Malware Analysis Report

2024-09-11 00:53

Sample ID 240615-ztbpwsxhmk
Target ATRTool_2.0.exe
SHA256 595eb49460b7eb4f393af28a335dcaf98317faad04a92e49e9eceaa1f7379f40
Tags neshta persistence spyware
Score 10/10

Analysis Overview

Threat Level: Known bad

The file ATRTool_2.0.exe was found to be: Known bad.

Malicious Activity Summary

neshta persistence spyware

Neshta

Modifies system executable filetype association

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Adds Run key to start application

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Modifies registry class

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-15 21:00

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-15 21:00

Reported

2024-06-15 21:00

Platform

win10-20240404-en

Max time kernel

42s

Max time network

42s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ATRTool_2.0.exe"

Signatures

Neshta

persistence spyware neshta

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ATRTool_2.0.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\3582-490\._cache_ATRTool_2.0.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Control Panel\International\Geo\Nation C:\ProgramData\Synaptics\Synaptics.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\ProgramData\Synaptics\Synaptics.exe N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\._cache_ATRTool_2.0.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" C:\Users\Admin\AppData\Local\Temp\ATRTool_2.0.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" C:\Users\Admin\AppData\Local\Temp\3582-490\._cache_ATRTool_2.0.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\._cache_ATRTool_2.0.exe N/A
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A
File opened for modification C:\Windows\directx.sys C:\Users\Admin\AppData\Local\Temp\._cache_._cache_ATRTool_2.0.exe N/A
File opened for modification C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\._cache_._cache_ATRTool_2.0.exe N/A
File opened for modification C:\Windows\svchost.com C:\Windows\svchost.com N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance C:\ProgramData\Synaptics\Synaptics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance C:\Users\Admin\AppData\Local\Temp\ATRTool_2.0.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\._cache_ATRTool_2.0.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance C:\Users\Admin\AppData\Local\Temp\3582-490\._cache_ATRTool_2.0.exe N/A
Key created \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\._cache_._cache_ATRTool_2.0.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2324 wrote to memory of 96 N/A C:\Users\Admin\AppData\Local\Temp\ATRTool_2.0.exe C:\Users\Admin\AppData\Local\Temp\._cache_ATRTool_2.0.exe
PID 96 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\._cache_ATRTool_2.0.exe C:\Users\Admin\AppData\Local\Temp\3582-490\._cache_ATRTool_2.0.exe
PID 2324 wrote to memory of 3356 N/A C:\Users\Admin\AppData\Local\Temp\ATRTool_2.0.exe C:\ProgramData\Synaptics\Synaptics.exe
PID 2636 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\._cache_ATRTool_2.0.exe C:\Users\Admin\AppData\Local\Temp\._cache_._cache_ATRTool_2.0.exe
PID 2492 wrote to memory of 2352 N/A C:\Users\Admin\AppData\Local\Temp\._cache_._cache_ATRTool_2.0.exe C:\Windows\svchost.com
PID 2352 wrote to memory of 4860 N/A C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
PID 2636 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\._cache_ATRTool_2.0.exe C:\ProgramData\Synaptics\Synaptics.exe
PID 3356 wrote to memory of 772 N/A C:\ProgramData\Synaptics\Synaptics.exe C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ATRTool_2.0.exe

"C:\Users\Admin\AppData\Local\Temp\ATRTool_2.0.exe"

C:\Users\Admin\AppData\Local\Temp\._cache_ATRTool_2.0.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_ATRTool_2.0.exe"

C:\Users\Admin\AppData\Local\Temp\3582-490\._cache_ATRTool_2.0.exe

"C:\Users\Admin\AppData\Local\Temp\3582-490\._cache_ATRTool_2.0.exe"

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache_._cache_ATRTool_2.0.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_._cache_ATRTool_2.0.exe"

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE

"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE" InjUpdate

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE InjUpdate

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE InjUpdate

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE

"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE" InjUpdate

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE InjUpdate

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE

"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE" InjUpdate

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE" InjUpdate

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE

"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE" InjUpdate

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE

"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE" InjUpdate

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE InjUpdate

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE

"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE" InjUpdate

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE InjUpdate

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE

"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE" InjUpdate

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE InjUpdate

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE

"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE" InjUpdate

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE InjUpdate

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE

"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE" InjUpdate

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE

"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE" InjUpdate

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE InjUpdate

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE

"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE" InjUpdate

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE" InjUpdate

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE

"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE" InjUpdate

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE

"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE" InjUpdate

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE InjUpdate

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE

"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE" InjUpdate

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE InjUpdate

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE

"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE" InjUpdate

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE" InjUpdate

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE

"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE" InjUpdate

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE InjUpdate

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE

"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE" InjUpdate

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE InjUpdate

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE

"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE" InjUpdate

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE

"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE" InjUpdate

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE

"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE" InjUpdate

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE InjUpdate

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE

"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE" InjUpdate

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE

"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE" InjUpdate

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE" InjUpdate

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

Network

Country Destination Domain Proto
US 8.8.8.8:53 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa udp
US 8.8.8.8:53 46.28.109.52.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 199.111.78.13.in-addr.arpa udp
US 8.8.8.8:53 13.179.89.13.in-addr.arpa udp
US 8.8.8.8:53 18.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 89.16.208.104.in-addr.arpa udp
US 8.8.8.8:53 93.65.42.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\._cache_ATRTool_2.0.exe

C:\ProgramData\Synaptics\Synaptics.exe

C:\Users\Admin\AppData\Local\Temp\3582-490\._cache_ATRTool_2.0.exe

C:\Users\Admin\AppData\Local\Temp\._cache_._cache_ATRTool_2.0.exe

C:\Windows\svchost.com

C:\Windows\directx.sys

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE

C:\Windows\directx.sys

C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE

C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE

C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE

C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE

C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE

C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe

C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE

C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe

C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE

C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe

C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE

C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe

C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE

C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe

C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE

C:\PROGRA~2\COMMON~1\Oracle\Java\JAVAPA~1\javaw.exe

C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE

C:\PROGRA~2\Google\Update\1336~1.151\GOF5E2~1.EXE

C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~2.EXE

C:\PROGRA~2\MOZILL~1\UNINST~1.EXE

C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE

C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE

C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe

C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE

C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE

C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXE

C:\PROGRA~2\COMMON~1\Oracle\Java\JAVAPA~1\java.exe

C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE

C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe

C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe

C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe

C:\Windows\directx.sys

C:\ProgramData\Synaptics\RCX7DDB.tmp
