 576410de51e63c3b5442540c8fdacbee |
| SHA1 | 8de673b679e0fee6e460cbf4f21ab728e41e0973 |
| SHA256 | 3f00404dd591c2856e6f71bd78423ed47199902e0b85f228e6c4de72c59ddffe |
| SHA512 | f7761f3878775b30cc3d756fa122e74548dfc0a27e38fa4109e34a59a009df333d074bf14a227549ae347605f271be47984c55148685faac479aeb481f7191db |
C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe
| MD5 | 5791075058b526842f4601c46abd59f5 |
| SHA1 | b2748f7542e2eebcd0353c3720d92bbffad8678f |
| SHA256 | 5c3ef3ec7594c040146e908014791dd15201ba58b4d70032770bb661b6a0e394 |
| SHA512 | 83e303971ed64019fde9e4ba6f6e889f8fb105088490dfa7dcf579a12baff20ef491f563d132d60c7b24a4fd3cac29bd9dc974571cd162000fae8fba4e0e54fb |
C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE
| MD5 | 8c753d6448183dea5269445738486e01 |
| SHA1 | ebbbdc0022ca7487cd6294714cd3fbcb70923af9 |
| SHA256 | 473eb551101caeaf2d18f811342e21de323c8dd19ed21011997716871defe997 |
| SHA512 | 4f6fddefc42455540448eac0b693a4847e21b68467486376a4186776bfe137337733d3075b7b87ed7dac532478dc9afc63883607ec8205df3f155fee64c7a9be |
C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE
| MD5 | 9dfcdd1ab508b26917bb2461488d8605 |
| SHA1 | 4ba6342bcf4942ade05fb12db83da89dc8c56a21 |
| SHA256 | ecd5e94da88c653e4c34b6ab325e0aca8824247b290336f75c410caa16381bc5 |
| SHA512 | 1afc1b95f160333f1ff2fa14b3f22a28ae33850699c6b5498915a8b6bec1cfc40f33cb69583240aa9206bc2ea7ab14e05e071275b836502a92aa8c529fc1b137 |
C:\Windows\directx.sys
| MD5 | 48666032bcbce70055a4b8477879c103 |
| SHA1 | 080069095e146772bae92f4281c9a8245b4bce69 |
| SHA256 | 4476a30a9745e1ce4ff339c4d4e3fea9be5dc2238e4b74f4106c24f14f3d88f4 |
| SHA512 | 88488a7545aa2225864c3ccbeb41edeada19402131f34cae7d4981612efb868f7ba071dded738299e1a6dd9b081bcc43eb3921d6d6c3e453597a3f02af4b18b3 |
memory/2472-455-0x0000000000400000-0x00000000004E7000-memory.dmp
memory/1912-478-0x0000000000400000-0x000000000041B000-memory.dmp
memory/2144-477-0x0000000000400000-0x000000000041B000-memory.dmp
memory/4924-476-0x0000000000400000-0x000000000041B000-memory.dmp
memory/4404-486-0x0000000000400000-0x000000000041B000-memory.dmp
memory/1732-487-0x0000000000400000-0x000000000041B000-memory.dmp
memory/1344-488-0x0000000000400000-0x00000000005AD000-memory.dmp
memory/1752-489-0x0000000000400000-0x00000000005AD000-memory.dmp
memory/1564-562-0x0000000000400000-0x00000000005AD000-memory.dmp
memory/2996-570-0x0000000000400000-0x000000000041B000-memory.dmp
memory/3772-569-0x0000000000400000-0x000000000041B000-memory.dmp
memory/1868-553-0x0000000000400000-0x000000000041B000-memory.dmp
memory/4072-571-0x0000000000400000-0x000000000041B000-memory.dmp
memory/1500-611-0x0000000000400000-0x00000000005AD000-memory.dmp
memory/3600-623-0x0000000000400000-0x00000000005AD000-memory.dmp
memory/3140-624-0x0000000000400000-0x000000000041B000-memory.dmp
memory/972-642-0x0000000000400000-0x000000000041B000-memory.dmp
memory/4728-643-0x0000000000400000-0x000000000041B000-memory.dmp
memory/1752-645-0x0000000000400000-0x000000000041B000-memory.dmp
memory/1340-658-0x0000000000400000-0x000000000041B000-memory.dmp
memory/4816-659-0x0000000000400000-0x000000000041B000-memory.dmp
memory/4708-718-0x0000000000400000-0x00000000004E7000-memory.dmp
memory/4068-729-0x0000000000400000-0x000000000041B000-memory.dmp
memory/1412-730-0x0000000000400000-0x00000000004E7000-memory.dmp
memory/384-754-0x0000000000400000-0x00000000004E7000-memory.dmp
memory/1784-755-0x0000000000400000-0x000000000041B000-memory.dmp
memory/2752-753-0x0000000000400000-0x000000000041B000-memory.dmp
memory/4480-756-0x0000000000400000-0x000000000041B000-memory.dmp
memory/368-757-0x0000000000400000-0x000000000041B000-memory.dmp
memory/2884-767-0x0000000000400000-0x00000000004E7000-memory.dmp
memory/4320-816-0x0000000000400000-0x000000000041B000-memory.dmp
memory/1580-817-0x0000000000400000-0x000000000041B000-memory.dmp
memory/952-836-0x0000000000400000-0x00000000005AD000-memory.dmp
memory/3024-842-0x0000000000400000-0x00000000005AD000-memory.dmp
memory/2160-857-0x0000000000400000-0x000000000041B000-memory.dmp
memory/2848-856-0x0000000000400000-0x000000000041B000-memory.dmp
memory/1340-855-0x0000000000400000-0x000000000041B000-memory.dmp
memory/4924-858-0x0000000000400000-0x00000000004E7000-memory.dmp
memory/3152-864-0x0000000000400000-0x000000000041B000-memory.dmp
memory/412-927-0x0000000000400000-0x00000000004E7000-memory.dmp
memory/1352-932-0x0000000000400000-0x00000000004E7000-memory.dmp
memory/4632-938-0x0000000000400000-0x000000000041B000-memory.dmp
memory/224-939-0x0000000000400000-0x000000000041B000-memory.dmp
memory/4404-941-0x0000000000400000-0x000000000041B000-memory.dmp
memory/3952-952-0x0000000000400000-0x000000000041B000-memory.dmp
memory/5000-959-0x0000000000400000-0x000000000041B000-memory.dmp
memory/2108-966-0x0000000000400000-0x000000000041B000-memory.dmp
memory/2228-967-0x0000000000400000-0x000000000041B000-memory.dmp
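The listing above mixes three kinds of records: a dropped-file path followed by a two-column hash table, and `memory/<pid>-<seq>-<start>-<end>-memory.dmp` dump names. Before any of it goes into a blocklist or a hunt, two things are worth checking mechanically. First, one `C:\Windows\directx.sys` entry carries the MD5/SHA-1/SHA-256/SHA-512 of empty input (d41d8cd9…, da39a3ee…, e3b0c442…, cf83e135…), so those values are useless as indicators. Second, every dump is mapped at base 0x400000 but with only four distinct end addresses, which is the quick way to see how many different PE images were actually executing. The parser below is an added example, not part of the original report or of any sandbox's code: it turns an excerpt of this listing (copied from the page, not fabricated) into structured records, flags empty-file hash sets, histograms dump-region sizes, and marks the three paths that public Neshta analyses describe as the infector's own artifacts (`%SystemRoot%\svchost.com`, `%SystemRoot%\directx.sys`, and the `3582-490` temp directory that holds the original executables). The marker list and the function names are this example's own choices.

```python
"""Parse a sandbox dropped-files / memory-dump listing into usable IOCs."""
import hashlib
import re
from dataclasses import dataclass, field

# Digests of empty input: a dropped file carrying these is zero bytes long.
EMPTY_HASHES = {
    "MD5": hashlib.md5(b"").hexdigest(),
    "SHA1": hashlib.sha1(b"").hexdigest(),
    "SHA256": hashlib.sha256(b"").hexdigest(),
    "SHA512": hashlib.sha512(b"").hexdigest(),
}

# Path fragments that public Neshta write-ups attribute to the infector itself
# (assumed marker list for this example; case-insensitive substring match).
NESHTA_PATH_MARKERS = ("\\windows\\svchost.com", "\\windows\\directx.sys", "\\3582-490\\")

HASH_ROW = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")
MEM_LINE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
PATH_LINE = re.compile(r"^[A-Za-z]:\\")


@dataclass
class DroppedFile:
    path: str
    hashes: dict = field(default_factory=dict)

    @property
    def is_empty(self) -> bool:
        # Every algorithm the report lists must agree that the content was empty.
        return bool(self.hashes) and all(v == EMPTY_HASHES[a] for a, v in self.hashes.items())

    @property
    def neshta_marker(self) -> bool:
        p = self.path.lower()
        return any(m in p for m in NESHTA_PATH_MARKERS)


@dataclass
class MemoryDump:
    pid: int
    seq: int
    start: int
    end: int

    @property
    def size(self) -> int:
        return self.end - self.start


def parse_listing(text: str):
    """Return (dropped files, memory dumps) from a listing in the report's format."""
    files, dumps, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MEM_LINE.match(line)
        if m:
            pid, seq, start, end = m.groups()
            dumps.append(MemoryDump(int(pid), int(seq), int(start, 16), int(end, 16)))
            current = None          # a dump line closes the current hash table
            continue
        m = HASH_ROW.match(line)
        if m and current is not None:
            current.hashes[m.group(1)] = m.group(2).lower()
            continue
        if PATH_LINE.match(line):
            current = DroppedFile(line)
            files.append(current)
    return files, dumps


def region_sizes(dumps):
    """Histogram of dump sizes; distinct sizes at one base usually mean distinct PE images."""
    hist = {}
    for d in dumps:
        hist[d.size] = hist.get(d.size, 0) + 1
    return hist


def blocklist_hashes(files, algo="SHA256"):
    """Digests worth blocking: drop empty files and files the report lists without that algorithm."""
    return sorted({f.hashes[algo] for f in files if algo in f.hashes and not f.is_empty})


# Excerpt of the listing above (real lines from this report, trimmed to a few entries).
SAMPLE = r"""
C:\Windows\svchost.com
| MD5 | 223dd32576ace5da898257671c5cdf36 |
| SHA1 | 87474af22e6a24ef24de43d2e798c87bd986514c |
| SHA256 | 8d4dbd3013a493f904e0863bb55d910bbb640ef3bdc6fcbaf3c78e95fbdd5254 |
C:\Windows\directx.sys
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
C:\odt\OFFICE~1.EXE
| MD5 | 02c3d242fe142b0eabec69211b34bc55 |
| SHA256 | 2a1ed24be7e3859b46ec3ebc316789ead5f12055853f86a9656e04b4bb771842 |
memory/4844-163-0x0000000000400000-0x000000000041B000-memory.dmp
memory/1576-202-0x0000000000400000-0x00000000005AD000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\3582-490\._cache__CACHE~1.EXE
| MD5 | ff586f54c1196f80d8982f3826d049f7 |
| SHA256 | ddceb6e5dff7a70c4f5d6df5b46ee207c624545049679004a012ceb49282be3e |
memory/4384-236-0x0000000000400000-0x000000000041B000-memory.dmp
"""

if __name__ == "__main__":
    files, dumps = parse_listing(SAMPLE)
    for f in files:
        print(f"{f.path}  empty={f.is_empty}  neshta_path={f.neshta_marker}")
    print("dump sizes:", {hex(k): v for k, v in region_sizes(dumps).items()})
    print("blocklist SHA256:", blocklist_hashes(files))
```

Run against the full listing, `region_sizes` collapses the dozens of `memory/` lines to four sizes (0x1B000, 0xE7000, 0x1AD000, 0x274000), and `blocklist_hashes` silently drops the empty `directx.sys` entry while keeping the other `directx.sys` versions, which do carry real content.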