Analysis Overview
SHA256
e533e9171cd5be1442ac411b60af0e29bcef9ecd53cc27236aeb200ad18c7271
Threat Level: Known bad
The file NLBrute1.2.zip was found to be: Known bad.
Malicious Activity Summary
Neshta
Xred
Neshta family
Xred family
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Executes dropped EXE
Checks BIOS information in registry
Checks computer location settings
Identifies Wine through registry keys
Modifies system executable filetype association
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
Suspicious use of NtSetInformationThreadHideFromDebugger
Drops file in Program Files directory
Drops file in Windows directory
System Location Discovery: System Language Discovery
Unsigned PE
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Modifies registry class
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
Suspicious behavior: AddClipboardFormatListener
Checks processor information in registry
Suspicious use of AdjustPrivilegeToken
Enumerates system info in registry
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2025-01-03 15:25
Signatures
Xred family
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-01-03 15:25
Reported
2025-01-03 15:27
Platform
win7-20240903-en
Max time kernel
42s
Max time network
122s
Command Line
Signatures
Neshta
Neshta family
Xred
Xred family
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~4.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~4.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~4.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~4.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~4.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~4.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~4.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~4.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~4.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~4.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~4.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~4.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~4.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~4.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~4.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~4.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~4.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~4.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~4.EXE | N/A |
Executes dropped EXE
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~4.EXE | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~4.EXE | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~4.EXE | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~4.EXE | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~4.EXE | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~4.EXE | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~4.EXE | N/A |
Loads dropped DLL
Modifies system executable filetype association
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\._cache_NL Brute 1.2.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" | C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" | C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" | C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" | C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" | C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" | C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" | C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" | C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" | C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" | C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" | C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" | C:\Users\Admin\AppData\Local\Temp\NL Brute 1.2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" | C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" | C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" | C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" | C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~4.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~4.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~4.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~4.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~4.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~4.EXE | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\PROGRA~2\WI4223~1\sidebar.exe | C:\Users\Admin\AppData\Local\Temp\._cache_._cache_NL Brute 1.2.exe | N/A |
| File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE | C:\Users\Admin\AppData\Local\Temp\._cache_._cache_NL Brute 1.2.exe | N/A |
| File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\ODeploy.exe | C:\Users\Admin\AppData\Local\Temp\._cache_NL Brute 1.2.exe | N/A |
| File opened for modification | C:\PROGRA~2\INTERN~1\ieinstal.exe | C:\Users\Admin\AppData\Local\Temp\._cache_._cache_NL Brute 1.2.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\CNFNOT32.EXE | C:\Users\Admin\AppData\Local\Temp\._cache_._cache_NL Brute 1.2.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\MSOHTMED.EXE | C:\Users\Admin\AppData\Local\Temp\._cache_._cache_NL Brute 1.2.exe | N/A |
| File opened for modification | C:\PROGRA~2\WI54FB~1\wmprph.exe | C:\Users\Admin\AppData\Local\Temp\._cache_NL Brute 1.2.exe | N/A |
| File opened for modification | C:\PROGRA~2\WINDOW~2\ACCESS~1\wordpad.exe | C:\Users\Admin\AppData\Local\Temp\._cache_NL Brute 1.2.exe | N/A |
| File opened for modification | C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE | C:\Users\Admin\AppData\Local\Temp\._cache_._cache_NL Brute 1.2.exe | N/A |
| File opened for modification | C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBE_~1.EXE | C:\Users\Admin\AppData\Local\Temp\._cache_._cache_NL Brute 1.2.exe | N/A |
| File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\FLTLDR.EXE | C:\Users\Admin\AppData\Local\Temp\._cache_NL Brute 1.2.exe | N/A |
| File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE | C:\Users\Admin\AppData\Local\Temp\._cache_._cache_NL Brute 1.2.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\IECONT~1.EXE | C:\Users\Admin\AppData\Local\Temp\._cache_._cache_NL Brute 1.2.exe | N/A |
| File opened for modification | C:\PROGRA~2\WI54FB~1\wmpconfig.exe | C:\Users\Admin\AppData\Local\Temp\._cache_._cache_NL Brute 1.2.exe | N/A |
| File opened for modification | C:\PROGRA~2\WI54FB~1\WMPDMC.exe | C:\Users\Admin\AppData\Local\Temp\._cache_NL Brute 1.2.exe | N/A |
| File opened for modification | C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE | C:\Users\Admin\AppData\Local\Temp\._cache_._cache_NL Brute 1.2.exe | N/A |
| File opened for modification | C:\PROGRA~2\Adobe\READER~1.0\SETUPF~1\{AC76B~1\Setup.exe | C:\Users\Admin\AppData\Local\Temp\._cache_._cache_NL Brute 1.2.exe | N/A |
| File opened for modification | C:\PROGRA~2\Adobe\READER~1.0\SETUPF~1\{AC76B~1\Setup.exe | C:\Users\Admin\AppData\Local\Temp\._cache_NL Brute 1.2.exe | N/A |
| File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE | C:\Users\Admin\AppData\Local\Temp\._cache_._cache_NL Brute 1.2.exe | N/A |
| File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\FLTLDR.EXE | C:\Users\Admin\AppData\Local\Temp\._cache_._cache_NL Brute 1.2.exe | N/A |
| File opened for modification | C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXE | C:\Users\Admin\AppData\Local\Temp\._cache_._cache_NL Brute 1.2.exe | N/A |
| File opened for modification | C:\PROGRA~2\INTERN~1\ieinstal.exe | C:\Users\Admin\AppData\Local\Temp\._cache_NL Brute 1.2.exe | N/A |
| File opened for modification | C:\PROGRA~2\Adobe\READER~1.0\Resource\Icons\SC_REA~1.EXE | C:\Users\Admin\AppData\Local\Temp\._cache_NL Brute 1.2.exe | N/A |
| File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE | C:\Users\Admin\AppData\Local\Temp\._cache_._cache_NL Brute 1.2.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXE | C:\Users\Admin\AppData\Local\Temp\._cache_._cache_NL Brute 1.2.exe | N/A |
| File opened for modification | C:\PROGRA~2\WI4223~1\sidebar.exe | C:\Users\Admin\AppData\Local\Temp\._cache_NL Brute 1.2.exe | N/A |
| File opened for modification | C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe | C:\Users\Admin\AppData\Local\Temp\._cache_._cache_NL Brute 1.2.exe | N/A |
| File opened for modification | C:\PROGRA~2\Adobe\READER~1.0\Resource\Icons\SC_REA~1.EXE | C:\Users\Admin\AppData\Local\Temp\._cache_._cache_NL Brute 1.2.exe | N/A |
| File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\DW\DWTRIG20.EXE | C:\Users\Admin\AppData\Local\Temp\._cache_._cache_NL Brute 1.2.exe | N/A |
| File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\ink\mip.exe | C:\Users\Admin\AppData\Local\Temp\._cache_._cache_NL Brute 1.2.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\OIS.EXE | C:\Users\Admin\AppData\Local\Temp\._cache_NL Brute 1.2.exe | N/A |
| File opened for modification | C:\PROGRA~2\WI54FB~1\wmplayer.exe | C:\Users\Admin\AppData\Local\Temp\._cache_NL Brute 1.2.exe | N/A |
| File opened for modification | C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE | C:\Users\Admin\AppData\Local\Temp\._cache_._cache_NL Brute 1.2.exe | N/A |
| File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe | C:\Users\Admin\AppData\Local\Temp\._cache_NL Brute 1.2.exe | N/A |
| File opened for modification | C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~1.EXE | C:\Users\Admin\AppData\Local\Temp\._cache_._cache_NL Brute 1.2.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\INFOPATH.EXE | C:\Users\Admin\AppData\Local\Temp\._cache_NL Brute 1.2.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\NAMECO~1.EXE | C:\Users\Admin\AppData\Local\Temp\._cache_NL Brute 1.2.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\POWERPNT.EXE | C:\Users\Admin\AppData\Local\Temp\._cache_._cache_NL Brute 1.2.exe | N/A |
| File opened for modification | C:\PROGRA~2\WINDOW~1\wab.exe | C:\Users\Admin\AppData\Local\Temp\._cache_NL Brute 1.2.exe | N/A |
| File opened for modification | C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE | C:\Users\Admin\AppData\Local\Temp\._cache_NL Brute 1.2.exe | N/A |
| File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOXMLED.EXE | C:\Users\Admin\AppData\Local\Temp\._cache_._cache_NL Brute 1.2.exe | N/A |
| File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\SOURCE~1\OSE.EXE | C:\Users\Admin\AppData\Local\Temp\._cache_NL Brute 1.2.exe | N/A |
| File opened for modification | C:\PROGRA~2\INTERN~1\ielowutil.exe | C:\Users\Admin\AppData\Local\Temp\._cache_NL Brute 1.2.exe | N/A |
| File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\TextConv\WksConv\Wkconv.exe | C:\Users\Admin\AppData\Local\Temp\._cache_NL Brute 1.2.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\GROOVEMN.EXE | C:\Users\Admin\AppData\Local\Temp\._cache_NL Brute 1.2.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\MSTORDB.EXE | C:\Users\Admin\AppData\Local\Temp\._cache_._cache_NL Brute 1.2.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\MSTORDB.EXE | C:\Users\Admin\AppData\Local\Temp\._cache_NL Brute 1.2.exe | N/A |
| File opened for modification | C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE | C:\Users\Admin\AppData\Local\Temp\._cache_._cache_NL Brute 1.2.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\ONENOTEM.EXE | C:\Users\Admin\AppData\Local\Temp\._cache_NL Brute 1.2.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\SELFCERT.EXE | C:\Users\Admin\AppData\Local\Temp\._cache_._cache_NL Brute 1.2.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\XLICONS.EXE | C:\Users\Admin\AppData\Local\Temp\._cache_._cache_NL Brute 1.2.exe | N/A |
| File opened for modification | C:\PROGRA~2\WI54FB~1\wmlaunch.exe | C:\Users\Admin\AppData\Local\Temp\._cache_._cache_NL Brute 1.2.exe | N/A |
| File opened for modification | C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE | C:\Users\Admin\AppData\Local\Temp\._cache_._cache_NL Brute 1.2.exe | N/A |
| File opened for modification | C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe | C:\Users\Admin\AppData\Local\Temp\._cache_NL Brute 1.2.exe | N/A |
| File opened for modification | C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXE | C:\Users\Admin\AppData\Local\Temp\._cache_NL Brute 1.2.exe | N/A |
| File opened for modification | C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE | C:\Users\Admin\AppData\Local\Temp\._cache_._cache_NL Brute 1.2.exe | N/A |
| File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE | C:\Users\Admin\AppData\Local\Temp\._cache_NL Brute 1.2.exe | N/A |
| File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE | C:\Users\Admin\AppData\Local\Temp\._cache_NL Brute 1.2.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\CNFNOT32.EXE | C:\Users\Admin\AppData\Local\Temp\._cache_NL Brute 1.2.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\POWERPNT.EXE | C:\Users\Admin\AppData\Local\Temp\._cache_NL Brute 1.2.exe | N/A |
| File opened for modification | C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXE | C:\Users\Admin\AppData\Local\Temp\._cache_._cache_NL Brute 1.2.exe | N/A |
| File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\EQUATION\EQNEDT32.EXE | C:\Users\Admin\AppData\Local\Temp\._cache_NL Brute 1.2.exe | N/A |
| File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE | C:\Users\Admin\AppData\Local\Temp\._cache_NL Brute 1.2.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Office14\1033\ONELEV.EXE | C:\Users\Admin\AppData\Local\Temp\._cache_._cache_NL Brute 1.2.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\directx.sys | C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe | N/A |
| File opened for modification | C:\Windows\svchost.com | C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE | N/A |
| File opened for modification | C:\Windows\svchost.com | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\Windows\svchost.com | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\Windows\directx.sys | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\Windows\directx.sys | C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe | N/A |
| File opened for modification | C:\Windows\svchost.com | C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE | N/A |
| File opened for modification | C:\Windows\directx.sys | C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE | N/A |
| File opened for modification | C:\Windows\directx.sys | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\Windows\directx.sys | C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE | N/A |
| File opened for modification | C:\Windows\directx.sys | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\Windows\svchost.com | C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE | N/A |
| File opened for modification | C:\Windows\svchost.com | C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE | N/A |
| File opened for modification | C:\Windows\directx.sys | C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE | N/A |
| File opened for modification | C:\Windows\svchost.com | C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe | N/A |
| File opened for modification | C:\Windows\svchost.com | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\Windows\svchost.com | C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe | N/A |
| File opened for modification | C:\Windows\directx.sys | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\Windows\svchost.com | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\Windows\svchost.com | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\Windows\directx.sys | C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe | N/A |
| File opened for modification | C:\Windows\svchost.com | C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe | N/A |
| File opened for modification | C:\Windows\svchost.com | C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe | N/A |
| File opened for modification | C:\Windows\svchost.com | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\Windows\svchost.com | C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe | N/A |
| File opened for modification | C:\Windows\svchost.com | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\Windows\directx.sys | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\Windows\svchost.com | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\Windows\directx.sys | C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE | N/A |
| File opened for modification | C:\Windows\svchost.com | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\Windows\svchost.com | C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe | N/A |
| File opened for modification | C:\Windows\svchost.com | C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE | N/A |
| File opened for modification | C:\Windows\directx.sys | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\Windows\directx.sys | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\Windows\svchost.com | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\Windows\directx.sys | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\Windows\svchost.com | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\Windows\directx.sys | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\Windows\directx.sys | C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE | N/A |
| File opened for modification | C:\Windows\directx.sys | C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe | N/A |
| File opened for modification | C:\Windows\directx.sys | C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE | N/A |
| File opened for modification | C:\Windows\svchost.com | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\Windows\directx.sys | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\Windows\svchost.com | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\Windows\svchost.com | C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE | N/A |
| File opened for modification | C:\Windows\svchost.com | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\Windows\directx.sys | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\Windows\svchost.com | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\Windows\svchost.com | C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE | N/A |
| File opened for modification | C:\Windows\directx.sys | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\Windows\svchost.com | C:\Users\Admin\AppData\Local\Temp\._cache_._cache_NL Brute 1.2.exe | N/A |
| File opened for modification | C:\Windows\directx.sys | C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE | N/A |
| File opened for modification | C:\Windows\directx.sys | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\Windows\directx.sys | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\Windows\directx.sys | C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe | N/A |
| File opened for modification | C:\Windows\svchost.com | C:\Users\Admin\AppData\Local\Temp\._cache_NL Brute 1.2.exe | N/A |
| File opened for modification | C:\Windows\svchost.com | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\Windows\directx.sys | C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe | N/A |
| File opened for modification | C:\Windows\svchost.com | C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe | N/A |
| File opened for modification | C:\Windows\directx.sys | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\Windows\svchost.com | C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe | N/A |
| File opened for modification | C:\Windows\directx.sys | C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe | N/A |
| File opened for modification | C:\Windows\directx.sys | C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe | N/A |
| File opened for modification | C:\Windows\directx.sys | C:\Windows\svchost.com | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\svchost.com | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\NL Brute 1.2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\svchost.com | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\svchost.com | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\svchost.com | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\Synaptics\Synaptics.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~4.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\3582-490\._cache_NL Brute 1.2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\._cache_NL Brute 1.2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\._cache_._cache_NL Brute 1.2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\._cache_NL Brute 1.2.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~4.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~4.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~4.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\NL Brute 1.2.exe
"C:\Users\Admin\AppData\Local\Temp\NL Brute 1.2.exe"
C:\Users\Admin\AppData\Local\Temp\._cache_NL Brute 1.2.exe
"C:\Users\Admin\AppData\Local\Temp\._cache_NL Brute 1.2.exe"
C:\Users\Admin\AppData\Local\Temp\3582-490\._cache_NL Brute 1.2.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\._cache_NL Brute 1.2.exe"
C:\ProgramData\Synaptics\Synaptics.exe
"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
C:\Users\Admin\AppData\Local\Temp\._cache_._cache_NL Brute 1.2.exe
"C:\Users\Admin\AppData\Local\Temp\._cache_._cache_NL Brute 1.2.exe"
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE"
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE"
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE" InjUpdate
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE InjUpdate
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~4.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~4.EXE" InjUpdate
Network
Files
\Users\Admin\AppData\Local\Temp\._cache_NL Brute 1.2.exe
C:\ProgramData\Synaptics\Synaptics.exe
C:\Users\Admin\AppData\Local\Temp\3582-490\._cache_NL Brute 1.2.exe
C:\Users\Admin\AppData\Local\Temp\._cache_._cache_NL Brute 1.2.exe
C:\MSOCache\ALLUSE~1\{9A861~1\ose.exe
C:\MSOCache\ALLUSE~1\{90140~1\dwtrig20.exe
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE
C:\Windows\directx.sys
C:\Windows\svchost.com
C:\MSOCache\ALLUSE~1\{90140~1\DW20.EXE
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE
C:\MSOCache\ALLUSE~1\{9A861~1\setup.exe
C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE
C:\PROGRA~2\Google\Update\1336~1.151\GOF5E2~1.EXE
C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~2.EXE
C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE
C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE
C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~1.EXE
C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE
C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXE
memory/2104-120-0x0000000000400000-0x0000000001C9F400-memory.dmp
C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe
| MD5 | 2352318f01171370a31048e3ef80a4a9 |
| SHA1 | aeca009b93c80a3a51eaefa035b09f8a5aa6d252 |
| SHA256 | 88b241c269c0b657ed4a2b09b0835f15f4dee77d0bb8fec3240bb14d93ba0b62 |
| SHA512 | 7783abcc2a0e448ea476c53d70b8d04f4c90c3b30b72a1b89310fb6f9f05efcc7e511276cc045c3e3f476e932874c3aef30366872b408fa257561aba2d907b3b |
C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE
| MD5 | 46990c189f267e44f1927f68380102a7 |
| SHA1 | 01eb9127bcda65186295003420683f3b4385659c |
| SHA256 | 323942be693446177d1e1f3686ccf142c31f812501a4b96aba2465c5291280cf |
| SHA512 | 3d1b342922f6fbb55aab224c705202d8607108ed459eb3dfecd7deece986f8818961c31930858f9576afeb9f7114cb64ad68d50768a9a61103be44d668d53296 |
C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE
| MD5 | 2142b0fff4fbaaaa52bb901730f4b58c |
| SHA1 | 8c139ed4e04bb6413200716f0567bf76262e3051 |
| SHA256 | da7c7e2a69816a8e1c3cd016bdd461c5b55963ef6f198287098b193893d37a54 |
| SHA512 | f9055d72c535836ec3f06278a7891572665e943ca5af52f84ee368504e82a1f2ce330d455b8420a61e8576b9c8daa08063905df50c76248c58d8c9c97a03c7a0 |
\??\PIPE\srvsvc
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE
| MD5 | 9e2b9928c89a9d0da1d3e8f4bd96afa7 |
| SHA1 | ec66cda99f44b62470c6930e5afda061579cde35 |
| SHA256 | 8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043 |
| SHA512 | 2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156 |
memory/2712-214-0x0000000000400000-0x000000000041B000-memory.dmp
C:\Windows\directx.sys
| MD5 | 8e4bd9619c227ef2bc20a2cb2aa55e7b |
| SHA1 | a6214b7678b83c4db74b210625b4812300df3a74 |
| SHA256 | 84ba3f2b07e112efaff6ee034b84db960521db9e504a4ac77a5e8e5e988d86d9 |
| SHA512 | 12a6a559b89441983e9aab70f0ea17dc790bc48c7938dd573c888e33811db8fb210539ebebaa6c8f5c04971d72d037be6603de15ea3a1ffc0f5ea3dd5132b4bf |
memory/1800-226-0x0000000000400000-0x0000000000D53000-memory.dmp
memory/2548-233-0x0000000000400000-0x000000000041B000-memory.dmp
memory/2420-238-0x0000000000400000-0x000000000041B000-memory.dmp
memory/1628-240-0x0000000005C90000-0x0000000007530000-memory.dmp
memory/2348-242-0x0000000000400000-0x000000000041B000-memory.dmp
memory/2216-241-0x0000000000400000-0x000000000041B000-memory.dmp
memory/3040-249-0x0000000000400000-0x000000000041B000-memory.dmp
memory/1608-255-0x0000000000400000-0x0000000000E1A000-memory.dmp
memory/2308-265-0x0000000005E30000-0x00000000076D0000-memory.dmp
memory/2104-250-0x0000000000400000-0x0000000001C9F400-memory.dmp
memory/2308-271-0x0000000000400000-0x0000000000C8D000-memory.dmp
C:\ProgramData\Synaptics\RCX4579.tmp
| MD5 | 50891fdf662153bd82aadddeb9c11f4f |
| SHA1 | 3e6dbe704e58ed48b0a92bc04b83cd77510a5e89 |
| SHA256 | 876f13848ccc16b4771440887df15c89e43c4811b6f34b977c0da8e6fea8cc26 |
| SHA512 | 8dd3689711326005e9673608b35db760f02d3d30cfc37b3d749d7d8f5eaf81e2fcd3484fb5aedd4dcb4b86e89e3bc1da2694148b3886a05c2ef055e48120ccde |
memory/1776-276-0x0000000000400000-0x000000000041B000-memory.dmp
memory/2504-282-0x0000000000400000-0x0000000000D53000-memory.dmp
memory/1392-283-0x0000000000400000-0x000000000041B000-memory.dmp
memory/1480-287-0x0000000000400000-0x000000000041B000-memory.dmp
memory/2712-293-0x0000000000400000-0x000000000041B000-memory.dmp
memory/2452-294-0x0000000000400000-0x000000000041B000-memory.dmp
memory/2856-295-0x0000000000400000-0x0000000000C8D000-memory.dmp
memory/1412-298-0x0000000000400000-0x0000000000C8D000-memory.dmp
memory/992-297-0x0000000000400000-0x000000000041B000-memory.dmp
memory/2324-307-0x0000000000400000-0x000000000041B000-memory.dmp
memory/1484-313-0x0000000000400000-0x0000000000C8D000-memory.dmp
memory/1936-324-0x0000000000400000-0x000000000041B000-memory.dmp
memory/1372-330-0x0000000000400000-0x000000000041B000-memory.dmp
memory/1864-336-0x0000000000400000-0x0000000000D53000-memory.dmp
memory/1844-337-0x0000000000400000-0x0000000000D53000-memory.dmp
memory/2612-353-0x0000000000400000-0x000000000041B000-memory.dmp
memory/2104-354-0x0000000000400000-0x0000000001C9F400-memory.dmp
memory/2216-347-0x0000000000400000-0x000000000041B000-memory.dmp
memory/2040-355-0x0000000000400000-0x0000000000D53000-memory.dmp
memory/2636-357-0x0000000000400000-0x000000000041B000-memory.dmp
memory/748-358-0x0000000000400000-0x0000000000D53000-memory.dmp
memory/2664-369-0x0000000000400000-0x0000000001C9F400-memory.dmp
memory/2896-373-0x0000000000400000-0x000000000041B000-memory.dmp
memory/2864-375-0x0000000000400000-0x000000000041B000-memory.dmp
memory/2268-374-0x0000000000400000-0x0000000000C8D000-memory.dmp
memory/2188-379-0x0000000000400000-0x0000000000C8D000-memory.dmp
memory/1316-380-0x0000000000400000-0x0000000000D53000-memory.dmp
memory/1760-382-0x0000000000400000-0x000000000041B000-memory.dmp
memory/1920-394-0x0000000000400000-0x000000000041B000-memory.dmp
memory/2044-395-0x0000000000400000-0x000000000041B000-memory.dmp
memory/1772-405-0x0000000000400000-0x000000000041B000-memory.dmp
memory/1516-410-0x0000000000400000-0x0000000000D53000-memory.dmp
memory/2712-411-0x0000000000400000-0x000000000041B000-memory.dmp
memory/1736-415-0x0000000000400000-0x0000000000D53000-memory.dmp
memory/1708-419-0x0000000000400000-0x000000000041B000-memory.dmp
memory/2344-430-0x0000000000400000-0x0000000000C8D000-memory.dmp
memory/2516-417-0x0000000000400000-0x000000000041B000-memory.dmp
memory/264-440-0x0000000000400000-0x000000000041B000-memory.dmp
memory/632-441-0x0000000000400000-0x000000000041B000-memory.dmp
memory/2804-446-0x0000000000400000-0x0000000000D53000-memory.dmp
memory/2428-447-0x0000000000400000-0x0000000001C9F400-memory.dmp
memory/2216-448-0x0000000000400000-0x000000000041B000-memory.dmp
memory/1744-451-0x0000000000400000-0x0000000001C9F400-memory.dmp
memory/2664-450-0x0000000000400000-0x0000000001C9F400-memory.dmp
memory/2248-456-0x0000000000400000-0x000000000041B000-memory.dmp
memory/2104-449-0x0000000000400000-0x0000000001C9F400-memory.dmp
memory/2228-457-0x0000000000400000-0x0000000000D53000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2025-01-03 15:25
Reported
2025-01-03 15:27
Platform
win10v2004-20241007-en
Max time kernel
32s
Max time network
151s
Command Line
Signatures
Neshta
Neshta family
Xred
Xred family
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\NL Brute 1.2.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\ProgramData\Synaptics\Synaptics.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\._cache_NL Brute 1.2.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\ProgramData\Synaptics\Synaptics.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\ProgramData\Synaptics\Synaptics.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\ProgramData\Synaptics\Synaptics.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\ProgramData\Synaptics\Synaptics.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\3582-490\._cache_NL Brute 1.2.exe | N/A |
Executes dropped EXE
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE | N/A |
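The three anti-analysis signatures above (the `VBOX__` ACPI table, the `SystemBiosVersion`/`VideoBiosVersion` strings and the `HKCU\Software\Wine` key) are plain registry reads, so an analysis guest can be audited for them before a detonation. The PowerShell below is an added example and is not code from the sandbox report or from the sample; it reads the same keys the report records and lists which of them would identify the guest. The hypervisor vendor pattern applied to the BIOS strings is an assumption that goes beyond the `VBOX__` check shown here, added to cover what similar samples typically look for.

```powershell
# Added example (not from the report): audit an analysis guest for the
# registry artifacts this sample queried. Run inside the VM; no elevation needed.
function Test-SandboxFingerprint {
    $findings = @()

    # HARDWARE\ACPI\DSDT\<OEM id>: the sample opened the VBOX__ subkey,
    # which only exists on VirtualBox guests.
    $dsdt = 'Registry::HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT'
    if (Test-Path -LiteralPath $dsdt) {
        foreach ($oem in Get-ChildItem -LiteralPath $dsdt) {
            if ($oem.PSChildName -like 'VBOX*') {
                $findings += "ACPI DSDT OEM id '$($oem.PSChildName)' identifies VirtualBox"
            }
        }
    }

    # HARDWARE\DESCRIPTION\System\{SystemBiosVersion,VideoBiosVersion} are REG_MULTI_SZ.
    # The vendor pattern is an assumption broader than the VBOX__ check in this report.
    $desc = Get-ItemProperty -LiteralPath 'Registry::HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System' -ErrorAction SilentlyContinue
    foreach ($name in 'SystemBiosVersion', 'VideoBiosVersion') {
        $value = @($desc.$name) -join ' '
        if ($value -match 'VBOX|VirtualBox|VMware|QEMU|Bochs|Xen|VRTUAL|Hyper-V') {
            $findings += "$name = '$value'"
        }
    }

    # HKCU\Software\Wine is created by Wine and is absent on real Windows.
    if (Test-Path -LiteralPath 'Registry::HKEY_CURRENT_USER\Software\Wine') {
        $findings += 'HKCU\Software\Wine present (Wine environment)'
    }

    return $findings
}

$result = Test-SandboxFingerprint
if (-not $result) { 'No fingerprint artifacts found' } else { $result }
```

Any line this prints is a value the sample could read the same way; in this detonation the checks fired (the report shows the keys being opened) yet the sample still dropped and executed its payloads, so a positive result here does not mean the sample will stop, only that it knows.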
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\Synaptics\Synaptics.exe | N/A |
| N/A | N/A | C:\ProgramData\Synaptics\Synaptics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE | N/A |
| N/A | N/A | C:\ProgramData\Synaptics\Synaptics.exe | N/A |
| N/A | N/A | C:\ProgramData\Synaptics\Synaptics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE | N/A |
| N/A | N/A | C:\ProgramData\Synaptics\Synaptics.exe | N/A |
| N/A | N/A | C:\ProgramData\Synaptics\Synaptics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE | N/A |
| N/A | N/A | C:\ProgramData\Synaptics\Synaptics.exe | N/A |
| N/A | N/A | C:\ProgramData\Synaptics\Synaptics.exe | N/A |
Modifies system executable filetype association
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\._cache_NL Brute 1.2.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" | C:\Users\Admin\AppData\Local\Temp\3582-490\._cache_NL Brute 1.2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" | C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" | C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" | C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" | C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" | C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" | C:\Users\Admin\AppData\Local\Temp\NL Brute 1.2.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE | C:\Users\Admin\AppData\Local\Temp\._cache_NL Brute 1.2.exe | N/A |
| File opened for modification | C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~3.EXE | C:\Users\Admin\AppData\Local\Temp\._cache_NL Brute 1.2.exe | N/A |
| File opened for modification | C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE | C:\Users\Admin\AppData\Local\Temp\._cache_NL Brute 1.2.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE | C:\Users\Admin\AppData\Local\Temp\._cache_NL Brute 1.2.exe | N/A |
| File opened for modification | C:\PROGRA~2\WINDOW~4\wmplayer.exe | C:\Users\Admin\AppData\Local\Temp\._cache_NL Brute 1.2.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~3.EXE | C:\Users\Admin\AppData\Local\Temp\._cache_NL Brute 1.2.exe | N/A |
| File opened for modification | C:\PROGRA~2\WINDOW~4\wmprph.exe | C:\Users\Admin\AppData\Local\Temp\._cache_NL Brute 1.2.exe | N/A |
| File opened for modification | C:\PROGRA~2\Google\Update\1336~1.371\GOF5E2~1.EXE | C:\Users\Admin\AppData\Local\Temp\._cache_._cache_NL Brute 1.2.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MID1AD~1.EXE | C:\Users\Admin\AppData\Local\Temp\._cache_NL Brute 1.2.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MI9C33~1.EXE | C:\Users\Admin\AppData\Local\Temp\._cache_NL Brute 1.2.exe | N/A |
| File opened for modification | C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\java.exe | C:\Users\Admin\AppData\Local\Temp\._cache_NL Brute 1.2.exe | N/A |
| File opened for modification | C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaws.exe | C:\Users\Admin\AppData\Local\Temp\._cache_NL Brute 1.2.exe | N/A |
| File opened for modification | C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE | C:\Users\Admin\AppData\Local\Temp\._cache_._cache_NL Brute 1.2.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE | C:\Users\Admin\AppData\Local\Temp\._cache_NL Brute 1.2.exe | N/A |
| File opened for modification | C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE | C:\Users\Admin\AppData\Local\Temp\._cache_._cache_NL Brute 1.2.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE | C:\Users\Admin\AppData\Local\Temp\._cache_NL Brute 1.2.exe | N/A |
| File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe | C:\Users\Admin\AppData\Local\Temp\._cache_NL Brute 1.2.exe | N/A |
| File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE | C:\Users\Admin\AppData\Local\Temp\._cache_NL Brute 1.2.exe | N/A |
| File opened for modification | C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaw.exe | C:\Users\Admin\AppData\Local\Temp\._cache_._cache_NL Brute 1.2.exe | N/A |
| File opened for modification | C:\PROGRA~3\PACKAG~1\{63880~1\WINDOW~1.EXE | C:\Users\Admin\AppData\Local\Temp\._cache_._cache_NL Brute 1.2.exe | N/A |
| File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe | C:\Users\Admin\AppData\Local\Temp\._cache_NL Brute 1.2.exe | N/A |
| File opened for modification | C:\PROGRA~2\INTERN~1\iexplore.exe | C:\Users\Admin\AppData\Local\Temp\._cache_NL Brute 1.2.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE | C:\Users\Admin\AppData\Local\Temp\._cache_._cache_NL Brute 1.2.exe | N/A |
| File opened for modification | C:\PROGRA~2\MOZILL~1\UNINST~1.EXE | C:\Users\Admin\AppData\Local\Temp\._cache_._cache_NL Brute 1.2.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MI9C33~1.EXE | C:\Users\Admin\AppData\Local\Temp\._cache_._cache_NL Brute 1.2.exe | N/A |
| File opened for modification | C:\PROGRA~2\WINDOW~4\setup_wm.exe | C:\Users\Admin\AppData\Local\Temp\._cache_NL Brute 1.2.exe | N/A |
| File opened for modification | C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe | C:\Users\Admin\AppData\Local\Temp\._cache_._cache_NL Brute 1.2.exe | N/A |
| File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE | C:\Users\Admin\AppData\Local\Temp\._cache_NL Brute 1.2.exe | N/A |
| File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE | C:\Users\Admin\AppData\Local\Temp\._cache_NL Brute 1.2.exe | N/A |
| File opened for modification | C:\PROGRA~2\WINDOW~4\wmplayer.exe | C:\Users\Admin\AppData\Local\Temp\._cache_._cache_NL Brute 1.2.exe | N/A |
| File opened for modification | C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE | C:\Users\Admin\AppData\Local\Temp\._cache_._cache_NL Brute 1.2.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE | C:\Users\Admin\AppData\Local\Temp\._cache_._cache_NL Brute 1.2.exe | N/A |
| File opened for modification | C:\PROGRA~2\WINDOW~4\wmlaunch.exe | C:\Users\Admin\AppData\Local\Temp\._cache_._cache_NL Brute 1.2.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MIA062~1.EXE | C:\Users\Admin\AppData\Local\Temp\._cache_NL Brute 1.2.exe | N/A |
| File opened for modification | C:\PROGRA~2\WINDOW~2\wab.exe | C:\Users\Admin\AppData\Local\Temp\._cache_._cache_NL Brute 1.2.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE | C:\Users\Admin\AppData\Local\Temp\._cache_NL Brute 1.2.exe | N/A |
| File opened for modification | C:\PROGRA~2\WINDOW~4\setup_wm.exe | C:\Users\Admin\AppData\Local\Temp\._cache_._cache_NL Brute 1.2.exe | N/A |
| File opened for modification | C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE | C:\Users\Admin\AppData\Local\Temp\._cache_._cache_NL Brute 1.2.exe | N/A |
| File opened for modification | C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe | C:\Users\Admin\AppData\Local\Temp\._cache_._cache_NL Brute 1.2.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe | C:\Users\Admin\AppData\Local\Temp\._cache_NL Brute 1.2.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE | C:\Users\Admin\AppData\Local\Temp\._cache_NL Brute 1.2.exe | N/A |
| File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE | C:\Users\Admin\AppData\Local\Temp\._cache_NL Brute 1.2.exe | N/A |
| File opened for modification | C:\PROGRA~2\INTERN~1\ielowutil.exe | C:\Users\Admin\AppData\Local\Temp\._cache_._cache_NL Brute 1.2.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MID1AD~1.EXE | C:\Users\Admin\AppData\Local\Temp\._cache_._cache_NL Brute 1.2.exe | N/A |
| File opened for modification | C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE | C:\Users\Admin\AppData\Local\Temp\._cache_._cache_NL Brute 1.2.exe | N/A |
| File opened for modification | C:\PROGRA~2\INTERN~1\ielowutil.exe | C:\Users\Admin\AppData\Local\Temp\._cache_NL Brute 1.2.exe | N/A |
| File opened for modification | C:\PROGRA~2\INTERN~1\ExtExport.exe | C:\Users\Admin\AppData\Local\Temp\._cache_._cache_NL Brute 1.2.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE | C:\Users\Admin\AppData\Local\Temp\._cache_NL Brute 1.2.exe | N/A |
| File opened for modification | C:\PROGRA~2\Google\Update\1336~1.371\GOBD5D~1.EXE | C:\Users\Admin\AppData\Local\Temp\._cache_NL Brute 1.2.exe | N/A |
| File opened for modification | C:\PROGRA~2\INTERN~1\ieinstal.exe | C:\Users\Admin\AppData\Local\Temp\._cache_._cache_NL Brute 1.2.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~1.EXE | C:\Users\Admin\AppData\Local\Temp\._cache_._cache_NL Brute 1.2.exe | N/A |
| File opened for modification | C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe | C:\Users\Admin\AppData\Local\Temp\._cache_NL Brute 1.2.exe | N/A |
| File opened for modification | C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE | C:\Users\Admin\AppData\Local\Temp\._cache_._cache_NL Brute 1.2.exe | N/A |
| File opened for modification | C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE | C:\Users\Admin\AppData\Local\Temp\._cache_._cache_NL Brute 1.2.exe | N/A |
| File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe | C:\Users\Admin\AppData\Local\Temp\._cache_NL Brute 1.2.exe | N/A |
| File opened for modification | C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaw.exe | C:\Users\Admin\AppData\Local\Temp\._cache_NL Brute 1.2.exe | N/A |
| File opened for modification | C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE | C:\Users\Admin\AppData\Local\Temp\._cache_NL Brute 1.2.exe | N/A |
| File opened for modification | C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe | C:\Users\Admin\AppData\Local\Temp\._cache_._cache_NL Brute 1.2.exe | N/A |
| File opened for modification | C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\java.exe | C:\Users\Admin\AppData\Local\Temp\._cache_._cache_NL Brute 1.2.exe | N/A |
| File opened for modification | C:\PROGRA~2\Google\Update\1336~1.371\GOF5E2~1.EXE | C:\Users\Admin\AppData\Local\Temp\._cache_NL Brute 1.2.exe | N/A |
| File opened for modification | C:\PROGRA~2\INTERN~1\ExtExport.exe | C:\Users\Admin\AppData\Local\Temp\._cache_NL Brute 1.2.exe | N/A |
| File opened for modification | C:\PROGRA~2\Google\Update\DISABL~1.EXE | C:\Users\Admin\AppData\Local\Temp\._cache_._cache_NL Brute 1.2.exe | N/A |
| File opened for modification | C:\PROGRA~2\WINDOW~2\wab.exe | C:\Users\Admin\AppData\Local\Temp\._cache_NL Brute 1.2.exe | N/A |
| File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe | C:\Users\Admin\AppData\Local\Temp\._cache_NL Brute 1.2.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\svchost.com | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\Windows\directx.sys | C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe | N/A |
| File opened for modification | C:\Windows\svchost.com | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\Windows\svchost.com | C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe | N/A |
| File opened for modification | C:\Windows\directx.sys | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\Windows\svchost.com | C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE | N/A |
| File opened for modification | C:\Windows\directx.sys | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\Windows\directx.sys | C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE | N/A |
| File opened for modification | C:\Windows\directx.sys | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\Windows\svchost.com | C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe | N/A |
| File opened for modification | C:\Windows\svchost.com | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\Windows\svchost.com | C:\Users\Admin\AppData\Local\Temp\._cache_NL Brute 1.2.exe | N/A |
| File opened for modification | C:\Windows\svchost.com | C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE | N/A |
| File opened for modification | C:\Windows\svchost.com | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\Windows\directx.sys | C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe | N/A |
| File opened for modification | C:\Windows\svchost.com | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\Windows\directx.sys | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\Windows\directx.sys | C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE | N/A |
| File opened for modification | C:\Windows\svchost.com | C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe | N/A |
| File opened for modification | C:\Windows\directx.sys | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\Windows\directx.sys | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\Windows\directx.sys | C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe | N/A |
| File opened for modification | C:\Windows\svchost.com | C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe | N/A |
| File opened for modification | C:\Windows\directx.sys | C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE | N/A |
| File opened for modification | C:\Windows\directx.sys | C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe | N/A |
| File opened for modification | C:\Windows\svchost.com | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\Windows\directx.sys | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\Windows\svchost.com | C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE | N/A |
| File opened for modification | C:\Windows\svchost.com | C:\Users\Admin\AppData\Local\Temp\._cache_._cache_NL Brute 1.2.exe | N/A |
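The exefile association hijack, the `Synaptics Pointing Device Driver` Run key and the files written to the Windows directory are the artifacts a responder would sweep other hosts for. The PowerShell below is an added example, not code from the report or from the sample. It queries exactly the locations the report names, plus the `3582-490` directory that appears in the process paths under each user's `AppData\Local\Temp`. It assumes the clean value of the exefile open command is `"%1" %*`, which is the stock Windows default. It does not identify the executables the sample opened for modification under Program Files (see the rows above); those need a scan or a restore from known-good media.

```powershell
# Added example (not from the report): host triage for the persistence
# artifacts recorded in this report. Run from an elevated PowerShell prompt.
function Get-NeshtaXredIndicators {
    $hits = @()

    # 1. exefile hijack. Report value: C:\Windows\svchost.com "%1" %*
    #    Assumed clean default on stock Windows: "%1" %*
    $cmdKey = 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command'
    $cmd = (Get-ItemProperty -LiteralPath $cmdKey -ErrorAction SilentlyContinue).'(default)'
    if ($cmd -and $cmd -ne '"%1" %*') {
        $hits += [pscustomobject]@{ Type = 'Registry'; Location = $cmdKey; Value = $cmd }
    }

    # 2. Run key. The report shows the WOW6432Node view (32-bit writer on x64);
    #    the native view is checked as well in case a 64-bit build writes there.
    $valueName = 'Synaptics Pointing Device Driver'
    foreach ($runKey in @(
        'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
        'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run')) {
        $run = Get-ItemProperty -LiteralPath $runKey -ErrorAction SilentlyContinue
        if ($run -and $run.PSObject.Properties.Name -contains $valueName) {
            $hits += [pscustomobject]@{ Type = 'Registry'; Location = "$runKey\$valueName"; Value = $run.$valueName }
        }
    }

    # 3. Files and directories named in the report. SHA256 is emitted so it can be
    #    compared with the hashes listed for the dropped files; note the report shows
    #    directx.sys rewritten repeatedly, so its hash may differ between hosts.
    $paths = @(
        "$env:WINDIR\svchost.com",
        "$env:WINDIR\directx.sys",
        "$env:ProgramData\Synaptics\Synaptics.exe"
    )
    foreach ($profile in Get-ChildItem -LiteralPath "$env:SystemDrive\Users" -Directory -ErrorAction SilentlyContinue) {
        $paths += Join-Path $profile.FullName 'AppData\Local\Temp\3582-490'
    }
    foreach ($path in $paths) {
        if (-not (Test-Path -LiteralPath $path)) { continue }
        if (Test-Path -LiteralPath $path -PathType Container) {
            $count = @(Get-ChildItem -LiteralPath $path -Force -ErrorAction SilentlyContinue).Count
            $hits += [pscustomobject]@{ Type = 'Directory'; Location = $path; Value = "$count entries" }
        } else {
            $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
            $hits += [pscustomobject]@{ Type = 'File'; Location = $path; Value = $hash }
        }
    }

    return $hits
}

Get-NeshtaXredIndicators | Format-Table -AutoSize
```

Order matters during cleanup: restore the exefile open command to `"%1" %*` before deleting `C:\Windows\svchost.com`, otherwise every `.exe` launched through the shell fails because the association still points at the removed file.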
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\Synaptics\Synaptics.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\svchost.com | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\NL Brute 1.2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\._cache_NL Brute 1.2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\._cache_._cache_NL Brute 1.2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\3582-490\._cache_NL Brute 1.2.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Users\Admin\AppData\Local\Temp\3582-490\._cache_NL Brute 1.2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\ProgramData\Synaptics\Synaptics.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Users\Admin\AppData\Local\Temp\NL Brute 1.2.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\._cache_NL Brute 1.2.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE | N/A |
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\NL Brute 1.2.exe
"C:\Users\Admin\AppData\Local\Temp\NL Brute 1.2.exe"
C:\Users\Admin\AppData\Local\Temp\._cache_NL Brute 1.2.exe
"C:\Users\Admin\AppData\Local\Temp\._cache_NL Brute 1.2.exe"
C:\Users\Admin\AppData\Local\Temp\3582-490\._cache_NL Brute 1.2.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\._cache_NL Brute 1.2.exe"
C:\ProgramData\Synaptics\Synaptics.exe
"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
C:\Users\Admin\AppData\Local\Temp\._cache_._cache_NL Brute 1.2.exe
"C:\Users\Admin\AppData\Local\Temp\._cache_._cache_NL Brute 1.2.exe"
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
C:\ProgramData\Synaptics\Synaptics.exe
"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE" InjUpdate
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE InjUpdate
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE" InjUpdate
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE InjUpdate
C:\ProgramData\Synaptics\Synaptics.exe
"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
C:\ProgramData\Synaptics\Synaptics.exe
"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
C:\ProgramData\Synaptics\Synaptics.exe
"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE" InjUpdate
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE" InjUpdate
C:\ProgramData\Synaptics\Synaptics.exe
"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate
C:\ProgramData\Synaptics\Synaptics.exe
"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE" InjUpdate
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE InjUpdate
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE" InjUpdate
C:\ProgramData\Synaptics\Synaptics.exe
"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate
C:\ProgramData\Synaptics\Synaptics.exe
"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE" InjUpdate
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE InjUpdate
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE" InjUpdate
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE InjUpdate
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
C:\ProgramData\Synaptics\Synaptics.exe
"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE" InjUpdate
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE" InjUpdate
C:\ProgramData\Synaptics\Synaptics.exe
"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
C:\ProgramData\Synaptics\Synaptics.exe
"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate
C:\ProgramData\Synaptics\Synaptics.exe
"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
C:\ProgramData\Synaptics\Synaptics.exe
"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE" InjUpdate
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE InjUpdate
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE" InjUpdate
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE" InjUpdate
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE InjUpdate
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE" InjUpdate
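Reading the Set value row under Modifies registry class together with the Processes list above: the exefile handler is rewritten to `C:\Windows\svchost.com "%1" %*` (the clean default is `"%1" %*`), so every .exe launch is routed through svchost.com, which relaunches a copy staged under `%TEMP%\3582-490\` with the original arguments. That is why the list alternates `svchost.com "...\3582-490\_CACHE~n.EXE" InjUpdate` with the staged copy itself, and why Xred's `InjUpdate` argument travels along. The Python below is an added example, not part of the report or of any tool it names: it parses command lines like those listed and reconstructs that chain. The sample lines are copied from the Processes list; the quote-aware splitter, the function names and the summary keys are my own.

```python
"""Reconstruct the Neshta wrapper chain and the Xred launch arguments from
Windows process command lines.

Added example, not part of the sandbox report. SAMPLE_CMDLINES are copied
verbatim from the report's Processes list; everything else is an assumption
of this example. The clean default for exefile\\shell\\open\\command is
"%1" %*.
"""
import re
from typing import List, Optional, Tuple

# Neshta relaunches the program the user started from a copy staged under
# this %TEMP% subdirectory, forwarding the original arguments.
NESHTA_STAGING_DIR = "\\3582-490\\"
CLEAN_EXEFILE_COMMAND = '"%1" %*'

# Constructed sample: command lines taken from the report's Processes list.
SAMPLE_CMDLINES = [
    r'"C:\Users\Admin\AppData\Local\Temp\NL Brute 1.2.exe"',
    r'"C:\Users\Admin\AppData\Local\Temp\._cache_NL Brute 1.2.exe"',
    r'"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate',
    r'"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding',
    r'"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate',
    r'C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate',
    r'"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE" InjUpdate',
    r'C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE InjUpdate',
]

# A double-quoted run is one token (quotes dropped); anything else splits on
# whitespace. Enough for the forms a process-creation log records.
_TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def split_cmdline(cmd: str) -> List[str]:
    """Split a Windows command line into an argv list."""
    return [quoted or bare for quoted, bare in _TOKEN.findall(cmd)]


def exefile_interposer(command_value: str) -> Optional[str]:
    """Return the executable an exefile\\shell\\open\\command value runs in
    front of the real program, or None when the value is the clean form."""
    argv = split_cmdline(command_value)
    if not argv or argv[0] == "%1":
        return None
    return argv[0]


def neshta_wrapped_target(argv: List[str]) -> Optional[Tuple[str, Tuple[str, ...]]]:
    """Recognise svchost.com relaunching a staged copy; return the staged
    path and the forwarded arguments, or None for any other launch."""
    if len(argv) < 2 or not argv[0].lower().endswith("\\svchost.com"):
        return None
    if NESHTA_STAGING_DIR.lower() not in argv[1].lower():
        return None
    return argv[1], tuple(argv[2:])


def summarize(cmdlines: List[str]) -> dict:
    """Count the chain's components across a list of command lines."""
    report = {
        "neshta_wrapper_launches": 0,
        "neshta_staged_targets": set(),
        "forwarded_args": set(),
        "injupdate_launches": 0,
        "synaptics_in_programdata": False,
        "excel_automation_launches": 0,
    }
    for line in cmdlines:
        argv = split_cmdline(line)
        if not argv:
            continue
        exe = argv[0].lower()
        args = [a.lower() for a in argv[1:]]
        wrapped = neshta_wrapped_target(argv)
        if wrapped is not None:
            target, forwarded = wrapped
            report["neshta_wrapper_launches"] += 1
            report["neshta_staged_targets"].add(target)
            report["forwarded_args"].update(forwarded)
        if "injupdate" in args:                      # Xred's update argument
            report["injupdate_launches"] += 1
        if exe.endswith("\\programdata\\synaptics\\synaptics.exe"):
            report["synaptics_in_programdata"] = True
        if exe.endswith("\\excel.exe") and "/automation" in args:
            report["excel_automation_launches"] += 1
    return report


if __name__ == "__main__":
    print("exefile interposer:", exefile_interposer(r'C:\Windows\svchost.com "%1" %*'))
    for key, value in summarize(SAMPLE_CMDLINES).items():
        print(f"{key}: {sorted(value) if isinstance(value, set) else value}")
```

Feed it the command-line column of a process-creation log (Sysmon event 1, EDR telemetry) rather than the sample list to hunt for the same pattern on a live estate; the staged path it returns is the file to pull, since that copy is the original program, not the infector. Remediation of the handler means restoring `"%1" %*` after the dropped svchost.com is gone, otherwise every launch fails.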
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.49.80.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 227.162.46.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.239.69.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 131.72.42.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 168.253.116.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
Files
memory/4672-0-0x0000000002A70000-0x0000000002A71000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\._cache_NL Brute 1.2.exe
| MD5 | ad581ec2abb20785ac61234ec270509b |
| SHA1 | 4c46f335468f76e5eecd444f55074834725f8fc1 |
| SHA256 | ec1ef94580cfeef624d395ca70bb824d4d1522f5e003d4fa1126230ced3795cd |
| SHA512 | b9ad5ebdfd5f9069a8e9be9d12cf5fa6ab0ad21d1c428114414a9253e3768f6029352a6b4cb4b1de48f092827e4d8cae4bbd5cfaa90cfd9d0c721f238ce29ad1 |
C:\ProgramData\Synaptics\Synaptics.exe
| MD5 | 50b072669d250694e04f3e2d27153ece |
| SHA1 | 616d07f52763be900b56eafdf54e996e1183da4a |
| SHA256 | 3837bbb589f027fe75534ac85223641d8cb3f162420e8843aa94ade7045fa35a |
| SHA512 | f556f495692011df4170c2e2a21378d9fbb4bb6769d87116f31afca3f9200a9eb22f24e275d087098ffed5a5b0108d04b52296892fd9b6c15399ac5e53b28682 |
C:\Users\Admin\AppData\Local\Temp\3582-490\._cache_NL Brute 1.2.exe
| MD5 | a30763c11386537891860bb31ae2332c |
| SHA1 | 812c4e600b097ec74d6fcba24889994b458c452f |
| SHA256 | af5aadcf55a696d1725b4d91d0a49afd9ba122ccc003618506eff255b7a2dcbc |
| SHA512 | 9fc786154505280591d915897b769be022af3f1beea3473f6f1be2e385382348305dd09b7bf0bf281f7b511dc4eedb9c14fdc3c343d9355a0a344e4bac70cc90 |
memory/4672-115-0x0000000000400000-0x0000000000E1A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\._cache_._cache_NL Brute 1.2.exe
| MD5 | 29a056a84cf2cbaace260906b558c9bf |
| SHA1 | 5a5199d4cb1e8fa63f738baf443e002c546d031c |
| SHA256 | cf68e068a071f44ea5b40b6f514cc4f9cfd16279652f85c3221cdfc5e0184e15 |
| SHA512 | 8eecaa3efb4744dbd85ae413213803e5d09bb82d590ad3df4ca477120f72c04c611ced971a8e6b462e67e23186137e975006ca89c893d67bd39d2bd030f14901 |
memory/1360-191-0x0000000000400000-0x0000000000D53000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\3582-490\._cache_._cache_NL Brute 1.2.exe
| MD5 | e6bf3f31987645cbbfe74e2fbcb87331 |
| SHA1 | f38f57cb3bcc28047f200d9fdd1fca400a9eafb1 |
| SHA256 | 69e61da1dda3a4c7cfd589000ecf831c2739b4ffe578bdfb1456b59b3b1ec233 |
| SHA512 | 7fadd83caa14497837d0d900cf40e706ef6e33815b861a602e0e83b3b1aa3c753ece3b084968919c7adc453bc368de8fe1e531e30e6ea6d1e9465b5628bc8605 |
C:\Windows\directx.sys (zero-byte file: the digests below are those of empty input)
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/3512-235-0x0000000000400000-0x000000000041B000-memory.dmp
memory/2604-236-0x00007FF9832B0000-0x00007FF9832C0000-memory.dmp
C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE
| MD5 | 6b27dd3f7c6898e7d1bcff73d6e29858 |
| SHA1 | 55102c244643d43aeaf625145c6475e78dfbe9de |
| SHA256 | 53e47df12f0ce2005f4a2a773d194c9431b325b64c205dfa4cfba45c973b65f3 |
| SHA512 | 52b7a596b07935f15f008c2de38c5dfd85df18b49e5083e363b90fb321d4f1bf588627dcbe94fa6434c460243b254c5ca1dbcf2c956e49baa92e13e104500f2f |
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE
| MD5 | a31628879099ba1efd1b63e81771f6c7 |
| SHA1 | 42d9de49d0465c907be8ee1ef1ccf3926b8825fe |
| SHA256 | 031b0b0de72eba9350a1234eba7489bc04f94823501fc6a200266fa94b8c51dc |
| SHA512 | 0e86020f61fd08578507c3cd37385ffa2ffd964407a689b4c3d532fe4dc826eea58391f938840d18ecfa6bae79c6ece31b8f63b50366c2fa4d6ecf5194475759 |
memory/2604-316-0x00007FF980CC0000-0x00007FF980CD0000-memory.dmp
C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe
| MD5 | 2b10fad55bb461c01d3f922c3fbf7d2e |
| SHA1 | e899a087bc0a8b36c79d24505dc72813a25b0eb9 |
| SHA256 | 8f1d9b2c820fb05556bc9ddabafc7e5cf51c5c01075bab11d68ae965ca21f68f |
| SHA512 | 2a47bf1f477dcf0070e9157cc0b816fd1563075a19286df7bb4d3fc368552d72a95505a35bba961b69b3561d1d858857c14762b7c046c6cf382d08e037f2ec61 |
C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE
| MD5 | 048da0aced67fe14cbc1801a057b8cef |
| SHA1 | 9ddac6ad86b54d0b7e1d22fbc1ff75ccfa9c17ea |
| SHA256 | 2f37cac4a1dbf7944d43f1154ce293311c3f9d44317276a06b49cd41123d9d96 |
| SHA512 | 1d2b23dc25ea03002a3ccbcdf08a7ebf47ee2158bf9211b71830a92dfa4bef584529c1804148ebe2cb662e579cc97e9f702a6a42071f2600a129c642a6b92c16 |
C:\PROGRA~3\PACKAG~1\{63880~1\WINDOW~1.EXE
| MD5 | fc3c02a4d4d5861fabd35e1fee6c471a |
| SHA1 | 1596a8ee947e5fdff7f1f03b694bfb71e9b1ddd1 |
| SHA256 | 741ab407aa8af5f0f09d42a3c4eca0cf39a40af9a261d3f0d653b13f7e5ad36f |
| SHA512 | d6dae86cdf99696c7af7b397d8a81d09671f96801472063567dc4f6780d35307e2f149af6762616ece84039c34099c26fa6e1460da5ffe8acbc56da5b28afc97 |
C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE
| MD5 | 96c338591ac8ea4483337c8371cfbab9 |
| SHA1 | 21bed3f86db1c33912390db397678631c876f431 |
| SHA256 | 7237de120dcf61936d33394b8e211d4af88a7e4c6ee53cf053a54b8b60c23a1e |
| SHA512 | 44e44c466ca812a1ce21f5ba8e3e57434ae7ff1549b0315d3887cd467da40e1604ec9a69f07d7e3c834aa1d96c8206628ce173ae8a8a59a9d713b516f58e9455 |
C:\PROGRA~2\MOZILL~1\UNINST~1.EXE
| MD5 | 144294f89c5a1ad929b9056ec0760f0f |
| SHA1 | 91175b430042997c8fb899596afc53bea4bb38c8 |
| SHA256 | 9d1eeb4a9b9ef3d686891ac34e9b4a2379f24fc02ea2e9fc00071d03a86d42ab |
| SHA512 | 77c2fd3dc1bc710e652e4e4ca7cd73076a3988cf395d977b5a46a395cedd943560f3a5ad2251365c63cd2d3e681e7cf9fc3510d8d778732d7c692831c2fc9898 |
C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE
| MD5 | 7fbf415b935535d546d5f9203964ed7e |
| SHA1 | ce6a5d5117940e7435f4a0ff412741f40a5cbafb |
| SHA256 | ea24198d33ecd695b9892068d4d155435318e41531d7ca5379b45b344a086a28 |
| SHA512 | 5e613b6f43f16f298ae67ff1928354e7f40adfc574bec5996dbdef99c8c053f1c32c677f18093c7ff78ec2f883e6d377af8515c76380823264633dd8c78cd2ec |
C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~2.EXE
| MD5 | cd4af683704c71887125716ca891e18c |
| SHA1 | 64d02bac29cfeeed31978438d572230f316d61df |
| SHA256 | 1e6a087180f0e5a8e738718de2d4d99c1a4b6d89bd2a84ad19ab45f7dd9225c5 |
| SHA512 | dda5661f1e95e1a6dc0ce62a5b476aa335ddde431d47fb6cabffe36947376f6c583f83560dc43da4bc4432052a95ed61f0553ade59308582510c25a5f828921a |
C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~1.EXE
| MD5 | 74a044a62415d995102a0d58424bc49e |
| SHA1 | 10aeaa3fa60f5550bab9321048675c433a27e12a |
| SHA256 | bf70a32a354a2c7ec912701f3350b8706bd9f422ea091de93088abe8e2b58efa |
| SHA512 | 0aa5780b75b506dadcdd3902b4defb847c1f7e6deca78596c70e95cf2e179489f8748e0580aacd07875aa75fba08af13e7c6463925424ead18720a2934ac210b |
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE
| MD5 | ecda5b4161dbf34af2cd3bd4b4ca92a6 |
| SHA1 | a76347d21e3bfc8d9a528097318e4b037d7b1351 |
| SHA256 | 98e7a35dd61a5eeea32ca5ff0f195b7e5931429e2e4b12d1e75ca09ddab3278f |
| SHA512 | 3cd3d64e7670ab824d36a792faa5d16a61f080d52345e07b0ef8396b2a1481876a3b30fc702bf0018a1b02c7788c3c7f1b016590c5b31485a90e3a375f11dade |
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe
| MD5 | 6b7a2ce420e8dd7484ca4fa4460894ae |
| SHA1 | df07e4a085fc29168ae9ec4781b88002077f7594 |
| SHA256 | dec51011b3bd2d82c42d13f043fac935b52adeaa17427ce4e21e34fcbd2231e4 |
| SHA512 | 7d2cd278ee45ec0e14145f2be26b8cdbe3312b300aa216532c41e839ba61c12ae379025568c85634f0ec3bc95cc481bb17f99ab30c711986651569f0f1f81beb |
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE
| MD5 | 032ee4d65b62d87cf809438556d30429 |
| SHA1 | 34458fcefe3c67f19c3d2c94389fc99e54e74801 |
| SHA256 | 0099c710e406e0423bb0b11eb4c113508c67f84a0972a2d14c038687cac1753b |
| SHA512 | 6b912d51e93f1e4756ecc5321ec08a6eb5e15413a9d9cf568bd14ce2a5199d064f6dd5c7d9d5155296d1a4ab5852c81a8fc138565fb788e7402c09b61281a5cd |
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe
| MD5 | 69e1e0de795a8bf8c4884cb98203b1f4 |
| SHA1 | a17f2ba68776596e2d1593781289c7007a805675 |
| SHA256 | 2b6d153b9df86033b7a83eb4f521fd4f7aeec35dc54ef8d1ffe80f5bbd030dbb |
| SHA512 | 353b664271d0f49f94b60c7fbaf5ab6d5b8df7690383517a90ba675f750d9b28628bbd5ed92a6782879607f4c21214b15ea95fd6a5a8d6f9540a1b75ddb9e665 |
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE
| MD5 | 24eeb998cb16869438b95642d49ac3dd |
| SHA1 | b45aa87f45250aa3482c29b24fa4aa3d57ae4c71 |
| SHA256 | a2cfd55902b1750070e9154a90e29a10b9e6fa0c03bc82d8f198678e9bc46cd0 |
| SHA512 | 2ac6de5c3e52b31355300ff4e846ed0627d8d4af02c4c07c0886694a09237ef2ee76e004883fae76a959bef0b60bd4138a9c88ad22139c6b859786c8e37bb358 |
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE
| MD5 | ae390fa093b459a84c27b6c266888a7e |
| SHA1 | ad88709a7f286fc7d65559e9aee3812be6baf4b2 |
| SHA256 | 738b7b5da8ca4798043672d2a32913e0f64268c7861eecc9fcc4c7f9d440d8cd |
| SHA512 | 096b5190efefe4c5272637e0721dcd339883f551c5e0cce568ed0bd63b31fb9acef6b09d310966482dbc7a944cc7a5878b0ad6bd68c30d1871254865a1660851 |
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE
| MD5 | b84ae39dd0420080bd9e6b9557eea65b |
| SHA1 | 5326a058a3bcc4eb0530028e17d391e356210603 |
| SHA256 | 92439a773781fc1b4e45de7fad393bb9ccd05af99dc1a1bb2246a4befb1f5924 |
| SHA512 | 860ae09c5806622420147af1073cecc065786968737547276641af710b4caccd16b787bdf7212dd1d8ab16e257dd5c5cd20790bf000d75d82410cbd5bf7af388 |
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE
| MD5 | fdad5d6d8cf37e8c446dcd6c56c718c3 |
| SHA1 | 412883fd3bb56f2b850d2c29ee666d9b75636faf |
| SHA256 | 2ed31146dc94132acafc7e759086f18c83560693a813b1d842a30908f50faf7c |
| SHA512 | 9866ddd370e7ab75aea143c5ede3ee96700ed662aab7fb3e989f9beedb2800b488f985a8069a61025cc8201bbc42e23d744717988587c2a8a66f2e91ea7cbbbc |
memory/2604-278-0x00007FF980CC0000-0x00007FF980CD0000-memory.dmp
C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~2.EXE
| MD5 | 78f77aff4993684fdbcad13c74d5f364 |
| SHA1 | 0b02ed9112021b3c65778fdce0642e81dfb5b628 |
| SHA256 | 9f707deff2f5b5a8c611c5926362c4ffc82f5744a4699f3fb1ee3ef6bb9b2cfb |
| SHA512 | 568c1abf5f6d13fe37cb55a5f5992dea38e30fc80812a977c0ae25ed30f67321db8f4c0da2ae4ae558e58dc430885fa13c1f7f1d6b2d6bb51ed031f042defafb |
C:\PROGRA~2\Google\Update\1336~1.371\GOBD5D~1.EXE
| MD5 | a12297c17e3747647d5c29d67edd4d9a |
| SHA1 | 6a6ed9d50d8385b2fb1da6c700934bf213e1ec2d |
| SHA256 | 288f7e376d1ba967276a05a1b00fddff236315ee0df24e543cf8b604768ae7f2 |
| SHA512 | e1004b5307f26af7c22ec051539ed633105ac6673301d31a57cb530ab76551b51aa59741397d1b9fe860bed8c93c2a21d8e828edd1612750bcec1bd068898239 |
C:\PROGRA~2\Google\Update\1336~1.371\GO664E~1.EXE
| MD5 | 6ecccb4bab82a4971897aa0bcb2f14be |
| SHA1 | 1c680d6f8ca6a0436b5935906a2d9c4699a7a412 |
| SHA256 | c661a1408b32f837e02965675400807e111dc5d43a00588011e4365dd3c24be1 |
| SHA512 | d68cae4b3c7664751bca1f73cb6b6aa0f0745bb10a76e250b9ffae82bbf2a398f17277ebe5cfd22338af9b4d4c0e0c8241eeb640bdcc0a73774612a6785ac081 |
C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~1.EXE
| MD5 | 2424d589d7997df1356c160a9a82088c |
| SHA1 | ca9b479043636434f32c74c2299210ef9f933b98 |
| SHA256 | 9d6982a566148cf69cb6aec417baddca680e647931315736a6c19f2ba91c4d60 |
| SHA512 | 4dd0a69c1dfb0e88fc6b24c97e14dd0ad1ac0226dd372d09123b6a2ec3c107fc94a810764d16e111d1cf7e81a23b70b84d36cbfbf1e32986d00de3cd9e315c2b |
C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~4.EXE
| MD5 | b6283a7eb554d995d9a7c72dcfca14b5 |
| SHA1 | 67d64907800c611bbcefd31d2494da12962f5022 |
| SHA256 | 099da4830adbab785d86ca4680c041458acfe798ed8b301b2bb6bd47891ed881 |
| SHA512 | a6d96a13b8672d0f1d50ac22ba95b715527050ce91bb67dc261732e0a114ef2902e3380577546ff34860f65723a143153cea47ae31e12bb27dd3f4f5ee2245f3 |
C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~3.EXE
| MD5 | 48628eeb152032e8dc9af97aaaeba7cf |
| SHA1 | e826f32c423627ef625a6618e7250f7dbc4d2501 |
| SHA256 | f271af83d96b1d536e1a1788ec0baa0c3c583ddfe61faceccaeec1470c5676ca |
| SHA512 | 18a2a247177d04d5b1b56d126d72e29b02c8378e8aa4c89bdbaefe14bcd577d7aa054b05a5db37d142a37cf869f3bc03fe9a5bba4886a52d6c2ede5052dfcc7d |
C:\PROGRA~2\COMMON~1\Oracle\Java\JAVAPA~1\java.exe
| MD5 | 75dbb8ccc95969068e221b7292f50888 |
| SHA1 | c87ee029a84d2c021ce5d816b32a9d7d55c914d4 |
| SHA256 | 6b2fdb20eab37b1faec1a92358d05ca2ee050fd824add15b0f1de7ee47999185 |
| SHA512 | 66e8a79990a38a4a7b7d6366383eb23cbc9bf522c1354193d04d7442a7d72356e9d7f1b84459724c800dda79fac438f35756aa1e8465b1dc8d870792cca1c831 |
C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaws.exe
| MD5 | 7aac73055860fcd079d9407cab08276d |
| SHA1 | 482b9f337d60270c95950353f9ca8929d8926b1d |
| SHA256 | 97508a81b805937e1ca57711a51d2e8d715a2748e2f9d27d39dfecc28f3fb9e5 |
| SHA512 | f183a10eb13c083c7cd8e785a7978eee4998c33d1eb104a0ab0e54146e10651f68612249e668baa08919a5840f6f929b5452c93f71a232b30aab9e2857109fb5 |
memory/2604-246-0x00007FF9832B0000-0x00007FF9832C0000-memory.dmp
C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE
| MD5 | 961c73fd70b543a6a3c816649e5f8fce |
| SHA1 | 8dbdc7daeb83110638d192f65f6d014169e0a79b |
| SHA256 | f94ddaf929fb16d952b79c02e78439a10dd2faa78f7f66b7d52de2675e513103 |
| SHA512 | e5d97ee63b02abc65add41f6721514515b34fd79f7db23ae04cf608c2f7e0504e00b07694047b982d14d60cccf6f833b50268c693e3baf1b697d3370c0bba0b6 |
C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE
| MD5 | dc6f9d4b474492fd2c6bb0d6219b9877 |
| SHA1 | 85f5550b7e51ecbf361aaba35b26d62ed4a3f907 |
| SHA256 | 686bec325444e43232fb20e96365bb1f1eb7c47a4e4ce246fc900d3a9784d436 |
| SHA512 | 1e9c2dfeada91e69ee91cd398145e4044bd5788a628b89441c8c6ff4067ba0a399124197fd31dad26ccb76a4d866ad99918ba8e1549983be967d31b933ad9780 |
memory/2604-239-0x00007FF9832B0000-0x00007FF9832C0000-memory.dmp
memory/2604-238-0x00007FF9832B0000-0x00007FF9832C0000-memory.dmp
memory/2604-237-0x00007FF9832B0000-0x00007FF9832C0000-memory.dmp
C:\Windows\svchost.com
| MD5 | f2d9d8bfa7e66046f928920c14a99994 |
| SHA1 | aa3f3f7a16b54b65b55c27f862ad1f9169c102d1 |
| SHA256 | b6dabbe8027291860a9251351464485a38e600087ffb08f5a030ac82ddfc9010 |
| SHA512 | 081d8b0f4491e10c23ae1edb8853e23c68be1642d2762f2e3632967f77d152c67ff008ddff1e53608bdc2c8b629abf561b6fca8b0089cedcf1c9a8be21905e21 |
C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE
| MD5 | 3e8712e3f8ce04d61b1c23d9494e1154 |
| SHA1 | 7e28cd92992cdee55a02b5ece4b7c2fc4dd0c5e4 |
| SHA256 | 7a8ee09f8a75b3e812f99a0b611c6720626c62c6985306a408694389a996c8e9 |
| SHA512 | d07d924f338bd36ca51c8e11931f7ff069e65942725a8e1f1ff6b81076a987ab7d787452a5fb08314edf1489e081f4164db1ad299a6d78401e630796f4487dc8 |
C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE
| MD5 | 823cb3e3a3de255bdb0d1f362f6f48ab |
| SHA1 | 9027969c2f7b427527b23cb7ab1a0abc1898b262 |
| SHA256 | b8c5b99365f5ac318973b151fe3fe2a4ad12546371df69e1b7d749f7a4ce356f |
| SHA512 | 0652b60e07aa5a469b9cf1013a1ed98d0352996c59b9a66f612be2bc0081d8ec8a65a44a3977d2e188cd8ee3311edb251b818cf300d152ed5f633679a6cf834c |
C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE
| MD5 | 3ccfc6967bcfea597926999974eb0cf9 |
| SHA1 | 6736e7886e848d41de098cd00b8279c9bc94d501 |
| SHA256 | a89d3e2109a8e35e263da363d3551258ea320a99bfb84a4b13ad563008eda8d9 |
| SHA512 | f550af4e053d89eff45c0fb00bb32e8d212645a155727d3536a3f12bb0b5550bed25516516334245b912fa4fc2e4e7c267e80da4f06d22ea128f20eb56ab4351 |
C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE
| MD5 | 2e989da204d9c4c3e375a32edf4d16e7 |
| SHA1 | e8a0bf8b4ae4f26e2af5c1748de6055ba4308129 |
| SHA256 | cae320401aa01a3cef836c191c2edbd7a96bfcce9efad1a21880626a64cc4dec |
| SHA512 | 3ebf71578bef909d9411c131d0ccd38ead68cba01a8e0f845d08faa012ca2136476fe09a2859ed846641f80b7a2d9b78d49c709065a52c6b9ee149edf84c8c4f |
C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE
| MD5 | c4a918069757a263adb9fbc9f5c9e00d |
| SHA1 | 66d749fc566763b6170080a40f54f4cda4644af4 |
| SHA256 | 129a2bfe25ceabb871b65b645ef98f6799d7d273fc5ddfd33c1cb78f5b76fa3b |
| SHA512 | 4ecf32fa2c8f53ff7a08555ec5d37739dc1358352621d038669f608edf18b0dcc6dca168a2b602359c9ee098052e546e5c02603f83aad44a114192138de7b7b9 |
C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe
| MD5 | 514972e16cdda8b53012ad8a14a26e60 |
| SHA1 | aa082c2fbe0b3dd5c47952f9a285636412203559 |
| SHA256 | 49091e1e41980b39d8de055fe6c6a1dc69398f17817960d64743e7efb740efc4 |
| SHA512 | 98bbd6f06e3ff3e94aee3620f20f89e254dde157bc8129a64cf78fefe5cf9b13c7902128c2acbd54b3def527e09a039bd1f66ba64efb85f3f0404d894cabbee4 |
C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE
| MD5 | 4ab023aa6def7b300dec4fc7ef55dbe7 |
| SHA1 | aa30491eb799fa5bdf79691f8fe5e087467463f1 |
| SHA256 | 8ca27077312716f79f39309156c905719a908e8ded4bf88c2ba6fa821e574673 |
| SHA512 | 000e33cc2399efa9dc56c06a42f91eb64b94f30b78cf260469f45f3b876f518d2d2b62e33d8f697660ae560d595e5bd5b7a5f847c316d5f97adeb3d8f9248ab5 |
C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe
| MD5 | 66a77a65eea771304e524dd844c9846a |
| SHA1 | f7e3b403439b5f63927e8681a64f62caafe9a360 |
| SHA256 | 9a7391267ab83b45a47d9fcf1e0f76002ed6640ed6a574ba51373410b94812f6 |
| SHA512 | 3643ad1036075305d76dfd753b1ed29ae611b4b9f397b2520f95b1487e85155a111adc83578db8ca5d0fd1e9fe146d018e22f572c187ef468eab8d11d48fc7f4 |
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE
| MD5 | 3e4c1ecf89d19b8484e386008bb37a25 |
| SHA1 | a9a92b63645928e8a92dc395713d3c5b921026b7 |
| SHA256 | 1ebe469c94c2c2a5acbc3927cef19dbe2f583ba3651a55623633891c4c05cc22 |
| SHA512 | 473d03abbb61609749a176a0724e427599a4f4707d72a74ed457b2198098f59fdf64b5394798db82f4064dfe964083d70af6a50a5fa2ab2674c77a99792e4e52 |
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe
| MD5 | 3da833f022988fbc093129595cc8591c |
| SHA1 | fdde5a7fb7a60169d2967ff88c6aba8273f12e36 |
| SHA256 | 1ad4c736829dbcb0fcc620fd897fe0941b9c01e14ccba5d18085b3ca0416ab66 |
| SHA512 | 1299d63337c958e8072d6aaa057904cbbaa51c2eec4457269ead6b72c4eb2a10882e4a5dc7afcdcab5a6910d2105c2e5ee706850074e0425ae7f87d9ea1e5537 |
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE
| MD5 | ef63e5ccbea2788d900f1c70a6159c68 |
| SHA1 | 4ac2e144f9dd97a0cd061b76be89f7850887c166 |
| SHA256 | a46d1ffbe9114015050b2a778859c26248f8bab22d5d1a302b59373bc20c6b45 |
| SHA512 | 913371abb54e0adc94aa08372a20f07ced9f9fdc170f9e468cd39c7387c7e30c1ae238148ccf355d5c8b88b7fd63f914bb108c6cafca9a791d02d8b36468bfac |
C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe
| MD5 | d9e8a1fa55faebd36ed2342fedefbedd |
| SHA1 | c25cc7f0035488de9c5df0121a09b5100e1c28e9 |
| SHA256 | bd7696911d75a9a35dfd125b24cb95003f1e9598592df47fa23a2568986a4a9a |
| SHA512 | 134644c68bd04536e9ea0a5da6e334d36b1ce8012a061fa6dabd31f85c16a1ac9eee8c40fee3d55f25c4d4edf0672de8ce204e344c800361cbcff092c09d7a33 |
C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe
| MD5 | 124147ede15f97b47224628152110ce2 |
| SHA1 | 4530fee9b1199777693073414b82420a7c88a042 |
| SHA256 | 3e815d583236b9cecd912fcc949a301d1e51b609cbb53a2285d08feea305edcd |
| SHA512 | f4c2825380d1bb9ca889d5c5684f13aa0cacb0d6511f6409ca0972a7191195a0175e00c995407848bf09ea03cff05c7395952bf2ffd2af2015b8939f75a8e627 |
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE
| MD5 | 114445130d5e083c42830d9adbf5d748 |
| SHA1 | 48a62ec52b835918cc19a2df9c624a7a0d6b85e1 |
| SHA256 | a5f47d59b8d08fc85ee411ec2e1015fedda08fd4a6cae2bf7b3bb1a7db2ccb5e |
| SHA512 | 45eb73fd4e12ed70c386c733b2bc04296fb1a16be04b4cd45260c70d0e4b6cf3a87dc223ce2319d94b79c513ba19d0816bae428c466076c1de906429aaa78748 |
memory/2000-339-0x0000000000400000-0x000000000041B000-memory.dmp
memory/232-340-0x0000000000400000-0x0000000000E1A000-memory.dmp
memory/928-344-0x0000000000400000-0x000000000041B000-memory.dmp
C:\Windows\directx.sys
| MD5 | 6b3bfceb3942a9508a2148acbee89007 |
| SHA1 | 3622ac7466cc40f50515eb6fcdc15d1f34ad3be3 |
| SHA256 | e0a7bae2a9ac263cff5d725922e40272d8854278d901233a93a5267859c00a3c |
| SHA512 | fa222bfcade636824af32124b45450c92b1abec7a33e6e647a9248eef5371c127d22ccb7cc5a096b4d5d52e2457f3841293a1b34304e8e5523549856ac02f224 |
memory/5100-376-0x0000000000400000-0x000000000041B000-memory.dmp
memory/3784-381-0x0000000000400000-0x000000000041B000-memory.dmp
memory/4916-382-0x0000000000400000-0x000000000041B000-memory.dmp
memory/232-383-0x0000000000400000-0x0000000000E1A000-memory.dmp
memory/4952-384-0x0000000000400000-0x0000000000E1A000-memory.dmp
C:\ProgramData\Synaptics\RCXE04E.tmp
| MD5 | 50891fdf662153bd82aadddeb9c11f4f |
| SHA1 | 3e6dbe704e58ed48b0a92bc04b83cd77510a5e89 |
| SHA256 | 876f13848ccc16b4771440887df15c89e43c4811b6f34b977c0da8e6fea8cc26 |
| SHA512 | 8dd3689711326005e9673608b35db760f02d3d30cfc37b3d749d7d8f5eaf81e2fcd3484fb5aedd4dcb4b86e89e3bc1da2694148b3886a05c2ef055e48120ccde |
memory/4888-395-0x0000000000400000-0x0000000000D53000-memory.dmp
memory/3212-457-0x0000000000400000-0x000000000041B000-memory.dmp
C:\Windows\directx.sys
| MD5 | 56abc40d1e45c091d8afddb90a4ce6b4 |
| SHA1 | 08db549484467b32b79958700300cabefc659848 |
| SHA256 | a43fa861957415e3b0f25e2b54d931961cd309ff1d5354a9362852895b90b3e1 |
| SHA512 | 51625c015a7c8fcf6fb51d3396aa08d2068772e3fcacaf32c409e82071af4ba1eb2ee94f36c06a98c32ba59d23bbaa6b540f7bd418a9472303cc225151daa698 |
memory/2924-464-0x0000000000400000-0x000000000041B000-memory.dmp
memory/2640-483-0x0000000000400000-0x000000000041B000-memory.dmp
memory/3528-484-0x0000000000400000-0x000000000041B000-memory.dmp
memory/3480-486-0x0000000000400000-0x0000000000D53000-memory.dmp
memory/952-490-0x0000000004550000-0x0000000005DF0000-memory.dmp
memory/4888-485-0x0000000000400000-0x0000000000D53000-memory.dmp
memory/2296-547-0x0000000000400000-0x0000000000D53000-memory.dmp
memory/952-548-0x0000000004550000-0x0000000005DF0000-memory.dmp
memory/4660-557-0x0000000000400000-0x00000000004C2000-memory.dmp
memory/5076-559-0x0000000000400000-0x0000000001C9F400-memory.dmp
memory/5048-560-0x0000000000400000-0x0000000001C9F400-memory.dmp
memory/2000-561-0x0000000000400000-0x000000000041B000-memory.dmp
memory/952-562-0x0000000000400000-0x0000000000C8D000-memory.dmp
memory/4916-572-0x0000000000400000-0x000000000041B000-memory.dmp
memory/5096-632-0x0000000000400000-0x0000000000C8D000-memory.dmp
memory/1956-656-0x0000000000400000-0x000000000041B000-memory.dmp
memory/4216-657-0x0000000000400000-0x000000000041B000-memory.dmp
memory/5076-658-0x0000000000400000-0x0000000001C9F400-memory.dmp
memory/5048-659-0x0000000000400000-0x0000000001C9F400-memory.dmp
memory/1540-662-0x0000000000400000-0x0000000000C8D000-memory.dmp
memory/716-742-0x0000000000400000-0x0000000000D53000-memory.dmp
memory/1320-743-0x0000000000400000-0x000000000041B000-memory.dmp
memory/1736-744-0x0000000000400000-0x000000000041B000-memory.dmp
memory/4764-751-0x0000000000400000-0x0000000000C8D000-memory.dmp
memory/5076-752-0x0000000000400000-0x0000000001C9F400-memory.dmp
memory/5048-753-0x0000000000400000-0x0000000001C9F400-memory.dmp
memory/3896-775-0x0000000000400000-0x000000000041B000-memory.dmp
memory/2000-776-0x0000000000400000-0x000000000041B000-memory.dmp
memory/2492-777-0x0000000000400000-0x000000000041B000-memory.dmp