Malware Analysis Report

2024-09-11 00:04

Sample ID 240618-yxltlawamb
Target 19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d
SHA256 19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d
Tags
neshta persistence spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d

Threat Level: Known bad

The file 19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d was found to be: Known bad.

Malicious Activity Summary

neshta persistence spyware stealer

Neshta family

Detect Neshta payload

Neshta

Checks computer location settings

Loads dropped DLL

Modifies system executable filetype association

Executes dropped EXE

Reads user/profile data of web browsers

Adds Run key to start application

Drops file in Windows directory

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious use of SetWindowsHookEx

Checks processor information in registry

Suspicious behavior: AddClipboardFormatListener

Enumerates system info in registry

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-18 20:09

Signatures

Detect Neshta payload

Description Indicator Process Target
N/A N/A N/A N/A

Neshta family

neshta

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-18 20:09

Reported

2024-06-18 20:12

Platform

win7-20240611-en

Max time kernel

34s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe"

Signatures

Detect Neshta payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Neshta

persistence spyware neshta

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE N/A
N/A N/A C:\ProgramData\Synaptics\Synaptics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE N/A
N/A N/A C:\ProgramData\Synaptics\Synaptics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE N/A
N/A N/A C:\ProgramData\Synaptics\Synaptics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE N/A
N/A N/A C:\ProgramData\Synaptics\Synaptics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE N/A
N/A N/A C:\ProgramData\Synaptics\Synaptics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE N/A
N/A N/A C:\ProgramData\Synaptics\Synaptics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE N/A
N/A N/A C:\ProgramData\Synaptics\Synaptics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE N/A
N/A N/A C:\ProgramData\Synaptics\Synaptics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE N/A
N/A N/A C:\ProgramData\Synaptics\Synaptics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE N/A
N/A N/A C:\ProgramData\Synaptics\Synaptics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE N/A
N/A N/A C:\ProgramData\Synaptics\Synaptics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE N/A
N/A N/A C:\ProgramData\Synaptics\Synaptics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe N/A
N/A N/A C:\ProgramData\Synaptics\Synaptics.exe N/A
N/A N/A C:\ProgramData\Synaptics\Synaptics.exe N/A
N/A N/A C:\ProgramData\Synaptics\Synaptics.exe N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE N/A
N/A N/A C:\ProgramData\Synaptics\Synaptics.exe N/A
N/A N/A C:\ProgramData\Synaptics\Synaptics.exe N/A
N/A N/A C:\ProgramData\Synaptics\Synaptics.exe N/A
N/A N/A C:\ProgramData\Synaptics\Synaptics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\ProgramData\Synaptics\Synaptics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe N/A
N/A N/A C:\ProgramData\Synaptics\Synaptics.exe N/A
N/A N/A C:\ProgramData\Synaptics\Synaptics.exe N/A
N/A N/A C:\ProgramData\Synaptics\Synaptics.exe N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe N/A
N/A N/A C:\ProgramData\Synaptics\Synaptics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe N/A
N/A N/A C:\ProgramData\Synaptics\Synaptics.exe N/A
N/A N/A C:\ProgramData\Synaptics\Synaptics.exe N/A
N/A N/A C:\ProgramData\Synaptics\Synaptics.exe N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\ProgramData\Synaptics\Synaptics.exe N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" C:\Users\Admin\AppData\Local\Temp\3582-490\19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe C:\Users\Admin\AppData\Local\Temp\19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE C:\Users\Admin\AppData\Local\Temp\._cache_19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\FLTLDR.EXE C:\Users\Admin\AppData\Local\Temp\19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\ODeploy.exe C:\Users\Admin\AppData\Local\Temp\19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\Setup.exe C:\Users\Admin\AppData\Local\Temp\19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\TextConv\WksConv\Wkconv.exe C:\Users\Admin\AppData\Local\Temp\19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\DISABL~1.EXE C:\Users\Admin\AppData\Local\Temp\._cache_19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\CNFNOT32.EXE C:\Users\Admin\AppData\Local\Temp\._cache_19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\wmplayer.exe C:\Users\Admin\AppData\Local\Temp\._cache_19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE C:\Users\Admin\AppData\Local\Temp\._cache_19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\._cache_19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe N/A
File opened for modification C:\PROGRA~3\SYNAPT~1\SYNAPT~1.EXE C:\Users\Admin\AppData\Local\Temp\._cache_19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\Oarpmany.exe C:\Users\Admin\AppData\Local\Temp\._cache_19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\DISABL~1.EXE C:\Users\Admin\AppData\Local\Temp\19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~1\WinMail.exe C:\Users\Admin\AppData\Local\Temp\._cache_19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\ink\mip.exe C:\Users\Admin\AppData\Local\Temp\19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\ODeploy.exe C:\Users\Admin\AppData\Local\Temp\._cache_19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE C:\Users\Admin\AppData\Local\Temp\19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\IECONT~1.EXE C:\Users\Admin\AppData\Local\Temp\._cache_19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\NAMECO~1.EXE C:\Users\Admin\AppData\Local\Temp\._cache_19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE C:\Users\Admin\AppData\Local\Temp\._cache_19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\wmpconfig.exe C:\Users\Admin\AppData\Local\Temp\19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE C:\Users\Admin\AppData\Local\Temp\19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\ielowutil.exe C:\Users\Admin\AppData\Local\Temp\._cache_19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\GROOVEMN.EXE C:\Users\Admin\AppData\Local\Temp\._cache_19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\OIS.EXE C:\Users\Admin\AppData\Local\Temp\19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\SELFCERT.EXE C:\Users\Admin\AppData\Local\Temp\._cache_19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE C:\Users\Admin\AppData\Local\Temp\._cache_19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\ink\mip.exe C:\Users\Admin\AppData\Local\Temp\._cache_19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE C:\Users\Admin\AppData\Local\Temp\._cache_19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE C:\Users\Admin\AppData\Local\Temp\19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\CLVIEW.EXE C:\Users\Admin\AppData\Local\Temp\._cache_19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\INFOPATH.EXE C:\Users\Admin\AppData\Local\Temp\19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE C:\Users\Admin\AppData\Local\Temp\19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\SOURCE~1\OSE.EXE C:\Users\Admin\AppData\Local\Temp\._cache_19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Resource\Icons\SC_REA~1.EXE C:\Users\Admin\AppData\Local\Temp\._cache_19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE C:\Users\Admin\AppData\Local\Temp\._cache_19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\NAMECO~1.EXE C:\Users\Admin\AppData\Local\Temp\19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\PPTICO.EXE C:\Users\Admin\AppData\Local\Temp\._cache_19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe N/A
File opened for modification C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE C:\Users\Admin\AppData\Local\Temp\19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE C:\Users\Admin\AppData\Local\Temp\19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE C:\Users\Admin\AppData\Local\Temp\._cache_19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe C:\Users\Admin\AppData\Local\Temp\._cache_19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE C:\Users\Admin\AppData\Local\Temp\19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE C:\Users\Admin\AppData\Local\Temp\._cache_19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE C:\Users\Admin\AppData\Local\Temp\19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\XLICONS.EXE C:\Users\Admin\AppData\Local\Temp\._cache_19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE C:\Users\Admin\AppData\Local\Temp\._cache_19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\SELFCERT.EXE C:\Users\Admin\AppData\Local\Temp\19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~1\wab.exe C:\Users\Admin\AppData\Local\Temp\._cache_19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~1\WinMail.exe C:\Users\Admin\AppData\Local\Temp\19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~2\ACCESS~1\wordpad.exe C:\Users\Admin\AppData\Local\Temp\._cache_19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE C:\Users\Admin\AppData\Local\Temp\19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOXMLED.EXE C:\Users\Admin\AppData\Local\Temp\19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOF5E2~1.EXE C:\Users\Admin\AppData\Local\Temp\19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\GRAPH.EXE C:\Users\Admin\AppData\Local\Temp\19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXE C:\Users\Admin\AppData\Local\Temp\19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSQRY32.EXE C:\Users\Admin\AppData\Local\Temp\._cache_19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\PPTICO.EXE C:\Users\Admin\AppData\Local\Temp\19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe N/A
File opened for modification C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE C:\Users\Admin\AppData\Local\Temp\._cache_19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\WMPDMC.exe C:\Users\Admin\AppData\Local\Temp\19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\wmprph.exe C:\Users\Admin\AppData\Local\Temp\19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\directx.sys C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
File opened for modification C:\Windows\svchost.com C:\Windows\svchost.com N/A
File opened for modification C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A
File opened for modification C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A
File opened for modification C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
File opened for modification C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A
File opened for modification C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A
File opened for modification C:\Windows\svchost.com C:\Windows\svchost.com N/A
File opened for modification C:\Windows\directx.sys C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
File opened for modification C:\Windows\svchost.com C:\Windows\svchost.com N/A
File opened for modification C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A
File opened for modification C:\Windows\svchost.com C:\Windows\svchost.com N/A
File opened for modification C:\Windows\directx.sys C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A
File opened for modification C:\Windows\directx.sys C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A
File opened for modification C:\Windows\directx.sys C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
File opened for modification C:\Windows\svchost.com C:\Windows\svchost.com N/A
File opened for modification C:\Windows\svchost.com C:\Windows\svchost.com N/A
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A
File opened for modification C:\Windows\directx.sys C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
File opened for modification C:\Windows\directx.sys C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
File opened for modification C:\Windows\svchost.com C:\Windows\svchost.com N/A
File opened for modification C:\Windows\directx.sys C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
File opened for modification C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
File opened for modification C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
File opened for modification C:\Windows\directx.sys C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
File opened for modification C:\Windows\directx.sys C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
File opened for modification C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe N/A
File opened for modification C:\Windows\svchost.com C:\Windows\svchost.com N/A
File opened for modification C:\Windows\svchost.com C:\Windows\svchost.com N/A
File opened for modification C:\Windows\svchost.com C:\Windows\svchost.com N/A
File opened for modification C:\Windows\directx.sys C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A
File opened for modification C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
File opened for modification C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A
File opened for modification C:\Windows\svchost.com C:\Windows\svchost.com N/A
File opened for modification C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
File opened for modification C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A
File opened for modification C:\Windows\svchost.com C:\Windows\svchost.com N/A
File opened for modification C:\Windows\svchost.com C:\Windows\svchost.com N/A
File opened for modification C:\Windows\directx.sys C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
File opened for modification C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
File opened for modification C:\Windows\directx.sys C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
File opened for modification C:\Windows\svchost.com C:\Windows\svchost.com N/A
File opened for modification C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\._cache_19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe N/A
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A
File opened for modification C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
File opened for modification C:\Windows\directx.sys C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
File opened for modification C:\Windows\svchost.com C:\Windows\svchost.com N/A
File opened for modification C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
File opened for modification C:\Windows\directx.sys C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2820 wrote to memory of 1672 N/A C:\Users\Admin\AppData\Local\Temp\19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe C:\Users\Admin\AppData\Local\Temp\3582-490\19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe
PID 2820 wrote to memory of 1672 N/A C:\Users\Admin\AppData\Local\Temp\19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe C:\Users\Admin\AppData\Local\Temp\3582-490\19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe
PID 2820 wrote to memory of 1672 N/A C:\Users\Admin\AppData\Local\Temp\19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe C:\Users\Admin\AppData\Local\Temp\3582-490\19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe
PID 2820 wrote to memory of 1672 N/A C:\Users\Admin\AppData\Local\Temp\19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe C:\Users\Admin\AppData\Local\Temp\3582-490\19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe
PID 1672 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe C:\Users\Admin\AppData\Local\Temp\._cache_19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe
PID 1672 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe C:\Users\Admin\AppData\Local\Temp\._cache_19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe
PID 1672 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe C:\Users\Admin\AppData\Local\Temp\._cache_19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe
PID 1672 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe C:\Users\Admin\AppData\Local\Temp\._cache_19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe
PID 2700 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\._cache_19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe C:\Windows\svchost.com
PID 2700 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\._cache_19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe C:\Windows\svchost.com
PID 2700 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\._cache_19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe C:\Windows\svchost.com
PID 2700 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\._cache_19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe C:\Windows\svchost.com
PID 2740 wrote to memory of 2524 N/A C:\Windows\svchost.com C:\ProgramData\Synaptics\Synaptics.exe
PID 2740 wrote to memory of 2524 N/A C:\Windows\svchost.com C:\ProgramData\Synaptics\Synaptics.exe
PID 2740 wrote to memory of 2524 N/A C:\Windows\svchost.com C:\ProgramData\Synaptics\Synaptics.exe
PID 2740 wrote to memory of 2524 N/A C:\Windows\svchost.com C:\ProgramData\Synaptics\Synaptics.exe
PID 1672 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe C:\ProgramData\Synaptics\Synaptics.exe
PID 1672 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe C:\ProgramData\Synaptics\Synaptics.exe
PID 1672 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe C:\ProgramData\Synaptics\Synaptics.exe
PID 1672 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe C:\ProgramData\Synaptics\Synaptics.exe
PID 2548 wrote to memory of 264 N/A C:\ProgramData\Synaptics\Synaptics.exe C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
PID 2548 wrote to memory of 264 N/A C:\ProgramData\Synaptics\Synaptics.exe C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
PID 2548 wrote to memory of 264 N/A C:\ProgramData\Synaptics\Synaptics.exe C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
PID 2548 wrote to memory of 264 N/A C:\ProgramData\Synaptics\Synaptics.exe C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
PID 264 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe C:\Windows\svchost.com
PID 264 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe C:\Windows\svchost.com
PID 264 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe C:\Windows\svchost.com
PID 264 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe C:\Windows\svchost.com
PID 2836 wrote to memory of 2900 N/A C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
PID 2836 wrote to memory of 2900 N/A C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
PID 2836 wrote to memory of 2900 N/A C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
PID 2836 wrote to memory of 2900 N/A C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
PID 2900 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
PID 2900 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
PID 2900 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
PID 2900 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
PID 2900 wrote to memory of 1152 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE C:\ProgramData\Synaptics\Synaptics.exe
PID 2900 wrote to memory of 1152 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE C:\ProgramData\Synaptics\Synaptics.exe
PID 2900 wrote to memory of 1152 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE C:\ProgramData\Synaptics\Synaptics.exe
PID 2900 wrote to memory of 1152 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE C:\ProgramData\Synaptics\Synaptics.exe
PID 2524 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
PID 2524 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
PID 2524 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
PID 2524 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
PID 1152 wrote to memory of 1744 N/A C:\ProgramData\Synaptics\Synaptics.exe C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
PID 1152 wrote to memory of 1744 N/A C:\ProgramData\Synaptics\Synaptics.exe C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
PID 1152 wrote to memory of 1744 N/A C:\ProgramData\Synaptics\Synaptics.exe C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
PID 1152 wrote to memory of 1744 N/A C:\ProgramData\Synaptics\Synaptics.exe C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
PID 1744 wrote to memory of 1060 N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe C:\Windows\svchost.com
PID 1744 wrote to memory of 1060 N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe C:\Windows\svchost.com
PID 1744 wrote to memory of 1060 N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe C:\Windows\svchost.com
PID 1744 wrote to memory of 1060 N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe C:\Windows\svchost.com
PID 1060 wrote to memory of 2260 N/A C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
PID 1060 wrote to memory of 2260 N/A C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
PID 1060 wrote to memory of 2260 N/A C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
PID 1060 wrote to memory of 2260 N/A C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
PID 2260 wrote to memory of 740 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
PID 2260 wrote to memory of 740 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
PID 2260 wrote to memory of 740 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
PID 2260 wrote to memory of 740 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
PID 2260 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE C:\ProgramData\Synaptics\Synaptics.exe
PID 2260 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE C:\ProgramData\Synaptics\Synaptics.exe
PID 2260 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE C:\ProgramData\Synaptics\Synaptics.exe
PID 2260 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE C:\ProgramData\Synaptics\Synaptics.exe

Processes

C:\Users\Admin\AppData\Local\Temp\19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe

"C:\Users\Admin\AppData\Local\Temp\19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe"

C:\Users\Admin\AppData\Local\Temp\3582-490\19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe

"C:\Users\Admin\AppData\Local\Temp\3582-490\19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe"

C:\Users\Admin\AppData\Local\Temp\._cache_19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe"

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE

"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE

"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE

"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE

"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE

"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE

"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE

"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE

"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE

"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE

"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE

"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE

"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE

"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE

"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE

"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE

"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE

"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE

"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE

"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE

"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE

"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\wbem\wmiprvse.exe -Embedding

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE

"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE

"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE

"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE

"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE

"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE

"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE

"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE

"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE

"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE

"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE

"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE

"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE

"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE

"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE

"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE

"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE

"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE

"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE

"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE

"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\3582-490\19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe

MD5 44cce607c901188b1ceca88705a3edfb
SHA1 104192763c1994a8686e1b813dde36109e83a1b6
SHA256 f85efbd3d02c72fc85aabcf5549b6803fd9968cc301dbf7dc4c745c3d3da1309
SHA512 1a4116c0fbb63cdf1ac1ab30b542286e501b2d94e9090ef0812d2b8c5a076c9a1b83295f3d333929df72c47e97faac683db473c74d915e8452a83b0d9492bdab

C:\MSOCache\ALLUSE~1\{90140~1\dwtrig20.exe

MD5 cf6c595d3e5e9667667af096762fd9c4
SHA1 9bb44da8d7f6457099cb56e4f7d1026963dce7ce
SHA256 593e60cc30ae0789448547195af77f550387f6648d45847ea244dd0dd7abf03d
SHA512 ff4f789df9e6a6d0fbe12b3250f951fcf11e857906c65e96a30bb46266e7e1180d6103a03db2f3764e0d1346b2de7afba8259ba080057e4a268e45e8654dfa80

memory/1672-14-0x0000000000220000-0x0000000000221000-memory.dmp

\Users\Admin\AppData\Local\Temp\._cache_19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe

MD5 c6b7d88af09bed8ef817c3ad1f68f9f4
SHA1 c49df92061197098f62c7e5031e8b9ce406d911c
SHA256 b116d954ddce3d3df3ef09a44aac5433c91ea2fee317dbf33fc5c4e5cec06af5
SHA512 75452e228ccfc14f144d4ce777b5898ace42ca5638c2607cc00b1dd1ba1ff05e3074af33bfad39979b0e3b035daad4a7503a1c88f3c3a5ecf2ce3266d0a33c2d

C:\Windows\svchost.com

MD5 2ff724ca136d4a831421dfd891e167c6
SHA1 5416f8de17ae4a8d9ea2e2d4570c5dd9ba7e5eb8
SHA256 ff787f8231bb6f6a30eb61f46d56920e742ae22dd047622f8fbe6266d8bb864d
SHA512 5ad202eb3222b9a95695ee1ffcebdaa3cd7235dbc8a1bf845e560736f514d9d7c92bc509c7089f53ff391bcd1d053050ccf0d889102a2b53b373d211dfbd9dc0

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE

MD5 94e5f271b702947d8c96c432a77e99e7
SHA1 a284a7fb14c9576a380052f16e1aadf4c82a2105
SHA256 a3c7ec7dbd6ef0b778f0f05e140b965f5c1af8bce1a729ed5f8e183822dc10b9
SHA512 60dfef773155ce6a70b3c37f08c9d210fb4e9ae6aba4ed2b230ec1577f5484fd154cfbe27de7dd795ec171c6d24814813f89165d7011f14a224d64a2bf1dcb71

C:\MSOCache\ALLUSE~1\{90140~1\DW20.EXE

MD5 02ee6a3424782531461fb2f10713d3c1
SHA1 b581a2c365d93ebb629e8363fd9f69afc673123f
SHA256 ead58c483cb20bcd57464f8a4929079539d634f469b213054bf737d227c026dc
SHA512 6c9272cb1b6bde3ee887e1463ab30ea76568cb1a285d11393337b78c4ad1c3b7e6ce47646a92ab6d70bff4b02ab9d699b84af9437b720e52dcd35579fe2693ec

C:\MSOCache\ALLUSE~1\{9A861~1\setup.exe

MD5 566ed4f62fdc96f175afedd811fa0370
SHA1 d4b47adc40e0d5a9391d3f6f2942d1889dd2a451
SHA256 e17cd94c08fc0e001a49f43a0801cea4625fb9aee211b6dfebebec446c21f460
SHA512 cdf8f508d396a1a0d2e0fc25f2ae46398b25039a0dafa0919737cc44e3e926ebae4c3aa26f1a3441511430f1a36241f8e61c515a5d9bd98ad4740d4d0f7b8db7

C:\MSOCache\ALLUSE~1\{9A861~1\ose.exe

MD5 58b58875a50a0d8b5e7be7d6ac685164
SHA1 1e0b89c1b2585c76e758e9141b846ed4477b0662
SHA256 2a0aa0763fdef9c38c5dd4d50703f0c7e27f4903c139804ec75e55f8388139ae
SHA512 d67214077162a105d01b11a8e207fab08b45b08fbfba0615a2ea146e1dd99eea35e4f02958a1754d3192292c00caf777f186f0a362e4b8b0da51fabbdb76375b

memory/1672-63-0x0000000000400000-0x0000000000680000-memory.dmp

memory/2740-55-0x0000000000400000-0x000000000041B000-memory.dmp

memory/264-89-0x0000000000400000-0x000000000041B000-memory.dmp

C:\Windows\directx.sys

MD5 6b3bfceb3942a9508a2148acbee89007
SHA1 3622ac7466cc40f50515eb6fcdc15d1f34ad3be3
SHA256 e0a7bae2a9ac263cff5d725922e40272d8854278d901233a93a5267859c00a3c
SHA512 fa222bfcade636824af32124b45450c92b1abec7a33e6e647a9248eef5371c127d22ccb7cc5a096b4d5d52e2457f3841293a1b34304e8e5523549856ac02f224

memory/2548-102-0x0000000000400000-0x0000000000680000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE

MD5 c08ebf3a175b66593b27a3c071df5115
SHA1 4acafe7abdf85c922cac6065c9e4d0c909c22c85
SHA256 1a7cebff8a5859fcd9847bef3695ee9f8d29ddca361d8f52a6b23d824deba968
SHA512 79b17d05ebc6e5b17f25f0ce1c202e1ef4c959246073e1b242edc4c4c45a2bcf4b3ffac2f01f4394112eadc961c6b8934208a071658493ef7a7c34e810e567a9

memory/2836-95-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2900-127-0x0000000000400000-0x000000000055F000-memory.dmp

memory/2524-129-0x0000000000400000-0x000000000055F000-memory.dmp

memory/1716-131-0x00000000012A0000-0x00000000012E8000-memory.dmp

memory/2816-130-0x0000000001060000-0x00000000010A8000-memory.dmp

\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE

MD5 9e2b9928c89a9d0da1d3e8f4bd96afa7
SHA1 ec66cda99f44b62470c6930e5afda061579cde35
SHA256 8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043
SHA512 2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXE

MD5 7ce8bcabb035b3de517229dbe7c5e67d
SHA1 8e43cd79a7539d240e7645f64fd7f6e9e0f90ab9
SHA256 81a3a1dc3104973a100bf8d114b6be35da03767a0cbbaf925f970ffcbe5f217c
SHA512 be7fcd50b4f71b458ca001b7c019bf1169ec089d7a1ce05355134b11cbe75a5a29811f9efec803877aeb1a1d576ea2628926e0131361db23214275af6e89e80c

C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE

MD5 6a091285d13370abb4536604b5f2a043
SHA1 8bb4aad8cadbd3894c889de85e7d186369cf6ff1
SHA256 909205de592f50532f01b4ac7b573b891f7e6e596b44ff94187b1ba4bcc296bb
SHA512 9696e4f60a5b1166535ca8ca3fb495d718086463d1a12fa1facc08219ad5b918208ddd2a102f7955e29153b081e05985c4ae6e4302ab36d548bb62991a47db18

C:\PROGRA~2\COMMON~1\MICROS~1\EQUATION\EQNEDT32.EXE

MD5 d4fdbb8de6a219f981ffda11aa2b2cc4
SHA1 cca2cffd4cf39277cc56ebd050f313de15aabbf6
SHA256 ba3dc87fca4641e5f5486c4d50c09d087e65264e6c5c885fa6866f6ccb23167b
SHA512 7167e13dbcc8c96114fef5fc7ae19afa31173617db153dd283aa6d8256f6b8c09c8f906f5d418efe9f7f242cdfaef24b93c11c451701c4d56eb48d18de4e88bf

C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOXMLED.EXE

MD5 7ed0f5802e7fc1243b7c82862c5bf87c
SHA1 e16741b5050df662da25419da6cf80517fc2a46a
SHA256 3342cf175e2c42ee691ba58cf7f6d6db3116f615b5483327fed706067b265595
SHA512 a006888ed6dbd9dd548f84d57c84e3baccc1ee5c09d2d127ce26c3f01af59e8531bc43b4f986aa45d8853f3d71a87dec2adbd34bd75a182e4f45111c69339fef

memory/1744-178-0x0000000000400000-0x000000000041B000-memory.dmp

memory/1060-188-0x0000000000400000-0x000000000041B000-memory.dmp

memory/1152-202-0x0000000000400000-0x000000000055F000-memory.dmp

C:\ProgramData\Synaptics\RCX8076.tmp

MD5 e4a7eb2876ffd171ff603b1c2888348c
SHA1 c04ba85968b72370a1839cfe4062a4726c1c12d1
SHA256 ba74794ef25aa8148fe3cede53880bce6a702b154538178362ae3c5aded0497b
SHA512 0db4a73f570aa7659db581f6fe44bcf6555b41c225e9c542fd3b1d5b75e7ad17cf0b002167e8556f02d0a966051ce3e5b426ec7004b3b3b2f0dc87224dce96b2

memory/2260-217-0x0000000000400000-0x000000000055F000-memory.dmp

memory/3052-261-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2728-267-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2924-277-0x0000000000400000-0x000000000055F000-memory.dmp

memory/2228-292-0x0000000000400000-0x000000000055F000-memory.dmp

memory/2820-297-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2832-301-0x0000000000400000-0x000000000041B000-memory.dmp

memory/360-307-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2520-308-0x0000000000400000-0x000000000055F000-memory.dmp

memory/2848-323-0x0000000000400000-0x000000000055F000-memory.dmp

memory/2436-327-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2880-333-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2232-334-0x0000000000400000-0x000000000055F000-memory.dmp

memory/2464-349-0x0000000000400000-0x000000000055F000-memory.dmp

memory/2044-353-0x0000000000400000-0x000000000041B000-memory.dmp

memory/1952-359-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2700-360-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2524-361-0x0000000000400000-0x000000000055F000-memory.dmp

memory/2056-376-0x0000000000400000-0x000000000055F000-memory.dmp

memory/2152-380-0x0000000000400000-0x000000000041B000-memory.dmp

memory/1380-386-0x0000000000400000-0x000000000041B000-memory.dmp

memory/1240-387-0x0000000000400000-0x000000000055F000-memory.dmp

memory/1120-402-0x0000000000400000-0x000000000055F000-memory.dmp

memory/880-406-0x0000000000400000-0x000000000041B000-memory.dmp

memory/3048-407-0x0000000000400000-0x000000000041B000-memory.dmp

memory/3048-409-0x0000000077AC0000-0x0000000077BBA000-memory.dmp

memory/3048-408-0x00000000779A0000-0x0000000077ABF000-memory.dmp

memory/1300-410-0x0000000000400000-0x000000000055F000-memory.dmp

memory/1552-425-0x0000000000400000-0x000000000055F000-memory.dmp

memory/2624-429-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2608-435-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2944-436-0x0000000000400000-0x000000000055F000-memory.dmp

memory/1720-451-0x0000000000400000-0x000000000055F000-memory.dmp

memory/1904-455-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2480-461-0x0000000000400000-0x000000000041B000-memory.dmp

memory/1616-462-0x0000000000400000-0x000000000055F000-memory.dmp

memory/1356-477-0x0000000000400000-0x000000000055F000-memory.dmp

memory/2464-481-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2008-487-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2820-488-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2784-489-0x0000000000400000-0x000000000055F000-memory.dmp

memory/1708-504-0x0000000000400000-0x000000000055F000-memory.dmp

memory/1316-508-0x0000000000400000-0x000000000041B000-memory.dmp

memory/1772-514-0x0000000000400000-0x000000000041B000-memory.dmp

memory/836-515-0x0000000000400000-0x000000000055F000-memory.dmp

memory/2152-530-0x0000000000400000-0x000000000055F000-memory.dmp

memory/2700-531-0x0000000000400000-0x000000000041B000-memory.dmp

memory/1576-535-0x0000000000400000-0x000000000041B000-memory.dmp

memory/996-541-0x0000000000400000-0x000000000041B000-memory.dmp

memory/3056-542-0x0000000000400000-0x000000000055F000-memory.dmp

memory/2600-557-0x0000000000400000-0x000000000055F000-memory.dmp

memory/2884-561-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2596-567-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2504-568-0x0000000000400000-0x000000000055F000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-18 20:09

Reported

2024-06-18 20:12

Platform

win10v2004-20240226-en

Max time kernel

26s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe"

Signatures

Detect Neshta payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Neshta

persistence spyware neshta

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE N/A
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\3582-490\19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\ProgramData\Synaptics\Synaptics.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\ProgramData\Synaptics\Synaptics.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\._cache_19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\ProgramData\Synaptics\Synaptics.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" C:\Users\Admin\AppData\Local\Temp\3582-490\19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\PROGRA~2\WINDOW~4\wmlaunch.exe C:\Users\Admin\AppData\Local\Temp\._cache_19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE C:\Users\Admin\AppData\Local\Temp\19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE C:\Users\Admin\AppData\Local\Temp\._cache_19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE C:\Users\Admin\AppData\Local\Temp\19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE C:\Users\Admin\AppData\Local\Temp\19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE C:\Users\Admin\AppData\Local\Temp\19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe N/A
File opened for modification C:\PROGRA~2\MOZILL~1\UNINST~1.EXE C:\Users\Admin\AppData\Local\Temp\._cache_19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE C:\Users\Admin\AppData\Local\Temp\19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE C:\Users\Admin\AppData\Local\Temp\19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE C:\Users\Admin\AppData\Local\Temp\._cache_19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\java.exe C:\Users\Admin\AppData\Local\Temp\19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~1.EXE C:\Users\Admin\AppData\Local\Temp\19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13185~1.17\MICROS~4.EXE C:\Users\Admin\AppData\Local\Temp\._cache_19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE C:\Users\Admin\AppData\Local\Temp\._cache_19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe C:\Users\Admin\AppData\Local\Temp\19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\122023~1.52\notification_helper.exe C:\Users\Admin\AppData\Local\Temp\._cache_19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE C:\Users\Admin\AppData\Local\Temp\19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\Download\{F3C4F~1\13185~1.17\MICROS~1.EXE C:\Users\Admin\AppData\Local\Temp\._cache_19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe N/A
File opened for modification C:\PROGRA~2\WI8A19~1\ImagingDevices.exe C:\Users\Admin\AppData\Local\Temp\19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\122023~1.52\msedge_proxy.exe C:\Users\Admin\AppData\Local\Temp\19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\Download\{F3C4F~1\13185~1.17\MICROS~1.EXE C:\Users\Admin\AppData\Local\Temp\19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{17316~1\WINDOW~1.EXE C:\Users\Admin\AppData\Local\Temp\19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe C:\Users\Admin\AppData\Local\Temp\19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE C:\Users\Admin\AppData\Local\Temp\._cache_19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe C:\Users\Admin\AppData\Local\Temp\._cache_19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\122023~1.52\elevation_service.exe C:\Users\Admin\AppData\Local\Temp\19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~2\wab.exe C:\Users\Admin\AppData\Local\Temp\._cache_19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE C:\Users\Admin\AppData\Local\Temp\19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\java.exe C:\Users\Admin\AppData\Local\Temp\._cache_19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\122023~1.52\cookie_exporter.exe C:\Users\Admin\AppData\Local\Temp\19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe N/A
File opened for modification C:\PROGRA~3\SYNAPT~1\SYNAPT~1.EXE C:\Users\Admin\AppData\Local\Temp\._cache_19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~2\wabmig.exe C:\Users\Admin\AppData\Local\Temp\19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe N/A
File opened for modification C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE C:\Users\Admin\AppData\Local\Temp\19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\._cache_19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaws.exe C:\Users\Admin\AppData\Local\Temp\19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOF5E2~1.EXE C:\Users\Admin\AppData\Local\Temp\._cache_19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\DISABL~1.EXE C:\Users\Admin\AppData\Local\Temp\._cache_19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\DISABL~1.EXE C:\Users\Admin\AppData\Local\Temp\19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe N/A
File opened for modification C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE C:\Users\Admin\AppData\Local\Temp\19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\._cache_19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE C:\Users\Admin\AppData\Local\Temp\._cache_19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\ieinstal.exe C:\Users\Admin\AppData\Local\Temp\19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\122023~1.52\INSTAL~1\setup.exe C:\Users\Admin\AppData\Local\Temp\19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\iexplore.exe C:\Users\Admin\AppData\Local\Temp\._cache_19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13185~1.17\MI9C33~1.EXE C:\Users\Admin\AppData\Local\Temp\19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13185~1.17\MIA062~1.EXE C:\Users\Admin\AppData\Local\Temp\19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\wmpconfig.exe C:\Users\Admin\AppData\Local\Temp\19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE C:\Users\Admin\AppData\Local\Temp\19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe C:\Users\Admin\AppData\Local\Temp\19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\122023~1.52\cookie_exporter.exe C:\Users\Admin\AppData\Local\Temp\._cache_19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe C:\Users\Admin\AppData\Local\Temp\._cache_19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\122023~1.52\msedgewebview2.exe C:\Users\Admin\AppData\Local\Temp\19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\122023~1.52\notification_click_helper.exe C:\Users\Admin\AppData\Local\Temp\19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe C:\Users\Admin\AppData\Local\Temp\._cache_19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13185~1.17\MICROS~3.EXE C:\Users\Admin\AppData\Local\Temp\19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\setup_wm.exe C:\Users\Admin\AppData\Local\Temp\19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe C:\Users\Admin\AppData\Local\Temp\._cache_19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE C:\Users\Admin\AppData\Local\Temp\._cache_19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\MicrosoftEdgeUpdate.exe C:\Users\Admin\AppData\Local\Temp\._cache_19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\wmplayer.exe C:\Users\Admin\AppData\Local\Temp\._cache_19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13185~1.17\MICROS~2.EXE C:\Users\Admin\AppData\Local\Temp\19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE C:\Users\Admin\AppData\Local\Temp\._cache_19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A
File opened for modification C:\Windows\svchost.com C:\Windows\svchost.com N/A
File opened for modification C:\Windows\directx.sys C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
File opened for modification C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe N/A
File opened for modification C:\Windows\svchost.com C:\Windows\svchost.com N/A
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A
File opened for modification C:\Windows\directx.sys C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
File opened for modification C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A
File opened for modification C:\Windows\directx.sys C:\Users\Admin\AppData\Local\Temp\._cache_19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe N/A
File opened for modification C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
File opened for modification C:\Windows\svchost.com C:\Windows\svchost.com N/A
File opened for modification C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\._cache_19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe N/A
File opened for modification C:\Windows\directx.sys C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
File opened for modification C:\Windows\svchost.com C:\Windows\svchost.com N/A
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\ProgramData\Synaptics\Synaptics.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\ProgramData\Synaptics\Synaptics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\._cache_19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\ProgramData\Synaptics\Synaptics.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Users\Admin\AppData\Local\Temp\3582-490\19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3580 wrote to memory of 4072 N/A C:\Users\Admin\AppData\Local\Temp\19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe C:\Users\Admin\AppData\Local\Temp\3582-490\19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe
PID 3580 wrote to memory of 4072 N/A C:\Users\Admin\AppData\Local\Temp\19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe C:\Users\Admin\AppData\Local\Temp\3582-490\19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe
PID 3580 wrote to memory of 4072 N/A C:\Users\Admin\AppData\Local\Temp\19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe C:\Users\Admin\AppData\Local\Temp\3582-490\19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe
PID 4072 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe C:\Users\Admin\AppData\Local\Temp\._cache_19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe
PID 4072 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe C:\Users\Admin\AppData\Local\Temp\._cache_19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe
PID 4072 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe C:\Users\Admin\AppData\Local\Temp\._cache_19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe
PID 2572 wrote to memory of 856 N/A C:\Users\Admin\AppData\Local\Temp\._cache_19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe C:\Windows\svchost.com
PID 2572 wrote to memory of 856 N/A C:\Users\Admin\AppData\Local\Temp\._cache_19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe C:\Windows\svchost.com
PID 2572 wrote to memory of 856 N/A C:\Users\Admin\AppData\Local\Temp\._cache_19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe C:\Windows\svchost.com
PID 856 wrote to memory of 4228 N/A C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
PID 856 wrote to memory of 4228 N/A C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
PID 856 wrote to memory of 4228 N/A C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
PID 4072 wrote to memory of 232 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe C:\ProgramData\Synaptics\Synaptics.exe
PID 4072 wrote to memory of 232 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe C:\ProgramData\Synaptics\Synaptics.exe
PID 4072 wrote to memory of 232 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe C:\ProgramData\Synaptics\Synaptics.exe
PID 232 wrote to memory of 3700 N/A C:\ProgramData\Synaptics\Synaptics.exe C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
PID 232 wrote to memory of 3700 N/A C:\ProgramData\Synaptics\Synaptics.exe C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
PID 232 wrote to memory of 3700 N/A C:\ProgramData\Synaptics\Synaptics.exe C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
PID 4228 wrote to memory of 732 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
PID 4228 wrote to memory of 732 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
PID 4228 wrote to memory of 732 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
PID 3700 wrote to memory of 4084 N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe C:\Windows\svchost.com
PID 3700 wrote to memory of 4084 N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe C:\Windows\svchost.com
PID 3700 wrote to memory of 4084 N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe C:\Windows\svchost.com
PID 4084 wrote to memory of 3576 N/A C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
PID 4084 wrote to memory of 3576 N/A C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
PID 4084 wrote to memory of 3576 N/A C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
PID 3576 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
PID 3576 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
PID 3576 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
PID 3576 wrote to memory of 4228 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
PID 3576 wrote to memory of 4228 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
PID 3576 wrote to memory of 4228 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
PID 4228 wrote to memory of 4016 N/A C:\ProgramData\Synaptics\Synaptics.exe C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
PID 4228 wrote to memory of 4016 N/A C:\ProgramData\Synaptics\Synaptics.exe C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
PID 4228 wrote to memory of 4016 N/A C:\ProgramData\Synaptics\Synaptics.exe C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
PID 4016 wrote to memory of 2200 N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe C:\Windows\svchost.com
PID 4016 wrote to memory of 2200 N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe C:\Windows\svchost.com
PID 4016 wrote to memory of 2200 N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe C:\Windows\svchost.com
PID 2200 wrote to memory of 4612 N/A C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
PID 2200 wrote to memory of 4612 N/A C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
PID 2200 wrote to memory of 4612 N/A C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
PID 4612 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
PID 4612 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
PID 4612 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
PID 4612 wrote to memory of 3792 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE C:\ProgramData\Synaptics\Synaptics.exe
PID 4612 wrote to memory of 3792 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE C:\ProgramData\Synaptics\Synaptics.exe
PID 4612 wrote to memory of 3792 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE C:\ProgramData\Synaptics\Synaptics.exe
PID 3792 wrote to memory of 3576 N/A C:\ProgramData\Synaptics\Synaptics.exe C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
PID 3792 wrote to memory of 3576 N/A C:\ProgramData\Synaptics\Synaptics.exe C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
PID 3792 wrote to memory of 3576 N/A C:\ProgramData\Synaptics\Synaptics.exe C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
PID 3576 wrote to memory of 4084 N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe C:\Windows\svchost.com
PID 3576 wrote to memory of 4084 N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe C:\Windows\svchost.com
PID 3576 wrote to memory of 4084 N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe C:\Windows\svchost.com
PID 4084 wrote to memory of 4668 N/A C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
PID 4084 wrote to memory of 4668 N/A C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
PID 4084 wrote to memory of 4668 N/A C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe

"C:\Users\Admin\AppData\Local\Temp\19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe"

C:\Users\Admin\AppData\Local\Temp\3582-490\19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe

"C:\Users\Admin\AppData\Local\Temp\3582-490\19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe"

C:\Users\Admin\AppData\Local\Temp\._cache_19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe"

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE

"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE

"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE

"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE

"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE

"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE

"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE

"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE

"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3700 --field-trial-handle=2284,i,15722001240173834669,15048020084704567542,262144 --variations-seed-version /prefetch:8

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE

"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE

"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE

"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE

"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE

"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE

"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE

"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE

"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE

"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE

"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE

"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE

"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE

"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE

"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE

"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE

"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE

"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 46.28.109.52.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
GB 172.217.16.234:443 chromewebstore.googleapis.com tcp
US 8.8.8.8:53 pki.goog udp
US 8.8.8.8:53 pki.goog udp
US 216.239.32.29:80 pki.goog tcp
US 8.8.8.8:53 213.143.182.52.in-addr.arpa udp
US 8.8.8.8:53 234.16.217.172.in-addr.arpa udp
US 8.8.8.8:53 29.32.239.216.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 208.143.182.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 31.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 15.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 122.10.44.20.in-addr.arpa udp
US 8.8.8.8:53 225.162.46.104.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 193.98.74.40.in-addr.arpa udp
US 8.8.8.8:53 252.15.104.51.in-addr.arpa udp
US 8.8.8.8:53 93.65.42.20.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 27.178.89.13.in-addr.arpa udp
US 8.8.8.8:53 14.179.89.13.in-addr.arpa udp
US 8.8.8.8:53 27.73.42.20.in-addr.arpa udp
US 8.8.8.8:53 84.65.42.20.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\3582-490\19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe

MD5 44cce607c901188b1ceca88705a3edfb
SHA1 104192763c1994a8686e1b813dde36109e83a1b6
SHA256 f85efbd3d02c72fc85aabcf5549b6803fd9968cc301dbf7dc4c745c3d3da1309
SHA512 1a4116c0fbb63cdf1ac1ab30b542286e501b2d94e9090ef0812d2b8c5a076c9a1b83295f3d333929df72c47e97faac683db473c74d915e8452a83b0d9492bdab

memory/4072-13-0x0000000002410000-0x0000000002411000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\._cache_19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe

MD5 c6b7d88af09bed8ef817c3ad1f68f9f4
SHA1 c49df92061197098f62c7e5031e8b9ce406d911c
SHA256 b116d954ddce3d3df3ef09a44aac5433c91ea2fee317dbf33fc5c4e5cec06af5
SHA512 75452e228ccfc14f144d4ce777b5898ace42ca5638c2607cc00b1dd1ba1ff05e3074af33bfad39979b0e3b035daad4a7503a1c88f3c3a5ecf2ce3266d0a33c2d

C:\Users\Admin\AppData\Local\Temp\3582-490\._cache_19080603ce869f54525b8740d18dca57ee1cbc2ee4d52a4a17d1ec4963047b9d.exe

MD5 94e5f271b702947d8c96c432a77e99e7
SHA1 a284a7fb14c9576a380052f16e1aadf4c82a2105
SHA256 a3c7ec7dbd6ef0b778f0f05e140b965f5c1af8bce1a729ed5f8e183822dc10b9
SHA512 60dfef773155ce6a70b3c37f08c9d210fb4e9ae6aba4ed2b230ec1577f5484fd154cfbe27de7dd795ec171c6d24814813f89165d7011f14a224d64a2bf1dcb71

C:\Windows\svchost.com

MD5 2ff724ca136d4a831421dfd891e167c6
SHA1 5416f8de17ae4a8d9ea2e2d4570c5dd9ba7e5eb8
SHA256 ff787f8231bb6f6a30eb61f46d56920e742ae22dd047622f8fbe6266d8bb864d
SHA512 5ad202eb3222b9a95695ee1ffcebdaa3cd7235dbc8a1bf845e560736f514d9d7c92bc509c7089f53ff391bcd1d053050ccf0d889102a2b53b373d211dfbd9dc0

C:\odt\OFFICE~1.EXE

MD5 02c3d242fe142b0eabec69211b34bc55
SHA1 ea0a4a6d6078b362f7b3a4ad1505ce49957dc16e
SHA256 2a1ed24be7e3859b46ec3ebc316789ead5f12055853f86a9656e04b4bb771842
SHA512 0efb08492eaaa2e923beddc21566e98fbbef3a102f9415ff310ec616f5c84fd2ba3a7025b05e01c0bdf37e5e2f64dfd845f9254a376144cc7d827e7577dbb099

C:\Windows\directx.sys

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/4072-133-0x0000000000400000-0x0000000000680000-memory.dmp

memory/856-136-0x0000000000400000-0x000000000041B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE

MD5 c08ebf3a175b66593b27a3c071df5115
SHA1 4acafe7abdf85c922cac6065c9e4d0c909c22c85
SHA256 1a7cebff8a5859fcd9847bef3695ee9f8d29ddca361d8f52a6b23d824deba968
SHA512 79b17d05ebc6e5b17f25f0ce1c202e1ef4c959246073e1b242edc4c4c45a2bcf4b3ffac2f01f4394112eadc961c6b8934208a071658493ef7a7c34e810e567a9

memory/4228-227-0x0000000000400000-0x000000000055F000-memory.dmp

memory/464-230-0x00007FF9642F0000-0x00007FF964300000-memory.dmp

memory/464-232-0x00007FF9642F0000-0x00007FF964300000-memory.dmp

memory/464-231-0x00007FF9642F0000-0x00007FF964300000-memory.dmp

memory/464-233-0x00007FF9642F0000-0x00007FF964300000-memory.dmp

memory/464-234-0x00007FF9642F0000-0x00007FF964300000-memory.dmp

C:\Windows\directx.sys

MD5 6b3bfceb3942a9508a2148acbee89007
SHA1 3622ac7466cc40f50515eb6fcdc15d1f34ad3be3
SHA256 e0a7bae2a9ac263cff5d725922e40272d8854278d901233a93a5267859c00a3c
SHA512 fa222bfcade636824af32124b45450c92b1abec7a33e6e647a9248eef5371c127d22ccb7cc5a096b4d5d52e2457f3841293a1b34304e8e5523549856ac02f224

memory/3700-245-0x0000000000400000-0x000000000041B000-memory.dmp

memory/732-256-0x0000000000B30000-0x0000000000B78000-memory.dmp

memory/4084-257-0x0000000000400000-0x000000000041B000-memory.dmp

memory/732-258-0x0000000005530000-0x00000000055CC000-memory.dmp

memory/464-259-0x00007FF962170000-0x00007FF962180000-memory.dmp

memory/732-308-0x0000000005BD0000-0x0000000006174000-memory.dmp

memory/732-309-0x0000000005620000-0x00000000056B2000-memory.dmp

memory/464-320-0x00007FF962170000-0x00007FF962180000-memory.dmp

memory/232-321-0x0000000000400000-0x0000000000680000-memory.dmp

memory/732-379-0x00000000055D0000-0x00000000055DA000-memory.dmp

memory/732-380-0x0000000005860000-0x00000000058B6000-memory.dmp

C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe

MD5 576410de51e63c3b5442540c8fdacbee
SHA1 8de673b679e0fee6e460cbf4f21ab728e41e0973
SHA256 3f00404dd591c2856e6f71bd78423ed47199902e0b85f228e6c4de72c59ddffe
SHA512 f7761f3878775b30cc3d756fa122e74548dfc0a27e38fa4109e34a59a009df333d074bf14a227549ae347605f271be47984c55148685faac479aeb481f7191db

memory/3576-410-0x0000000000400000-0x000000000055F000-memory.dmp

memory/3580-414-0x0000000000400000-0x000000000041B000-memory.dmp

memory/4016-431-0x0000000000400000-0x000000000041B000-memory.dmp

memory/3796-441-0x00007FF962170000-0x00007FF962180000-memory.dmp

memory/2200-444-0x0000000000400000-0x000000000041B000-memory.dmp

memory/3796-445-0x00007FF962170000-0x00007FF962180000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\71274F68-5B29-4D28-BB3B-689642AEF5A6

MD5 a85b5ec08f3b0e06fda515545d1ecd56
SHA1 84492f691d8ddf28734a6ca964415cbbc91f925e
SHA256 005866230944be1d38adaafe1d82348ca80e450ab036b77e904503d809c10416
SHA512 0a94e718d92c41905f5a9e44fbda87485d7fac2afb0f7862500f4063fcd5ceb4902e4893ed9dbd149fe6de0528cdfdba39516961f18171a8e91c0b0404456e20

C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE

MD5 bcd0f32f28d3c2ba8f53d1052d05252d
SHA1 c29b4591df930dabc1a4bd0fa2c0ad91500eafb2
SHA256 bb07d817b8b1b6b4c25e62b6120e51dec10118557d7b6b696ad084a5ba5bfdeb
SHA512 79f407735853f82f46870c52058ceee4d91857a89db14868ee1169abd5c0fd2e3fa1ed230ab90b5f479a9581b88998643d69b0df498defea29e73b0d487f3b10

C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe

MD5 d1c48274711d83d4a1a0cfb2abdf8d31
SHA1 b4367dd7201ef0cc22d56613e428efda07da57a8
SHA256 ade1db79870327538841d5470483c6474083f08d871bb7d56cfc9e76971c8640
SHA512 7a3e7927b8be3dc1706e6511bf04475558da076696435f937c4eafa94111c378f3bcaa1ea4e5063e91e3e333c91f086a75baaff6c5cc190d3d314c5eee1687a3

C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaw.exe

MD5 892cf4fc5398e07bf652c50ef2aa3b88
SHA1 c399e55756b23938057a0ecae597bd9dbe481866
SHA256 e2262c798729169f697e6c30e5211cde604fd8b14769311ff4ea81abba8c2781
SHA512 f16a9e4b1150098c5936ec6107c36d47246dafd5a43e9f4ad9a31ecab69cc789c768691fa23a1440fae7f6e93e8e62566b5c86f7ed6bb4cfe26368149ea8c167

C:\PROGRA~2\COMMON~1\Oracle\Java\JAVAPA~1\javaws.exe

MD5 2fbf8e73fc690c57c64459cb4c349ddb
SHA1 1038053aff4e542a8dbb77fc4d100fe083493e50
SHA256 408ad7354171bc8d51846bbe8238e8fbd6a5bf9b0b12b3f55b43f61e03371bf2
SHA512 7e29b6ae75865dc9e7004665f6c90513e5b8f593509cbd209f523ea5602ea9e242ef1fee867f8d293781a51fa816d502456bbe97414de2e7ecbc6f6f640a49fc

C:\PROGRA~2\COMMON~1\Oracle\Java\JAVAPA~1\java.exe

MD5 9a8d683f9f884ddd9160a5912ca06995
SHA1 98dc8682a0c44727ee039298665f5d95b057c854
SHA256 5e2e22ead49ce9cc11141dbeebbe5b93a530c966695d8efc2083f00e6be53423
SHA512 6aecf8c5cb5796d6879f8643e20c653f58bad70820896b0019c39623604d5b3c8a4420562ab051c6685edce60aa068d9c2dbb4413a7b16c6d01a9ac10dc22c12

C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres

MD5 b2c766e2d8b5b26e189f0c4f84cd2aa8
SHA1 6248b51576750abaf4534a05d3d2662f63aca17a
SHA256 3f13bf03c4ddc7fd5db223769bd37ce5cd0f235c2451d720cf283556c0fae25a
SHA512 e0b66841060032433a28bc9cd973d6078c62c1a139efc378f8555cb2256af2d44ddd70eb4d25cddf5a43fe74aa28a3e036ab2c058562763b86c49288568aa878

C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE

MD5 400836f307cf7dbfb469cefd3b0391e7
SHA1 7af3cbb12d3b2d8b5d9553c687c6129d1dd90a10
SHA256 cb5c5abb625a812d47007c75e3855be3f29da527a41cf03730ad5c81f3eb629a
SHA512 aa53cb304478585d6f83b19a6de4a7938ba2570d380a565a56ff5365aed073d5f56b95ad3228eb7d1e7e6110c6172a58b97bd6a5e57e4a8d39e762ed31dc17c8

C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~1.EXE

MD5 3b0e91f9bb6c1f38f7b058c91300e582
SHA1 6e2e650941b1a96bb0bb19ff26a5d304bb09df5f
SHA256 57c993cadf4bf84810cea23a7112c6e260624beaab48d0e4332d3462900fec1d
SHA512 a4fbe28a0135f4632e0a5b6bd775f8d010250b0fbfe223db1fe81d18552a6bc166ebce807853ba02e6a476e9829454805e415ca828a5e043bd1e63dc53599d0f

C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~2.EXE

MD5 25e165d6a9c6c0c77ee1f94c9e58754b
SHA1 9b614c1280c75d058508bba2a468f376444b10c1
SHA256 8bbe59987228dd9ab297f9ea34143ea1e926bfb19f3d81c2904ab877f31e1217
SHA512 7d55c7d86ccabb6e9769ebca44764f4d89e221d5756e5c5d211e52c271e3ce222df90bc9938248e2e210d6695f30f6280d929d19ef41c09d3ea31688ae24d4bf

C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE

MD5 e5589ec1e4edb74cc7facdaac2acabfd
SHA1 9b12220318e848ed87bb7604d6f6f5df5dbc6b3f
SHA256 6ce92587a138ec07dac387a294d0bbe8ab629599d1a2868d2afaccea3b245d67
SHA512 f36ab33894681f51b9cec7ea5a738eb081a56bcd7625bdd2f5ef2c084e4beb7378be8f292af3aeae79d9317ba57cc41df89f00aef52e58987bdb2eac3f48171a

memory/4228-481-0x0000000000400000-0x000000000055F000-memory.dmp

C:\ProgramData\Synaptics\RCX1519.tmp

MD5 e4a7eb2876ffd171ff603b1c2888348c
SHA1 c04ba85968b72370a1839cfe4062a4726c1c12d1
SHA256 ba74794ef25aa8148fe3cede53880bce6a702b154538178362ae3c5aded0497b
SHA512 0db4a73f570aa7659db581f6fe44bcf6555b41c225e9c542fd3b1d5b75e7ad17cf0b002167e8556f02d0a966051ce3e5b426ec7004b3b3b2f0dc87224dce96b2

C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\122023~1.52\INSTAL~1\setup.exe

MD5 1cae3b29628f35e661eab78f1c8b4a99
SHA1 97fb011f97340a0687204a2f35e0e7e85112c97f
SHA256 643df72069bacb87065bfa4a0b552c97655c9497aeadea96e48e3d5df10cf3b0
SHA512 30924f452425afe598f4f21d59433c05c4bd217bf313363c22be4e9d23e712f96cef905a2411cdbf23da08b3f8d61e20f127fd4d2ab3aab35483f46b4e32759b

C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\122023~1.52\identity_helper.exe

MD5 a4c554903ffddf2c66eca876c614a75d
SHA1 cc789ac39fea72c579a5ec64970d2b6cc9daeac1
SHA256 09f2820a2ee73dc9ee5288fd25b3cde313e400f99f730464a31b71cfdbbd7f31
SHA512 d1feb67afcbacc1cb8c76c8774687546ab9ac6c0962ca62a8059a2b04b7332e9a0d8575ef37f9887a367b3f4f47b4bd5ea9010f754fdf0049498a58ba9fee088

C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\122023~1.52\msedgewebview2.exe

MD5 a4b214a072e3b243c4ebc478e6eb36a7
SHA1 03d0e04d345971141a1cd5f56e31e7f8480974f7
SHA256 77411e2933273fb7b04fd0dec90ea0a620b2293b6fbdbd5c29afa0cd7536fa51
SHA512 e32edd286477a52cbeaea9a0d20c49328bf78e86698620cee8c6900b672c0cc7feed5d2a5426770e9c2c70fe2a339814db4468d9fc960070e61e928ca3866a8d

C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\122023~1.52\pwahelper.exe

MD5 6aa892c7d9621d5388526f832195fc0f
SHA1 9f77f2fe1166734a4eda02222b5ec080091b68c9
SHA256 e5f38ea31c0d27d3d0435d4f19e3da0e023a9fa94bf611d5d522b72d9a2b3b66
SHA512 6bf56ce59afcf84265cd757ff99b8d664361f0f23d521386b0092b1574d34eb619184c6f8925b57fa0b94f5edf30453d6cec3b39273f8735cfe1835961ac0e3c

C:\PROGRA~2\MICROS~1\EdgeCore\122023~1.52\MSEDGE~3.EXE

MD5 037eb09ec7455bed1c2cc12ead01b246
SHA1 821ca5516402d68a0e6aa8d807abb2f3e2a78554
SHA256 fe404e589880c9a7065f3e2cfcfa4675953dccc5250f26715f29986d7580d924
SHA512 bfae4a3f1ef8a8036e5c3c7700796bb2e5b534fd602a2ed9f209e0974b111ace42f7f82683388f2fdefbf7939bc504b57901af0cc881b2e06c74036bf802760b

C:\PROGRA~2\MICROS~1\EdgeCore\122023~1.52\NOTIFI~1.EXE

MD5 9265ab18f47b9624d04a7bcc4794cd89
SHA1 4589d080807701f5a4813326a1b72d62e71d2880
SHA256 0cb11ab79f1810b4589f2a28a12dee99c8c913428b6c6e497123800e2134ec3c
SHA512 aa7870c60af1a278e78569c487950f6b9868b4941a25783fad63ea4bc07ba2959a8bb1b2242fc492a2ec85df610dcfcda08013501a2dd9fd9b8dcd728c0d5ead

C:\PROGRA~2\MICROS~1\EdgeCore\122023~1.52\MSEDGE~2.EXE

MD5 7f88f3f90ac64568f91d7886f56ff0b6
SHA1 2ef4a4496c09928a09da0af641e3c092ade4f03b
SHA256 1dc1ebb5939a050cd9eff7b7011afbf877cb33f21950fff127d7481f3e9d38b2
SHA512 412345a84eeffd2ddd1bd66230d4eef5fa29e35891a4b5f329626f4b557fb2fc972f05f131b8c4c94c8296c774545b288da7ba2fda93e6654733a03d247f33e3

C:\PROGRA~2\MICROS~1\EDGEUP~1\13185~1.17\MICROS~4.EXE

MD5 87a9a3c1e1477e659286afd59790e1b3
SHA1 19909ca38a6c2be2fefce3f10357b7cf210f1739
SHA256 863824b473ecc45e018a7e394c4c3926e56a244134ac08b849a05d1177fc18d4
SHA512 d15502a82bf5c6ff8abf3bad088bf833000e2e8253d4af8e7182d2d7479497f20bb153062984a7bc0afeee24d03e1d7dcd01d868fc2d2ac3bc73dc0d2b318105

C:\PROGRA~2\MICROS~1\EdgeCore\122023~1.52\msedge.exe

MD5 5d756a0168c787760258a53087193fcd
SHA1 3a1190370ec84df9cbc2d0b8dc2c3c040268e667
SHA256 4dcb3cc3b7e87ea4fdfe524d5d24a32eab1f87f1d477620879edbf8ac99c25d8
SHA512 213c39edbce4602f5e2882ba39d59ab51552b5e1c384c5e274addf3ddaafecd50fd9763a888fac7b406f136dcca63ca29a696ba407ae5e1e0446bee95ad24af4

C:\PROGRA~2\MICROS~1\EDGEUP~1\13185~1.17\MICROS~1.EXE

MD5 247348036dbe419034c3289f577ec6ea
SHA1 6adfd450bd84a629c612c7a2f8b2a613afb49245
SHA256 29af76a6a5c935cae799cba744b4604da06d69f30e272a873f15ecfd57043b1d
SHA512 1c8c636f9a1c3c0e4f92ef026f9509fd29d696823bb1c7086b877f6f32663c2c42a83ea51c9751192cae331ad25733b417030dba81654fd747903cc3eae11025

C:\PROGRA~2\MICROS~1\EdgeCore\122023~1.52\ELEVAT~1.EXE

MD5 f31b25bb1e8bd429892a63eaac0bce5d
SHA1 f007774635ef84623a7b4e0c892a8ee14c4b6221
SHA256 35e16cb335e2e73dc5a8ea0117598cebc98aa2e3550b32a4fb2b3d1f60be17d9
SHA512 f9515824dc4de6968903471bcc842e97acc30489d2054357c61098af190aae30ec7027c5e99aa9da1f527d53cddc209dd793db937e69f316ba1c9206884dff0a

C:\PROGRA~2\MICROS~1\EdgeCore\122023~1.52\COOKIE~1.EXE

MD5 fe0269e24575d8a8590185540f7b4f6c
SHA1 e133f0f269ac97b93caf93fe6f7ecf55e929cef1
SHA256 1b3d321b505dd2f13e8b669f554b31e6e00f5a5ab4f98160a8f7a0dd96c3b9fa
SHA512 b30ce7aad664d2ad7ad9ff046e16a80bbf13caa70c981c12ee164f45f570b7e2013dacb630d6341ee67d4821519a9c33277f2801ad87521329b984e66873e6c0

C:\PROGRA~2\MICROS~1\EdgeCore\122023~1.52\BHO\IE_TO_~1.EXE

MD5 46bda7f4ac4ec1457af4aceec4b0951e
SHA1 9038a90a2b4f6363fd20dc45984405e1d1e2a2d6
SHA256 5eb1cd925ce4a5c5dd035a0de64bb7249303e53d1efff96ea510b0930470524f
SHA512 36e917760e250ad7550b73b20471c5c8264a6ab12984e95d4bba1f3f15602aa8ac1acbb0af3fa8fbd9aba80f002eeb444d1fb49a6d64b720e5368a7a8ce58465

memory/4612-591-0x0000000000400000-0x000000000055F000-memory.dmp

memory/2572-608-0x0000000000400000-0x000000000041B000-memory.dmp

memory/3580-607-0x0000000000400000-0x000000000041B000-memory.dmp

memory/3120-613-0x00007FF962170000-0x00007FF962180000-memory.dmp

memory/3120-624-0x00007FF962170000-0x00007FF962180000-memory.dmp

memory/3576-633-0x0000000000400000-0x000000000041B000-memory.dmp

memory/4084-639-0x0000000000400000-0x000000000041B000-memory.dmp

memory/3792-651-0x0000000000400000-0x000000000055F000-memory.dmp

memory/4668-717-0x0000000000400000-0x000000000055F000-memory.dmp

memory/1936-726-0x00007FF962170000-0x00007FF962180000-memory.dmp

memory/552-739-0x0000000000400000-0x000000000041B000-memory.dmp

memory/1936-738-0x00007FF962170000-0x00007FF962180000-memory.dmp

memory/3744-740-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2572-741-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2192-742-0x0000000000400000-0x000000000055F000-memory.dmp

memory/3516-808-0x0000000000400000-0x000000000055F000-memory.dmp

memory/2032-815-0x00007FF962170000-0x00007FF962180000-memory.dmp

memory/2032-823-0x00007FF962170000-0x00007FF962180000-memory.dmp

memory/5096-830-0x0000000000400000-0x000000000041B000-memory.dmp

memory/3012-831-0x0000000000400000-0x000000000041B000-memory.dmp

memory/3580-832-0x0000000000400000-0x000000000041B000-memory.dmp

memory/5100-833-0x0000000000400000-0x000000000055F000-memory.dmp

memory/5076-899-0x0000000000400000-0x000000000055F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\lBtUbPTN.xlsm

MD5 e566fc53051035e1e6fd0ed1823de0f9
SHA1 00bc96c48b98676ecd67e81a6f1d7754e4156044
SHA256 8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15
SHA512 a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04