Analysis
max time kernel: 26s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 18-06-2024 20:09

Behavioral task: behavioral1
Sample: 19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe
Resource: win7-20240611-en

Behavioral task: behavioral2
Sample: 19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe
Resource: win10v2004-20240226-en

General
Target: 19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe
Size: 2.5MB
MD5: 764f4baced7ef6823e658d10cf71b392
SHA1: e8c24ea84679d6cf8ed4dd1dff934edecd63fb81
SHA256: 19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d
SHA512: 174a27d27e358f4e9c1f6f82e694e1ed86857e7abb34a1f4ad964cc3990f6267f91ff7ea5ca4469b0ac6956f43de652a176194244f3d801789e778fbae2b4e85
SSDEEP: 49152:6Hyjtk2MYC5GDIHyjtk2MYC5GDhEh5Cenun9:6mtk2aZmtk2aiQCenun9
Malware Config
Signatures
-
Detect Neshta payload 45 IoCs
Neshta
Malware from the Neshta family infects other executable files in order to spread itself and cause damage.
-
Checks computer location settings 2 TTPs 13 IoCs
Looks up the country code configured in the registry, likely for geofencing.
Executes dropped EXE 19 IoCs
Processes (pid, process):
  4072  19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe
  2572  ._cache_19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe
  856   svchost.com
  4228  _CACHE~1.EXE
  232   Synaptics.exe
  3700  ._cache_Synaptics.exe
  732   ._cache__CACHE~1.EXE
  4084  svchost.com
  3576  _CACHE~2.EXE
  2908  ._cache__CACHE~2.EXE
  4228  Synaptics.exe
  4016  ._cache_Synaptics.exe
  2200  svchost.com
  4612  _CACHE~2.EXE
  2440  ._cache__CACHE~2.EXE
  3792  Synaptics.exe
  3576  ._cache_Synaptics.exe
  4084  svchost.com
  4668  _CACHE~2.EXE
-
Loads dropped DLL 8 IoCs
Processes (pid, process):
  4228  Synaptics.exe
  4228  Synaptics.exe
  4612  _CACHE~2.EXE
  4612  _CACHE~2.EXE
  3792  Synaptics.exe
  3792  Synaptics.exe
  4668  _CACHE~2.EXE
  4668  _CACHE~2.EXE
-
Modifies system executable filetype association 2 TTPs 1 IoCs
Processes: 19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" (process: 19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe)
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials and other sensitive information.
-
Adds Run key to start application 2 TTPs 3 IoCs
Processes: 19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe, _CACHE~2.EXE, _CACHE~2.EXE
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" (process: 19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" (process: _CACHE~2.EXE)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" (process: _CACHE~2.EXE)
-
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 17 IoCs
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 9 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: EXCEL.EXE, EXCEL.EXE, EXCEL.EXE
  Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (process: EXCEL.EXE)
  Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (process: EXCEL.EXE)
  Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (process: EXCEL.EXE)
  Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (process: EXCEL.EXE)
  Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (process: EXCEL.EXE)
  Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (process: EXCEL.EXE)
  Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (process: EXCEL.EXE)
  Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (process: EXCEL.EXE)
  Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (process: EXCEL.EXE)
-
Enumerates system info in registry 2 TTPs 9 IoCs
Processes: EXCEL.EXE, EXCEL.EXE, EXCEL.EXE
  Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS (process: EXCEL.EXE)
  Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (process: EXCEL.EXE)
  Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (process: EXCEL.EXE)
  Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (process: EXCEL.EXE)
  Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (process: EXCEL.EXE)
  Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS (process: EXCEL.EXE)
  Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (process: EXCEL.EXE)
  Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS (process: EXCEL.EXE)
  Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (process: EXCEL.EXE)
-
Modifies registry class 13 IoCs
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes (pid, process):
  464  EXCEL.EXE
-
Suspicious behavior: EnumeratesProcesses 44 IoCs
Suspicious use of AdjustPrivilegeToken 22 IoCs
Suspicious use of SetWindowsHookEx 6 IoCs
Processes (pid, process):
  464   EXCEL.EXE
  464   EXCEL.EXE
  3796  EXCEL.EXE
  3796  EXCEL.EXE
  3120  EXCEL.EXE
  3120  EXCEL.EXE
-
Suspicious use of WriteProcessMemory 57 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe "C:\Users\Admin\AppData\Local\Temp\19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe" (level 1)
- Checks computer location settings
- Modifies system executable filetype association
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\3582-490\19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe "C:\Users\Admin\AppData\Local\Temp\3582-490\19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe" (level 2)
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\._cache_19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe "C:\Users\Admin\AppData\Local\Temp\._cache_19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe" (level 3)
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\svchost.com "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE" (level 4)
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE (level 5)
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE" (level 6)
- Executes dropped EXE
-
C:\ProgramData\Synaptics\Synaptics.exe "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate (level 3)
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate (level 4)
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\svchost.com "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate (level 5)
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate (level 6)
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate (level 7)
- Executes dropped EXE
-
C:\ProgramData\Synaptics\Synaptics.exe "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate (level 7)
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate (level 8)
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\svchost.com "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate (level 9)
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate (level 10)
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate (level 11)
- Executes dropped EXE
-
C:\ProgramData\Synaptics\Synaptics.exe "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate (level 11)
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate (level 12)
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\svchost.com "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate (level 13)
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate (level 14)
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
-
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate (level 15)
-
C:\ProgramData\Synaptics\Synaptics.exe "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate (level 15)
-
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate (level 16)
-
C:\Windows\svchost.com "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate (level 17)
-
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate (level 18)
-
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate (level 19)
-
C:\ProgramData\Synaptics\Synaptics.exe "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate (level 19)
-
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate (level 20)
-
C:\Windows\svchost.com "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate (level 21)
-
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate (level 22)
-
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate (level 23)
-
C:\ProgramData\Synaptics\Synaptics.exe "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate (level 23)
-
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate (level 24)
-
C:\Windows\svchost.com "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate (level 25)
-
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate (level 26)
-
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate (level 27)
-
C:\ProgramData\Synaptics\Synaptics.exe "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate (level 27)
-
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate (level 28)
-
C:\Windows\svchost.com "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate (level 29)
-
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate (level 30)
-
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate (level 31)
-
C:\ProgramData\Synaptics\Synaptics.exe "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate (level 31)
-
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate (level 32)
-
C:\Windows\svchost.com "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate (level 33)
-
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate (level 34)
-
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate (level 35)
-
C:\ProgramData\Synaptics\Synaptics.exe "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate (level 35)
-
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate (level 36)
-
C:\Windows\svchost.com "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate (level 37)
-
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate (level 38)
-
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate (level 39)
-
C:\ProgramData\Synaptics\Synaptics.exe "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate (level 39)
-
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate (level 40)
-
C:\Windows\svchost.com "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate (level 41)
-
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate (level 42)
-
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate (level 43)
-
C:\ProgramData\Synaptics\Synaptics.exe "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate (level 43)
-
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate (level 44)
-
C:\Windows\svchost.com "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate (level 45)
-
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate (level 46)
-
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate (level 47)
-
C:\ProgramData\Synaptics\Synaptics.exe "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate (level 47)
-
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate (level 48)
-
C:\Windows\svchost.com "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate (level 49)
-
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate (level 50)
-
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate (level 51)
-
C:\ProgramData\Synaptics\Synaptics.exe "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate (level 51)
-
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate (level 52)
-
C:\Windows\svchost.com "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate (level 53)
-
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate (level 54)
-
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate (level 55)
-
C:\ProgramData\Synaptics\Synaptics.exe "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate (level 55)
-
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate (level 56)
-
C:\Windows\svchost.com "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate (level 57)
-
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate (level 58)
-
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate (level 59)
-
C:\ProgramData\Synaptics\Synaptics.exe "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate (level 59)
-
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate (level 60)
-
C:\Windows\svchost.com "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate (level 61)
-
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate (level 62)
-
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate (level 63)
-
C:\ProgramData\Synaptics\Synaptics.exe "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate (level 63)
-
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate (level 64)
-
C:\Windows\svchost.com "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate (level 65)
-
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate (level 66)
-
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate (level 67)
-
C:\ProgramData\Synaptics\Synaptics.exe "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate (level 67)
-
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate (level 68)
-
C:\Windows\svchost.com "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate (level 69)
-
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate (level 70)
-
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate (level 71)
-
C:\ProgramData\Synaptics\Synaptics.exe "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate (level 71)
-
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate (level 72)
-
C:\Windows\svchost.com "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate (level 73)
-
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate (level 74)
-
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate (level 75)
-
C:\ProgramData\Synaptics\Synaptics.exe "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate (level 75)
-
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate (level 76)
-
C:\Windows\svchost.com "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate (level 77)
-
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate (level 78)
-
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate (level 79)
-
C:\ProgramData\Synaptics\Synaptics.exe "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate (level 79)
-
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate (level 80)
-
C:\Windows\svchost.com "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate (level 81)
-
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate (level 82)
-
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate (level 83)
-
C:\ProgramData\Synaptics\Synaptics.exe "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate (level 83)
-
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate (level 84)
-
C:\Windows\svchost.com "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate (level 85)
-
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate (level 86)
-
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate (level 87)
-
C:\ProgramData\Synaptics\Synaptics.exe "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate (level 87)
-
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate (level 88)
-
C:\Windows\svchost.com "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate (level 89)
-
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate (level 90)
-
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate (level 91)
-
C:\ProgramData\Synaptics\Synaptics.exe "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate (level 91)
-
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate (level 92)
-
C:\Windows\svchost.com "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate (level 93)
-
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate (level 94)
-
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate (level 95)
-
C:\ProgramData\Synaptics\Synaptics.exe "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate (level 95)
-
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate (level 96)
-
C:\Windows\svchost.com "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate (level 97)
-
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate (level 98)
-
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate (level 99)
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding (level 1)
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding (level 1)
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding (level 1)
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding (level 1)
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding (level 1)
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding (level 1)
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding (level 1)
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3700 --field-trial-handle=2284,i,15722001240173834669,15048020084704567542,262144 --variations-seed-version /prefetch:8 (level 1)
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding (level 1)
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding (level 1)
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding (level 1)
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding (level 1)
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding (level 1)
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding (level 1)
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding (level 1)
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding (level 1)
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding (level 1)
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding (level 1)
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding (level 1)
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding (level 1)
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding (level 1)
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding (level 1)
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding (level 1)
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding (level 1)
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding (level 1)
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
Event Triggered Execution
1 Change Default File Association
1 Boot or Logon Autostart Execution
1 Registry Run Keys / Startup Folder
Downloads
-
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe
Filesize 175KB
MD5 576410de51e63c3b5442540c8fdacbee
SHA1 8de673b679e0fee6e460cbf4f21ab728e41e0973
SHA256 3f00404dd591c2856e6f71bd78423ed47199902e0b85f228e6c4de72c59ddffe
SHA512 f7761f3878775b30cc3d756fa122e74548dfc0a27e38fa4109e34a59a009df333d074bf14a227549ae347605f271be47984c55148685faac479aeb481f7191db
-
C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE
Filesize 454KB
MD5 bcd0f32f28d3c2ba8f53d1052d05252d
SHA1 c29b4591df930dabc1a4bd0fa2c0ad91500eafb2
SHA256 bb07d817b8b1b6b4c25e62b6120e51dec10118557d7b6b696ad084a5ba5bfdeb
SHA512 79f407735853f82f46870c52058ceee4d91857a89db14868ee1169abd5c0fd2e3fa1ed230ab90b5f479a9581b88998643d69b0df498defea29e73b0d487f3b10
-
C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe
Filesize 1.2MB
MD5 d1c48274711d83d4a1a0cfb2abdf8d31
SHA1 b4367dd7201ef0cc22d56613e428efda07da57a8
SHA256 ade1db79870327538841d5470483c6474083f08d871bb7d56cfc9e76971c8640
SHA512 7a3e7927b8be3dc1706e6511bf04475558da076696435f937c4eafa94111c378f3bcaa1ea4e5063e91e3e333c91f086a75baaff6c5cc190d3d314c5eee1687a3
-
C:\PROGRA~2\COMMON~1\Oracle\Java\JAVAPA~1\java.exe
Filesize 325KB
MD5 9a8d683f9f884ddd9160a5912ca06995
SHA1 98dc8682a0c44727ee039298665f5d95b057c854
SHA256 5e2e22ead49ce9cc11141dbeebbe5b93a530c966695d8efc2083f00e6be53423
SHA512 6aecf8c5cb5796d6879f8643e20c653f58bad70820896b0019c39623604d5b3c8a4420562ab051c6685edce60aa068d9c2dbb4413a7b16c6d01a9ac10dc22c12
-
C:\PROGRA~2\COMMON~1\Oracle\Java\JAVAPA~1\javaws.exe
Filesize 546KB
MD5 2fbf8e73fc690c57c64459cb4c349ddb
SHA1 1038053aff4e542a8dbb77fc4d100fe083493e50
SHA256 408ad7354171bc8d51846bbe8238e8fbd6a5bf9b0b12b3f55b43f61e03371bf2
SHA512 7e29b6ae75865dc9e7004665f6c90513e5b8f593509cbd209f523ea5602ea9e242ef1fee867f8d293781a51fa816d502456bbe97414de2e7ecbc6f6f640a49fc
-
C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaw.exe
Filesize 325KB
MD5 892cf4fc5398e07bf652c50ef2aa3b88
SHA1 c399e55756b23938057a0ecae597bd9dbe481866
SHA256 e2262c798729169f697e6c30e5211cde604fd8b14769311ff4ea81abba8c2781
SHA512 f16a9e4b1150098c5936ec6107c36d47246dafd5a43e9f4ad9a31ecab69cc789c768691fa23a1440fae7f6e93e8e62566b5c86f7ed6bb4cfe26368149ea8c167
-
C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE
Filesize 230KB
MD5 e5589ec1e4edb74cc7facdaac2acabfd
SHA1 9b12220318e848ed87bb7604d6f6f5df5dbc6b3f
SHA256 6ce92587a138ec07dac387a294d0bbe8ab629599d1a2868d2afaccea3b245d67
SHA512 f36ab33894681f51b9cec7ea5a738eb081a56bcd7625bdd2f5ef2c084e4beb7378be8f292af3aeae79d9317ba57cc41df89f00aef52e58987bdb2eac3f48171a
-
C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~1.EXE
Filesize 207KB
MD5 3b0e91f9bb6c1f38f7b058c91300e582
SHA1 6e2e650941b1a96bb0bb19ff26a5d304bb09df5f
SHA256 57c993cadf4bf84810cea23a7112c6e260624beaab48d0e4332d3462900fec1d
SHA512 a4fbe28a0135f4632e0a5b6bd775f8d010250b0fbfe223db1fe81d18552a6bc166ebce807853ba02e6a476e9829454805e415ca828a5e043bd1e63dc53599d0f
-
C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~2.EXE
Filesize 265KB
MD5 25e165d6a9c6c0c77ee1f94c9e58754b
SHA1 9b614c1280c75d058508bba2a468f376444b10c1
SHA256 8bbe59987228dd9ab297f9ea34143ea1e926bfb19f3d81c2904ab877f31e1217
SHA512 7d55c7d86ccabb6e9769ebca44764f4d89e221d5756e5c5d211e52c271e3ce222df90bc9938248e2e210d6695f30f6280d929d19ef41c09d3ea31688ae24d4bf
-
C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE
Filesize 439KB
MD5 400836f307cf7dbfb469cefd3b0391e7
SHA1 7af3cbb12d3b2d8b5d9553c687c6129d1dd90a10
SHA256 cb5c5abb625a812d47007c75e3855be3f29da527a41cf03730ad5c81f3eb629a
SHA512 aa53cb304478585d6f83b19a6de4a7938ba2570d380a565a56ff5365aed073d5f56b95ad3228eb7d1e7e6110c6172a58b97bd6a5e57e4a8d39e762ed31dc17c8
-
C:\PROGRA~2\MICROS~1\EDGEUP~1\13185~1.17\MICROS~1.EXE
Filesize 242KB
MD5 247348036dbe419034c3289f577ec6ea
SHA1 6adfd450bd84a629c612c7a2f8b2a613afb49245
SHA256 29af76a6a5c935cae799cba744b4604da06d69f30e272a873f15ecfd57043b1d
SHA512 1c8c636f9a1c3c0e4f92ef026f9509fd29d696823bb1c7086b877f6f32663c2c42a83ea51c9751192cae331ad25733b417030dba81654fd747903cc3eae11025
-
C:\PROGRA~2\MICROS~1\EDGEUP~1\13185~1.17\MICROS~4.EXE
Filesize 264KB
MD5 87a9a3c1e1477e659286afd59790e1b3
SHA1 19909ca38a6c2be2fefce3f10357b7cf210f1739
SHA256 863824b473ecc45e018a7e394c4c3926e56a244134ac08b849a05d1177fc18d4
SHA512 d15502a82bf5c6ff8abf3bad088bf833000e2e8253d4af8e7182d2d7479497f20bb153062984a7bc0afeee24d03e1d7dcd01d868fc2d2ac3bc73dc0d2b318105
-
C:\PROGRA~2\MICROS~1\EdgeCore\122023~1.52\BHO\IE_TO_~1.EXE
Filesize 555KB
MD5 46bda7f4ac4ec1457af4aceec4b0951e
SHA1 9038a90a2b4f6363fd20dc45984405e1d1e2a2d6
SHA256 5eb1cd925ce4a5c5dd035a0de64bb7249303e53d1efff96ea510b0930470524f
SHA512 36e917760e250ad7550b73b20471c5c8264a6ab12984e95d4bba1f3f15602aa8ac1acbb0af3fa8fbd9aba80f002eeb444d1fb49a6d64b720e5368a7a8ce58465
-
C:\PROGRA~2\MICROS~1\EdgeCore\122023~1.52\COOKIE~1.EXE
Filesize 157KB
MD5 fe0269e24575d8a8590185540f7b4f6c
SHA1 e133f0f269ac97b93caf93fe6f7ecf55e929cef1
SHA256 1b3d321b505dd2f13e8b669f554b31e6e00f5a5ab4f98160a8f7a0dd96c3b9fa
SHA512 b30ce7aad664d2ad7ad9ff046e16a80bbf13caa70c981c12ee164f45f570b7e2013dacb630d6341ee67d4821519a9c33277f2801ad87521329b984e66873e6c0
-
C:\PROGRA~2\MICROS~1\EdgeCore\122023~1.52\ELEVAT~1.EXE
Filesize 1.7MB
MD5 f31b25bb1e8bd429892a63eaac0bce5d
SHA1 f007774635ef84623a7b4e0c892a8ee14c4b6221
SHA256 35e16cb335e2e73dc5a8ea0117598cebc98aa2e3550b32a4fb2b3d1f60be17d9
SHA512 f9515824dc4de6968903471bcc842e97acc30489d2054357c61098af190aae30ec7027c5e99aa9da1f527d53cddc209dd793db937e69f316ba1c9206884dff0a
-
C:\PROGRA~2\MICROS~1\EdgeCore\122023~1.52\MSEDGE~2.EXE
Filesize 1.2MB
MD5 7f88f3f90ac64568f91d7886f56ff0b6
SHA1 2ef4a4496c09928a09da0af641e3c092ade4f03b
SHA256 1dc1ebb5939a050cd9eff7b7011afbf877cb33f21950fff127d7481f3e9d38b2
SHA512 412345a84eeffd2ddd1bd66230d4eef5fa29e35891a4b5f329626f4b557fb2fc972f05f131b8c4c94c8296c774545b288da7ba2fda93e6654733a03d247f33e3
-
C:\PROGRA~2\MICROS~1\EdgeCore\122023~1.52\MSEDGE~3.EXE
Filesize 1.6MB
MD5 037eb09ec7455bed1c2cc12ead01b246
SHA1 821ca5516402d68a0e6aa8d807abb2f3e2a78554
SHA256 fe404e589880c9a7065f3e2cfcfa4675953dccc5250f26715f29986d7580d924
SHA512 bfae4a3f1ef8a8036e5c3c7700796bb2e5b534fd602a2ed9f209e0974b111ace42f7f82683388f2fdefbf7939bc504b57901af0cc881b2e06c74036bf802760b
-
C:\PROGRA~2\MICROS~1\EdgeCore\122023~1.52\NOTIFI~1.EXE
Filesize 1.4MB
MD5 9265ab18f47b9624d04a7bcc4794cd89
SHA1 4589d080807701f5a4813326a1b72d62e71d2880
SHA256 0cb11ab79f1810b4589f2a28a12dee99c8c913428b6c6e497123800e2134ec3c
SHA512 aa7870c60af1a278e78569c487950f6b9868b4941a25783fad63ea4bc07ba2959a8bb1b2242fc492a2ec85df610dcfcda08013501a2dd9fd9b8dcd728c0d5ead
-
C:\PROGRA~2\MICROS~1\EdgeCore\122023~1.52\msedge.exe
Filesize 3.9MB
MD5 5d756a0168c787760258a53087193fcd
SHA1 3a1190370ec84df9cbc2d0b8dc2c3c040268e667
SHA256 4dcb3cc3b7e87ea4fdfe524d5d24a32eab1f87f1d477620879edbf8ac99c25d8
SHA512 213c39edbce4602f5e2882ba39d59ab51552b5e1c384c5e274addf3ddaafecd50fd9763a888fac7b406f136dcca63ca29a696ba407ae5e1e0446bee95ad24af4
-
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\122023~1.52\INSTAL~1\setup.exe
Filesize 6.8MB
MD5 1cae3b29628f35e661eab78f1c8b4a99
SHA1 97fb011f97340a0687204a2f35e0e7e85112c97f
SHA256 643df72069bacb87065bfa4a0b552c97655c9497aeadea96e48e3d5df10cf3b0
SHA512 30924f452425afe598f4f21d59433c05c4bd217bf313363c22be4e9d23e712f96cef905a2411cdbf23da08b3f8d61e20f127fd4d2ab3aab35483f46b4e32759b
-
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\122023~1.52\identity_helper.exe
Filesize 1.2MB
MD5 a4c554903ffddf2c66eca876c614a75d
SHA1 cc789ac39fea72c579a5ec64970d2b6cc9daeac1
SHA256 09f2820a2ee73dc9ee5288fd25b3cde313e400f99f730464a31b71cfdbbd7f31
SHA512 d1feb67afcbacc1cb8c76c8774687546ab9ac6c0962ca62a8059a2b04b7332e9a0d8575ef37f9887a367b3f4f47b4bd5ea9010f754fdf0049498a58ba9fee088
-
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\122023~1.52\msedgewebview2.exe
Filesize 3.5MB
MD5 a4b214a072e3b243c4ebc478e6eb36a7
SHA1 03d0e04d345971141a1cd5f56e31e7f8480974f7
SHA256 77411e2933273fb7b04fd0dec90ea0a620b2293b6fbdbd5c29afa0cd7536fa51
SHA512 e32edd286477a52cbeaea9a0d20c49328bf78e86698620cee8c6900b672c0cc7feed5d2a5426770e9c2c70fe2a339814db4468d9fc960070e61e928ca3866a8d
-
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\122023~1.52\pwahelper.exe
Filesize 1.2MB
MD5 6aa892c7d9621d5388526f832195fc0f
SHA1 9f77f2fe1166734a4eda02222b5ec080091b68c9
SHA256 e5f38ea31c0d27d3d0435d4f19e3da0e023a9fa94bf611d5d522b72d9a2b3b66
SHA512 6bf56ce59afcf84265cd757ff99b8d664361f0f23d521386b0092b1574d34eb619184c6f8925b57fa0b94f5edf30453d6cec3b39273f8735cfe1835961ac0e3c
-
C:\ProgramData\Synaptics\RCX1519.tmp
Filesize 1.1MB
MD5 e4a7eb2876ffd171ff603b1c2888348c
SHA1 c04ba85968b72370a1839cfe4062a4726c1c12d1
SHA256 ba74794ef25aa8148fe3cede53880bce6a702b154538178362ae3c5aded0497b
SHA512 0db4a73f570aa7659db581f6fe44bcf6555b41c225e9c542fd3b1d5b75e7ad17cf0b002167e8556f02d0a966051ce3e5b426ec7004b3b3b2f0dc87224dce96b2
-
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\71274F68-5B29-4D28-BB3B-689642AEF5A6
Filesize 167KB
MD5 a85b5ec08f3b0e06fda515545d1ecd56
SHA1 84492f691d8ddf28734a6ca964415cbbc91f925e
SHA256 005866230944be1d38adaafe1d82348ca80e450ab036b77e904503d809c10416
SHA512 0a94e718d92c41905f5a9e44fbda87485d7fac2afb0f7862500f4063fcd5ceb4902e4893ed9dbd149fe6de0528cdfdba39516961f18171a8e91c0b0404456e20
-
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres
Filesize 2KB
MD5 b2c766e2d8b5b26e189f0c4f84cd2aa8
SHA1 6248b51576750abaf4534a05d3d2662f63aca17a
SHA256 3f13bf03c4ddc7fd5db223769bd37ce5cd0f235c2451d720cf283556c0fae25a
SHA512 e0b66841060032433a28bc9cd973d6078c62c1a139efc378f8555cb2256af2d44ddd70eb4d25cddf5a43fe74aa28a3e036ab2c058562763b86c49288568aa878
-
C:\Users\Admin\AppData\Local\Temp\._cache_19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe
Filesize 1.4MB
MD5 c6b7d88af09bed8ef817c3ad1f68f9f4
SHA1 c49df92061197098f62c7e5031e8b9ce406d911c
SHA256 b116d954ddce3d3df3ef09a44aac5433c91ea2fee317dbf33fc5c4e5cec06af5
SHA512 75452e228ccfc14f144d4ce777b5898ace42ca5638c2607cc00b1dd1ba1ff05e3074af33bfad39979b0e3b035daad4a7503a1c88f3c3a5ecf2ce3266d0a33c2d
-
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
Filesize 266KB
MD5 c08ebf3a175b66593b27a3c071df5115
SHA1 4acafe7abdf85c922cac6065c9e4d0c909c22c85
SHA256 1a7cebff8a5859fcd9847bef3695ee9f8d29ddca361d8f52a6b23d824deba968
SHA512 79b17d05ebc6e5b17f25f0ce1c202e1ef4c959246073e1b242edc4c4c45a2bcf4b3ffac2f01f4394112eadc961c6b8934208a071658493ef7a7c34e810e567a9
-
C:\Users\Admin\AppData\Local\Temp\3582-490\._cache_19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe
Filesize 1.3MB
MD5 94e5f271b702947d8c96c432a77e99e7
SHA1 a284a7fb14c9576a380052f16e1aadf4c82a2105
SHA256 a3c7ec7dbd6ef0b778f0f05e140b965f5c1af8bce1a729ed5f8e183822dc10b9
SHA512 60dfef773155ce6a70b3c37f08c9d210fb4e9ae6aba4ed2b230ec1577f5484fd154cfbe27de7dd795ec171c6d24814813f89165d7011f14a224d64a2bf1dcb71
-
C:\Users\Admin\AppData\Local\Temp\3582-490\19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe
Filesize 2.5MB
MD5 44cce607c901188b1ceca88705a3edfb
SHA1 104192763c1994a8686e1b813dde36109e83a1b6
SHA256 f85efbd3d02c72fc85aabcf5549b6803fd9968cc301dbf7dc4c745c3d3da1309
SHA512 1a4116c0fbb63cdf1ac1ab30b542286e501b2d94e9090ef0812d2b8c5a076c9a1b83295f3d333929df72c47e97faac683db473c74d915e8452a83b0d9492bdab
-
C:\Users\Admin\AppData\Local\Temp\lBtUbPTN.xlsm
Filesize 17KB
MD5 e566fc53051035e1e6fd0ed1823de0f9
SHA1 00bc96c48b98676ecd67e81a6f1d7754e4156044
SHA256 8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15
SHA512 a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04
-
C:\Windows\directx.sys
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
C:\Windows\directx.sysFilesize
57B
MD56b3bfceb3942a9508a2148acbee89007
SHA13622ac7466cc40f50515eb6fcdc15d1f34ad3be3
SHA256e0a7bae2a9ac263cff5d725922e40272d8854278d901233a93a5267859c00a3c
SHA512fa222bfcade636824af32124b45450c92b1abec7a33e6e647a9248eef5371c127d22ccb7cc5a096b4d5d52e2457f3841293a1b34304e8e5523549856ac02f224
-
C:\Windows\svchost.comFilesize
40KB
MD52ff724ca136d4a831421dfd891e167c6
SHA15416f8de17ae4a8d9ea2e2d4570c5dd9ba7e5eb8
SHA256ff787f8231bb6f6a30eb61f46d56920e742ae22dd047622f8fbe6266d8bb864d
SHA5125ad202eb3222b9a95695ee1ffcebdaa3cd7235dbc8a1bf845e560736f514d9d7c92bc509c7089f53ff391bcd1d053050ccf0d889102a2b53b373d211dfbd9dc0
-
C:\odt\OFFICE~1.EXEFilesize
5.1MB
MD502c3d242fe142b0eabec69211b34bc55
SHA1ea0a4a6d6078b362f7b3a4ad1505ce49957dc16e
SHA2562a1ed24be7e3859b46ec3ebc316789ead5f12055853f86a9656e04b4bb771842
SHA5120efb08492eaaa2e923beddc21566e98fbbef3a102f9415ff310ec616f5c84fd2ba3a7025b05e01c0bdf37e5e2f64dfd845f9254a376144cc7d827e7577dbb099
-
memory/232-321-0x0000000000400000-0x0000000000680000-memory.dmpFilesize
2.5MB
-
memory/464-230-0x00007FF9642F0000-0x00007FF964300000-memory.dmpFilesize
64KB
-
memory/464-232-0x00007FF9642F0000-0x00007FF964300000-memory.dmpFilesize
64KB
-
memory/464-231-0x00007FF9642F0000-0x00007FF964300000-memory.dmpFilesize
64KB
-
memory/464-320-0x00007FF962170000-0x00007FF962180000-memory.dmpFilesize
64KB
-
memory/464-233-0x00007FF9642F0000-0x00007FF964300000-memory.dmpFilesize
64KB
-
memory/464-234-0x00007FF9642F0000-0x00007FF964300000-memory.dmpFilesize
64KB
-
memory/464-259-0x00007FF962170000-0x00007FF962180000-memory.dmpFilesize
64KB
-
memory/552-739-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/732-258-0x0000000005530000-0x00000000055CC000-memory.dmpFilesize
624KB
-
memory/732-308-0x0000000005BD0000-0x0000000006174000-memory.dmpFilesize
5.6MB
-
memory/732-256-0x0000000000B30000-0x0000000000B78000-memory.dmpFilesize
288KB
-
memory/732-380-0x0000000005860000-0x00000000058B6000-memory.dmpFilesize
344KB
-
memory/732-379-0x00000000055D0000-0x00000000055DA000-memory.dmpFilesize
40KB
-
memory/732-309-0x0000000005620000-0x00000000056B2000-memory.dmpFilesize
584KB
-
memory/856-136-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/1936-738-0x00007FF962170000-0x00007FF962180000-memory.dmpFilesize
64KB
-
memory/1936-726-0x00007FF962170000-0x00007FF962180000-memory.dmpFilesize
64KB
-
memory/2032-823-0x00007FF962170000-0x00007FF962180000-memory.dmpFilesize
64KB
-
memory/2032-815-0x00007FF962170000-0x00007FF962180000-memory.dmpFilesize
64KB
-
memory/2192-742-0x0000000000400000-0x000000000055F000-memory.dmpFilesize
1.4MB
-
memory/2200-444-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/2572-741-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/2572-608-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/3012-831-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/3120-624-0x00007FF962170000-0x00007FF962180000-memory.dmpFilesize
64KB
-
memory/3120-613-0x00007FF962170000-0x00007FF962180000-memory.dmpFilesize
64KB
-
memory/3516-808-0x0000000000400000-0x000000000055F000-memory.dmpFilesize
1.4MB
-
memory/3576-410-0x0000000000400000-0x000000000055F000-memory.dmpFilesize
1.4MB
-
memory/3576-633-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/3580-607-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/3580-832-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/3580-414-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/3700-245-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/3744-740-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/3792-651-0x0000000000400000-0x000000000055F000-memory.dmpFilesize
1.4MB
-
memory/3796-441-0x00007FF962170000-0x00007FF962180000-memory.dmpFilesize
64KB
-
memory/3796-445-0x00007FF962170000-0x00007FF962180000-memory.dmpFilesize
64KB
-
memory/4016-431-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/4072-13-0x0000000002410000-0x0000000002411000-memory.dmpFilesize
4KB
-
memory/4072-133-0x0000000000400000-0x0000000000680000-memory.dmpFilesize
2.5MB
-
memory/4084-257-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/4084-639-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/4228-481-0x0000000000400000-0x000000000055F000-memory.dmpFilesize
1.4MB
-
memory/4228-227-0x0000000000400000-0x000000000055F000-memory.dmpFilesize
1.4MB
-
memory/4612-591-0x0000000000400000-0x000000000055F000-memory.dmpFilesize
1.4MB
-
memory/4668-717-0x0000000000400000-0x000000000055F000-memory.dmpFilesize
1.4MB
-
memory/5076-899-0x0000000000400000-0x000000000055F000-memory.dmpFilesize
1.4MB
-
memory/5096-830-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/5100-833-0x0000000000400000-0x000000000055F000-memory.dmpFilesize
1.4MB