Analysis
max time kernel: 34s
max time network: 125s
platform: windows7_x64
resource: win7-20240611-en
resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
submitted: 18-06-2024 20:09
Behavioral task behavioral1
Sample: 19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe
Resource: win7-20240611-en
Behavioral task behavioral2
Sample: 19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe
Resource: win10v2004-20240226-en
The signature and IoC sections below are from behavioral1 (the Windows 7 x64 run; memory-dump IoCs are tagged behavioral1/memory/...).
General
Target: 19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe
Size: 2.5MB
MD5: 764f4baced7ef6823e658d10cf71b392
SHA1: e8c24ea84679d6cf8ed4dd1dff934edecd63fb81
SHA256: 19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d
SHA512: 174a27d27e358f4e9c1f6f82e694e1ed86857e7abb34a1f4ad964cc3990f6267f91ff7ea5ca4469b0ac6956f43de652a176194244f3d801789e778fbae2b4e85
SSDEEP: 49152:6Hyjtk2MYC5GDIHyjtk2MYC5GDhEh5Cenun9:6mtk2aZmtk2aiQCenun9
Malware Config
Signatures
-
Detect Neshta payload (46 IoCs)
yara_rule: family_neshta on every resource below.
Files (11):
\Users\Admin\AppData\Local\Temp\3582-490\19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe
\Users\Admin\AppData\Local\Temp\._cache_19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe
C:\Windows\svchost.com
C:\MSOCache\ALLUSE~1\{90140~1\dwtrig20.exe
C:\MSOCache\ALLUSE~1\{90140~1\DW20.EXE
C:\MSOCache\ALLUSE~1\{9A861~1\setup.exe
C:\MSOCache\ALLUSE~1\{9A861~1\ose.exe
C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXE
C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE
C:\PROGRA~2\COMMON~1\MICROS~1\EQUATION\EQNEDT32.EXE
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOXMLED.EXE
Memory dumps (35; all 0x400000-0x41B000 except the two 0x400000-0x680000 images of the 2.5MB sample):
behavioral1/memory/1672-63-0x0000000000400000-0x0000000000680000-memory.dmp
behavioral1/memory/2740-55-0x0000000000400000-0x000000000041B000-memory.dmp
behavioral1/memory/264-89-0x0000000000400000-0x000000000041B000-memory.dmp
behavioral1/memory/2548-102-0x0000000000400000-0x0000000000680000-memory.dmp
behavioral1/memory/2836-95-0x0000000000400000-0x000000000041B000-memory.dmp
behavioral1/memory/1744-178-0x0000000000400000-0x000000000041B000-memory.dmp
behavioral1/memory/1060-188-0x0000000000400000-0x000000000041B000-memory.dmp
behavioral1/memory/3052-261-0x0000000000400000-0x000000000041B000-memory.dmp
behavioral1/memory/2728-267-0x0000000000400000-0x000000000041B000-memory.dmp
behavioral1/memory/2820-297-0x0000000000400000-0x000000000041B000-memory.dmp
behavioral1/memory/2832-301-0x0000000000400000-0x000000000041B000-memory.dmp
behavioral1/memory/360-307-0x0000000000400000-0x000000000041B000-memory.dmp
behavioral1/memory/2436-327-0x0000000000400000-0x000000000041B000-memory.dmp
behavioral1/memory/2880-333-0x0000000000400000-0x000000000041B000-memory.dmp
behavioral1/memory/2044-353-0x0000000000400000-0x000000000041B000-memory.dmp
behavioral1/memory/1952-359-0x0000000000400000-0x000000000041B000-memory.dmp
behavioral1/memory/2700-360-0x0000000000400000-0x000000000041B000-memory.dmp
behavioral1/memory/2152-380-0x0000000000400000-0x000000000041B000-memory.dmp
behavioral1/memory/1380-386-0x0000000000400000-0x000000000041B000-memory.dmp
behavioral1/memory/880-406-0x0000000000400000-0x000000000041B000-memory.dmp
behavioral1/memory/3048-407-0x0000000000400000-0x000000000041B000-memory.dmp
behavioral1/memory/2624-429-0x0000000000400000-0x000000000041B000-memory.dmp
behavioral1/memory/2608-435-0x0000000000400000-0x000000000041B000-memory.dmp
behavioral1/memory/1904-455-0x0000000000400000-0x000000000041B000-memory.dmp
behavioral1/memory/2480-461-0x0000000000400000-0x000000000041B000-memory.dmp
behavioral1/memory/2464-481-0x0000000000400000-0x000000000041B000-memory.dmp
behavioral1/memory/2008-487-0x0000000000400000-0x000000000041B000-memory.dmp
behavioral1/memory/2820-488-0x0000000000400000-0x000000000041B000-memory.dmp
behavioral1/memory/1316-508-0x0000000000400000-0x000000000041B000-memory.dmp
behavioral1/memory/1772-514-0x0000000000400000-0x000000000041B000-memory.dmp
behavioral1/memory/2700-531-0x0000000000400000-0x000000000041B000-memory.dmp
behavioral1/memory/1576-535-0x0000000000400000-0x000000000041B000-memory.dmp
behavioral1/memory/996-541-0x0000000000400000-0x000000000041B000-memory.dmp
behavioral1/memory/2884-561-0x0000000000400000-0x000000000041B000-memory.dmp
behavioral1/memory/2596-567-0x0000000000400000-0x000000000041B000-memory.dmp

Neshta
Neshta is a file-infecting virus: it writes its own body in front of .exe files it can reach, then unpacks a copy of the host into %TEMP%\3582-490\ and runs it, so every infected executable becomes a fresh carrier. In this run the family_neshta hits cover the sample itself, the ._cache_ copy it extracts, C:\Windows\svchost.com, and executables under MSOCache and Program Files. The companion changes recorded below are the rewrite of the exefile shell\open\command association (every .exe launched through the shell is routed via C:\Windows\svchost.com first) and the repeated writes to C:\Windows\directx.sys.

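To make "writes its own body in front of .exe files" concrete, the following Python is an added example written for this page, not code from Tria.ge or from the Neshta author. It builds two minimal PE files as constructed stand-ins for the virus stub and a host program, joins them in the prepender layout (virus body first, original host after it), and then locates and carves the host by parsing the outer PE's section table and scanning the overlay for a second complete PE. The scan does not assume a fixed stub size, so it is not tied to any one Neshta build. Caveat: legitimate installers also carry overlays and sometimes embedded executables, so a hit identifies the layout, not malice, and a carve used for disinfection should be validated against the real sample (hash of the carved file, signature check) before it is trusted.

```python
"""Detect and carve a prepended host executable, the on-disk layout a
prepending file infector such as Neshta leaves behind. Added example; the
two PE files built below are constructed test input, not real binaries."""
import struct
from typing import Optional, Tuple

FILE_ALIGN = 0x200


def build_min_pe(marker: bytes) -> bytes:
    """Constructed minimal PE32: DOS header, PE signature, COFF header,
    optional header, one section header and one 0x200-byte section whose
    first bytes are `marker`. 0x400 bytes in total."""
    raw_off, raw_size = FILE_ALIGN, FILE_ALIGN
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)        # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x014C, 1, 0, 0, 0, 0xE0, 0x0102)   # i386, one section
    opt = struct.pack("<HBBIIIIII", 0x10B, 0, 0, raw_size, 0, 0, 0x1000, 0x1000, 0x1000)
    opt += struct.pack("<IIIHHHHHHIIIIHHIIIIII",
                       0x400000, 0x1000, FILE_ALIGN,   # ImageBase, section/file alignment
                       0, 0, 0, 0, 0, 0, 0,            # version fields, Win32VersionValue
                       0x2000, raw_off, 0,             # SizeOfImage, SizeOfHeaders, CheckSum
                       2, 0,                           # Subsystem (GUI), DllCharacteristics
                       0, 0, 0, 0, 0, 16)              # stack/heap, LoaderFlags, NumberOfRvaAndSizes
    opt += b"\0" * (16 * 8)                            # 16 empty data directories
    assert len(opt) == 0xE0
    section = b".text\0\0\0" + struct.pack(
        "<IIIIIIHHI", raw_size, 0x1000, raw_size, raw_off, 0, 0, 0, 0, 0x60000020)
    headers = dos + b"PE\0\0" + coff + opt + section
    headers += b"\0" * (raw_off - len(headers))
    return headers + marker + b"\0" * (raw_size - len(marker))


def pe_data_end(buf: bytes, base: int = 0) -> Optional[int]:
    """Offset one past the last section's raw data of the PE whose DOS header
    starts at `base`, or None if no well-formed PE header is there."""
    if buf[base:base + 2] != b"MZ" or len(buf) < base + 0x40:
        return None
    pe = base + struct.unpack_from("<I", buf, base + 0x3C)[0]
    if buf[pe:pe + 4] != b"PE\0\0" or pe + 24 > len(buf):
        return None
    n_sections = struct.unpack_from("<H", buf, pe + 6)[0]
    opt_size = struct.unpack_from("<H", buf, pe + 20)[0]
    table = pe + 24 + opt_size
    end = 0
    for i in range(n_sections):
        hdr = table + i * 40
        if hdr + 40 > len(buf):
            return None
        raw_size, raw_ptr = struct.unpack_from("<II", buf, hdr + 16)   # SizeOfRawData, PointerToRawData
        end = max(end, raw_ptr + raw_size)
    return base + end if end else None


def find_prepended_host(buf: bytes) -> Optional[Tuple[int, int]]:
    """Prepender check: the outer PE's section data ends before EOF and a
    second complete PE starts in the overlay. Returns (host_start, host_end).
    The overlay is scanned for 'MZ' instead of skipping a fixed stub size, so
    the result does not depend on the infector's exact body length."""
    outer_end = pe_data_end(buf)
    if outer_end is None or outer_end >= len(buf):
        return None
    pos = buf.find(b"MZ", outer_end)
    while pos != -1:
        host_end = pe_data_end(buf, pos)
        if host_end is not None and host_end <= len(buf):
            return pos, host_end
        pos = buf.find(b"MZ", pos + 1)
    return None


def carve_host(buf: bytes) -> Optional[bytes]:
    """Return the original host bytes, assuming the infector stored them
    unmodified after its own body (what the prepender layout implies)."""
    span = find_prepended_host(buf)
    return buf[span[0]:span[1]] if span else None


def demo() -> dict:
    host = build_min_pe(b"HOST-PROGRAM")
    stub = build_min_pe(b"INFECTOR-STUB")
    infected = stub + host            # constructed: virus body first, host after it
    return {
        "clean_flagged": find_prepended_host(host) is not None,   # False
        "infected_span": find_prepended_host(infected),            # (0x400, 0x800)
        "carve_restores_host": carve_host(infected) == host,       # True
    }


if __name__ == "__main__":
    print(demo())
```

Run it against a suspect file with `find_prepended_host(open(path, "rb").read())`; a clean executable with no overlay returns None, and an overlay that contains no second PE (a plain installer payload, for instance) also returns None.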
Executes dropped EXE (64 IoCs)
The same loop repeats: Synaptics.exe -> ._cache_Synaptics.exe -> svchost.com -> _CACHE~2.EXE -> ._cache__CACHE~2.EXE, started once by the sample's own ._cache_ copy. PIDs such as 2900, 2524, 2464, 2044 and 2152 appear twice because Windows reuses the PID of a process that has already exited.
pid  process
1672  19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe
2700  ._cache_19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe
2740  svchost.com
2524  _CACHE~1.EXE
2548  Synaptics.exe
264  ._cache_Synaptics.exe
2836  svchost.com
2900  _CACHE~2.EXE
1716  ._cache__CACHE~2.EXE
1152  Synaptics.exe
2816  ._cache__CACHE~1.EXE
1744  ._cache_Synaptics.exe
1060  svchost.com
2260  _CACHE~2.EXE
740  ._cache__CACHE~2.EXE
2924  Synaptics.exe
3052  ._cache_Synaptics.exe
2728  svchost.com
2228  _CACHE~2.EXE
2684  ._cache__CACHE~2.EXE
2520  Synaptics.exe
2832  ._cache_Synaptics.exe
360  svchost.com
2848  _CACHE~2.EXE
2756  ._cache__CACHE~2.EXE
2232  Synaptics.exe
2436  ._cache_Synaptics.exe
2880  svchost.com
2464  _CACHE~2.EXE
2900  ._cache__CACHE~2.EXE
2524  Synaptics.exe
2044  ._cache_Synaptics.exe
1952  svchost.com
2056  _CACHE~2.EXE
1072  ._cache__CACHE~2.EXE
1240  Synaptics.exe
2152  ._cache_Synaptics.exe
1380  svchost.com
1120  _CACHE~2.EXE
628  ._cache__CACHE~2.EXE
1300  Synaptics.exe
880  ._cache_Synaptics.exe
3048  svchost.com
1552  _CACHE~2.EXE
1928  ._cache__CACHE~2.EXE
2944  Synaptics.exe
2624  ._cache_Synaptics.exe
2608  svchost.com
1720  _CACHE~2.EXE
328  ._cache__CACHE~2.EXE
1616  Synaptics.exe
1904  ._cache_Synaptics.exe
2480  svchost.com
1356  _CACHE~2.EXE
2588  ._cache__CACHE~2.EXE
2784  Synaptics.exe
2464  ._cache_Synaptics.exe
2008  svchost.com
1708  _CACHE~2.EXE
2044  ._cache__CACHE~2.EXE
836  Synaptics.exe
1316  ._cache_Synaptics.exe
1772  svchost.com
2152  _CACHE~2.EXE

Loads dropped DLL (64 IoCs)
Consecutive identical rows are grouped; the count is the number of rows in the report.
pid  process  rows
2820  19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe  2
1672  19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe  3
2740  svchost.com  2
1672  19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe  2
2548  Synaptics.exe  3
2836  svchost.com  2
2900  _CACHE~2.EXE  4
2524  _CACHE~1.EXE  2
1152  Synaptics.exe  4
2820  19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe  1
2700  ._cache_19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe  1
2820  19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe  1
1060  svchost.com  2
2260  _CACHE~2.EXE  1
2700  ._cache_19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe  2
2260  _CACHE~2.EXE  4
2924  Synaptics.exe  1
2820  19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe  1
2924  Synaptics.exe  3
2728  svchost.com  2
2228  _CACHE~2.EXE  3
2820  19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe  1
2700  ._cache_19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe  1
2228  _CACHE~2.EXE  2
2700  ._cache_19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe  1
2520  Synaptics.exe  1
2820  19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe  1
2520  Synaptics.exe  3
360  svchost.com  2
2848  _CACHE~2.EXE  5
2232  Synaptics.exe  1

Modifies system executable filetype association (2 TTPs, 1 IoC)
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"  by 19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe
The stock value of this key is "%1" %*. After the rewrite every .exe launched through the shell starts C:\Windows\svchost.com with the intended program as its argument, which is how the Neshta body gets control on each launch and why restoring the key (and removing svchost.com) is part of cleanup.

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials.

Adds Run key to start application (2 TTPs, 20 IoCs)
All 20 rows set the same value:
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"
Written 19 times by _CACHE~2.EXE and once by 19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe.

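The exefile handler rewrite and the Run key above are the two registry indicators a responder checks first. The following Python is an added example written for this page (not Tria.ge or Neshta code): it parses "Set value" rows in the report's own format, undoes the report's escaping of the value, and flags an exefile handler that is anything other than the stock "%1" %* together with any Run-key entry. The first two input rows are copied from this report; the third is a constructed clean control carrying the stock handler so the checker has a negative case.

```python
"""Flag the two registry indicators from this report: an exefile handler
rewrite and a Run-key persistence entry. Added example, not Tria.ge code."""
import re
from typing import Dict, List, Optional

SAMPLE = "19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe"

# Rows in the report's  Set value (kind) <key> = "<value>" <process>  form.
# Rows 1 and 2 are copied from the report; row 3 is a constructed clean
# control with the stock exefile handler.
EVENTS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = '
    r'"C:\\Windows\\svchost.com \"%1\" %*" ' + SAMPLE,
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
    r'\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" _CACHE~2.EXE',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = '
    r'"\"%1\" %*" regedit.exe',
]

EVENT_RE = re.compile(r'^Set value \((\w+)\) (\\REGISTRY\\.*?) = "(.*)" (\S+)$')
STOCK_EXEFILE_COMMAND = '"%1" %*'   # value on a clean Windows install


def unescape(value: str) -> str:
    # The report escapes backslashes and quotes C-style; drop the escaping.
    return re.sub(r'\\(.)', r'\1', value)


def parse_event(line: str) -> Optional[Dict[str, str]]:
    """Split one report row into type, key, unescaped value and process."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    kind, key, value, proc = m.groups()
    return {"type": kind, "key": key.rstrip("\\"), "value": unescape(value), "process": proc}


def check_event(ev: Dict[str, str]) -> Optional[Dict[str, str]]:
    """Return a finding for an exefile handler hijack or a Run-key entry."""
    key = ev["key"].lower()
    if key.endswith(r"\classes\exefile\shell\open\command"):
        if ev["value"] == STOCK_EXEFILE_COMMAND:
            return None
        # Everything before "%1" is the program inserted in front of every .exe launch.
        interposer = ev["value"].split('"%1"')[0].strip()
        return {"finding": "exefile_handler_hijack", "interposer": interposer,
                "process": ev["process"]}
    if "\\currentversion\\run\\" in key:
        return {"finding": "run_key_persistence", "name": ev["key"].rsplit("\\", 1)[1],
                "path": ev["value"], "process": ev["process"]}
    return None


def triage(lines: List[str]) -> List[Dict[str, str]]:
    """Run every row through the checks and collect the findings in order."""
    findings: List[Dict[str, str]] = []
    for line in lines:
        ev = parse_event(line)
        finding = check_event(ev) if ev else None
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in triage(EVENTS):
        print(f)
```

On a live host the same two checks are a registry read of HKLM\SOFTWARE\Classes\exefile\shell\open\command and an enumeration of the Run keys; the parser here only exists so the logic can be exercised offline against report rows.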
Drops file in Program Files directory (64 IoCs)
All rows are "File opened for modification". Writers: sample = 19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe, cache = ._cache_19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe.
path  process
C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe  sample
C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE  cache
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\FLTLDR.EXE  sample
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\ODeploy.exe  sample
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\Setup.exe  sample
C:\PROGRA~2\COMMON~1\MICROS~1\TextConv\WksConv\Wkconv.exe  sample
C:\PROGRA~2\Google\Update\DISABL~1.EXE  cache
C:\PROGRA~2\MICROS~1\Office14\CNFNOT32.EXE  cache
C:\PROGRA~2\WI54FB~1\wmplayer.exe  cache
C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE  cache
C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE  cache
C:\PROGRA~3\SYNAPT~1\SYNAPT~1.EXE  cache
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\Oarpmany.exe  cache
C:\PROGRA~2\Google\Update\DISABL~1.EXE  sample
C:\PROGRA~2\WINDOW~1\WinMail.exe  cache
C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE  sample
C:\PROGRA~2\COMMON~1\MICROS~1\ink\mip.exe  sample
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\ODeploy.exe  cache
C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE  sample
C:\PROGRA~2\MICROS~1\Office14\IECONT~1.EXE  cache
C:\PROGRA~2\MICROS~1\Office14\NAMECO~1.EXE  cache
C:\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE  cache
C:\PROGRA~2\WI54FB~1\wmpconfig.exe  sample
C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE  sample
C:\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE  sample
C:\PROGRA~2\INTERN~1\ielowutil.exe  cache
C:\PROGRA~2\MICROS~1\Office14\GROOVEMN.EXE  cache
C:\PROGRA~2\MICROS~1\Office14\OIS.EXE  sample
C:\PROGRA~2\MICROS~1\Office14\SELFCERT.EXE  cache
C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE  cache
C:\PROGRA~2\COMMON~1\MICROS~1\ink\mip.exe  cache
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE  cache
C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE  sample
C:\PROGRA~2\MICROS~1\Office14\CLVIEW.EXE  cache
C:\PROGRA~2\MICROS~1\Office14\INFOPATH.EXE  sample
C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE  sample
C:\PROGRA~2\COMMON~1\MICROS~1\SOURCE~1\OSE.EXE  cache
C:\PROGRA~2\Adobe\READER~1.0\Resource\Icons\SC_REA~1.EXE  cache
C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE  cache
C:\PROGRA~2\MICROS~1\Office14\NAMECO~1.EXE  sample
C:\PROGRA~2\MICROS~1\Office14\PPTICO.EXE  cache
C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE  sample
C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE  sample
C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE  cache
C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe  cache
C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE  sample
C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE  cache
C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE  sample
C:\PROGRA~2\MICROS~1\Office14\XLICONS.EXE  cache
C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE  cache
C:\PROGRA~2\MICROS~1\Office14\SELFCERT.EXE  sample
C:\PROGRA~2\WINDOW~1\wab.exe  cache
C:\PROGRA~2\WINDOW~1\WinMail.exe  sample
C:\PROGRA~2\WINDOW~2\ACCESS~1\wordpad.exe  cache
C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE  sample
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOXMLED.EXE  sample
C:\PROGRA~2\Google\Update\1336~1.151\GOF5E2~1.EXE  sample
C:\PROGRA~2\MICROS~1\Office14\GRAPH.EXE  sample
C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXE  sample
C:\PROGRA~2\MICROS~1\Office14\MSQRY32.EXE  cache
C:\PROGRA~2\MICROS~1\Office14\PPTICO.EXE  sample
C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE  cache
C:\PROGRA~2\WI54FB~1\WMPDMC.exe  sample
C:\PROGRA~2\WI54FB~1\wmprph.exe  sample

Drops file in Windows directory (64 IoCs)
All 64 rows are "File opened for modification" on just two paths:
C:\Windows\svchost.com  by svchost.com, ._cache_Synaptics.exe, 19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe and ._cache_19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe
C:\Windows\directx.sys  by svchost.com and ._cache_Synaptics.exe
C:\Windows\svchost.com is itself flagged family_neshta above: it is the copy of the virus that the rewritten exefile association runs in front of every .exe, and each newly infected process rewrites it again, which is why the same two files are touched over and over. Both files, plus the exefile key, are the host-level indicators to remove.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Modifies registry class (1 IoC)
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"  by 19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe
(The same write is reported under "Modifies system executable filetype association" above.)

Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid  process
2900  _CACHE~2.EXE  (all 64 rows)

Suspicious use of AdjustPrivilegeToken (64 IoCs)
description  pid  process
Token: SeSystemProfilePrivilege  2900  _CACHE~2.EXE  (all 64 rows)

Suspicious use of WriteProcessMemory 64 IoCs
Processes: 19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe, ._cache_19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe, svchost.com, Synaptics.exe, ._cache_Synaptics.exe, _CACHE~2.EXE, _CACHE~1.EXE

| description | pid | process | target process |
| --- | --- | --- | --- |
| PID 2820 wrote to memory of 1672 | 2820 | 19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe | 19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe |
| PID 1672 wrote to memory of 2700 | 1672 | 19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe | ._cache_19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe |
| PID 2700 wrote to memory of 2740 | 2700 | ._cache_19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe | svchost.com |
| PID 2740 wrote to memory of 2524 | 2740 | svchost.com | Synaptics.exe |
| PID 1672 wrote to memory of 2548 | 1672 | 19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe | Synaptics.exe |
| PID 2548 wrote to memory of 264 | 2548 | Synaptics.exe | ._cache_Synaptics.exe |
| PID 264 wrote to memory of 2836 | 264 | ._cache_Synaptics.exe | svchost.com |
| PID 2836 wrote to memory of 2900 | 2836 | svchost.com | ._cache__CACHE~2.EXE |
| PID 2900 wrote to memory of 1716 | 2900 | _CACHE~2.EXE | ._cache__CACHE~2.EXE |
| PID 2900 wrote to memory of 1152 | 2900 | _CACHE~2.EXE | Synaptics.exe |
| PID 2524 wrote to memory of 2816 | 2524 | _CACHE~1.EXE | ._cache__CACHE~1.EXE |
| PID 1152 wrote to memory of 1744 | 1152 | Synaptics.exe | ._cache_Synaptics.exe |
| PID 1744 wrote to memory of 1060 | 1744 | ._cache_Synaptics.exe | svchost.com |
| PID 1060 wrote to memory of 2260 | 1060 | svchost.com | _CACHE~2.EXE |
| PID 2260 wrote to memory of 740 | 2260 | _CACHE~2.EXE | ._cache__CACHE~2.EXE |
| PID 2260 wrote to memory of 2924 | 2260 | _CACHE~2.EXE | Synaptics.exe |

Each of the 16 distinct parent/child pairs above appears four times in the original listing, which is how the signature reaches its 64 IoCs.
Processes
-
Each entry gives the process image, the command line it was started with, and the nesting depth in the process tree (a process at depth N is a child of the preceding process at depth N-1). Signatures attributed to the process follow as bullets.

Depth 1: C:\Users\Admin\AppData\Local\Temp\19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe"
- Loads dropped DLL
- Modifies system executable filetype association
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory

Depth 2: C:\Users\Admin\AppData\Local\Temp\3582-490\19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\3582-490\19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe"
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory

Depth 3: C:\Users\Admin\AppData\Local\Temp\._cache_19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\._cache_19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe"
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory

Depth 4: C:\Windows\svchost.com
Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory

Depth 5: C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

Depth 6: C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
Command line: "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"
- Executes dropped EXE

Depth 3: C:\ProgramData\Synaptics\Synaptics.exe
Command line: "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

Depth 4: C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
- Executes dropped EXE
- Suspicious use of WriteProcessMemory

Depth 5: C:\Windows\svchost.com
Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory

Depth 6: C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

Depth 7: C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
Command line: "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate
- Executes dropped EXE

Depth 7: C:\ProgramData\Synaptics\Synaptics.exe
Command line: "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

Depth 8: C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory

Depth 9: C:\Windows\svchost.com
Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory

Depth 10: C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory

Depth 11: C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
Command line: "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate
- Executes dropped EXE

Depth 11: C:\ProgramData\Synaptics\Synaptics.exe
Command line: "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
- Executes dropped EXE
- Loads dropped DLL

Depth 12: C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
- Executes dropped EXE

Depth 13: C:\Windows\svchost.com
Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory

Depth 14: C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application

Depth 15: C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
Command line: "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate
- Executes dropped EXE

Depth 15: C:\ProgramData\Synaptics\Synaptics.exe
Command line: "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
- Executes dropped EXE
- Loads dropped DLL

Depth 16: C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
- Executes dropped EXE
- Drops file in Windows directory

Depth 17: C:\Windows\svchost.com
Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory

Depth 18: C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application

Depth 19: C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
Command line: "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate
- Executes dropped EXE

Depth 19: C:\ProgramData\Synaptics\Synaptics.exe
Command line: "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
- Executes dropped EXE
- Loads dropped DLL

Depth 20: C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
- Executes dropped EXE
- Drops file in Windows directory

Depth 21: C:\Windows\svchost.com
Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate
- Executes dropped EXE
- Drops file in Windows directory

Depth 22: C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate
- Executes dropped EXE
- Adds Run key to start application

Depth 23: C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
Command line: "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate
- Executes dropped EXE

Depth 23: C:\ProgramData\Synaptics\Synaptics.exe
Command line: "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
- Executes dropped EXE

Depth 24: C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
- Executes dropped EXE
- Drops file in Windows directory

Depth 25: C:\Windows\svchost.com
Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate
- Executes dropped EXE
- Drops file in Windows directory

Depth 26: C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate
- Executes dropped EXE
- Adds Run key to start application

Depth 27: C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
Command line: "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate
- Executes dropped EXE

Depth 27: C:\ProgramData\Synaptics\Synaptics.exe
Command line: "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
- Executes dropped EXE

Depth 28: C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
- Executes dropped EXE
- Drops file in Windows directory

Depth 29: C:\Windows\svchost.com
Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate
- Executes dropped EXE
- Drops file in Windows directory

Depth 30: C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate
- Executes dropped EXE
- Adds Run key to start application

Depth 31: C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
Command line: "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate
- Executes dropped EXE

Depth 31: C:\ProgramData\Synaptics\Synaptics.exe
Command line: "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
- Executes dropped EXE

Depth 32: C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
- Executes dropped EXE
- Drops file in Windows directory

Depth 33: C:\Windows\svchost.com
Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate
- Executes dropped EXE

Depth 34: C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate
- Executes dropped EXE
- Adds Run key to start application

Depth 35: C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
Command line: "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate
- Executes dropped EXE

Depth 35: C:\ProgramData\Synaptics\Synaptics.exe
Command line: "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
- Executes dropped EXE

Depth 36: C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
- Executes dropped EXE
- Drops file in Windows directory

Depth 37: C:\Windows\svchost.com
Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate
- Executes dropped EXE
- Drops file in Windows directory

Depth 38: C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate
- Executes dropped EXE
- Adds Run key to start application

Depth 39: C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
Command line: "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate
- Executes dropped EXE

Depth 39: C:\ProgramData\Synaptics\Synaptics.exe
Command line: "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
- Executes dropped EXE

Depth 40: C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
- Executes dropped EXE
- Drops file in Windows directory

Depth 41: C:\Windows\svchost.com
Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate
- Executes dropped EXE
- Drops file in Windows directory

Depth 42: C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate
- Executes dropped EXE
- Adds Run key to start application

Depth 43: C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
Command line: "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate
- Executes dropped EXE

Depth 43: C:\ProgramData\Synaptics\Synaptics.exe
Command line: "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
- Executes dropped EXE

Depth 44: C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
- Executes dropped EXE
- Drops file in Windows directory

Depth 45: C:\Windows\svchost.com
Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate
- Executes dropped EXE
- Drops file in Windows directory

Depth 46: C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate
- Executes dropped EXE
- Adds Run key to start application

Depth 47: C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
Command line: "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate
- Executes dropped EXE

Depth 47: C:\ProgramData\Synaptics\Synaptics.exe
Command line: "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
- Executes dropped EXE

Depth 48: C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
- Executes dropped EXE
- Drops file in Windows directory

Depth 49: C:\Windows\svchost.com
Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate
- Executes dropped EXE
- Drops file in Windows directory

Depth 50: C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate
- Executes dropped EXE
- Adds Run key to start application

Depths 51 through 78: the same four-level cycle repeats seven more times with the same images and command lines (each still carrying the InjUpdate argument), and with a fixed set of attributed signatures:
- Depths 51, 55, 59, 63, 67, 71, 75: C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE and C:\ProgramData\Synaptics\Synaptics.exe, no signatures attributed
- Depths 52, 56, 60, 64, 68, 72, 76: C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe: Drops file in Windows directory
- Depths 53, 57, 61, 65, 69, 73, 77: C:\Windows\svchost.com (started with "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate as its argument): Drops file in Windows directory
- Depths 54, 58, 62, 66, 70, 74, 78: C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE: Adds Run key to start application

Depths 79 through 82 follow the same pattern (no signatures at depth 79, Drops file in Windows directory at depths 80 and 81), except that _CACHE~2.EXE at depth 82 has no signature attributed.

Depths 83 through 143 continue the identical cycle with no signatures attributed to any process. The listing ends at depth 143 with C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE and C:\ProgramData\Synaptics\Synaptics.exe, both started with the InjUpdate argument.
-
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate144⤵
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate145⤵
-
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate146⤵
-
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate147⤵
-
C:\ProgramData\Synaptics\Synaptics.exe"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate147⤵
-
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate148⤵
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate149⤵
-
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate150⤵
-
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate151⤵
-
C:\ProgramData\Synaptics\Synaptics.exe"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate151⤵
-
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate152⤵
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate153⤵
-
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate154⤵
-
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate155⤵
-
C:\ProgramData\Synaptics\Synaptics.exe"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate155⤵
-
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate156⤵
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate157⤵
-
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate158⤵
-
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate159⤵
-
C:\ProgramData\Synaptics\Synaptics.exe"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate159⤵
-
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate160⤵
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate161⤵
-
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate162⤵
-
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate163⤵
-
C:\ProgramData\Synaptics\Synaptics.exe"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate163⤵
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe -Embedding1⤵
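The process tree above repeats one five-step cycle dozens of times: C:\Windows\svchost.com (the Neshta body) is run with the real target as its argument, the target runs from the Neshta drop folder %TEMP%\3582-490, the Synaptics layer then unwraps a ._cache_ copy and its own C:\ProgramData\Synaptics\Synaptics.exe, and that copy is itself Neshta-infected, so the cycle restarts one level deeper. The following is an added example, not part of the sandbox report, that parses entries written in the report's one-line export form (image path, command line and tree depth run together, ending in ⤵), rebuilds parent links from the depth numbers and tags each process with the Neshta and Synaptics traits this report shows. The tag names and the regular expression are this example's own; the sample lines are constructed from the entries for depths 117 to 121 plus the WMI provider root.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Export form: <image path><command line><depth>⤵ with no separator between fields.
# The image ends at its first .exe/.com; the command line starts with a quote or a
# drive letter; the trailing digits before ⤵ are the depth in the process tree.
LINE_RE = re.compile(
    r'^(?P<image>[A-Za-z]:\\[^"]*?\.(?:exe|com))'
    r'(?P<cmd>(?:"|[A-Za-z]:\\).*?)'
    r'(?P<depth>\d+)⤵$',
    re.IGNORECASE,
)
ARG_RE = re.compile(r'"([^"]*)"|(\S+)')  # quoted or bare command-line tokens


@dataclass
class Proc:
    depth: int
    image: str
    cmdline: str
    args: List[str]               # everything after argv[0]
    parent: Optional[int] = None  # index into parse_tree()'s list; None if the parent lies outside the excerpt


def parse_tree(lines) -> List[Proc]:
    """Parse exported entries and rebuild parent links from the depth numbers."""
    procs: List[Proc] = []
    stack: List[int] = []  # indices of the current ancestor chain
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:              # "-" separators and blank lines carry no process
            continue
        depth = int(m["depth"])
        tokens = [quoted or bare for quoted, bare in ARG_RE.findall(m["cmd"])]
        while stack and procs[stack[-1]].depth >= depth:
            stack.pop()        # siblings and deeper branches are finished
        parent = stack[-1] if stack else None
        procs.append(Proc(depth, m["image"], m["cmd"].strip(), tokens[1:], parent))
        stack.append(len(procs) - 1)
    return procs


def classify(p: Proc) -> set:
    """Tag a process with the Neshta / Synaptics traits visible in this report."""
    tags = set()
    image = p.image.lower()
    name = image.rsplit("\\", 1)[-1]
    if name == "svchost.com" and "\\windows\\" in image:
        tags.add("neshta-stub")           # Neshta body; per the matrix it owns the .exe file association
    if "\\3582-490\\" in image:
        tags.add("neshta-host-copy")      # host the stub copied into %TEMP%\3582-490 before running it
    if name.startswith("._cache_"):
        tags.add("synaptics-cache-copy")  # unwrapped host written by the Synaptics layer
    if image.startswith("c:\\programdata\\synaptics\\synaptics.exe"):
        tags.add("synaptics-dropper")
    if "InjUpdate" in p.args:
        tags.add("synaptics-injupdate")   # argument every Synaptics-layer process is started with
    return tags


def host_of_stub(p: Proc) -> Optional[str]:
    """For a svchost.com launch, the first argument is the file the user actually ran."""
    return p.args[0] if "neshta-stub" in classify(p) and p.args else None


def summarize(lines) -> Dict:
    procs = parse_tree(lines)
    tags: Dict[str, int] = {}
    hosts = set()
    for p in procs:
        for t in classify(p):
            tags[t] = tags.get(t, 0) + 1
        h = host_of_stub(p)
        if h:
            hosts.add(h)
    return {
        "processes": len(procs),
        "max_depth": max((p.depth for p in procs), default=0),
        "tags": tags,
        "neshta_hosts": sorted(hosts),
    }


# Constructed sample in the report's export form (one "-" separator kept to show it is skipped).
SAMPLE = r"""
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate117⤵
-
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate118⤵
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate119⤵
C:\ProgramData\Synaptics\Synaptics.exe"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate119⤵
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate120⤵
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate121⤵
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe -Embedding1⤵
""".splitlines()

if __name__ == "__main__":
    for i, p in enumerate(parse_tree(SAMPLE)):
        print(f"{i} depth={p.depth} parent={p.parent} {p.image} {sorted(classify(p))}")
    print(summarize(SAMPLE))
```

Two things fall out of the parent links that the flat listing hides: both depth-119 processes are children of the depth-118 host copy, and the next svchost.com is a child of ._cache_Synaptics.exe, which is what makes the chain recursive rather than a loop driven by one parent. The depth-1 WMI provider has no ancestor in the excerpt and gets no tags, which is the control case.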
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Event Triggered Execution 1
Change Default File Association 1
Boot or Logon Autostart Execution 1
Registry Run Keys / Startup Folder 1
Downloads
-
C:\MSOCache\ALLUSE~1\{90140~1\DW20.EXE
Filesize 859KB
MD5 02ee6a3424782531461fb2f10713d3c1
SHA1 b581a2c365d93ebb629e8363fd9f69afc673123f
SHA256 ead58c483cb20bcd57464f8a4929079539d634f469b213054bf737d227c026dc
SHA512 6c9272cb1b6bde3ee887e1463ab30ea76568cb1a285d11393337b78c4ad1c3b7e6ce47646a92ab6d70bff4b02ab9d699b84af9437b720e52dcd35579fe2693ec
-
C:\MSOCache\ALLUSE~1\{90140~1\dwtrig20.exe
Filesize 547KB
MD5 cf6c595d3e5e9667667af096762fd9c4
SHA1 9bb44da8d7f6457099cb56e4f7d1026963dce7ce
SHA256 593e60cc30ae0789448547195af77f550387f6648d45847ea244dd0dd7abf03d
SHA512 ff4f789df9e6a6d0fbe12b3250f951fcf11e857906c65e96a30bb46266e7e1180d6103a03db2f3764e0d1346b2de7afba8259ba080057e4a268e45e8654dfa80
-
C:\MSOCache\ALLUSE~1\{9A861~1\ose.exe
Filesize 186KB
MD5 58b58875a50a0d8b5e7be7d6ac685164
SHA1 1e0b89c1b2585c76e758e9141b846ed4477b0662
SHA256 2a0aa0763fdef9c38c5dd4d50703f0c7e27f4903c139804ec75e55f8388139ae
SHA512 d67214077162a105d01b11a8e207fab08b45b08fbfba0615a2ea146e1dd99eea35e4f02958a1754d3192292c00caf777f186f0a362e4b8b0da51fabbdb76375b
-
C:\MSOCache\ALLUSE~1\{9A861~1\setup.exe
Filesize 1.1MB
MD5 566ed4f62fdc96f175afedd811fa0370
SHA1 d4b47adc40e0d5a9391d3f6f2942d1889dd2a451
SHA256 e17cd94c08fc0e001a49f43a0801cea4625fb9aee211b6dfebebec446c21f460
SHA512 cdf8f508d396a1a0d2e0fc25f2ae46398b25039a0dafa0919737cc44e3e926ebae4c3aa26f1a3441511430f1a36241f8e61c515a5d9bd98ad4740d4d0f7b8db7
-
C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE
Filesize 100KB
MD5 6a091285d13370abb4536604b5f2a043
SHA1 8bb4aad8cadbd3894c889de85e7d186369cf6ff1
SHA256 909205de592f50532f01b4ac7b573b891f7e6e596b44ff94187b1ba4bcc296bb
SHA512 9696e4f60a5b1166535ca8ca3fb495d718086463d1a12fa1facc08219ad5b918208ddd2a102f7955e29153b081e05985c4ae6e4302ab36d548bb62991a47db18
-
C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXE
Filesize 130KB
MD5 7ce8bcabb035b3de517229dbe7c5e67d
SHA1 8e43cd79a7539d240e7645f64fd7f6e9e0f90ab9
SHA256 81a3a1dc3104973a100bf8d114b6be35da03767a0cbbaf925f970ffcbe5f217c
SHA512 be7fcd50b4f71b458ca001b7c019bf1169ec089d7a1ce05355134b11cbe75a5a29811f9efec803877aeb1a1d576ea2628926e0131361db23214275af6e89e80c
-
C:\PROGRA~2\COMMON~1\MICROS~1\EQUATION\EQNEDT32.EXE
Filesize 571KB
MD5 d4fdbb8de6a219f981ffda11aa2b2cc4
SHA1 cca2cffd4cf39277cc56ebd050f313de15aabbf6
SHA256 ba3dc87fca4641e5f5486c4d50c09d087e65264e6c5c885fa6866f6ccb23167b
SHA512 7167e13dbcc8c96114fef5fc7ae19afa31173617db153dd283aa6d8256f6b8c09c8f906f5d418efe9f7f242cdfaef24b93c11c451701c4d56eb48d18de4e88bf
-
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOXMLED.EXE
Filesize 194KB
MD5 7ed0f5802e7fc1243b7c82862c5bf87c
SHA1 e16741b5050df662da25419da6cf80517fc2a46a
SHA256 3342cf175e2c42ee691ba58cf7f6d6db3116f615b5483327fed706067b265595
SHA512 a006888ed6dbd9dd548f84d57c84e3baccc1ee5c09d2d127ce26c3f01af59e8531bc43b4f986aa45d8853f3d71a87dec2adbd34bd75a182e4f45111c69339fef
-
C:\ProgramData\Synaptics\RCX8076.tmp
Filesize 1.1MB
MD5 e4a7eb2876ffd171ff603b1c2888348c
SHA1 c04ba85968b72370a1839cfe4062a4726c1c12d1
SHA256 ba74794ef25aa8148fe3cede53880bce6a702b154538178362ae3c5aded0497b
SHA512 0db4a73f570aa7659db581f6fe44bcf6555b41c225e9c542fd3b1d5b75e7ad17cf0b002167e8556f02d0a966051ce3e5b426ec7004b3b3b2f0dc87224dce96b2
-
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
Filesize 266KB
MD5 c08ebf3a175b66593b27a3c071df5115
SHA1 4acafe7abdf85c922cac6065c9e4d0c909c22c85
SHA256 1a7cebff8a5859fcd9847bef3695ee9f8d29ddca361d8f52a6b23d824deba968
SHA512 79b17d05ebc6e5b17f25f0ce1c202e1ef4c959246073e1b242edc4c4c45a2bcf4b3ffac2f01f4394112eadc961c6b8934208a071658493ef7a7c34e810e567a9
-
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
Filesize 1.3MB
MD5 94e5f271b702947d8c96c432a77e99e7
SHA1 a284a7fb14c9576a380052f16e1aadf4c82a2105
SHA256 a3c7ec7dbd6ef0b778f0f05e140b965f5c1af8bce1a729ed5f8e183822dc10b9
SHA512 60dfef773155ce6a70b3c37f08c9d210fb4e9ae6aba4ed2b230ec1577f5484fd154cfbe27de7dd795ec171c6d24814813f89165d7011f14a224d64a2bf1dcb71
-
C:\Windows\directx.sys
Filesize 57B
MD5 6b3bfceb3942a9508a2148acbee89007
SHA1 3622ac7466cc40f50515eb6fcdc15d1f34ad3be3
SHA256 e0a7bae2a9ac263cff5d725922e40272d8854278d901233a93a5267859c00a3c
SHA512 fa222bfcade636824af32124b45450c92b1abec7a33e6e647a9248eef5371c127d22ccb7cc5a096b4d5d52e2457f3841293a1b34304e8e5523549856ac02f224
-
C:\Windows\svchost.com
Filesize 40KB
MD5 2ff724ca136d4a831421dfd891e167c6
SHA1 5416f8de17ae4a8d9ea2e2d4570c5dd9ba7e5eb8
SHA256 ff787f8231bb6f6a30eb61f46d56920e742ae22dd047622f8fbe6266d8bb864d
SHA512 5ad202eb3222b9a95695ee1ffcebdaa3cd7235dbc8a1bf845e560736f514d9d7c92bc509c7089f53ff391bcd1d053050ccf0d889102a2b53b373d211dfbd9dc0
-
\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE
Filesize 252KB
MD5 9e2b9928c89a9d0da1d3e8f4bd96afa7
SHA1 ec66cda99f44b62470c6930e5afda061579cde35
SHA256 8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043
SHA512 2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156
-
\Users\Admin\AppData\Local\Temp\._cache_19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe
Filesize 1.4MB
MD5 c6b7d88af09bed8ef817c3ad1f68f9f4
SHA1 c49df92061197098f62c7e5031e8b9ce406d911c
SHA256 b116d954ddce3d3df3ef09a44aac5433c91ea2fee317dbf33fc5c4e5cec06af5
SHA512 75452e228ccfc14f144d4ce777b5898ace42ca5638c2607cc00b1dd1ba1ff05e3074af33bfad39979b0e3b035daad4a7503a1c88f3c3a5ecf2ce3266d0a33c2d
-
\Users\Admin\AppData\Local\Temp\3582-490\19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe
Filesize 2.5MB
MD5 44cce607c901188b1ceca88705a3edfb
SHA1 104192763c1994a8686e1b813dde36109e83a1b6
SHA256 f85efbd3d02c72fc85aabcf5549b6803fd9968cc301dbf7dc4c745c3d3da1309
SHA512 1a4116c0fbb63cdf1ac1ab30b542286e501b2d94e9090ef0812d2b8c5a076c9a1b83295f3d333929df72c47e97faac683db473c74d915e8452a83b0d9492bdab
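The file list above pairs a 40KB C:\Windows\svchost.com with a set of Office and Adobe executables on which the Neshta rules fire, plus the 57-byte C:\Windows\directx.sys that the Neshta signatures also cover. What follows is an added example, not part of this report or of any tool it names, of the check an analyst would run on those executables: scan the file for every MZ header whose e_lfanew points at a valid PE signature, and if a second image starts after the one at offset 0, carve it off as the original host. It assumes the prepended-stub layout commonly attributed to Neshta-infected files; the report itself only lists the detections and sizes, and the stub and host bytes below are constructed, not taken from the sample. A second embedded PE is not proof of infection on its own (installers and self-extractors embed PEs too), so corroborate with the svchost.com/directx.sys artefacts and the file-association change in the matrix.

```python
import struct
from typing import List, Optional, Tuple

PE_SIG = b"PE\0\0"


def find_pe_headers(data: bytes) -> List[int]:
    """Return the offsets of every plausible PE image start in `data`.

    A candidate is an 'MZ' whose e_lfanew (dword at +0x3C) points at a PE
    signature inside the buffer. Checking the signature, not just 'MZ',
    keeps random 'MZ' byte pairs in code or resources out of the list.
    """
    hits: List[int] = []
    pos = data.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(data):
            (e_lfanew,) = struct.unpack_from("<I", data, pos + 0x3C)
            pe = pos + e_lfanew
            if 0x40 <= e_lfanew <= 0x1000 and data[pe:pe + 4] == PE_SIG:
                hits.append(pos)
        pos = data.find(b"MZ", pos + 1)
    return hits


def carve_appended_host(data: bytes) -> Optional[Tuple[int, bytes]]:
    """If a second PE image follows the one at offset 0, return (stub_len, host_bytes).

    Prepended-stub layout (assumed here for Neshta-infected hosts): everything
    before the second header is the infector, everything from it on is the host.
    Returns None for a file with a single image, or none at offset 0.
    """
    hits = find_pe_headers(data)
    if len(hits) < 2 or hits[0] != 0:
        return None
    return hits[1], data[hits[1]:]


def fake_pe(tag: bytes, size: int) -> bytes:
    """Constructed stand-in for a PE file: MZ header, e_lfanew=0x40, PE signature, tag, padding.

    Not a loadable executable; it carries only the two fields the scanner reads.
    """
    hdr = bytearray(0x40)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    body = bytes(hdr) + PE_SIG + tag
    return body + b"\0" * (size - len(body))


# Constructed sample: a 40KB "stub" (the size the report lists for svchost.com)
# followed by a 4KB "host", mimicking the assumed infected-file layout.
STUB = fake_pe(b"STUB", 40 * 1024)
HOST = fake_pe(b"HOST", 4096)
INFECTED = STUB + HOST


def demo() -> dict:
    hits = find_pe_headers(INFECTED)
    carved = carve_appended_host(INFECTED)
    return {
        "pe_offsets": hits,
        "stub_len": carved[0] if carved else None,
        "host_is_intact": carved is not None and carved[1] == HOST,
        "clean_file_untouched": carve_appended_host(HOST) is None,
    }


if __name__ == "__main__":
    print(demo())
```

On a real suspect file, compare the reported stub length with the size of the dropped C:\Windows\svchost.com and the carved host's hash with a known-good copy of the same Office or Adobe binary before trusting the result; the 1.3MB _CACHE~1.EXE and 2.5MB host in %TEMP%\3582-490 listed above are what such carving should reproduce if the layout assumption holds for this sample.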
-
memory/264-89-0x0000000000400000-0x000000000041B000-memory.dmp
Filesize 108KB
-
memory/360-307-0x0000000000400000-0x000000000041B000-memory.dmp
Filesize 108KB
-
memory/836-515-0x0000000000400000-0x000000000055F000-memory.dmp
Filesize 1.4MB
-
memory/880-406-0x0000000000400000-0x000000000041B000-memory.dmp
Filesize 108KB
-
memory/996-541-0x0000000000400000-0x000000000041B000-memory.dmp
Filesize 108KB
-
memory/1060-188-0x0000000000400000-0x000000000041B000-memory.dmp
Filesize 108KB
-
memory/1120-402-0x0000000000400000-0x000000000055F000-memory.dmp
Filesize 1.4MB
-
memory/1152-202-0x0000000000400000-0x000000000055F000-memory.dmp
Filesize 1.4MB
-
memory/1240-387-0x0000000000400000-0x000000000055F000-memory.dmp
Filesize 1.4MB
-
memory/1300-410-0x0000000000400000-0x000000000055F000-memory.dmp
Filesize 1.4MB
-
memory/1316-508-0x0000000000400000-0x000000000041B000-memory.dmp
Filesize 108KB
-
memory/1356-477-0x0000000000400000-0x000000000055F000-memory.dmp
Filesize 1.4MB
-
memory/1380-386-0x0000000000400000-0x000000000041B000-memory.dmp
Filesize 108KB
-
memory/1552-425-0x0000000000400000-0x000000000055F000-memory.dmp
Filesize 1.4MB
-
memory/1576-535-0x0000000000400000-0x000000000041B000-memory.dmp
Filesize 108KB
-
memory/1616-462-0x0000000000400000-0x000000000055F000-memory.dmp
Filesize 1.4MB
-
memory/1672-14-0x0000000000220000-0x0000000000221000-memory.dmp
Filesize 4KB
-
memory/1672-63-0x0000000000400000-0x0000000000680000-memory.dmp
Filesize 2.5MB
-
memory/1708-504-0x0000000000400000-0x000000000055F000-memory.dmp
Filesize 1.4MB
-
memory/1716-131-0x00000000012A0000-0x00000000012E8000-memory.dmp
Filesize 288KB
-
memory/1720-451-0x0000000000400000-0x000000000055F000-memory.dmp
Filesize 1.4MB
-
memory/1744-178-0x0000000000400000-0x000000000041B000-memory.dmp
Filesize 108KB
-
memory/1772-514-0x0000000000400000-0x000000000041B000-memory.dmp
Filesize 108KB
-
memory/1904-455-0x0000000000400000-0x000000000041B000-memory.dmp
Filesize 108KB
-
memory/1952-359-0x0000000000400000-0x000000000041B000-memory.dmp
Filesize 108KB
-
memory/2008-487-0x0000000000400000-0x000000000041B000-memory.dmp
Filesize 108KB
-
memory/2044-353-0x0000000000400000-0x000000000041B000-memory.dmp
Filesize 108KB
-
memory/2056-376-0x0000000000400000-0x000000000055F000-memory.dmp
Filesize 1.4MB
-
memory/2152-530-0x0000000000400000-0x000000000055F000-memory.dmp
Filesize 1.4MB
-
memory/2152-380-0x0000000000400000-0x000000000041B000-memory.dmp
Filesize 108KB
-
memory/2228-292-0x0000000000400000-0x000000000055F000-memory.dmp
Filesize 1.4MB
-
memory/2232-334-0x0000000000400000-0x000000000055F000-memory.dmp
Filesize 1.4MB
-
memory/2260-217-0x0000000000400000-0x000000000055F000-memory.dmp
Filesize 1.4MB
-
memory/2436-327-0x0000000000400000-0x000000000041B000-memory.dmp
Filesize 108KB
-
memory/2464-349-0x0000000000400000-0x000000000055F000-memory.dmp
Filesize 1.4MB
-
memory/2464-481-0x0000000000400000-0x000000000041B000-memory.dmp
Filesize 108KB
-
memory/2480-461-0x0000000000400000-0x000000000041B000-memory.dmp
Filesize 108KB
-
memory/2504-568-0x0000000000400000-0x000000000055F000-memory.dmp
Filesize 1.4MB
-
memory/2520-308-0x0000000000400000-0x000000000055F000-memory.dmp
Filesize 1.4MB
-
memory/2524-129-0x0000000000400000-0x000000000055F000-memory.dmp
Filesize 1.4MB
-
memory/2524-361-0x0000000000400000-0x000000000055F000-memory.dmp
Filesize 1.4MB
-
memory/2548-102-0x0000000000400000-0x0000000000680000-memory.dmp
Filesize 2.5MB
-
memory/2596-567-0x0000000000400000-0x000000000041B000-memory.dmp
Filesize 108KB
-
memory/2600-557-0x0000000000400000-0x000000000055F000-memory.dmp
Filesize 1.4MB
-
memory/2608-435-0x0000000000400000-0x000000000041B000-memory.dmp
Filesize 108KB
-
memory/2624-429-0x0000000000400000-0x000000000041B000-memory.dmp
Filesize 108KB
-
memory/2700-360-0x0000000000400000-0x000000000041B000-memory.dmp
Filesize 108KB
-
memory/2700-531-0x0000000000400000-0x000000000041B000-memory.dmp
Filesize 108KB
-
memory/2728-267-0x0000000000400000-0x000000000041B000-memory.dmp
Filesize 108KB
-
memory/2740-55-0x0000000000400000-0x000000000041B000-memory.dmp
Filesize 108KB
-
memory/2784-489-0x0000000000400000-0x000000000055F000-memory.dmp
Filesize 1.4MB
-
memory/2816-130-0x0000000001060000-0x00000000010A8000-memory.dmp
Filesize 288KB
-
memory/2820-297-0x0000000000400000-0x000000000041B000-memory.dmp
Filesize 108KB
-
memory/2820-488-0x0000000000400000-0x000000000041B000-memory.dmp
Filesize 108KB
-
memory/2832-301-0x0000000000400000-0x000000000041B000-memory.dmp
Filesize 108KB
-
memory/2836-95-0x0000000000400000-0x000000000041B000-memory.dmp
Filesize 108KB
-
memory/2848-323-0x0000000000400000-0x000000000055F000-memory.dmp
Filesize 1.4MB
-
memory/2880-333-0x0000000000400000-0x000000000041B000-memory.dmp
Filesize 108KB
-
memory/2884-561-0x0000000000400000-0x000000000041B000-memory.dmp
Filesize 108KB
-
memory/2900-127-0x0000000000400000-0x000000000055F000-memory.dmp
Filesize 1.4MB
-
memory/2924-277-0x0000000000400000-0x000000000055F000-memory.dmp
Filesize 1.4MB
-
memory/2944-436-0x0000000000400000-0x000000000055F000-memory.dmp
Filesize 1.4MB
-
memory/3048-407-0x0000000000400000-0x000000000041B000-memory.dmp
Filesize 108KB
-
memory/3048-408-0x00000000779A0000-0x0000000077ABF000-memory.dmp
Filesize 1.1MB
-
memory/3048-409-0x0000000077AC0000-0x0000000077BBA000-memory.dmp
Filesize 1000KB
-
memory/3052-261-0x0000000000400000-0x000000000041B000-memory.dmp
Filesize 108KB
-
memory/3056-542-0x0000000000400000-0x000000000055F000-memory.dmp
Filesize 1.4MB