Malware Analysis Report

2024-09-11 00:55

Sample ID 240615-zmzhdaxflq
Target 41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f
SHA256 41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f
Tags
neshta persistence spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f

Threat Level: Known bad

The file 41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f was found to be: Known bad.

Malicious Activity Summary

neshta persistence spyware stealer

Neshta family

Neshta

Detect Neshta payload

Loads dropped DLL

Modifies system executable filetype association

Checks computer location settings

Reads user/profile data of web browsers

Executes dropped EXE

Adds Run key to start application

Drops file in Windows directory

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Modifies registry class

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-15 20:50

Signatures

Detect Neshta payload

Description Indicator Process Target
N/A N/A N/A N/A

Neshta family

neshta

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-15 20:50

Reported

2024-06-15 20:53

Platform

win7-20240611-en

Max time kernel

19s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe"

Signatures

Detect Neshta payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Neshta

persistence spyware neshta

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE N/A
N/A N/A C:\ProgramData\Synaptics\Synaptics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CCC23~1.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache__CCC23~1.EXE N/A
N/A N/A C:\ProgramData\Synaptics\Synaptics.exe N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE N/A
N/A N/A C:\ProgramData\Synaptics\Synaptics.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CCC23~1.EXE N/A
N/A N/A C:\ProgramData\Synaptics\Synaptics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache__CCC23~1.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\ProgramData\Synaptics\Synaptics.exe N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CCC23~1.EXE N/A
N/A N/A C:\ProgramData\Synaptics\Synaptics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache__CCC23~1.EXE N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CCC23~1.EXE N/A
N/A N/A C:\ProgramData\Synaptics\Synaptics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache__CCC23~1.EXE N/A
N/A N/A C:\ProgramData\Synaptics\Synaptics.exe N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Windows\svchost.com N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe N/A
N/A N/A C:\ProgramData\Synaptics\Synaptics.exe N/A
N/A N/A C:\ProgramData\Synaptics\Synaptics.exe N/A
N/A N/A C:\ProgramData\Synaptics\Synaptics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CCC23~1.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CCC23~1.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CCC23~1.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe N/A
N/A N/A C:\ProgramData\Synaptics\Synaptics.exe N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CCC23~1.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe N/A
N/A N/A C:\ProgramData\Synaptics\Synaptics.exe N/A
N/A N/A C:\ProgramData\Synaptics\Synaptics.exe N/A
N/A N/A C:\ProgramData\Synaptics\Synaptics.exe N/A
N/A N/A C:\ProgramData\Synaptics\Synaptics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\ProgramData\Synaptics\Synaptics.exe N/A
N/A N/A C:\ProgramData\Synaptics\Synaptics.exe N/A
N/A N/A C:\ProgramData\Synaptics\Synaptics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CCC23~1.EXE N/A
N/A N/A C:\ProgramData\Synaptics\Synaptics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CCC23~1.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CCC23~1.EXE N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" C:\Users\Admin\AppData\Local\Temp\3582-490\_CCC23~1.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" C:\Users\Admin\AppData\Local\Temp\3582-490\41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" C:\Users\Admin\AppData\Local\Temp\3582-490\_CCC23~1.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" C:\Users\Admin\AppData\Local\Temp\3582-490\_CCC23~1.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" C:\Users\Admin\AppData\Local\Temp\3582-490\_CCC23~1.EXE N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\SETUPF~1\{AC76B~1\Setup.exe C:\Users\Admin\AppData\Local\Temp\41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\EQUATION\EQNEDT32.EXE C:\Users\Admin\AppData\Local\Temp\41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\ink\mip.exe C:\Users\Admin\AppData\Local\Temp\._cache_41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~1\wab.exe C:\Users\Admin\AppData\Local\Temp\41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE C:\Users\Admin\AppData\Local\Temp\._cache_41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\DISABL~1.EXE C:\Users\Admin\AppData\Local\Temp\._cache_41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\ieinstal.exe C:\Users\Admin\AppData\Local\Temp\._cache_41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~1\wab.exe C:\Users\Admin\AppData\Local\Temp\._cache_41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE C:\Users\Admin\AppData\Local\Temp\._cache_41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE C:\Users\Admin\AppData\Local\Temp\._cache_41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE C:\Users\Admin\AppData\Local\Temp\._cache_41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\ACCICONS.EXE C:\Users\Admin\AppData\Local\Temp\._cache_41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE C:\Users\Admin\AppData\Local\Temp\._cache_41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOF5E2~1.EXE C:\Users\Admin\AppData\Local\Temp\._cache_41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\WORDICON.EXE C:\Users\Admin\AppData\Local\Temp\._cache_41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\XLICONS.EXE C:\Users\Admin\AppData\Local\Temp\41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE C:\Users\Admin\AppData\Local\Temp\._cache_41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\._cache_41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE C:\Users\Admin\AppData\Local\Temp\._cache_41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe N/A
File opened for modification C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE C:\Users\Admin\AppData\Local\Temp\._cache_41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\WMPDMC.exe C:\Users\Admin\AppData\Local\Temp\41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\wmpconfig.exe C:\Users\Admin\AppData\Local\Temp\._cache_41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\wmlaunch.exe C:\Users\Admin\AppData\Local\Temp\41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\TextConv\WksConv\Wkconv.exe C:\Users\Admin\AppData\Local\Temp\41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~2.EXE C:\Users\Admin\AppData\Local\Temp\._cache_41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\PPTICO.EXE C:\Users\Admin\AppData\Local\Temp\41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\WINWORD.EXE C:\Users\Admin\AppData\Local\Temp\._cache_41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~1\wabmig.exe C:\Users\Admin\AppData\Local\Temp\._cache_41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\setup_wm.exe C:\Users\Admin\AppData\Local\Temp\41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\wmlaunch.exe C:\Users\Admin\AppData\Local\Temp\._cache_41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\ImagingDevices.exe C:\Users\Admin\AppData\Local\Temp\._cache_41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\SETUPF~1\{AC76B~1\Setup.exe C:\Users\Admin\AppData\Local\Temp\._cache_41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE C:\Users\Admin\AppData\Local\Temp\._cache_41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\ODeploy.exe C:\Users\Admin\AppData\Local\Temp\._cache_41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\setup_wm.exe C:\Users\Admin\AppData\Local\Temp\._cache_41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\wmpshare.exe C:\Users\Admin\AppData\Local\Temp\41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE C:\Users\Admin\AppData\Local\Temp\._cache_41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\ielowutil.exe C:\Users\Admin\AppData\Local\Temp\._cache_41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\IECONT~1.EXE C:\Users\Admin\AppData\Local\Temp\41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\misc.exe C:\Users\Admin\AppData\Local\Temp\._cache_41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE C:\Users\Admin\AppData\Local\Temp\41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\SOURCE~1\OSE.EXE C:\Users\Admin\AppData\Local\Temp\._cache_41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXE C:\Users\Admin\AppData\Local\Temp\._cache_41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE C:\Users\Admin\AppData\Local\Temp\._cache_41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE C:\Users\Admin\AppData\Local\Temp\._cache_41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe N/A
File opened for modification C:\PROGRA~2\WI4223~1\sidebar.exe C:\Users\Admin\AppData\Local\Temp\._cache_41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe N/A
File opened for modification C:\PROGRA~3\SYNAPT~1\SYNAPT~1.EXE C:\Users\Admin\AppData\Local\Temp\._cache_41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\WMPDMC.exe C:\Users\Admin\AppData\Local\Temp\._cache_41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe N/A
File opened for modification C:\PROGRA~2\WI4223~1\sidebar.exe C:\Users\Admin\AppData\Local\Temp\41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXE C:\Users\Admin\AppData\Local\Temp\41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE C:\Users\Admin\AppData\Local\Temp\._cache_41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~1.EXE C:\Users\Admin\AppData\Local\Temp\._cache_41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSTORE.EXE C:\Users\Admin\AppData\Local\Temp\41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\1033\ONELEV.EXE C:\Users\Admin\AppData\Local\Temp\._cache_41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXE C:\Users\Admin\AppData\Local\Temp\41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\VPREVIEW.EXE C:\Users\Admin\AppData\Local\Temp\41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\SOURCE~1\OSE.EXE C:\Users\Admin\AppData\Local\Temp\41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\iexplore.exe C:\Users\Admin\AppData\Local\Temp\._cache_41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\1033\ONELEV.EXE C:\Users\Admin\AppData\Local\Temp\41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSTORE.EXE C:\Users\Admin\AppData\Local\Temp\._cache_41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe C:\Users\Admin\AppData\Local\Temp\._cache_41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\GROOVEMN.EXE C:\Users\Admin\AppData\Local\Temp\41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE C:\Users\Admin\AppData\Local\Temp\._cache_41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\._cache__CCC23~1.EXE N/A
File opened for modification C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE N/A
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A
File opened for modification C:\Windows\directx.sys C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A
File opened for modification C:\Windows\directx.sys C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE N/A
File opened for modification C:\Windows\svchost.com C:\Windows\svchost.com N/A
File opened for modification C:\Windows\directx.sys C:\Users\Admin\AppData\Local\Temp\._cache__CCC23~1.EXE N/A
File opened for modification C:\Windows\directx.sys C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE N/A
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A
File opened for modification C:\Windows\svchost.com C:\Windows\svchost.com N/A
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A
File opened for modification C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A
File opened for modification C:\Windows\directx.sys C:\Users\Admin\AppData\Local\Temp\._cache__CCC23~1.EXE N/A
File opened for modification C:\Windows\svchost.com C:\Windows\svchost.com N/A
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A
File opened for modification C:\Windows\directx.sys C:\Users\Admin\AppData\Local\Temp\._cache__CCC23~1.EXE N/A
File opened for modification C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A
File opened for modification C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\._cache__CCC23~1.EXE N/A
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A
File opened for modification C:\Windows\svchost.com C:\Windows\svchost.com N/A
File opened for modification C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe N/A
File opened for modification C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
File opened for modification C:\Windows\directx.sys C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE N/A
File opened for modification C:\Windows\svchost.com C:\Windows\svchost.com N/A
File opened for modification C:\Windows\svchost.com C:\Windows\svchost.com N/A
File opened for modification C:\Windows\directx.sys C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
File opened for modification C:\Windows\svchost.com C:\Windows\svchost.com N/A
File opened for modification C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\._cache_41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe N/A
File opened for modification C:\Windows\directx.sys C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE N/A
File opened for modification C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\._cache__CCC23~1.EXE N/A
File opened for modification C:\Windows\svchost.com C:\Windows\svchost.com N/A
File opened for modification C:\Windows\directx.sys C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A
File opened for modification C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE N/A
File opened for modification C:\Windows\directx.sys C:\Users\Admin\AppData\Local\Temp\._cache__CCC23~1.EXE N/A
File opened for modification C:\Windows\svchost.com C:\Windows\svchost.com N/A
File opened for modification C:\Windows\svchost.com C:\Windows\svchost.com N/A
File opened for modification C:\Windows\svchost.com C:\Windows\svchost.com N/A
File opened for modification C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE N/A
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A
File opened for modification C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE N/A
File opened for modification C:\Windows\directx.sys C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A
File opened for modification C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE N/A
File opened for modification C:\Windows\directx.sys C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
File opened for modification C:\Windows\directx.sys C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE N/A
File opened for modification C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE N/A
File opened for modification C:\Windows\svchost.com C:\Windows\svchost.com N/A
File opened for modification C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A
File opened for modification C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
File opened for modification C:\Windows\svchost.com C:\Windows\svchost.com N/A
File opened for modification C:\Windows\svchost.com C:\Windows\svchost.com N/A
File opened for modification C:\Windows\svchost.com C:\Windows\svchost.com N/A
File opened for modification C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A
File opened for modification C:\Windows\svchost.com C:\Windows\svchost.com N/A
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A
File opened for modification C:\Windows\directx.sys C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1176 wrote to memory of 1644 N/A C:\Users\Admin\AppData\Local\Temp\41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe C:\Users\Admin\AppData\Local\Temp\3582-490\41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe
PID 1176 wrote to memory of 1644 N/A C:\Users\Admin\AppData\Local\Temp\41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe C:\Users\Admin\AppData\Local\Temp\3582-490\41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe
PID 1176 wrote to memory of 1644 N/A C:\Users\Admin\AppData\Local\Temp\41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe C:\Users\Admin\AppData\Local\Temp\3582-490\41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe
PID 1176 wrote to memory of 1644 N/A C:\Users\Admin\AppData\Local\Temp\41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe C:\Users\Admin\AppData\Local\Temp\3582-490\41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe
PID 1644 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe C:\Users\Admin\AppData\Local\Temp\._cache_41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe
PID 1644 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe C:\Users\Admin\AppData\Local\Temp\._cache_41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe
PID 1644 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe C:\Users\Admin\AppData\Local\Temp\._cache_41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe
PID 1644 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe C:\Users\Admin\AppData\Local\Temp\._cache_41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe
PID 2568 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\._cache_41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe C:\Windows\svchost.com
PID 2568 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\._cache_41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe C:\Windows\svchost.com
PID 2568 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\._cache_41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe C:\Windows\svchost.com
PID 2568 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\._cache_41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe C:\Windows\svchost.com
PID 2836 wrote to memory of 2664 N/A C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
PID 2836 wrote to memory of 2664 N/A C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
PID 2836 wrote to memory of 2664 N/A C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
PID 2836 wrote to memory of 2664 N/A C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
PID 1644 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe C:\ProgramData\Synaptics\Synaptics.exe
PID 1644 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe C:\ProgramData\Synaptics\Synaptics.exe
PID 1644 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe C:\ProgramData\Synaptics\Synaptics.exe
PID 1644 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe C:\ProgramData\Synaptics\Synaptics.exe
PID 2460 wrote to memory of 332 N/A C:\ProgramData\Synaptics\Synaptics.exe C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
PID 2460 wrote to memory of 332 N/A C:\ProgramData\Synaptics\Synaptics.exe C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
PID 2460 wrote to memory of 332 N/A C:\ProgramData\Synaptics\Synaptics.exe C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
PID 2460 wrote to memory of 332 N/A C:\ProgramData\Synaptics\Synaptics.exe C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
PID 2664 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
PID 2664 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
PID 2664 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
PID 2664 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
PID 2484 wrote to memory of 2148 N/A C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE C:\Windows\svchost.com
PID 2484 wrote to memory of 2148 N/A C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE C:\Windows\svchost.com
PID 2484 wrote to memory of 2148 N/A C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE C:\Windows\svchost.com
PID 2484 wrote to memory of 2148 N/A C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE C:\Windows\svchost.com
PID 332 wrote to memory of 1500 N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe C:\Windows\svchost.com
PID 332 wrote to memory of 1500 N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe C:\Windows\svchost.com
PID 332 wrote to memory of 1500 N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe C:\Windows\svchost.com
PID 332 wrote to memory of 1500 N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe C:\Windows\svchost.com
PID 1500 wrote to memory of 592 N/A C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
PID 1500 wrote to memory of 592 N/A C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
PID 1500 wrote to memory of 592 N/A C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
PID 1500 wrote to memory of 592 N/A C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
PID 2148 wrote to memory of 1484 N/A C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE
PID 2148 wrote to memory of 1484 N/A C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE
PID 2148 wrote to memory of 1484 N/A C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE
PID 2148 wrote to memory of 1484 N/A C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE
PID 1484 wrote to memory of 1416 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE
PID 1484 wrote to memory of 1416 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE
PID 1484 wrote to memory of 1416 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE
PID 1484 wrote to memory of 1416 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE
PID 592 wrote to memory of 1212 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
PID 592 wrote to memory of 1212 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
PID 592 wrote to memory of 1212 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
PID 592 wrote to memory of 1212 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
PID 1212 wrote to memory of 2192 N/A C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE C:\Windows\svchost.com
PID 1212 wrote to memory of 2192 N/A C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE C:\Windows\svchost.com
PID 1212 wrote to memory of 2192 N/A C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE C:\Windows\svchost.com
PID 1212 wrote to memory of 2192 N/A C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE C:\Windows\svchost.com
PID 1416 wrote to memory of 548 N/A C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE C:\Windows\svchost.com
PID 1416 wrote to memory of 548 N/A C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE C:\Windows\svchost.com
PID 1416 wrote to memory of 548 N/A C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE C:\Windows\svchost.com
PID 1416 wrote to memory of 548 N/A C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE C:\Windows\svchost.com
PID 548 wrote to memory of 1776 N/A C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE
PID 548 wrote to memory of 1776 N/A C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE
PID 548 wrote to memory of 1776 N/A C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE
PID 548 wrote to memory of 1776 N/A C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe

"C:\Users\Admin\AppData\Local\Temp\41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe"

C:\Users\Admin\AppData\Local\Temp\3582-490\41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe

"C:\Users\Admin\AppData\Local\Temp\3582-490\41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe"

C:\Users\Admin\AppData\Local\Temp\._cache_41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe"

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE

"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE"

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE

"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE"

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE

"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CCC23~1.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CCC23~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CCC23~1.EXE InjUpdate

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE

C:\Users\Admin\AppData\Local\Temp\._cache__CCC23~1.EXE

"C:\Users\Admin\AppData\Local\Temp\._cache__CCC23~1.EXE" InjUpdate

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE InjUpdate

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE

"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CCC23~1.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CCC23~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CCC23~1.EXE InjUpdate

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache__CCC23~1.EXE

"C:\Users\Admin\AppData\Local\Temp\._cache__CCC23~1.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE

"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE" InjUpdate

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CCC23~1.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CCC23~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CCC23~1.EXE InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE InjUpdate

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache__CCC23~1.EXE

"C:\Users\Admin\AppData\Local\Temp\._cache__CCC23~1.EXE" InjUpdate

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE InjUpdate

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE

"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CCC23~1.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CCC23~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CCC23~1.EXE InjUpdate

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache__CCC23~1.EXE

"C:\Users\Admin\AppData\Local\Temp\._cache__CCC23~1.EXE" InjUpdate

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\._cache_Synaptics.exe" InjUpdate

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\._cache_Synaptics.exe" InjUpdate

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\wbem\wmiprvse.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 xred.mooo.com udp
US 8.8.8.8:53 freedns.afraid.org udp
US 69.42.215.252:80 freedns.afraid.org tcp
US 8.8.8.8:53 docs.google.com udp
GB 142.250.200.14:443 docs.google.com tcp
US 8.8.8.8:53 drive.usercontent.google.com udp
GB 142.250.179.225:443 drive.usercontent.google.com tcp

Files

\Users\Admin\AppData\Local\Temp\3582-490\41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe

MD5 e31ba8bc807ae7b8330f824bc52f3104
SHA1 21a4824bd4914eac7349f323b80a7399b6e5c199
SHA256 f364c51d99d573d88ec469944e331f00709ea67bd98be30252d4522eacb4b496
SHA512 c20dcd03fdae62ecaa4a68398521dff37aadfdfe029c1efafd104301007330c5e81e349dfb7e845eefa9cc9e9cd4d5b015063e7b9d23b410f23a36ee96a0871f

memory/1644-13-0x00000000002A0000-0x00000000002A1000-memory.dmp

C:\MSOCache\ALLUSE~1\{90140~1\dwtrig20.exe

MD5 cf6c595d3e5e9667667af096762fd9c4
SHA1 9bb44da8d7f6457099cb56e4f7d1026963dce7ce
SHA256 593e60cc30ae0789448547195af77f550387f6648d45847ea244dd0dd7abf03d
SHA512 ff4f789df9e6a6d0fbe12b3250f951fcf11e857906c65e96a30bb46266e7e1180d6103a03db2f3764e0d1346b2de7afba8259ba080057e4a268e45e8654dfa80

\Users\Admin\AppData\Local\Temp\._cache_41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe

MD5 67fbe98e5782b545a840c12cf4c9f3db
SHA1 0bfaf468b95c34faa9e94524650f6b10ca2e0cc5
SHA256 aa060f6bf8d7572ec9f781629c70f0068bbb034e5e94596f7c9c603a0fb392a0
SHA512 66b39e78e8f67c058dd19b2ef3d136adb6f98de9f048892b7af7aaffeff337ed9e9f2371220c7e712699e653427f60ece91ad859ffecbad449d9a7e8926b9b04

C:\Windows\svchost.com

MD5 223dd32576ace5da898257671c5cdf36
SHA1 87474af22e6a24ef24de43d2e798c87bd986514c
SHA256 8d4dbd3013a493f904e0863bb55d910bbb640ef3bdc6fcbaf3c78e95fbdd5254
SHA512 aaef06b777e4b015af8843b2955af6fbc4c6c7a0630729737a76464d9a443cf673b5b583ae7cf2ea2333f81bd083cf104bb4da9add41a5da48bc4eb1bf0dbdc7

C:\MSOCache\ALLUSE~1\{9A861~1\ose.exe

MD5 58b58875a50a0d8b5e7be7d6ac685164
SHA1 1e0b89c1b2585c76e758e9141b846ed4477b0662
SHA256 2a0aa0763fdef9c38c5dd4d50703f0c7e27f4903c139804ec75e55f8388139ae
SHA512 d67214077162a105d01b11a8e207fab08b45b08fbfba0615a2ea146e1dd99eea35e4f02958a1754d3192292c00caf777f186f0a362e4b8b0da51fabbdb76375b

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE

MD5 0b1682829f285e65ec1cca2663c91ebc
SHA1 3ea00c76951ff82d0d3d521490bde6b2b688b943
SHA256 8d98ea6e8805a668cf23cc6d74c0caf29671642cb9e764c939c4a56f6dc6e9f9
SHA512 ef4e1bb89d7a7169b7323e5ea2ae4e61b4ebbcab3d337a1b3bc0a4a035084aaa504e593ddb430b83fad2decb966688508e66fffb61d52892e5912b8b35745425

C:\MSOCache\ALLUSE~1\{90140~1\DW20.EXE

MD5 02ee6a3424782531461fb2f10713d3c1
SHA1 b581a2c365d93ebb629e8363fd9f69afc673123f
SHA256 ead58c483cb20bcd57464f8a4929079539d634f469b213054bf737d227c026dc
SHA512 6c9272cb1b6bde3ee887e1463ab30ea76568cb1a285d11393337b78c4ad1c3b7e6ce47646a92ab6d70bff4b02ab9d699b84af9437b720e52dcd35579fe2693ec

C:\MSOCache\ALLUSE~1\{9A861~1\setup.exe

MD5 566ed4f62fdc96f175afedd811fa0370
SHA1 d4b47adc40e0d5a9391d3f6f2942d1889dd2a451
SHA256 e17cd94c08fc0e001a49f43a0801cea4625fb9aee211b6dfebebec446c21f460
SHA512 cdf8f508d396a1a0d2e0fc25f2ae46398b25039a0dafa0919737cc44e3e926ebae4c3aa26f1a3441511430f1a36241f8e61c515a5d9bd98ad4740d4d0f7b8db7

memory/1644-62-0x0000000000400000-0x0000000000674000-memory.dmp

memory/2836-65-0x0000000000400000-0x000000000041B000-memory.dmp

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE

MD5 be5502373b174cc60bf606200c5fc7be
SHA1 de9060f4fd57a875bca3768f04052018f5c3be9e
SHA256 f13b5b39d76a83081628a53d5e53eab04600cf542bc375191ebe322ab52b15d6
SHA512 8ffa51b7e18d447867fdd4d5288bc4633ad94da6eb52e61f455abfaffd77d55d45b5533f2adb36481d8873ef5cb44959460e43105e40bc6fc99f82a93b48691f

memory/2664-90-0x0000000000400000-0x00000000005AD000-memory.dmp

C:\Windows\directx.sys

MD5 6b3bfceb3942a9508a2148acbee89007
SHA1 3622ac7466cc40f50515eb6fcdc15d1f34ad3be3
SHA256 e0a7bae2a9ac263cff5d725922e40272d8854278d901233a93a5267859c00a3c
SHA512 fa222bfcade636824af32124b45450c92b1abec7a33e6e647a9248eef5371c127d22ccb7cc5a096b4d5d52e2457f3841293a1b34304e8e5523549856ac02f224

memory/2484-94-0x0000000000400000-0x000000000041B000-memory.dmp

\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE

MD5 ff586f54c1196f80d8982f3826d049f7
SHA1 b401af3d06c3a37a260b53851a573332b9ac7e75
SHA256 ddceb6e5dff7a70c4f5d6df5b46ee207c624545049679004a012ceb49282be3e
SHA512 bf8bc03ffd386b1263306a6f75cb4fd404b3dda090e0fb8706a5fcdac239a9e7d1e76a83ccc5f741fc1e075c9fd2510a3b3ced20d7c59df9b6a9932b7ff894a7

memory/1500-126-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2148-125-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2460-149-0x0000000000400000-0x0000000000674000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE

MD5 a006f909b0796ead9fb69b3ec0f8ea54
SHA1 b564d0eda3e9c25acdeda1ea0fff98b80c2f82cf
SHA256 4bfb8af9700edb5978c99f6d39f03424061d8a7f7cc34cc92eb0b81839f456a2
SHA512 649ef95b606f9ca16328e651686efd8a7cb0897e5ad0041629730c35a617c47396c014460e4ce50f597d0ca2a565c3bb66f7370106eb17fe3f62329916f6b342

C:\Windows\directx.sys

MD5 8e4bd9619c227ef2bc20a2cb2aa55e7b
SHA1 a6214b7678b83c4db74b210625b4812300df3a74
SHA256 84ba3f2b07e112efaff6ee034b84db960521db9e504a4ac77a5e8e5e988d86d9
SHA512 12a6a559b89441983e9aab70f0ea17dc790bc48c7938dd573c888e33811db8fb210539ebebaa6c8f5c04971d72d037be6603de15ea3a1ffc0f5ea3dd5132b4bf

memory/1416-167-0x0000000000400000-0x000000000041B000-memory.dmp

memory/548-173-0x0000000000400000-0x000000000041B000-memory.dmp

memory/1212-155-0x0000000000400000-0x000000000041B000-memory.dmp

memory/1484-138-0x0000000000400000-0x00000000004E7000-memory.dmp

C:\Windows\directx.sys

MD5 b42f2603883dadf133cee3ae5d767bb2
SHA1 dc4161551044405353e870b029afff27c8030e22
SHA256 998e1546bc98d29ffccb70e81ed00a01f3dbd3015e947d1aabca4cb01775ce28
SHA512 a4c33c9b87f84b4aba84ecf8b0b2d8a90703ef8523f1d057824196e584451072ab5bbc96e0c95a319baaffd16ba7a26f940fec2e28e9228e1275c87fb061c02d

memory/332-106-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2192-185-0x0000000000400000-0x000000000041B000-memory.dmp

C:\Windows\directx.sys

MD5 56abc40d1e45c091d8afddb90a4ce6b4
SHA1 08db549484467b32b79958700300cabefc659848
SHA256 a43fa861957415e3b0f25e2b54d931961cd309ff1d5354a9362852895b90b3e1
SHA512 51625c015a7c8fcf6fb51d3396aa08d2068772e3fcacaf32c409e82071af4ba1eb2ee94f36c06a98c32ba59d23bbaa6b540f7bd418a9472303cc225151daa698

memory/1840-225-0x0000000000400000-0x000000000041B000-memory.dmp

memory/592-212-0x0000000000400000-0x00000000005AD000-memory.dmp

C:\ProgramData\Synaptics\RCX7B29.tmp

MD5 24c43a46e3ce028d3487a991e3b5f202
SHA1 3e47a2fbcfc35f7ee787e59f5e7f578d5cb54d69
SHA256 a4d6976ec3d988f43d3960623a8513de6cc46ca54af289a7e827982a0dee3a2e
SHA512 8e17d67efb54e679115b6b0265be3b15e1dc09bfd648c20a54f2712b6915095364febaedd1ca713b87c365c3861b6e3668d31190395b9ab18bf47fb0d862deba

memory/2188-233-0x0000000000400000-0x000000000041B000-memory.dmp

memory/288-235-0x0000000000400000-0x00000000004E7000-memory.dmp

memory/1576-250-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2536-256-0x0000000000400000-0x000000000041B000-memory.dmp

memory/1232-259-0x0000000000400000-0x00000000005AD000-memory.dmp

memory/2788-266-0x0000000000400000-0x00000000005AD000-memory.dmp

memory/2184-258-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2604-278-0x0000000000400000-0x000000000041B000-memory.dmp

C:\Windows\directx.sys

MD5 92baef4d0a742dec35d64b4e3a1f128d
SHA1 f6de62e7fcd3e4887759171264033f9fa8e06a81
SHA256 7fce5bcabc98bb18bbdde889f79c028f14067fc644d781cb6967c662e6a31d94
SHA512 ba6a9bf403892d2924c0a4c7cb0c58d7a2fc9bf802b9fa0772230d7fcd7b92dd4fcab621e651ae2a349b3eae3eadacdb0395ebb849204f3d7cc858d146de3870

memory/1896-284-0x0000000000400000-0x000000000041B000-memory.dmp

memory/3060-294-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2744-291-0x0000000000400000-0x00000000005AD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\3582-490\._cache__CCC23~1.EXE

MD5 89c5a593dcc807a5f846fce1708a4c1c
SHA1 ffbdda4bef05555404210e260c75eae8743e9333
SHA256 49c114e38ecd858ddad5cc6f9860f3d2eb80fb429758b4ecfc974e856fe6e377
SHA512 c1aa27a147cd95efc48bb3c08a011d83b5cf517fa3eb1d617ecb68da07c1780eff426073c7295f0964eb2fee1e6440b40b548ddfacc3a63d6f955fc39448b643

memory/2980-323-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2508-319-0x0000000000400000-0x00000000004E7000-memory.dmp

memory/1144-340-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2828-328-0x0000000000400000-0x00000000005AD000-memory.dmp

memory/1588-341-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2992-347-0x0000000000400000-0x00000000005AD000-memory.dmp

memory/1176-348-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2568-349-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2320-350-0x0000000000400000-0x000000000041B000-memory.dmp

memory/640-353-0x0000000000400000-0x000000000041B000-memory.dmp

memory/1476-359-0x0000000000400000-0x000000000041B000-memory.dmp

memory/1908-362-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2960-377-0x0000000000400000-0x000000000041B000-memory.dmp

memory/632-381-0x0000000000400000-0x00000000005AD000-memory.dmp

memory/1612-387-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2256-388-0x0000000000400000-0x00000000005AD000-memory.dmp

memory/1300-399-0x0000000000400000-0x000000000041B000-memory.dmp

memory/1132-405-0x0000000000400000-0x00000000004E7000-memory.dmp

memory/268-411-0x0000000000400000-0x000000000041B000-memory.dmp

memory/764-409-0x0000000000400000-0x00000000004E7000-memory.dmp

memory/1952-417-0x0000000000400000-0x000000000041B000-memory.dmp

C:\Windows\directx.sys

MD5 b0bf31abfa7b64da8a3f257366eb0e01
SHA1 958444a8449749a409f0dfbfc84f65069fb4f799
SHA256 b1304d541b965969b360d5f0a4e3441d52dd1202aecb32ec32e68b82f8951f4b
SHA512 baf49da82bf90f84bcdab2e95c5d5bff9ba715c4c502ec5036f22076c65e2dcc1b10bab4b11fb97ae257ef1b4ee68240cac8a8ce8981c5d44074acb63e045f09

memory/1604-426-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2572-427-0x0000000000400000-0x000000000041B000-memory.dmp

memory/3040-428-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2740-434-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2568-436-0x0000000000400000-0x000000000041B000-memory.dmp

memory/1176-435-0x0000000000400000-0x000000000041B000-memory.dmp

memory/772-437-0x0000000000400000-0x00000000004E7000-memory.dmp

memory/1088-438-0x0000000000400000-0x00000000004E7000-memory.dmp

memory/1176-439-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2568-440-0x0000000000400000-0x000000000041B000-memory.dmp

memory/772-441-0x0000000000400000-0x00000000004E7000-memory.dmp

memory/1176-443-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2568-444-0x0000000000400000-0x000000000041B000-memory.dmp

memory/772-445-0x0000000000400000-0x00000000004E7000-memory.dmp

memory/1176-447-0x0000000000400000-0x000000000041B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-15 20:50

Reported

2024-06-15 20:53

Platform

win10v2004-20240226-en

Max time kernel

21s

Max time network

159s

Command Line

"C:\Users\Admin\AppData\Local\Temp\41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe"

Signatures

Detect Neshta payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Neshta

persistence spyware neshta

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\3582-490\41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\._cache_41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\ProgramData\Synaptics\Synaptics.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" C:\Users\Admin\AppData\Local\Temp\3582-490\41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe N/A
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A
File opened for modification C:\Windows\directx.sys C:\Users\Admin\AppData\Local\Temp\._cache_41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe N/A
File opened for modification C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\._cache_41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe N/A
File opened for modification C:\Windows\svchost.com C:\Windows\svchost.com N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Users\Admin\AppData\Local\Temp\3582-490\41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\._cache_41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\ProgramData\Synaptics\Synaptics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4068 wrote to memory of 2448 N/A C:\Users\Admin\AppData\Local\Temp\41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe C:\Users\Admin\AppData\Local\Temp\3582-490\41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe
PID 4068 wrote to memory of 2448 N/A C:\Users\Admin\AppData\Local\Temp\41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe C:\Users\Admin\AppData\Local\Temp\3582-490\41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe
PID 4068 wrote to memory of 2448 N/A C:\Users\Admin\AppData\Local\Temp\41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe C:\Users\Admin\AppData\Local\Temp\3582-490\41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe
PID 2448 wrote to memory of 4404 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe C:\Users\Admin\AppData\Local\Temp\._cache_41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe
PID 2448 wrote to memory of 4404 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe C:\Users\Admin\AppData\Local\Temp\._cache_41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe
PID 2448 wrote to memory of 4404 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe C:\Users\Admin\AppData\Local\Temp\._cache_41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe
PID 2448 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe C:\ProgramData\Synaptics\Synaptics.exe
PID 2448 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe C:\ProgramData\Synaptics\Synaptics.exe
PID 2448 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe C:\ProgramData\Synaptics\Synaptics.exe
PID 4404 wrote to memory of 4844 N/A C:\Users\Admin\AppData\Local\Temp\._cache_41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe C:\Windows\svchost.com
PID 4404 wrote to memory of 4844 N/A C:\Users\Admin\AppData\Local\Temp\._cache_41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe C:\Windows\svchost.com
PID 4404 wrote to memory of 4844 N/A C:\Users\Admin\AppData\Local\Temp\._cache_41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe C:\Windows\svchost.com
PID 4844 wrote to memory of 1576 N/A C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
PID 4844 wrote to memory of 1576 N/A C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
PID 4844 wrote to memory of 1576 N/A C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
PID 2152 wrote to memory of 2876 N/A C:\ProgramData\Synaptics\Synaptics.exe C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
PID 2152 wrote to memory of 2876 N/A C:\ProgramData\Synaptics\Synaptics.exe C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
PID 2152 wrote to memory of 2876 N/A C:\ProgramData\Synaptics\Synaptics.exe C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

Processes

C:\Users\Admin\AppData\Local\Temp\41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe

"C:\Users\Admin\AppData\Local\Temp\41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe"

C:\Users\Admin\AppData\Local\Temp\3582-490\41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe

"C:\Users\Admin\AppData\Local\Temp\3582-490\41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe"

C:\Users\Admin\AppData\Local\Temp\._cache_41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe"

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE

"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE

"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE

"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE InjUpdate

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE

"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\._cache__CACHE~1.EXE" InjUpdate

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE

"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE

"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE

"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE" InjUpdate

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE" InjUpdate

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE InjUpdate

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE InjUpdate

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE

"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE

"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE

"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE" InjUpdate

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE" InjUpdate

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE" InjUpdate

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE InjUpdate

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE

"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE

"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE" InjUpdate

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE" InjUpdate

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE InjUpdate

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE

"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE" InjUpdate

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE

"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE

"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE

"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE" InjUpdate

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\._cache_Synaptics.exe" InjUpdate

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE

"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE" InjUpdate

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE InjUpdate

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3692 --field-trial-handle=2244,i,11878111470816612087,2265290141962607370,262144 --variations-seed-version /prefetch:8

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE

"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE" InjUpdate

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE

"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE InjUpdate

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE

"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE InjUpdate

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE

"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\._cache__CACHE~1.EXE" InjUpdate

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE

"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE

"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE

"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE InjUpdate

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE

"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE InjUpdate

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE

"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE InjUpdate

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE

"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE InjUpdate

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE

"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE

"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE" InjUpdate

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE

"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE

"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE

"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE" InjUpdate

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE" InjUpdate

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE InjUpdate

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE" InjUpdate

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE

"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE InjUpdate

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE InjUpdate

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE

"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE

"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE

"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE

"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE

"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE

"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE" InjUpdate

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate

Network

Country Destination Domain Proto
GB 216.58.201.106:443 tcp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\3582-490\41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe

MD5 e31ba8bc807ae7b8330f824bc52f3104
SHA1 21a4824bd4914eac7349f323b80a7399b6e5c199
SHA256 f364c51d99d573d88ec469944e331f00709ea67bd98be30252d4522eacb4b496
SHA512 c20dcd03fdae62ecaa4a68398521dff37aadfdfe029c1efafd104301007330c5e81e349dfb7e845eefa9cc9e9cd4d5b015063e7b9d23b410f23a36ee96a0871f

memory/4068-13-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2448-14-0x0000000000980000-0x0000000000981000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\._cache_41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe

MD5 67fbe98e5782b545a840c12cf4c9f3db
SHA1 0bfaf468b95c34faa9e94524650f6b10ca2e0cc5
SHA256 aa060f6bf8d7572ec9f781629c70f0068bbb034e5e94596f7c9c603a0fb392a0
SHA512 66b39e78e8f67c058dd19b2ef3d136adb6f98de9f048892b7af7aaffeff337ed9e9f2371220c7e712699e653427f60ece91ad859ffecbad449d9a7e8926b9b04

memory/2448-118-0x0000000000400000-0x0000000000674000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\3582-490\._cache_41ae23595d66cc3b587ce1b696e7252bd7b68034452237567c19465eeecd0a1f.exe

MD5 0b1682829f285e65ec1cca2663c91ebc
SHA1 3ea00c76951ff82d0d3d521490bde6b2b688b943
SHA256 8d98ea6e8805a668cf23cc6d74c0caf29671642cb9e764c939c4a56f6dc6e9f9
SHA512 ef4e1bb89d7a7169b7323e5ea2ae4e61b4ebbcab3d337a1b3bc0a4a035084aaa504e593ddb430b83fad2decb966688508e66fffb61d52892e5912b8b35745425

C:\Windows\svchost.com

MD5 223dd32576ace5da898257671c5cdf36
SHA1 87474af22e6a24ef24de43d2e798c87bd986514c
SHA256 8d4dbd3013a493f904e0863bb55d910bbb640ef3bdc6fcbaf3c78e95fbdd5254
SHA512 aaef06b777e4b015af8843b2955af6fbc4c6c7a0630729737a76464d9a443cf673b5b583ae7cf2ea2333f81bd083cf104bb4da9add41a5da48bc4eb1bf0dbdc7

C:\odt\OFFICE~1.EXE

MD5 02c3d242fe142b0eabec69211b34bc55
SHA1 ea0a4a6d6078b362f7b3a4ad1505ce49957dc16e
SHA256 2a1ed24be7e3859b46ec3ebc316789ead5f12055853f86a9656e04b4bb771842
SHA512 0efb08492eaaa2e923beddc21566e98fbbef3a102f9415ff310ec616f5c84fd2ba3a7025b05e01c0bdf37e5e2f64dfd845f9254a376144cc7d827e7577dbb099

C:\Windows\directx.sys

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/4844-163-0x0000000000400000-0x000000000041B000-memory.dmp

memory/1576-202-0x0000000000400000-0x00000000005AD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE

MD5 be5502373b174cc60bf606200c5fc7be
SHA1 de9060f4fd57a875bca3768f04052018f5c3be9e
SHA256 f13b5b39d76a83081628a53d5e53eab04600cf542bc375191ebe322ab52b15d6
SHA512 8ffa51b7e18d447867fdd4d5288bc4633ad94da6eb52e61f455abfaffd77d55d45b5533f2adb36481d8873ef5cb44959460e43105e40bc6fc99f82a93b48691f

C:\Windows\directx.sys

MD5 6b3bfceb3942a9508a2148acbee89007
SHA1 3622ac7466cc40f50515eb6fcdc15d1f34ad3be3
SHA256 e0a7bae2a9ac263cff5d725922e40272d8854278d901233a93a5267859c00a3c
SHA512 fa222bfcade636824af32124b45450c92b1abec7a33e6e647a9248eef5371c127d22ccb7cc5a096b4d5d52e2457f3841293a1b34304e8e5523549856ac02f224

memory/2876-223-0x0000000000400000-0x000000000041B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\3582-490\._cache__CACHE~1.EXE

MD5 ff586f54c1196f80d8982f3826d049f7
SHA1 b401af3d06c3a37a260b53851a573332b9ac7e75
SHA256 ddceb6e5dff7a70c4f5d6df5b46ee207c624545049679004a012ceb49282be3e
SHA512 bf8bc03ffd386b1263306a6f75cb4fd404b3dda090e0fb8706a5fcdac239a9e7d1e76a83ccc5f741fc1e075c9fd2510a3b3ced20d7c59df9b6a9932b7ff894a7

memory/4384-236-0x0000000000400000-0x000000000041B000-memory.dmp

memory/4772-244-0x0000000000400000-0x000000000041B000-memory.dmp

C:\Windows\directx.sys

MD5 b42f2603883dadf133cee3ae5d767bb2
SHA1 dc4161551044405353e870b029afff27c8030e22
SHA256 998e1546bc98d29ffccb70e81ed00a01f3dbd3015e947d1aabca4cb01775ce28
SHA512 a4c33c9b87f84b4aba84ecf8b0b2d8a90703ef8523f1d057824196e584451072ab5bbc96e0c95a319baaffd16ba7a26f940fec2e28e9228e1275c87fb061c02d

memory/4068-246-0x0000000000400000-0x000000000041B000-memory.dmp

memory/4188-273-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2152-305-0x0000000000400000-0x0000000000674000-memory.dmp

memory/4788-388-0x0000000000400000-0x00000000004E7000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE

MD5 a006f909b0796ead9fb69b3ec0f8ea54
SHA1 b564d0eda3e9c25acdeda1ea0fff98b80c2f82cf
SHA256 4bfb8af9700edb5978c99f6d39f03424061d8a7f7cc34cc92eb0b81839f456a2
SHA512 649ef95b606f9ca16328e651686efd8a7cb0897e5ad0041629730c35a617c47396c014460e4ce50f597d0ca2a565c3bb66f7370106eb17fe3f62329916f6b342

C:\Windows\directx.sys

MD5 56abc40d1e45c091d8afddb90a4ce6b4
SHA1 08db549484467b32b79958700300cabefc659848
SHA256 a43fa861957415e3b0f25e2b54d931961cd309ff1d5354a9362852895b90b3e1
SHA512 51625c015a7c8fcf6fb51d3396aa08d2068772e3fcacaf32c409e82071af4ba1eb2ee94f36c06a98c32ba59d23bbaa6b540f7bd418a9472303cc225151daa698

memory/1620-379-0x0000000000400000-0x000000000041B000-memory.dmp

memory/3600-403-0x0000000000400000-0x00000000005AD000-memory.dmp

memory/916-404-0x0000000000400000-0x000000000041B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\3582-490\._cache__CACHE~3.EXE

MD5 89c5a593dcc807a5f846fce1708a4c1c
SHA1 ffbdda4bef05555404210e260c75eae8743e9333
SHA256 49c114e38ecd858ddad5cc6f9860f3d2eb80fb429758b4ecfc974e856fe6e377
SHA512 c1aa27a147cd95efc48bb3c08a011d83b5cf517fa3eb1d617ecb68da07c1780eff426073c7295f0964eb2fee1e6440b40b548ddfacc3a63d6f955fc39448b643

memory/4100-419-0x0000000000400000-0x000000000041B000-memory.dmp

memory/460-423-0x0000000000400000-0x000000000041B000-memory.dmp

C:\ProgramData\Synaptics\RCX3AA3.tmp

MD5 24c43a46e3ce028d3487a991e3b5f202
SHA1 3e47a2fbcfc35f7ee787e59f5e7f578d5cb54d69
SHA256 a4d6976ec3d988f43d3960623a8513de6cc46ca54af289a7e827982a0dee3a2e
SHA512 8e17d67efb54e679115b6b0265be3b15e1dc09bfd648c20a54f2712b6915095364febaedd1ca713b87c365c3861b6e3668d31190395b9ab18bf47fb0d862deba

C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe

MD5 576410de51e63c3b5442540c8fdacbee
SHA1 8de673b679e0fee6e460cbf4f21ab728e41e0973
SHA256 3f00404dd591c2856e6f71bd78423ed47199902e0b85f228e6c4de72c59ddffe
SHA512 f7761f3878775b30cc3d756fa122e74548dfc0a27e38fa4109e34a59a009df333d074bf14a227549ae347605f271be47984c55148685faac479aeb481f7191db

C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe

MD5 5791075058b526842f4601c46abd59f5
SHA1 b2748f7542e2eebcd0353c3720d92bbffad8678f
SHA256 5c3ef3ec7594c040146e908014791dd15201ba58b4d70032770bb661b6a0e394
SHA512 83e303971ed64019fde9e4ba6f6e889f8fb105088490dfa7dcf579a12baff20ef491f563d132d60c7b24a4fd3cac29bd9dc974571cd162000fae8fba4e0e54fb

C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE

MD5 8c753d6448183dea5269445738486e01
SHA1 ebbbdc0022ca7487cd6294714cd3fbcb70923af9
SHA256 473eb551101caeaf2d18f811342e21de323c8dd19ed21011997716871defe997
SHA512 4f6fddefc42455540448eac0b693a4847e21b68467486376a4186776bfe137337733d3075b7b87ed7dac532478dc9afc63883607ec8205df3f155fee64c7a9be

C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE

MD5 9dfcdd1ab508b26917bb2461488d8605
SHA1 4ba6342bcf4942ade05fb12db83da89dc8c56a21
SHA256 ecd5e94da88c653e4c34b6ab325e0aca8824247b290336f75c410caa16381bc5
SHA512 1afc1b95f160333f1ff2fa14b3f22a28ae33850699c6b5498915a8b6bec1cfc40f33cb69583240aa9206bc2ea7ab14e05e071275b836502a92aa8c529fc1b137

C:\Windows\directx.sys

MD5 48666032bcbce70055a4b8477879c103
SHA1 080069095e146772bae92f4281c9a8245b4bce69
SHA256 4476a30a9745e1ce4ff339c4d4e3fea9be5dc2238e4b74f4106c24f14f3d88f4
SHA512 88488a7545aa2225864c3ccbeb41edeada19402131f34cae7d4981612efb868f7ba071dded738299e1a6dd9b081bcc43eb3921d6d6c3e453597a3f02af4b18b3

memory/2472-455-0x0000000000400000-0x00000000004E7000-memory.dmp

memory/1912-478-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2144-477-0x0000000000400000-0x000000000041B000-memory.dmp

memory/4924-476-0x0000000000400000-0x000000000041B000-memory.dmp

memory/4404-486-0x0000000000400000-0x000000000041B000-memory.dmp

memory/1732-487-0x0000000000400000-0x000000000041B000-memory.dmp

memory/1344-488-0x0000000000400000-0x00000000005AD000-memory.dmp

memory/1752-489-0x0000000000400000-0x00000000005AD000-memory.dmp

memory/1564-562-0x0000000000400000-0x00000000005AD000-memory.dmp

memory/2996-570-0x0000000000400000-0x000000000041B000-memory.dmp

memory/3772-569-0x0000000000400000-0x000000000041B000-memory.dmp

memory/1868-553-0x0000000000400000-0x000000000041B000-memory.dmp

memory/4072-571-0x0000000000400000-0x000000000041B000-memory.dmp

memory/1500-611-0x0000000000400000-0x00000000005AD000-memory.dmp

memory/3600-623-0x0000000000400000-0x00000000005AD000-memory.dmp

memory/3140-624-0x0000000000400000-0x000000000041B000-memory.dmp

memory/972-642-0x0000000000400000-0x000000000041B000-memory.dmp

memory/4728-643-0x0000000000400000-0x000000000041B000-memory.dmp

memory/1752-645-0x0000000000400000-0x000000000041B000-memory.dmp

memory/1340-658-0x0000000000400000-0x000000000041B000-memory.dmp

memory/4816-659-0x0000000000400000-0x000000000041B000-memory.dmp

memory/4708-718-0x0000000000400000-0x00000000004E7000-memory.dmp

memory/4068-729-0x0000000000400000-0x000000000041B000-memory.dmp

memory/1412-730-0x0000000000400000-0x00000000004E7000-memory.dmp

memory/384-754-0x0000000000400000-0x00000000004E7000-memory.dmp

memory/1784-755-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2752-753-0x0000000000400000-0x000000000041B000-memory.dmp

memory/4480-756-0x0000000000400000-0x000000000041B000-memory.dmp

memory/368-757-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2884-767-0x0000000000400000-0x00000000004E7000-memory.dmp

memory/4320-816-0x0000000000400000-0x000000000041B000-memory.dmp

memory/1580-817-0x0000000000400000-0x000000000041B000-memory.dmp

memory/952-836-0x0000000000400000-0x00000000005AD000-memory.dmp

memory/3024-842-0x0000000000400000-0x00000000005AD000-memory.dmp

memory/2160-857-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2848-856-0x0000000000400000-0x000000000041B000-memory.dmp

memory/1340-855-0x0000000000400000-0x000000000041B000-memory.dmp

memory/4924-858-0x0000000000400000-0x00000000004E7000-memory.dmp

memory/3152-864-0x0000000000400000-0x000000000041B000-memory.dmp

memory/412-927-0x0000000000400000-0x00000000004E7000-memory.dmp

memory/1352-932-0x0000000000400000-0x00000000004E7000-memory.dmp

memory/4632-938-0x0000000000400000-0x000000000041B000-memory.dmp

memory/224-939-0x0000000000400000-0x000000000041B000-memory.dmp

memory/4404-941-0x0000000000400000-0x000000000041B000-memory.dmp

memory/3952-952-0x0000000000400000-0x000000000041B000-memory.dmp

memory/5000-959-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2108-966-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2228-967-0x0000000000400000-0x000000000041B000-memory.dmp