neshta | e2e888f5e0dec43e08cdfe000040307b32dba99431d00337b69002cadbb1acae

Analysis

max time kernel
1s
max time network
134s
platform
windows10-2004_x64
resource
win10v2004-20250313-en
resource tags

arch:x64arch:x86image:win10v2004-20250313-enlocale:en-usos:windows10-2004-x64system
submitted
30/03/2025, 11:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-03-30_a2b6b00c9d611b99e47068506941fa31_amadey_black-basta_darkgate_hijackloader_luca-stealer_neshta_smoke-loader.exe
Size

7.8MB
MD5

a2b6b00c9d611b99e47068506941fa31
SHA1

eadf765375639ba78ee98048aa61ef519efb757e
SHA256

e2e888f5e0dec43e08cdfe000040307b32dba99431d00337b69002cadbb1acae
SHA512

6b5ba15df2ef49a7b9564dade3e023119d00e7208bf59586e0e584d95e610d964e509e752f7f1e524fbdc447b27938bc6074255f4f0f3596652ae996f754816a
SSDEEP

98304:Gnsmtk2a0mtk2aUmtk2aPxOpcjacR2lqxZA1pm2KMhSpo1jgPnQng:4Li69NlqxWpm2KM0sKug

Score

10^/10

neshta xred backdoor discovery persistence spyware

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Detect Neshta payload 64 IoCs

resource	yara_rule
behavioral2/files/0x00040000000233b9-5.dat	family_neshta
behavioral2/files/0x0007000000024275-40.dat	family_neshta
behavioral2/files/0x0007000000024277-102.dat	family_neshta
behavioral2/files/0x0007000000024275-107.dat	family_neshta
behavioral2/files/0x0007000000024275-114.dat	family_neshta
behavioral2/files/0x0007000000024275-112.dat	family_neshta
behavioral2/memory/5844-108-0x0000000000400000-0x0000000000BCE000-memory.dmp	family_neshta
behavioral2/memory/2332-213-0x0000000000400000-0x0000000000BCE000-memory.dmp	family_neshta
behavioral2/files/0x000700000002427a-232.dat	family_neshta
behavioral2/memory/1400-235-0x0000000000400000-0x0000000000B08000-memory.dmp	family_neshta
behavioral2/files/0x0007000000024279-267.dat	family_neshta
behavioral2/memory/1268-289-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/files/0x000600000002030a-343.dat	family_neshta
behavioral2/memory/1788-346-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/files/0x000600000002042c-344.dat	family_neshta
behavioral2/files/0x0004000000020440-358.dat	family_neshta
behavioral2/files/0x0001000000022fcd-383.dat	family_neshta
behavioral2/files/0x0001000000022fdf-389.dat	family_neshta
behavioral2/memory/60-393-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/files/0x0001000000022fd8-388.dat	family_neshta
behavioral2/files/0x0001000000022fd3-387.dat	family_neshta
behavioral2/files/0x0001000000022fd2-386.dat	family_neshta
behavioral2/files/0x0001000000022fcb-382.dat	family_neshta
behavioral2/files/0x0001000000023010-381.dat	family_neshta
behavioral2/files/0x0001000000022f5c-380.dat	family_neshta
behavioral2/files/0x0001000000022f57-379.dat	family_neshta
behavioral2/files/0x0001000000022f56-378.dat	family_neshta
behavioral2/files/0x0001000000022f48-377.dat	family_neshta
behavioral2/files/0x0001000000022f46-376.dat	family_neshta
behavioral2/files/0x00010000000233bc-375.dat	family_neshta
behavioral2/files/0x00010000000215ab-373.dat	family_neshta
behavioral2/files/0x00010000000215aa-372.dat	family_neshta
behavioral2/files/0x00010000000215a9-371.dat	family_neshta
behavioral2/files/0x00010000000226a6-370.dat	family_neshta
behavioral2/files/0x00010000000215fe-369.dat	family_neshta
behavioral2/files/0x0002000000020405-368.dat	family_neshta
behavioral2/files/0x000800000002032f-367.dat	family_neshta
behavioral2/files/0x000600000002032d-366.dat	family_neshta
behavioral2/memory/4872-364-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/files/0x000100000002039f-357.dat	family_neshta
behavioral2/files/0x000400000002042e-356.dat	family_neshta
behavioral2/files/0x000100000002038c-355.dat	family_neshta
behavioral2/files/0x000100000002031d-353.dat	family_neshta
behavioral2/files/0x0006000000020325-361.dat	family_neshta
behavioral2/memory/408-523-0x0000000000400000-0x0000000000B08000-memory.dmp	family_neshta
behavioral2/files/0x0004000000020401-360.dat	family_neshta
behavioral2/files/0x0001000000020387-359.dat	family_neshta
behavioral2/files/0x0006000000020316-342.dat	family_neshta
behavioral2/files/0x000600000002030e-341.dat	family_neshta
behavioral2/files/0x0007000000020376-338.dat	family_neshta
behavioral2/files/0x000400000002043b-337.dat	family_neshta
behavioral2/memory/1816-287-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4532-543-0x0000000000400000-0x0000000000BCE000-memory.dmp	family_neshta
behavioral2/memory/5988-559-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/1544-610-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2468-612-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/3660-676-0x0000000000400000-0x0000000000B08000-memory.dmp	family_neshta
behavioral2/memory/3428-677-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/1060-747-0x0000000000400000-0x0000000000B08000-memory.dmp	family_neshta
behavioral2/memory/2484-748-0x0000000000400000-0x0000000000B08000-memory.dmp	family_neshta
behavioral2/memory/5452-764-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/1368-771-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/5872-770-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4800-778-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Neshta family
neshta
Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	2025-03-30_a2b6b00c9d611b99e47068506941fa31_amadey_black-basta_darkgate_hijackloader_luca-stealer_neshta_smoke-loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	._cache_2025-03-30_a2b6b00c9d611b99e47068506941fa31_amadey_black-basta_darkgate_hijackloader_luca-stealer_neshta_smoke-loader.exe

Executes dropped EXE 4 IoCs

pid	Process
5872	._cache_2025-03-30_a2b6b00c9d611b99e47068506941fa31_amadey_black-basta_darkgate_hijackloader_luca-stealer_neshta_smoke-loader.exe
4532	Synaptics.exe
1400	._cache_2025-03-30_a2b6b00c9d611b99e47068506941fa31_amadey_black-basta_darkgate_hijackloader_luca-stealer_neshta_smoke-loader.exe
2332	Synaptics.exe

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	._cache_2025-03-30_a2b6b00c9d611b99e47068506941fa31_amadey_black-basta_darkgate_hijackloader_luca-stealer_neshta_smoke-loader.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	2025-03-30_a2b6b00c9d611b99e47068506941fa31_amadey_black-basta_darkgate_hijackloader_luca-stealer_neshta_smoke-loader.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\._cache_Synaptics.exe	Synaptics.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\svchost.com	._cache_2025-03-30_a2b6b00c9d611b99e47068506941fa31_amadey_black-basta_darkgate_hijackloader_luca-stealer_neshta_smoke-loader.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_2025-03-30_a2b6b00c9d611b99e47068506941fa31_amadey_black-basta_darkgate_hijackloader_luca-stealer_neshta_smoke-loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-03-30_a2b6b00c9d611b99e47068506941fa31_amadey_black-basta_darkgate_hijackloader_luca-stealer_neshta_smoke-loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_2025-03-30_a2b6b00c9d611b99e47068506941fa31_amadey_black-basta_darkgate_hijackloader_luca-stealer_neshta_smoke-loader.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	2025-03-30_a2b6b00c9d611b99e47068506941fa31_amadey_black-basta_darkgate_hijackloader_luca-stealer_neshta_smoke-loader.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	._cache_2025-03-30_a2b6b00c9d611b99e47068506941fa31_amadey_black-basta_darkgate_hijackloader_luca-stealer_neshta_smoke-loader.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 5844 wrote to memory of 5872	5844	2025-03-30_a2b6b00c9d611b99e47068506941fa31_amadey_black-basta_darkgate_hijackloader_luca-stealer_neshta_smoke-loader.exe	88
PID 5844 wrote to memory of 5872	5844	2025-03-30_a2b6b00c9d611b99e47068506941fa31_amadey_black-basta_darkgate_hijackloader_luca-stealer_neshta_smoke-loader.exe	88
PID 5844 wrote to memory of 5872	5844	2025-03-30_a2b6b00c9d611b99e47068506941fa31_amadey_black-basta_darkgate_hijackloader_luca-stealer_neshta_smoke-loader.exe	88
PID 5844 wrote to memory of 4532	5844	2025-03-30_a2b6b00c9d611b99e47068506941fa31_amadey_black-basta_darkgate_hijackloader_luca-stealer_neshta_smoke-loader.exe	244
PID 5844 wrote to memory of 4532	5844	2025-03-30_a2b6b00c9d611b99e47068506941fa31_amadey_black-basta_darkgate_hijackloader_luca-stealer_neshta_smoke-loader.exe	244
PID 5844 wrote to memory of 4532	5844	2025-03-30_a2b6b00c9d611b99e47068506941fa31_amadey_black-basta_darkgate_hijackloader_luca-stealer_neshta_smoke-loader.exe	244
PID 5872 wrote to memory of 1400	5872	._cache_2025-03-30_a2b6b00c9d611b99e47068506941fa31_amadey_black-basta_darkgate_hijackloader_luca-stealer_neshta_smoke-loader.exe	92
PID 5872 wrote to memory of 1400	5872	._cache_2025-03-30_a2b6b00c9d611b99e47068506941fa31_amadey_black-basta_darkgate_hijackloader_luca-stealer_neshta_smoke-loader.exe	92
PID 5872 wrote to memory of 1400	5872	._cache_2025-03-30_a2b6b00c9d611b99e47068506941fa31_amadey_black-basta_darkgate_hijackloader_luca-stealer_neshta_smoke-loader.exe	92
PID 1480 wrote to memory of 2332	1480	cmd.exe	93
PID 1480 wrote to memory of 2332	1480	cmd.exe	93
PID 1480 wrote to memory of 2332	1480	cmd.exe	93

C:\Users\Admin\AppData\Local\Temp\2025-03-30_a2b6b00c9d611b99e47068506941fa31_amadey_black-basta_darkgate_hijackloader_luca-stealer_neshta_smoke-loader.exe
"C:\Users\Admin\AppData\Local\Temp\2025-03-30_a2b6b00c9d611b99e47068506941fa31_amadey_black-basta_darkgate_hijackloader_luca-stealer_neshta_smoke-loader.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5844
- C:\Users\Admin\AppData\Local\Temp\._cache_2025-03-30_a2b6b00c9d611b99e47068506941fa31_amadey_black-basta_darkgate_hijackloader_luca-stealer_neshta_smoke-loader.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_2025-03-30_a2b6b00c9d611b99e47068506941fa31_amadey_black-basta_darkgate_hijackloader_luca-stealer_neshta_smoke-loader.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:5872
- - C:\Users\Admin\AppData\Local\Temp\3582-490\._cache_2025-03-30_a2b6b00c9d611b99e47068506941fa31_amadey_black-basta_darkgate_hijackloader_luca-stealer_neshta_smoke-loader.exe
    "C:\Users\Admin\AppData\Local\Temp\3582-490\._cache_2025-03-30_a2b6b00c9d611b99e47068506941fa31_amadey_black-basta_darkgate_hijackloader_luca-stealer_neshta_smoke-loader.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1400
  - - C:\Users\Admin\AppData\Local\Temp\._cache_._cache_2025-03-30_a2b6b00c9d611b99e47068506941fa31_amadey_black-basta_darkgate_hijackloader_luca-stealer_neshta_smoke-loader.exe
      "C:\Users\Admin\AppData\Local\Temp\._cache_._cache_2025-03-30_a2b6b00c9d611b99e47068506941fa31_amadey_black-basta_darkgate_hijackloader_luca-stealer_neshta_smoke-loader.exe"
      4⤵
      PID:1268
    - - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE"
        5⤵
        
        PID:4872
      - C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE
        6⤵
        
        PID:2712
        
        C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE"
        7⤵
        
        PID:4732
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4532
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    PID:1816
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate
      4⤵
      PID:60
    - - C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate
        5⤵
        
        PID:3660
      - C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate
        6⤵
        
        PID:2468
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE" InjUpdate
        7⤵
        
        PID:3428
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE InjUpdate
        8⤵
        
        PID:2716
        
        C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~4.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~4.EXE" InjUpdate
        9⤵
        
        PID:1440
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        9⤵
        
        PID:2004
      - C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        6⤵
        
        PID:1060
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        7⤵
        
        PID:5452
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate
        8⤵
        
        PID:1368
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate
        9⤵
        
        PID:4636
        
        C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate
        10⤵
        
        PID:4684
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE" InjUpdate
        11⤵
        
        PID:5152
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE InjUpdate
        12⤵
        
        PID:4160
        
        C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~4.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~4.EXE" InjUpdate
        13⤵
        
        PID:5460
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        13⤵
        
        PID:4216
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\SYNAPT~1.EXE" InjUpdate
        14⤵
        
        PID:1060
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SYNAPT~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SYNAPT~1.EXE InjUpdate
        15⤵
        
        PID:4524
        
        C:\ProgramData\Synaptics\._cache_SYNAPT~1.EXE
        
        "C:\ProgramData\Synaptics\._cache_SYNAPT~1.EXE" InjUpdate
        16⤵
        
        PID:408
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE" InjUpdate
        17⤵
        
        PID:2620
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        16⤵
        
        PID:5564
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\SYNAPT~1.EXE" InjUpdate
        17⤵
        
        PID:4644
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SYNAPT~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SYNAPT~1.EXE InjUpdate
        18⤵
        
        PID:4460
        
        C:\ProgramData\Synaptics\._cache_SYNAPT~1.EXE
        
        "C:\ProgramData\Synaptics\._cache_SYNAPT~1.EXE" InjUpdate
        19⤵
        
        PID:1804
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\._cache_SYNAPT~1.EXE" InjUpdate
        20⤵
        
        PID:3792
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\._cache_SYNAPT~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\._cache_SYNAPT~1.EXE InjUpdate
        21⤵
        
        PID:3220
        
        C:\ProgramData\Synaptics\._cache_._cache_SYNAPT~1.EXE
        
        "C:\ProgramData\Synaptics\._cache_._cache_SYNAPT~1.EXE" InjUpdate
        22⤵
        
        PID:5608
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        19⤵
        
        PID:2752
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\SYNAPT~1.EXE" InjUpdate
        20⤵
        
        PID:4984
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SYNAPT~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SYNAPT~1.EXE InjUpdate
        21⤵
        
        PID:4972
        
        C:\ProgramData\Synaptics\._cache_SYNAPT~1.EXE
        
        "C:\ProgramData\Synaptics\._cache_SYNAPT~1.EXE" InjUpdate
        22⤵
        
        PID:2664
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE" InjUpdate
        23⤵
        
        PID:3716
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE InjUpdate
        24⤵
        
        PID:6092
        
        C:\ProgramData\Synaptics\._cache__CACHE~1.EXE
        
        "C:\ProgramData\Synaptics\._cache__CACHE~1.EXE" InjUpdate
        25⤵
        
        PID:1044
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        10⤵
        
        PID:3924
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\SYNAPT~1.EXE" InjUpdate
        11⤵
        
        PID:1032
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SYNAPT~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SYNAPT~1.EXE InjUpdate
        12⤵
        
        PID:5268
        
        C:\ProgramData\Synaptics\._cache_SYNAPT~1.EXE
        
        "C:\ProgramData\Synaptics\._cache_SYNAPT~1.EXE" InjUpdate
        13⤵
        
        PID:4924
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\._cache_SYNAPT~1.EXE" InjUpdate
        14⤵
        
        PID:4652
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        13⤵
        
        PID:3092
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\SYNAPT~1.EXE" InjUpdate
        14⤵
        
        PID:4712
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SYNAPT~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SYNAPT~1.EXE InjUpdate
        15⤵
        
        PID:6004
        
        C:\ProgramData\Synaptics\._cache_SYNAPT~1.EXE
        
        "C:\ProgramData\Synaptics\._cache_SYNAPT~1.EXE" InjUpdate
        16⤵
        
        PID:2296
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE" InjUpdate
        17⤵
        
        PID:2824
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE InjUpdate
        18⤵
        
        PID:5680
        
        C:\ProgramData\Synaptics\._cache__CACHE~1.EXE
        
        "C:\ProgramData\Synaptics\._cache__CACHE~1.EXE" InjUpdate
        19⤵
        
        PID:6032
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        16⤵
        
        PID:3508
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\SYNAPT~1.EXE" InjUpdate
        17⤵
        
        PID:4584
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SYNAPT~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SYNAPT~1.EXE InjUpdate
        18⤵
        
        PID:1588
        
        C:\ProgramData\Synaptics\._cache_SYNAPT~1.EXE
        
        "C:\ProgramData\Synaptics\._cache_SYNAPT~1.EXE" InjUpdate
        19⤵
        
        PID:4240
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE" InjUpdate
        20⤵
        
        PID:5376
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE InjUpdate
        21⤵
        
        PID:388
        
        C:\ProgramData\Synaptics\._cache__CACHE~1.EXE
        
        "C:\ProgramData\Synaptics\._cache__CACHE~1.EXE" InjUpdate
        22⤵
        
        PID:5564

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\Synaptics\Synaptics.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:1480
- C:\ProgramData\Synaptics\Synaptics.exe
  C:\ProgramData\Synaptics\Synaptics.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  PID:2332
- - C:\Windows\SysWOW64\._cache_Synaptics.exe
    "C:\Windows\system32\._cache_Synaptics.exe"
    3⤵
    PID:1808
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE"
      4⤵
      PID:1788
    - - C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
        5⤵
        
        PID:408
      - C:\Windows\SysWOW64\._cache__CACHE~2.EXE
        
        "C:\Windows\SysWOW64\._cache__CACHE~2.EXE"
        6⤵
        
        PID:5988
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE"
        7⤵
        
        PID:1544
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~4.EXE
        8⤵
        
        PID:4000
        
        C:\Windows\SysWOW64\._cache__CACHE~4.EXE
        
        "C:\Windows\SysWOW64\._cache__CACHE~4.EXE"
        9⤵
        
        PID:5996
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        9⤵
        
        PID:2876
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        9⤵
        
        PID:4440
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\PROGRA~3\SYNAPT~1\SYNAPT~1.EXE" InjUpdate
        9⤵
        
        PID:4800
        
        C:\PROGRA~3\SYNAPT~1\SYNAPT~1.EXE
        
        C:\PROGRA~3\SYNAPT~1\SYNAPT~1.EXE InjUpdate
        10⤵
        
        PID:5384
        
        C:\Windows\SysWOW64\._cache_SYNAPT~1.EXE
        
        "C:\Windows\SysWOW64\._cache_SYNAPT~1.EXE" InjUpdate
        11⤵
        
        PID:5316
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE" InjUpdate
        12⤵
        
        PID:3160
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE InjUpdate
        13⤵
        
        PID:4784
        
        C:\Windows\SysWOW64\._cache__CACHE~1.EXE
        
        "C:\Windows\SysWOW64\._cache__CACHE~1.EXE" InjUpdate
        14⤵
        
        PID:5696
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        14⤵
        
        PID:1112
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\SYNAPT~1.EXE" InjUpdate
        15⤵
        
        PID:4296
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SYNAPT~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SYNAPT~1.EXE InjUpdate
        16⤵
        
        PID:5252
        
        C:\ProgramData\Synaptics\._cache_SYNAPT~1.EXE
        
        "C:\ProgramData\Synaptics\._cache_SYNAPT~1.EXE" InjUpdate
        17⤵
        
        PID:4364
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\._cache_SYNAPT~1.EXE" InjUpdate
        18⤵
        
        PID:4288
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        17⤵
        
        PID:6016
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\SYNAPT~1.EXE" InjUpdate
        18⤵
        
        PID:4936
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SYNAPT~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\SYNAPT~1.EXE InjUpdate
        19⤵
        
        PID:3060
        
        C:\ProgramData\Synaptics\._cache_SYNAPT~1.EXE
        
        "C:\ProgramData\Synaptics\._cache_SYNAPT~1.EXE" InjUpdate
        20⤵
        
        PID:1036
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE" InjUpdate
        21⤵
        
        PID:1072
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE InjUpdate
        22⤵
        
        PID:5860
        
        C:\ProgramData\Synaptics\._cache__CACHE~1.EXE
        
        "C:\ProgramData\Synaptics\._cache__CACHE~1.EXE" InjUpdate
        23⤵
        
        PID:6000
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        11⤵
        
        PID:1216

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
PID:5180

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\Synaptics\Synaptics.exe
1⤵
PID:1588
- C:\ProgramData\Synaptics\Synaptics.exe
  C:\ProgramData\Synaptics\Synaptics.exe
  2⤵
  PID:2484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\Synaptics\Synaptics.exe
1⤵
PID:5124
- C:\ProgramData\Synaptics\Synaptics.exe
  C:\ProgramData\Synaptics\Synaptics.exe
  2⤵
  PID:1628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\Synaptics\Synaptics.exe
1⤵
PID:888
- C:\ProgramData\Synaptics\Synaptics.exe
  C:\ProgramData\Synaptics\Synaptics.exe
  2⤵
  PID:3448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\Synaptics\Synaptics.exe
1⤵
PID:2280
- C:\ProgramData\Synaptics\Synaptics.exe
  C:\ProgramData\Synaptics\Synaptics.exe
  2⤵
  PID:708
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\SYNAPT~1.EXE"
    3⤵
    PID:5200
  - - C:\Users\Admin\AppData\Local\Temp\3582-490\SYNAPT~1.EXE
      C:\Users\Admin\AppData\Local\Temp\3582-490\SYNAPT~1.EXE
      4⤵
      PID:1840
    - - C:\ProgramData\Synaptics\._cache_SYNAPT~1.EXE
        
        "C:\ProgramData\Synaptics\._cache_SYNAPT~1.EXE"
        5⤵
        
        PID:4748
      - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\._cache_SYNAPT~1.EXE"
        6⤵
        
        PID:6096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\Synaptics\Synaptics.exe
1⤵
PID:1480
- C:\ProgramData\Synaptics\Synaptics.exe
  C:\ProgramData\Synaptics\Synaptics.exe
  2⤵
  PID:1604
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\SYNAPT~1.EXE"
    3⤵
    PID:1232
  - - C:\Users\Admin\AppData\Local\Temp\3582-490\SYNAPT~1.EXE
      C:\Users\Admin\AppData\Local\Temp\3582-490\SYNAPT~1.EXE
      4⤵
      PID:4304
    - - C:\ProgramData\Synaptics\._cache_SYNAPT~1.EXE
        
        "C:\ProgramData\Synaptics\._cache_SYNAPT~1.EXE"
        5⤵
        
        PID:2704
      - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\._cache_SYNAPT~1.EXE"
        6⤵
        
        PID:1044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\Synaptics\Synaptics.exe
1⤵
PID:6044
- C:\ProgramData\Synaptics\Synaptics.exe
  C:\ProgramData\Synaptics\Synaptics.exe
  2⤵
  PID:4992
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\SYNAPT~1.EXE"
    3⤵
    PID:3004
  - - C:\Users\Admin\AppData\Local\Temp\3582-490\SYNAPT~1.EXE
      C:\Users\Admin\AppData\Local\Temp\3582-490\SYNAPT~1.EXE
      4⤵
      PID:3088
    - - C:\ProgramData\Synaptics\._cache_SYNAPT~1.EXE
        
        "C:\ProgramData\Synaptics\._cache_SYNAPT~1.EXE"
        5⤵
        
        PID:4564

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\Synaptics\Synaptics.exe
1⤵
PID:2636
- C:\ProgramData\Synaptics\Synaptics.exe
  C:\ProgramData\Synaptics\Synaptics.exe
  2⤵
  PID:5068
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\SYNAPT~1.EXE"
    3⤵
    PID:5228
  - - C:\Users\Admin\AppData\Local\Temp\3582-490\SYNAPT~1.EXE
      C:\Users\Admin\AppData\Local\Temp\3582-490\SYNAPT~1.EXE
      4⤵
      PID:736
    - - C:\ProgramData\Synaptics\._cache_SYNAPT~1.EXE
        
        "C:\ProgramData\Synaptics\._cache_SYNAPT~1.EXE"
        5⤵
        
        PID:6084
      - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"
        6⤵
        
        PID:3996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\Synaptics\Synaptics.exe
1⤵
PID:1624
- C:\ProgramData\Synaptics\Synaptics.exe
  C:\ProgramData\Synaptics\Synaptics.exe
  2⤵
  PID:5876
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\SYNAPT~1.EXE"
    3⤵
    PID:1296
  - - C:\Users\Admin\AppData\Local\Temp\3582-490\SYNAPT~1.EXE
      C:\Users\Admin\AppData\Local\Temp\3582-490\SYNAPT~1.EXE
      4⤵
      PID:1604
    - - C:\ProgramData\Synaptics\._cache_SYNAPT~1.EXE
        
        "C:\ProgramData\Synaptics\._cache_SYNAPT~1.EXE"
        5⤵
        
        PID:972
      - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"
        6⤵
        
        PID:2124
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
        7⤵
        
        PID:3008
        
        C:\ProgramData\Synaptics\._cache__CACHE~1.EXE
        
        "C:\ProgramData\Synaptics\._cache__CACHE~1.EXE"
        8⤵
        
        PID:4784

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\Synaptics\Synaptics.exe
1⤵
PID:1692
- C:\ProgramData\Synaptics\Synaptics.exe
  C:\ProgramData\Synaptics\Synaptics.exe
  2⤵
  PID:5548
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\SYNAPT~1.EXE"
    3⤵
    PID:2936
  - - C:\Users\Admin\AppData\Local\Temp\3582-490\SYNAPT~1.EXE
      C:\Users\Admin\AppData\Local\Temp\3582-490\SYNAPT~1.EXE
      4⤵
      PID:952
    - - C:\ProgramData\Synaptics\._cache_SYNAPT~1.EXE
        
        "C:\ProgramData\Synaptics\._cache_SYNAPT~1.EXE"
        5⤵
        
        PID:6140
      - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"
        6⤵
        
        PID:1624
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
        7⤵
        
        PID:8
        
        C:\ProgramData\Synaptics\._cache__CACHE~1.EXE
        
        "C:\ProgramData\Synaptics\._cache__CACHE~1.EXE"
        8⤵
        
        PID:3076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\Synaptics\Synaptics.exe
1⤵
PID:5848
- C:\ProgramData\Synaptics\Synaptics.exe
  C:\ProgramData\Synaptics\Synaptics.exe
  2⤵
  PID:4888
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\SYNAPT~1.EXE"
    3⤵
    PID:3392
  - - C:\Users\Admin\AppData\Local\Temp\3582-490\SYNAPT~1.EXE
      C:\Users\Admin\AppData\Local\Temp\3582-490\SYNAPT~1.EXE
      4⤵
      PID:5412
    - - C:\ProgramData\Synaptics\._cache_SYNAPT~1.EXE
        
        "C:\ProgramData\Synaptics\._cache_SYNAPT~1.EXE"
        5⤵
        
        PID:4772
      - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"
        6⤵
        
        PID:1864
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
        7⤵
        
        PID:708
        
        C:\ProgramData\Synaptics\._cache__CACHE~1.EXE
        
        "C:\ProgramData\Synaptics\._cache__CACHE~1.EXE"
        8⤵
        
        PID:5416
    - - C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        5⤵
        
        PID:5236

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\Synaptics\Synaptics.exe
1⤵
PID:2716
- C:\ProgramData\Synaptics\Synaptics.exe
  C:\ProgramData\Synaptics\Synaptics.exe
  2⤵
  PID:2456
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\SYNAPT~1.EXE"
    3⤵
    PID:2936
  - - C:\Users\Admin\AppData\Local\Temp\3582-490\SYNAPT~1.EXE
      C:\Users\Admin\AppData\Local\Temp\3582-490\SYNAPT~1.EXE
      4⤵
      PID:4532
    - - C:\ProgramData\Synaptics\._cache_SYNAPT~1.EXE
        
        "C:\ProgramData\Synaptics\._cache_SYNAPT~1.EXE"
        5⤵
        
        PID:5268
      - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"
        6⤵
        
        PID:2296
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
        7⤵
        
        PID:1248
        
        C:\ProgramData\Synaptics\._cache__CACHE~1.EXE
        
        "C:\ProgramData\Synaptics\._cache__CACHE~1.EXE"
        8⤵
        
        PID:4740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\Synaptics\Synaptics.exe
1⤵
PID:1112
- C:\ProgramData\Synaptics\Synaptics.exe
  C:\ProgramData\Synaptics\Synaptics.exe
  2⤵
  PID:2540
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\SYNAPT~1.EXE"
    3⤵
    PID:4048
  - - C:\Users\Admin\AppData\Local\Temp\3582-490\SYNAPT~1.EXE
      C:\Users\Admin\AppData\Local\Temp\3582-490\SYNAPT~1.EXE
      4⤵
      PID:3196
    - - C:\ProgramData\Synaptics\._cache_SYNAPT~1.EXE
        
        "C:\ProgramData\Synaptics\._cache_SYNAPT~1.EXE"
        5⤵
        
        PID:1620
      - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"
        6⤵
        
        PID:5504
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
        7⤵
        
        PID:1964
        
        C:\ProgramData\Synaptics\._cache__CACHE~1.EXE
        
        "C:\ProgramData\Synaptics\._cache__CACHE~1.EXE"
        8⤵
        
        PID:2324

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\Synaptics\Synaptics.exe
1⤵
PID:5072
- C:\ProgramData\Synaptics\Synaptics.exe
  C:\ProgramData\Synaptics\Synaptics.exe
  2⤵
  PID:748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE

Filesize
328KB

MD5
39c8a4c2c3984b64b701b85cb724533b

SHA1
c911f4c4070dfe9a35d9adcb7de6e6fb1482ce00

SHA256
888a1dd0033e5d758a4e731e3e55357de866e80d03b1b194375f714e1fd4351d

SHA512
f42ca2962fe60cff1a13dea8b81ff0647b317c785ee4f5159c38487c34d33aecba8478757047d31ab2ee893fbdcb91a21655353456ba6a018fc71b2278db4db2

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE

Filesize
86KB

MD5
3b73078a714bf61d1c19ebc3afc0e454

SHA1
9abeabd74613a2f533e2244c9ee6f967188e4e7e

SHA256
ded54d1fcca07b6bff2bc3b9a1131eac29ff1f836e5d7a7c5c325ec5abe96e29

SHA512
75959d4e8a7649c3268b551a2a378e6d27c0bfb03d2422ebeeb67b0a3f78c079473214057518930f2d72773ce79b106fd2d78405e8e3d8883459dcbb49c163c4

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE

Filesize
5.7MB

MD5
09acdc5bbec5a47e8ae47f4a348541e2

SHA1
658f64967b2a9372c1c0bdd59c6fb2a18301d891

SHA256
1b5c715d71384f043843ea1785a6873a9f39d2daae112ccdeffcd88b10a3a403

SHA512
3867bf98e1a0e253114a98b78b047b0d8282b5abf4aaf836f31cc0e26224e2a1b802c65df9d90dc7696a6dbcb9a8e4b900f1d1299e1b11e36f095ebaf8a2e5b8

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe

Filesize
175KB

MD5
576410de51e63c3b5442540c8fdacbee

SHA1
8de673b679e0fee6e460cbf4f21ab728e41e0973

SHA256
3f00404dd591c2856e6f71bd78423ed47199902e0b85f228e6c4de72c59ddffe

SHA512
f7761f3878775b30cc3d756fa122e74548dfc0a27e38fa4109e34a59a009df333d074bf14a227549ae347605f271be47984c55148685faac479aeb481f7191db

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe

Filesize
9.4MB

MD5
322302633e36360a24252f6291cdfc91

SHA1
238ed62353776c646957efefc0174c545c2afa3d

SHA256
31da9632f5d25806b77b617d48da52a14afc574bbe1653120f97705284ea566c

SHA512
5a1f7c44ce7f5036bffc18ebac39e2bf70e6f35fa252617d665b26448f4c4473adfa115467b7e2d9b7068823e448f74410cdcdfef1ac1c09021e051921787373

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe

Filesize
2.4MB

MD5
8ffc3bdf4a1903d9e28b99d1643fc9c7

SHA1
919ba8594db0ae245a8abd80f9f3698826fc6fe5

SHA256
8268d3fefe8ca96a25a73690d14bacf644170ab5e9e70d2f8eeb350a4c83f9f6

SHA512
0b94ead97374d74eaee87e7614ddd3911d2cf66d4c49abbfd06b02c03e5dd56fd00993b4947e8a4bcd9d891fa39cab18cc6b61efc7d0812e91eb3aea9cd1a427

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE

Filesize
183KB

MD5
9dfcdd1ab508b26917bb2461488d8605

SHA1
4ba6342bcf4942ade05fb12db83da89dc8c56a21

SHA256
ecd5e94da88c653e4c34b6ab325e0aca8824247b290336f75c410caa16381bc5

SHA512
1afc1b95f160333f1ff2fa14b3f22a28ae33850699c6b5498915a8b6bec1cfc40f33cb69583240aa9206bc2ea7ab14e05e071275b836502a92aa8c529fc1b137

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe

Filesize
131KB

MD5
5791075058b526842f4601c46abd59f5

SHA1
b2748f7542e2eebcd0353c3720d92bbffad8678f

SHA256
5c3ef3ec7594c040146e908014791dd15201ba58b4d70032770bb661b6a0e394

SHA512
83e303971ed64019fde9e4ba6f6e889f8fb105088490dfa7dcf579a12baff20ef491f563d132d60c7b24a4fd3cac29bd9dc974571cd162000fae8fba4e0e54fb

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE

Filesize
254KB

MD5
4ddc609ae13a777493f3eeda70a81d40

SHA1
8957c390f9b2c136d37190e32bccae3ae671c80a

SHA256
16d65f2463658a72dba205dcaa18bc3d0bab4453e726233d68bc176e69db0950

SHA512
9d7f90d1529cab20078c2690bf7bffab5a451a41d8993781effe807e619da0e7292f991da2f0c5c131b111d028b3e6084e5648c90816e74dfb664e7f78181bc5

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE

Filesize
386KB

MD5
8c753d6448183dea5269445738486e01

SHA1
ebbbdc0022ca7487cd6294714cd3fbcb70923af9

SHA256
473eb551101caeaf2d18f811342e21de323c8dd19ed21011997716871defe997

SHA512
4f6fddefc42455540448eac0b693a4847e21b68467486376a4186776bfe137337733d3075b7b87ed7dac532478dc9afc63883607ec8205df3f155fee64c7a9be

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE

Filesize
92KB

MD5
176436d406fd1aabebae353963b3ebcf

SHA1
9ffdfdb8cc832a0c6501c4c0e85b23a0f7eff57a

SHA256
2f947e3ca624ce7373080b4a3934e21644fb070a53feeaae442b15b849c2954f

SHA512
a2d1a714e0c1e5463260c64048ba8fd5064cfa06d4a43d02fc04a30748102ff5ba86d20a08e611e200dc778e2b7b3ae808da48132a05a61aa09ac424a182a06a

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE

Filesize
147KB

MD5
3b35b268659965ab93b6ee42f8193395

SHA1
8faefc346e99c9b2488f2414234c9e4740b96d88

SHA256
750824b5f75c91a6c2eeb8c5e60ae28d7a81e323d3762c8652255bfea5cba0bb

SHA512
035259a7598584ddb770db3da4e066b64dc65638501cdd8ff9f8e2646f23b76e3dfffa1fb5ed57c9bd15bb4efa3f7dd33fdc2e769e5cc195c25de0e340eb89ab

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe

Filesize
125KB

MD5
cce8964848413b49f18a44da9cb0a79b

SHA1
0b7452100d400acebb1c1887542f322a92cbd7ae

SHA256
fe44ca8d5050932851aa54c23133277e66db939501af58e5aeb7b67ec1dde7b5

SHA512
bf8fc270229d46a083ced30da6637f3ca510b0ce44624a9b21ec6aacac81666dffd41855053a936aa9e8ea6e745a09b820b506ec7bf1173b6f1837828a35103d

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE

Filesize
142KB

MD5
92dc0a5b61c98ac6ca3c9e09711e0a5d

SHA1
f809f50cfdfbc469561bced921d0bad343a0d7b4

SHA256
3e9da97a7106122245e77f13f3f3cc96c055d732ab841eb848d03ac25401c1bc

SHA512
d9eefb19f82e0786d9be0dbe5e339d25473fb3a09682f40c6d190d4c320cca5556abb72b5d97c6b0da4f8faefdc6d39ac9d0415fdf94ebcc90ecdf2e513c6a31

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE

Filesize
278KB

MD5
12c29dd57aa69f45ddd2e47620e0a8d9

SHA1
ba297aa3fe237ca916257bc46370b360a2db2223

SHA256
22a585c183e27b3c732028ff193733c2f9d03700a0e95e65c556b0592c43d880

SHA512
255176cd1a88dfa2af3838769cc20dc7ad9d969344801f07b9ebb372c12cee3f47f2dba3559f391deab10650875cad245d9724acfa23a42b336bfa96559a5488

Download Submit
C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE

Filesize
454KB

MD5
bcd0f32f28d3c2ba8f53d1052d05252d

SHA1
c29b4591df930dabc1a4bd0fa2c0ad91500eafb2

SHA256
bb07d817b8b1b6b4c25e62b6120e51dec10118557d7b6b696ad084a5ba5bfdeb

SHA512
79f407735853f82f46870c52058ceee4d91857a89db14868ee1169abd5c0fd2e3fa1ed230ab90b5f479a9581b88998643d69b0df498defea29e73b0d487f3b10

Download Submit
C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe

Filesize
1.2MB

MD5
d47ed8961782d9e27f359447fa86c266

SHA1
d37d3f962c8d302b18ec468b4abe94f792f72a3b

SHA256
b1ec065f71cc40f400e006586d370997102860504fd643b235e8ed9f5607262a

SHA512
3e33f2cdf35024868b183449019de9278035e7966b342ba320a6c601b5629792cbb98a19850d4ca80b906c85d10e8503b0193794d1f1efa849fa33d26cff0669

Download Submit
C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe

Filesize
555KB

MD5
ce82862ca68d666d7aa47acc514c3e3d

SHA1
f458c7f43372dbcdac8257b1639e0fe51f592e28

SHA256
c5a99f42100834599e4995d0a178b32b772a6e774a4050a6bb00438af0a6a1f3

SHA512
bca7afd6589c3215c92fdaca552ad3380f53d3db8c4b69329a1fa81528dd952a14bf012321de92ad1d20e5c1888eab3dd512b1ac80a406baccc37ee6ff4a90dc

Download Submit
C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE

Filesize
121KB

MD5
cbd96ba6abe7564cb5980502eec0b5f6

SHA1
74e1fe1429cec3e91f55364e5cb8385a64bb0006

SHA256
405b8bd647fa703e233b8b609a18999abe465a8458168f1daf23197bd2ea36aa

SHA512
a551001853f6b93dfbc6cf6a681820af31330a19d5411076ff3dbce90937b3d92173085a15f29ebf56f2ef12a4e86860ac6723ebc89c98ea31ea7a6c7e3d7cdc

Download Submit
C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\java.exe

Filesize
325KB

MD5
9a8d683f9f884ddd9160a5912ca06995

SHA1
98dc8682a0c44727ee039298665f5d95b057c854

SHA256
5e2e22ead49ce9cc11141dbeebbe5b93a530c966695d8efc2083f00e6be53423

SHA512
6aecf8c5cb5796d6879f8643e20c653f58bad70820896b0019c39623604d5b3c8a4420562ab051c6685edce60aa068d9c2dbb4413a7b16c6d01a9ac10dc22c12

Download Submit
C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaw.exe

Filesize
325KB

MD5
892cf4fc5398e07bf652c50ef2aa3b88

SHA1
c399e55756b23938057a0ecae597bd9dbe481866

SHA256
e2262c798729169f697e6c30e5211cde604fd8b14769311ff4ea81abba8c2781

SHA512
f16a9e4b1150098c5936ec6107c36d47246dafd5a43e9f4ad9a31ecab69cc789c768691fa23a1440fae7f6e93e8e62566b5c86f7ed6bb4cfe26368149ea8c167

Download Submit
C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaws.exe

Filesize
505KB

MD5
452c3ce70edba3c6e358fad9fb47eb4c

SHA1
d24ea3b642f385a666159ef4c39714bec2b08636

SHA256
da73b6e071788372702104b9c72b6697e84e7c75e248e964996700b77c6b6f1c

SHA512
fe8a0b9b1386d6931dc7b646d0dd99c3d1b44bd40698b33077e7eeba877b53e5cb39ff2aa0f6919ccab62953a674577bc1b2516d9cadc0c051009b2083a08085

Download Submit
C:\PROGRA~2\Google\Update\DISABL~1.EXE

Filesize
5.4MB

MD5
9036b1f2266a9cdd8b29fdb0dc6d557d

SHA1
7fc4c17901c2907b3d9fcfd436be55dc6df69b82

SHA256
c81f0eeb79898a345f7724464f71b1642b4b8294b50d549290144f3ee2fbaf69

SHA512
14251e50f7e6d83af357251af545b09ed14fd86783dce64bef84af7b4facf3a9ad4fdcefd4fb8cf355dc6d2692fccb0aeaaa87deaaa6d5a836887ff189eb483e

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\133030~1.69\BHO\ie_to_edge_stub.exe

Filesize
554KB

MD5
205885bc273bb0e43beb4ec064af8422

SHA1
96cd3cad425fc1dbfdcf75f7085e9359b1911977

SHA256
cfac2c539bb9c3bc51975643d7c8576ba0a63dc7f1a451ca5daebf098fba8a3c

SHA512
ba6426390826437bb12ea90f11f6b112939cbf03082d81900249eccc64f1078cd73a26017810edca6410787fbdfb48383bd10ebcaed12f8910a52340173df02f

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\133030~1.69\INSTAL~1\setup.exe

Filesize
6.9MB

MD5
d55ae56406e1dbce540f8c385bc5c244

SHA1
479de824de2a013921f867ef738fa3a3100aa708

SHA256
98b7868bb8c9aae548ee7244a71f5a0602c25611643c61c94ba56332882f59ef

SHA512
ab7705081af40c74c8005fd8f673b070653b9b871a087cb86594424df957d4eb40930484c4b8c83a3f867297101f3c01d89e55b4cf35ec288bc406954780168a

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\133030~1.69\cookie_exporter.exe

Filesize
161KB

MD5
2f70ce2fd6a36867b80c9b5171f7ad01

SHA1
cdac4cb30c1ad3ac6793a7e057d58428e799d6c1

SHA256
eafdb0f86d520c66417edd0c1981c79ce7b79f2e24476402f939a577d250ed6b

SHA512
394ae58b149ad750c071b17b42817d9eaae794ca9b583a92155a57eafff15467ca1e767fbece8098c22d67a01baf66a5d489b4789db7284ab1a644be335f87ba

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\133030~1.69\elevated_tracing_service.exe

Filesize
2.5MB

MD5
e60af4c310c73019650b9eb2931c9bac

SHA1
8fa6c09ed7c8a357946479f7351582191260bd97

SHA256
029c237e6cc508cc4c0e97e4e5a9a3c7c54fb706ce237f38ab3b72fad63f2bb1

SHA512
61f3743569111df1846f3f13ba95f0a17eac7aafa3a885f72ffbc8b7e5471b757a44aadad27504dbd4ec4e5c52a4354d76443f75479359cac8e52c3ed1fbd1dc

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\133030~1.69\elevation_service.exe

Filesize
1.8MB

MD5
b7e311cd8c0144f008c49c42bb8fab3d

SHA1
d96d89cbe4e0b2961755df9383abd50a77988f2c

SHA256
5e0c8d2f25706df47c676a41f667b8a31b53e0de96143190161e3e24453d3263

SHA512
0df96b9e3dca1a470d6ee20f5646d3427538492c0031742a481f05ad40aa38981906e60cccb89ebbf44ed5356fbe1f22862298a4866608e73cb54e904bfabd16

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\133030~1.69\identity_helper.exe

Filesize
1.1MB

MD5
1bfa8c82b2c5759a93fbcd568e55ad36

SHA1
52e6229323366ddd6aeaf2a83b590a9792e530f6

SHA256
5a08e3ceae03703ac7fab7e5527380519f156ea2441d3152f4be7dad5ccd17d6

SHA512
430c804f0b2203a78a942ca439f1e919867783772bcc893f12e249f918c89eb0fc5cd97fd1622e4909c3946be4d40b5edcb94dcf6d679abf335a91c0aba98072

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\133030~1.69\msedge.exe

Filesize
3.9MB

MD5
a954dbc45566e18f9051fc43503e0be1

SHA1
16bb38561d02a304cd397b6727925a548dedc22f

SHA256
1802e5c80c837c9f979783191e4df212a59d5d9a956ff2eb13f3e7093f5685ed

SHA512
3aeb5982ac4d9240f427ccd622fbf3a6cce6038ddf97564c1c3d10b02a10ec6b13fab5acba30cdd86e0bbc070acc0a3efd19c86fa83f0e8fc347f7d2e8ea9fdb

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\133030~1.69\msedge_proxy.exe

Filesize
1.1MB

MD5
db1a2e2e2f92341ff6559107c71ec885

SHA1
bfd10b84287ed36626af1941a05b5ae6d078790e

SHA256
27158f6eac1dd2fc9774d28b5c90d2147ca6e138c2285395f2f979c3f62e4bfb

SHA512
2790689169807cd8be353936ff3824030495d6c7cf9ed06609e61d0db8a2247b319df234cbe4debb843478944fa2a1587f7c3dd64ae6b88ee3fc04d6ee9a37c2

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\133030~1.69\msedge_pwa_launcher.exe

Filesize
1.5MB

MD5
48ca92017dbfb5348d63d658f69947eb

SHA1
f0d453619359cf2af688f0a80999d59cde9c3b9d

SHA256
bb591bce74dc3e902c2d1692b2f9427f4d2980ef2d7f019e918cac3107a2f40d

SHA512
84632fb9ec2e5aa0b969f73e439d1200a564d662bef50ecef9dedf287f780678a00f0a2f2e9f5f5414882dfb19fc26aa520ba55c954c8b79bdf878f2b7121db4

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\133030~1.69\msedgewebview2.exe

Filesize
3.4MB

MD5
9269b33ee0b68213ac019e331e814ca5

SHA1
7c8a4b2a304f482436670a7d36efd9c1546013fc

SHA256
a24f051bc53fb1f0209ce9dda174981657f3e6ad9bea3d8032f62e411e602e45

SHA512
dabd0c04313b251f76507e3a2a8e014d9febfd713271ca7f120d598b38756937a4d473a83a650b42da9c893514c3c258c5dd48438cf3d09fea1cbf7e56e7142b

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\133030~1.69\notification_click_helper.exe

Filesize
1.3MB

MD5
b45b21f37a1ef904d6cfe2d8e627cfc9

SHA1
b856b92d5770b19cfbce966e53621d3ed52555c6

SHA256
851b3a4693bed2bac57ec494181b04114adf644a840586ff5347999270c8c3a5

SHA512
75467dc78c9ec10aad97193f27f38e3392027a537b836b810db44fb2e1dabdf6da672c3ef63809aeb2cf32dbbba91e0b4cca9ad63e456b1c93b9a615bf6d6ceb

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\133030~1.69\pwahelper.exe

Filesize
1.1MB

MD5
d00b4c03d09a290101c94a55b5c8a0bd

SHA1
c6c48a3a167c3d3b603186673b7364f70112b16e

SHA256
0299a91e62192e68e2f468884e30e99b61afc9058eb162700383c0acdfdd142e

SHA512
2f2673451ddc9cfddb7a2fad0ac0ba0e0f2ab18a496130ba1d1280ae34482caf489b85743dae6f3edff0b5b112c2ca10c5aaf815dd8cecc529d7aa8c604ec82d

Download Submit
C:\ProgramData\Synaptics\RCX9CCC.tmp

Filesize
753KB

MD5
46644d4bb7a86493316e3a5be480d389

SHA1
fb2a998caed45d4276950d683e836c19a5ead190

SHA256
150767718f2627c06e0953ddc394f8b01833bf2ef54347336685e1cb38fedbf6

SHA512
d1ee19f9275f1d26b375faedb070c2b6dd9b6dc842f36b295167994c024d13dbd10cf91132abf2f0c6314a17bf8fc3927fe9d6ffde555b31a3d1a8527b762bf5

Download Submit
C:\ProgramData\Synaptics\Synaptics.exe

Filesize
5.1MB

MD5
1f36ecfb2c960624f2b4e0c774967bfd

SHA1
a33c51f43501d06dcab5dda35e75502b1edebb5f

SHA256
7adb87c66ec672980272850326ec3a4e60f0e30fcedc12776ccf95367e1c77d6

SHA512
0818d1e59494be05dce712d484b434ecf201ac17b655167c2474fb2cf60753c3215f5532f31ac6b365f9eb359aba2985b0277e71d344bd86ff45ca1039d31044

Download Submit
C:\ProgramData\Synaptics\Synaptics.exe

Filesize
5.6MB

MD5
226dab9cd4cb07601a9e554606315e15

SHA1
87bf650c3294efbd533d9672955e75ee5dbe091c

SHA256
5b6ad3654495a9ca1b4a7fe88f74bb1e093fd83e6792f9a33cb6d434f7e6042f

SHA512
41fffb176d80d0f202aace2d23c97db604b93ea5ca88968f34a868ea55b55fe2811bdf6c67aa4b337575feac5b10df90d143271f17d78e99a12891e04e7511b1

Download Submit
C:\ProgramData\Synaptics\Synaptics.exe

Filesize
4.8MB

MD5
ae51be36d30d834104360fb933dc9fc2

SHA1
48c4e79044ae524b9f93a7d1f2c7817c3ec407cb

SHA256
dfe7fbcbe18d4792889395dbf5b2ba9ad49448a2c9085189e75ea7568ed28e18

SHA512
9679fb9619357f94e82d8eb8b2bd79626d93dfef54210dfcc4ca6938812cf04b80429769bc84a9037832df94c11253421504f1d36ee8e75c67d85e4e068445dd

Download Submit
C:\ProgramData\Synaptics\Synaptics.exe

Filesize
5.8MB

MD5
ed8a1a995b21a019ae1c3eb2e494b163

SHA1
07e226dc85936109170ee9787871eadcf98c0b2c

SHA256
04a06932081f01b5b4df41513de4ebd92138fcc341ac1bc0b3c34da9fa423394

SHA512
78049794fde71f2142e4e882e33c469386767408b46b23926cc6e92b1700d70984f2fb64356df7d74892b30ce6865c67c3929e29b88d8ec69e6bdfa0890b7f2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_._cache_2025-03-30_a2b6b00c9d611b99e47068506941fa31_amadey_black-basta_darkgate_hijackloader_luca-stealer_neshta_smoke-loader.exe

Filesize
6.3MB

MD5
9fbd25b96f95e1530b2379a05ee8ff08

SHA1
014d399db0bf9caf269fa25d7f67c17a830c7b33

SHA256
7b40477497a6bf5b9733005d7a6d3916515ed984240fb36aa62ca31fdfc74055

SHA512
71d5cbad4ab65e3b4768191a8a470484e0b79459f84ca40599c2493c76ad752bb4ec9674227ba7e2c4ab2a0d703ce7f8da5f100b372a980ae8fc2a30be1d5fab

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_2025-03-30_a2b6b00c9d611b99e47068506941fa31_amadey_black-basta_darkgate_hijackloader_luca-stealer_neshta_smoke-loader.exe

Filesize
7.0MB

MD5
71fe855dab29d9ae5d40d1f28d63aaa5

SHA1
60808948e75c48b2d96a6d06dea10d2a40963d0d

SHA256
1df1ba581ce50fcb28c298f3c190844096cbff4bb67fc7992040aa69d292e015

SHA512
83b6d61f0c625d322c9b4ccf0d341651b50eba3fe59fa9c1731526be48ab812363e250497498ab99adf77dc0fb1a754fbbf466fde5b5262a77954ffc28e71194

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE

Filesize
5.5MB

MD5
a8ffe89abda8f23afc94ee94294c90b5

SHA1
6f50a6e089cb9c0fc2de07069d05d16f68233cec

SHA256
77fe8ffda7e6c026655d3199623a0b703fb0f67a0af9f57175913fded3acf3e4

SHA512
645c1f66fec60418869828702e9540ff5709d2fe17637fb7219694a3e03b4b2a72aedb88c3469e64a37de07e3775ecbaf6f0cdc05c3e917d45bbb8d8c11d3a26

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\._cache_._cache_2025-03-30_a2b6b00c9d611b99e47068506941fa31_amadey_black-basta_darkgate_hijackloader_luca-stealer_neshta_smoke-loader.exe

Filesize
6.2MB

MD5
6f35a3ffdf098e593b79aa19c8d282a9

SHA1
8ee501ebd401e1736ba9bdcbe0b42c5d0288a665

SHA256
562e0d00a464d1b8c9f5d62c9cfd1540dc1a89ad4dd8a2f81bb0261ad562e849

SHA512
1e56e9703731778008a556f93d596de851f314e3a1569b714d63714ee8d1b01aeda0a1a60ba759b294f89d236d63de4e0bf4d93e14edaa0d150396e2cc9c2e65

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\._cache_2025-03-30_a2b6b00c9d611b99e47068506941fa31_amadey_black-basta_darkgate_hijackloader_luca-stealer_neshta_smoke-loader.exe

Filesize
7.0MB

MD5
0f4827944bed17b09602e5a4e6b8cc51

SHA1
5a45da69a5b9543ae493655fb476faf4270a612f

SHA256
6c775c80a7838d755df0f417930054388c9910d01771112e873cee1b681ab063

SHA512
29c3a7a45a9318f6cb944348e68ce58681566954dc310415c93fcbaef452c0cd59466f11ce3ed210d819b02ce42f86b5573317cd56757c0e1758eea0ec06061c

Download Submit
C:\Windows\directx.sys

Filesize
65B

MD5
9ac0e111c3f6c50e70ac387f1fd9b43a

SHA1
ff287dd3081bdfbe8b524a75ea8f3a61ddb9116b

SHA256
f8247a92eef6cc7ddc65ce607221b630c5113478bccd177dee9f79e60c0165fb

SHA512
f7f381159f69df453fb3f7b2c10855b215f206de91bebb4277f47e252b16da8febc03cd93e740c47aba26582384774be2a398979c67d380fab04c892e65cbdaa

Download Submit
C:\Windows\directx.sys

Filesize
57B

MD5
56abc40d1e45c091d8afddb90a4ce6b4

SHA1
08db549484467b32b79958700300cabefc659848

SHA256
a43fa861957415e3b0f25e2b54d931961cd309ff1d5354a9362852895b90b3e1

SHA512
51625c015a7c8fcf6fb51d3396aa08d2068772e3fcacaf32c409e82071af4ba1eb2ee94f36c06a98c32ba59d23bbaa6b540f7bd418a9472303cc225151daa698

Download Submit
C:\Windows\directx.sys

Filesize
57B

MD5
6b3bfceb3942a9508a2148acbee89007

SHA1
3622ac7466cc40f50515eb6fcdc15d1f34ad3be3

SHA256
e0a7bae2a9ac263cff5d725922e40272d8854278d901233a93a5267859c00a3c

SHA512
fa222bfcade636824af32124b45450c92b1abec7a33e6e647a9248eef5371c127d22ccb7cc5a096b4d5d52e2457f3841293a1b34304e8e5523549856ac02f224

Download Submit
C:\Windows\directx.sys

Filesize
35B

MD5
10320b53df6530a542f13adf5f36d39a

SHA1
386dd879a3e1176b0c91328ce8254174e4220569

SHA256
9c4249eb6a5603fcc10a8c8c3c4d8f028a98ebcd9179c0836faacf1d03a48ce7

SHA512
c8007820db892b374dee1e6917c6caa4981d3f230ffc11d6753951ff46861ee4b0035544b3309b3008a2a769266639ce45ebc023b1748730cf0cf67844a065d6

Download Submit
C:\Windows\directx.sys

Filesize
92B

MD5
9ce08ae707e9e7a9b2b3c569985a71e2

SHA1
7b4d378e4e0e2afa453ab852bceb62b2833eadc0

SHA256
164b61d20e159b58b9b1f088e5b539f5d64b01669b870e333aedba1de1441a38

SHA512
9b5ad6c5f378150d04fa9a66e666af15eeac89371a5312b6a4a6921a9343dbd095184dca258c09190221b2cde699896cd57548919630e6fa726297bd518db580

Download Submit
C:\Windows\directx.sys

Filesize
57B

MD5
4e125c05c3c52106512082f82aac0717

SHA1
8505fb21e0058418415b73921e4d5d872c4485e1

SHA256
d450a68cb3fc838b7658dc7d0c0ebe239a29285410b1af7b76497779d23f27c2

SHA512
3d6caa724b358829dca51623e9cbf6cca72512e19d027b0f72296fa20ffa47f31f24d72b45cb5d5fb767756a5a5469bae66dbca94d97f1e33ca134d1f080323a

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
3c499505ae2e6972a76a4f50c08d1559

SHA1
cc0138a39d765a3a88d82f40e5645089ccb5ecfe

SHA256
3dc1edcad8a1a91ce7cd34ba466d275963a174f26464d5fc694bc6d5aeca94dc

SHA512
e8c6d4020b6d88f04a544f4efbfc00ec06c554696c0176e1b6103d8bd432221f9bc61c61647069cf35df57d29e818bf721bda9f7394de5d415261ab1ef36b030

Download Submit
memory/8-1246-0x0000000004300000-0x0000000004B3B000-memory.dmp

Filesize
8.2MB

Download
memory/8-1239-0x0000000004300000-0x0000000004B3B000-memory.dmp

Filesize
8.2MB

Download
memory/60-393-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/408-523-0x0000000000400000-0x0000000000B08000-memory.dmp

Filesize
7.0MB

Download
memory/408-1005-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/708-948-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1032-962-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1060-964-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1060-747-0x0000000000400000-0x0000000000B08000-memory.dmp

Filesize
7.0MB

Download
memory/1112-987-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1232-959-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1268-289-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1368-771-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1400-235-0x0000000000400000-0x0000000000B08000-memory.dmp

Filesize
7.0MB

Download
memory/1440-974-0x0000000000240000-0x0000000000A7B000-memory.dmp

Filesize
8.2MB

Download
memory/1440-1070-0x0000000000240000-0x0000000000A7B000-memory.dmp

Filesize
8.2MB

Download
memory/1440-750-0x0000000000240000-0x0000000000A7B000-memory.dmp

Filesize
8.2MB

Download
memory/1544-610-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1604-946-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1788-346-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1808-997-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1808-804-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1816-287-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1840-976-0x0000000000400000-0x0000000000B08000-memory.dmp

Filesize
7.0MB

Download
memory/2004-815-0x0000000000400000-0x0000000000B08000-memory.dmp

Filesize
7.0MB

Download
memory/2332-213-0x0000000000400000-0x0000000000BCE000-memory.dmp

Filesize
7.8MB

Download
memory/2468-612-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2484-748-0x0000000000400000-0x0000000000B08000-memory.dmp

Filesize
7.0MB

Download
memory/2620-998-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2712-522-0x0000000000400000-0x0000000000A41000-memory.dmp

Filesize
6.3MB

Download
memory/2716-800-0x0000000000400000-0x0000000000A41000-memory.dmp

Filesize
6.3MB

Download
memory/3004-975-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3160-848-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3428-677-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3448-814-0x0000000000400000-0x0000000000B08000-memory.dmp

Filesize
7.0MB

Download
memory/3660-676-0x0000000000400000-0x0000000000B08000-memory.dmp

Filesize
7.0MB

Download
memory/3924-933-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4000-772-0x0000000000400000-0x0000000000A41000-memory.dmp

Filesize
6.3MB

Download
memory/4160-857-0x00000000043A0000-0x0000000004BDB000-memory.dmp

Filesize
8.2MB

Download
memory/4160-858-0x00000000043A0000-0x0000000004BDB000-memory.dmp

Filesize
8.2MB

Download
memory/4160-912-0x0000000000400000-0x0000000000A41000-memory.dmp

Filesize
6.3MB

Download
memory/4216-960-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4296-989-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4304-986-0x0000000000400000-0x0000000000B08000-memory.dmp

Filesize
7.0MB

Download
memory/4524-990-0x0000000000400000-0x0000000000B08000-memory.dmp

Filesize
7.0MB

Download
memory/4532-543-0x0000000000400000-0x0000000000BCE000-memory.dmp

Filesize
7.8MB

Download
memory/4636-859-0x0000000000400000-0x0000000000B08000-memory.dmp

Filesize
7.0MB

Download
memory/4652-1020-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4684-854-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4732-947-0x0000000000D90000-0x00000000015CB000-memory.dmp

Filesize
8.2MB

Download
memory/4732-525-0x0000000000D90000-0x00000000015CB000-memory.dmp

Filesize
8.2MB

Download
memory/4732-860-0x0000000000D90000-0x00000000015CB000-memory.dmp

Filesize
8.2MB

Download
memory/4748-1021-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4784-965-0x0000000000400000-0x0000000000A41000-memory.dmp

Filesize
6.3MB

Download
memory/4800-778-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4872-364-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4992-972-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/5068-1006-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/5152-856-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/5180-229-0x00007FF7FD0F0000-0x00007FF7FD100000-memory.dmp

Filesize
64KB

Download
memory/5180-231-0x00007FF7FD0F0000-0x00007FF7FD100000-memory.dmp

Filesize
64KB

Download
memory/5180-227-0x00007FF7FD0F0000-0x00007FF7FD100000-memory.dmp

Filesize
64KB

Download
memory/5180-236-0x00007FF7FD0F0000-0x00007FF7FD100000-memory.dmp

Filesize
64KB

Download
memory/5180-244-0x00007FF7FAE20000-0x00007FF7FAE30000-memory.dmp

Filesize
64KB

Download
memory/5180-277-0x00007FF7FAE20000-0x00007FF7FAE30000-memory.dmp

Filesize
64KB

Download
memory/5180-230-0x00007FF7FD0F0000-0x00007FF7FD100000-memory.dmp

Filesize
64KB

Download
memory/5200-963-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/5316-829-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/5384-830-0x0000000000400000-0x0000000000B08000-memory.dmp

Filesize
7.0MB

Download
memory/5452-764-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/5460-1071-0x0000000000240000-0x0000000000A7B000-memory.dmp

Filesize
8.2MB

Download
memory/5460-861-0x0000000000240000-0x0000000000A7B000-memory.dmp

Filesize
8.2MB

Download
memory/5608-1219-0x00000000002F0000-0x0000000000B2B000-memory.dmp

Filesize
8.2MB

Download
memory/5608-1327-0x00000000002F0000-0x0000000000B2B000-memory.dmp

Filesize
8.2MB

Download
memory/5680-1291-0x0000000004330000-0x0000000004B6B000-memory.dmp

Filesize
8.2MB

Download
memory/5680-1208-0x0000000004330000-0x0000000004B6B000-memory.dmp

Filesize
8.2MB

Download
memory/5680-1210-0x0000000004330000-0x0000000004B6B000-memory.dmp

Filesize
8.2MB

Download
memory/5680-1289-0x0000000004330000-0x0000000004B6B000-memory.dmp

Filesize
8.2MB

Download
memory/5696-961-0x0000000000A00000-0x000000000123B000-memory.dmp

Filesize
8.2MB

Download
memory/5696-1211-0x0000000000A00000-0x000000000123B000-memory.dmp

Filesize
8.2MB

Download
memory/5696-1261-0x0000000000A00000-0x000000000123B000-memory.dmp

Filesize
8.2MB

Download
memory/5844-108-0x0000000000400000-0x0000000000BCE000-memory.dmp

Filesize
7.8MB

Download
memory/5844-0-0x0000000002A60000-0x0000000002A61000-memory.dmp

Filesize
4KB

Download
memory/5872-770-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/5872-973-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/5988-559-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/5996-949-0x00000000008F0000-0x000000000112B000-memory.dmp

Filesize
8.2MB

Download
memory/5996-738-0x00000000008F0000-0x000000000112B000-memory.dmp

Filesize
8.2MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads