xred | 2d14b2e3b26441bb9552249e5123de51f1fc1c2efa21c266ce08d58eaa728aa6

Analysis

max time kernel
150s
max time network
148s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19-11-2024 20:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2d14b2e3b26441bb9552249e5123de51f1fc1c2efa21c266ce08d58eaa728aa6.exe
Size

7.4MB
MD5

7f22390ed7858a4530c0a47efe2b215e
SHA1

454afba3978700599c0862094c2ac50292188d89
SHA256

2d14b2e3b26441bb9552249e5123de51f1fc1c2efa21c266ce08d58eaa728aa6
SHA512

caf8cdcbcb7ca057016dd026d5d8fcced7d967c507dde5c79538281548a7c4aea004ff42870bbaff53899ada806fa39f77bfa30e5bc0efb3c36ba3362996b77d
SSDEEP

98304:rnsmtk2aUnsmtk2aansmtk2aensmtk2aGs+MQnPLeMNCvYaPhJTcYaxYEDzuWqbD:TLHLhL/LrsvyeMjguYax7z+bi+R

Score

10^/10

xred backdoor discovery evasion persistence

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

svchost.exeexplorer.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Executes dropped EXE 64 IoCs

Processes:

2d14b2e3b26441bb9552249e5123de51f1fc1c2efa21c266ce08d58eaa728aa6.exe icsys.icn.exeexplorer.exespoolsv.exesvchost.exespoolsv.exeSynaptics.exe._cache_Synaptics.exe._cache_synaptics.exe icsys.icn.exeexplorer.exeSynaptics.exe._cache_Synaptics.exe._cache_synaptics.exe icsys.icn.exeexplorer.exeSynaptics.exe._cache_Synaptics.exe._cache_synaptics.exe icsys.icn.exeexplorer.exeSynaptics.exe._cache_Synaptics.exe._cache_synaptics.exe icsys.icn.exeexplorer.exeSynaptics.exe._cache_Synaptics.exe._cache_synaptics.exe icsys.icn.exeexplorer.exeSynaptics.exe._cache_Synaptics.exe._cache_synaptics.exe icsys.icn.exeexplorer.exeSynaptics.exe._cache_Synaptics.exe._cache_synaptics.exe icsys.icn.exeexplorer.exeSynaptics.exe._cache_Synaptics.exe._cache_synaptics.exe icsys.icn.exeexplorer.exeSynaptics.exe._cache_Synaptics.exe._cache_synaptics.exe icsys.icn.exeexplorer.exeSynaptics.exe._cache_Synaptics.exe._cache_synaptics.exe icsys.icn.exeexplorer.exeSynaptics.exe._cache_Synaptics.exe._cache_synaptics.exe icsys.icn.exeexplorer.exeSynaptics.exe._cache_Synaptics.exe._cache_synaptics.exe

pid	process
3068	2d14b2e3b26441bb9552249e5123de51f1fc1c2efa21c266ce08d58eaa728aa6.exe
2556	icsys.icn.exe
2348	explorer.exe
2904	spoolsv.exe
2888	svchost.exe
2188	spoolsv.exe
2516	Synaptics.exe
1652	._cache_Synaptics.exe
808	._cache_synaptics.exe
1612	icsys.icn.exe
1052	explorer.exe
2996	Synaptics.exe
1992	._cache_Synaptics.exe
1640	._cache_synaptics.exe
2464	icsys.icn.exe
2332	explorer.exe
2528	Synaptics.exe
1852	._cache_Synaptics.exe
2972	._cache_synaptics.exe
2916	icsys.icn.exe
1504	explorer.exe
2804	Synaptics.exe
2772	._cache_Synaptics.exe
2684	._cache_synaptics.exe
1916	icsys.icn.exe
2524	explorer.exe
1748	Synaptics.exe
324	._cache_Synaptics.exe
2008	._cache_synaptics.exe
1728	icsys.icn.exe
1756	explorer.exe
3032	Synaptics.exe
1576	._cache_Synaptics.exe
708	._cache_synaptics.exe
3016	icsys.icn.exe
1128	explorer.exe
2844	Synaptics.exe
2760	._cache_Synaptics.exe
2936	._cache_synaptics.exe
2908	icsys.icn.exe
2632	explorer.exe
1732	Synaptics.exe
1528	._cache_Synaptics.exe
2504	._cache_synaptics.exe
1608	icsys.icn.exe
1772	explorer.exe
2356	Synaptics.exe
1060	._cache_Synaptics.exe
2156	._cache_synaptics.exe
1736	icsys.icn.exe
2052	explorer.exe
1036	Synaptics.exe
892	._cache_Synaptics.exe
1288	._cache_synaptics.exe
2144	icsys.icn.exe
2448	explorer.exe
2304	Synaptics.exe
1436	._cache_Synaptics.exe
2440	._cache_synaptics.exe
2124	icsys.icn.exe
2832	explorer.exe
2064	Synaptics.exe
3052	._cache_Synaptics.exe
2072	._cache_synaptics.exe

Loads dropped DLL 64 IoCs

Processes:

2d14b2e3b26441bb9552249e5123de51f1fc1c2efa21c266ce08d58eaa728aa6.exeicsys.icn.exeexplorer.exespoolsv.exesvchost.exe2d14b2e3b26441bb9552249e5123de51f1fc1c2efa21c266ce08d58eaa728aa6.exe Synaptics.exe._cache_Synaptics.exe._cache_synaptics.exe Synaptics.exe._cache_Synaptics.exe._cache_synaptics.exe Synaptics.exe._cache_Synaptics.exe._cache_synaptics.exe Synaptics.exe._cache_Synaptics.exe._cache_synaptics.exe Synaptics.exe._cache_Synaptics.exe._cache_synaptics.exe Synaptics.exe._cache_Synaptics.exe._cache_synaptics.exe Synaptics.exe

pid	process
2700	2d14b2e3b26441bb9552249e5123de51f1fc1c2efa21c266ce08d58eaa728aa6.exe
2700	2d14b2e3b26441bb9552249e5123de51f1fc1c2efa21c266ce08d58eaa728aa6.exe
2700	2d14b2e3b26441bb9552249e5123de51f1fc1c2efa21c266ce08d58eaa728aa6.exe
2556	icsys.icn.exe
2348	explorer.exe
2904	spoolsv.exe
2888	svchost.exe
3068	2d14b2e3b26441bb9552249e5123de51f1fc1c2efa21c266ce08d58eaa728aa6.exe
3068	2d14b2e3b26441bb9552249e5123de51f1fc1c2efa21c266ce08d58eaa728aa6.exe
3068	2d14b2e3b26441bb9552249e5123de51f1fc1c2efa21c266ce08d58eaa728aa6.exe
2516	Synaptics.exe
2516	Synaptics.exe
1652	._cache_Synaptics.exe
1652	._cache_Synaptics.exe
1652	._cache_Synaptics.exe
808	._cache_synaptics.exe
808	._cache_synaptics.exe
2996	Synaptics.exe
2996	Synaptics.exe
2996	Synaptics.exe
1992	._cache_Synaptics.exe
1992	._cache_Synaptics.exe
1640	._cache_synaptics.exe
1992	._cache_Synaptics.exe
1640	._cache_synaptics.exe
1640	._cache_synaptics.exe
2528	Synaptics.exe
2528	Synaptics.exe
2528	Synaptics.exe
1852	._cache_Synaptics.exe
1852	._cache_Synaptics.exe
2972	._cache_synaptics.exe
2972	._cache_synaptics.exe
2972	._cache_synaptics.exe
2804	Synaptics.exe
2804	Synaptics.exe
2804	Synaptics.exe
2772	._cache_Synaptics.exe
2772	._cache_Synaptics.exe
2684	._cache_synaptics.exe
2772	._cache_Synaptics.exe
2684	._cache_synaptics.exe
2684	._cache_synaptics.exe
1748	Synaptics.exe
1748	Synaptics.exe
1748	Synaptics.exe
324	._cache_Synaptics.exe
324	._cache_Synaptics.exe
2008	._cache_synaptics.exe
324	._cache_Synaptics.exe
2008	._cache_synaptics.exe
2008	._cache_synaptics.exe
3032	Synaptics.exe
3032	Synaptics.exe
3032	Synaptics.exe
1576	._cache_Synaptics.exe
1576	._cache_Synaptics.exe
708	._cache_synaptics.exe
1576	._cache_Synaptics.exe
708	._cache_synaptics.exe
708	._cache_synaptics.exe
2844	Synaptics.exe
2844	Synaptics.exe
2844	Synaptics.exe

Adds Run key to start application 2 TTPs 34 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

._cache_synaptics.exe ._cache_synaptics.exe explorer.exe._cache_synaptics.exe ._cache_synaptics.exe svchost.exe._cache_synaptics.exe ._cache_synaptics.exe ._cache_synaptics.exe ._cache_synaptics.exe ._cache_synaptics.exe ._cache_synaptics.exe ._cache_synaptics.exe ._cache_synaptics.exe ._cache_synaptics.exe ._cache_synaptics.exe ._cache_synaptics.exe ._cache_synaptics.exe ._cache_synaptics.exe ._cache_synaptics.exe ._cache_synaptics.exe ._cache_synaptics.exe ._cache_synaptics.exe 2d14b2e3b26441bb9552249e5123de51f1fc1c2efa21c266ce08d58eaa728aa6.exe ._cache_synaptics.exe ._cache_synaptics.exe ._cache_synaptics.exe ._cache_synaptics.exe ._cache_synaptics.exe ._cache_synaptics.exe ._cache_synaptics.exe ._cache_synaptics.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	._cache_synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	._cache_synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	._cache_synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	._cache_synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	._cache_synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	._cache_synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	._cache_synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	._cache_synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	._cache_synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	._cache_synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	._cache_synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	._cache_synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	._cache_synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	._cache_synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	._cache_synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	._cache_synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	._cache_synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	._cache_synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	._cache_synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	._cache_synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	._cache_synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	2d14b2e3b26441bb9552249e5123de51f1fc1c2efa21c266ce08d58eaa728aa6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	._cache_synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	._cache_synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	._cache_synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	._cache_synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	._cache_synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	._cache_synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	._cache_synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	._cache_synaptics.exe

Drops file in System32 directory 2 IoCs

Processes:

svchost.exeexplorer.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe

Drops file in Windows directory 34 IoCs

Processes:

._cache_Synaptics.exe._cache_Synaptics.exe._cache_Synaptics.exe._cache_Synaptics.exe._cache_Synaptics.exe._cache_Synaptics.exe._cache_Synaptics.exe._cache_Synaptics.exe._cache_Synaptics.exe._cache_Synaptics.exe._cache_Synaptics.exe._cache_Synaptics.exe._cache_Synaptics.exe._cache_Synaptics.exe._cache_Synaptics.exe._cache_Synaptics.exe._cache_Synaptics.exe._cache_Synaptics.exe2d14b2e3b26441bb9552249e5123de51f1fc1c2efa21c266ce08d58eaa728aa6.exe._cache_Synaptics.exe._cache_Synaptics.exe._cache_Synaptics.exe._cache_Synaptics.exe._cache_Synaptics.exeexplorer.exespoolsv.exe._cache_Synaptics.exe._cache_Synaptics.exe._cache_Synaptics.exe._cache_Synaptics.exe._cache_Synaptics.exeicsys.icn.exe._cache_Synaptics.exe

description	ioc	process
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	._cache_Synaptics.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	._cache_Synaptics.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	._cache_Synaptics.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	._cache_Synaptics.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	._cache_Synaptics.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	._cache_Synaptics.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	._cache_Synaptics.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	._cache_Synaptics.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	._cache_Synaptics.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	._cache_Synaptics.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	._cache_Synaptics.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	._cache_Synaptics.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	._cache_Synaptics.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	._cache_Synaptics.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	._cache_Synaptics.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	._cache_Synaptics.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	._cache_Synaptics.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	._cache_Synaptics.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	2d14b2e3b26441bb9552249e5123de51f1fc1c2efa21c266ce08d58eaa728aa6.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	._cache_Synaptics.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	._cache_Synaptics.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	._cache_Synaptics.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	._cache_Synaptics.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	._cache_Synaptics.exe
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	._cache_Synaptics.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	._cache_Synaptics.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	._cache_Synaptics.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	._cache_Synaptics.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	._cache_Synaptics.exe
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	icsys.icn.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	._cache_Synaptics.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

icsys.icn.exeSynaptics.exeSynaptics.exeexplorer.exe._cache_Synaptics.exeicsys.icn.exe._cache_Synaptics.exeexplorer.exe._cache_Synaptics.exespoolsv.exesvchost.exeexplorer.exeicsys.icn.exeexplorer.exe._cache_Synaptics.exeexplorer.exe._cache_synaptics.exe icsys.icn.exe._cache_synaptics.exe icsys.icn.exeexplorer.exeexplorer.exeexplorer.exeschtasks.exe._cache_Synaptics.exeexplorer.exe._cache_Synaptics.exe._cache_synaptics.exe ._cache_Synaptics.exe._cache_Synaptics.exe._cache_Synaptics.exeSynaptics.exeicsys.icn.exeSynaptics.exeexplorer.exeSynaptics.exeSynaptics.exeexplorer.exeexplorer.exespoolsv.exeSynaptics.exeicsys.icn.exe._cache_synaptics.exe icsys.icn.exe._cache_synaptics.exe ._cache_Synaptics.exe._cache_Synaptics.exe._cache_synaptics.exe icsys.icn.exeexplorer.exeicsys.icn.exe._cache_Synaptics.exe._cache_Synaptics.exeSynaptics.exe._cache_synaptics.exe explorer.exe._cache_synaptics.exe explorer.exeschtasks.exe._cache_Synaptics.exeSynaptics.exe._cache_Synaptics.exe2d14b2e3b26441bb9552249e5123de51f1fc1c2efa21c266ce08d58eaa728aa6.exeEXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icsys.icn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icsys.icn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icsys.icn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icsys.icn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icsys.icn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icsys.icn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icsys.icn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icsys.icn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icsys.icn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icsys.icn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2d14b2e3b26441bb9552249e5123de51f1fc1c2efa21c266ce08d58eaa728aa6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXEEXCEL.EXEEXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

2680 schtasks.exe
3008 schtasks.exe
3024 schtasks.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

1908 EXCEL.EXE

pid	process
2680	schtasks.exe
3008	schtasks.exe
3024	schtasks.exe

pid	process
1908	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

2d14b2e3b26441bb9552249e5123de51f1fc1c2efa21c266ce08d58eaa728aa6.exeicsys.icn.exeexplorer.exesvchost.exe

pid	process
2700	2d14b2e3b26441bb9552249e5123de51f1fc1c2efa21c266ce08d58eaa728aa6.exe
2700	2d14b2e3b26441bb9552249e5123de51f1fc1c2efa21c266ce08d58eaa728aa6.exe
2700	2d14b2e3b26441bb9552249e5123de51f1fc1c2efa21c266ce08d58eaa728aa6.exe
2700	2d14b2e3b26441bb9552249e5123de51f1fc1c2efa21c266ce08d58eaa728aa6.exe
2700	2d14b2e3b26441bb9552249e5123de51f1fc1c2efa21c266ce08d58eaa728aa6.exe
2700	2d14b2e3b26441bb9552249e5123de51f1fc1c2efa21c266ce08d58eaa728aa6.exe
2700	2d14b2e3b26441bb9552249e5123de51f1fc1c2efa21c266ce08d58eaa728aa6.exe
2700	2d14b2e3b26441bb9552249e5123de51f1fc1c2efa21c266ce08d58eaa728aa6.exe
2700	2d14b2e3b26441bb9552249e5123de51f1fc1c2efa21c266ce08d58eaa728aa6.exe
2700	2d14b2e3b26441bb9552249e5123de51f1fc1c2efa21c266ce08d58eaa728aa6.exe
2700	2d14b2e3b26441bb9552249e5123de51f1fc1c2efa21c266ce08d58eaa728aa6.exe
2700	2d14b2e3b26441bb9552249e5123de51f1fc1c2efa21c266ce08d58eaa728aa6.exe
2700	2d14b2e3b26441bb9552249e5123de51f1fc1c2efa21c266ce08d58eaa728aa6.exe
2700	2d14b2e3b26441bb9552249e5123de51f1fc1c2efa21c266ce08d58eaa728aa6.exe
2700	2d14b2e3b26441bb9552249e5123de51f1fc1c2efa21c266ce08d58eaa728aa6.exe
2700	2d14b2e3b26441bb9552249e5123de51f1fc1c2efa21c266ce08d58eaa728aa6.exe
2556	icsys.icn.exe
2556	icsys.icn.exe
2556	icsys.icn.exe
2556	icsys.icn.exe
2556	icsys.icn.exe
2556	icsys.icn.exe
2556	icsys.icn.exe
2556	icsys.icn.exe
2556	icsys.icn.exe
2556	icsys.icn.exe
2556	icsys.icn.exe
2556	icsys.icn.exe
2556	icsys.icn.exe
2556	icsys.icn.exe
2556	icsys.icn.exe
2556	icsys.icn.exe
2556	icsys.icn.exe
2348	explorer.exe
2348	explorer.exe
2348	explorer.exe
2348	explorer.exe
2348	explorer.exe
2348	explorer.exe
2348	explorer.exe
2348	explorer.exe
2348	explorer.exe
2348	explorer.exe
2348	explorer.exe
2348	explorer.exe
2348	explorer.exe
2348	explorer.exe
2348	explorer.exe
2348	explorer.exe
2888	svchost.exe
2888	svchost.exe
2888	svchost.exe
2888	svchost.exe
2888	svchost.exe
2888	svchost.exe
2888	svchost.exe
2888	svchost.exe
2888	svchost.exe
2888	svchost.exe
2888	svchost.exe
2888	svchost.exe
2888	svchost.exe
2888	svchost.exe
2888	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

svchost.exeexplorer.exe

pid process

2888 svchost.exe
2348 explorer.exe

pid	process
2888	svchost.exe
2348	explorer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

._cache_synaptics.exe ._cache_synaptics.exe ._cache_synaptics.exe

description	pid	process
Token: SeSystemProfilePrivilege	808	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	808	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	808	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1640	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1640	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1640	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1640	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1640	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1640	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1640	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1640	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1640	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1640	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1640	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1640	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1640	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1640	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1640	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1640	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1640	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1640	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1640	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1640	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1640	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1640	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1640	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1640	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1640	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1640	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1640	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1640	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1640	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1640	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1640	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1640	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1640	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1640	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1640	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1640	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1640	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1640	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1640	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1640	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1640	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1640	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1640	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1640	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1640	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1640	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2972	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2972	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2972	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2972	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2972	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2972	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2972	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2972	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2972	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2972	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2972	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2972	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2972	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2972	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2972	._cache_synaptics.exe

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

2d14b2e3b26441bb9552249e5123de51f1fc1c2efa21c266ce08d58eaa728aa6.exeicsys.icn.exeexplorer.exespoolsv.exesvchost.exespoolsv.exe._cache_Synaptics.exeicsys.icn.exeEXCEL.EXEexplorer.exe._cache_Synaptics.exeEXCEL.EXEicsys.icn.exeexplorer.exe._cache_Synaptics.exeicsys.icn.exeexplorer.exe._cache_Synaptics.exeEXCEL.EXEicsys.icn.exeexplorer.exe._cache_Synaptics.exeicsys.icn.exeexplorer.exe._cache_Synaptics.exeicsys.icn.exeexplorer.exe._cache_Synaptics.exeicsys.icn.exeexplorer.exe._cache_Synaptics.exeicsys.icn.exeexplorer.exe._cache_Synaptics.exe

pid	process
2700	2d14b2e3b26441bb9552249e5123de51f1fc1c2efa21c266ce08d58eaa728aa6.exe
2700	2d14b2e3b26441bb9552249e5123de51f1fc1c2efa21c266ce08d58eaa728aa6.exe
2556	icsys.icn.exe
2556	icsys.icn.exe
2348	explorer.exe
2348	explorer.exe
2904	spoolsv.exe
2904	spoolsv.exe
2888	svchost.exe
2888	svchost.exe
2188	spoolsv.exe
2188	spoolsv.exe
1652	._cache_Synaptics.exe
1652	._cache_Synaptics.exe
1612	icsys.icn.exe
1612	icsys.icn.exe
1908	EXCEL.EXE
1052	explorer.exe
1052	explorer.exe
1992	._cache_Synaptics.exe
1992	._cache_Synaptics.exe
1808	EXCEL.EXE
2464	icsys.icn.exe
2464	icsys.icn.exe
2332	explorer.exe
2332	explorer.exe
1852	._cache_Synaptics.exe
1852	._cache_Synaptics.exe
2916	icsys.icn.exe
2916	icsys.icn.exe
1504	explorer.exe
1504	explorer.exe
2772	._cache_Synaptics.exe
2772	._cache_Synaptics.exe
2768	EXCEL.EXE
1916	icsys.icn.exe
1916	icsys.icn.exe
2524	explorer.exe
2524	explorer.exe
324	._cache_Synaptics.exe
324	._cache_Synaptics.exe
1728	icsys.icn.exe
1728	icsys.icn.exe
1756	explorer.exe
1756	explorer.exe
1576	._cache_Synaptics.exe
1576	._cache_Synaptics.exe
3016	icsys.icn.exe
3016	icsys.icn.exe
1128	explorer.exe
1128	explorer.exe
2760	._cache_Synaptics.exe
2760	._cache_Synaptics.exe
2908	icsys.icn.exe
2908	icsys.icn.exe
2632	explorer.exe
2632	explorer.exe
1528	._cache_Synaptics.exe
1528	._cache_Synaptics.exe
1608	icsys.icn.exe
1608	icsys.icn.exe
1772	explorer.exe
1772	explorer.exe
1060	._cache_Synaptics.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	process	target process
PID 2700 wrote to memory of 3068	2700	2d14b2e3b26441bb9552249e5123de51f1fc1c2efa21c266ce08d58eaa728aa6.exe	2d14b2e3b26441bb9552249e5123de51f1fc1c2efa21c266ce08d58eaa728aa6.exe
PID 2700 wrote to memory of 3068	2700	2d14b2e3b26441bb9552249e5123de51f1fc1c2efa21c266ce08d58eaa728aa6.exe	2d14b2e3b26441bb9552249e5123de51f1fc1c2efa21c266ce08d58eaa728aa6.exe
PID 2700 wrote to memory of 3068	2700	2d14b2e3b26441bb9552249e5123de51f1fc1c2efa21c266ce08d58eaa728aa6.exe	2d14b2e3b26441bb9552249e5123de51f1fc1c2efa21c266ce08d58eaa728aa6.exe
PID 2700 wrote to memory of 3068	2700	2d14b2e3b26441bb9552249e5123de51f1fc1c2efa21c266ce08d58eaa728aa6.exe	2d14b2e3b26441bb9552249e5123de51f1fc1c2efa21c266ce08d58eaa728aa6.exe
PID 2700 wrote to memory of 2556	2700	2d14b2e3b26441bb9552249e5123de51f1fc1c2efa21c266ce08d58eaa728aa6.exe	icsys.icn.exe
PID 2700 wrote to memory of 2556	2700	2d14b2e3b26441bb9552249e5123de51f1fc1c2efa21c266ce08d58eaa728aa6.exe	icsys.icn.exe
PID 2700 wrote to memory of 2556	2700	2d14b2e3b26441bb9552249e5123de51f1fc1c2efa21c266ce08d58eaa728aa6.exe	icsys.icn.exe
PID 2700 wrote to memory of 2556	2700	2d14b2e3b26441bb9552249e5123de51f1fc1c2efa21c266ce08d58eaa728aa6.exe	icsys.icn.exe
PID 2556 wrote to memory of 2348	2556	icsys.icn.exe	explorer.exe
PID 2556 wrote to memory of 2348	2556	icsys.icn.exe	explorer.exe
PID 2556 wrote to memory of 2348	2556	icsys.icn.exe	explorer.exe
PID 2556 wrote to memory of 2348	2556	icsys.icn.exe	explorer.exe
PID 2348 wrote to memory of 2904	2348	explorer.exe	spoolsv.exe
PID 2348 wrote to memory of 2904	2348	explorer.exe	spoolsv.exe
PID 2348 wrote to memory of 2904	2348	explorer.exe	spoolsv.exe
PID 2348 wrote to memory of 2904	2348	explorer.exe	spoolsv.exe
PID 2904 wrote to memory of 2888	2904	spoolsv.exe	svchost.exe
PID 2904 wrote to memory of 2888	2904	spoolsv.exe	svchost.exe
PID 2904 wrote to memory of 2888	2904	spoolsv.exe	svchost.exe
PID 2904 wrote to memory of 2888	2904	spoolsv.exe	svchost.exe
PID 2888 wrote to memory of 2188	2888	svchost.exe	spoolsv.exe
PID 2888 wrote to memory of 2188	2888	svchost.exe	spoolsv.exe
PID 2888 wrote to memory of 2188	2888	svchost.exe	spoolsv.exe
PID 2888 wrote to memory of 2188	2888	svchost.exe	spoolsv.exe
PID 2348 wrote to memory of 2632	2348	explorer.exe	explorer.exe
PID 2348 wrote to memory of 2632	2348	explorer.exe	explorer.exe
PID 2348 wrote to memory of 2632	2348	explorer.exe	explorer.exe
PID 2348 wrote to memory of 2632	2348	explorer.exe	explorer.exe
PID 2888 wrote to memory of 2680	2888	svchost.exe	schtasks.exe
PID 2888 wrote to memory of 2680	2888	svchost.exe	schtasks.exe
PID 2888 wrote to memory of 2680	2888	svchost.exe	schtasks.exe
PID 2888 wrote to memory of 2680	2888	svchost.exe	schtasks.exe
PID 3068 wrote to memory of 2516	3068	2d14b2e3b26441bb9552249e5123de51f1fc1c2efa21c266ce08d58eaa728aa6.exe	Synaptics.exe
PID 3068 wrote to memory of 2516	3068	2d14b2e3b26441bb9552249e5123de51f1fc1c2efa21c266ce08d58eaa728aa6.exe	Synaptics.exe
PID 3068 wrote to memory of 2516	3068	2d14b2e3b26441bb9552249e5123de51f1fc1c2efa21c266ce08d58eaa728aa6.exe	Synaptics.exe
PID 3068 wrote to memory of 2516	3068	2d14b2e3b26441bb9552249e5123de51f1fc1c2efa21c266ce08d58eaa728aa6.exe	Synaptics.exe
PID 2516 wrote to memory of 1652	2516	Synaptics.exe	._cache_Synaptics.exe
PID 2516 wrote to memory of 1652	2516	Synaptics.exe	._cache_Synaptics.exe
PID 2516 wrote to memory of 1652	2516	Synaptics.exe	._cache_Synaptics.exe
PID 2516 wrote to memory of 1652	2516	Synaptics.exe	._cache_Synaptics.exe
PID 1652 wrote to memory of 808	1652	._cache_Synaptics.exe	._cache_synaptics.exe
PID 1652 wrote to memory of 808	1652	._cache_Synaptics.exe	._cache_synaptics.exe
PID 1652 wrote to memory of 808	1652	._cache_Synaptics.exe	._cache_synaptics.exe
PID 1652 wrote to memory of 808	1652	._cache_Synaptics.exe	._cache_synaptics.exe
PID 1652 wrote to memory of 1612	1652	._cache_Synaptics.exe	icsys.icn.exe
PID 1652 wrote to memory of 1612	1652	._cache_Synaptics.exe	icsys.icn.exe
PID 1652 wrote to memory of 1612	1652	._cache_Synaptics.exe	icsys.icn.exe
PID 1652 wrote to memory of 1612	1652	._cache_Synaptics.exe	icsys.icn.exe
PID 1612 wrote to memory of 1052	1612	icsys.icn.exe	explorer.exe
PID 1612 wrote to memory of 1052	1612	icsys.icn.exe	explorer.exe
PID 1612 wrote to memory of 1052	1612	icsys.icn.exe	explorer.exe
PID 1612 wrote to memory of 1052	1612	icsys.icn.exe	explorer.exe
PID 808 wrote to memory of 2996	808	._cache_synaptics.exe	Synaptics.exe
PID 808 wrote to memory of 2996	808	._cache_synaptics.exe	Synaptics.exe
PID 808 wrote to memory of 2996	808	._cache_synaptics.exe	Synaptics.exe
PID 808 wrote to memory of 2996	808	._cache_synaptics.exe	Synaptics.exe
PID 2996 wrote to memory of 1992	2996	Synaptics.exe	._cache_Synaptics.exe
PID 2996 wrote to memory of 1992	2996	Synaptics.exe	._cache_Synaptics.exe
PID 2996 wrote to memory of 1992	2996	Synaptics.exe	._cache_Synaptics.exe
PID 2996 wrote to memory of 1992	2996	Synaptics.exe	._cache_Synaptics.exe
PID 1992 wrote to memory of 1640	1992	._cache_Synaptics.exe	._cache_synaptics.exe
PID 1992 wrote to memory of 1640	1992	._cache_Synaptics.exe	._cache_synaptics.exe
PID 1992 wrote to memory of 1640	1992	._cache_Synaptics.exe	._cache_synaptics.exe
PID 1992 wrote to memory of 1640	1992	._cache_Synaptics.exe	._cache_synaptics.exe

C:\Users\Admin\AppData\Local\Temp\2d14b2e3b26441bb9552249e5123de51f1fc1c2efa21c266ce08d58eaa728aa6.exe
"C:\Users\Admin\AppData\Local\Temp\2d14b2e3b26441bb9552249e5123de51f1fc1c2efa21c266ce08d58eaa728aa6.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2700
- \??\c:\users\admin\appdata\local\temp\2d14b2e3b26441bb9552249e5123de51f1fc1c2efa21c266ce08d58eaa728aa6.exe
  c:\users\admin\appdata\local\temp\2d14b2e3b26441bb9552249e5123de51f1fc1c2efa21c266ce08d58eaa728aa6.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3068
- - C:\ProgramData\Synaptics\Synaptics.exe
    "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2516
  - - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
      "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1652
    - - \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe
        
        c:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:808
      - C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2996
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1992
        
        \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe
        
        c:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:1640
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2528
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1852
        
        \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe
        
        c:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:2972
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2804
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2772
        
        \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe
        
        c:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        
        PID:2684
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1748
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:324
        
        \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe
        
        c:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2008
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:3032
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1576
        
        \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe
        
        c:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        
        PID:708
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2844
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        22⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:2760
        
        \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe
        
        c:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate
        23⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2936
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        24⤵
        Executes dropped EXE
        
        PID:1732
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        25⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:1528
        
        \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe
        
        c:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate
        26⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2504
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        27⤵
        Executes dropped EXE
        
        PID:2356
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        28⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:1060
        
        \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe
        
        c:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate
        29⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2156
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        30⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1036
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        31⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:892
        
        \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe
        
        c:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate
        32⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1288
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        33⤵
        Executes dropped EXE
        
        PID:2304
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        34⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1436
        
        \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe
        
        c:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate
        35⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2440
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        36⤵
        Executes dropped EXE
        
        PID:2064
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        37⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:3052
        
        \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe
        
        c:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate
        38⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2072
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        39⤵
        System Location Discovery: System Language Discovery
        
        PID:704
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        40⤵
        Drops file in Windows directory
        
        PID:588
        
        \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe
        
        c:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate
        41⤵
        Adds Run key to start application
        
        PID:1460
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        42⤵
        
        PID:1456
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        43⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:596
        
        \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe
        
        c:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate
        44⤵
        Adds Run key to start application
        
        PID:2396
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        45⤵
        System Location Discovery: System Language Discovery
        
        PID:1500
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        46⤵
        Drops file in Windows directory
        
        PID:2180
        
        \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe
        
        c:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate
        47⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1124
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        48⤵
        System Location Discovery: System Language Discovery
        
        PID:2452
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        49⤵
        Drops file in Windows directory
        
        PID:2976
        
        \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe
        
        c:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate
        50⤵
        Adds Run key to start application
        
        PID:2692
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        51⤵
        System Location Discovery: System Language Discovery
        
        PID:2544
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        52⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:864
        
        \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe
        
        c:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate
        53⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2036
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        54⤵
        
        PID:3040
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        55⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1636
        
        \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe
        
        c:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate
        56⤵
        Adds Run key to start application
        
        PID:1644
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        57⤵
        
        PID:1956
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        58⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:528
        
        \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe
        
        c:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate
        59⤵
        Adds Run key to start application
        
        PID:1592
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        60⤵
        
        PID:2248
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        61⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2920
        
        \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe
        
        c:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate
        62⤵
        Adds Run key to start application
        
        PID:2716
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        63⤵
        
        PID:1700
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        64⤵
        Drops file in Windows directory
        
        PID:2444
        
        \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe
        
        c:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate
        65⤵
        Adds Run key to start application
        
        PID:2944
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        66⤵
        System Location Discovery: System Language Discovery
        
        PID:1860
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        67⤵
        Drops file in Windows directory
        
        PID:3044
        
        \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe
        
        c:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate
        68⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:904
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        69⤵
        
        PID:2336
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        70⤵
        Drops file in Windows directory
        
        PID:3064
        
        \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe
        
        c:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate
        71⤵
        Adds Run key to start application
        
        PID:2228
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        72⤵
        
        PID:2708
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        73⤵
        Drops file in Windows directory
        
        PID:2264
        
        \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe
        
        c:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate
        74⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1308
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        75⤵
        
        PID:1484
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        76⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2108
        
        \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe
        
        c:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate
        77⤵
        Adds Run key to start application
        
        PID:1080
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        78⤵
        
        PID:1332
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        79⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1712
        
        \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe
        
        c:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate
        80⤵
        Adds Run key to start application
        
        PID:696
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        81⤵
        System Location Discovery: System Language Discovery
        
        PID:1984
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        82⤵
        Drops file in Windows directory
        
        PID:1512
        
        \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe
        
        c:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate
        83⤵
        Adds Run key to start application
        
        PID:2020
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        84⤵
        
        PID:2660
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        85⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2644
        
        \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe
        
        c:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate
        86⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1328
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        87⤵
        
        PID:2068
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        88⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1936
        
        \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe
        
        c:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate
        89⤵
        Adds Run key to start application
        
        PID:2540
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        90⤵
        
        PID:2308
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        89⤵
        
        PID:1672
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        90⤵
        System Location Discovery: System Language Discovery
        
        PID:2448
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        86⤵
        
        PID:912
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        87⤵
        
        PID:1892
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        83⤵
        
        PID:1896
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        84⤵
        
        PID:1708
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        80⤵
        
        PID:1488
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        81⤵
        
        PID:1668
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        77⤵
        System Location Discovery: System Language Discovery
        
        PID:1248
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        78⤵
        System Location Discovery: System Language Discovery
        
        PID:1764
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        74⤵
        
        PID:2848
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        75⤵
        System Location Discovery: System Language Discovery
        
        PID:2184
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        71⤵
        System Location Discovery: System Language Discovery
        
        PID:2896
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        72⤵
        System Location Discovery: System Language Discovery
        
        PID:2932
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        68⤵
        
        PID:2956
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        69⤵
        
        PID:1008
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        65⤵
        System Location Discovery: System Language Discovery
        
        PID:2992
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        66⤵
        System Location Discovery: System Language Discovery
        
        PID:2796
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        62⤵
        System Location Discovery: System Language Discovery
        
        PID:584
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        63⤵
        
        PID:2928
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        59⤵
        
        PID:900
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        60⤵
        System Location Discovery: System Language Discovery
        
        PID:2648
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        56⤵
        
        PID:2364
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        57⤵
        System Location Discovery: System Language Discovery
        
        PID:1892
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        53⤵
        
        PID:2032
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        54⤵
        System Location Discovery: System Language Discovery
        
        PID:1888
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        50⤵
        
        PID:1688
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        51⤵
        System Location Discovery: System Language Discovery
        
        PID:2912
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        47⤵
        
        PID:2756
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        48⤵
        
        PID:1496
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        44⤵
        System Location Discovery: System Language Discovery
        
        PID:400
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        45⤵
        System Location Discovery: System Language Discovery
        
        PID:2352
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        41⤵
        
        PID:2496
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        42⤵
        System Location Discovery: System Language Discovery
        
        PID:2876
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        38⤵
        System Location Discovery: System Language Discovery
        
        PID:1524
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        39⤵
        
        PID:1684
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        35⤵
        Executes dropped EXE
        
        PID:2124
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        36⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2832
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        32⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2144
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2448
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        29⤵
        Executes dropped EXE
        
        PID:1736
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        30⤵
        Executes dropped EXE
        
        PID:2052
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        26⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1608
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        27⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1772
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        23⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2908
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        24⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2632
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        20⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3016
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        21⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1128
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        17⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1728
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        18⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1756
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        14⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1916
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        15⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2524
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2916
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        12⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1504
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2464
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2332
    - - C:\Windows\Resources\Themes\icsys.icn.exe
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1612
      - \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1052
- C:\Windows\Resources\Themes\icsys.icn.exe
  C:\Windows\Resources\Themes\icsys.icn.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2556
- - \??\c:\windows\resources\themes\explorer.exe
    c:\windows\resources\themes\explorer.exe
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2348
  - - \??\c:\windows\resources\spoolsv.exe
      c:\windows\resources\spoolsv.exe SE
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2904
    - - \??\c:\windows\resources\svchost.exe
        
        c:\windows\resources\svchost.exe
        5⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2888
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2188
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 20:47 /f
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2680
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 20:48 /f
        6⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:3008
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 20:49 /f
        6⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:3024
  - - C:\Windows\Explorer.exe
      C:\Windows\Explorer.exe
      4⤵
      PID:2632

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1908

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
PID:1808

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
PID:2768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\RCXEAFB.tmp

Filesize
753KB

MD5
fa8edbd6e03d01deb62bbf344208d55a

SHA1
f95af0a9b1b6445d0dbd6f01c99a38db25668e55

SHA256
7684cda0a8808227e5387cbddc50a3bd70cb96ba97c7f7d00b5291cf8798810c

SHA512
ff78d5da0fe3f19eb141cc3a508f8067a8432096db75ee6afb95cff75c6e3f95cf764c7c12e05d717d0cf93859613749acf1ec3949130c179c8c25dc828138cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_._cache_synaptics.exe

Filesize
5.6MB

MD5
2bacc3ededd8d4c9164636c254003d80

SHA1
9365d4d983e780457c6cb88a471da905451c2544

SHA256
2a3e2080974f6538aceeaf49d0cc4d76fb3489ecbf4e6abe1c44389e0792048a

SHA512
c43efcd678c4d82d8c32791def5247e3ae39ec6a3174c1e7eabbb8f1b701a644ee9bea79f78b1bd70c032c166ece10a7185b0d85757f1fc952fd5e2c4b406d37

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

Filesize
6.5MB

MD5
488236e9415ba14cf0d4f6f6cf3ecf02

SHA1
a3133b5ed21616d3f085160c5ed528e42435b282

SHA256
fa8adb5486017da922021929491a79981aa795ec8035833671f7314d72cfaf82

SHA512
cf8de55534766904fd4f50f5597abcb04b3f7597f76beed8ba76464fbf15edceef7321bd70ece0b9489297fc452128fc7d97ac31572560a24b5aaadc146461b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_synaptics.exe

Filesize
6.4MB

MD5
97a975e3a9338a232aac8f61a093f86e

SHA1
f31de05c6106b3851f75de4a201a08283412a3be

SHA256
6f24d73282da8d60ca86e4f6a4e2c0f4071e13cee22da09270b92ae5cd0cebc8

SHA512
5a272c2056c7ef7aebebd8ec094e7e14a62f4479935447701eac93b359935933ba72a6ebb5415cffd0ce7d43f0833ec0ab32af70493911dfe70911af13def2e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\npe4nLqi.xlsm

Filesize
23KB

MD5
2fb93065fb639d0da134bf2de915a210

SHA1
3943818e13190027a3d0dabf38beabe906adb9e1

SHA256
63acc1c3ab588b150deb947c76cc70a5e90e07ca452b6a7e05e97314d21ed945

SHA512
aa3a917a039b177a545cef4cd96acc715d1beb9e2337ea8036a53cd4e3cd8e38438e393e8ffbe3465807fe671f69e94768de27d83d7d8671db5ac73ac38fc9e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\npe4nLqi.xlsm

Filesize
26KB

MD5
f51cc96b005458a2449ba9c638d41b6d

SHA1
da1fcc819192e391c2c8434a4272194fa7905b29

SHA256
5e509b844ca5848925d89b86b94fdf88b461db64ebd8e0f74f9e7840eb927096

SHA512
3c3922afcde5cd71c4b8b7028d78c3f05c0e53353324a1e921c5397bf3fcfb4a5e08587d514f16f8e897f6edc67599bdf6bdb2e983870113a4d7a01ef581532f

Download Submit
C:\Users\Admin\AppData\Local\Temp\npe4nLqi.xlsm

Filesize
26KB

MD5
a161b78eb152305fc649a874b4de0962

SHA1
5055cb44fb5472b56d48988490b9b012f4b8a5d9

SHA256
d05b81e12951ac0a089e4ea5f3ef0ced6b4ae1616914695e45810695ae430c68

SHA512
4eeaabd93609d5c16c8b267a050a59298379ae024b4d0924e75f3b42ca3e6c96af406caa5e6780170b57271bc30c612d3d2d0e810143dd7790bee0dfba4e4a69

Download Submit
C:\Users\Admin\AppData\Local\Temp\npe4nLqi.xlsm

Filesize
25KB

MD5
5a4578d0a091ad09bfab39f69f8695dc

SHA1
007b5e9497fc06a1e53b4fa36e37b7853299282f

SHA256
f50db74a54d4199a1730de709db13891ebf238326e9b19c8025e861345541359

SHA512
bcc10b680fce58e66845f46de8d85394c980d6a913f1bff7dbe72b8cbe33cdfd44f6419265ff5aeb86b10f0d27d8d6c763d14432c5318726c410534715f3dd52

Download Submit
C:\Users\Admin\AppData\Local\Temp\~$npe4nLqi.xlsm

Filesize
165B

MD5
ff09371174f7c701e75f357a187c06e8

SHA1
57f9a638fd652922d7eb23236c80055a91724503

SHA256
e4ba04959837c27019a2349015543802439e152ddc4baf4e8c7b9d2b483362a8

SHA512
e4d01e5908e9f80b7732473ec6807bb7faa5425e3154d5642350f44d7220af3cffd277e0b67bcf03f1433ac26a26edb3ddd3707715b61d054b979fbb4b453882

Download Submit
C:\Windows\Resources\Themes\explorer.exe

Filesize
135KB

MD5
2d48e6392d8b6530b136bf23a2bc0b92

SHA1
1233356a416b33ec6c9f3a880ca16aa034a0c0e3

SHA256
24edc55a5ae32d370dfd0824e41403ba81eea609e993fc1b7b0f112961771853

SHA512
58f0c3250e1235a63a21aea7c382d33ca4aab57a4a0fad730b9ad2c105d4d650f3c9743ba8e0fe5b42145069e47b3af55d6b248479808763420e545158e6d629

Download Submit
\??\PIPE\srvsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\c:\windows\resources\themes\icsys.icn.exe

Filesize
135KB

MD5
8b64a7673cdacd00b76b33a9dba42fb9

SHA1
550eb1a302b3df9f7802e49440f8943085cb8bf0

SHA256
4031174b8022db4444bfe0de64d3f5be5dcc0d9d7789487c75648c4829f2f0cc

SHA512
237c6410414f163af0bb20199eb90867d0594731dbd08e5f0a72a2d12def2b417da91e200bb429b6d8658c8b19303b3535b47e3f0fb29c245f8c9831c2450521

Download Submit
\Users\Admin\AppData\Local\Temp\2d14b2e3b26441bb9552249e5123de51f1fc1c2efa21c266ce08d58eaa728aa6.exe

Filesize
7.2MB

MD5
a84197ddd69756226f704feb5feaf460

SHA1
e9e46b2167f4a6402355635eb492791cc33bce31

SHA256
7daa0dc7461847842fad8c8a3a00810909d92f910335e9a2946c52539199e2da

SHA512
55e81454e5e2f93034eae60154e64e11afb0907d6026fa10db4a1b4424c77618bcfa3aeb4caf2f603de8f79571e6dd4aba406d9f3ce76f0d53895a471896e219

Download Submit
\Windows\Resources\Themes\icsys.icn.exe

Filesize
135KB

MD5
d7b144e1ca443d4fe8e548b71a841cdd

SHA1
407e999d3e9b8c77decffb7077713058119a67b1

SHA256
0e9b11f0cd609c4e1ecccf6ae9bf918f666213c8e4504e23bc12b7180bd1e7d6

SHA512
9ad2a569700060c6ec847880ca0f8bd942f5f4eb7e7699e1a2cc9921d99d54c55b84c8a9065b8580f93fb7ead1e3061a3281ee0fcdf4de02e3891f4663e6723e

Download Submit
\Windows\Resources\spoolsv.exe

Filesize
135KB

MD5
1fe0d195aca3ab561562501adf6f6288

SHA1
0adac00c8425ea18188b25b9721e764212b3d666

SHA256
18d75bba8b242439b2b44441241613bcb0d8e4677d3cdbef256e06fc3f925e02

SHA512
bca69a1fbad532beaf71043acff6e46264bbb83e3c1f676821d309ba82a01454c6583d2680320c7330d4eb67f7143a3925da64f472d833785a46dca2a9082858

Download Submit
\Windows\Resources\svchost.exe

Filesize
135KB

MD5
8fb668131ca9ec1e0551373e83a7d88c

SHA1
cd871b4c7288fb5fa47149914ed3c2ad7343bcd9

SHA256
50f225ddaa07ae2ea5e4a04c74cad54b3b021305b57482bddc0857e30a2d46f5

SHA512
30b00ed25550645ce8bba3a6e1f9dcf0c8628787068c38d2de819f26b62e5429b6b0d29ea51d401f290bdab39e9a9a09145a6f29a6e83ac763b34e7ccc371add

Download Submit
memory/324-304-0x0000000000330000-0x000000000034F000-memory.dmp

Filesize
124KB

Download
memory/324-315-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/588-475-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/588-466-0x00000000003A0000-0x00000000003BF000-memory.dmp

Filesize
124KB

Download
memory/696-866-0x0000000000400000-0x0000000000A67000-memory.dmp

Filesize
6.4MB

Download
memory/704-472-0x0000000000400000-0x0000000000B45000-memory.dmp

Filesize
7.3MB

Download
memory/708-335-0x0000000000400000-0x0000000000A67000-memory.dmp

Filesize
6.4MB

Download
memory/708-321-0x0000000002CA0000-0x0000000002CBF000-memory.dmp

Filesize
124KB

Download
memory/808-137-0x0000000000400000-0x0000000000A67000-memory.dmp

Filesize
6.4MB

Download
memory/892-407-0x00000000003C0000-0x00000000003DF000-memory.dmp

Filesize
124KB

Download
memory/904-714-0x0000000000400000-0x0000000000A67000-memory.dmp

Filesize
6.4MB

Download
memory/1036-396-0x00000000037F0000-0x000000000380F000-memory.dmp

Filesize
124KB

Download
memory/1036-415-0x0000000000400000-0x0000000000B45000-memory.dmp

Filesize
7.3MB

Download
memory/1052-131-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1060-386-0x00000000002A0000-0x00000000002BF000-memory.dmp

Filesize
124KB

Download
memory/1060-393-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1080-828-0x0000000000400000-0x0000000000A67000-memory.dmp

Filesize
6.4MB

Download
memory/1124-518-0x0000000000400000-0x0000000000A67000-memory.dmp

Filesize
6.4MB

Download
memory/1128-332-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1288-401-0x0000000000320000-0x000000000033F000-memory.dmp

Filesize
124KB

Download
memory/1288-416-0x0000000000400000-0x0000000000A67000-memory.dmp

Filesize
6.4MB

Download
memory/1308-789-0x0000000000400000-0x0000000000A67000-memory.dmp

Filesize
6.4MB

Download
memory/1328-937-0x0000000000400000-0x0000000000A67000-memory.dmp

Filesize
6.4MB

Download
memory/1332-851-0x0000000000400000-0x0000000000A67000-memory.dmp

Filesize
6.4MB

Download
memory/1436-426-0x0000000001B60000-0x0000000001B7F000-memory.dmp

Filesize
124KB

Download
memory/1436-437-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1456-489-0x0000000000400000-0x0000000000B45000-memory.dmp

Filesize
7.3MB

Download
memory/1460-462-0x00000000003E0000-0x00000000003FF000-memory.dmp

Filesize
124KB

Download
memory/1460-476-0x0000000000400000-0x0000000000A67000-memory.dmp

Filesize
6.4MB

Download
memory/1484-812-0x0000000000400000-0x0000000000A67000-memory.dmp

Filesize
6.4MB

Download
memory/1500-517-0x0000000000400000-0x0000000000B45000-memory.dmp

Filesize
7.3MB

Download
memory/1504-197-0x0000000000230000-0x0000000000240000-memory.dmp

Filesize
64KB

Download
memory/1504-198-0x0000000000230000-0x0000000000240000-memory.dmp

Filesize
64KB

Download
memory/1504-200-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1504-199-0x0000000000230000-0x0000000000240000-memory.dmp

Filesize
64KB

Download
memory/1524-451-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1528-372-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1528-366-0x0000000000350000-0x000000000036F000-memory.dmp

Filesize
124KB

Download
memory/1576-323-0x00000000003C0000-0x00000000003DF000-memory.dmp

Filesize
124KB

Download
memory/1576-333-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1592-619-0x0000000000400000-0x0000000000A67000-memory.dmp

Filesize
6.4MB

Download
memory/1608-367-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1608-371-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1612-132-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1612-120-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1640-179-0x0000000000400000-0x0000000000A67000-memory.dmp

Filesize
6.4MB

Download
memory/1640-152-0x00000000002C0000-0x00000000002DF000-memory.dmp

Filesize
124KB

Download
memory/1644-594-0x0000000000400000-0x0000000000A67000-memory.dmp

Filesize
6.4MB

Download
memory/1652-99-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1652-115-0x00000000003B0000-0x00000000003CF000-memory.dmp

Filesize
124KB

Download
memory/1652-133-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1684-455-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1700-662-0x0000000000400000-0x0000000000B45000-memory.dmp

Filesize
7.3MB

Download
memory/1728-308-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1728-314-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1732-373-0x0000000000400000-0x0000000000B45000-memory.dmp

Filesize
7.3MB

Download
memory/1732-355-0x0000000000C50000-0x0000000000C6F000-memory.dmp

Filesize
124KB

Download
memory/1736-387-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1736-391-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1748-309-0x0000000000400000-0x0000000000B45000-memory.dmp

Filesize
7.3MB

Download
memory/1748-296-0x00000000002A0000-0x00000000002BF000-memory.dmp

Filesize
124KB

Download
memory/1756-313-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1852-186-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1852-202-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1860-697-0x0000000000400000-0x0000000000A67000-memory.dmp

Filesize
6.4MB

Download
memory/1908-121-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1916-293-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1956-616-0x0000000000400000-0x0000000000B45000-memory.dmp

Filesize
7.3MB

Download
memory/1984-885-0x0000000000400000-0x0000000000A67000-memory.dmp

Filesize
6.4MB

Download
memory/1992-176-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1992-155-0x00000000003D0000-0x00000000003EF000-memory.dmp

Filesize
124KB

Download
memory/2008-301-0x0000000000310000-0x000000000032F000-memory.dmp

Filesize
124KB

Download
memory/2008-316-0x0000000000400000-0x0000000000A67000-memory.dmp

Filesize
6.4MB

Download
memory/2020-900-0x0000000000400000-0x0000000000A67000-memory.dmp

Filesize
6.4MB

Download
memory/2036-568-0x0000000000400000-0x0000000000A67000-memory.dmp

Filesize
6.4MB

Download
memory/2052-392-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2064-456-0x0000000000400000-0x0000000000B45000-memory.dmp

Filesize
7.3MB

Download
memory/2064-439-0x00000000002A0000-0x00000000002BF000-memory.dmp

Filesize
124KB

Download
memory/2072-457-0x0000000000400000-0x0000000000A67000-memory.dmp

Filesize
6.4MB

Download
memory/2124-427-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2124-436-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2144-408-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2144-414-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2156-395-0x0000000000400000-0x0000000000A67000-memory.dmp

Filesize
6.4MB

Download
memory/2156-380-0x00000000002B0000-0x00000000002CF000-memory.dmp

Filesize
124KB

Download
memory/2188-73-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2228-752-0x0000000000400000-0x0000000000A67000-memory.dmp

Filesize
6.4MB

Download
memory/2248-638-0x0000000000400000-0x0000000000B45000-memory.dmp

Filesize
7.3MB

Download
memory/2304-418-0x0000000004620000-0x000000000463F000-memory.dmp

Filesize
124KB

Download
memory/2304-432-0x0000000000400000-0x0000000000B45000-memory.dmp

Filesize
7.3MB

Download
memory/2304-417-0x0000000000BE0000-0x0000000000BFF000-memory.dmp

Filesize
124KB

Download
memory/2332-174-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2332-170-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2336-736-0x0000000000400000-0x0000000000A67000-memory.dmp

Filesize
6.4MB

Download
memory/2348-428-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2356-394-0x0000000000400000-0x0000000000B45000-memory.dmp

Filesize
7.3MB

Download
memory/2356-375-0x00000000023C0000-0x00000000023DF000-memory.dmp

Filesize
124KB

Download
memory/2396-494-0x0000000000400000-0x0000000000A67000-memory.dmp

Filesize
6.4MB

Download
memory/2440-438-0x0000000000400000-0x0000000000A67000-memory.dmp

Filesize
6.4MB

Download
memory/2440-423-0x00000000023E0000-0x00000000023FF000-memory.dmp

Filesize
124KB

Download
memory/2448-411-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2448-413-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2452-544-0x0000000000400000-0x0000000000B45000-memory.dmp

Filesize
7.3MB

Download
memory/2464-162-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2464-175-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2496-474-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2504-360-0x0000000000310000-0x000000000032F000-memory.dmp

Filesize
124KB

Download
memory/2504-374-0x0000000000400000-0x0000000000A67000-memory.dmp

Filesize
6.4MB

Download
memory/2516-125-0x0000000000400000-0x0000000000B45000-memory.dmp

Filesize
7.3MB

Download
memory/2516-98-0x0000000004630000-0x000000000464F000-memory.dmp

Filesize
124KB

Download
memory/2524-292-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2528-203-0x0000000000400000-0x0000000000B45000-memory.dmp

Filesize
7.3MB

Download
memory/2528-178-0x00000000002F0000-0x000000000030F000-memory.dmp

Filesize
124KB

Download
memory/2528-185-0x0000000004760000-0x000000000477F000-memory.dmp

Filesize
124KB

Download
memory/2544-566-0x0000000000400000-0x0000000000B45000-memory.dmp

Filesize
7.3MB

Download
memory/2556-75-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2556-29-0x00000000003B0000-0x00000000003CF000-memory.dmp

Filesize
124KB

Download
memory/2632-353-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2660-922-0x0000000000400000-0x0000000000A67000-memory.dmp

Filesize
6.4MB

Download
memory/2684-295-0x0000000000400000-0x0000000000A67000-memory.dmp

Filesize
6.4MB

Download
memory/2684-281-0x00000000002E0000-0x00000000002FF000-memory.dmp

Filesize
124KB

Download
memory/2692-545-0x0000000000400000-0x0000000000A67000-memory.dmp

Filesize
6.4MB

Download
memory/2700-76-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2700-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2700-20-0x00000000003C0000-0x00000000003DF000-memory.dmp

Filesize
124KB

Download
memory/2708-769-0x0000000000400000-0x0000000000A67000-memory.dmp

Filesize
6.4MB

Download
memory/2716-641-0x0000000000400000-0x0000000000A67000-memory.dmp

Filesize
6.4MB

Download
memory/2760-343-0x00000000006B0000-0x00000000006CF000-memory.dmp

Filesize
124KB

Download
memory/2768-279-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2772-284-0x00000000002A0000-0x00000000002BF000-memory.dmp

Filesize
124KB

Download
memory/2772-294-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2804-205-0x0000000000290000-0x00000000002AF000-memory.dmp

Filesize
124KB

Download
memory/2804-206-0x0000000004630000-0x000000000464F000-memory.dmp

Filesize
124KB

Download
memory/2804-291-0x0000000000400000-0x0000000000B45000-memory.dmp

Filesize
7.3MB

Download
memory/2832-433-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2844-336-0x0000000000B90000-0x0000000000BAF000-memory.dmp

Filesize
124KB

Download
memory/2844-348-0x0000000000400000-0x0000000000B45000-memory.dmp

Filesize
7.3MB

Download
memory/2876-473-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2888-440-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2904-62-0x00000000005B0000-0x00000000005CF000-memory.dmp

Filesize
124KB

Download
memory/2904-74-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2908-352-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2916-201-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2916-195-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2936-341-0x0000000000350000-0x000000000036F000-memory.dmp

Filesize
124KB

Download
memory/2936-354-0x0000000000400000-0x0000000000A67000-memory.dmp

Filesize
6.4MB

Download
memory/2944-677-0x0000000000400000-0x0000000000A67000-memory.dmp

Filesize
6.4MB

Download
memory/2972-192-0x00000000003A0000-0x00000000003BF000-memory.dmp

Filesize
124KB

Download
memory/2972-204-0x0000000000400000-0x0000000000A67000-memory.dmp

Filesize
6.4MB

Download
memory/2996-141-0x0000000004630000-0x000000000464F000-memory.dmp

Filesize
124KB

Download
memory/2996-166-0x0000000000400000-0x0000000000B45000-memory.dmp

Filesize
7.3MB

Download
memory/3016-334-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3032-331-0x0000000000400000-0x0000000000B45000-memory.dmp

Filesize
7.3MB

Download
memory/3040-593-0x0000000000400000-0x0000000000B45000-memory.dmp

Filesize
7.3MB

Download
memory/3052-446-0x0000000000330000-0x000000000034F000-memory.dmp

Filesize
124KB

Download
memory/3068-86-0x0000000000400000-0x0000000000B45000-memory.dmp

Filesize
7.3MB

Download
memory/3068-69-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/3068-13-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download