agenttesla | 871cb8ec41387d172ee2f7c67c771b12a2d764617afe9a2820f9766623d67113

Analysis

max time kernel
141s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
31/08/2024, 19:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0xBenz Spoofer.exe
Size

12.2MB
MD5

0a90d26fed44e0adc47a981f1bbb4be9
SHA1

51d5d7e5286cf8ebbd0bf995902e9c07cf5b9bdc
SHA256

57595f8217e40c3b92cabb2acba08e241f80e432551f5a5f09cb965b9d1361e2
SHA512

26cdcf12fdcfc23175b9fad8af4ea5334cf44fcb101401ed911a148d9920743cf443aadd8550bd1c21e049fa8b633f7b631444bef69c6928a00d9864fb057a37
SSDEEP

393216:7bhpZbRK0u3ezsWHYM2G1WKWLRTqAPLKEem2:fh7w0u3eA020+Rl+

Score

10^/10

agenttesla discovery keylogger macro persistence spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla payload 1 IoCs

resource	yara_rule
behavioral2/memory/552-445-0x00000000057C0000-0x00000000059D4000-memory.dmp	family_agenttesla

Suspicious Office macro 2 IoCs

Office document equipped with macros.

macro

resource
behavioral2/files/0x00090000000234a8-509.dat
behavioral2/files/0x000200000001e7a3-650.dat

Checks computer location settings 2 TTPs 51 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	Synaptics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	Synaptics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	._cache_Synaptics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	Synaptics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	Synaptics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	._cache_Synaptics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	._cache_Synaptics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	Synaptics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	._cache_Synaptics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	Synaptics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	._cache_Synaptics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	Synaptics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	Synaptics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	._cache_Synaptics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	Synaptics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	._cache_Synaptics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	._cache_Synaptics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	Synaptics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	Synaptics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	Synaptics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	Synaptics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	._cache_Synaptics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	._cache_Synaptics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	Synaptics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	._cache_Synaptics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	._cache_Synaptics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	._cache_Synaptics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	Synaptics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	._cache_Synaptics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	0xBenz Spoofer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	Synaptics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	Synaptics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	Synaptics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	Synaptics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	._cache_Synaptics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	Synaptics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	Synaptics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	._cache_0xBenz Spoofer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	._cache_Synaptics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	._cache_Synaptics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	._cache_Synaptics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	._cache_Synaptics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	Synaptics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	._cache_Synaptics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	._cache_Synaptics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	._cache_Synaptics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	Synaptics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	Synaptics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	Synaptics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	._cache_Synaptics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	._cache_Synaptics.exe

Executes dropped EXE 64 IoCs

pid	Process
2984	._cache_0xBenz Spoofer.exe
4988	Synaptics.exe
2484	._cache_Synaptics.exe
4332	._cache_._cache_0xBenz Spoofer.exe
1344	svchost.exe
552	._cache_._cache_0xBenz Spoofer.exe
3332	svchost.exe
3548	._cache_._cache_Synaptics.exe
4552	svchost.exe
536	._cache_._cache_Synaptics.exe
1448	Synaptics.exe
4316	._cache_Synaptics.exe
4552	._cache_._cache_Synaptics.exe
2248	Synaptics.exe
2660	._cache_Synaptics.exe
4440	._cache_._cache_Synaptics.exe
1376	Synaptics.exe
1288	._cache_Synaptics.exe
2484	._cache_._cache_Synaptics.exe
2596	Synaptics.exe
2956	._cache_Synaptics.exe
3800	._cache_._cache_Synaptics.exe
1840	Synaptics.exe
1376	._cache_Synaptics.exe
1628	._cache_._cache_Synaptics.exe
1008	Synaptics.exe
1192	._cache_Synaptics.exe
3228	._cache_._cache_Synaptics.exe
3164	Synaptics.exe
1152	._cache_Synaptics.exe
4632	._cache_._cache_Synaptics.exe
1136	Synaptics.exe
564	._cache_Synaptics.exe
1496	._cache_._cache_Synaptics.exe
1400	Synaptics.exe
3376	._cache_Synaptics.exe
4964	._cache_._cache_Synaptics.exe
5112	Synaptics.exe
1336	._cache_Synaptics.exe
220	._cache_._cache_Synaptics.exe
4448	Synaptics.exe
3876	._cache_Synaptics.exe
4276	._cache_._cache_Synaptics.exe
1128	Synaptics.exe
216	._cache_Synaptics.exe
4988	._cache_._cache_Synaptics.exe
5004	Synaptics.exe
4768	._cache_Synaptics.exe
2984	._cache_._cache_Synaptics.exe
3096	Synaptics.exe
1092	._cache_Synaptics.exe
4612	._cache_._cache_Synaptics.exe
2508	Synaptics.exe
860	._cache_Synaptics.exe
1028	._cache_._cache_Synaptics.exe
1796	Synaptics.exe
3576	._cache_Synaptics.exe
4868	._cache_._cache_Synaptics.exe
4532	Synaptics.exe
912	._cache_Synaptics.exe
464	._cache_._cache_Synaptics.exe
4256	Synaptics.exe
3608	._cache_Synaptics.exe
1284	._cache_._cache_Synaptics.exe

Loads dropped DLL 64 IoCs

pid	Process
1448	Synaptics.exe
1448	Synaptics.exe
4316	._cache_Synaptics.exe
4316	._cache_Synaptics.exe
2248	Synaptics.exe
2248	Synaptics.exe
2660	._cache_Synaptics.exe
2660	._cache_Synaptics.exe
1376	Synaptics.exe
1376	Synaptics.exe
1288	._cache_Synaptics.exe
1288	._cache_Synaptics.exe
2596	Synaptics.exe
2596	Synaptics.exe
2956	._cache_Synaptics.exe
2956	._cache_Synaptics.exe
1840	Synaptics.exe
1840	Synaptics.exe
1376	._cache_Synaptics.exe
1376	._cache_Synaptics.exe
1008	Synaptics.exe
1008	Synaptics.exe
1192	._cache_Synaptics.exe
1192	._cache_Synaptics.exe
3164	Synaptics.exe
3164	Synaptics.exe
1152	._cache_Synaptics.exe
1152	._cache_Synaptics.exe
1136	Synaptics.exe
1136	Synaptics.exe
564	._cache_Synaptics.exe
564	._cache_Synaptics.exe
1400	Synaptics.exe
1400	Synaptics.exe
3376	._cache_Synaptics.exe
3376	._cache_Synaptics.exe
5112	Synaptics.exe
5112	Synaptics.exe
1336	._cache_Synaptics.exe
1336	._cache_Synaptics.exe
4448	Synaptics.exe
4448	Synaptics.exe
3876	._cache_Synaptics.exe
3876	._cache_Synaptics.exe
1128	Synaptics.exe
1128	Synaptics.exe
216	._cache_Synaptics.exe
216	._cache_Synaptics.exe
5004	Synaptics.exe
5004	Synaptics.exe
4768	._cache_Synaptics.exe
4768	._cache_Synaptics.exe
3096	Synaptics.exe
3096	Synaptics.exe
1092	._cache_Synaptics.exe
1092	._cache_Synaptics.exe
2508	Synaptics.exe
2508	Synaptics.exe
860	._cache_Synaptics.exe
860	._cache_Synaptics.exe
1796	Synaptics.exe
1796	Synaptics.exe
3576	._cache_Synaptics.exe
3576	._cache_Synaptics.exe

Adds Run key to start application 2 TTPs 25 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	._cache_Synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	._cache_Synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	._cache_Synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	._cache_Synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	._cache_Synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	._cache_Synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	._cache_Synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	._cache_Synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	._cache_Synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	._cache_Synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	._cache_Synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	._cache_Synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	._cache_Synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	._cache_Synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	0xBenz Spoofer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	._cache_Synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	._cache_Synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	._cache_Synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	._cache_Synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	._cache_Synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	._cache_Synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	._cache_Synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	._cache_Synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	._cache_Synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	._cache_Synaptics.exe

Drops file in Program Files directory 38 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\createdump.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	svchost.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	svchost.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\createdump.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	svchost.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\createdump.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	svchost.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	svchost.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	svchost.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe	svchost.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	svchost.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\svchost.exe	._cache_._cache_0xBenz Spoofer.exe
File created	C:\Windows\svchost.exe	._cache_._cache_Synaptics.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0xBenz Spoofer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_._cache_0xBenz Spoofer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_._cache_0xBenz Spoofer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe

Checks processor information in registry 2 TTPs 12 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE

Enumerates system info in registry 2 TTPs 64 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	._cache_._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	._cache_._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	._cache_._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	._cache_._cache_Synaptics.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	._cache_._cache_Synaptics.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	._cache_._cache_0xBenz Spoofer.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	._cache_._cache_Synaptics.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	._cache_._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	._cache_._cache_Synaptics.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	._cache_._cache_Synaptics.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	._cache_._cache_Synaptics.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	._cache_._cache_Synaptics.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	._cache_._cache_Synaptics.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	._cache_._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	._cache_._cache_Synaptics.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	._cache_._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	._cache_._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	._cache_._cache_Synaptics.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	._cache_._cache_Synaptics.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	._cache_._cache_Synaptics.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	._cache_._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	._cache_._cache_Synaptics.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	._cache_._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	._cache_._cache_Synaptics.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	._cache_._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	._cache_._cache_Synaptics.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	._cache_._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	._cache_._cache_Synaptics.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	._cache_._cache_Synaptics.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	._cache_._cache_0xBenz Spoofer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	._cache_._cache_Synaptics.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	._cache_._cache_Synaptics.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	._cache_._cache_Synaptics.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	._cache_._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	._cache_._cache_Synaptics.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	._cache_._cache_Synaptics.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	._cache_._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	._cache_._cache_Synaptics.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	._cache_._cache_Synaptics.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	._cache_._cache_Synaptics.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	._cache_._cache_Synaptics.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	._cache_._cache_Synaptics.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	._cache_._cache_Synaptics.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	._cache_._cache_Synaptics.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	._cache_._cache_Synaptics.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	._cache_._cache_Synaptics.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	._cache_._cache_Synaptics.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	._cache_._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	._cache_._cache_0xBenz Spoofer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	._cache_._cache_Synaptics.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	._cache_._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	._cache_._cache_Synaptics.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	._cache_._cache_Synaptics.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	._cache_._cache_Synaptics.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	._cache_._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	._cache_._cache_Synaptics.exe

Modifies registry class 51 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	._cache_0xBenz Spoofer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	._cache_Synaptics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	._cache_Synaptics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	._cache_Synaptics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	._cache_Synaptics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	._cache_Synaptics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	._cache_Synaptics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	._cache_Synaptics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	._cache_Synaptics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	._cache_Synaptics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	0xBenz Spoofer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	._cache_Synaptics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	._cache_Synaptics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	._cache_Synaptics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	._cache_Synaptics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	._cache_Synaptics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	._cache_Synaptics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	._cache_Synaptics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	._cache_Synaptics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	._cache_Synaptics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	._cache_Synaptics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	._cache_Synaptics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	._cache_Synaptics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	._cache_Synaptics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	._cache_Synaptics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	._cache_Synaptics.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
664	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2984	._cache_0xBenz Spoofer.exe
2984	._cache_0xBenz Spoofer.exe
2484	._cache_Synaptics.exe
2484	._cache_Synaptics.exe
2484	._cache_Synaptics.exe
2484	._cache_Synaptics.exe
2484	._cache_Synaptics.exe
2484	._cache_Synaptics.exe
2484	._cache_Synaptics.exe
2484	._cache_Synaptics.exe
2484	._cache_Synaptics.exe
2484	._cache_Synaptics.exe
2484	._cache_Synaptics.exe
2484	._cache_Synaptics.exe
2484	._cache_Synaptics.exe
2484	._cache_Synaptics.exe
2484	._cache_Synaptics.exe
2484	._cache_Synaptics.exe
2484	._cache_Synaptics.exe
2484	._cache_Synaptics.exe
2484	._cache_Synaptics.exe
2484	._cache_Synaptics.exe
2484	._cache_Synaptics.exe
2484	._cache_Synaptics.exe
2484	._cache_Synaptics.exe
2484	._cache_Synaptics.exe
2484	._cache_Synaptics.exe
2484	._cache_Synaptics.exe
2484	._cache_Synaptics.exe
2484	._cache_Synaptics.exe
2484	._cache_Synaptics.exe
2484	._cache_Synaptics.exe
2484	._cache_Synaptics.exe
2484	._cache_Synaptics.exe
2484	._cache_Synaptics.exe
2484	._cache_Synaptics.exe
2484	._cache_Synaptics.exe
2484	._cache_Synaptics.exe
2484	._cache_Synaptics.exe
2484	._cache_Synaptics.exe
2484	._cache_Synaptics.exe
2484	._cache_Synaptics.exe
2484	._cache_Synaptics.exe
2484	._cache_Synaptics.exe
2484	._cache_Synaptics.exe
2484	._cache_Synaptics.exe
2484	._cache_Synaptics.exe
2484	._cache_Synaptics.exe
1448	Synaptics.exe
1448	Synaptics.exe
4316	._cache_Synaptics.exe
4316	._cache_Synaptics.exe
4316	._cache_Synaptics.exe
4316	._cache_Synaptics.exe
4316	._cache_Synaptics.exe
4316	._cache_Synaptics.exe
4316	._cache_Synaptics.exe
4316	._cache_Synaptics.exe
4316	._cache_Synaptics.exe
4316	._cache_Synaptics.exe
4316	._cache_Synaptics.exe
4316	._cache_Synaptics.exe
4316	._cache_Synaptics.exe
4316	._cache_Synaptics.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeSystemProfilePrivilege	2484	._cache_Synaptics.exe
Token: SeSystemProfilePrivilege	2484	._cache_Synaptics.exe
Token: SeSystemProfilePrivilege	2484	._cache_Synaptics.exe
Token: SeSystemProfilePrivilege	2484	._cache_Synaptics.exe
Token: SeSystemProfilePrivilege	2484	._cache_Synaptics.exe
Token: SeSystemProfilePrivilege	2484	._cache_Synaptics.exe
Token: SeSystemProfilePrivilege	2484	._cache_Synaptics.exe
Token: SeSystemProfilePrivilege	2484	._cache_Synaptics.exe
Token: SeSystemProfilePrivilege	2484	._cache_Synaptics.exe
Token: SeSystemProfilePrivilege	2484	._cache_Synaptics.exe
Token: SeSystemProfilePrivilege	2484	._cache_Synaptics.exe
Token: SeSystemProfilePrivilege	2484	._cache_Synaptics.exe
Token: SeSystemProfilePrivilege	2484	._cache_Synaptics.exe
Token: SeSystemProfilePrivilege	2484	._cache_Synaptics.exe
Token: SeSystemProfilePrivilege	2484	._cache_Synaptics.exe
Token: SeSystemProfilePrivilege	2484	._cache_Synaptics.exe
Token: SeSystemProfilePrivilege	2484	._cache_Synaptics.exe
Token: SeSystemProfilePrivilege	2484	._cache_Synaptics.exe
Token: SeSystemProfilePrivilege	2484	._cache_Synaptics.exe
Token: SeSystemProfilePrivilege	2484	._cache_Synaptics.exe
Token: SeSystemProfilePrivilege	2484	._cache_Synaptics.exe
Token: SeSystemProfilePrivilege	2484	._cache_Synaptics.exe
Token: SeSystemProfilePrivilege	4316	._cache_Synaptics.exe
Token: SeSystemProfilePrivilege	4316	._cache_Synaptics.exe
Token: SeSystemProfilePrivilege	4316	._cache_Synaptics.exe
Token: SeSystemProfilePrivilege	4316	._cache_Synaptics.exe
Token: SeSystemProfilePrivilege	4316	._cache_Synaptics.exe
Token: SeSystemProfilePrivilege	4316	._cache_Synaptics.exe
Token: SeSystemProfilePrivilege	4316	._cache_Synaptics.exe
Token: SeSystemProfilePrivilege	4316	._cache_Synaptics.exe
Token: SeSystemProfilePrivilege	4316	._cache_Synaptics.exe
Token: SeSystemProfilePrivilege	4316	._cache_Synaptics.exe
Token: SeSystemProfilePrivilege	4316	._cache_Synaptics.exe
Token: SeSystemProfilePrivilege	4316	._cache_Synaptics.exe
Token: SeSystemProfilePrivilege	4316	._cache_Synaptics.exe
Token: SeSystemProfilePrivilege	4316	._cache_Synaptics.exe
Token: SeSystemProfilePrivilege	4316	._cache_Synaptics.exe
Token: SeSystemProfilePrivilege	4316	._cache_Synaptics.exe
Token: SeSystemProfilePrivilege	4316	._cache_Synaptics.exe
Token: SeSystemProfilePrivilege	4316	._cache_Synaptics.exe
Token: SeSystemProfilePrivilege	4316	._cache_Synaptics.exe
Token: SeSystemProfilePrivilege	4316	._cache_Synaptics.exe
Token: SeSystemProfilePrivilege	4316	._cache_Synaptics.exe
Token: SeSystemProfilePrivilege	4316	._cache_Synaptics.exe
Token: SeSystemProfilePrivilege	4316	._cache_Synaptics.exe
Token: SeSystemProfilePrivilege	4316	._cache_Synaptics.exe
Token: SeSystemProfilePrivilege	4316	._cache_Synaptics.exe
Token: SeSystemProfilePrivilege	4316	._cache_Synaptics.exe
Token: SeSystemProfilePrivilege	2660	._cache_Synaptics.exe
Token: SeSystemProfilePrivilege	2660	._cache_Synaptics.exe
Token: SeSystemProfilePrivilege	2660	._cache_Synaptics.exe
Token: SeSystemProfilePrivilege	2660	._cache_Synaptics.exe
Token: SeSystemProfilePrivilege	2660	._cache_Synaptics.exe
Token: SeSystemProfilePrivilege	2660	._cache_Synaptics.exe
Token: SeSystemProfilePrivilege	2660	._cache_Synaptics.exe
Token: SeSystemProfilePrivilege	2660	._cache_Synaptics.exe
Token: SeSystemProfilePrivilege	2660	._cache_Synaptics.exe
Token: SeSystemProfilePrivilege	2660	._cache_Synaptics.exe
Token: SeSystemProfilePrivilege	2660	._cache_Synaptics.exe
Token: SeSystemProfilePrivilege	2660	._cache_Synaptics.exe
Token: SeSystemProfilePrivilege	2660	._cache_Synaptics.exe
Token: SeSystemProfilePrivilege	2660	._cache_Synaptics.exe
Token: SeSystemProfilePrivilege	2660	._cache_Synaptics.exe
Token: SeSystemProfilePrivilege	2660	._cache_Synaptics.exe

Suspicious use of SetWindowsHookEx 26 IoCs

pid	Process
664	EXCEL.EXE
664	EXCEL.EXE
664	EXCEL.EXE
664	EXCEL.EXE
664	EXCEL.EXE
664	EXCEL.EXE
2084	EXCEL.EXE
2084	EXCEL.EXE
2084	EXCEL.EXE
2084	EXCEL.EXE
2084	EXCEL.EXE
2084	EXCEL.EXE
2084	EXCEL.EXE
2084	EXCEL.EXE
2320	EXCEL.EXE
2320	EXCEL.EXE
2320	EXCEL.EXE
2320	EXCEL.EXE
2320	EXCEL.EXE
2320	EXCEL.EXE
2320	EXCEL.EXE
2320	EXCEL.EXE
1484	EXCEL.EXE
1484	EXCEL.EXE
1484	EXCEL.EXE
1484	EXCEL.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4104 wrote to memory of 2984	4104	0xBenz Spoofer.exe	87
PID 4104 wrote to memory of 2984	4104	0xBenz Spoofer.exe	87
PID 4104 wrote to memory of 2984	4104	0xBenz Spoofer.exe	87
PID 4104 wrote to memory of 4988	4104	0xBenz Spoofer.exe	88
PID 4104 wrote to memory of 4988	4104	0xBenz Spoofer.exe	88
PID 4104 wrote to memory of 4988	4104	0xBenz Spoofer.exe	88
PID 4988 wrote to memory of 2484	4988	Synaptics.exe	120
PID 4988 wrote to memory of 2484	4988	Synaptics.exe	120
PID 4988 wrote to memory of 2484	4988	Synaptics.exe	120
PID 2984 wrote to memory of 4332	2984	._cache_0xBenz Spoofer.exe	92
PID 2984 wrote to memory of 4332	2984	._cache_0xBenz Spoofer.exe	92
PID 2984 wrote to memory of 4332	2984	._cache_0xBenz Spoofer.exe	92
PID 4332 wrote to memory of 1344	4332	._cache_._cache_0xBenz Spoofer.exe	93
PID 4332 wrote to memory of 1344	4332	._cache_._cache_0xBenz Spoofer.exe	93
PID 4332 wrote to memory of 1344	4332	._cache_._cache_0xBenz Spoofer.exe	93
PID 1344 wrote to memory of 552	1344	svchost.exe	95
PID 1344 wrote to memory of 552	1344	svchost.exe	95
PID 1344 wrote to memory of 552	1344	svchost.exe	95
PID 2484 wrote to memory of 3548	2484	._cache_Synaptics.exe	97
PID 2484 wrote to memory of 3548	2484	._cache_Synaptics.exe	97
PID 2484 wrote to memory of 3548	2484	._cache_Synaptics.exe	97
PID 3548 wrote to memory of 4552	3548	._cache_._cache_Synaptics.exe	106
PID 3548 wrote to memory of 4552	3548	._cache_._cache_Synaptics.exe	106
PID 3548 wrote to memory of 4552	3548	._cache_._cache_Synaptics.exe	106
PID 4552 wrote to memory of 536	4552	svchost.exe	99
PID 4552 wrote to memory of 536	4552	svchost.exe	99
PID 4552 wrote to memory of 536	4552	svchost.exe	99
PID 2484 wrote to memory of 1448	2484	._cache_Synaptics.exe	100
PID 2484 wrote to memory of 1448	2484	._cache_Synaptics.exe	100
PID 2484 wrote to memory of 1448	2484	._cache_Synaptics.exe	100
PID 1448 wrote to memory of 4316	1448	Synaptics.exe	102
PID 1448 wrote to memory of 4316	1448	Synaptics.exe	102
PID 1448 wrote to memory of 4316	1448	Synaptics.exe	102
PID 4316 wrote to memory of 4552	4316	._cache_Synaptics.exe	106
PID 4316 wrote to memory of 4552	4316	._cache_Synaptics.exe	106
PID 4316 wrote to memory of 4552	4316	._cache_Synaptics.exe	106
PID 4316 wrote to memory of 2248	4316	._cache_Synaptics.exe	107
PID 4316 wrote to memory of 2248	4316	._cache_Synaptics.exe	107
PID 4316 wrote to memory of 2248	4316	._cache_Synaptics.exe	107
PID 2248 wrote to memory of 2660	2248	Synaptics.exe	110
PID 2248 wrote to memory of 2660	2248	Synaptics.exe	110
PID 2248 wrote to memory of 2660	2248	Synaptics.exe	110
PID 2660 wrote to memory of 4440	2660	._cache_Synaptics.exe	113
PID 2660 wrote to memory of 4440	2660	._cache_Synaptics.exe	113
PID 2660 wrote to memory of 4440	2660	._cache_Synaptics.exe	113
PID 2660 wrote to memory of 1376	2660	._cache_Synaptics.exe	125
PID 2660 wrote to memory of 1376	2660	._cache_Synaptics.exe	125
PID 2660 wrote to memory of 1376	2660	._cache_Synaptics.exe	125
PID 1376 wrote to memory of 1288	1376	Synaptics.exe	118
PID 1376 wrote to memory of 1288	1376	Synaptics.exe	118
PID 1376 wrote to memory of 1288	1376	Synaptics.exe	118
PID 1288 wrote to memory of 2484	1288	._cache_Synaptics.exe	120
PID 1288 wrote to memory of 2484	1288	._cache_Synaptics.exe	120
PID 1288 wrote to memory of 2484	1288	._cache_Synaptics.exe	120
PID 1288 wrote to memory of 2596	1288	._cache_Synaptics.exe	121
PID 1288 wrote to memory of 2596	1288	._cache_Synaptics.exe	121
PID 1288 wrote to memory of 2596	1288	._cache_Synaptics.exe	121
PID 2596 wrote to memory of 2956	2596	Synaptics.exe	122
PID 2596 wrote to memory of 2956	2596	Synaptics.exe	122
PID 2596 wrote to memory of 2956	2596	Synaptics.exe	122
PID 2956 wrote to memory of 3800	2956	._cache_Synaptics.exe	123
PID 2956 wrote to memory of 3800	2956	._cache_Synaptics.exe	123
PID 2956 wrote to memory of 3800	2956	._cache_Synaptics.exe	123
PID 2956 wrote to memory of 1840	2956	._cache_Synaptics.exe	124

C:\Users\Admin\AppData\Local\Temp\0xBenz Spoofer.exe
"C:\Users\Admin\AppData\Local\Temp\0xBenz Spoofer.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4104
- C:\Users\Admin\AppData\Local\Temp\._cache_0xBenz Spoofer.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_0xBenz Spoofer.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2984
- - C:\Users\Admin\AppData\Local\Temp\._cache_._cache_0xBenz Spoofer.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_._cache_0xBenz Spoofer.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4332
  - - C:\Windows\svchost.exe
      "C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\._cache_._cache_0xBenz Spoofer.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1344
    - - C:\Users\Admin\AppData\Local\Temp\._cache_._cache_0xBenz Spoofer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_._cache_0xBenz Spoofer.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Enumerates system info in registry
        
        PID:552
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4988
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2484
  - - C:\Users\Admin\AppData\Local\Temp\._cache_._cache_Synaptics.exe
      "C:\Users\Admin\AppData\Local\Temp\._cache_._cache_Synaptics.exe" InjUpdate
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3548
    - - C:\Windows\svchost.exe
        
        "C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\._cache_._cache_Synaptics.exe" InjUpdate
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4552
      - C:\Users\Admin\AppData\Local\Temp\._cache_._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_._cache_Synaptics.exe" InjUpdate
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Enumerates system info in registry
        
        PID:536
  - - C:\ProgramData\Synaptics\Synaptics.exe
      "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:1448
    - - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4316
      - C:\Users\Admin\AppData\Local\Temp\._cache_._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_._cache_Synaptics.exe" InjUpdate
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Enumerates system info in registry
        
        PID:4552
      - C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2248
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2660
        
        C:\Users\Admin\AppData\Local\Temp\._cache_._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_._cache_Synaptics.exe" InjUpdate
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Enumerates system info in registry
        
        PID:4440
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1376
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1288
        
        C:\Users\Admin\AppData\Local\Temp\._cache_._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_._cache_Synaptics.exe" InjUpdate
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Enumerates system info in registry
        
        PID:2484
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2596
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2956
        
        C:\Users\Admin\AppData\Local\Temp\._cache_._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_._cache_Synaptics.exe" InjUpdate
        12⤵
        Executes dropped EXE
        Enumerates system info in registry
        
        PID:3800
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1840
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        
        PID:1376
        
        C:\Users\Admin\AppData\Local\Temp\._cache_._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_._cache_Synaptics.exe" InjUpdate
        14⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Enumerates system info in registry
        
        PID:1628
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1008
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1192
        
        C:\Users\Admin\AppData\Local\Temp\._cache_._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_._cache_Synaptics.exe" InjUpdate
        16⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Enumerates system info in registry
        
        PID:3228
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3164
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        
        PID:1152
        
        C:\Users\Admin\AppData\Local\Temp\._cache_._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_._cache_Synaptics.exe" InjUpdate
        18⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Enumerates system info in registry
        
        PID:4632
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1136
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:564
        
        C:\Users\Admin\AppData\Local\Temp\._cache_._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_._cache_Synaptics.exe" InjUpdate
        20⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Enumerates system info in registry
        
        PID:1496
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1400
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3376
        
        C:\Users\Admin\AppData\Local\Temp\._cache_._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_._cache_Synaptics.exe" InjUpdate
        22⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Enumerates system info in registry
        
        PID:4964
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:5112
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1336
        
        C:\Users\Admin\AppData\Local\Temp\._cache_._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_._cache_Synaptics.exe" InjUpdate
        24⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Enumerates system info in registry
        
        PID:220
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4448
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3876
        
        C:\Users\Admin\AppData\Local\Temp\._cache_._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_._cache_Synaptics.exe" InjUpdate
        26⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Enumerates system info in registry
        
        PID:4276
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:1128
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        27⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:216
        
        C:\Users\Admin\AppData\Local\Temp\._cache_._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_._cache_Synaptics.exe" InjUpdate
        28⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Enumerates system info in registry
        
        PID:4988
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5004
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        29⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4768
        
        C:\Users\Admin\AppData\Local\Temp\._cache_._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_._cache_Synaptics.exe" InjUpdate
        30⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Enumerates system info in registry
        
        PID:2984
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3096
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        31⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        
        PID:1092
        
        C:\Users\Admin\AppData\Local\Temp\._cache_._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_._cache_Synaptics.exe" InjUpdate
        32⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Enumerates system info in registry
        
        PID:4612
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        32⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2508
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        33⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:860
        
        C:\Users\Admin\AppData\Local\Temp\._cache_._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_._cache_Synaptics.exe" InjUpdate
        34⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Enumerates system info in registry
        
        PID:1028
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        34⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:1796
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        35⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3576
        
        C:\Users\Admin\AppData\Local\Temp\._cache_._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_._cache_Synaptics.exe" InjUpdate
        36⤵
        Executes dropped EXE
        Enumerates system info in registry
        
        PID:4868
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        36⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:4532
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        37⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:912
        
        C:\Users\Admin\AppData\Local\Temp\._cache_._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_._cache_Synaptics.exe" InjUpdate
        38⤵
        Executes dropped EXE
        Enumerates system info in registry
        
        PID:464
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        38⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:4256
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        39⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3608
        
        C:\Users\Admin\AppData\Local\Temp\._cache_._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_._cache_Synaptics.exe" InjUpdate
        40⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Enumerates system info in registry
        
        PID:1284
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        40⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4764
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        41⤵
        Checks computer location settings
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:376
        
        C:\Users\Admin\AppData\Local\Temp\._cache_._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_._cache_Synaptics.exe" InjUpdate
        42⤵
        Enumerates system info in registry
        
        PID:2196
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        42⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1352
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        43⤵
        Checks computer location settings
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1972
        
        C:\Users\Admin\AppData\Local\Temp\._cache_._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_._cache_Synaptics.exe" InjUpdate
        44⤵
        System Location Discovery: System Language Discovery
        Enumerates system info in registry
        
        PID:3928
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        44⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2428
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        45⤵
        Checks computer location settings
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3440
        
        C:\Users\Admin\AppData\Local\Temp\._cache_._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_._cache_Synaptics.exe" InjUpdate
        46⤵
        Enumerates system info in registry
        
        PID:1352
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        46⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5180
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        47⤵
        Checks computer location settings
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5416
        
        C:\Users\Admin\AppData\Local\Temp\._cache_._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_._cache_Synaptics.exe" InjUpdate
        48⤵
        System Location Discovery: System Language Discovery
        Enumerates system info in registry
        
        PID:5556
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        48⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5824
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        49⤵
        Checks computer location settings
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5936
        
        C:\Users\Admin\AppData\Local\Temp\._cache_._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_._cache_Synaptics.exe" InjUpdate
        50⤵
        System Location Discovery: System Language Discovery
        Enumerates system info in registry
        
        PID:6084
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        50⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1848
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        51⤵
        
        PID:5500
        
        C:\Users\Admin\AppData\Local\Temp\._cache_._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_._cache_Synaptics.exe" InjUpdate
        52⤵
        
        PID:5608
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        52⤵
        
        PID:3588
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        53⤵
        
        PID:5980

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:664

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:3332

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
PID:2084

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
PID:2320

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
PID:1484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
11.4MB

MD5
01028bb209d7f19090bc6b58dd9974b8

SHA1
d68b0bb100210464959d80528c4686db215a6e27

SHA256
7c433d6caea68c27cff2c6980231a32ff5889a8c1b2a7943b42c9bccca2fac54

SHA512
f8d8ad8104236343e7a11c7e3d3baf25f3793dfbd73ad7aa3ffe4989c5e6e85f2ccc88b5a0bdbe6667e92977ef02328d96b098b45c79890701c87a25e2ec6971

Download Submit
C:\ProgramData\Synaptics\Synaptics.exe

Filesize
11.4MB

MD5
4297039d9032c746cd9c119418563729

SHA1
703388c52a7d1cc92c1e5d3a0871dd27cfed3cb2

SHA256
7fd1d00e4d80401e4dd9d5ebd573c17cc6413707b67d3df59ad081ce43486642

SHA512
f6171e6d4c1cd1dbf13059b994728c3658f0d04d19c15a4021f15330b1ac98533f476b06172d34f83fe08fc3d1a757e30952b6f14a415305d71647b180d8bac0

Download Submit
C:\ProgramData\Synaptics\Synaptics.exe

Filesize
11.4MB

MD5
25bc6cdd9dd83c167e15c7bdee0501db

SHA1
9800e7a6a38ad3fe6aa9616e6105de9cecabe9ef

SHA256
33538d3524bea989ae3d9a6bbd201ec1592b11cf3015c96854ae73e97f72a494

SHA512
10f79f0499d4bc5cdd1643ac3f597228e2ba203721e6963c3de792085b43f906aeeaed5f454bcd90dd6c9de5e8848a86933eed7c4b65a46be15ca36c85cba68d

Download Submit
C:\ProgramData\Synaptics\Synaptics.exe

Filesize
11.4MB

MD5
3113b751dcf03608050ed0af52b4f6f7

SHA1
be2f56a968c13d07a37f76a604623591008326f9

SHA256
a1e032c8e65f8449128490dda69a45bcf28a94b2f40fa45d78a1802ae1f2a67f

SHA512
0b6d9abcc9969172291b23d0f9ea5be17d20b0a079be863db40e21858e54b28cc568ba36b5f9ef278f4b5b0e68ed25d009841177b5a8fd34963186f25af34df1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A

Filesize
471B

MD5
40d3772d6d4e703d383161da620db712

SHA1
9b90eea9b44ad7de50c1202220a5d83b091fa5e4

SHA256
dcae5c5c871c9b1ca73e42cef69f9c988245f8665f6cb5565d0b60f557c3dd5a

SHA512
2c090d1441e9639b5447b9054281f21acab95b4a42a1e42282e441469abf88557b923bd32288f1914991d36683429d8aa8143f0f55b1aa9dac594c1909b2ed72

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A

Filesize
412B

MD5
7cf9b7f3ee046fb9d6d2c517cdc562c6

SHA1
1f2f7f7869193bb0d5eedeebd2053fd7c598dfe9

SHA256
250d984d8b31cf79a510e383e92533d9deac1e4d1a997cdde88d00f0fef4d275

SHA512
dde85b93dec200ec2615c81701c770243abcfb69b1aa2b102dd6838c073df11c131289567b0d02e57e9ca13c3943f696e632057f21404bbc9e0721d298dd0d56

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\._cache_._cache_Synaptics.exe.log

Filesize
1KB

MD5
7ebe314bf617dc3e48b995a6c352740c

SHA1
538f643b7b30f9231a3035c448607f767527a870

SHA256
48178f884b8a4dd96e330b210b0530667d9473a7629fc6b4ad12b614bf438ee8

SHA512
0ba9d8f4244c15285e254d27b4bff7c49344ff845c48bc0bf0d8563072fab4d6f7a6abe6b6742e8375a08e9a3b3e5d5dc4937ab428dbe2dd8e62892fda04507e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\65BA3A33-26C6-41E8-BBCF-11D9222D2430

Filesize
170KB

MD5
d7d6ac35dd175a8bfd0c1fffa83e4e99

SHA1
7026d4a1237d63969edb48bad57a82df9c496121

SHA256
8a5af4ac5ee9be9898bcf97eecfb19b737c2f4c69173af2237d0a1e8b625c071

SHA512
16e60284aff70766191349e34568f7f559fb006762cff958998f4ab8d48978f1d8043d9aa37d7d0ce0cb9d82bcb149f70f8d74e0854d1a1c8f40fa607967a945

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\DLP\mip\logs\mip_sdk.miplog

Filesize
10KB

MD5
b28a78ac8fc79e12592dbcdff5b9bdbc

SHA1
dc425e1f8b5ff420cb21e81daaf0710052fc6ae2

SHA256
ae215cdba0ca3e64b1b2b574bed49427f5c86ef91cf7a2e8c9eba23918604d58

SHA512
480e4bb6282ffefe59523c464fdec57227019f5f250df7e9d11af7ac91dfe0627e324cfcf1bf04b6f2a778e17f5620626040ed8c94dcd1069a4dc12c95a0b367

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\DLP\mip\logs\mip_sdk.miplog

Filesize
13KB

MD5
650977ed134d858a80e41f919e16107d

SHA1
483ebe8f56cd480144ea8db5a2ed73f8a3dbf0b6

SHA256
d97d56f5e1893881bd684e84e5c2fdc9e2f0751ed92755898e2f31f71765c52e

SHA512
21ad8d90f28f72d6f4a4d7e27aef9ab1a05ce0c4237c6b6028dd0d7be7919ccece180b79d9eccc95042f3f57290571de2b9527d5477a5aa5a77a02bff149c73b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\DLP\mip\logs\mip_sdk.miplog

Filesize
15KB

MD5
825775d9d25bf0b7315d87b8d1284a64

SHA1
8539d6c5e4062814da42eff5b72d2452005ac25c

SHA256
bf44c30ccab21b902228e9293e5dd5a5b9a61617001952ec1c067903885e63ba

SHA512
916e7d9848ea043d2cf224f09dcba98e90b4eae0f38f537a9b6821378490afd5765ba382339e989c89e01b0467aa207b1c3eaa581135acdc172ee32c02007fdd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db-wal

Filesize
12KB

MD5
dadf1224d67969a5e585e5e4d8b6e50a

SHA1
faf7482c76c157c53d21a74ee3df6db607c48d81

SHA256
07db335d0daaede68c2014d829a63362168148862c7295b1203a8a9e1ebeb565

SHA512
716ceb4710e38b64ccfcca26b0ce4eee1c7075f70fbf8667a738032b2d940eabb6041751c4c733722a926a2d2133d1a9048c67b359d4f0b89217a0a66d4fb6b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db-wal

Filesize
16KB

MD5
9c2d8bf587e96745bef8ec162276a636

SHA1
15f4b795c5a85730f000a4089d70ad7f8423f521

SHA256
08f60d1f6f8dec258dc18ba515851df38cbcdb62768f188445dd34bf8531e23d

SHA512
588f58cec21b054338e647bb53d13fdf325a3ce91bad35ffeb85edb575f9fcf1763806c2152f96b14eb2a045ee593b6b4ea1381794fce883ea7f73c8a4a28f43

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db-wal

Filesize
20KB

MD5
cea88667af1b77381ef1014c3fbe384d

SHA1
43a1eeb700e0ef0ddace178f9aa89ab0dd9d33db

SHA256
f3654202234623202caf861729d4a2f193fcd4d6657aa040a0fa51a0a6a3e6b3

SHA512
a6432f92f1fec14d807145c81c4992bc976ac92e5051747fc22e1df01643b0e54f389ebc00464d7bc01f79e6bcf49954571a821b04f600ea844045e74f05c415

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres

Filesize
2KB

MD5
a7f7f674a0be7c51ff3ac7b4ba44690f

SHA1
7279c6bdae279cbe49e5e7430f532f036ae987f2

SHA256
8fab2e46ec39d29f15160db1b09f32d7c3caed024a890592e938b3c0978fb597

SHA512
17d68eac42bc0bc2ba26de4efbce09747abaa6c4b972864b9e247bdfbf7bedd21df141008d3076c5cf2894842bedf0081100cb499d94d81100a9a38b946a522b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres

Filesize
2KB

MD5
ef0d9f01743e8125d1e57d10a967057b

SHA1
c743e3d06cc6401c679464548bc0f35829ad603b

SHA256
eb1196b5086b5e2c1b17422403e6ed190a15b6295ca940bf8d8ab935fb93493f

SHA512
acec7673976366d0cb7601f578ce488d30e4435bd5e24c9c09f3e86f39152327371d058bb5b9861fa2e14b179a44cae832f3ee1853a42ae87af45dd2984b5561

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_._cache_0xBenz Spoofer.exe

Filesize
2.4MB

MD5
55e1577f9970564ccfceae7625b263a4

SHA1
e1e84fa4ee17cf4536008f6a50924710e98aaa4a

SHA256
114e4109ee70cbf3b458040e8b3368f669d998422c36b2de6a8c0f1f9ea81579

SHA512
23e30e7bce19f4590e77a47bce42ebf67fb9f669f8388e1d747887f7078fb1f94359dd428095122d33fee14fa1ab3dd887fa2b364f407ed1f902ffb0dbeab5e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_._cache_0xBenz Spoofer.exe

Filesize
2.4MB

MD5
38c264f6c8b93f43d2c119d51464ca63

SHA1
9e257ab80a8c31fdb6830d5b3db36035c5cdf411

SHA256
1e769a3f416dc8c46ab3cfaecf5e68e40d2f0bb3271b10a7bc5a98dbd7e91110

SHA512
11043196302dba954f41d79733a1a6bdfa22ecc6721b88cf47175a16f39cfd108deb9631a58ef90bcf0de3152bf68086ec03ae8f8771b36ec21e933505333856

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_._cache_Synaptics.exe

Filesize
2.4MB

MD5
4121363a325f1bc674c58d6558e15e66

SHA1
a3ebd6c4cb1af5a696b1bf2da307e39bbfc2e7b7

SHA256
12ed31e6199305c4b5257dd3ddd0d6903e5db7beaf61ed815dfb9b1d07264e5f

SHA512
bb8fe363eaf19ecb6515442e7403681326e611bcd60389fa3148d8e02c4369c2e2351193387af6af3ca1e881e00d39530fef656c412ed3fe3145ebc35d2cfeff

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_0xBenz Spoofer.exe

Filesize
11.4MB

MD5
1b5d0bbd718b6391d1d7b4805e11069f

SHA1
f9c925f20bb0ac4ef0c0b11cbd954f5a06e155de

SHA256
53b609b79d22f11772f228292e34f0e820d00ddbff25e5361ccd58efb8df06fc

SHA512
9a5f1fde7aaf35075a74b01b6aa174789eba4812d0e0df745e5741689a6180ed9bc77b5b9acc99aaa93548ae1a04464fb5886d25698704c754865e4676294b2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\4MUnmAtb.xlsm

Filesize
23KB

MD5
53c2ca25ccb95335332142b1595eda4f

SHA1
2110d60f63b9ed5dfd68a592f84b66e4a95f2104

SHA256
7ed6b0b6cda691e8e03081a1478a1bcfa62e6780bd5c558b9cca1e257b4d2507

SHA512
6443c473563e67e9d4a23dafe42f5477e086683f13edc7ca494f3160b6022ba308f74759d729486fc6e2ee6b0f4921614da1643224525a0c10947b63f30ca2e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\VgbgHvCN.xlsm

Filesize
21KB

MD5
9b83c61b27610f7a2d2fc556319030d6

SHA1
c51e81c0f8282b7a98283cdac6000d954f447dbd

SHA256
94c1011d519081529e037353c099c47c5f2be046ae5f4fa86f9e6f2d3375658c

SHA512
bd6f660fe4def94123e7d7feae33dec01bfa9078c9441f6c36abf2220756f3b06169acfe023c6f7245c72ee8998ff40e2846837edbc0701c1f3299cf3040a64b

Download Submit
C:\Users\Admin\AppData\Local\Temp\iNEi7rPO.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\Desktop\~$LimitClear.xlsx

Filesize
165B

MD5
ff09371174f7c701e75f357a187c06e8

SHA1
57f9a638fd652922d7eb23236c80055a91724503

SHA256
e4ba04959837c27019a2349015543802439e152ddc4baf4e8c7b9d2b483362a8

SHA512
e4d01e5908e9f80b7732473ec6807bb7faa5425e3154d5642350f44d7220af3cffd277e0b67bcf03f1433ac26a26edb3ddd3707715b61d054b979fbb4b453882

Download Submit
C:\Windows\svchost.exe

Filesize
35KB

MD5
9e3c13b6556d5636b745d3e466d47467

SHA1
2ac1c19e268c49bc508f83fe3d20f495deb3e538

SHA256
20af03add533a6870d524a7c4753b42bfceb56cddd46016c051e23581ba743f8

SHA512
5a07ba8a7fcb15f64b129fada2621252b8bc37eb34d4f614c075c064f8ac0d367301eba0c32c5e28b8aa633f6ab604f0dfcc363b34734ce0207ef0d4e8817c4b

Download Submit
memory/536-446-0x0000000006630000-0x0000000006A36000-memory.dmp

Filesize
4.0MB

Download
memory/552-359-0x00000000006C0000-0x0000000000930000-memory.dmp

Filesize
2.4MB

Download
memory/552-445-0x00000000057C0000-0x00000000059D4000-memory.dmp

Filesize
2.1MB

Download
memory/552-369-0x00000000059E0000-0x0000000005F84000-memory.dmp

Filesize
5.6MB

Download
memory/552-442-0x00000000051E0000-0x00000000051EA000-memory.dmp

Filesize
40KB

Download
memory/552-374-0x0000000005250000-0x00000000052E2000-memory.dmp

Filesize
584KB

Download
memory/664-193-0x00007FFE49810000-0x00007FFE49820000-memory.dmp

Filesize
64KB

Download
memory/664-194-0x00007FFE46EB0000-0x00007FFE46EC0000-memory.dmp

Filesize
64KB

Download
memory/664-189-0x00007FFE49810000-0x00007FFE49820000-memory.dmp

Filesize
64KB

Download
memory/664-190-0x00007FFE49810000-0x00007FFE49820000-memory.dmp

Filesize
64KB

Download
memory/664-192-0x00007FFE49810000-0x00007FFE49820000-memory.dmp

Filesize
64KB

Download
memory/664-195-0x00007FFE46EB0000-0x00007FFE46EC0000-memory.dmp

Filesize
64KB

Download
memory/664-191-0x00007FFE49810000-0x00007FFE49820000-memory.dmp

Filesize
64KB

Download
memory/1344-308-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/1448-453-0x00000000033D0000-0x00000000033D1000-memory.dmp

Filesize
4KB

Download
memory/1448-454-0x00000000033E0000-0x00000000033E1000-memory.dmp

Filesize
4KB

Download
memory/1448-455-0x00000000033F0000-0x00000000033F1000-memory.dmp

Filesize
4KB

Download
memory/1448-456-0x0000000003420000-0x0000000003421000-memory.dmp

Filesize
4KB

Download
memory/1448-457-0x0000000003430000-0x0000000003431000-memory.dmp

Filesize
4KB

Download
memory/1448-459-0x0000000003450000-0x0000000003451000-memory.dmp

Filesize
4KB

Download
memory/1448-458-0x0000000003440000-0x0000000003441000-memory.dmp

Filesize
4KB

Download
memory/1448-460-0x0000000000400000-0x00000000017BE000-memory.dmp

Filesize
19.7MB

Download
memory/2248-599-0x0000000003320000-0x0000000003321000-memory.dmp

Filesize
4KB

Download
memory/2248-602-0x0000000000400000-0x00000000017BE000-memory.dmp

Filesize
19.7MB

Download
memory/2248-598-0x0000000003310000-0x0000000003311000-memory.dmp

Filesize
4KB

Download
memory/2248-595-0x00000000018E0000-0x00000000018E1000-memory.dmp

Filesize
4KB

Download
memory/2248-596-0x00000000018F0000-0x00000000018F1000-memory.dmp

Filesize
4KB

Download
memory/2248-597-0x0000000001900000-0x0000000001901000-memory.dmp

Filesize
4KB

Download
memory/2484-261-0x00000000018D0000-0x00000000018D1000-memory.dmp

Filesize
4KB

Download
memory/2484-259-0x0000000001820000-0x0000000001821000-memory.dmp

Filesize
4KB

Download
memory/2484-258-0x0000000001810000-0x0000000001811000-memory.dmp

Filesize
4KB

Download
memory/2484-264-0x0000000000400000-0x00000000017BE000-memory.dmp

Filesize
19.7MB

Download
memory/2484-260-0x0000000001870000-0x0000000001871000-memory.dmp

Filesize
4KB

Download
memory/2484-263-0x0000000003560000-0x0000000003561000-memory.dmp

Filesize
4KB

Download
memory/2484-262-0x0000000003550000-0x0000000003551000-memory.dmp

Filesize
4KB

Download
memory/2484-257-0x0000000001800000-0x0000000001801000-memory.dmp

Filesize
4KB

Download
memory/2984-197-0x0000000001A30000-0x0000000001A31000-memory.dmp

Filesize
4KB

Download
memory/2984-196-0x0000000001910000-0x0000000001911000-memory.dmp

Filesize
4KB

Download
memory/2984-202-0x0000000003340000-0x0000000003341000-memory.dmp

Filesize
4KB

Download
memory/2984-201-0x0000000003330000-0x0000000003331000-memory.dmp

Filesize
4KB

Download
memory/2984-203-0x0000000000400000-0x00000000017BE000-memory.dmp

Filesize
19.7MB

Download
memory/2984-200-0x0000000001A80000-0x0000000001A81000-memory.dmp

Filesize
4KB

Download
memory/2984-199-0x0000000001A70000-0x0000000001A71000-memory.dmp

Filesize
4KB

Download
memory/2984-198-0x0000000001A40000-0x0000000001A41000-memory.dmp

Filesize
4KB

Download
memory/3548-375-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4104-128-0x0000000000400000-0x0000000001035000-memory.dmp

Filesize
12.2MB

Download
memory/4104-0-0x0000000002EE0000-0x0000000002EE1000-memory.dmp

Filesize
4KB

Download
memory/4316-519-0x0000000003540000-0x0000000003541000-memory.dmp

Filesize
4KB

Download
memory/4316-520-0x0000000003550000-0x0000000003551000-memory.dmp

Filesize
4KB

Download
memory/4316-517-0x0000000001970000-0x0000000001971000-memory.dmp

Filesize
4KB

Download
memory/4316-521-0x0000000000400000-0x00000000017BE000-memory.dmp

Filesize
19.7MB

Download
memory/4316-518-0x0000000003520000-0x0000000003521000-memory.dmp

Filesize
4KB

Download
memory/4316-515-0x0000000001950000-0x0000000001951000-memory.dmp

Filesize
4KB

Download
memory/4316-516-0x0000000001960000-0x0000000001961000-memory.dmp

Filesize
4KB

Download
memory/4332-281-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4552-434-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/4988-372-0x0000000000400000-0x0000000001035000-memory.dmp

Filesize
12.2MB

Download