dc5309715df45bcbde4b8e75dc4164a542cbfc08550349c509f7278349baa0ac

Analysis

max time kernel
150s
max time network
153s
platform
windows7_x64
resource
win7v20210408
submitted
11-05-2021 15:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dc5309715df45bcbde4b8e75dc4164a542cbfc08550349c509f7278349baa0ac.exe
Size

1.9MB
MD5

4a401739cc063b19870a7c1cf3a5d8a9
SHA1

0bfd9614b124c7bc1035e58d1ed2e2e3d020686c
SHA256

dc5309715df45bcbde4b8e75dc4164a542cbfc08550349c509f7278349baa0ac
SHA512

ce9fc63110adedaee0ab4ab569d210853d6b58c9a1233a776c7b7012d007d2bdf23a91fc92318ddd438940b08bb9a6f10a8dd14832fdec8adcf99210ae9b249c

Score

8^/10

discovery macro persistence

Malware Config

Signatures

Executes dropped EXE 3 IoCs

Processes:

._cache_dc5309715df45bcbde4b8e75dc4164a542cbfc08550349c509f7278349baa0ac.exeSynaptics.exe._cache_dc5309715df45bcbde4b8e75dc4164a542cbfc08550349c509f7278349baa0ac.exe

pid	process
1996	._cache_dc5309715df45bcbde4b8e75dc4164a542cbfc08550349c509f7278349baa0ac.exe
2008	Synaptics.exe
1780	._cache_dc5309715df45bcbde4b8e75dc4164a542cbfc08550349c509f7278349baa0ac.exe

Suspicious Office macro 1 IoCs

Office document equipped with macros.

macro

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\rPhp9AEl.xlsm	office_macros

Loads dropped DLL 11 IoCs

Processes:

dc5309715df45bcbde4b8e75dc4164a542cbfc08550349c509f7278349baa0ac.exe._cache_dc5309715df45bcbde4b8e75dc4164a542cbfc08550349c509f7278349baa0ac.exe._cache_dc5309715df45bcbde4b8e75dc4164a542cbfc08550349c509f7278349baa0ac.exe

pid	process
788	dc5309715df45bcbde4b8e75dc4164a542cbfc08550349c509f7278349baa0ac.exe
788	dc5309715df45bcbde4b8e75dc4164a542cbfc08550349c509f7278349baa0ac.exe
788	dc5309715df45bcbde4b8e75dc4164a542cbfc08550349c509f7278349baa0ac.exe
1996	._cache_dc5309715df45bcbde4b8e75dc4164a542cbfc08550349c509f7278349baa0ac.exe
1780	._cache_dc5309715df45bcbde4b8e75dc4164a542cbfc08550349c509f7278349baa0ac.exe
1780	._cache_dc5309715df45bcbde4b8e75dc4164a542cbfc08550349c509f7278349baa0ac.exe
1780	._cache_dc5309715df45bcbde4b8e75dc4164a542cbfc08550349c509f7278349baa0ac.exe
1780	._cache_dc5309715df45bcbde4b8e75dc4164a542cbfc08550349c509f7278349baa0ac.exe
1780	._cache_dc5309715df45bcbde4b8e75dc4164a542cbfc08550349c509f7278349baa0ac.exe
1780	._cache_dc5309715df45bcbde4b8e75dc4164a542cbfc08550349c509f7278349baa0ac.exe
1780	._cache_dc5309715df45bcbde4b8e75dc4164a542cbfc08550349c509f7278349baa0ac.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

dc5309715df45bcbde4b8e75dc4164a542cbfc08550349c509f7278349baa0ac.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	dc5309715df45bcbde4b8e75dc4164a542cbfc08550349c509f7278349baa0ac.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Windows directory 1 IoCs

Processes:

._cache_dc5309715df45bcbde4b8e75dc4164a542cbfc08550349c509f7278349baa0ac.exe

description	ioc	process
File opened for modification	C:\Windows\WindowsUpdate.log	._cache_dc5309715df45bcbde4b8e75dc4164a542cbfc08550349c509f7278349baa0ac.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

._cache_dc5309715df45bcbde4b8e75dc4164a542cbfc08550349c509f7278349baa0ac.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	._cache_dc5309715df45bcbde4b8e75dc4164a542cbfc08550349c509f7278349baa0ac.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	._cache_dc5309715df45bcbde4b8e75dc4164a542cbfc08550349c509f7278349baa0ac.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

EXCEL.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

Synaptics.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	Synaptics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	Synaptics.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	Synaptics.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

1524 EXCEL.EXE

pid	process
1524	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

._cache_dc5309715df45bcbde4b8e75dc4164a542cbfc08550349c509f7278349baa0ac.exe

pid	process
1780	._cache_dc5309715df45bcbde4b8e75dc4164a542cbfc08550349c509f7278349baa0ac.exe
1780	._cache_dc5309715df45bcbde4b8e75dc4164a542cbfc08550349c509f7278349baa0ac.exe
1780	._cache_dc5309715df45bcbde4b8e75dc4164a542cbfc08550349c509f7278349baa0ac.exe
1780	._cache_dc5309715df45bcbde4b8e75dc4164a542cbfc08550349c509f7278349baa0ac.exe
1780	._cache_dc5309715df45bcbde4b8e75dc4164a542cbfc08550349c509f7278349baa0ac.exe
1780	._cache_dc5309715df45bcbde4b8e75dc4164a542cbfc08550349c509f7278349baa0ac.exe
1780	._cache_dc5309715df45bcbde4b8e75dc4164a542cbfc08550349c509f7278349baa0ac.exe
1780	._cache_dc5309715df45bcbde4b8e75dc4164a542cbfc08550349c509f7278349baa0ac.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

._cache_dc5309715df45bcbde4b8e75dc4164a542cbfc08550349c509f7278349baa0ac.exe

description pid process

Token: SeDebugPrivilege 1780 ._cache_dc5309715df45bcbde4b8e75dc4164a542cbfc08550349c509f7278349baa0ac.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

EXCEL.EXE

pid process

1524 EXCEL.EXE

description	pid	process
Token: SeDebugPrivilege	1780	._cache_dc5309715df45bcbde4b8e75dc4164a542cbfc08550349c509f7278349baa0ac.exe

pid	process
1524	EXCEL.EXE

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

dc5309715df45bcbde4b8e75dc4164a542cbfc08550349c509f7278349baa0ac.exe._cache_dc5309715df45bcbde4b8e75dc4164a542cbfc08550349c509f7278349baa0ac.exe

C:\Users\Admin\AppData\Local\Temp\dc5309715df45bcbde4b8e75dc4164a542cbfc08550349c509f7278349baa0ac.exe
"C:\Users\Admin\AppData\Local\Temp\dc5309715df45bcbde4b8e75dc4164a542cbfc08550349c509f7278349baa0ac.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:788

C:\Users\Admin\AppData\Local\Temp\._cache_dc5309715df45bcbde4b8e75dc4164a542cbfc08550349c509f7278349baa0ac.exe
"C:\Users\Admin\AppData\Local\Temp\._cache_dc5309715df45bcbde4b8e75dc4164a542cbfc08550349c509f7278349baa0ac.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1996

C:\Users\Admin\AppData\Local\Temp\._cache_dc5309715df45bcbde4b8e75dc4164a542cbfc08550349c509f7278349baa0ac.exe
"C:\Users\Admin\AppData\Local\Temp\._cache_dc5309715df45bcbde4b8e75dc4164a542cbfc08550349c509f7278349baa0ac.exe" -burn.unelevated BurnPipe.{09CA33F0-1112-47A1-866F-C4A5E9E56F10} {FE8893E6-0174-477C-9A59-B23840CB8874} 1996
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1780

C:\ProgramData\Synaptics\Synaptics.exe
"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
2⤵
- Executes dropped EXE
- Modifies system certificate store
PID:2008

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1524

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe
MD5
f6dc5c09d9e0941fd93a9bda70c6a529

SHA1
27a9250233252625456c06049292a2c27a6a4efc

SHA256
a0a20c6b71890512baf81b9843db7e18608def2e19e19a020802ca7702563ff4

SHA512
8bcd32f755531ddb457db3969d2c0606232dd1dcde6fe171f511a1877eb5b6efda11b8e92baf156d9b92b32d0c4f93e3050366f617cf21c8de50403bb5fa4ab8

Download Submit
C:\ProgramData\Synaptics\Synaptics.exe
MD5
f6dc5c09d9e0941fd93a9bda70c6a529

SHA1
27a9250233252625456c06049292a2c27a6a4efc

SHA256
a0a20c6b71890512baf81b9843db7e18608def2e19e19a020802ca7702563ff4

SHA512
8bcd32f755531ddb457db3969d2c0606232dd1dcde6fe171f511a1877eb5b6efda11b8e92baf156d9b92b32d0c4f93e3050366f617cf21c8de50403bb5fa4ab8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
28cc59b0b16d042eea492fe8dd33cddd

SHA1
a428c1ebf5a65df63f71c0731c9305499340d226

SHA256
958943e6448ae9c9546a83d8b0006f9b9e03ee9268f5b71aa55a727a5b41b42a

SHA512
b8d2a3611021e8ec73124ee54b5656d7e17412cbafd5e405440acb1c07f8da4745192a5203b90d90b726c6e2200d65d25fc1ad260d7e303d1d7bd7e8a16918b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_dc5309715df45bcbde4b8e75dc4164a542cbfc08550349c509f7278349baa0ac.exe
MD5
4736c0ddc6104a9327b0fb889b39b8ac

SHA1
3fe80b770e0edf013dfb0353b86f70fedf33cca8

SHA256
285d21e6ba826f86faf1352163a687facb2e3f87fe1dd08db5b4e3025dc68f6a

SHA512
a32f71a89be6333c5b5bcd5d1d6c245e183f7ad6cad6903b565184921db3b529a5d5fb8fd5afaa515ec2255e64f84b8897d0c39dda6b56f9932c618e0a073bf8

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_dc5309715df45bcbde4b8e75dc4164a542cbfc08550349c509f7278349baa0ac.exe
MD5
4736c0ddc6104a9327b0fb889b39b8ac

SHA1
3fe80b770e0edf013dfb0353b86f70fedf33cca8

SHA256
285d21e6ba826f86faf1352163a687facb2e3f87fe1dd08db5b4e3025dc68f6a

SHA512
a32f71a89be6333c5b5bcd5d1d6c245e183f7ad6cad6903b565184921db3b529a5d5fb8fd5afaa515ec2255e64f84b8897d0c39dda6b56f9932c618e0a073bf8

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_dc5309715df45bcbde4b8e75dc4164a542cbfc08550349c509f7278349baa0ac.exe
MD5
4736c0ddc6104a9327b0fb889b39b8ac

SHA1
3fe80b770e0edf013dfb0353b86f70fedf33cca8

SHA256
285d21e6ba826f86faf1352163a687facb2e3f87fe1dd08db5b4e3025dc68f6a

SHA512
a32f71a89be6333c5b5bcd5d1d6c245e183f7ad6cad6903b565184921db3b529a5d5fb8fd5afaa515ec2255e64f84b8897d0c39dda6b56f9932c618e0a073bf8

Download Submit
C:\Users\Admin\AppData\Local\Temp\rPhp9AEl.xlsm
MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
\ProgramData\Synaptics\Synaptics.exe
MD5
f6dc5c09d9e0941fd93a9bda70c6a529

SHA1
27a9250233252625456c06049292a2c27a6a4efc

SHA256
a0a20c6b71890512baf81b9843db7e18608def2e19e19a020802ca7702563ff4

SHA512
8bcd32f755531ddb457db3969d2c0606232dd1dcde6fe171f511a1877eb5b6efda11b8e92baf156d9b92b32d0c4f93e3050366f617cf21c8de50403bb5fa4ab8

Download Submit
\ProgramData\Synaptics\Synaptics.exe
MD5
f6dc5c09d9e0941fd93a9bda70c6a529

SHA1
27a9250233252625456c06049292a2c27a6a4efc

SHA256
a0a20c6b71890512baf81b9843db7e18608def2e19e19a020802ca7702563ff4

SHA512
8bcd32f755531ddb457db3969d2c0606232dd1dcde6fe171f511a1877eb5b6efda11b8e92baf156d9b92b32d0c4f93e3050366f617cf21c8de50403bb5fa4ab8

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_dc5309715df45bcbde4b8e75dc4164a542cbfc08550349c509f7278349baa0ac.exe
MD5
4736c0ddc6104a9327b0fb889b39b8ac

SHA1
3fe80b770e0edf013dfb0353b86f70fedf33cca8

SHA256
285d21e6ba826f86faf1352163a687facb2e3f87fe1dd08db5b4e3025dc68f6a

SHA512
a32f71a89be6333c5b5bcd5d1d6c245e183f7ad6cad6903b565184921db3b529a5d5fb8fd5afaa515ec2255e64f84b8897d0c39dda6b56f9932c618e0a073bf8

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_dc5309715df45bcbde4b8e75dc4164a542cbfc08550349c509f7278349baa0ac.exe
MD5
4736c0ddc6104a9327b0fb889b39b8ac

SHA1
3fe80b770e0edf013dfb0353b86f70fedf33cca8

SHA256
285d21e6ba826f86faf1352163a687facb2e3f87fe1dd08db5b4e3025dc68f6a

SHA512
a32f71a89be6333c5b5bcd5d1d6c245e183f7ad6cad6903b565184921db3b529a5d5fb8fd5afaa515ec2255e64f84b8897d0c39dda6b56f9932c618e0a073bf8

Download Submit
\Users\Admin\AppData\Local\Temp\{71688083-99e8-4e10-9522-8e98a130c438}\.ba1\BootstrapperCore.dll
MD5
a8b01738b2582c198096c7ecee8f84f1

SHA1
8dfca728d9f7db0d7cf32f1f034bdd812713337f

SHA256
74788435ec96e8f153c04c807ce6f96777d0307ee8a46a3f6b975ca69eeeb65f

SHA512
0b3b791d82f7d23c2d3b6fa683784ba510c293ea0cba9dd762268fe91150f4e3cfb5b06b4921ee6eaa69f437f48c49d6ef8fee6d798e6d2d15bbc336df380c4c

Download Submit
\Users\Admin\AppData\Local\Temp\{71688083-99e8-4e10-9522-8e98a130c438}\.ba1\BootstrapperCore.dll
MD5
a8b01738b2582c198096c7ecee8f84f1

SHA1
8dfca728d9f7db0d7cf32f1f034bdd812713337f

SHA256
74788435ec96e8f153c04c807ce6f96777d0307ee8a46a3f6b975ca69eeeb65f

SHA512
0b3b791d82f7d23c2d3b6fa683784ba510c293ea0cba9dd762268fe91150f4e3cfb5b06b4921ee6eaa69f437f48c49d6ef8fee6d798e6d2d15bbc336df380c4c

Download Submit
\Users\Admin\AppData\Local\Temp\{71688083-99e8-4e10-9522-8e98a130c438}\.ba1\BootstrapperCore.dll
MD5
a8b01738b2582c198096c7ecee8f84f1

SHA1
8dfca728d9f7db0d7cf32f1f034bdd812713337f

SHA256
74788435ec96e8f153c04c807ce6f96777d0307ee8a46a3f6b975ca69eeeb65f

SHA512
0b3b791d82f7d23c2d3b6fa683784ba510c293ea0cba9dd762268fe91150f4e3cfb5b06b4921ee6eaa69f437f48c49d6ef8fee6d798e6d2d15bbc336df380c4c

Download Submit
\Users\Admin\AppData\Local\Temp\{71688083-99e8-4e10-9522-8e98a130c438}\.ba1\ManagedUx.dll
MD5
869a1e6676fca19bc59856d9d06fa143

SHA1
75cf1b1e50977d3937db5a121235b2d476d45a8d

SHA256
b6e907ac487eb0fe755ab89dd30af1d888c199afb575afe02737299ede45ecae

SHA512
8c4f877ef00eb5de128bc36276b32b4b9c7ebeebaeecaaa6d67a713940d0d6abc1224bf5f525db8b2631685d7bf0190053d8fd615488b3eb19aa13be23a9e8cf

Download Submit
\Users\Admin\AppData\Local\Temp\{71688083-99e8-4e10-9522-8e98a130c438}\.ba1\ManagedUx.dll
MD5
869a1e6676fca19bc59856d9d06fa143

SHA1
75cf1b1e50977d3937db5a121235b2d476d45a8d

SHA256
b6e907ac487eb0fe755ab89dd30af1d888c199afb575afe02737299ede45ecae

SHA512
8c4f877ef00eb5de128bc36276b32b4b9c7ebeebaeecaaa6d67a713940d0d6abc1224bf5f525db8b2631685d7bf0190053d8fd615488b3eb19aa13be23a9e8cf

Download Submit
\Users\Admin\AppData\Local\Temp\{71688083-99e8-4e10-9522-8e98a130c438}\.ba1\ManagedUx.dll
MD5
869a1e6676fca19bc59856d9d06fa143

SHA1
75cf1b1e50977d3937db5a121235b2d476d45a8d

SHA256
b6e907ac487eb0fe755ab89dd30af1d888c199afb575afe02737299ede45ecae

SHA512
8c4f877ef00eb5de128bc36276b32b4b9c7ebeebaeecaaa6d67a713940d0d6abc1224bf5f525db8b2631685d7bf0190053d8fd615488b3eb19aa13be23a9e8cf

Download Submit
\Users\Admin\AppData\Local\Temp\{71688083-99e8-4e10-9522-8e98a130c438}\.ba1\mbahost.dll
MD5
fe7968a25d40e940eba0ed10e420b0b8

SHA1
12d89db5ec0bd6aa4980141cc420b5a2fa01a5ec

SHA256
1c94f023d5d246551451229676132bb0be239129963be24394b13e090db69dee

SHA512
f6135e9842dfb4d717e7d496957090b27549dbe46a5845271c83be054f7fe0236bf1f75811a80a0502bf6123bf342c11ac0f1a603d59785841d42d197ed90134

Download Submit
memory/788-60-0x0000000075451000-0x0000000075453000-memory.dmp

Filesize
8KB

Download
memory/788-61-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1524-77-0x000000002F481000-0x000000002F484000-memory.dmp

Filesize
12KB

Download
memory/1524-79-0x0000000070861000-0x0000000070863000-memory.dmp

Filesize
8KB

Download
memory/1524-84-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1780-85-0x0000000003651000-0x0000000003652000-memory.dmp

Filesize
4KB

Download
memory/1780-102-0x0000000003675000-0x0000000003676000-memory.dmp

Filesize
4KB

Download
memory/1780-87-0x0000000003654000-0x0000000003656000-memory.dmp

Filesize
8KB

Download
memory/1780-80-0x0000000003650000-0x0000000003651000-memory.dmp

Filesize
4KB

Download
memory/1780-107-0x000000000366F000-0x0000000003670000-memory.dmp

Filesize
4KB

Download
memory/1780-73-0x0000000000000000-mapping.dmp

Download
memory/1780-110-0x000000000367B000-0x000000000367C000-memory.dmp

Filesize
4KB

Download
memory/1780-93-0x0000000003656000-0x0000000003657000-memory.dmp

Filesize
4KB

Download
memory/1780-94-0x000000000365B000-0x000000000366C000-memory.dmp

Filesize
68KB

Download
memory/1780-95-0x000000007EF40000-0x000000007EF41000-memory.dmp

Filesize
4KB

Download
memory/1780-105-0x0000000003679000-0x000000000367A000-memory.dmp

Filesize
4KB

Download
memory/1780-104-0x0000000003677000-0x0000000003678000-memory.dmp

Filesize
4KB

Download
memory/1780-103-0x0000000003676000-0x0000000003677000-memory.dmp

Filesize
4KB

Download
memory/1780-86-0x0000000003652000-0x0000000003653000-memory.dmp

Filesize
4KB

Download
memory/1780-101-0x0000000003673000-0x0000000003674000-memory.dmp

Filesize
4KB

Download
memory/1780-100-0x0000000003674000-0x0000000003675000-memory.dmp

Filesize
4KB

Download
memory/1780-99-0x0000000003672000-0x0000000003673000-memory.dmp

Filesize
4KB

Download
memory/1780-98-0x000000000366D000-0x000000000366E000-memory.dmp

Filesize
4KB

Download
memory/1780-97-0x000000000366E000-0x000000000366F000-memory.dmp

Filesize
4KB

Download
memory/1780-96-0x000000000366C000-0x000000000366D000-memory.dmp

Filesize
4KB

Download
memory/1780-106-0x0000000003678000-0x0000000003679000-memory.dmp

Filesize
4KB

Download
memory/1780-109-0x0000000003670000-0x0000000003671000-memory.dmp

Filesize
4KB

Download
memory/1780-108-0x0000000003671000-0x0000000003672000-memory.dmp

Filesize
4KB

Download
memory/1996-63-0x0000000000000000-mapping.dmp

Download
memory/2008-69-0x0000000000000000-mapping.dmp

Download
memory/2008-76-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download

description	pid	process	target process
PID 788 wrote to memory of 1996	788	dc5309715df45bcbde4b8e75dc4164a542cbfc08550349c509f7278349baa0ac.exe	._cache_dc5309715df45bcbde4b8e75dc4164a542cbfc08550349c509f7278349baa0ac.exe
PID 788 wrote to memory of 1996	788	dc5309715df45bcbde4b8e75dc4164a542cbfc08550349c509f7278349baa0ac.exe	._cache_dc5309715df45bcbde4b8e75dc4164a542cbfc08550349c509f7278349baa0ac.exe
PID 788 wrote to memory of 1996	788	dc5309715df45bcbde4b8e75dc4164a542cbfc08550349c509f7278349baa0ac.exe	._cache_dc5309715df45bcbde4b8e75dc4164a542cbfc08550349c509f7278349baa0ac.exe
PID 788 wrote to memory of 1996	788	dc5309715df45bcbde4b8e75dc4164a542cbfc08550349c509f7278349baa0ac.exe	._cache_dc5309715df45bcbde4b8e75dc4164a542cbfc08550349c509f7278349baa0ac.exe
PID 788 wrote to memory of 1996	788	dc5309715df45bcbde4b8e75dc4164a542cbfc08550349c509f7278349baa0ac.exe	._cache_dc5309715df45bcbde4b8e75dc4164a542cbfc08550349c509f7278349baa0ac.exe
PID 788 wrote to memory of 1996	788	dc5309715df45bcbde4b8e75dc4164a542cbfc08550349c509f7278349baa0ac.exe	._cache_dc5309715df45bcbde4b8e75dc4164a542cbfc08550349c509f7278349baa0ac.exe
PID 788 wrote to memory of 1996	788	dc5309715df45bcbde4b8e75dc4164a542cbfc08550349c509f7278349baa0ac.exe	._cache_dc5309715df45bcbde4b8e75dc4164a542cbfc08550349c509f7278349baa0ac.exe
PID 788 wrote to memory of 2008	788	dc5309715df45bcbde4b8e75dc4164a542cbfc08550349c509f7278349baa0ac.exe	Synaptics.exe
PID 788 wrote to memory of 2008	788	dc5309715df45bcbde4b8e75dc4164a542cbfc08550349c509f7278349baa0ac.exe	Synaptics.exe
PID 788 wrote to memory of 2008	788	dc5309715df45bcbde4b8e75dc4164a542cbfc08550349c509f7278349baa0ac.exe	Synaptics.exe
PID 788 wrote to memory of 2008	788	dc5309715df45bcbde4b8e75dc4164a542cbfc08550349c509f7278349baa0ac.exe	Synaptics.exe
PID 1996 wrote to memory of 1780	1996	._cache_dc5309715df45bcbde4b8e75dc4164a542cbfc08550349c509f7278349baa0ac.exe	._cache_dc5309715df45bcbde4b8e75dc4164a542cbfc08550349c509f7278349baa0ac.exe
PID 1996 wrote to memory of 1780	1996	._cache_dc5309715df45bcbde4b8e75dc4164a542cbfc08550349c509f7278349baa0ac.exe	._cache_dc5309715df45bcbde4b8e75dc4164a542cbfc08550349c509f7278349baa0ac.exe
PID 1996 wrote to memory of 1780	1996	._cache_dc5309715df45bcbde4b8e75dc4164a542cbfc08550349c509f7278349baa0ac.exe	._cache_dc5309715df45bcbde4b8e75dc4164a542cbfc08550349c509f7278349baa0ac.exe
PID 1996 wrote to memory of 1780	1996	._cache_dc5309715df45bcbde4b8e75dc4164a542cbfc08550349c509f7278349baa0ac.exe	._cache_dc5309715df45bcbde4b8e75dc4164a542cbfc08550349c509f7278349baa0ac.exe
PID 1996 wrote to memory of 1780	1996	._cache_dc5309715df45bcbde4b8e75dc4164a542cbfc08550349c509f7278349baa0ac.exe	._cache_dc5309715df45bcbde4b8e75dc4164a542cbfc08550349c509f7278349baa0ac.exe
PID 1996 wrote to memory of 1780	1996	._cache_dc5309715df45bcbde4b8e75dc4164a542cbfc08550349c509f7278349baa0ac.exe	._cache_dc5309715df45bcbde4b8e75dc4164a542cbfc08550349c509f7278349baa0ac.exe
PID 1996 wrote to memory of 1780	1996	._cache_dc5309715df45bcbde4b8e75dc4164a542cbfc08550349c509f7278349baa0ac.exe	._cache_dc5309715df45bcbde4b8e75dc4164a542cbfc08550349c509f7278349baa0ac.exe