Malware Analysis Report

2024-09-11 00:03

Sample ID 240620-b2s25s1gmc
Target e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972
SHA256 e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972
Tags
neshta persistence spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972

Threat Level: Known bad

The file e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972 was found to be: Known bad.

Malicious Activity Summary

neshta persistence spyware stealer

Detect Neshta payload

Neshta

Neshta family

Loads dropped DLL

Modifies system executable filetype association

Checks computer location settings

Executes dropped EXE

Reads user/profile data of web browsers

Adds Run key to start application

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Program crash

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-20 01:38

Signatures

Detect Neshta payload

Description Indicator Process Target
N/A N/A N/A N/A

Neshta family

neshta

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-20 01:38

Reported

2024-06-20 01:41

Platform

win7-20240611-en

Max time kernel

38s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972.exe"

Signatures

Detect Neshta payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Neshta

persistence spyware neshta

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972.exe N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE N/A
N/A N/A C:\ProgramData\Synaptics\Synaptics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE N/A
N/A N/A C:\ProgramData\Synaptics\Synaptics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE N/A
N/A N/A C:\ProgramData\Synaptics\Synaptics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE N/A
N/A N/A C:\ProgramData\Synaptics\Synaptics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE N/A
N/A N/A C:\ProgramData\Synaptics\Synaptics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE N/A
N/A N/A C:\ProgramData\Synaptics\Synaptics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE N/A
N/A N/A C:\ProgramData\Synaptics\Synaptics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE N/A
N/A N/A C:\ProgramData\Synaptics\Synaptics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE N/A
N/A N/A C:\ProgramData\Synaptics\Synaptics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE N/A
N/A N/A C:\ProgramData\Synaptics\Synaptics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE N/A
N/A N/A C:\ProgramData\Synaptics\Synaptics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE N/A
N/A N/A C:\ProgramData\Synaptics\Synaptics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972.exe N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972.exe N/A
N/A N/A C:\ProgramData\Synaptics\Synaptics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE N/A
N/A N/A C:\ProgramData\Synaptics\Synaptics.exe N/A
N/A N/A C:\ProgramData\Synaptics\Synaptics.exe N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972.exe N/A
N/A N/A C:\ProgramData\Synaptics\Synaptics.exe N/A
N/A N/A C:\ProgramData\Synaptics\Synaptics.exe N/A
N/A N/A C:\ProgramData\Synaptics\Synaptics.exe N/A
N/A N/A C:\ProgramData\Synaptics\Synaptics.exe N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\ProgramData\Synaptics\Synaptics.exe N/A
N/A N/A C:\ProgramData\Synaptics\Synaptics.exe N/A
N/A N/A C:\ProgramData\Synaptics\Synaptics.exe N/A
N/A N/A C:\ProgramData\Synaptics\Synaptics.exe N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" C:\Users\Admin\AppData\Local\Temp\3582-490\e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\PROGRA~2\MICROS~1\Office14\NAMECO~1.EXE C:\Users\Admin\AppData\Local\Temp\e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972.exe N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE C:\Users\Admin\AppData\Local\Temp\._cache_e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXE C:\Users\Admin\AppData\Local\Temp\e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\ink\mip.exe C:\Users\Admin\AppData\Local\Temp\._cache_e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\Oarpmany.exe C:\Users\Admin\AppData\Local\Temp\e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\BCSSync.exe C:\Users\Admin\AppData\Local\Temp\._cache_e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\Setup.exe C:\Users\Admin\AppData\Local\Temp\._cache_e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\GRAPH.EXE C:\Users\Admin\AppData\Local\Temp\._cache_e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE C:\Users\Admin\AppData\Local\Temp\e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\DISABL~1.EXE C:\Users\Admin\AppData\Local\Temp\._cache_e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\OIS.EXE C:\Users\Admin\AppData\Local\Temp\._cache_e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~1\wab.exe C:\Users\Admin\AppData\Local\Temp\e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\._cache_e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972.exe N/A
File opened for modification C:\PROGRA~2\WI4223~1\sidebar.exe C:\Users\Admin\AppData\Local\Temp\e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\GROOVEMN.EXE C:\Users\Admin\AppData\Local\Temp\._cache_e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\XLICONS.EXE C:\Users\Admin\AppData\Local\Temp\._cache_e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~1\wab.exe C:\Users\Admin\AppData\Local\Temp\._cache_e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\wmplayer.exe C:\Users\Admin\AppData\Local\Temp\._cache_e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\wmpshare.exe C:\Users\Admin\AppData\Local\Temp\e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\INFOPATH.EXE C:\Users\Admin\AppData\Local\Temp\e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSOHTMED.EXE C:\Users\Admin\AppData\Local\Temp\._cache_e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\ONENOTEM.EXE C:\Users\Admin\AppData\Local\Temp\e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972.exe N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE C:\Users\Admin\AppData\Local\Temp\._cache_e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE C:\Users\Admin\AppData\Local\Temp\._cache_e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOF5E2~1.EXE C:\Users\Admin\AppData\Local\Temp\e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\ACCICONS.EXE C:\Users\Admin\AppData\Local\Temp\e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXE C:\Users\Admin\AppData\Local\Temp\e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE C:\Users\Admin\AppData\Local\Temp\e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\ieinstal.exe C:\Users\Admin\AppData\Local\Temp\e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\CLVIEW.EXE C:\Users\Admin\AppData\Local\Temp\e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\wmlaunch.exe C:\Users\Admin\AppData\Local\Temp\e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE C:\Users\Admin\AppData\Local\Temp\e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972.exe N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe C:\Users\Admin\AppData\Local\Temp\._cache_e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972.exe N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\SETUPF~1\{AC76B~1\Setup.exe C:\Users\Admin\AppData\Local\Temp\._cache_e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\ONENOTEM.EXE C:\Users\Admin\AppData\Local\Temp\._cache_e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972.exe N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Resource\Icons\SC_REA~1.EXE C:\Users\Admin\AppData\Local\Temp\._cache_e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOXMLED.EXE C:\Users\Admin\AppData\Local\Temp\e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXE C:\Users\Admin\AppData\Local\Temp\._cache_e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\WORDICON.EXE C:\Users\Admin\AppData\Local\Temp\._cache_e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\wmprph.exe C:\Users\Admin\AppData\Local\Temp\._cache_e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\ACCICONS.EXE C:\Users\Admin\AppData\Local\Temp\._cache_e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE C:\Users\Admin\AppData\Local\Temp\e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972.exe N/A
File opened for modification C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE C:\Users\Admin\AppData\Local\Temp\._cache_e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\WMPDMC.exe C:\Users\Admin\AppData\Local\Temp\._cache_e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~2\ACCESS~1\wordpad.exe C:\Users\Admin\AppData\Local\Temp\e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972.exe N/A
File opened for modification C:\PROGRA~2\WI4223~1\sidebar.exe C:\Users\Admin\AppData\Local\Temp\._cache_e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\FLTLDR.EXE C:\Users\Admin\AppData\Local\Temp\._cache_e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\SOURCE~1\OSE.EXE C:\Users\Admin\AppData\Local\Temp\e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSTORDB.EXE C:\Users\Admin\AppData\Local\Temp\._cache_e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\WORDICON.EXE C:\Users\Admin\AppData\Local\Temp\e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\XLICONS.EXE C:\Users\Admin\AppData\Local\Temp\e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE C:\Users\Admin\AppData\Local\Temp\._cache_e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXE C:\Users\Admin\AppData\Local\Temp\e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE C:\Users\Admin\AppData\Local\Temp\._cache_e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972.exe N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe C:\Users\Admin\AppData\Local\Temp\e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE C:\Users\Admin\AppData\Local\Temp\e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSQRY32.EXE C:\Users\Admin\AppData\Local\Temp\._cache_e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\wmpconfig.exe C:\Users\Admin\AppData\Local\Temp\e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\ink\mip.exe C:\Users\Admin\AppData\Local\Temp\e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOXMLED.EXE C:\Users\Admin\AppData\Local\Temp\._cache_e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\ODeploy.exe C:\Users\Admin\AppData\Local\Temp\._cache_e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\CNFNOT32.EXE C:\Users\Admin\AppData\Local\Temp\._cache_e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
File opened for modification C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
File opened for modification C:\Windows\svchost.com C:\Windows\svchost.com N/A
File opened for modification C:\Windows\svchost.com C:\Windows\svchost.com N/A
File opened for modification C:\Windows\directx.sys C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A
File opened for modification C:\Windows\directx.sys C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
File opened for modification C:\Windows\directx.sys C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
File opened for modification C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
File opened for modification C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
File opened for modification C:\Windows\svchost.com C:\Windows\svchost.com N/A
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A
File opened for modification C:\Windows\svchost.com C:\Windows\svchost.com N/A
File opened for modification C:\Windows\svchost.com C:\Windows\svchost.com N/A
File opened for modification C:\Windows\directx.sys C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
File opened for modification C:\Windows\svchost.com C:\Windows\svchost.com N/A
File opened for modification C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
File opened for modification C:\Windows\directx.sys C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A
File opened for modification C:\Windows\directx.sys C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A
File opened for modification C:\Windows\svchost.com C:\Windows\svchost.com N/A
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A
File opened for modification C:\Windows\directx.sys C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
File opened for modification C:\Windows\svchost.com C:\Windows\svchost.com N/A
File opened for modification C:\Windows\svchost.com C:\Windows\svchost.com N/A
File opened for modification C:\Windows\svchost.com C:\Windows\svchost.com N/A
File opened for modification C:\Windows\directx.sys C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
File opened for modification C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A
File opened for modification C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
File opened for modification C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
File opened for modification C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A
File opened for modification C:\Windows\directx.sys C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
File opened for modification C:\Windows\svchost.com C:\Windows\svchost.com N/A
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A
File opened for modification C:\Windows\directx.sys C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
File opened for modification C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
File opened for modification C:\Windows\svchost.com C:\Windows\svchost.com N/A
File opened for modification C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A
File opened for modification C:\Windows\directx.sys C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
File opened for modification C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A
File opened for modification C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
File opened for modification C:\Windows\svchost.com C:\Windows\svchost.com N/A
File opened for modification C:\Windows\directx.sys C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A
File opened for modification C:\Windows\svchost.com C:\Windows\svchost.com N/A
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A
File opened for modification C:\Windows\directx.sys C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
File opened for modification C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
File opened for modification C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A
File opened for modification C:\Windows\directx.sys C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
File opened for modification C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\._cache_e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972.exe N/A
File opened for modification C:\Windows\directx.sys C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
File opened for modification C:\Windows\directx.sys C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
File opened for modification C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
File opened for modification C:\Windows\svchost.com C:\Windows\svchost.com N/A
File opened for modification C:\Windows\svchost.com C:\Windows\svchost.com N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2240 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972.exe C:\Users\Admin\AppData\Local\Temp\3582-490\e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972.exe
PID 2240 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972.exe C:\Users\Admin\AppData\Local\Temp\3582-490\e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972.exe
PID 2240 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972.exe C:\Users\Admin\AppData\Local\Temp\3582-490\e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972.exe
PID 2240 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972.exe C:\Users\Admin\AppData\Local\Temp\3582-490\e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972.exe
PID 3044 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972.exe C:\Users\Admin\AppData\Local\Temp\._cache_e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972.exe
PID 3044 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972.exe C:\Users\Admin\AppData\Local\Temp\._cache_e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972.exe
PID 3044 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972.exe C:\Users\Admin\AppData\Local\Temp\._cache_e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972.exe
PID 3044 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972.exe C:\Users\Admin\AppData\Local\Temp\._cache_e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972.exe
PID 2636 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\._cache_e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972.exe C:\Windows\svchost.com
PID 2636 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\._cache_e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972.exe C:\Windows\svchost.com
PID 2636 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\._cache_e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972.exe C:\Windows\svchost.com
PID 2636 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\._cache_e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972.exe C:\Windows\svchost.com
PID 2556 wrote to memory of 2564 N/A C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
PID 2556 wrote to memory of 2564 N/A C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
PID 2556 wrote to memory of 2564 N/A C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
PID 2556 wrote to memory of 2564 N/A C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
PID 3044 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972.exe C:\ProgramData\Synaptics\Synaptics.exe
PID 3044 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972.exe C:\ProgramData\Synaptics\Synaptics.exe
PID 3044 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972.exe C:\ProgramData\Synaptics\Synaptics.exe
PID 3044 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972.exe C:\ProgramData\Synaptics\Synaptics.exe
PID 2464 wrote to memory of 2816 N/A C:\ProgramData\Synaptics\Synaptics.exe C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
PID 2464 wrote to memory of 2816 N/A C:\ProgramData\Synaptics\Synaptics.exe C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
PID 2464 wrote to memory of 2816 N/A C:\ProgramData\Synaptics\Synaptics.exe C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
PID 2464 wrote to memory of 2816 N/A C:\ProgramData\Synaptics\Synaptics.exe C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
PID 2564 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
PID 2564 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
PID 2564 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
PID 2564 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
PID 2816 wrote to memory of 1656 N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe C:\Windows\svchost.com
PID 2816 wrote to memory of 1656 N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe C:\Windows\svchost.com
PID 2816 wrote to memory of 1656 N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe C:\Windows\svchost.com
PID 2816 wrote to memory of 1656 N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe C:\Windows\svchost.com
PID 1656 wrote to memory of 2004 N/A C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
PID 1656 wrote to memory of 2004 N/A C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
PID 1656 wrote to memory of 2004 N/A C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
PID 1656 wrote to memory of 2004 N/A C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
PID 2004 wrote to memory of 1112 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
PID 2004 wrote to memory of 1112 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
PID 2004 wrote to memory of 1112 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
PID 2004 wrote to memory of 1112 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
PID 2004 wrote to memory of 1628 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE C:\ProgramData\Synaptics\Synaptics.exe
PID 2004 wrote to memory of 1628 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE C:\ProgramData\Synaptics\Synaptics.exe
PID 2004 wrote to memory of 1628 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE C:\ProgramData\Synaptics\Synaptics.exe
PID 2004 wrote to memory of 1628 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE C:\ProgramData\Synaptics\Synaptics.exe
PID 1628 wrote to memory of 1156 N/A C:\ProgramData\Synaptics\Synaptics.exe C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
PID 1628 wrote to memory of 1156 N/A C:\ProgramData\Synaptics\Synaptics.exe C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
PID 1628 wrote to memory of 1156 N/A C:\ProgramData\Synaptics\Synaptics.exe C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
PID 1628 wrote to memory of 1156 N/A C:\ProgramData\Synaptics\Synaptics.exe C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
PID 1156 wrote to memory of 912 N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe C:\Windows\svchost.com
PID 1156 wrote to memory of 912 N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe C:\Windows\svchost.com
PID 1156 wrote to memory of 912 N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe C:\Windows\svchost.com
PID 1156 wrote to memory of 912 N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe C:\Windows\svchost.com
PID 912 wrote to memory of 2124 N/A C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
PID 912 wrote to memory of 2124 N/A C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
PID 912 wrote to memory of 2124 N/A C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
PID 912 wrote to memory of 2124 N/A C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
PID 2124 wrote to memory of 1316 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
PID 2124 wrote to memory of 1316 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
PID 2124 wrote to memory of 1316 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
PID 2124 wrote to memory of 1316 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
PID 2124 wrote to memory of 280 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE C:\ProgramData\Synaptics\Synaptics.exe
PID 2124 wrote to memory of 280 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE C:\ProgramData\Synaptics\Synaptics.exe
PID 2124 wrote to memory of 280 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE C:\ProgramData\Synaptics\Synaptics.exe
PID 2124 wrote to memory of 280 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE C:\ProgramData\Synaptics\Synaptics.exe

Processes

C:\Users\Admin\AppData\Local\Temp\e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972.exe

"C:\Users\Admin\AppData\Local\Temp\e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972.exe"

C:\Users\Admin\AppData\Local\Temp\3582-490\e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972.exe

"C:\Users\Admin\AppData\Local\Temp\3582-490\e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972.exe"

C:\Users\Admin\AppData\Local\Temp\._cache_e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972.exe"

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE

"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE

"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE

"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1316 -s 664

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1112 -s 660

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2804 -s 668

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE

"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2748 -s 660

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE

"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2932 -s 664

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE

"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2308 -s 660

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE

"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1208 -s 664

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE

"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2420 -s 664

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE

"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 984 -s 660

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE

"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2952 -s 660

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE

"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2596 -s 660

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE

"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 904 -s 660

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE

"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1284 -s 660

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE

"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2008 -s 664

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE

"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 936 -s 664

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE

"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2876 -s 664

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE

"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 672 -s 664

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE

"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3020 -s 660

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE

"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2584 -s 664

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE

"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2040 -s 660

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE

"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 960 -s 660

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE

"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1132 -s 664

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE

"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1852 -s 660

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE

"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2568 -s 664

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE

"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1820 -s 660

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE

"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 280 -s 668

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE

"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2488 -s 660

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE

"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 576 -s 660

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE

"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3124 -s 664

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE

"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3416 -s 664

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE

"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3696 -s 660

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE

"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3968 -s 664

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE

"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3256 -s 660

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE

"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3544 -s 664

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE

"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3836 -s 660

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE

"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 896 -s 664

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE

"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3552 -s 660

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE

"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3904 -s 664

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE

"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3524 -s 660

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE

"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3868 -s 660

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE

"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3268 -s 664

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE

"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 584 -s 660

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE

"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3432 -s 664

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE

"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3108 -s 664

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE

"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3760 -s 660

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE

"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4088 -s 660

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE

"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3264 -s 660

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE

"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3852 -s 668

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE

"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3576 -s 664

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE

"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4336 -s 664

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE

"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4624 -s 660

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE

"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4940 -s 660

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE

"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4156 -s 664

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE

"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4552 -s 660

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE

"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1436 -s 664

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE

"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5108 -s 660

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE

"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4488 -s 660

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE

"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4840 -s 660

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE

"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4200 -s 660

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE

"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4864 -s 660

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE

"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4148 -s 660

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE

"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4768 -s 660

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE

"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1840 -s 660

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE

"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 856 -s 664

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE

"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 664

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE

"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4532 -s 660

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE

"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4256 -s 660

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE

"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4764 -s 660

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE

"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1752 -s 664

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE

"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4476 -s 664

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE

"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2172 -s 660

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE

"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5316 -s 660

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE

"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5596 -s 660

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE

"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5876 -s 664

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE

"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4192 -s 664

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE

"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5432 -s 664

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE

"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5732 -s 660

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE

"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2700 -s 664

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE

"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\3582-490\e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972.exe

MD5 24d4d9a41938e137745887381a12e6d4
SHA1 5617de436daba197cfc2483e3afe934c452337cc
SHA256 1c36f14d5c7df48e26a149c28e026a7a3eb622e1594ecee0c3442b926071c436
SHA512 4edb6b41dba6efc28dfdb6e30818339732760b69a6659e77a0e0dd3289e395bbdfdbd8d292c9071eb788bdb01150b5bc4ebb122d1a5f9cf0dd152fb141bad912

memory/3044-12-0x00000000003A0000-0x00000000003A1000-memory.dmp

C:\MSOCache\ALLUSE~1\{90140~1\dwtrig20.exe

MD5 cf6c595d3e5e9667667af096762fd9c4
SHA1 9bb44da8d7f6457099cb56e4f7d1026963dce7ce
SHA256 593e60cc30ae0789448547195af77f550387f6648d45847ea244dd0dd7abf03d
SHA512 ff4f789df9e6a6d0fbe12b3250f951fcf11e857906c65e96a30bb46266e7e1180d6103a03db2f3764e0d1346b2de7afba8259ba080057e4a268e45e8654dfa80

\Users\Admin\AppData\Local\Temp\._cache_e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972.exe

MD5 58a90c9469cf77c251e438179faea8df
SHA1 3737c1391e7ab7a7c159734986c2fd5e5a5b3ee3
SHA256 f2a4fdabe84832e098f3965d1da4318c4bb870c055a4af48084e5b9788320000
SHA512 e12c71aa25d83270fe15ceeb4fa39f6f2fe7c004b44142f729f644f95b55402fc722f220dbc01fea7d0047b3c688046386b86691dc6667f9934a68880bb30325

C:\Windows\svchost.com

MD5 2ff724ca136d4a831421dfd891e167c6
SHA1 5416f8de17ae4a8d9ea2e2d4570c5dd9ba7e5eb8
SHA256 ff787f8231bb6f6a30eb61f46d56920e742ae22dd047622f8fbe6266d8bb864d
SHA512 5ad202eb3222b9a95695ee1ffcebdaa3cd7235dbc8a1bf845e560736f514d9d7c92bc509c7089f53ff391bcd1d053050ccf0d889102a2b53b373d211dfbd9dc0

C:\MSOCache\ALLUSE~1\{90140~1\DW20.EXE

MD5 02ee6a3424782531461fb2f10713d3c1
SHA1 b581a2c365d93ebb629e8363fd9f69afc673123f
SHA256 ead58c483cb20bcd57464f8a4929079539d634f469b213054bf737d227c026dc
SHA512 6c9272cb1b6bde3ee887e1463ab30ea76568cb1a285d11393337b78c4ad1c3b7e6ce47646a92ab6d70bff4b02ab9d699b84af9437b720e52dcd35579fe2693ec

C:\MSOCache\ALLUSE~1\{9A861~1\setup.exe

MD5 566ed4f62fdc96f175afedd811fa0370
SHA1 d4b47adc40e0d5a9391d3f6f2942d1889dd2a451
SHA256 e17cd94c08fc0e001a49f43a0801cea4625fb9aee211b6dfebebec446c21f460
SHA512 cdf8f508d396a1a0d2e0fc25f2ae46398b25039a0dafa0919737cc44e3e926ebae4c3aa26f1a3441511430f1a36241f8e61c515a5d9bd98ad4740d4d0f7b8db7

C:\MSOCache\ALLUSE~1\{9A861~1\ose.exe

MD5 58b58875a50a0d8b5e7be7d6ac685164
SHA1 1e0b89c1b2585c76e758e9141b846ed4477b0662
SHA256 2a0aa0763fdef9c38c5dd4d50703f0c7e27f4903c139804ec75e55f8388139ae
SHA512 d67214077162a105d01b11a8e207fab08b45b08fbfba0615a2ea146e1dd99eea35e4f02958a1754d3192292c00caf777f186f0a362e4b8b0da51fabbdb76375b

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE

MD5 d96b1760395519ccdb18da2654a2fd84
SHA1 99bb6809355a5961b87eba8ff428a8e3bf26051c
SHA256 0a13c019c85afc769ec7ff398f9cf33feb263445a2a37f0e1f06bb51b1c0de16
SHA512 a87748feb742a20b0e73e0f051ce4df3e81b158091df73d8d0b6e0251c46e9ed92cc9371701e9f11bc2356d41baf1e7c0a9cfcdd0dfb51328eda066d8e84a4fa

memory/3044-59-0x0000000000400000-0x000000000065F000-memory.dmp

memory/2556-65-0x0000000000400000-0x000000000041B000-memory.dmp

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE

MD5 593e3c4e79aac503ecc36e6f3e4039d6
SHA1 d19a1d24b61d7358d50a99b35e3a8a119e66a783
SHA256 2768c17af7d2f15c3848d6dc32b34b94089c2199be35d40ce29fc6aec39cc50d
SHA512 af03476b97d739e0d49417a3654c021ee7712897eb0f618d430aa5cb86ee021f9bf4f50cd68531e8bbb282f6ffb55d65bfe5c549cc09fa46ada95def33ad047f

memory/2564-85-0x0000000000400000-0x000000000053E000-memory.dmp

memory/2816-90-0x0000000000400000-0x000000000041B000-memory.dmp

C:\Windows\directx.sys

MD5 6b3bfceb3942a9508a2148acbee89007
SHA1 3622ac7466cc40f50515eb6fcdc15d1f34ad3be3
SHA256 e0a7bae2a9ac263cff5d725922e40272d8854278d901233a93a5267859c00a3c
SHA512 fa222bfcade636824af32124b45450c92b1abec7a33e6e647a9248eef5371c127d22ccb7cc5a096b4d5d52e2457f3841293a1b34304e8e5523549856ac02f224

memory/1656-104-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2804-105-0x0000000000C80000-0x0000000000CA6000-memory.dmp

C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE

MD5 831270ac3db358cdbef5535b0b3a44e6
SHA1 c0423685c09bbe465f6bb7f8672c936e768f05a3
SHA256 a8f78ac26c738b13564252f1048ca784bf152ef048b829d3d22650b7f62078f0
SHA512 f64a00977d4b6f8c43f53cee7bb450f3c8cbef08525975055fde5d8c515db32d2bfad92e99313b3a10a72a50dd09b4ffe28e9af4c148c6480622ba486776e450

memory/2464-118-0x0000000000400000-0x000000000065F000-memory.dmp

memory/1112-129-0x0000000000870000-0x0000000000896000-memory.dmp

\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE

MD5 9e2b9928c89a9d0da1d3e8f4bd96afa7
SHA1 ec66cda99f44b62470c6930e5afda061579cde35
SHA256 8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043
SHA512 2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

memory/2004-138-0x0000000000400000-0x000000000053E000-memory.dmp

C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXE

MD5 7ce8bcabb035b3de517229dbe7c5e67d
SHA1 8e43cd79a7539d240e7645f64fd7f6e9e0f90ab9
SHA256 81a3a1dc3104973a100bf8d114b6be35da03767a0cbbaf925f970ffcbe5f217c
SHA512 be7fcd50b4f71b458ca001b7c019bf1169ec089d7a1ce05355134b11cbe75a5a29811f9efec803877aeb1a1d576ea2628926e0131361db23214275af6e89e80c

C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBE_~1.EXE

MD5 a741183f8c4d83467c51abab1ff68d7b
SHA1 ddb4a6f3782c0f03f282c2bed765d7b065aadcc6
SHA256 78be3aeb507db7e4ee7468c6b9384ee0459deebd503e06bd4988c52247ecea24
SHA512 c15dbecc0754a662892ecaff4b9b6c1bad46f710d8e1b973f86eaee467444f8e5764b31ace8f5a9a5e936947cc4dcb97cb1b14a6930c1025f38a3544393b6b18

C:\PROGRA~2\COMMON~1\MICROS~1\EQUATION\EQNEDT32.EXE

MD5 d4fdbb8de6a219f981ffda11aa2b2cc4
SHA1 cca2cffd4cf39277cc56ebd050f313de15aabbf6
SHA256 ba3dc87fca4641e5f5486c4d50c09d087e65264e6c5c885fa6866f6ccb23167b
SHA512 7167e13dbcc8c96114fef5fc7ae19afa31173617db153dd283aa6d8256f6b8c09c8f906f5d418efe9f7f242cdfaef24b93c11c451701c4d56eb48d18de4e88bf

C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOXMLED.EXE

MD5 7ed0f5802e7fc1243b7c82862c5bf87c
SHA1 e16741b5050df662da25419da6cf80517fc2a46a
SHA256 3342cf175e2c42ee691ba58cf7f6d6db3116f615b5483327fed706067b265595
SHA512 a006888ed6dbd9dd548f84d57c84e3baccc1ee5c09d2d127ce26c3f01af59e8531bc43b4f986aa45d8853f3d71a87dec2adbd34bd75a182e4f45111c69339fef

memory/1156-181-0x0000000000400000-0x000000000041B000-memory.dmp

memory/912-188-0x0000000000400000-0x000000000041B000-memory.dmp

memory/1628-201-0x0000000000400000-0x000000000053E000-memory.dmp

C:\ProgramData\Synaptics\RCX7FDA.tmp

MD5 f3a0530736a863e4f515ff43a05fd8f3
SHA1 f484212f405000bc7ac99fbb1b76036a320c1961
SHA256 41171f3979204bc9a1b932e16d0700e6bedb7915507470badd64a979187652b6
SHA512 02e39f09d7b32497bc9e278f59e3994ca98337332973ff4868cf29d01d928d425b22884e1ff68250013353bc1ec2dee1584902114f735b11ffea61ea709f840a

memory/2124-220-0x0000000000400000-0x000000000053E000-memory.dmp

memory/2132-238-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2248-256-0x0000000000400000-0x000000000041B000-memory.dmp

memory/280-260-0x0000000000400000-0x000000000053E000-memory.dmp

memory/2076-276-0x0000000000400000-0x000000000053E000-memory.dmp

memory/2016-292-0x0000000000400000-0x000000000041B000-memory.dmp

memory/784-293-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2240-294-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2532-295-0x0000000000400000-0x000000000053E000-memory.dmp

memory/1064-310-0x0000000000400000-0x000000000053E000-memory.dmp

memory/2028-314-0x0000000000400000-0x000000000041B000-memory.dmp

memory/580-320-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2452-321-0x0000000000400000-0x000000000053E000-memory.dmp

memory/936-336-0x0000000000400000-0x000000000053E000-memory.dmp

memory/2160-340-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2636-346-0x0000000000400000-0x000000000041B000-memory.dmp

memory/1488-347-0x0000000000400000-0x000000000041B000-memory.dmp

memory/1636-348-0x0000000000400000-0x000000000053E000-memory.dmp

memory/616-363-0x0000000000400000-0x000000000053E000-memory.dmp

memory/1924-367-0x0000000000400000-0x000000000041B000-memory.dmp

memory/608-373-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2300-374-0x0000000000400000-0x000000000053E000-memory.dmp

memory/952-389-0x0000000000400000-0x000000000053E000-memory.dmp

memory/1604-393-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2356-399-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2264-400-0x0000000000400000-0x000000000053E000-memory.dmp

memory/2240-410-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2636-411-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2612-417-0x0000000000400000-0x000000000053E000-memory.dmp

memory/2600-421-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2328-427-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2776-428-0x0000000000400000-0x000000000053E000-memory.dmp

memory/2184-443-0x0000000000400000-0x000000000053E000-memory.dmp

memory/2568-447-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2384-453-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2816-454-0x0000000000400000-0x000000000053E000-memory.dmp

memory/752-469-0x0000000000400000-0x000000000053E000-memory.dmp

memory/1548-473-0x0000000000400000-0x000000000041B000-memory.dmp

memory/860-479-0x0000000000400000-0x000000000041B000-memory.dmp

memory/1344-480-0x0000000000400000-0x000000000053E000-memory.dmp

memory/2272-495-0x0000000000400000-0x000000000053E000-memory.dmp

memory/2844-499-0x0000000000400000-0x000000000041B000-memory.dmp

memory/1512-505-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2148-506-0x0000000000400000-0x000000000053E000-memory.dmp

memory/1536-521-0x0000000000400000-0x000000000053E000-memory.dmp

memory/856-525-0x0000000000400000-0x000000000041B000-memory.dmp

memory/688-531-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2768-532-0x0000000000400000-0x000000000053E000-memory.dmp

memory/2480-547-0x0000000000400000-0x000000000053E000-memory.dmp

memory/944-551-0x0000000000400000-0x000000000041B000-memory.dmp

memory/1808-557-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2792-560-0x0000000000400000-0x000000000053E000-memory.dmp

memory/2636-559-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2240-558-0x0000000000400000-0x000000000041B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-20 01:38

Reported

2024-06-20 01:41

Platform

win10v2004-20240508-en

Max time kernel

143s

Max time network

89s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972.exe"

Signatures

Detect Neshta payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Neshta

persistence spyware neshta

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\._cache_e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE N/A
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\3582-490\e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972.exe N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" C:\Users\Admin\AppData\Local\Temp\3582-490\e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe C:\Users\Admin\AppData\Local\Temp\e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe C:\Users\Admin\AppData\Local\Temp\._cache_e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe C:\Users\Admin\AppData\Local\Temp\._cache_e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~1.EXE C:\Users\Admin\AppData\Local\Temp\._cache_e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\iexplore.exe C:\Users\Admin\AppData\Local\Temp\._cache_e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.37\MICROS~4.EXE C:\Users\Admin\AppData\Local\Temp\._cache_e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{EF5AF~1\WINDOW~1.EXE C:\Users\Admin\AppData\Local\Temp\e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE C:\Users\Admin\AppData\Local\Temp\._cache_e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE C:\Users\Admin\AppData\Local\Temp\e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.37\MI391D~1.EXE C:\Users\Admin\AppData\Local\Temp\._cache_e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\wmplayer.exe C:\Users\Admin\AppData\Local\Temp\._cache_e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972.exe N/A
File opened for modification C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE C:\Users\Admin\AppData\Local\Temp\e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE C:\Users\Admin\AppData\Local\Temp\e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe C:\Users\Admin\AppData\Local\Temp\._cache_e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE C:\Users\Admin\AppData\Local\Temp\e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~1.EXE C:\Users\Admin\AppData\Local\Temp\e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE C:\Users\Admin\AppData\Local\Temp\e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\wmpshare.exe C:\Users\Admin\AppData\Local\Temp\._cache_e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE C:\Users\Admin\AppData\Local\Temp\._cache_e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE C:\Users\Admin\AppData\Local\Temp\._cache_e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe C:\Users\Admin\AppData\Local\Temp\e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE C:\Users\Admin\AppData\Local\Temp\._cache_e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE C:\Users\Admin\AppData\Local\Temp\._cache_e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.37\MICROS~3.EXE C:\Users\Admin\AppData\Local\Temp\._cache_e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~2\wabmig.exe C:\Users\Admin\AppData\Local\Temp\._cache_e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\wmplayer.exe C:\Users\Admin\AppData\Local\Temp\e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\wmpshare.exe C:\Users\Admin\AppData\Local\Temp\e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE C:\Users\Admin\AppData\Local\Temp\e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972.exe N/A
File opened for modification C:\PROGRA~2\MOZILL~1\UNINST~1.EXE C:\Users\Admin\AppData\Local\Temp\e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe C:\Users\Admin\AppData\Local\Temp\._cache_e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe C:\Users\Admin\AppData\Local\Temp\e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE C:\Users\Admin\AppData\Local\Temp\._cache_e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\ieinstal.exe C:\Users\Admin\AppData\Local\Temp\e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.37\MICROS~2.EXE C:\Users\Admin\AppData\Local\Temp\e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~2\wab.exe C:\Users\Admin\AppData\Local\Temp\e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\setup_wm.exe C:\Users\Admin\AppData\Local\Temp\._cache_e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{D87AE~1\WINDOW~1.EXE C:\Users\Admin\AppData\Local\Temp\e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE C:\Users\Admin\AppData\Local\Temp\._cache_e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe C:\Users\Admin\AppData\Local\Temp\._cache_e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaws.exe C:\Users\Admin\AppData\Local\Temp\._cache_e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\ielowutil.exe C:\Users\Admin\AppData\Local\Temp\._cache_e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe C:\Users\Admin\AppData\Local\Temp\e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE C:\Users\Admin\AppData\Local\Temp\._cache_e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.37\MI9C33~1.EXE C:\Users\Admin\AppData\Local\Temp\e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE C:\Users\Admin\AppData\Local\Temp\._cache_e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaw.exe C:\Users\Admin\AppData\Local\Temp\e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\iexplore.exe C:\Users\Admin\AppData\Local\Temp\e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\._cache_e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972.exe N/A
File opened for modification C:\PROGRA~3\SYNAPT~1\SYNAPT~1.EXE C:\Users\Admin\AppData\Local\Temp\e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXE C:\Users\Admin\AppData\Local\Temp\e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE C:\Users\Admin\AppData\Local\Temp\e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOF5E2~1.EXE C:\Users\Admin\AppData\Local\Temp\e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~2.EXE C:\Users\Admin\AppData\Local\Temp\._cache_e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\ExtExport.exe C:\Users\Admin\AppData\Local\Temp\e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE C:\Users\Admin\AppData\Local\Temp\e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE C:\Users\Admin\AppData\Local\Temp\._cache_e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\MicrosoftEdgeUpdate.exe C:\Users\Admin\AppData\Local\Temp\e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\DISABL~1.EXE C:\Users\Admin\AppData\Local\Temp\e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972.exe N/A
File opened for modification C:\PROGRA~2\WI8A19~1\ImagingDevices.exe C:\Users\Admin\AppData\Local\Temp\._cache_e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE C:\Users\Admin\AppData\Local\Temp\._cache_e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe C:\Users\Admin\AppData\Local\Temp\._cache_e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE C:\Users\Admin\AppData\Local\Temp\._cache_e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\Download\{F3C4F~1\13187~1.37\MICROS~1.EXE C:\Users\Admin\AppData\Local\Temp\e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\svchost.com C:\Windows\svchost.com N/A
File opened for modification C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972.exe N/A
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A
File opened for modification C:\Windows\directx.sys C:\Users\Admin\AppData\Local\Temp\._cache_e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972.exe N/A
File opened for modification C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\._cache_e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Users\Admin\AppData\Local\Temp\3582-490\e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\._cache_e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4164 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972.exe C:\Users\Admin\AppData\Local\Temp\3582-490\e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972.exe
PID 4164 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972.exe C:\Users\Admin\AppData\Local\Temp\3582-490\e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972.exe
PID 4164 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972.exe C:\Users\Admin\AppData\Local\Temp\3582-490\e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972.exe
PID 2072 wrote to memory of 4980 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972.exe C:\Users\Admin\AppData\Local\Temp\._cache_e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972.exe
PID 2072 wrote to memory of 4980 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972.exe C:\Users\Admin\AppData\Local\Temp\._cache_e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972.exe
PID 2072 wrote to memory of 4980 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972.exe C:\Users\Admin\AppData\Local\Temp\._cache_e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972.exe
PID 4980 wrote to memory of 4604 N/A C:\Users\Admin\AppData\Local\Temp\._cache_e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972.exe C:\Windows\svchost.com
PID 4980 wrote to memory of 4604 N/A C:\Users\Admin\AppData\Local\Temp\._cache_e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972.exe C:\Windows\svchost.com
PID 4980 wrote to memory of 4604 N/A C:\Users\Admin\AppData\Local\Temp\._cache_e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972.exe C:\Windows\svchost.com
PID 2072 wrote to memory of 4968 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972.exe C:\ProgramData\Synaptics\Synaptics.exe
PID 2072 wrote to memory of 4968 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972.exe C:\ProgramData\Synaptics\Synaptics.exe
PID 2072 wrote to memory of 4968 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972.exe C:\ProgramData\Synaptics\Synaptics.exe
PID 4604 wrote to memory of 3332 N/A C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
PID 4604 wrote to memory of 3332 N/A C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
PID 4604 wrote to memory of 3332 N/A C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
PID 3332 wrote to memory of 5056 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
PID 3332 wrote to memory of 5056 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
PID 3332 wrote to memory of 5056 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972.exe

"C:\Users\Admin\AppData\Local\Temp\e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972.exe"

C:\Users\Admin\AppData\Local\Temp\3582-490\e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972.exe

"C:\Users\Admin\AppData\Local\Temp\3582-490\e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972.exe"

C:\Users\Admin\AppData\Local\Temp\._cache_e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972.exe"

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE

"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 5056 -ip 5056

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5056 -s 1068

Network

Country Destination Domain Proto
US 8.8.8.8:53 xred.mooo.com udp
US 8.8.8.8:53 freedns.afraid.org udp
US 8.8.8.8:53 docs.google.com udp
US 8.8.8.8:53 docs.google.com udp

Files

C:\Users\Admin\AppData\Local\Temp\3582-490\e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972.exe

MD5 24d4d9a41938e137745887381a12e6d4
SHA1 5617de436daba197cfc2483e3afe934c452337cc
SHA256 1c36f14d5c7df48e26a149c28e026a7a3eb622e1594ecee0c3442b926071c436
SHA512 4edb6b41dba6efc28dfdb6e30818339732760b69a6659e77a0e0dd3289e395bbdfdbd8d292c9071eb788bdb01150b5bc4ebb122d1a5f9cf0dd152fb141bad912

memory/2072-12-0x0000000000910000-0x0000000000911000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\._cache_e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972.exe

MD5 58a90c9469cf77c251e438179faea8df
SHA1 3737c1391e7ab7a7c159734986c2fd5e5a5b3ee3
SHA256 f2a4fdabe84832e098f3965d1da4318c4bb870c055a4af48084e5b9788320000
SHA512 e12c71aa25d83270fe15ceeb4fa39f6f2fe7c004b44142f729f644f95b55402fc722f220dbc01fea7d0047b3c688046386b86691dc6667f9934a68880bb30325

C:\ProgramData\Synaptics\Synaptics.exe

MD5 8637c10cd4c0d9fd2e12bae1fa414744
SHA1 ca4cf0db8b5583a62c716b58a09fc03bdd048b46
SHA256 ee9aa3d4c0924658245ff692c959e727095e7b6d240723e95d487fd35e7dc465
SHA512 8ff8ff32154783e91d4311c44aeb31cc3b991edd311f41575d606bc41aaaacfbcbe3c79f41e15b1ef4c43a06989cbc52500406984a9c45217527202c03109129

C:\Users\Admin\AppData\Local\Temp\3582-490\._cache_e16012cd42c8eb1346233b056618375166954eaf7c24021e7f7fb1b59cbde972.exe

MD5 d96b1760395519ccdb18da2654a2fd84
SHA1 99bb6809355a5961b87eba8ff428a8e3bf26051c
SHA256 0a13c019c85afc769ec7ff398f9cf33feb263445a2a37f0e1f06bb51b1c0de16
SHA512 a87748feb742a20b0e73e0f051ce4df3e81b158091df73d8d0b6e0251c46e9ed92cc9371701e9f11bc2356d41baf1e7c0a9cfcdd0dfb51328eda066d8e84a4fa

C:\Windows\svchost.com

MD5 2ff724ca136d4a831421dfd891e167c6
SHA1 5416f8de17ae4a8d9ea2e2d4570c5dd9ba7e5eb8
SHA256 ff787f8231bb6f6a30eb61f46d56920e742ae22dd047622f8fbe6266d8bb864d
SHA512 5ad202eb3222b9a95695ee1ffcebdaa3cd7235dbc8a1bf845e560736f514d9d7c92bc509c7089f53ff391bcd1d053050ccf0d889102a2b53b373d211dfbd9dc0

C:\Windows\directx.sys

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/2072-132-0x0000000000400000-0x000000000065F000-memory.dmp

memory/4604-133-0x0000000000400000-0x000000000041B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE

MD5 593e3c4e79aac503ecc36e6f3e4039d6
SHA1 d19a1d24b61d7358d50a99b35e3a8a119e66a783
SHA256 2768c17af7d2f15c3848d6dc32b34b94089c2199be35d40ce29fc6aec39cc50d
SHA512 af03476b97d739e0d49417a3654c021ee7712897eb0f618d430aa5cb86ee021f9bf4f50cd68531e8bbb282f6ffb55d65bfe5c549cc09fa46ada95def33ad047f

memory/3332-192-0x0000000000400000-0x000000000053E000-memory.dmp

C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe

MD5 8ffc3bdf4a1903d9e28b99d1643fc9c7
SHA1 919ba8594db0ae245a8abd80f9f3698826fc6fe5
SHA256 8268d3fefe8ca96a25a73690d14bacf644170ab5e9e70d2f8eeb350a4c83f9f6
SHA512 0b94ead97374d74eaee87e7614ddd3911d2cf66d4c49abbfd06b02c03e5dd56fd00993b4947e8a4bcd9d891fa39cab18cc6b61efc7d0812e91eb3aea9cd1a427

C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe

MD5 576410de51e63c3b5442540c8fdacbee
SHA1 8de673b679e0fee6e460cbf4f21ab728e41e0973
SHA256 3f00404dd591c2856e6f71bd78423ed47199902e0b85f228e6c4de72c59ddffe
SHA512 f7761f3878775b30cc3d756fa122e74548dfc0a27e38fa4109e34a59a009df333d074bf14a227549ae347605f271be47984c55148685faac479aeb481f7191db

memory/5056-208-0x0000000000430000-0x0000000000456000-memory.dmp

C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe

MD5 e316c67c785d3e39e90341b0bbaac705
SHA1 7ffd89492438a97ad848068cfdaab30c66afca35
SHA256 4fc8b9433b45c2607cbdf3d1c042c3918b854c9db3ade13b5bb2761d28f1c478
SHA512 25ec433c10adc69305de97107463be74d7b4768acca27886498485e8bc2c8b099994e6c1c6c09a7e603816203d6b18e509fb79f24992915eb802f59bcb790090

C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe

MD5 1871539ce7d10fa86a69d88817c88699
SHA1 77cd85e3be185549f58b9717d2ba442bbb4b3702
SHA256 5fa917ecb3603cec549bc4ba0b23b1a028100322e6f07bb1bc8f4c101fac38db
SHA512 1ab5408adad0fcbc95018ad748a7561e72897f866eab85318ce2ccdbadd7a3a5622ee31d7903d2d9ad9dece3d81acdbdb32807e62824b8a36fd13ec1484fb44a

C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\java.exe

MD5 0511abca39ed6d36fff86a8b6f2266cd
SHA1 bfe55ac898d7a570ec535328b6283a1cdfa33b00
SHA256 76ae68fc7c6c552c4a98c5df640cd96cf27b62e7e1536b7f7d08eff56fcde8b8
SHA512 6608412e3ed0057f387bafcddcb07bfe7da4f207c7300c460e5acc4bd234cec3362191800789eb465eb120ec069e3ed49eabb6bd7db30d9e9245a89bb20e4346

C:\PROGRA~2\COMMON~1\Oracle\Java\JAVAPA~1\javaw.exe

MD5 6f87ccb8ab73b21c9b8288b812de8efa
SHA1 a709254f843a4cb50eec3bb0a4170ad3e74ea9b3
SHA256 14e7a1f2f930380903ae3c912b4a70fd0a59916315c46874805020fe41215c22
SHA512 619b45b9728880691a88fbfc396c9d34b41d5e349e04d2eb2d18c535fffc079395835af2af7ca69319954a98852d2f9b7891eff91864d63bf25759c156e192ee

C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE

MD5 400836f307cf7dbfb469cefd3b0391e7
SHA1 7af3cbb12d3b2d8b5d9553c687c6129d1dd90a10
SHA256 cb5c5abb625a812d47007c75e3855be3f29da527a41cf03730ad5c81f3eb629a
SHA512 aa53cb304478585d6f83b19a6de4a7938ba2570d380a565a56ff5365aed073d5f56b95ad3228eb7d1e7e6110c6172a58b97bd6a5e57e4a8d39e762ed31dc17c8

C:\PROGRA~2\Google\Update\1336~1.151\GOF5E2~1.EXE

MD5 f7c714dbf8e08ca2ed1a2bfb8ca97668
SHA1 cc78bf232157f98b68b8d81327f9f826dabb18ab
SHA256 fc379fda348644fef660a3796861c122aa2dd5498e80279d1279a7ddb259e899
SHA512 28bc04c4df3f632865e68e83d045b3ecd2a263e62853c922b260d0734026e8a1541988fcbf4ddc9cf3aba6863214d6c6eb51f8bbb2586122a7cb01a70f08d16c

C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE

MD5 7c73e01bd682dc67ef2fbb679be99866
SHA1 ad3834bd9f95f8bf64eb5be0a610427940407117
SHA256 da333c92fdfd2e8092f5b56686b94f713f8fa27ef8f333e7222259ad1eb08f5d
SHA512 b2f3398e486cde482cb6bea18f4e5312fa2db7382ca25cea17bcba5ab1ff0e891d59328bc567641a9da05caca4d7c61dc102289d46e7135f947ce6155e295711

C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe

MD5 6ce350ad38c8f7cbe5dd8fda30d11fa1
SHA1 4f232b8cccd031c25378b4770f85e8038e8655d8
SHA256 06a3bb0bdd2da870bc8dc2c6b760855cea7821273ce59fc0be158149e52915ba
SHA512 4c18a112fec391f443a4ae217ac6d1850e0cfdad4b2d2cbe3f61cb01c0a1400ea6bd5c3ffe0a9978ead50e7f6cfab96ae5090bb9a611f988f1a86ccaa5d4cd4f

C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE

MD5 301d7f5daa3b48c83df5f6b35de99982
SHA1 17e68d91f3ec1eabde1451351cc690a1978d2cd4
SHA256 abe398284d90be5e5e78f98654b88664e2e14478f7eb3f55c5fd1c1bcf1bebee
SHA512 4a72a24dec461d116fe8324c651913273ccaa50cb036ccdacb3ae300e417cf4a64aa458869b8d2f3b4c298c59977437d11b241d08b391a481c3226954bba22e4

C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE

MD5 eb008f1890fed6dc7d13a25ff9c35724
SHA1 751d3b944f160b1f77c1c8852af25b65ae9d649c
SHA256 a9b7b9155af49d651b092bb1665447059f7a1d0061f88fa320d4f956b9723090
SHA512 9cfe3480f24bf8970ad5773cb9df51d132ee90ada35cbf8ec1222e09a60ae46b2ff4b96862fea19085b1c32f93c47c69f604589fa3f4af17e5d67bef893b6bf1

C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.37\MICROS~3.EXE

MD5 b86f81df1d3224fc2f5d293f20413c46
SHA1 3407aa7cc7089b259aaf1ec367468032ee92f20d
SHA256 42e44f3039713ab044e49fd84fcec8ba72f1366562bb927f0f3c99f3c0ee135f
SHA512 8b17b9ce97f945146c7d0c883e7f1d5645d1071b1af2c448f29181e39f765660ea30af92450b43896511e362aa9128a97b57186ee9f1af63a3aecf10ee8e00a1

C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.37\MIA062~1.EXE

MD5 7abe22be5c0dcb7e9632a304429772eb
SHA1 bf3cc17af14b6a3384162809def0460b57af8896
SHA256 1b3f3a1c7786f24e3b4b446cb6ca9e2c78a04c95f7e77a071a70c1def07d46cb
SHA512 7f9c0af509b1fc9a19b7ccbd6c8ecdd3e86a829ea7d5deee117aec483a9d82fd899633a45708c99aca04c3b03d6fd5918b286eb4a996bac76bcd1a4281d1c824

C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.37\MI391D~1.EXE

MD5 49139daa5597eaad0979962066bc0d6b
SHA1 530c87363f416a7dce92316c5941ec535029ca98
SHA256 013c02a79be19f930a74cb081f0ba048dfd54d82c236ee3a524f4d5784f67d77
SHA512 b5b636e313281eb1d398c1aec2f973503f4384ffb169fc691a7b340dc4f6f5bc14ba14bc6c242ac65da4469fd610d4fa52d84ed1fb6db0db22fad55974f908e0

C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.37\MICROS~1.EXE

MD5 64f984b2f82f24ff3afe653fa78ae2c1
SHA1 33ed1c8686a7ee0ef7efeb3628a814873461f54f
SHA256 a4d51e8cbc9a30dc847c6b0913e1d5a6c1643d0b013b4c93cd1a505ce59ffcf9
SHA512 7aa1eb9630ecb63e70de516f16fb8769cce1f4659b206c80ec284fc061d714aafbebc5ed69cdd971831ed1ee2194a1b55002de45386dcd095919c1fc031780ac

C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.37\MICROS~4.EXE

MD5 bb192a81d4fc65ff7517566285a01b66
SHA1 4451fe8fbb725dc44218842350116b989b5be6da
SHA256 5db0dd7e51ffaba7b95c83ba3d897ef4c43b62219a5c36a6fd0dc8ada45be063
SHA512 1d997fa59a86f209a116f26a7c5f756de3dc30844f30457caa4b53cca1225c0a5e734ae4adb69a33d3ab5ce9dc5a7c3980d44768380fc29d5ff834e4ebf21250

C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE

MD5 5c78384d8eb1f6cb8cb23d515cfe7c98
SHA1 b732ab6c3fbf2ded8a4d6c8962554d119f59082e
SHA256 9abd7f0aa942ee6b263cdc4b32a4110ddb95e43ad411190f0ea48c0064884564
SHA512 99324af5f8fb70a9d01f97d845a4c6999053d6567ba5b80830a843a1634b02eaf3c0c04ced924cf1b1be9b4d1dbbcb95538385f7f85ad84d3eaaa6dcdebcc8a6

C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE

MD5 a5d9eaa7d52bffc494a5f58203c6c1b5
SHA1 97928ba7b61b46a1a77a38445679d040ffca7cc8
SHA256 34b8662d38e7d3d6394fa6c965d943d2c82ea06ba9d7a0af4f8e0571fb5a9c48
SHA512 b6fdc8389bb4d736d608600469be6a4b0452aa3ea082f9a0791022a14c02b8fb7dcd62df133b0518e91283094eaba2be9318316f72d2c4aae6286d3e8686e787

C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe

MD5 5119e350591269f44f732b470024bb7c
SHA1 4ccd48e4c6ba6e162d1520760ee3063e93e2c014
SHA256 2b3aa9642b291932ba7f9f3d85221402a9d27078f56ef0e9c6bca633616e3873
SHA512 599b4ec673169d42a348d1117737b4ad4d7539574153df5a5c7689130c9ac5ff5cd00f3c8ec39adf32ff2b56be074081efcabb6456272c649703c3ea6cdaded4

C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE

MD5 9c10a5ec52c145d340df7eafdb69c478
SHA1 57f3d99e41d123ad5f185fc21454367a7285db42
SHA256 ccf37e88447a7afdb0ba4351b8c5606dbb05b984fb133194d71bcc00d7be4e36
SHA512 2704cfd1a708bfca6db7c52467d3abf0b09313db0cdd1ea8e5d48504c8240c4bf24e677f17c5df9e3ac1f6a678e0328e73e951dc4481f35027cb03b2966dc38f

C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE

MD5 97510a7d9bf0811a6ea89fad85a9f3f3
SHA1 2ac0c49b66a92789be65580a38ae9798237711db
SHA256 c48abbc29405559e68cc9f8fc6d218aa317a9d0023839c7846ca509c1f563fea
SHA512 2a93e2a3bd187fdde160f87ef777ccd1d1c398d547b7c869e6b64469b9418ad04d887cdfe94af7407476377bf2d009f576de3935c025b7aefbab26fbcd8f90fb

C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE

MD5 86749cd13537a694795be5d87ef7106d
SHA1 538030845680a8be8219618daee29e368dc1e06c
SHA256 8c35dcc975a5c7c687686a3970306452476d17a89787bc5bd3bf21b9de0d36a5
SHA512 7b6ae20515fb6b13701df422cbb0844d26c8a98087b2758427781f0bf11eb9ec5da029096e42960bf99ddd3d4f817db6e29ac172039110df6ea92547d331db4c

C:\PROGRA~3\PACKAG~1\{63880~1\WINDOW~1.EXE

MD5 558fdb0b9f097118b0c928bb6062370a
SHA1 ad971a9a4cac3112a494a167e1b7736dcd6718b3
SHA256 90cee4a89cc1401ac464818226b7df69aa930804cefce56758d4e2ea0009d924
SHA512 5d08d5428e82fb3dad55c19e2c029de8f16e121faac87575b97f468b0ec312b3e0696225546cba91addaaf8f2451d44ae6386b4e4f7f621ce45055f3be797d7c

C:\PROGRA~3\PACKAG~1\{EF5AF~1\WINDOW~1.EXE

MD5 72d0addae57f28c993b319bfafa190ac
SHA1 8082ad7a004a399f0edbf447425f6a0f6c772ff3
SHA256 671be498af4e13872784eeae4bae2e462dfac62d51d7057b2b3bebff511b7d18
SHA512 98bcde1133edbff713aa43b944dceb5dae20a9cbdf8009f5b758da20ccfbcdf6d617f609a7094aa52a514373f6695b0fd43c3d601538483816cd08832edd15ab

C:\Users\ALLUSE~1\PACKAG~1\{61087~1\VCREDI~1.EXE

MD5 9597098cfbc45fae685d9480d135ed13
SHA1 84401f03a7942a7e4fcd26e4414b227edd9b0f09
SHA256 45966655baaed42df92cd6d8094b4172c0e7a0320528b59cf63fca7c25d66e9c
SHA512 16afbdffe4b4b2e54b4cc96fe74e49ca367dea50752321ddf334756519812ba8ce147ef5459e421dc42e103bc3456aab1d185588cc86b35fa2315ac86b2a0164

C:\Users\ALLUSE~1\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE

MD5 63dc05e27a0b43bf25f151751b481b8c
SHA1 b20321483dac62bce0aa0cef1d193d247747e189
SHA256 7d607fb69c69a72a5bf4305599279f46318312ce1082b6a34ac9100b8c7762ce
SHA512 374d705704d456cc5f9f79b7f465f6ec7c775dc43001c840e9d6efbbdef20926ed1fa97f8a9b1e73161e17f72520b96c05fa58ac86b3945208b405f9166e7ba3

C:\Users\ALLUSE~1\PACKAG~1\{D87AE~1\WINDOW~1.EXE

MD5 2f826daacb184077b67aad3fe30e3413
SHA1 981d415fe70414aaac3a11024e65ae2e949aced8
SHA256 a6180f0aa9c56c32e71fe8dc150131177e4036a5a2111d0f3ec3c341fd813222
SHA512 2a6d9bdf4b7be9b766008e522cbb2c21921ba55d84dfde653ca977f70639e342a9d5548768de29ae2a85031c11dac2ae4b3c76b9136c020a6e7c9a9a5879caeb

C:\Users\ALLUSE~1\PACKAG~1\{EF6B0~1\VCREDI~1.EXE

MD5 07e194ce831b1846111eb6c8b176c86e
SHA1 b9c83ec3b0949cb661878fb1a8b43a073e15baf1
SHA256 d882f673ddf40a7ea6d89ce25e4ee55d94a5ef0b5403aa8d86656fd960d0e4ac
SHA512 55f9b6d3199aa60d836b6792ae55731236fb2a99c79ce8522e07e579c64eabb88fa413c02632deb87a361dd8490361aa1424beed2e01ba28be220f8c676a1bb5

C:\Users\ALLUSE~1\Adobe\Setup\{AC76B~1\setup.exe

MD5 3bf259392097b2c212b621a52da03706
SHA1 c740b063803008e3d4bab51b8e2719c1f4027bf9
SHA256 79538fa3a6cf33b989d43e7311de4d7b0e1a99b60964e3acc00fa3cb49ff8160
SHA512 186a81ec6cfa4c6dbcb2dc51cbd647bf44328077b58575fafab920303ccf259322cd31fccc0bb23418293f1b88d7f21ab3f0d8e3f9af7db4b5d3f7c8978c7934

C:\Users\ALLUSE~1\PACKAG~1\{CA675~1\VCREDI~1.EXE

MD5 f6636e7fd493f59a5511f08894bba153
SHA1 3618061817fdf1155acc0c99b7639b30e3b6936c
SHA256 61720d294189141b74631299911d91874aa02e67096a47cfaf56ef03f568bd33
SHA512 bd2ae751a37b4c065f0d7f7f7ec19785c1552dfaa4818fdb213fffcf90b7951886131a2b5d7aad843f714be418383fcf09ba1d9548bdbf38fa3d304a092a33d1

memory/4164-318-0x0000000000400000-0x000000000041B000-memory.dmp

memory/4980-319-0x0000000000400000-0x000000000041B000-memory.dmp

memory/4968-320-0x0000000000400000-0x000000000051D000-memory.dmp

memory/4980-322-0x0000000000400000-0x000000000041B000-memory.dmp

memory/4164-321-0x0000000000400000-0x000000000041B000-memory.dmp

memory/4968-323-0x0000000000400000-0x000000000051D000-memory.dmp

memory/4164-324-0x0000000000400000-0x000000000041B000-memory.dmp

memory/4980-325-0x0000000000400000-0x000000000041B000-memory.dmp

memory/4968-326-0x0000000000400000-0x000000000051D000-memory.dmp

memory/4980-329-0x0000000000400000-0x000000000041B000-memory.dmp

memory/4164-328-0x0000000000400000-0x000000000041B000-memory.dmp

memory/4968-332-0x0000000000400000-0x000000000051D000-memory.dmp

memory/4968-334-0x0000000000400000-0x000000000051D000-memory.dmp