agenttesla | 871cb8ec41387d172ee2f7c67c771b12a2d764617afe9a2820f9766623d67113

Analysis

max time kernel
150s
max time network
148s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
31/08/2024, 19:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0xBenz Spoofer.exe
Size

12.2MB
MD5

0a90d26fed44e0adc47a981f1bbb4be9
SHA1

51d5d7e5286cf8ebbd0bf995902e9c07cf5b9bdc
SHA256

57595f8217e40c3b92cabb2acba08e241f80e432551f5a5f09cb965b9d1361e2
SHA512

26cdcf12fdcfc23175b9fad8af4ea5334cf44fcb101401ed911a148d9920743cf443aadd8550bd1c21e049fa8b633f7b631444bef69c6928a00d9864fb057a37
SSDEEP

393216:7bhpZbRK0u3ezsWHYM2G1WKWLRTqAPLKEem2:fh7w0u3eA020+Rl+

Score

10^/10

agenttesla discovery keylogger macro persistence spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla payload 1 IoCs

resource	yara_rule
behavioral1/memory/880-454-0x0000000005310000-0x0000000005524000-memory.dmp	family_agenttesla

Suspicious Office macro 2 IoCs

Office document equipped with macros.

macro

resource
behavioral1/files/0x0005000000019cba-133.dat
behavioral1/files/0x0006000000019ce4-146.dat

Executes dropped EXE 64 IoCs

pid	Process
1836	._cache_0xBenz Spoofer.exe
2780	Synaptics.exe
2812	._cache_Synaptics.exe
2912	._cache_._cache_0xBenz Spoofer.exe
2260	svchost.exe
2228	._cache_._cache_Synaptics.exe
2432	svchost.exe
1532	Synaptics.exe
1656	svchost.exe
620	._cache_Synaptics.exe
2732	._cache_._cache_Synaptics.exe
2012	svchost.exe
1760	Synaptics.exe
1008	._cache_Synaptics.exe
556	._cache_._cache_Synaptics.exe
2308	svchost.exe
1788	Synaptics.exe
1452	._cache_Synaptics.exe
1888	._cache_._cache_Synaptics.exe
2072	svchost.exe
1616	Synaptics.exe
2748	._cache_Synaptics.exe
2988	._cache_._cache_Synaptics.exe
1060	svchost.exe
2980	Synaptics.exe
1692	._cache_Synaptics.exe
1704	._cache_._cache_Synaptics.exe
2156	svchost.exe
880	._cache_._cache_Synaptics.exe
348	Synaptics.exe
2732	._cache_Synaptics.exe
2764	._cache_._cache_Synaptics.exe
2920	Synaptics.exe
400	._cache_Synaptics.exe
2556	._cache_._cache_Synaptics.exe
2004	Synaptics.exe
1452	._cache_Synaptics.exe
1152	._cache_._cache_Synaptics.exe
1824	Synaptics.exe
992	._cache_Synaptics.exe
2200	._cache_._cache_Synaptics.exe
2116	Synaptics.exe
2944	._cache_Synaptics.exe
2952	._cache_._cache_Synaptics.exe
2664	Synaptics.exe
348	._cache_Synaptics.exe
2408	._cache_._cache_Synaptics.exe
748	Synaptics.exe
1676	._cache_Synaptics.exe
2568	._cache_._cache_Synaptics.exe
2780	Synaptics.exe
1556	._cache_Synaptics.exe
2216	._cache_._cache_Synaptics.exe
856	Synaptics.exe
2676	._cache_Synaptics.exe
2888	._cache_._cache_Synaptics.exe
2388	Synaptics.exe
2732	._cache_Synaptics.exe
2128	._cache_._cache_Synaptics.exe
916	Synaptics.exe
2636	._cache_Synaptics.exe
2260	._cache_._cache_Synaptics.exe
296	Synaptics.exe
2656	._cache_Synaptics.exe

Loads dropped DLL 64 IoCs

pid	Process
1700	0xBenz Spoofer.exe
1700	0xBenz Spoofer.exe
1700	0xBenz Spoofer.exe
1700	0xBenz Spoofer.exe
2780	Synaptics.exe
2780	Synaptics.exe
2780	Synaptics.exe
1836	._cache_0xBenz Spoofer.exe
1836	._cache_0xBenz Spoofer.exe
2812	._cache_Synaptics.exe
2812	._cache_Synaptics.exe
2812	._cache_Synaptics.exe
1532	Synaptics.exe
1532	Synaptics.exe
1532	Synaptics.exe
1532	Synaptics.exe
620	._cache_Synaptics.exe
620	._cache_Synaptics.exe
620	._cache_Synaptics.exe
620	._cache_Synaptics.exe
1760	Synaptics.exe
1760	Synaptics.exe
1760	Synaptics.exe
1760	Synaptics.exe
1008	._cache_Synaptics.exe
1008	._cache_Synaptics.exe
1008	._cache_Synaptics.exe
1008	._cache_Synaptics.exe
1788	Synaptics.exe
1788	Synaptics.exe
1788	Synaptics.exe
1788	Synaptics.exe
1452	._cache_Synaptics.exe
1452	._cache_Synaptics.exe
1452	._cache_Synaptics.exe
1452	._cache_Synaptics.exe
1616	Synaptics.exe
1616	Synaptics.exe
1616	Synaptics.exe
1616	Synaptics.exe
2748	._cache_Synaptics.exe
2748	._cache_Synaptics.exe
2748	._cache_Synaptics.exe
2748	._cache_Synaptics.exe
2980	Synaptics.exe
2980	Synaptics.exe
2980	Synaptics.exe
2980	Synaptics.exe
1692	._cache_Synaptics.exe
1692	._cache_Synaptics.exe
1692	._cache_Synaptics.exe
2156	svchost.exe
1692	._cache_Synaptics.exe
348	Synaptics.exe
348	Synaptics.exe
348	Synaptics.exe
348	Synaptics.exe
2732	._cache_Synaptics.exe
2732	._cache_Synaptics.exe
2732	._cache_Synaptics.exe
2732	._cache_Synaptics.exe
2920	Synaptics.exe
2920	Synaptics.exe
2920	Synaptics.exe

Adds Run key to start application 2 TTPs 50 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	._cache_Synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	._cache_Synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	._cache_Synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	._cache_Synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	._cache_Synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	._cache_Synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	._cache_Synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	._cache_Synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	0xBenz Spoofer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	._cache_Synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	._cache_Synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	._cache_Synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	._cache_Synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	._cache_Synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	._cache_Synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	._cache_Synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	._cache_Synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	._cache_Synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	._cache_Synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	._cache_Synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	._cache_Synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	._cache_Synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	._cache_Synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	._cache_Synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	._cache_Synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	._cache_Synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	._cache_Synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	._cache_Synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	._cache_Synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	._cache_Synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	._cache_Synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	._cache_Synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	._cache_Synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	._cache_Synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	._cache_Synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	._cache_Synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	._cache_Synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	._cache_Synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	._cache_Synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	._cache_Synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	._cache_Synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	._cache_Synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	._cache_Synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	._cache_Synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	._cache_Synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	._cache_Synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	._cache_Synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	._cache_Synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	._cache_Synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	._cache_Synaptics.exe

Drops file in Program Files directory 26 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\7-Zip\7zG.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java.exe	svchost.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe	svchost.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	svchost.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe	svchost.exe

Drops file in Windows directory 7 IoCs

description	ioc	Process
File created	C:\Windows\svchost.exe	._cache_._cache_0xBenz Spoofer.exe
File created	C:\Windows\svchost.exe	._cache_._cache_Synaptics.exe
File created	C:\Windows\svchost.exe	._cache_._cache_Synaptics.exe
File created	C:\Windows\svchost.exe	._cache_._cache_Synaptics.exe
File created	C:\Windows\svchost.exe	._cache_._cache_Synaptics.exe
File created	C:\Windows\svchost.exe	._cache_._cache_Synaptics.exe
File created	C:\Windows\svchost.exe	._cache_._cache_Synaptics.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_0xBenz Spoofer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0xBenz Spoofer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe

Enumerates system info in registry 2 TTPs 64 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	._cache_._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	._cache_._cache_Synaptics.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	._cache_._cache_Synaptics.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	._cache_._cache_Synaptics.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	._cache_._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	._cache_._cache_Synaptics.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	._cache_._cache_Synaptics.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	._cache_._cache_Synaptics.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	._cache_._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	._cache_._cache_Synaptics.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	._cache_._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	._cache_._cache_Synaptics.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	._cache_._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	._cache_._cache_Synaptics.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	._cache_._cache_Synaptics.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	._cache_._cache_Synaptics.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	._cache_._cache_Synaptics.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	._cache_._cache_Synaptics.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	._cache_._cache_Synaptics.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	._cache_._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	._cache_._cache_Synaptics.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	._cache_._cache_Synaptics.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	._cache_._cache_Synaptics.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	._cache_._cache_Synaptics.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	._cache_._cache_Synaptics.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	._cache_._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	._cache_._cache_Synaptics.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	._cache_._cache_Synaptics.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	._cache_._cache_Synaptics.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	._cache_._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	._cache_._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	._cache_._cache_Synaptics.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	._cache_._cache_Synaptics.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	._cache_._cache_Synaptics.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	._cache_._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	._cache_._cache_Synaptics.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	._cache_._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	._cache_._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	._cache_._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	._cache_._cache_Synaptics.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	._cache_._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	._cache_._cache_Synaptics.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	._cache_._cache_Synaptics.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	._cache_._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	._cache_._cache_Synaptics.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	._cache_._cache_Synaptics.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	._cache_._cache_Synaptics.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	._cache_._cache_Synaptics.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	._cache_._cache_Synaptics.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	._cache_._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	._cache_._cache_Synaptics.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	._cache_._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	._cache_._cache_Synaptics.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	._cache_._cache_Synaptics.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	._cache_._cache_Synaptics.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	._cache_._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	._cache_._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	._cache_._cache_Synaptics.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	._cache_._cache_Synaptics.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	._cache_._cache_Synaptics.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	._cache_._cache_Synaptics.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	._cache_._cache_Synaptics.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	._cache_._cache_Synaptics.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	._cache_._cache_Synaptics.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	._cache_._cache_Synaptics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	._cache_._cache_Synaptics.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	._cache_._cache_Synaptics.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	._cache_._cache_Synaptics.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	._cache_._cache_Synaptics.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2708	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1836	._cache_0xBenz Spoofer.exe
2812	._cache_Synaptics.exe
2812	._cache_Synaptics.exe
2812	._cache_Synaptics.exe
2812	._cache_Synaptics.exe
2812	._cache_Synaptics.exe
2812	._cache_Synaptics.exe
2812	._cache_Synaptics.exe
2812	._cache_Synaptics.exe
2812	._cache_Synaptics.exe
2812	._cache_Synaptics.exe
2812	._cache_Synaptics.exe
2812	._cache_Synaptics.exe
2812	._cache_Synaptics.exe
2812	._cache_Synaptics.exe
2812	._cache_Synaptics.exe
2812	._cache_Synaptics.exe
620	._cache_Synaptics.exe
620	._cache_Synaptics.exe
620	._cache_Synaptics.exe
620	._cache_Synaptics.exe
620	._cache_Synaptics.exe
620	._cache_Synaptics.exe
620	._cache_Synaptics.exe
620	._cache_Synaptics.exe
620	._cache_Synaptics.exe
620	._cache_Synaptics.exe
620	._cache_Synaptics.exe
620	._cache_Synaptics.exe
620	._cache_Synaptics.exe
620	._cache_Synaptics.exe
620	._cache_Synaptics.exe
620	._cache_Synaptics.exe
620	._cache_Synaptics.exe
620	._cache_Synaptics.exe
620	._cache_Synaptics.exe
620	._cache_Synaptics.exe
620	._cache_Synaptics.exe
620	._cache_Synaptics.exe
620	._cache_Synaptics.exe
620	._cache_Synaptics.exe
620	._cache_Synaptics.exe
620	._cache_Synaptics.exe
620	._cache_Synaptics.exe
620	._cache_Synaptics.exe
620	._cache_Synaptics.exe
620	._cache_Synaptics.exe
620	._cache_Synaptics.exe
620	._cache_Synaptics.exe
620	._cache_Synaptics.exe
620	._cache_Synaptics.exe
620	._cache_Synaptics.exe
620	._cache_Synaptics.exe
1008	._cache_Synaptics.exe
1008	._cache_Synaptics.exe
1008	._cache_Synaptics.exe
1008	._cache_Synaptics.exe
1008	._cache_Synaptics.exe
1008	._cache_Synaptics.exe
1008	._cache_Synaptics.exe
1008	._cache_Synaptics.exe
1008	._cache_Synaptics.exe
1008	._cache_Synaptics.exe
1008	._cache_Synaptics.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeSystemProfilePrivilege	2812	._cache_Synaptics.exe
Token: SeSystemProfilePrivilege	2812	._cache_Synaptics.exe
Token: SeSystemProfilePrivilege	2812	._cache_Synaptics.exe
Token: SeSystemProfilePrivilege	2812	._cache_Synaptics.exe
Token: SeSystemProfilePrivilege	2812	._cache_Synaptics.exe
Token: SeSystemProfilePrivilege	2812	._cache_Synaptics.exe
Token: SeSystemProfilePrivilege	2812	._cache_Synaptics.exe
Token: SeSystemProfilePrivilege	2812	._cache_Synaptics.exe
Token: SeSystemProfilePrivilege	2812	._cache_Synaptics.exe
Token: SeSystemProfilePrivilege	2812	._cache_Synaptics.exe
Token: SeSystemProfilePrivilege	2812	._cache_Synaptics.exe
Token: SeSystemProfilePrivilege	2812	._cache_Synaptics.exe
Token: SeSystemProfilePrivilege	2812	._cache_Synaptics.exe
Token: SeSystemProfilePrivilege	2812	._cache_Synaptics.exe
Token: SeSystemProfilePrivilege	2812	._cache_Synaptics.exe
Token: SeSystemProfilePrivilege	620	._cache_Synaptics.exe
Token: SeSystemProfilePrivilege	620	._cache_Synaptics.exe
Token: SeSystemProfilePrivilege	620	._cache_Synaptics.exe
Token: SeSystemProfilePrivilege	620	._cache_Synaptics.exe
Token: SeSystemProfilePrivilege	620	._cache_Synaptics.exe
Token: SeSystemProfilePrivilege	620	._cache_Synaptics.exe
Token: SeSystemProfilePrivilege	620	._cache_Synaptics.exe
Token: SeSystemProfilePrivilege	620	._cache_Synaptics.exe
Token: SeSystemProfilePrivilege	620	._cache_Synaptics.exe
Token: SeSystemProfilePrivilege	620	._cache_Synaptics.exe
Token: SeSystemProfilePrivilege	620	._cache_Synaptics.exe
Token: SeSystemProfilePrivilege	620	._cache_Synaptics.exe
Token: SeSystemProfilePrivilege	620	._cache_Synaptics.exe
Token: SeSystemProfilePrivilege	620	._cache_Synaptics.exe
Token: SeSystemProfilePrivilege	620	._cache_Synaptics.exe
Token: SeSystemProfilePrivilege	620	._cache_Synaptics.exe
Token: SeSystemProfilePrivilege	620	._cache_Synaptics.exe
Token: SeSystemProfilePrivilege	620	._cache_Synaptics.exe
Token: SeSystemProfilePrivilege	620	._cache_Synaptics.exe
Token: SeSystemProfilePrivilege	620	._cache_Synaptics.exe
Token: SeSystemProfilePrivilege	620	._cache_Synaptics.exe
Token: SeSystemProfilePrivilege	620	._cache_Synaptics.exe
Token: SeSystemProfilePrivilege	620	._cache_Synaptics.exe
Token: SeSystemProfilePrivilege	620	._cache_Synaptics.exe
Token: SeSystemProfilePrivilege	620	._cache_Synaptics.exe
Token: SeSystemProfilePrivilege	620	._cache_Synaptics.exe
Token: SeSystemProfilePrivilege	620	._cache_Synaptics.exe
Token: SeSystemProfilePrivilege	620	._cache_Synaptics.exe
Token: SeSystemProfilePrivilege	620	._cache_Synaptics.exe
Token: SeSystemProfilePrivilege	620	._cache_Synaptics.exe
Token: SeSystemProfilePrivilege	620	._cache_Synaptics.exe
Token: SeSystemProfilePrivilege	620	._cache_Synaptics.exe
Token: SeSystemProfilePrivilege	620	._cache_Synaptics.exe
Token: SeSystemProfilePrivilege	620	._cache_Synaptics.exe
Token: SeSystemProfilePrivilege	620	._cache_Synaptics.exe
Token: SeSystemProfilePrivilege	1008	._cache_Synaptics.exe
Token: SeSystemProfilePrivilege	1008	._cache_Synaptics.exe
Token: SeSystemProfilePrivilege	1008	._cache_Synaptics.exe
Token: SeSystemProfilePrivilege	1008	._cache_Synaptics.exe
Token: SeSystemProfilePrivilege	1008	._cache_Synaptics.exe
Token: SeSystemProfilePrivilege	1008	._cache_Synaptics.exe
Token: SeSystemProfilePrivilege	1008	._cache_Synaptics.exe
Token: SeSystemProfilePrivilege	1008	._cache_Synaptics.exe
Token: SeSystemProfilePrivilege	1008	._cache_Synaptics.exe
Token: SeSystemProfilePrivilege	1008	._cache_Synaptics.exe
Token: SeSystemProfilePrivilege	1008	._cache_Synaptics.exe
Token: SeSystemProfilePrivilege	1008	._cache_Synaptics.exe
Token: SeSystemProfilePrivilege	1008	._cache_Synaptics.exe
Token: SeSystemProfilePrivilege	1008	._cache_Synaptics.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2708	EXCEL.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1700 wrote to memory of 1836	1700	0xBenz Spoofer.exe	30
PID 1700 wrote to memory of 1836	1700	0xBenz Spoofer.exe	30
PID 1700 wrote to memory of 1836	1700	0xBenz Spoofer.exe	30
PID 1700 wrote to memory of 1836	1700	0xBenz Spoofer.exe	30
PID 1700 wrote to memory of 2780	1700	0xBenz Spoofer.exe	82
PID 1700 wrote to memory of 2780	1700	0xBenz Spoofer.exe	82
PID 1700 wrote to memory of 2780	1700	0xBenz Spoofer.exe	82
PID 1700 wrote to memory of 2780	1700	0xBenz Spoofer.exe	82
PID 2780 wrote to memory of 2812	2780	Synaptics.exe	32
PID 2780 wrote to memory of 2812	2780	Synaptics.exe	32
PID 2780 wrote to memory of 2812	2780	Synaptics.exe	32
PID 2780 wrote to memory of 2812	2780	Synaptics.exe	32
PID 1836 wrote to memory of 2912	1836	._cache_0xBenz Spoofer.exe	34
PID 1836 wrote to memory of 2912	1836	._cache_0xBenz Spoofer.exe	34
PID 1836 wrote to memory of 2912	1836	._cache_0xBenz Spoofer.exe	34
PID 1836 wrote to memory of 2912	1836	._cache_0xBenz Spoofer.exe	34
PID 2912 wrote to memory of 2260	2912	._cache_._cache_0xBenz Spoofer.exe	93
PID 2912 wrote to memory of 2260	2912	._cache_._cache_0xBenz Spoofer.exe	93
PID 2912 wrote to memory of 2260	2912	._cache_._cache_0xBenz Spoofer.exe	93
PID 2912 wrote to memory of 2260	2912	._cache_._cache_0xBenz Spoofer.exe	93
PID 2812 wrote to memory of 2228	2812	._cache_Synaptics.exe	36
PID 2812 wrote to memory of 2228	2812	._cache_Synaptics.exe	36
PID 2812 wrote to memory of 2228	2812	._cache_Synaptics.exe	36
PID 2812 wrote to memory of 2228	2812	._cache_Synaptics.exe	36
PID 2228 wrote to memory of 2432	2228	._cache_._cache_Synaptics.exe	37
PID 2228 wrote to memory of 2432	2228	._cache_._cache_Synaptics.exe	37
PID 2228 wrote to memory of 2432	2228	._cache_._cache_Synaptics.exe	37
PID 2228 wrote to memory of 2432	2228	._cache_._cache_Synaptics.exe	37
PID 2812 wrote to memory of 1532	2812	._cache_Synaptics.exe	38
PID 2812 wrote to memory of 1532	2812	._cache_Synaptics.exe	38
PID 2812 wrote to memory of 1532	2812	._cache_Synaptics.exe	38
PID 2812 wrote to memory of 1532	2812	._cache_Synaptics.exe	38
PID 1532 wrote to memory of 620	1532	Synaptics.exe	40
PID 1532 wrote to memory of 620	1532	Synaptics.exe	40
PID 1532 wrote to memory of 620	1532	Synaptics.exe	40
PID 1532 wrote to memory of 620	1532	Synaptics.exe	40
PID 620 wrote to memory of 2732	620	._cache_Synaptics.exe	89
PID 620 wrote to memory of 2732	620	._cache_Synaptics.exe	89
PID 620 wrote to memory of 2732	620	._cache_Synaptics.exe	89
PID 620 wrote to memory of 2732	620	._cache_Synaptics.exe	89
PID 2732 wrote to memory of 2012	2732	._cache_._cache_Synaptics.exe	43
PID 2732 wrote to memory of 2012	2732	._cache_._cache_Synaptics.exe	43
PID 2732 wrote to memory of 2012	2732	._cache_._cache_Synaptics.exe	43
PID 2732 wrote to memory of 2012	2732	._cache_._cache_Synaptics.exe	43
PID 620 wrote to memory of 1760	620	._cache_Synaptics.exe	44
PID 620 wrote to memory of 1760	620	._cache_Synaptics.exe	44
PID 620 wrote to memory of 1760	620	._cache_Synaptics.exe	44
PID 620 wrote to memory of 1760	620	._cache_Synaptics.exe	44
PID 1760 wrote to memory of 1008	1760	Synaptics.exe	45
PID 1760 wrote to memory of 1008	1760	Synaptics.exe	45
PID 1760 wrote to memory of 1008	1760	Synaptics.exe	45
PID 1760 wrote to memory of 1008	1760	Synaptics.exe	45
PID 1008 wrote to memory of 556	1008	._cache_Synaptics.exe	46
PID 1008 wrote to memory of 556	1008	._cache_Synaptics.exe	46
PID 1008 wrote to memory of 556	1008	._cache_Synaptics.exe	46
PID 1008 wrote to memory of 556	1008	._cache_Synaptics.exe	46
PID 556 wrote to memory of 2308	556	._cache_._cache_Synaptics.exe	47
PID 556 wrote to memory of 2308	556	._cache_._cache_Synaptics.exe	47
PID 556 wrote to memory of 2308	556	._cache_._cache_Synaptics.exe	47
PID 556 wrote to memory of 2308	556	._cache_._cache_Synaptics.exe	47
PID 1008 wrote to memory of 1788	1008	._cache_Synaptics.exe	48
PID 1008 wrote to memory of 1788	1008	._cache_Synaptics.exe	48
PID 1008 wrote to memory of 1788	1008	._cache_Synaptics.exe	48
PID 1008 wrote to memory of 1788	1008	._cache_Synaptics.exe	48

C:\Users\Admin\AppData\Local\Temp\0xBenz Spoofer.exe
"C:\Users\Admin\AppData\Local\Temp\0xBenz Spoofer.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1700
- C:\Users\Admin\AppData\Local\Temp\._cache_0xBenz Spoofer.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_0xBenz Spoofer.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1836
- - C:\Users\Admin\AppData\Local\Temp\._cache_._cache_0xBenz Spoofer.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_._cache_0xBenz Spoofer.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID:2912
  - - C:\Windows\svchost.exe
      "C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\._cache_._cache_0xBenz Spoofer.exe"
      4⤵
      Executes dropped EXE
      PID:2260
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2780
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2812
  - - C:\Users\Admin\AppData\Local\Temp\._cache_._cache_Synaptics.exe
      "C:\Users\Admin\AppData\Local\Temp\._cache_._cache_Synaptics.exe" InjUpdate
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of WriteProcessMemory
      PID:2228
    - - C:\Windows\svchost.exe
        
        "C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\._cache_._cache_Synaptics.exe" InjUpdate
        5⤵
        Executes dropped EXE
        
        PID:2432
  - - C:\ProgramData\Synaptics\Synaptics.exe
      "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1532
    - - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:620
      - C:\Users\Admin\AppData\Local\Temp\._cache_._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_._cache_Synaptics.exe" InjUpdate
        6⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2732
        
        C:\Windows\svchost.exe
        
        "C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\._cache_._cache_Synaptics.exe" InjUpdate
        7⤵
        Executes dropped EXE
        
        PID:2012
      - C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1760
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1008
        
        C:\Users\Admin\AppData\Local\Temp\._cache_._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_._cache_Synaptics.exe" InjUpdate
        8⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:556
        
        C:\Windows\svchost.exe
        
        "C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\._cache_._cache_Synaptics.exe" InjUpdate
        9⤵
        Executes dropped EXE
        
        PID:2308
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1788
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1452
        
        C:\Users\Admin\AppData\Local\Temp\._cache_._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_._cache_Synaptics.exe" InjUpdate
        10⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1888
        
        C:\Windows\svchost.exe
        
        "C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\._cache_._cache_Synaptics.exe" InjUpdate
        11⤵
        Executes dropped EXE
        
        PID:2072
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1616
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2748
        
        C:\Users\Admin\AppData\Local\Temp\._cache_._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_._cache_Synaptics.exe" InjUpdate
        12⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2988
        
        C:\Windows\svchost.exe
        
        "C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\._cache_._cache_Synaptics.exe" InjUpdate
        13⤵
        Executes dropped EXE
        
        PID:1060
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2980
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        
        PID:1692
        
        C:\Users\Admin\AppData\Local\Temp\._cache_._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_._cache_Synaptics.exe" InjUpdate
        14⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1704
        
        C:\Windows\svchost.exe
        
        "C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\._cache_._cache_Synaptics.exe" InjUpdate
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2156
        
        C:\Users\Admin\AppData\Local\Temp\._cache_._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_._cache_Synaptics.exe" InjUpdate
        16⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Enumerates system info in registry
        
        PID:880
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:348
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2732
        
        C:\Users\Admin\AppData\Local\Temp\._cache_._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_._cache_Synaptics.exe" InjUpdate
        16⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Enumerates system info in registry
        
        PID:2764
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2920
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        17⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:400
        
        C:\Users\Admin\AppData\Local\Temp\._cache_._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_._cache_Synaptics.exe" InjUpdate
        18⤵
        Executes dropped EXE
        Enumerates system info in registry
        
        PID:2556
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        18⤵
        Executes dropped EXE
        
        PID:2004
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        19⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1452
        
        C:\Users\Admin\AppData\Local\Temp\._cache_._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_._cache_Synaptics.exe" InjUpdate
        20⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Enumerates system info in registry
        
        PID:1152
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        20⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1824
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        21⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:992
        
        C:\Users\Admin\AppData\Local\Temp\._cache_._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_._cache_Synaptics.exe" InjUpdate
        22⤵
        Executes dropped EXE
        Enumerates system info in registry
        
        PID:2200
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        22⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2116
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        23⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2944
        
        C:\Users\Admin\AppData\Local\Temp\._cache_._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_._cache_Synaptics.exe" InjUpdate
        24⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Enumerates system info in registry
        
        PID:2952
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        24⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2664
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        25⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:348
        
        C:\Users\Admin\AppData\Local\Temp\._cache_._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_._cache_Synaptics.exe" InjUpdate
        26⤵
        Executes dropped EXE
        Enumerates system info in registry
        
        PID:2408
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        26⤵
        Executes dropped EXE
        
        PID:748
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        27⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1676
        
        C:\Users\Admin\AppData\Local\Temp\._cache_._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_._cache_Synaptics.exe" InjUpdate
        28⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Enumerates system info in registry
        
        PID:2568
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        28⤵
        Executes dropped EXE
        
        PID:2780
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        29⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1556
        
        C:\Users\Admin\AppData\Local\Temp\._cache_._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_._cache_Synaptics.exe" InjUpdate
        30⤵
        Executes dropped EXE
        Enumerates system info in registry
        
        PID:2216
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        30⤵
        Executes dropped EXE
        
        PID:856
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        31⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2676
        
        C:\Users\Admin\AppData\Local\Temp\._cache_._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_._cache_Synaptics.exe" InjUpdate
        32⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Enumerates system info in registry
        Modifies system certificate store
        
        PID:2888
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        32⤵
        Executes dropped EXE
        
        PID:2388
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        33⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2732
        
        C:\Users\Admin\AppData\Local\Temp\._cache_._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_._cache_Synaptics.exe" InjUpdate
        34⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Enumerates system info in registry
        
        PID:2128
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        34⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:916
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        35⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2636
        
        C:\Users\Admin\AppData\Local\Temp\._cache_._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_._cache_Synaptics.exe" InjUpdate
        36⤵
        Executes dropped EXE
        Enumerates system info in registry
        
        PID:2260
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        36⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:296
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        37⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2656
        
        C:\Users\Admin\AppData\Local\Temp\._cache_._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_._cache_Synaptics.exe" InjUpdate
        38⤵
        
        PID:2672
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        38⤵
        
        PID:2344
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        39⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:920
        
        C:\Users\Admin\AppData\Local\Temp\._cache_._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_._cache_Synaptics.exe" InjUpdate
        40⤵
        System Location Discovery: System Language Discovery
        Enumerates system info in registry
        
        PID:2852
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        40⤵
        
        PID:2324
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        41⤵
        Adds Run key to start application
        
        PID:2652
        
        C:\Users\Admin\AppData\Local\Temp\._cache_._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_._cache_Synaptics.exe" InjUpdate
        42⤵
        Enumerates system info in registry
        
        PID:1260
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        42⤵
        
        PID:1248
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        43⤵
        Adds Run key to start application
        
        PID:796
        
        C:\Users\Admin\AppData\Local\Temp\._cache_._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_._cache_Synaptics.exe" InjUpdate
        44⤵
        System Location Discovery: System Language Discovery
        Enumerates system info in registry
        
        PID:1756
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        44⤵
        
        PID:2088
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        45⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2968
        
        C:\Users\Admin\AppData\Local\Temp\._cache_._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_._cache_Synaptics.exe" InjUpdate
        46⤵
        Enumerates system info in registry
        
        PID:272
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        46⤵
        System Location Discovery: System Language Discovery
        
        PID:348
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        47⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:756
        
        C:\Users\Admin\AppData\Local\Temp\._cache_._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_._cache_Synaptics.exe" InjUpdate
        48⤵
        Enumerates system info in registry
        
        PID:1556
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        48⤵
        
        PID:1692
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        49⤵
        Adds Run key to start application
        
        PID:2132
        
        C:\Users\Admin\AppData\Local\Temp\._cache_._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_._cache_Synaptics.exe" InjUpdate
        50⤵
        System Location Discovery: System Language Discovery
        Enumerates system info in registry
        
        PID:2652
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        50⤵
        System Location Discovery: System Language Discovery
        
        PID:1412
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        51⤵
        Adds Run key to start application
        
        PID:2876
        
        C:\Users\Admin\AppData\Local\Temp\._cache_._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_._cache_Synaptics.exe" InjUpdate
        52⤵
        Enumerates system info in registry
        
        PID:1804
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        52⤵
        
        PID:1632
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        53⤵
        Adds Run key to start application
        
        PID:2552
        
        C:\Users\Admin\AppData\Local\Temp\._cache_._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_._cache_Synaptics.exe" InjUpdate
        54⤵
        Enumerates system info in registry
        
        PID:2824
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        54⤵
        
        PID:2228
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        55⤵
        Adds Run key to start application
        
        PID:1304
        
        C:\Users\Admin\AppData\Local\Temp\._cache_._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_._cache_Synaptics.exe" InjUpdate
        56⤵
        System Location Discovery: System Language Discovery
        
        PID:2364
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        56⤵
        
        PID:2916
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        57⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:308
        
        C:\Users\Admin\AppData\Local\Temp\._cache_._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_._cache_Synaptics.exe" InjUpdate
        58⤵
        System Location Discovery: System Language Discovery
        Enumerates system info in registry
        
        PID:2788
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        58⤵
        
        PID:748
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        59⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2000
        
        C:\Users\Admin\AppData\Local\Temp\._cache_._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_._cache_Synaptics.exe" InjUpdate
        60⤵
        System Location Discovery: System Language Discovery
        Enumerates system info in registry
        
        PID:1472
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        60⤵
        
        PID:2640
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        61⤵
        Adds Run key to start application
        
        PID:2180
        
        C:\Users\Admin\AppData\Local\Temp\._cache_._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_._cache_Synaptics.exe" InjUpdate
        62⤵
        System Location Discovery: System Language Discovery
        
        PID:2332
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        62⤵
        System Location Discovery: System Language Discovery
        
        PID:1904
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        63⤵
        Adds Run key to start application
        
        PID:1416
        
        C:\Users\Admin\AppData\Local\Temp\._cache_._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_._cache_Synaptics.exe" InjUpdate
        64⤵
        Enumerates system info in registry
        
        PID:2980
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        64⤵
        
        PID:1632
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        65⤵
        Adds Run key to start application
        
        PID:2460
        
        C:\Users\Admin\AppData\Local\Temp\._cache_._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_._cache_Synaptics.exe" InjUpdate
        66⤵
        Enumerates system info in registry
        
        PID:2960
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        66⤵
        
        PID:2132
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        67⤵
        Adds Run key to start application
        
        PID:2456
        
        C:\Users\Admin\AppData\Local\Temp\._cache_._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_._cache_Synaptics.exe" InjUpdate
        68⤵
        System Location Discovery: System Language Discovery
        
        PID:2948
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        68⤵
        
        PID:1304
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        69⤵
        Adds Run key to start application
        
        PID:2116
        
        C:\Users\Admin\AppData\Local\Temp\._cache_._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_._cache_Synaptics.exe" InjUpdate
        70⤵
        System Location Discovery: System Language Discovery
        
        PID:2540
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        70⤵
        
        PID:996
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        71⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2268
        
        C:\Users\Admin\AppData\Local\Temp\._cache_._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_._cache_Synaptics.exe" InjUpdate
        72⤵
        Enumerates system info in registry
        
        PID:2896
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        72⤵
        System Location Discovery: System Language Discovery
        
        PID:2460
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        73⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2224
        
        C:\Users\Admin\AppData\Local\Temp\._cache_._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_._cache_Synaptics.exe" InjUpdate
        74⤵
        System Location Discovery: System Language Discovery
        Enumerates system info in registry
        
        PID:2204
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        74⤵
        System Location Discovery: System Language Discovery
        
        PID:1824
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        75⤵
        Adds Run key to start application
        
        PID:1008
        
        C:\Users\Admin\AppData\Local\Temp\._cache_._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_._cache_Synaptics.exe" InjUpdate
        76⤵
        Enumerates system info in registry
        
        PID:2976
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        76⤵
        
        PID:2248
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        77⤵
        Adds Run key to start application
        
        PID:2772
        
        C:\Users\Admin\AppData\Local\Temp\._cache_._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_._cache_Synaptics.exe" InjUpdate
        78⤵
        System Location Discovery: System Language Discovery
        Enumerates system info in registry
        
        PID:1824
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        78⤵
        
        PID:1404
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        79⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3064
        
        C:\Users\Admin\AppData\Local\Temp\._cache_._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_._cache_Synaptics.exe" InjUpdate
        80⤵
        Enumerates system info in registry
        
        PID:1468
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        80⤵
        System Location Discovery: System Language Discovery
        
        PID:2796
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        81⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2956
        
        C:\Users\Admin\AppData\Local\Temp\._cache_._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_._cache_Synaptics.exe" InjUpdate
        82⤵
        Enumerates system info in registry
        
        PID:1644
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        82⤵
        System Location Discovery: System Language Discovery
        
        PID:2160
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        83⤵
        Adds Run key to start application
        
        PID:2792
        
        C:\Users\Admin\AppData\Local\Temp\._cache_._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_._cache_Synaptics.exe" InjUpdate
        84⤵
        System Location Discovery: System Language Discovery
        Enumerates system info in registry
        
        PID:2080
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        84⤵
        
        PID:1632
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        85⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3040
        
        C:\Users\Admin\AppData\Local\Temp\._cache_._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_._cache_Synaptics.exe" InjUpdate
        86⤵
        Enumerates system info in registry
        
        PID:1536
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        86⤵
        System Location Discovery: System Language Discovery
        
        PID:2096
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        87⤵
        Adds Run key to start application
        
        PID:2324
        
        C:\Users\Admin\AppData\Local\Temp\._cache_._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_._cache_Synaptics.exe" InjUpdate
        88⤵
        System Location Discovery: System Language Discovery
        
        PID:2592
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        88⤵
        
        PID:2388
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        89⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2248
        
        C:\Users\Admin\AppData\Local\Temp\._cache_._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_._cache_Synaptics.exe" InjUpdate
        90⤵
        Enumerates system info in registry
        
        PID:1272
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        90⤵
        
        PID:1680
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        91⤵
        Adds Run key to start application
        
        PID:1184
        
        C:\Users\Admin\AppData\Local\Temp\._cache_._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_._cache_Synaptics.exe" InjUpdate
        92⤵
        Enumerates system info in registry
        
        PID:2704
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        92⤵
        
        PID:2256
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        93⤵
        Adds Run key to start application
        
        PID:1840
        
        C:\Users\Admin\AppData\Local\Temp\._cache_._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_._cache_Synaptics.exe" InjUpdate
        94⤵
        System Location Discovery: System Language Discovery
        Enumerates system info in registry
        
        PID:3040
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        94⤵
        
        PID:2304
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        95⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2348
        
        C:\Users\Admin\AppData\Local\Temp\._cache_._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_._cache_Synaptics.exe" InjUpdate
        96⤵
        Enumerates system info in registry
        
        PID:2116
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        96⤵
        
        PID:2724
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        97⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1716
        
        C:\Users\Admin\AppData\Local\Temp\._cache_._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_._cache_Synaptics.exe" InjUpdate
        98⤵
        Enumerates system info in registry
        
        PID:2580
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        98⤵
        
        PID:2848
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        99⤵
        Adds Run key to start application
        
        PID:3008
        
        C:\Users\Admin\AppData\Local\Temp\._cache_._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_._cache_Synaptics.exe" InjUpdate
        100⤵
        System Location Discovery: System Language Discovery
        Enumerates system info in registry
        
        PID:1900
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        100⤵
        
        PID:2388
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        101⤵
        
        PID:2624

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2708

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:1656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
12.2MB

MD5
0a90d26fed44e0adc47a981f1bbb4be9

SHA1
51d5d7e5286cf8ebbd0bf995902e9c07cf5b9bdc

SHA256
57595f8217e40c3b92cabb2acba08e241f80e432551f5a5f09cb965b9d1361e2

SHA512
26cdcf12fdcfc23175b9fad8af4ea5334cf44fcb101401ed911a148d9920743cf443aadd8550bd1c21e049fa8b633f7b631444bef69c6928a00d9864fb057a37

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c7e3b4d1f3b0a056b68346ac1d8937ce

SHA1
8321b04d5cbff2595f8254820646184a0fd20ca7

SHA256
189ebb7868cdf2c61eab089f0ec4cfe96b136a397c1c94c4898459d928dbec0e

SHA512
fb809ae5082e0dd9506c70ddb7f41e1db5c4bf078daee0d96dd5983747e9454bd26d12b51c977e43aeb313facdc99fb50f31e78b8e2505e38e59924cb18c0e05

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_._cache_0xBenz Spoofer.exe

Filesize
2.5MB

MD5
031e75678a57af86dd67875425327c0e

SHA1
71b97ea5712912b52a79fce5d2c53650027107bc

SHA256
477d36ae2c56c912813e69b4feb69026f40562a57b85c844b7393852ccedb81d

SHA512
5a1517854857b770d94e25ba51ada692a22f3e6b713e98a81e5efb01808d1e52a3934c2243e8ba5b954207e16b44dacd27aeb8b097e84299ea6ad1468a9b37e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_0xBenz Spoofer.exe

Filesize
11.4MB

MD5
1b5d0bbd718b6391d1d7b4805e11069f

SHA1
f9c925f20bb0ac4ef0c0b11cbd954f5a06e155de

SHA256
53b609b79d22f11772f228292e34f0e820d00ddbff25e5361ccd58efb8df06fc

SHA512
9a5f1fde7aaf35075a74b01b6aa174789eba4812d0e0df745e5741689a6180ed9bc77b5b9acc99aaa93548ae1a04464fb5886d25698704c754865e4676294b2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab625D.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar634A.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\d4GpBQ8m.xlsm

Filesize
25KB

MD5
bf8480b6151aa8e04af2701c0aaff19d

SHA1
d3bad66919edd87f34c23d7973875cf0a360f019

SHA256
517ee9ef4d37af6eba86da497d9189b280d55c441b2c968a8a79258c9f237ea9

SHA512
8ea8cffc4c19bfdc9e281a96dcd0b29b3aaa6cd6b9ec8cb29994e18f43a8ff362894733bba35704177d47ff3bbaed96e4ff2746c5b3b9c4bbdc1193cf48dcdcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\d4GpBQ8m.xlsm

Filesize
26KB

MD5
7e0ef9bbc400b1b1dca91326e121f238

SHA1
3f6d1693aba8c57b3c7ea647dcac24e1458e7b36

SHA256
2260bede758022a7e61ba2af4551c413f930fcd5d09bab146ab90a67f294e2e5

SHA512
a9808455c90bad318ec45396648d2bfc7bb4fa114fef53c00d5687069891ff886fad6f76115b6ec1ca88738398c5f165b47f61d172b70689114b1f84316ff052

Download Submit
C:\Users\Admin\AppData\Local\Temp\d4GpBQ8m.xlsm

Filesize
28KB

MD5
0a32ea5e7aa6549db164a290268956ca

SHA1
b2d9ad5effbfdb5989d0fe7ffccad4226e073e4d

SHA256
97c38ffb9fef547599c7540f3e6f9c74494981a1bc1e255d7d898cb58f0a7cbd

SHA512
46fc7d5285d047273683bd4266934779a3cd11254cc5dd4456746ae8b4b544067fd91f6c29cf00f283bae96f1ce9a36ac2cc1bde1e7dd21d5615f857416cf3dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\d4GpBQ8m.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Windows\svchost.exe

Filesize
35KB

MD5
9e3c13b6556d5636b745d3e466d47467

SHA1
2ac1c19e268c49bc508f83fe3d20f495deb3e538

SHA256
20af03add533a6870d524a7c4753b42bfceb56cddd46016c051e23581ba743f8

SHA512
5a07ba8a7fcb15f64b129fada2621252b8bc37eb34d4f614c075c064f8ac0d367301eba0c32c5e28b8aa633f6ab604f0dfcc363b34734ce0207ef0d4e8817c4b

Download Submit
memory/880-455-0x0000000005520000-0x0000000005926000-memory.dmp

Filesize
4.0MB

Download
memory/880-454-0x0000000005310000-0x0000000005524000-memory.dmp

Filesize
2.1MB

Download
memory/880-453-0x0000000000020000-0x0000000000290000-memory.dmp

Filesize
2.4MB

Download
memory/1700-0-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1700-27-0x0000000000400000-0x0000000001035000-memory.dmp

Filesize
12.2MB

Download
memory/1836-54-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1836-62-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1836-52-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1836-50-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1836-49-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1836-47-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1836-45-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1836-57-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1836-59-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1836-55-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1836-79-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/1836-64-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1836-67-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/1836-80-0x0000000000400000-0x00000000017BE000-memory.dmp

Filesize
19.7MB

Download
memory/1836-69-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/1836-72-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/1836-74-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/1836-77-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/2708-43-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2912-110-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download