Analysis
max time kernel: 133s
max time network: 132s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 18-06-2024 20:03

Behavioral task: behavioral1
Sample: 30b988ea4d19e7657f3c01fd7569040cf925b207c467fed8e1cfbe1f28b5a5a8.exe
Resource: win7-20240508-en

Behavioral task: behavioral2
Sample: 30b988ea4d19e7657f3c01fd7569040cf925b207c467fed8e1cfbe1f28b5a5a8.exe
Resource: win10v2004-20240508-en

General
Target: 30b988ea4d19e7657f3c01fd7569040cf925b207c467fed8e1cfbe1f28b5a5a8.exe
Size: 2.7MB
MD5: b782699cf4c24d7bfa3d63b7f1332edf
SHA1: 317edaf964a4e115df9a194fc84838c9790c356e
SHA256: 30b988ea4d19e7657f3c01fd7569040cf925b207c467fed8e1cfbe1f28b5a5a8
SHA512: 65fccc13d124d9ee8bfc10a4b4d73a14bf7b3972de300d7353665b6a55b42bc5d3c63203f4ea55e0466a477fffb5291e38c72f12ff42364e2f1b5bdc7d36fca2
SSDEEP: 49152:6Hyjtk2MYC5GDFHyjtk2MYC5GDWkWZOAmn1n9:6mtk2awmtk2aPkWZhmn1n9

Malware Config

Signatures
Detect Neshta payload 49 IoCs
YARA rule family_neshta matched 13 files on disk and 36 memory regions (all memory hits are from behavioral1, the Windows 7 run).
Files:
  \Users\Admin\AppData\Local\Temp\3582-490\30b988ea4d19e7657f3c01fd7569040cf925b207c467fed8e1cfbe1f28b5a5a8.exe
  \Users\Admin\AppData\Local\Temp\._cache_30b988ea4d19e7657f3c01fd7569040cf925b207c467fed8e1cfbe1f28b5a5a8.exe
  C:\Windows\svchost.com
  C:\MSOCache\ALLUSE~1\{90140~1\dwtrig20.exe
  C:\MSOCache\ALLUSE~1\{90140~1\DW20.EXE
  C:\MSOCache\ALLUSE~1\{9A861~1\ose.exe
  C:\MSOCache\ALLUSE~1\{9A861~1\setup.exe
  C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE
  C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE
  C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe
  C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE
  C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe
  C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE
Memory regions (behavioral1/memory/<pid>-<event>-<range>-memory.dmp, in the order recorded):
  behavioral1/memory/2976-57-0x0000000000400000-0x00000000006A3000-memory.dmp
  behavioral1/memory/2540-63-0x0000000000400000-0x000000000041B000-memory.dmp
  behavioral1/memory/1896-100-0x0000000000400000-0x000000000041B000-memory.dmp
  behavioral1/memory/1564-117-0x0000000000400000-0x000000000041B000-memory.dmp
  behavioral1/memory/2504-134-0x0000000000400000-0x00000000006A3000-memory.dmp
  behavioral1/memory/824-177-0x0000000000400000-0x000000000041B000-memory.dmp
  behavioral1/memory/2460-178-0x0000000000400000-0x000000000041B000-memory.dmp
  behavioral1/memory/1992-179-0x0000000000400000-0x00000000006A3000-memory.dmp
  behavioral1/memory/3048-225-0x0000000000400000-0x000000000041B000-memory.dmp
  behavioral1/memory/2132-231-0x0000000000400000-0x000000000041B000-memory.dmp
  behavioral1/memory/956-243-0x0000000000400000-0x00000000006A3000-memory.dmp
  behavioral1/memory/2604-267-0x0000000000400000-0x000000000041B000-memory.dmp
  behavioral1/memory/2784-268-0x0000000000400000-0x000000000041B000-memory.dmp
  behavioral1/memory/1772-288-0x0000000000400000-0x000000000041B000-memory.dmp
  behavioral1/memory/832-294-0x0000000000400000-0x000000000041B000-memory.dmp
  behavioral1/memory/2432-314-0x0000000000400000-0x000000000041B000-memory.dmp
  behavioral1/memory/1296-320-0x0000000000400000-0x000000000041B000-memory.dmp
  behavioral1/memory/688-340-0x0000000000400000-0x000000000041B000-memory.dmp
  behavioral1/memory/1596-346-0x0000000000400000-0x000000000041B000-memory.dmp
  behavioral1/memory/2712-366-0x0000000000400000-0x000000000041B000-memory.dmp
  behavioral1/memory/2088-372-0x0000000000400000-0x000000000041B000-memory.dmp
  behavioral1/memory/2524-392-0x0000000000400000-0x000000000041B000-memory.dmp
  behavioral1/memory/2604-398-0x0000000000400000-0x000000000041B000-memory.dmp
  behavioral1/memory/1416-418-0x0000000000400000-0x000000000041B000-memory.dmp
  behavioral1/memory/2024-424-0x0000000000400000-0x000000000041B000-memory.dmp
  behavioral1/memory/2068-444-0x0000000000400000-0x000000000041B000-memory.dmp
  behavioral1/memory/1996-450-0x0000000000400000-0x000000000041B000-memory.dmp
  behavioral1/memory/2356-470-0x0000000000400000-0x000000000041B000-memory.dmp
  behavioral1/memory/2852-476-0x0000000000400000-0x000000000041B000-memory.dmp
  behavioral1/memory/1868-494-0x0000000000400000-0x000000000041B000-memory.dmp
  behavioral1/memory/2540-497-0x0000000000400000-0x000000000041B000-memory.dmp
  behavioral1/memory/2424-503-0x0000000000400000-0x000000000041B000-memory.dmp
  behavioral1/memory/2800-523-0x0000000000400000-0x000000000041B000-memory.dmp
  behavioral1/memory/1464-529-0x0000000000400000-0x000000000041B000-memory.dmp
  behavioral1/memory/1112-549-0x0000000000400000-0x000000000041B000-memory.dmp
  behavioral1/memory/2272-555-0x0000000000400000-0x000000000041B000-memory.dmp
The memory hits come in two image sizes. The 0x400000-0x41B000 mappings are processes running the small infector stub (the svchost.com and ._cache_Synaptics.exe instances, plus the initially submitted file as PID 1868); the four 0x400000-0x6A3000 mappings (PIDs 2976, 2504, 1992, 956) are the full-size dropped host and Synaptics.exe images, which also match the rule. The matched Office, Adobe Reader and VSTO executables are programs that were infected during the run, not part of the original sample.
Neshta
Neshta is a file infector. It prepends its own body to .exe files it finds on the system, so launching any infected program runs the Neshta stub first; the stub writes the original program back to disk (in this run under \Users\Admin\AppData\Local\Temp\3582-490\) and executes it, then continues infecting other executables. It persists by hijacking the exefile handler so that every .exe started through the shell is launched by its dropped C:\Windows\svchost.com (see "Modifies system executable filetype association" below); C:\Windows\directx.sys is a data file the stub rewrites on each run. This report is consistent with that sequence: the submitted file runs as PID 1868 with the small stub image (0x400000-0x41B000), drops the host and runs it as PID 2976 with the full image (0x400000-0x6A3000). The host is itself carrying a second prepending infector, which carves its payload out to a ._cache_<name> file next to itself, installs C:\ProgramData\Synaptics\Synaptics.exe and adds the "Synaptics Pointing Device Driver" Run value. Because each carved-out program is again infected, the two infectors keep re-launching each other, which is why the process list below cycles through the same five images until the run times out.
-
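Both infectors in this report are prependers: the file on disk is the infector's own image followed by the original program, and the stub carves the original back out at run time (Neshta into Temp\3582-490\, the second component into ._cache_<name>). The Python below is an added example, not code from the sandbox or from either malware family, showing how an analyst can do the same carving statically: parse the first PE header, compute where its last section's raw data ends (the start of its overlay), and take the first well-formed MZ/PE header at or after that point as the host. build_toy_pe, STUB, HOST and INFECTED are constructed stand-ins so the block runs offline; the toy PE is not executable.

```python
import struct

PE32_OPTIONAL_HEADER_SIZE = 224  # PE32 (Magic 0x10B); used only by the constructed sample builder


def pe_image_end(data: bytes, base: int = 0):
    """Return the file offset just past the last section's raw data of the PE
    whose DOS header starts at `base`, or None if no well-formed PE is there."""
    try:
        if data[base:base + 2] != b"MZ":
            return None
        e_lfanew = struct.unpack_from("<I", data, base + 0x3C)[0]
        pe = base + e_lfanew
        if data[pe:pe + 4] != b"PE\0\0":
            return None
        num_sections = struct.unpack_from("<H", data, pe + 6)[0]
        opt_size = struct.unpack_from("<H", data, pe + 20)[0]
        sect_table = pe + 24 + opt_size
        end = sect_table + num_sections * 40                 # at least the headers themselves
        for i in range(num_sections):
            # SizeOfRawData and PointerToRawData sit at +16 of each 40-byte section header
            raw_size, raw_ptr = struct.unpack_from("<II", data, sect_table + i * 40 + 16)
            end = max(end, base + raw_ptr + raw_size)
        return end if end <= len(data) else None
    except struct.error:                                      # header points outside the buffer
        return None


def find_embedded_pes(data: bytes):
    """Every offset at which a well-formed PE header starts, paired with where its sections end."""
    found, pos = [], 0
    while (pos := data.find(b"MZ", pos)) >= 0:
        end = pe_image_end(data, pos)
        if end is not None:
            found.append((pos, end))
        pos += 1
    return found


def carve_host(data: bytes):
    """For a prepending infector: the first PE is the stub; the first PE that starts
    in the stub's overlay (at or after its last section) is the original host."""
    pes = find_embedded_pes(data)
    if not pes:
        return None
    stub_end = pes[0][1]
    for off, _ in pes[1:]:
        if off >= stub_end:
            return data[off:]
    return None


def build_toy_pe(section_bytes: bytes, file_align: int = 0x200) -> bytes:
    """Constructed sample: a minimal one-section PE32 that is NOT executable,
    present only so the carver can be exercised without a real infected file."""
    raw_size = -(-len(section_bytes) // file_align) * file_align
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                      # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, PE32_OPTIONAL_HEADER_SIZE, 0x102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (PE32_OPTIONAL_HEADER_SIZE - 2)
    sect = struct.pack("<8sIIIIIIHHI", b".text", raw_size, 0x1000,
                       raw_size, file_align, 0, 0, 0, 0, 0x60000020)
    headers = dos + b"PE\0\0" + coff + opt + sect
    headers += b"\0" * (file_align - len(headers))
    return headers + section_bytes.ljust(raw_size, b"\0")


# Constructed infected file: infector image followed by the original program image.
STUB = build_toy_pe(b"\xCC" * 400)          # stand-in for the infector's body
HOST = build_toy_pe(b"original program")    # stand-in for the program that was infected
INFECTED = STUB + HOST

if __name__ == "__main__":
    print(find_embedded_pes(INFECTED))      # [(0, 1024), (1024, 2048)]
    print(carve_host(INFECTED) == HOST)     # True
```

On a real sample, hash the bytes carve_host returns and compare them with the file the stub wrote to Temp\3582-490\ (or the ._cache_ file): a match confirms the carve and gives you the clean host without running the infector. Because the rule here is purely structural (second PE in the first PE's overlay), it also fires on legitimate self-extracting installers, so it is a triage aid, not a family detection; the sandbox's family_neshta YARA match is what attributes the stub.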
Executes dropped EXE 64 IoCs
Processes (pid, image), in the order the sandbox recorded them:
  2976  30b988ea4d19e7657f3c01fd7569040cf925b207c467fed8e1cfbe1f28b5a5a8.exe
  2848  ._cache_30b988ea4d19e7657f3c01fd7569040cf925b207c467fed8e1cfbe1f28b5a5a8.exe
  2540  svchost.com
  2504  Synaptics.exe
  2384  _CACHE~1.EXE
  2560  ._cache__CACHE~1.EXE
  1896  ._cache_Synaptics.exe
  1564  svchost.com
  1656  _CACHE~1.EXE
  2212  ._cache__CACHE~1.EXE
  1992  Synaptics.exe
  824   ._cache_Synaptics.exe
  2460  svchost.com
  2184  _CACHE~1.EXE
  1264  ._cache__CACHE~1.EXE
  956   Synaptics.exe
  3048  ._cache_Synaptics.exe
  2132  svchost.com
  1512  _CACHE~1.EXE
  2912  ._cache__CACHE~1.EXE
  2644  Synaptics.exe
  2604  ._cache_Synaptics.exe
  2784  svchost.com
  2580  _CACHE~1.EXE
  1560  ._cache__CACHE~1.EXE
  1548  Synaptics.exe
  1772  ._cache_Synaptics.exe
  832   svchost.com
  1564  _CACHE~1.EXE
  2428  ._cache__CACHE~1.EXE
  1896  Synaptics.exe
  2432  ._cache_Synaptics.exe
  1296  svchost.com
  320   _CACHE~1.EXE
  2052  ._cache__CACHE~1.EXE
  1992  Synaptics.exe
  688   ._cache_Synaptics.exe
  1596  svchost.com
  2852  _CACHE~1.EXE
  1704  ._cache__CACHE~1.EXE
  2152  Synaptics.exe
  2712  ._cache_Synaptics.exe
  2088  svchost.com
  2324  _CACHE~1.EXE
  1712  ._cache__CACHE~1.EXE
  2468  Synaptics.exe
  2524  ._cache_Synaptics.exe
  2604  svchost.com
  2808  _CACHE~1.EXE
  1352  ._cache__CACHE~1.EXE
  2340  Synaptics.exe
  1416  ._cache_Synaptics.exe
  2024  svchost.com
  1008  _CACHE~1.EXE
  2248  ._cache__CACHE~1.EXE
  2364  Synaptics.exe
  2068  ._cache_Synaptics.exe
  1996  svchost.com
  3064  _CACHE~1.EXE
  2408  ._cache__CACHE~1.EXE
  2456  Synaptics.exe
  2356  ._cache_Synaptics.exe
  2852  svchost.com
  3048  _CACHE~1.EXE
After the first two entries (the Neshta-dropped host and the ._cache_ copy carved from it) the list cycles through the same five images: svchost.com, _CACHE~1.EXE, ._cache__CACHE~1.EXE, Synaptics.exe and ._cache_Synaptics.exe. Each carved-out program is itself infected and re-launches the chain. PIDs are reused within the run (1564, 1896, 1992, 2604, 2852 and 3048 each appear twice with different images), so a pid alone does not identify an image. Several signatures in this report stop at exactly 64 entries, and PIDs 2424, 2800, 1464, 1112 and 2272 from the memory hits above are missing here, so 64 is a display cap rather than the true event count.
Loads dropped DLL 64 IoCs
Processes (pid, image, number of load events), in order of first appearance:
  1868  30b988ea4d19e7657f3c01fd7569040cf925b207c467fed8e1cfbe1f28b5a5a8.exe  (6)
  2976  30b988ea4d19e7657f3c01fd7569040cf925b207c467fed8e1cfbe1f28b5a5a8.exe  (5)
  2540  svchost.com  (2)
  2384  _CACHE~1.EXE  (2)
  2504  Synaptics.exe  (3)
  2848  ._cache_30b988ea4d19e7657f3c01fd7569040cf925b207c467fed8e1cfbe1f28b5a5a8.exe  (3)
  1564  svchost.com  (2)
  1656  _CACHE~1.EXE  (4)
  1992  Synaptics.exe  (4)
  2460  svchost.com  (2)
  2184  _CACHE~1.EXE  (4)
  956   Synaptics.exe  (4)
  2132  svchost.com  (2)
  1512  _CACHE~1.EXE  (5)
  2644  Synaptics.exe  (4)
  2784  svchost.com  (2)
  2580  _CACHE~1.EXE  (5)
  1548  Synaptics.exe  (4)
  832   svchost.com  (1)
Modifies system executable filetype association 2 TTPs 1 IoCs
Processes: 30b988ea4d19e7657f3c01fd7569040cf925b207c467fed8e1cfbe1f28b5a5a8.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"   (by 30b988ea4d19e7657f3c01fd7569040cf925b207c467fed8e1cfbe1f28b5a5a8.exe)
The stock value of this key is "%1" %*. With the change, every .exe opened through the shell is started by the dropped C:\Windows\svchost.com with the real program as its argument, so the infector runs before (and can infect) whatever the user launches. This is the key cleanup pitfall for Neshta: deleting C:\Windows\svchost.com without first restoring this value leaves a system on which no executable can be started from Explorer.
Reads user/profile data of web browsers 2 TTPs
Infostealers commonly target stored browser data such as saved credentials. No file or registry IoC is listed under this signature, so the report does not say which process triggered it.
-
Adds Run key to start application 2 TTPs 48 IoCs
Processes: _CACHE~1.EXE (47 events), 30b988ea4d19e7657f3c01fd7569040cf925b207c467fed8e1cfbe1f28b5a5a8.exe (1 event)
All 48 events write the same value:
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"
The value name imitates the legitimate Synaptics touchpad driver; the image path under C:\ProgramData, a directory any user can write to, is the giveaway. Wow6432Node is the redirected view a 32-bit process gets when it writes HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run on a 64-bit host, so a 64-bit inspection has to check both the native and the Wow6432Node Run keys.
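The two registry writes above (the exefile handler hijack and the Synaptics Run value) are the fastest way to confirm this infection on a host, and both can be audited from a regedit export without touching the live registry. The Python below is an added example, not part of the sandbox report or of any tool it mentions: it parses a .reg export, compares the exefile command with the stock "%1" %*, and flags Run entries whose image lives outside C:\Windows and Program Files. SAMPLE_REG_EXPORT is a constructed excerpt that reproduces the two values from this report plus one benign entry; EXPECTED_RUN_PREFIXES is a triage heuristic of mine, not a Windows rule.

```python
import re
from typing import Dict, List

# Constructed .reg excerpt (regedit export syntax: backslashes and quotes are escaped)
# reproducing the two registry writes this report records, plus one benign Run entry.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command]
@="C:\\Windows\\svchost.com \"%1\" %*"

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Synaptics Pointing Device Driver"="C:\\ProgramData\\Synaptics\\Synaptics.exe"
"SomeVendorTool"="C:\\Program Files\\Vendor\\tool.exe"
'''

CLEAN_EXEFILE_COMMAND = '"%1" %*'   # stock Windows default for exefile\shell\open\command
EXEFILE_COMMAND_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command"
RUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
)
# Heuristic (assumption): auto-start images under these prefixes are expected; anything else is reviewed.
EXPECTED_RUN_PREFIXES = ("c:\\windows\\", "c:\\program files")

# Matches  @="value"  or  "name"="value"  (REG_SZ lines only; dword/hex lines are ignored)
_VALUE_RE = re.compile(r'^(?:(@)|"((?:[^"\\]|\\.)*)")="((?:[^"\\]|\\.)*)"$')


def _unescape(s: str) -> str:
    """Undo regedit escaping: \\ -> \ and \" -> " in one pass."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal regedit-export parser: {key: {value_name: string_value}}."""
    entries: Dict[str, Dict[str, str]] = {}
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            entries.setdefault(key, {})
            continue
        m = _VALUE_RE.match(line)
        if key is None or not m:
            continue
        name = "@" if m.group(1) else _unescape(m.group(2))
        entries[key][name] = _unescape(m.group(3))
    return entries


def audit(entries: Dict[str, Dict[str, str]]) -> List[str]:
    """Return human-readable findings; an empty list means nothing suspicious was seen."""
    findings = []
    command = entries.get(EXEFILE_COMMAND_KEY, {}).get("@")
    if command is not None and command != CLEAN_EXEFILE_COMMAND:
        findings.append(f"exefile handler hijacked: {command}")
    for key in RUN_KEYS:
        for name, image in entries.get(key, {}).items():
            if not image.lower().startswith(EXPECTED_RUN_PREFIXES):
                findings.append(f"Run entry outside Windows/Program Files: {name} = {image}")
    return findings


def audit_text(text: str) -> List[str]:
    return audit(parse_reg_export(text))


if __name__ == "__main__":
    for finding in audit_text(SAMPLE_REG_EXPORT):
        print(finding)
```

To produce the input on a suspect machine, run reg export HKLM\SOFTWARE\Classes\exefile\shell\open\command exefile.reg (and the same for each Run key); reg export writes UTF-16LE, so open the file with encoding="utf-16" before passing its text to audit_text. Restore the exefile value to "%1" %* before removing C:\Windows\svchost.com, for the reason given under the filetype-association signature above.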
Drops file in Program Files directory 64 IoCs
Processes: 30b988ea4d19e7657f3c01fd7569040cf925b207c467fed8e1cfbe1f28b5a5a8.exe, ._cache_30b988ea4d19e7657f3c01fd7569040cf925b207c467fed8e1cfbe1f28b5a5a8.exe
All 64 events are "File opened for modification" (the infector opening a host executable for writing).
By 30b988ea4d19e7657f3c01fd7569040cf925b207c467fed8e1cfbe1f28b5a5a8.exe (30):
  C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE
  C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE
  C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE
  C:\PROGRA~2\WI54FB~1\setup_wm.exe
  C:\PROGRA~2\COMMON~1\MICROS~1\EQUATION\EQNEDT32.EXE
  C:\PROGRA~2\Google\Update\1336~1.151\GOF5E2~1.EXE
  C:\PROGRA~2\WI54FB~1\wmpconfig.exe
  C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE
  C:\PROGRA~2\Google\Update\DISABL~1.EXE
  C:\PROGRA~2\MOZILL~1\UNINST~1.EXE
  C:\PROGRA~2\WI54FB~1\wmlaunch.exe
  C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE
  C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\ODeploy.exe
  C:\PROGRA~2\COMMON~1\MICROS~1\TextConv\WksConv\Wkconv.exe
  C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE
  C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~1.EXE
  C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE
  C:\PROGRA~2\MICROS~1\Office14\IECONT~1.EXE
  C:\PROGRA~2\MICROS~1\Office14\WINWORD.EXE
  C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe
  C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\Setup.exe
  C:\PROGRA~3\SYNAPT~1\SYNAPT~1.EXE
  C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE
  C:\PROGRA~2\MICROS~1\Office14\CLVIEW.EXE
  C:\PROGRA~2\MICROS~1\Office14\POWERPNT.EXE
  C:\PROGRA~2\MICROS~1\Office14\WORDICON.EXE
  C:\PROGRA~2\WINDOW~1\wabmig.exe
  C:\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE
  C:\PROGRA~2\MICROS~1\Office14\CNFNOT32.EXE
  C:\PROGRA~2\INTERN~1\iexplore.exe
By ._cache_30b988ea4d19e7657f3c01fd7569040cf925b207c467fed8e1cfbe1f28b5a5a8.exe (34):
  C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE
  C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~2.EXE
  C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE
  C:\PROGRA~2\INTERN~1\ieinstal.exe
  C:\PROGRA~2\MICROS~1\Office14\GRAPH.EXE
  C:\PROGRA~2\WI54FB~1\wmprph.exe
  C:\PROGRA~2\WI54FB~1\WMPDMC.exe
  C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\Oarpmany.exe
  C:\PROGRA~2\MICROS~1\Office14\MSOHTMED.EXE
  C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXE
  C:\PROGRA~2\MICROS~1\Office14\PPTICO.EXE
  C:\PROGRA~2\Google\Update\DISABL~1.EXE
  C:\PROGRA~2\MICROS~1\Office14\CLVIEW.EXE
  C:\PROGRA~2\MICROS~1\Office14\MSTORDB.EXE
  C:\PROGRA~2\COMMON~1\MICROS~1\SOURCE~1\OSE.EXE
  C:\PROGRA~2\COMMON~1\MICROS~1\TextConv\WksConv\Wkconv.exe
  C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE
  C:\PROGRA~2\MICROS~1\Office14\WINWORD.EXE
  C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE
  C:\PROGRA~2\Google\Update\1336~1.151\GOF5E2~1.EXE
  C:\PROGRA~2\WINDOW~4\ImagingDevices.exe
  C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE
  C:\PROGRA~2\WINDOW~1\wabmig.exe
  C:\PROGRA~2\WI54FB~1\wmpconfig.exe
  C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe
  C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE
  C:\PROGRA~2\MICROS~1\Office14\OIS.EXE
  C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE
  C:\PROGRA~2\INTERN~1\iexplore.exe
  C:\PROGRA~2\Adobe\READER~1.0\Resource\Icons\SC_REA~1.EXE
  C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE
  C:\PROGRA~2\MICROS~1\Office14\XLICONS.EXE
  C:\PROGRA~2\COMMON~1\MICROS~1\EQUATION\EQNEDT32.EXE
  C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE
Several paths appear under both processes (for example WINWORD.EXE, CLVIEW.EXE, MSOUC.EXE, iexplore.exe, Wkconv.exe), consistent with the two infectors each sweeping the same Program Files tree.
Drops file in Windows directory 64 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 1 IoCs
Process: 30b988ea4d19e7657f3c01fd7569040cf925b207c467fed8e1cfbe1f28b5a5a8.exe
Description: Set value (str)
IoC: \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 38 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Processes
-
C:\Users\Admin\AppData\Local\Temp\30b988ea4d19e7657f3c01fd7569040cf925b207c467fed8e1cfbe1f28b5a5a8.exe  [depth 1]  cmdline: "C:\Users\Admin\AppData\Local\Temp\30b988ea4d19e7657f3c01fd7569040cf925b207c467fed8e1cfbe1f28b5a5a8.exe"
- Loads dropped DLL
- Modifies system executable filetype association
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\3582-490\30b988ea4d19e7657f3c01fd7569040cf925b207c467fed8e1cfbe1f28b5a5a8.exe  [depth 2]  cmdline: "C:\Users\Admin\AppData\Local\Temp\3582-490\30b988ea4d19e7657f3c01fd7569040cf925b207c467fed8e1cfbe1f28b5a5a8.exe"
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\._cache_30b988ea4d19e7657f3c01fd7569040cf925b207c467fed8e1cfbe1f28b5a5a8.exe  [depth 3]  cmdline: "C:\Users\Admin\AppData\Local\Temp\._cache_30b988ea4d19e7657f3c01fd7569040cf925b207c467fed8e1cfbe1f28b5a5a8.exe"
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\svchost.com  [depth 4]  cmdline: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE  [depth 5]  cmdline: C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE  [depth 6]  cmdline: "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe  [depth 7]  cmdline: dw20.exe -x -s 648
- Suspicious behavior: GetForegroundWindowSpam
-
C:\ProgramData\Synaptics\Synaptics.exe  [depth 3]  cmdline: "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe  [depth 4]  cmdline: "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\svchost.com  [depth 5]  cmdline: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE" InjUpdate
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE  [depth 6]  cmdline: C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE InjUpdate
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE  [depth 7]  cmdline: "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE" InjUpdate
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe  [depth 8]  cmdline: dw20.exe -x -s 696
- Suspicious behavior: GetForegroundWindowSpam
-
C:\ProgramData\Synaptics\Synaptics.exe  [depth 7]  cmdline: "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe  [depth 8]  cmdline: "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\svchost.com  [depth 9]  cmdline: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE" InjUpdate
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE  [depth 10]  cmdline: C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE InjUpdate
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE  [depth 11]  cmdline: "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE" InjUpdate
- Executes dropped EXE
-
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe  [depth 12]  cmdline: dw20.exe -x -s 652
- Suspicious behavior: GetForegroundWindowSpam
-
C:\ProgramData\Synaptics\Synaptics.exe  [depth 11]  cmdline: "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe  [depth 12]  cmdline: "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
- Executes dropped EXE
-
C:\Windows\svchost.com  [depth 13]  cmdline: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE" InjUpdate
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE  [depth 14]  cmdline: C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE InjUpdate
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE  [depth 15]  cmdline: "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE" InjUpdate
- Executes dropped EXE
-
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe  [depth 16]  cmdline: dw20.exe -x -s 648
- Suspicious behavior: GetForegroundWindowSpam
-
C:\ProgramData\Synaptics\Synaptics.exe  [depth 15]  cmdline: "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe  [depth 16]  cmdline: "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
- Executes dropped EXE
- Drops file in Windows directory
-
C:\Windows\svchost.com  [depth 17]  cmdline: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE" InjUpdate
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE  [depth 18]  cmdline: C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE InjUpdate
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE  [depth 19]  cmdline: "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE" InjUpdate
- Executes dropped EXE
-
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe  [depth 20]  cmdline: dw20.exe -x -s 648
- Suspicious behavior: GetForegroundWindowSpam
-
C:\ProgramData\Synaptics\Synaptics.exe  [depth 19]  cmdline: "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe  [depth 20]  cmdline: "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
- Executes dropped EXE
- Drops file in Windows directory
-
C:\Windows\svchost.com  [depth 21]  cmdline: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE" InjUpdate
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
-
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE  [depth 22]  cmdline: C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE InjUpdate
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE  [depth 23]  cmdline: "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE" InjUpdate
- Executes dropped EXE
-
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe  [depth 24]  cmdline: dw20.exe -x -s 644
- Suspicious behavior: GetForegroundWindowSpam
-
C:\ProgramData\Synaptics\Synaptics.exe  [depth 23]  cmdline: "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe  [depth 24]  cmdline: "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
- Executes dropped EXE
- Drops file in Windows directory
-
C:\Windows\svchost.com  [depth 25]  cmdline: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE" InjUpdate
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE  [depth 26]  cmdline: C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE InjUpdate
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE  [depth 27]  cmdline: "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE" InjUpdate
- Executes dropped EXE
-
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe  [depth 28]  cmdline: dw20.exe -x -s 648
- Suspicious behavior: GetForegroundWindowSpam
-
C:\ProgramData\Synaptics\Synaptics.exe  [depth 27]  cmdline: "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe  [depth 28]  cmdline: "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
- Executes dropped EXE
-
C:\Windows\svchost.com  [depth 29]  cmdline: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE" InjUpdate
- Executes dropped EXE
- Drops file in Windows directory
-
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE  [depth 30]  cmdline: C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE InjUpdate
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE  [depth 31]  cmdline: "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE" InjUpdate
- Executes dropped EXE
-
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe  [depth 32]  cmdline: dw20.exe -x -s 648
- Suspicious behavior: GetForegroundWindowSpam
-
C:\ProgramData\Synaptics\Synaptics.exe  [depth 31]  cmdline: "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe  [depth 32]  cmdline: "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
- Executes dropped EXE
- Drops file in Windows directory
-
C:\Windows\svchost.com  [depth 33]  cmdline: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE" InjUpdate
- Executes dropped EXE
- Drops file in Windows directory
-
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE  [depth 34]  cmdline: C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE InjUpdate
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE  [depth 35]  cmdline: "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE" InjUpdate
- Executes dropped EXE
-
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe  [depth 36]  cmdline: dw20.exe -x -s 652
- Suspicious behavior: GetForegroundWindowSpam
-
C:\ProgramData\Synaptics\Synaptics.exe  [depth 35]  cmdline: "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe  [depth 36]  cmdline: "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
- Executes dropped EXE
-
C:\Windows\svchost.com  [depth 37]  cmdline: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE" InjUpdate
- Executes dropped EXE
- Drops file in Windows directory
-
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE  [depth 38]  cmdline: C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE InjUpdate
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE  [depth 39]  cmdline: "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE" InjUpdate
- Executes dropped EXE
-
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe  [depth 40]  cmdline: dw20.exe -x -s 644
-
C:\ProgramData\Synaptics\Synaptics.exe  [depth 39]  cmdline: "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe  [depth 40]  cmdline: "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
- Executes dropped EXE
-
C:\Windows\svchost.com  [depth 41]  cmdline: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE" InjUpdate
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE  [depth 42]  cmdline: C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE InjUpdate
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE  [depth 43]  cmdline: "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE" InjUpdate
- Executes dropped EXE
-
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe  [depth 44]  cmdline: dw20.exe -x -s 648
- Suspicious behavior: GetForegroundWindowSpam
-
C:\ProgramData\Synaptics\Synaptics.exe  [depth 43]  cmdline: "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe  [depth 44]  cmdline: "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
- Executes dropped EXE
-
C:\Windows\svchost.com  [depth 45]  cmdline: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE" InjUpdate
- Executes dropped EXE
- Drops file in Windows directory
-
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE  [depth 46]  cmdline: C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE InjUpdate
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE  [depth 47]  cmdline: "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE" InjUpdate
- Executes dropped EXE
-
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe  [depth 48]  cmdline: dw20.exe -x -s 648
-
C:\ProgramData\Synaptics\Synaptics.exe  [depth 47]  cmdline: "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe  [depth 48]  cmdline: "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
- Executes dropped EXE
-
C:\Windows\svchost.com  [depth 49]  cmdline: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE" InjUpdate
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE  [depth 50]  cmdline: C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE InjUpdate
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE  [depth 51]  cmdline: "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE" InjUpdate
-
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe  [depth 52]  cmdline: dw20.exe -x -s 648
- Suspicious behavior: GetForegroundWindowSpam
-
C:\ProgramData\Synaptics\Synaptics.exe  [depth 51]  cmdline: "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
-
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe  [depth 52]  cmdline: "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
- Drops file in Windows directory
-
C:\Windows\svchost.com  [depth 53]  cmdline: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE" InjUpdate
- Drops file in Windows directory
-
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE  [depth 54]  cmdline: C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE InjUpdate
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE  [depth 55]  cmdline: "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE" InjUpdate
-
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe  [depth 56]  cmdline: dw20.exe -x -s 648
- Suspicious behavior: GetForegroundWindowSpam
-
C:\ProgramData\Synaptics\Synaptics.exe  [depth 55]  cmdline: "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
-
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe  [depth 56]  cmdline: "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
-
C:\Windows\svchost.com  [depth 57]  cmdline: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE" InjUpdate
- Drops file in Windows directory
-
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE  [depth 58]  cmdline: C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE InjUpdate
- Adds Run key to start application
-
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE  [depth 59]  cmdline: "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE" InjUpdate
-
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe  [depth 60]  cmdline: dw20.exe -x -s 652
- Suspicious behavior: GetForegroundWindowSpam
-
C:\ProgramData\Synaptics\Synaptics.exe  [depth 59]  cmdline: "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
-
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe  [depth 60]  cmdline: "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
-
C:\Windows\svchost.com  [depth 61]  cmdline: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE" InjUpdate
-
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE  [depth 62]  cmdline: C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE InjUpdate
- Adds Run key to start application
-
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE  [depth 63]  cmdline: "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE" InjUpdate
-
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exedw20.exe -x -s 65264⤵
- Suspicious behavior: GetForegroundWindowSpam
-
C:\ProgramData\Synaptics\Synaptics.exe"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate63⤵
-
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate64⤵
- Drops file in Windows directory
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE" InjUpdate65⤵
- Drops file in Windows directory
-
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE InjUpdate66⤵
- Adds Run key to start application
-
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE" InjUpdate67⤵
-
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exedw20.exe -x -s 65268⤵
-
C:\ProgramData\Synaptics\Synaptics.exe"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate67⤵
-
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate68⤵
- Drops file in Windows directory
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE" InjUpdate69⤵
-
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE InjUpdate70⤵
- Adds Run key to start application
-
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE" InjUpdate71⤵
-
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exedw20.exe -x -s 64472⤵
- Suspicious behavior: GetForegroundWindowSpam
-
C:\ProgramData\Synaptics\Synaptics.exe"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate71⤵
-
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate72⤵
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE" InjUpdate73⤵
- Drops file in Windows directory
-
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE InjUpdate74⤵
- Adds Run key to start application
-
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE" InjUpdate75⤵
-
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exedw20.exe -x -s 65276⤵
- Suspicious behavior: GetForegroundWindowSpam
-
C:\ProgramData\Synaptics\Synaptics.exe"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate75⤵
-
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate76⤵
- Drops file in Windows directory
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE" InjUpdate77⤵
- Drops file in Windows directory
-
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE InjUpdate78⤵
- Adds Run key to start application
-
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE" InjUpdate79⤵
-
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exedw20.exe -x -s 65280⤵
- Suspicious behavior: GetForegroundWindowSpam
-
C:\ProgramData\Synaptics\Synaptics.exe"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate79⤵
-
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate80⤵
- Drops file in Windows directory
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE" InjUpdate81⤵
-
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE InjUpdate82⤵
- Adds Run key to start application
-
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE" InjUpdate83⤵
-
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exedw20.exe -x -s 64884⤵
- Suspicious behavior: GetForegroundWindowSpam
-
C:\ProgramData\Synaptics\Synaptics.exe"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate83⤵
-
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate84⤵
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE" InjUpdate85⤵
- Drops file in Windows directory
-
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE InjUpdate86⤵
- Adds Run key to start application
-
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE" InjUpdate87⤵
-
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exedw20.exe -x -s 65288⤵
- Suspicious behavior: GetForegroundWindowSpam
-
C:\ProgramData\Synaptics\Synaptics.exe"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate87⤵
-
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate88⤵
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE" InjUpdate89⤵
- Drops file in Windows directory
-
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE InjUpdate90⤵
- Adds Run key to start application
-
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE" InjUpdate91⤵
-
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exedw20.exe -x -s 65292⤵
- Suspicious behavior: GetForegroundWindowSpam
-
C:\ProgramData\Synaptics\Synaptics.exe"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate91⤵
-
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate92⤵
- Drops file in Windows directory
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE" InjUpdate93⤵
- Drops file in Windows directory
-
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE InjUpdate94⤵
- Adds Run key to start application
-
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE" InjUpdate95⤵
-
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exedw20.exe -x -s 65296⤵
- Suspicious behavior: GetForegroundWindowSpam
-
C:\ProgramData\Synaptics\Synaptics.exe"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate95⤵
-
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate96⤵
- Drops file in Windows directory
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE" InjUpdate97⤵
- Drops file in Windows directory
-
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE InjUpdate98⤵
- Adds Run key to start application
-
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE" InjUpdate99⤵
-
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exedw20.exe -x -s 652100⤵
- Suspicious behavior: GetForegroundWindowSpam
-
C:\ProgramData\Synaptics\Synaptics.exe"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate99⤵
-
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate100⤵
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE" InjUpdate101⤵
- Drops file in Windows directory
-
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE InjUpdate102⤵
- Adds Run key to start application
-
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE" InjUpdate103⤵
-
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exedw20.exe -x -s 652104⤵
-
C:\ProgramData\Synaptics\Synaptics.exe"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate103⤵
-
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate104⤵
- Drops file in Windows directory
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE" InjUpdate105⤵
-
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE InjUpdate106⤵
- Adds Run key to start application
-
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE" InjUpdate107⤵
-
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exedw20.exe -x -s 652108⤵
- Suspicious behavior: GetForegroundWindowSpam
-
C:\ProgramData\Synaptics\Synaptics.exe"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate107⤵
-
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate108⤵
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE" InjUpdate109⤵
- Drops file in Windows directory
-
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE InjUpdate110⤵
- Adds Run key to start application
-
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE" InjUpdate111⤵
-
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exedw20.exe -x -s 648112⤵
- Suspicious behavior: GetForegroundWindowSpam
-
C:\ProgramData\Synaptics\Synaptics.exe"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate111⤵
-
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate112⤵
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE" InjUpdate113⤵
- Drops file in Windows directory
-
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE InjUpdate114⤵
- Adds Run key to start application
-
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE" InjUpdate115⤵
-
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exedw20.exe -x -s 652116⤵
- Suspicious behavior: GetForegroundWindowSpam
-
C:\ProgramData\Synaptics\Synaptics.exe"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate115⤵
-
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate116⤵
- Drops file in Windows directory
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE" InjUpdate117⤵
-
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE InjUpdate118⤵
- Adds Run key to start application
-
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE" InjUpdate119⤵
-
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exedw20.exe -x -s 652120⤵
- Suspicious behavior: GetForegroundWindowSpam
-
C:\ProgramData\Synaptics\Synaptics.exe"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate119⤵
-
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate120⤵
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE" InjUpdate121⤵
- Drops file in Windows directory
-
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE InjUpdate122⤵
- Adds Run key to start application
-
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE" InjUpdate123⤵
-
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exedw20.exe -x -s 652124⤵
- Suspicious behavior: GetForegroundWindowSpam
-
C:\ProgramData\Synaptics\Synaptics.exe"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate123⤵
-
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate124⤵
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE" InjUpdate125⤵
-
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE InjUpdate126⤵
- Adds Run key to start application
-
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE" InjUpdate127⤵
-
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exedw20.exe -x -s 652128⤵
- Suspicious behavior: GetForegroundWindowSpam
-
C:\ProgramData\Synaptics\Synaptics.exe"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate127⤵
-
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate128⤵
- Drops file in Windows directory
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE" InjUpdate129⤵
-
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE InjUpdate130⤵
- Adds Run key to start application
-
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE" InjUpdate131⤵
-
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exedw20.exe -x -s 648132⤵
- Suspicious behavior: GetForegroundWindowSpam
-
C:\ProgramData\Synaptics\Synaptics.exe"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate131⤵
-
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate132⤵
- Drops file in Windows directory
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE" InjUpdate133⤵
- Drops file in Windows directory
-
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE InjUpdate134⤵
- Adds Run key to start application
-
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE" InjUpdate135⤵
-
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exedw20.exe -x -s 644136⤵
-
C:\ProgramData\Synaptics\Synaptics.exe"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate135⤵
-
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate136⤵
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE" InjUpdate137⤵
- Drops file in Windows directory
-
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE InjUpdate138⤵
- Adds Run key to start application
-
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE" InjUpdate139⤵
-
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exedw20.exe -x -s 648140⤵
- Suspicious behavior: GetForegroundWindowSpam
-
C:\ProgramData\Synaptics\Synaptics.exe"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate139⤵
-
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate140⤵
- Drops file in Windows directory
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE" InjUpdate141⤵
- Drops file in Windows directory
-
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE InjUpdate142⤵
- Adds Run key to start application
-
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE" InjUpdate143⤵
-
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exedw20.exe -x -s 648144⤵
- Suspicious behavior: GetForegroundWindowSpam
-
C:\ProgramData\Synaptics\Synaptics.exe"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate143⤵
-
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate144⤵
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE" InjUpdate145⤵
-
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE InjUpdate146⤵
- Adds Run key to start application
-
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE" InjUpdate147⤵
-
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exedw20.exe -x -s 652148⤵
- Suspicious behavior: GetForegroundWindowSpam
-
C:\ProgramData\Synaptics\Synaptics.exe"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate147⤵
-
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate148⤵
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE" InjUpdate149⤵
-
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE InjUpdate150⤵
- Adds Run key to start application
-
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE" InjUpdate151⤵
-
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exedw20.exe -x -s 648152⤵
- Suspicious behavior: GetForegroundWindowSpam
-
C:\ProgramData\Synaptics\Synaptics.exe"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate151⤵
-
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate152⤵
- Drops file in Windows directory
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE" InjUpdate153⤵
- Drops file in Windows directory
-
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE InjUpdate154⤵
- Adds Run key to start application
-
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE" InjUpdate155⤵
-
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exedw20.exe -x -s 652156⤵
- Suspicious behavior: GetForegroundWindowSpam
-
C:\ProgramData\Synaptics\Synaptics.exe"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate155⤵
-
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate156⤵
- Drops file in Windows directory
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE" InjUpdate157⤵
-
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE InjUpdate158⤵
- Adds Run key to start application
-
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE" InjUpdate159⤵
-
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exedw20.exe -x -s 652160⤵
-
C:\ProgramData\Synaptics\Synaptics.exe"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate159⤵
-
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate160⤵
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE" InjUpdate161⤵
- Drops file in Windows directory
-
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE InjUpdate162⤵
- Adds Run key to start application
-
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE" InjUpdate163⤵
-
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exedw20.exe -x -s 652164⤵
- Suspicious behavior: GetForegroundWindowSpam
-
C:\ProgramData\Synaptics\Synaptics.exe"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate163⤵
-
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate164⤵
- Drops file in Windows directory
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE" InjUpdate165⤵
- Drops file in Windows directory
-
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE InjUpdate166⤵
- Adds Run key to start application
-
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE" InjUpdate167⤵
-
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exedw20.exe -x -s 652168⤵
- Suspicious behavior: GetForegroundWindowSpam
-
C:\ProgramData\Synaptics\Synaptics.exe"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate167⤵
-
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate168⤵
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE" InjUpdate169⤵
- Drops file in Windows directory
-
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE InjUpdate170⤵
- Adds Run key to start application
-
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE" InjUpdate171⤵
-
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exedw20.exe -x -s 648172⤵
- Suspicious behavior: GetForegroundWindowSpam
-
C:\ProgramData\Synaptics\Synaptics.exe"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate171⤵
-
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate172⤵
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE" InjUpdate173⤵
- Drops file in Windows directory
-
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE InjUpdate174⤵
- Adds Run key to start application
-
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE" InjUpdate175⤵
-
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exedw20.exe -x -s 652176⤵
- Suspicious behavior: GetForegroundWindowSpam
-
C:\ProgramData\Synaptics\Synaptics.exe"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate175⤵
-
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate176⤵
- Drops file in Windows directory
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE" InjUpdate177⤵
- Drops file in Windows directory
-
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE InjUpdate178⤵
- Adds Run key to start application
-
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE" InjUpdate179⤵
-
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exedw20.exe -x -s 648180⤵
-
C:\ProgramData\Synaptics\Synaptics.exe"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate179⤵
-
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate180⤵
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE" InjUpdate181⤵
-
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE InjUpdate182⤵
- Adds Run key to start application
-
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE" InjUpdate183⤵
-
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exedw20.exe -x -s 652184⤵
-
C:\ProgramData\Synaptics\Synaptics.exe"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate183⤵
-
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate184⤵
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE" InjUpdate185⤵
-
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE InjUpdate186⤵
- Adds Run key to start application
-
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE" InjUpdate187⤵
-
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exedw20.exe -x -s 652188⤵
-
C:\ProgramData\Synaptics\Synaptics.exe"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate187⤵
-
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate188⤵
- Drops file in Windows directory
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE" InjUpdate189⤵
- Drops file in Windows directory
-
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE InjUpdate190⤵
- Adds Run key to start application
-
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE" InjUpdate191⤵
-
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exedw20.exe -x -s 652192⤵
-
C:\ProgramData\Synaptics\Synaptics.exe"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate191⤵
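The tree above is one loop repeated until the analysis timed out: Neshta's stub at C:\Windows\svchost.com runs the host it restored to %TEMP%\3582-490\ (the `_CACHE~1.EXE` launched with the `InjUpdate` argument), that host drops its cached copy, installs C:\ProgramData\Synaptics\Synaptics.exe plus a Run key, and the copy it launches is itself Neshta-infected, so svchost.com runs again two depth levels further down. The dw20.exe child (`dw20.exe -x -s <handle>`, the .NET error-reporting shim) appears each time `._cache__CACHE~1.EXE` faults and is not a malicious process on its own. The following is an added detection example, not part of the report: a small rule set run over constructed endpoint events modelled on this tree. Everything in `EVENTS` is constructed; the `exefile\shell\open\command` write is modelled on the file-association hijack commonly reported for Neshta (the report above records only the technique name), and the rule names are the author's.

```python
"""Detection pass over constructed endpoint telemetry for the Neshta + Synaptics chain."""
from collections import Counter

NESHTA_STUB = r"c:\windows\svchost.com"      # Neshta's dropped stub; note .com, not the real svchost.exe
NESHTA_RESTORE_DIR = "\\3582-490\\"          # where the stub writes the cleaned host before running it
SYNAPTICS_ARG = "injupdate"                  # argument every Synaptics-stage process in the tree carries

# Constructed events (not taken from the report): process creations modelled on the tree above,
# one registry write modelled on the exefile hijack reported for Neshta, and benign records.
EVENTS = [
    {"type": "process", "parent": r"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe",
     "image": r"C:\Windows\svchost.com",
     "cmdline": r'"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE" InjUpdate'},
    {"type": "process", "parent": r"C:\Windows\svchost.com",
     "image": r"C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE",
     "cmdline": r"C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE InjUpdate"},
    {"type": "process", "parent": r"C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE",
     "image": r"C:\ProgramData\Synaptics\Synaptics.exe",
     "cmdline": r'"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate'},
    {"type": "process", "parent": r"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE",
     "image": r"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe",
     "cmdline": "dw20.exe -x -s 648"},                            # error-reporting shim: no rule should fire
    {"type": "process", "parent": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"C:\Windows\System32\svchost.exe -k netsvcs"},  # the real service host: must not match
    {"type": "registry", "key": r"HKLM\SOFTWARE\Classes\exefile\shell\open\command",
     "value": r'C:\Windows\svchost.com "%1" %*'},                 # hijacked: every .exe launch goes via the stub
    {"type": "registry", "key": r"HKLM\SOFTWARE\Classes\exefile\shell\open\command",
     "value": '"%1" %*'},                                         # Windows default: must not match
]


def _last_token(cmdline):
    parts = cmdline.split()
    return parts[-1].lower() if parts else ""


def rule_neshta_stub_exec(ev):
    return ev["type"] == "process" and ev["image"].lower() == NESHTA_STUB


def rule_neshta_host_relaunch(ev):
    # The stub's characteristic child: the restored host run out of %TEMP%\3582-490\.
    return (ev["type"] == "process" and ev["parent"].lower() == NESHTA_STUB
            and NESHTA_RESTORE_DIR in ev["image"].lower())


def rule_synaptics_injupdate(ev):
    return ev["type"] == "process" and _last_token(ev["cmdline"]) == SYNAPTICS_ARG


def rule_neshta_exefile_hijack(ev):
    return (ev["type"] == "registry"
            and ev["key"].lower().endswith(r"\exefile\shell\open\command")
            and "svchost.com" in ev["value"].lower())


RULES = {
    "neshta_stub_exec": rule_neshta_stub_exec,
    "neshta_host_relaunch": rule_neshta_host_relaunch,
    "synaptics_injupdate": rule_synaptics_injupdate,
    "neshta_exefile_hijack": rule_neshta_exefile_hijack,
}


def evaluate(events):
    """Return (rule name, event index) for every rule that fires on every event."""
    return [(name, i) for i, ev in enumerate(events)
            for name, rule in RULES.items() if rule(ev)]


def summarize(findings):
    """Hit count per rule, the shape a triage dashboard would show."""
    return Counter(name for name, _ in findings)


if __name__ == "__main__":
    for name, i in evaluate(EVENTS):
        print(f"{name:24s} event#{i} {EVENTS[i].get('image') or EVENTS[i].get('key')}")
```

The `svchost.com` match is on the full image path, so the genuine `C:\Windows\System32\svchost.exe` never fires; on a real host, pair `neshta_exefile_hijack` with a check of the same key under HKCR, since Neshta's hijack is what makes every later .exe launch pass through the stub.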
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
- Event Triggered Execution (1): Change Default File Association, T1546.001 (1)
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder, T1547.001 (1)
Downloads
C:\MSOCache\ALLUSE~1\{90140~1\DW20.EXE
  Filesize: 859KB
  MD5: 02ee6a3424782531461fb2f10713d3c1
  SHA1: b581a2c365d93ebb629e8363fd9f69afc673123f
  SHA256: ead58c483cb20bcd57464f8a4929079539d634f469b213054bf737d227c026dc
  SHA512: 6c9272cb1b6bde3ee887e1463ab30ea76568cb1a285d11393337b78c4ad1c3b7e6ce47646a92ab6d70bff4b02ab9d699b84af9437b720e52dcd35579fe2693ec

C:\MSOCache\ALLUSE~1\{90140~1\dwtrig20.exe
  Filesize: 547KB
  MD5: cf6c595d3e5e9667667af096762fd9c4
  SHA1: 9bb44da8d7f6457099cb56e4f7d1026963dce7ce
  SHA256: 593e60cc30ae0789448547195af77f550387f6648d45847ea244dd0dd7abf03d
  SHA512: ff4f789df9e6a6d0fbe12b3250f951fcf11e857906c65e96a30bb46266e7e1180d6103a03db2f3764e0d1346b2de7afba8259ba080057e4a268e45e8654dfa80

C:\MSOCache\ALLUSE~1\{9A861~1\ose.exe
  Filesize: 186KB
  MD5: 58b58875a50a0d8b5e7be7d6ac685164
  SHA1: 1e0b89c1b2585c76e758e9141b846ed4477b0662
  SHA256: 2a0aa0763fdef9c38c5dd4d50703f0c7e27f4903c139804ec75e55f8388139ae
  SHA512: d67214077162a105d01b11a8e207fab08b45b08fbfba0615a2ea146e1dd99eea35e4f02958a1754d3192292c00caf777f186f0a362e4b8b0da51fabbdb76375b

C:\MSOCache\ALLUSE~1\{9A861~1\setup.exe
  Filesize: 1.1MB
  MD5: 566ed4f62fdc96f175afedd811fa0370
  SHA1: d4b47adc40e0d5a9391d3f6f2942d1889dd2a451
  SHA256: e17cd94c08fc0e001a49f43a0801cea4625fb9aee211b6dfebebec446c21f460
  SHA512: cdf8f508d396a1a0d2e0fc25f2ae46398b25039a0dafa0919737cc44e3e926ebae4c3aa26f1a3441511430f1a36241f8e61c515a5d9bd98ad4740d4d0f7b8db7

C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE
  Filesize: 285KB
  MD5: 831270ac3db358cdbef5535b0b3a44e6
  SHA1: c0423685c09bbe465f6bb7f8672c936e768f05a3
  SHA256: a8f78ac26c738b13564252f1048ca784bf152ef048b829d3d22650b7f62078f0
  SHA512: f64a00977d4b6f8c43f53cee7bb450f3c8cbef08525975055fde5d8c515db32d2bfad92e99313b3a10a72a50dd09b4ffe28e9af4c148c6480622ba486776e450

C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE
  Filesize: 313KB
  MD5: 8c4f4eb73490ca2445d8577cf4bb3c81
  SHA1: 0f7d1914b7aeabdb1f1e4caedd344878f48be075
  SHA256: 85f7249bfac06b5ee9b20c7f520e3fdc905be7d64cfbefb7dcd82cd8d44686d5
  SHA512: 65453075c71016b06430246c1ee2876b7762a03112caf13cff4699b7b40487616c88a1160d31e86697083e2992e0dd88ebf1721679981077799187efaa0a1769

C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE
  Filesize: 569KB
  MD5: eef2f834c8d65585af63916d23b07c36
  SHA1: 8cb85449d2cdb21bd6def735e1833c8408b8a9c6
  SHA256: 3cd34a88e3ae7bd3681a7e3c55832af026834055020add33e6bd6f552fc0aabd
  SHA512: 2ee8766e56e5b1e71c86f7d1a1aa1882706d0bca8f84b2b2c54dd4c255e04f037a6eb265302449950e5f5937b0e57f17a6aa45e88a407ace4b3945e65043d9b7

C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe
  Filesize: 381KB
  MD5: 3ec4922dbca2d07815cf28144193ded9
  SHA1: 75cda36469743fbc292da2684e76a26473f04a6d
  SHA256: 0587fd366ea7e94b3ae500874b1c5d684b5357fcc7389682d5a13c3301a28801
  SHA512: 956c3a1f2689cb72600edd2e90d652b77592a8a81d319dce026e88f6c02231af06aebd57d68460eb406de00c113522173423cb1b339a41a3918f379c7dc311f7

C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe
  Filesize: 137KB
  MD5: e1833678885f02b5e3cf1b3953456557
  SHA1: c197e763500002bc76a8d503933f1f6082a8507a
  SHA256: bd9a16d8d7590a2ec827913db5173f8beb1d1ef44dab1920ef52a307f922bc14
  SHA512: fe107e1c8631ec6ac94f772e6a7be1fdc2a533fe3cfcf36b1ff018c8d01bd7f1f818f0a2448f736838c953cd516ea7327c416dea20706ed2420327af8ef01abe

C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE
  Filesize: 125KB
  MD5: 46e43f94482a27df61e1df44d764826b
  SHA1: 8b4eab017e85f8103c60932c5efe8dff12dc5429
  SHA256: dc6658dec5bf89f65f2d4b9bdb27634bac0bf5354c792bc8970a2b39f535facd
  SHA512: ce5bdd3f9a2394ffda83c93fc5604d972f90bd72e6aded357bdf27a2b21a0469f6ac71ce40d9fb4ed8c845468c4171a3c5b4501edbae79447c4f4e08342d4560

C:\ProgramData\Synaptics\RCX2397.tmp
  Filesize: 1.1MB
  MD5: a8f261369db6c6d9f8a9a7d044a47fd4
  SHA1: 9297381b9ab51baabdd976e1c11904abd0a10ed3
  SHA256: 8c39b98d9223eb2fcfbb37c237cb206995384463432b2eb1884585cbf901db31
  SHA512: ef7318be247bc2cee2a0ccbd7bd11c84dda49a6e19056e0545dd2c90cfbaffb2c3c89a070820ea28ff427eadecf029e28ba2435cbe82e98d69d1fda78f2c112c

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
  Filesize: 1.5MB
  MD5: bb09e8a04b12b8f3c6a9adf81378a418
  SHA1: 1a834be83c2c9a023e80e394553cb21e594f2863
  SHA256: e58e8b813b4d63f41b8d0f7680da122757f18fd268460a4b9154b73baca6bf1c
  SHA512: 8a2ec25f88d75ed7e4ec5856073d5912560ee4c2d3122fff3e26c0d821fbf9ba716f5d0aabf371c31c9719dc7a040a8315c259c89f6e7034623b2d3f9862c561

C:\Windows\directx.sys
  Filesize: 57B
  MD5: 56abc40d1e45c091d8afddb90a4ce6b4
  SHA1: 08db549484467b32b79958700300cabefc659848
  SHA256: a43fa861957415e3b0f25e2b54d931961cd309ff1d5354a9362852895b90b3e1
  SHA512: 51625c015a7c8fcf6fb51d3396aa08d2068772e3fcacaf32c409e82071af4ba1eb2ee94f36c06a98c32ba59d23bbaa6b540f7bd418a9472303cc225151daa698

C:\Windows\svchost.com
  Filesize: 40KB
  MD5: 2ff724ca136d4a831421dfd891e167c6
  SHA1: 5416f8de17ae4a8d9ea2e2d4570c5dd9ba7e5eb8
  SHA256: ff787f8231bb6f6a30eb61f46d56920e742ae22dd047622f8fbe6266d8bb864d
  SHA512: 5ad202eb3222b9a95695ee1ffcebdaa3cd7235dbc8a1bf845e560736f514d9d7c92bc509c7089f53ff391bcd1d053050ccf0d889102a2b53b373d211dfbd9dc0

\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE
  Filesize: 252KB
  MD5: 9e2b9928c89a9d0da1d3e8f4bd96afa7
  SHA1: ec66cda99f44b62470c6930e5afda061579cde35
  SHA256: 8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043
  SHA512: 2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

\Users\Admin\AppData\Local\Temp\._cache_30b988ea4d19e7657f3c01fd7569040cf925b207c467fed8e1cfbe1f28b5a5a8.exe
  Filesize: 1.5MB
  MD5: 8ea2d162376c31995fdc741ccbc07188
  SHA1: eea36211eb7697a6dea5cfe80de206e23360186a
  SHA256: eefebfdfcf030a300c844e66a14f1069ad4c1f14bddab467f69cf31773442d9f
  SHA512: 3ba8a277792f0c188681464f9318ff287774b8675856a413553ada5c7b6dd498cf55d12fac685043b0caabc1e61bee747bda2bc3b66b439408425b22c0266460

\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
  Filesize: 406KB
  MD5: e66924b8922c67fe30f74852ce7956a5
  SHA1: 0ca5067011668ef5276a0ca66f00145bc7fe96ff
  SHA256: 86d8cfc0c718b6bf4c42bb8982315e87237de567e54fee80883bf7dd7e46f383
  SHA512: 35a17b0fa05a2149e4ebd8d43249972f05cb0c462634817c67031463b01f43d4fff01e4c1aa432370d5de543671a97d74f245fe19ffec2e7e814b2ba054bb2fe

\Users\Admin\AppData\Local\Temp\3582-490\30b988ea4d19e7657f3c01fd7569040cf925b207c467fed8e1cfbe1f28b5a5a8.exe
  Filesize: 2.6MB
  MD5: d461184db61186c2107891739efaa31e
  SHA1: 9b1e9c80bc55b95a6639508d39a635d27a176b35
  SHA256: 3e5ca516334e1a769ceba44729c13413b6d295bbaa384f063c6acc8fa4c7fbfd
  SHA512: 6ce3b9bdd1ada0db1bf389e7c49bff4ec33453eef40c2c80ebcef1b48ab5886953c0e7d108cff2a73adbb41ce755063ad3cbf4948c40e8049888db7fe7404509

Memory dumps (pid-uid, mapped range):
memory/320-336-0x0000000000400000-0x0000000000582000-memory.dmp
  Filesize: 1.5MB
memory/688-340-0x0000000000400000-0x000000000041B000-memory.dmp
  Filesize: 108KB
memory/824-177-0x0000000000400000-0x000000000041B000-memory.dmp
  Filesize: 108KB
memory/832-294-0x0000000000400000-0x000000000041B000-memory.dmp
  Filesize: 108KB
memory/956-243-0x0000000000400000-0x00000000006A3000-memory.dmp
  Filesize: 2.6MB
memory/1004-530-0x0000000000400000-0x0000000000582000-memory.dmp
  Filesize: 1.5MB
memory/1008-440-0x0000000000400000-0x0000000000582000-memory.dmp
  Filesize: 1.5MB
memory/1112-549-0x0000000000400000-0x000000000041B000-memory.dmp
  Filesize: 108KB
memory/1296-320-0x0000000000400000-0x000000000041B000-memory.dmp
  Filesize: 108KB
memory/1312-504-0x0000000000400000-0x0000000000582000-memory.dmp
  Filesize: 1.5MB
memory/1348-519-0x0000000000400000-0x0000000000582000-memory.dmp
  Filesize: 1.5MB
memory/1416-418-0x0000000000400000-0x000000000041B000-memory.dmp
  Filesize: 108KB
memory/1464-529-0x0000000000400000-0x000000000041B000-memory.dmp
  Filesize: 108KB
memory/1512-258-0x0000000000400000-0x0000000000582000-memory.dmp
  Filesize: 1.5MB
memory/1548-295-0x0000000000400000-0x0000000000582000-memory.dmp
  Filesize: 1.5MB
memory/1564-117-0x0000000000400000-0x000000000041B000-memory.dmp
  Filesize: 108KB
memory/1564-310-0x0000000000400000-0x0000000000582000-memory.dmp
  Filesize: 1.5MB
memory/1596-346-0x0000000000400000-0x000000000041B000-memory.dmp
  Filesize: 108KB
memory/1656-143-0x0000000000400000-0x0000000000582000-memory.dmp
  Filesize: 1.5MB
memory/1772-545-0x0000000000400000-0x0000000000582000-memory.dmp
  Filesize: 1.5MB
memory/1772-288-0x0000000000400000-0x000000000041B000-memory.dmp
  Filesize: 108KB
memory/1868-494-0x0000000000400000-0x000000000041B000-memory.dmp
  Filesize: 108KB
memory/1896-321-0x0000000000400000-0x0000000000582000-memory.dmp
  Filesize: 1.5MB
memory/1896-100-0x0000000000400000-0x000000000041B000-memory.dmp
  Filesize: 108KB
memory/1992-347-0x0000000000400000-0x0000000000582000-memory.dmp
  Filesize:
1.5MB
-
memory/1992-179-0x0000000000400000-0x00000000006A3000-memory.dmpFilesize
2.6MB
-
memory/1996-450-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/2024-424-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/2068-444-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/2088-372-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/2132-231-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/2152-373-0x0000000000400000-0x0000000000582000-memory.dmpFilesize
1.5MB
-
memory/2180-571-0x0000000000400000-0x0000000000582000-memory.dmpFilesize
1.5MB
-
memory/2184-180-0x0000000000400000-0x0000000000582000-memory.dmpFilesize
1.5MB
-
memory/2232-556-0x0000000000400000-0x0000000000582000-memory.dmpFilesize
1.5MB
-
memory/2272-555-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/2324-388-0x0000000000400000-0x0000000000582000-memory.dmpFilesize
1.5MB
-
memory/2340-425-0x0000000000400000-0x0000000000582000-memory.dmpFilesize
1.5MB
-
memory/2356-470-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/2364-451-0x0000000000400000-0x0000000000582000-memory.dmpFilesize
1.5MB
-
memory/2384-68-0x0000000000400000-0x0000000000582000-memory.dmpFilesize
1.5MB
-
memory/2424-503-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/2432-314-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/2456-477-0x0000000000400000-0x0000000000582000-memory.dmpFilesize
1.5MB
-
memory/2460-178-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/2468-399-0x0000000000400000-0x0000000000582000-memory.dmpFilesize
1.5MB
-
memory/2504-134-0x0000000000400000-0x00000000006A3000-memory.dmpFilesize
2.6MB
-
memory/2524-392-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/2540-63-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/2540-497-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/2580-284-0x0000000000400000-0x0000000000582000-memory.dmpFilesize
1.5MB
-
memory/2604-267-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/2604-398-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/2644-269-0x0000000000400000-0x0000000000582000-memory.dmpFilesize
1.5MB
-
memory/2712-366-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/2784-268-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/2800-523-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/2808-414-0x0000000000400000-0x0000000000582000-memory.dmpFilesize
1.5MB
-
memory/2852-476-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/2852-362-0x0000000000400000-0x0000000000582000-memory.dmpFilesize
1.5MB
-
memory/2976-13-0x0000000000220000-0x0000000000221000-memory.dmpFilesize
4KB
-
memory/2976-57-0x0000000000400000-0x00000000006A3000-memory.dmpFilesize
2.6MB
-
memory/3048-225-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/3048-492-0x0000000000400000-0x0000000000582000-memory.dmpFilesize
1.5MB
-
memory/3064-466-0x0000000000400000-0x0000000000582000-memory.dmpFilesize
1.5MB