asyncrat | d054e33de2d63966c68b44dd1d1de8a9b7abb76781100fe82423c80e112d4580

Analysis

max time kernel
151s
max time network
146s
platform
windows7_x64
resource
win7-en-20211208
submitted
26-01-2022 01:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bff363a92ac43ff249652a83dadc02ab.exe
Size

2.0MB
MD5

bff363a92ac43ff249652a83dadc02ab
SHA1

3c7b47a3f4dc3c8555b656505244886cb3a172f5
SHA256

d054e33de2d63966c68b44dd1d1de8a9b7abb76781100fe82423c80e112d4580
SHA512

8ceef643926251a6d6b5ffee6e662b68580992117d98dbd24ccfde5cdad429ce4719a92c63f470c2857272330c9f3a4a2d7f175a6300d6b1833a387f4b841d29

Score

10^/10

asyncrat nanocore evasion keylogger macro persistence rat spyware stealer suricata trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

chivalrous-condition.auto.playit.gg:53811

127.0.0.1:53811

Mutex

fd5fd13e-0f57-4bfb-84a4-034a7f99c7fe

Attributes

activate_away_mode
true
backup_connection_host
127.0.0.1
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2021-10-27T11:20:06.412816736Z
bypass_user_account_control
false
bypass_user_account_control_data
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
53811
default_group
Default
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
fd5fd13e-0f57-4bfb-84a4-034a7f99c7fe
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
chivalrous-condition.auto.playit.gg
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat
NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
suricata: ET MALWARE Possible NanoCore C2 60B
suricata: ET MALWARE Possible NanoCore C2 60B
suricata

Async RAT payload 23 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/336-65-0x0000000000400000-0x00000000005CB000-memory.dmp	asyncrat
behavioral1/memory/336-67-0x0000000000400000-0x00000000005CB000-memory.dmp	asyncrat
\Users\Admin\AppData\Local\Temp\._cache_bff363a92ac43ff249652a83dadc02ab.exe	asyncrat
\Users\Admin\AppData\Local\Temp\._cache_bff363a92ac43ff249652a83dadc02ab.exe	asyncrat
C:\Users\Admin\AppData\Local\Temp\._cache_bff363a92ac43ff249652a83dadc02ab.exe	asyncrat
behavioral1/memory/1068-81-0x00000000013E0000-0x00000000013F2000-memory.dmp	asyncrat
C:\Users\Admin\AppData\Local\Temp\SYSTEM32.EXE	asyncrat
C:\Users\Admin\AppData\Local\Temp\SYSTEM32.EXE	asyncrat
\Users\Admin\AppData\Local\Temp\SYSTEM32.EXE	asyncrat
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe	asyncrat
\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe	asyncrat
\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe	asyncrat
behavioral1/memory/1396-119-0x0000000000400000-0x00000000005CB000-memory.dmp	asyncrat
\Users\Admin\AppData\Local\Temp\SYSTEM32.EXE	asyncrat
C:\Users\Admin\AppData\Local\Temp\SYSTEM32.EXE	asyncrat
\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe	asyncrat
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe	asyncrat
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe	asyncrat
\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe	asyncrat
\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe	asyncrat
behavioral1/memory/1500-152-0x0000000000400000-0x00000000005CB000-memory.dmp	asyncrat
\Users\Admin\AppData\Local\Temp\SYSTEM32.EXE	asyncrat
C:\Users\Admin\AppData\Local\Temp\SYSTEM32.EXE	asyncrat

Executes dropped EXE 16 IoCs

Processes:

._cache_bff363a92ac43ff249652a83dadc02ab.exeSynaptics.exeSYSTEM32.EXEWINDOWS.EXE._cache_WINDOWS.EXESynaptics.exeSynaptics.exe._cache_Synaptics.exeSYSTEM32.EXEWINDOWS.EXE._cache_WINDOWS.EXESynaptics.exe._cache_Synaptics.exeSYSTEM32.EXEWINDOWS.EXE._cache_WINDOWS.EXE

pid	process
1056	._cache_bff363a92ac43ff249652a83dadc02ab.exe
2012	Synaptics.exe
1068	SYSTEM32.EXE
1572	WINDOWS.EXE
808	._cache_WINDOWS.EXE
1116	Synaptics.exe
1396	Synaptics.exe
336	._cache_Synaptics.exe
1624	SYSTEM32.EXE
1948	WINDOWS.EXE
1140	._cache_WINDOWS.EXE
1500	Synaptics.exe
1300	._cache_Synaptics.exe
1528	SYSTEM32.EXE
1772	WINDOWS.EXE
992	._cache_WINDOWS.EXE

Suspicious Office macro 1 IoCs

Office document equipped with macros.

macro

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\s3uN3Jx2.xlsm	office_macros

Loads dropped DLL 30 IoCs

Processes:

bff363a92ac43ff249652a83dadc02ab.exe._cache_bff363a92ac43ff249652a83dadc02ab.exeWINDOWS.EXESynaptics.exe._cache_Synaptics.exeWINDOWS.EXESynaptics.exe._cache_Synaptics.exeWINDOWS.EXE

pid	process
336	bff363a92ac43ff249652a83dadc02ab.exe
336	bff363a92ac43ff249652a83dadc02ab.exe
336	bff363a92ac43ff249652a83dadc02ab.exe
1056	._cache_bff363a92ac43ff249652a83dadc02ab.exe
1056	._cache_bff363a92ac43ff249652a83dadc02ab.exe
1056	._cache_bff363a92ac43ff249652a83dadc02ab.exe
1572	WINDOWS.EXE
1572	WINDOWS.EXE
1572	WINDOWS.EXE
1396	Synaptics.exe
1396	Synaptics.exe
1396	Synaptics.exe
336	._cache_Synaptics.exe
336	._cache_Synaptics.exe
336	._cache_Synaptics.exe
1948	WINDOWS.EXE
1948	WINDOWS.EXE
1948	WINDOWS.EXE
1948	WINDOWS.EXE
1500	Synaptics.exe
1500	Synaptics.exe
1500	Synaptics.exe
1500	Synaptics.exe
1300	._cache_Synaptics.exe
1300	._cache_Synaptics.exe
1300	._cache_Synaptics.exe
1772	WINDOWS.EXE
1772	WINDOWS.EXE
1772	WINDOWS.EXE
1772	WINDOWS.EXE

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

bff363a92ac43ff249652a83dadc02ab.exeWINDOWS.EXE._cache_WINDOWS.EXE

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	bff363a92ac43ff249652a83dadc02ab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	WINDOWS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SAAS Monitor = "C:\\Program Files (x86)\\SAAS Monitor\\saasmon.exe"	._cache_WINDOWS.EXE

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

._cache_WINDOWS.EXE

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ._cache_WINDOWS.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	._cache_WINDOWS.EXE

Suspicious use of SetThreadContext 3 IoCs

Processes:

bff363a92ac43ff249652a83dadc02ab.exeSynaptics.exeSynaptics.exe

description	pid	process	target process
PID 1640 set thread context of 336	1640	bff363a92ac43ff249652a83dadc02ab.exe	bff363a92ac43ff249652a83dadc02ab.exe
PID 2012 set thread context of 1396	2012	Synaptics.exe	Synaptics.exe
PID 1116 set thread context of 1500	1116	Synaptics.exe	Synaptics.exe

Drops file in Program Files directory 2 IoCs

Processes:

._cache_WINDOWS.EXE

description	ioc	process
File created	C:\Program Files (x86)\SAAS Monitor\saasmon.exe	._cache_WINDOWS.EXE
File opened for modification	C:\Program Files (x86)\SAAS Monitor\saasmon.exe	._cache_WINDOWS.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

700 schtasks.exe
920 schtasks.exe
Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE

pid	process
700	schtasks.exe
920	schtasks.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

Processes:

EXCEL.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE

Modifies registry class 64 IoCs

Processes:

EXCEL.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

864 EXCEL.EXE

pid	process
864	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

._cache_WINDOWS.EXE

pid	process
808	._cache_WINDOWS.EXE
808	._cache_WINDOWS.EXE
808	._cache_WINDOWS.EXE
808	._cache_WINDOWS.EXE
808	._cache_WINDOWS.EXE
808	._cache_WINDOWS.EXE
808	._cache_WINDOWS.EXE
808	._cache_WINDOWS.EXE
808	._cache_WINDOWS.EXE
808	._cache_WINDOWS.EXE
808	._cache_WINDOWS.EXE
808	._cache_WINDOWS.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

._cache_WINDOWS.EXE

pid process

808 ._cache_WINDOWS.EXE
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

._cache_WINDOWS.EXESYSTEM32.EXE

description pid process

Token: SeDebugPrivilege 808 ._cache_WINDOWS.EXE
Token: SeDebugPrivilege 1068 SYSTEM32.EXE
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

EXCEL.EXE

pid process

864 EXCEL.EXE

description	pid	process
Token: SeDebugPrivilege	808	._cache_WINDOWS.EXE
Token: SeDebugPrivilege	1068	SYSTEM32.EXE

pid	process
864	EXCEL.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

bff363a92ac43ff249652a83dadc02ab.exebff363a92ac43ff249652a83dadc02ab.exe._cache_bff363a92ac43ff249652a83dadc02ab.exeWINDOWS.EXE._cache_WINDOWS.EXESynaptics.exeSynaptics.exe._cache_Synaptics.exe

description	pid	process	target process
PID 1640 wrote to memory of 336	1640	bff363a92ac43ff249652a83dadc02ab.exe	bff363a92ac43ff249652a83dadc02ab.exe
PID 1640 wrote to memory of 336	1640	bff363a92ac43ff249652a83dadc02ab.exe	bff363a92ac43ff249652a83dadc02ab.exe
PID 1640 wrote to memory of 336	1640	bff363a92ac43ff249652a83dadc02ab.exe	bff363a92ac43ff249652a83dadc02ab.exe
PID 1640 wrote to memory of 336	1640	bff363a92ac43ff249652a83dadc02ab.exe	bff363a92ac43ff249652a83dadc02ab.exe
PID 1640 wrote to memory of 336	1640	bff363a92ac43ff249652a83dadc02ab.exe	bff363a92ac43ff249652a83dadc02ab.exe
PID 1640 wrote to memory of 336	1640	bff363a92ac43ff249652a83dadc02ab.exe	bff363a92ac43ff249652a83dadc02ab.exe
PID 1640 wrote to memory of 336	1640	bff363a92ac43ff249652a83dadc02ab.exe	bff363a92ac43ff249652a83dadc02ab.exe
PID 1640 wrote to memory of 336	1640	bff363a92ac43ff249652a83dadc02ab.exe	bff363a92ac43ff249652a83dadc02ab.exe
PID 1640 wrote to memory of 336	1640	bff363a92ac43ff249652a83dadc02ab.exe	bff363a92ac43ff249652a83dadc02ab.exe
PID 1640 wrote to memory of 336	1640	bff363a92ac43ff249652a83dadc02ab.exe	bff363a92ac43ff249652a83dadc02ab.exe
PID 1640 wrote to memory of 336	1640	bff363a92ac43ff249652a83dadc02ab.exe	bff363a92ac43ff249652a83dadc02ab.exe
PID 1640 wrote to memory of 336	1640	bff363a92ac43ff249652a83dadc02ab.exe	bff363a92ac43ff249652a83dadc02ab.exe
PID 336 wrote to memory of 1056	336	bff363a92ac43ff249652a83dadc02ab.exe	._cache_bff363a92ac43ff249652a83dadc02ab.exe
PID 336 wrote to memory of 1056	336	bff363a92ac43ff249652a83dadc02ab.exe	._cache_bff363a92ac43ff249652a83dadc02ab.exe
PID 336 wrote to memory of 1056	336	bff363a92ac43ff249652a83dadc02ab.exe	._cache_bff363a92ac43ff249652a83dadc02ab.exe
PID 336 wrote to memory of 1056	336	bff363a92ac43ff249652a83dadc02ab.exe	._cache_bff363a92ac43ff249652a83dadc02ab.exe
PID 336 wrote to memory of 2012	336	bff363a92ac43ff249652a83dadc02ab.exe	Synaptics.exe
PID 336 wrote to memory of 2012	336	bff363a92ac43ff249652a83dadc02ab.exe	Synaptics.exe
PID 336 wrote to memory of 2012	336	bff363a92ac43ff249652a83dadc02ab.exe	Synaptics.exe
PID 336 wrote to memory of 2012	336	bff363a92ac43ff249652a83dadc02ab.exe	Synaptics.exe
PID 1056 wrote to memory of 1068	1056	._cache_bff363a92ac43ff249652a83dadc02ab.exe	SYSTEM32.EXE
PID 1056 wrote to memory of 1068	1056	._cache_bff363a92ac43ff249652a83dadc02ab.exe	SYSTEM32.EXE
PID 1056 wrote to memory of 1068	1056	._cache_bff363a92ac43ff249652a83dadc02ab.exe	SYSTEM32.EXE
PID 1056 wrote to memory of 1068	1056	._cache_bff363a92ac43ff249652a83dadc02ab.exe	SYSTEM32.EXE
PID 1056 wrote to memory of 1572	1056	._cache_bff363a92ac43ff249652a83dadc02ab.exe	WINDOWS.EXE
PID 1056 wrote to memory of 1572	1056	._cache_bff363a92ac43ff249652a83dadc02ab.exe	WINDOWS.EXE
PID 1056 wrote to memory of 1572	1056	._cache_bff363a92ac43ff249652a83dadc02ab.exe	WINDOWS.EXE
PID 1056 wrote to memory of 1572	1056	._cache_bff363a92ac43ff249652a83dadc02ab.exe	WINDOWS.EXE
PID 1572 wrote to memory of 808	1572	WINDOWS.EXE	._cache_WINDOWS.EXE
PID 1572 wrote to memory of 808	1572	WINDOWS.EXE	._cache_WINDOWS.EXE
PID 1572 wrote to memory of 808	1572	WINDOWS.EXE	._cache_WINDOWS.EXE
PID 1572 wrote to memory of 808	1572	WINDOWS.EXE	._cache_WINDOWS.EXE
PID 1572 wrote to memory of 1116	1572	WINDOWS.EXE	Synaptics.exe
PID 1572 wrote to memory of 1116	1572	WINDOWS.EXE	Synaptics.exe
PID 1572 wrote to memory of 1116	1572	WINDOWS.EXE	Synaptics.exe
PID 1572 wrote to memory of 1116	1572	WINDOWS.EXE	Synaptics.exe
PID 808 wrote to memory of 700	808	._cache_WINDOWS.EXE	schtasks.exe
PID 808 wrote to memory of 700	808	._cache_WINDOWS.EXE	schtasks.exe
PID 808 wrote to memory of 700	808	._cache_WINDOWS.EXE	schtasks.exe
PID 808 wrote to memory of 700	808	._cache_WINDOWS.EXE	schtasks.exe
PID 808 wrote to memory of 920	808	._cache_WINDOWS.EXE	schtasks.exe
PID 808 wrote to memory of 920	808	._cache_WINDOWS.EXE	schtasks.exe
PID 808 wrote to memory of 920	808	._cache_WINDOWS.EXE	schtasks.exe
PID 808 wrote to memory of 920	808	._cache_WINDOWS.EXE	schtasks.exe
PID 2012 wrote to memory of 1396	2012	Synaptics.exe	Synaptics.exe
PID 2012 wrote to memory of 1396	2012	Synaptics.exe	Synaptics.exe
PID 2012 wrote to memory of 1396	2012	Synaptics.exe	Synaptics.exe
PID 2012 wrote to memory of 1396	2012	Synaptics.exe	Synaptics.exe
PID 2012 wrote to memory of 1396	2012	Synaptics.exe	Synaptics.exe
PID 2012 wrote to memory of 1396	2012	Synaptics.exe	Synaptics.exe
PID 2012 wrote to memory of 1396	2012	Synaptics.exe	Synaptics.exe
PID 2012 wrote to memory of 1396	2012	Synaptics.exe	Synaptics.exe
PID 2012 wrote to memory of 1396	2012	Synaptics.exe	Synaptics.exe
PID 2012 wrote to memory of 1396	2012	Synaptics.exe	Synaptics.exe
PID 2012 wrote to memory of 1396	2012	Synaptics.exe	Synaptics.exe
PID 2012 wrote to memory of 1396	2012	Synaptics.exe	Synaptics.exe
PID 1396 wrote to memory of 336	1396	Synaptics.exe	._cache_Synaptics.exe
PID 1396 wrote to memory of 336	1396	Synaptics.exe	._cache_Synaptics.exe
PID 1396 wrote to memory of 336	1396	Synaptics.exe	._cache_Synaptics.exe
PID 1396 wrote to memory of 336	1396	Synaptics.exe	._cache_Synaptics.exe
PID 336 wrote to memory of 1624	336	._cache_Synaptics.exe	SYSTEM32.EXE
PID 336 wrote to memory of 1624	336	._cache_Synaptics.exe	SYSTEM32.EXE
PID 336 wrote to memory of 1624	336	._cache_Synaptics.exe	SYSTEM32.EXE
PID 336 wrote to memory of 1624	336	._cache_Synaptics.exe	SYSTEM32.EXE

C:\Users\Admin\AppData\Local\Temp\bff363a92ac43ff249652a83dadc02ab.exe
"C:\Users\Admin\AppData\Local\Temp\bff363a92ac43ff249652a83dadc02ab.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1640

C:\Users\Admin\AppData\Local\Temp\bff363a92ac43ff249652a83dadc02ab.exe
"C:\Users\Admin\AppData\Local\Temp\bff363a92ac43ff249652a83dadc02ab.exe"
2⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:336

C:\Users\Admin\AppData\Local\Temp\._cache_bff363a92ac43ff249652a83dadc02ab.exe
"C:\Users\Admin\AppData\Local\Temp\._cache_bff363a92ac43ff249652a83dadc02ab.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1056

C:\Users\Admin\AppData\Local\Temp\SYSTEM32.EXE
"C:\Users\Admin\AppData\Local\Temp\SYSTEM32.EXE"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1068

C:\Users\Admin\AppData\Local\Temp\WINDOWS.EXE
"C:\Users\Admin\AppData\Local\Temp\WINDOWS.EXE"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1572

C:\Users\Admin\AppData\Local\Temp\._cache_WINDOWS.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache_WINDOWS.EXE"
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:808

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "SAAS Monitor" /xml "C:\Users\Admin\AppData\Local\Temp\tmpC87D.tmp"
6⤵
- Creates scheduled task(s)
PID:700

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "SAAS Monitor Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpC9C6.tmp"
6⤵
- Creates scheduled task(s)
PID:920

C:\ProgramData\Synaptics\Synaptics.exe
"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1116

C:\ProgramData\Synaptics\Synaptics.exe
"C:\ProgramData\Synaptics\Synaptics.exe"
6⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1500

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe"
7⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1300

C:\Users\Admin\AppData\Local\Temp\SYSTEM32.EXE
"C:\Users\Admin\AppData\Local\Temp\SYSTEM32.EXE"
8⤵
- Executes dropped EXE
PID:1528

C:\Users\Admin\AppData\Local\Temp\WINDOWS.EXE
"C:\Users\Admin\AppData\Local\Temp\WINDOWS.EXE"
8⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1772

C:\Users\Admin\AppData\Local\Temp\._cache_WINDOWS.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache_WINDOWS.EXE"
9⤵
- Executes dropped EXE
PID:992

C:\ProgramData\Synaptics\Synaptics.exe
"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2012

C:\ProgramData\Synaptics\Synaptics.exe
"C:\ProgramData\Synaptics\Synaptics.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1396

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:336

C:\Users\Admin\AppData\Local\Temp\SYSTEM32.EXE
"C:\Users\Admin\AppData\Local\Temp\SYSTEM32.EXE"
6⤵
- Executes dropped EXE
PID:1624

C:\Users\Admin\AppData\Local\Temp\WINDOWS.EXE
"C:\Users\Admin\AppData\Local\Temp\WINDOWS.EXE"
6⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1948

C:\Users\Admin\AppData\Local\Temp\._cache_WINDOWS.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache_WINDOWS.EXE"
7⤵
- Executes dropped EXE
PID:1140

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:864

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe
MD5
bff363a92ac43ff249652a83dadc02ab

SHA1
3c7b47a3f4dc3c8555b656505244886cb3a172f5

SHA256
d054e33de2d63966c68b44dd1d1de8a9b7abb76781100fe82423c80e112d4580

SHA512
8ceef643926251a6d6b5ffee6e662b68580992117d98dbd24ccfde5cdad429ce4719a92c63f470c2857272330c9f3a4a2d7f175a6300d6b1833a387f4b841d29

Download Submit
C:\ProgramData\Synaptics\Synaptics.exe
MD5
bff363a92ac43ff249652a83dadc02ab

SHA1
3c7b47a3f4dc3c8555b656505244886cb3a172f5

SHA256
d054e33de2d63966c68b44dd1d1de8a9b7abb76781100fe82423c80e112d4580

SHA512
8ceef643926251a6d6b5ffee6e662b68580992117d98dbd24ccfde5cdad429ce4719a92c63f470c2857272330c9f3a4a2d7f175a6300d6b1833a387f4b841d29

Download Submit
C:\ProgramData\Synaptics\Synaptics.exe
MD5
bff363a92ac43ff249652a83dadc02ab

SHA1
3c7b47a3f4dc3c8555b656505244886cb3a172f5

SHA256
d054e33de2d63966c68b44dd1d1de8a9b7abb76781100fe82423c80e112d4580

SHA512
8ceef643926251a6d6b5ffee6e662b68580992117d98dbd24ccfde5cdad429ce4719a92c63f470c2857272330c9f3a4a2d7f175a6300d6b1833a387f4b841d29

Download Submit
C:\ProgramData\Synaptics\Synaptics.exe
MD5
bff363a92ac43ff249652a83dadc02ab

SHA1
3c7b47a3f4dc3c8555b656505244886cb3a172f5

SHA256
d054e33de2d63966c68b44dd1d1de8a9b7abb76781100fe82423c80e112d4580

SHA512
8ceef643926251a6d6b5ffee6e662b68580992117d98dbd24ccfde5cdad429ce4719a92c63f470c2857272330c9f3a4a2d7f175a6300d6b1833a387f4b841d29

Download Submit
C:\ProgramData\Synaptics\Synaptics.exe
MD5
bff363a92ac43ff249652a83dadc02ab

SHA1
3c7b47a3f4dc3c8555b656505244886cb3a172f5

SHA256
d054e33de2d63966c68b44dd1d1de8a9b7abb76781100fe82423c80e112d4580

SHA512
8ceef643926251a6d6b5ffee6e662b68580992117d98dbd24ccfde5cdad429ce4719a92c63f470c2857272330c9f3a4a2d7f175a6300d6b1833a387f4b841d29

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
MD5
3a5072a9a5dc35dfb99a59f67c3dc6c0

SHA1
335398bb44927ddb18905221c52a89aa101a3c7f

SHA256
29bf88f94ffab5559b5af5a9db05cfdbe2beeb81301f1e64e851cfa925c930ac

SHA512
b3b11f8e5b495c873a8afa58fdc2f2fef7e7d610a50516fb701dab1197ac11a63e5f857f9b6ecf1a9b33fdf0d875ecf59695be83ff35afcbc23f8293d068e8fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
MD5
3a5072a9a5dc35dfb99a59f67c3dc6c0

SHA1
335398bb44927ddb18905221c52a89aa101a3c7f

SHA256
29bf88f94ffab5559b5af5a9db05cfdbe2beeb81301f1e64e851cfa925c930ac

SHA512
b3b11f8e5b495c873a8afa58fdc2f2fef7e7d610a50516fb701dab1197ac11a63e5f857f9b6ecf1a9b33fdf0d875ecf59695be83ff35afcbc23f8293d068e8fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
MD5
3a5072a9a5dc35dfb99a59f67c3dc6c0

SHA1
335398bb44927ddb18905221c52a89aa101a3c7f

SHA256
29bf88f94ffab5559b5af5a9db05cfdbe2beeb81301f1e64e851cfa925c930ac

SHA512
b3b11f8e5b495c873a8afa58fdc2f2fef7e7d610a50516fb701dab1197ac11a63e5f857f9b6ecf1a9b33fdf0d875ecf59695be83ff35afcbc23f8293d068e8fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_WINDOWS.EXE
MD5
568e6a074378730cee0947c4c796372d

SHA1
7688894728b8207756f52384798e394de8d54070

SHA256
2f990b69464dab55b2ebc8f6a302fe09e5767844b4afb71b43a20a6c2ea48d8d

SHA512
250a1215fd28e4cd5f6da3e72b42a88f93664d4a2484d29f6141a81ef4968872b86379fb54aaf2e645d46ef8c881e43d1c32392dc3f7c381a86c252d7bdb2730

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_WINDOWS.EXE
MD5
568e6a074378730cee0947c4c796372d

SHA1
7688894728b8207756f52384798e394de8d54070

SHA256
2f990b69464dab55b2ebc8f6a302fe09e5767844b4afb71b43a20a6c2ea48d8d

SHA512
250a1215fd28e4cd5f6da3e72b42a88f93664d4a2484d29f6141a81ef4968872b86379fb54aaf2e645d46ef8c881e43d1c32392dc3f7c381a86c252d7bdb2730

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_WINDOWS.EXE
MD5
568e6a074378730cee0947c4c796372d

SHA1
7688894728b8207756f52384798e394de8d54070

SHA256
2f990b69464dab55b2ebc8f6a302fe09e5767844b4afb71b43a20a6c2ea48d8d

SHA512
250a1215fd28e4cd5f6da3e72b42a88f93664d4a2484d29f6141a81ef4968872b86379fb54aaf2e645d46ef8c881e43d1c32392dc3f7c381a86c252d7bdb2730

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_WINDOWS.EXE
MD5
568e6a074378730cee0947c4c796372d

SHA1
7688894728b8207756f52384798e394de8d54070

SHA256
2f990b69464dab55b2ebc8f6a302fe09e5767844b4afb71b43a20a6c2ea48d8d

SHA512
250a1215fd28e4cd5f6da3e72b42a88f93664d4a2484d29f6141a81ef4968872b86379fb54aaf2e645d46ef8c881e43d1c32392dc3f7c381a86c252d7bdb2730

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_bff363a92ac43ff249652a83dadc02ab.exe
MD5
3a5072a9a5dc35dfb99a59f67c3dc6c0

SHA1
335398bb44927ddb18905221c52a89aa101a3c7f

SHA256
29bf88f94ffab5559b5af5a9db05cfdbe2beeb81301f1e64e851cfa925c930ac

SHA512
b3b11f8e5b495c873a8afa58fdc2f2fef7e7d610a50516fb701dab1197ac11a63e5f857f9b6ecf1a9b33fdf0d875ecf59695be83ff35afcbc23f8293d068e8fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\SYSTEM32.EXE
MD5
807474fc253612359dc697e331f01b43

SHA1
d998bcdf573eb66781bbe931b2ca8b35492908ce

SHA256
1e2b305d0a5ce914591f712fe0b53be279d0ec8e598cec95fa6cfdc6cb94c4b5

SHA512
c2916e62d8b7b0ad214d57e2dc0dd5b0f910e06f2d070e0390612fd33c2ee416f252fba4fe3f523114acc14924bcfda105a9b4379ad443f1010bb29010b83adf

Download Submit
C:\Users\Admin\AppData\Local\Temp\SYSTEM32.EXE
MD5
807474fc253612359dc697e331f01b43

SHA1
d998bcdf573eb66781bbe931b2ca8b35492908ce

SHA256
1e2b305d0a5ce914591f712fe0b53be279d0ec8e598cec95fa6cfdc6cb94c4b5

SHA512
c2916e62d8b7b0ad214d57e2dc0dd5b0f910e06f2d070e0390612fd33c2ee416f252fba4fe3f523114acc14924bcfda105a9b4379ad443f1010bb29010b83adf

Download Submit
C:\Users\Admin\AppData\Local\Temp\SYSTEM32.EXE
MD5
807474fc253612359dc697e331f01b43

SHA1
d998bcdf573eb66781bbe931b2ca8b35492908ce

SHA256
1e2b305d0a5ce914591f712fe0b53be279d0ec8e598cec95fa6cfdc6cb94c4b5

SHA512
c2916e62d8b7b0ad214d57e2dc0dd5b0f910e06f2d070e0390612fd33c2ee416f252fba4fe3f523114acc14924bcfda105a9b4379ad443f1010bb29010b83adf

Download Submit
C:\Users\Admin\AppData\Local\Temp\SYSTEM32.EXE
MD5
807474fc253612359dc697e331f01b43

SHA1
d998bcdf573eb66781bbe931b2ca8b35492908ce

SHA256
1e2b305d0a5ce914591f712fe0b53be279d0ec8e598cec95fa6cfdc6cb94c4b5

SHA512
c2916e62d8b7b0ad214d57e2dc0dd5b0f910e06f2d070e0390612fd33c2ee416f252fba4fe3f523114acc14924bcfda105a9b4379ad443f1010bb29010b83adf

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINDOWS.EXE
MD5
6278f321b0b9c85a0df4e485a8de7993

SHA1
48fe65a144aee7a9b437d7c8ae9bd5bfe5409d81

SHA256
4dc8cc4ecd4d173a024c221c61f282028bd03967c631ec6827544a36d036952a

SHA512
fdba000c5ab7ba6aaa4e2f94f248003d3505206b3b23aa03565bf0c36fa4c4a7654498a5002a979cb9d042e9f216fdfff21ecb4cb57883a0b2b35b020cdfeb6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINDOWS.EXE
MD5
6278f321b0b9c85a0df4e485a8de7993

SHA1
48fe65a144aee7a9b437d7c8ae9bd5bfe5409d81

SHA256
4dc8cc4ecd4d173a024c221c61f282028bd03967c631ec6827544a36d036952a

SHA512
fdba000c5ab7ba6aaa4e2f94f248003d3505206b3b23aa03565bf0c36fa4c4a7654498a5002a979cb9d042e9f216fdfff21ecb4cb57883a0b2b35b020cdfeb6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINDOWS.EXE
MD5
6278f321b0b9c85a0df4e485a8de7993

SHA1
48fe65a144aee7a9b437d7c8ae9bd5bfe5409d81

SHA256
4dc8cc4ecd4d173a024c221c61f282028bd03967c631ec6827544a36d036952a

SHA512
fdba000c5ab7ba6aaa4e2f94f248003d3505206b3b23aa03565bf0c36fa4c4a7654498a5002a979cb9d042e9f216fdfff21ecb4cb57883a0b2b35b020cdfeb6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINDOWS.EXE
MD5
6278f321b0b9c85a0df4e485a8de7993

SHA1
48fe65a144aee7a9b437d7c8ae9bd5bfe5409d81

SHA256
4dc8cc4ecd4d173a024c221c61f282028bd03967c631ec6827544a36d036952a

SHA512
fdba000c5ab7ba6aaa4e2f94f248003d3505206b3b23aa03565bf0c36fa4c4a7654498a5002a979cb9d042e9f216fdfff21ecb4cb57883a0b2b35b020cdfeb6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINDOWS.EXE
MD5
6278f321b0b9c85a0df4e485a8de7993

SHA1
48fe65a144aee7a9b437d7c8ae9bd5bfe5409d81

SHA256
4dc8cc4ecd4d173a024c221c61f282028bd03967c631ec6827544a36d036952a

SHA512
fdba000c5ab7ba6aaa4e2f94f248003d3505206b3b23aa03565bf0c36fa4c4a7654498a5002a979cb9d042e9f216fdfff21ecb4cb57883a0b2b35b020cdfeb6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINDOWS.EXE
MD5
6278f321b0b9c85a0df4e485a8de7993

SHA1
48fe65a144aee7a9b437d7c8ae9bd5bfe5409d81

SHA256
4dc8cc4ecd4d173a024c221c61f282028bd03967c631ec6827544a36d036952a

SHA512
fdba000c5ab7ba6aaa4e2f94f248003d3505206b3b23aa03565bf0c36fa4c4a7654498a5002a979cb9d042e9f216fdfff21ecb4cb57883a0b2b35b020cdfeb6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\s3uN3Jx2.xlsm
MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC87D.tmp
MD5
439ec901bf0da2068ffda706616c6c4e

SHA1
6d64adaf144e811e5a0fb3611d8fe1b9236c1c99

SHA256
333efedb8e51e6deb6a1f84ae2cb00c4395ce13546f62be6274c6831ed87d86f

SHA512
e88a318670b8dbc464bf17b4a7d2e4a433da4e4682306eb6a183912be6a157277b1c67d84b03b2e945cdbe491f282c938857d7e48462d4c01c8863b8ff7f04a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC9C6.tmp
MD5
8a92e4176a36b704a55c4888e04853e2

SHA1
6efbd8d0097e2632ca90083974b845f93e5b6a5c

SHA256
91f88494715f51246ed7255ad4bba50e2f5dec26bef203f31450a6a8e1443cdd

SHA512
4ea87f28391b022cfad5e0f695c2413a5addb18a6e9fdf9c56c4121253cf6e532110da8200b1c57b43ee85ed047f1530b1516a7c689c9574af069176114fa157

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\ProgramData\Synaptics\Synaptics.exe
MD5
bff363a92ac43ff249652a83dadc02ab

SHA1
3c7b47a3f4dc3c8555b656505244886cb3a172f5

SHA256
d054e33de2d63966c68b44dd1d1de8a9b7abb76781100fe82423c80e112d4580

SHA512
8ceef643926251a6d6b5ffee6e662b68580992117d98dbd24ccfde5cdad429ce4719a92c63f470c2857272330c9f3a4a2d7f175a6300d6b1833a387f4b841d29

Download Submit
\ProgramData\Synaptics\Synaptics.exe
MD5
bff363a92ac43ff249652a83dadc02ab

SHA1
3c7b47a3f4dc3c8555b656505244886cb3a172f5

SHA256
d054e33de2d63966c68b44dd1d1de8a9b7abb76781100fe82423c80e112d4580

SHA512
8ceef643926251a6d6b5ffee6e662b68580992117d98dbd24ccfde5cdad429ce4719a92c63f470c2857272330c9f3a4a2d7f175a6300d6b1833a387f4b841d29

Download Submit
\ProgramData\Synaptics\Synaptics.exe
MD5
bff363a92ac43ff249652a83dadc02ab

SHA1
3c7b47a3f4dc3c8555b656505244886cb3a172f5

SHA256
d054e33de2d63966c68b44dd1d1de8a9b7abb76781100fe82423c80e112d4580

SHA512
8ceef643926251a6d6b5ffee6e662b68580992117d98dbd24ccfde5cdad429ce4719a92c63f470c2857272330c9f3a4a2d7f175a6300d6b1833a387f4b841d29

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
MD5
3a5072a9a5dc35dfb99a59f67c3dc6c0

SHA1
335398bb44927ddb18905221c52a89aa101a3c7f

SHA256
29bf88f94ffab5559b5af5a9db05cfdbe2beeb81301f1e64e851cfa925c930ac

SHA512
b3b11f8e5b495c873a8afa58fdc2f2fef7e7d610a50516fb701dab1197ac11a63e5f857f9b6ecf1a9b33fdf0d875ecf59695be83ff35afcbc23f8293d068e8fa

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
MD5
3a5072a9a5dc35dfb99a59f67c3dc6c0

SHA1
335398bb44927ddb18905221c52a89aa101a3c7f

SHA256
29bf88f94ffab5559b5af5a9db05cfdbe2beeb81301f1e64e851cfa925c930ac

SHA512
b3b11f8e5b495c873a8afa58fdc2f2fef7e7d610a50516fb701dab1197ac11a63e5f857f9b6ecf1a9b33fdf0d875ecf59695be83ff35afcbc23f8293d068e8fa

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
MD5
3a5072a9a5dc35dfb99a59f67c3dc6c0

SHA1
335398bb44927ddb18905221c52a89aa101a3c7f

SHA256
29bf88f94ffab5559b5af5a9db05cfdbe2beeb81301f1e64e851cfa925c930ac

SHA512
b3b11f8e5b495c873a8afa58fdc2f2fef7e7d610a50516fb701dab1197ac11a63e5f857f9b6ecf1a9b33fdf0d875ecf59695be83ff35afcbc23f8293d068e8fa

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
MD5
3a5072a9a5dc35dfb99a59f67c3dc6c0

SHA1
335398bb44927ddb18905221c52a89aa101a3c7f

SHA256
29bf88f94ffab5559b5af5a9db05cfdbe2beeb81301f1e64e851cfa925c930ac

SHA512
b3b11f8e5b495c873a8afa58fdc2f2fef7e7d610a50516fb701dab1197ac11a63e5f857f9b6ecf1a9b33fdf0d875ecf59695be83ff35afcbc23f8293d068e8fa

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
MD5
3a5072a9a5dc35dfb99a59f67c3dc6c0

SHA1
335398bb44927ddb18905221c52a89aa101a3c7f

SHA256
29bf88f94ffab5559b5af5a9db05cfdbe2beeb81301f1e64e851cfa925c930ac

SHA512
b3b11f8e5b495c873a8afa58fdc2f2fef7e7d610a50516fb701dab1197ac11a63e5f857f9b6ecf1a9b33fdf0d875ecf59695be83ff35afcbc23f8293d068e8fa

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_WINDOWS.EXE
MD5
568e6a074378730cee0947c4c796372d

SHA1
7688894728b8207756f52384798e394de8d54070

SHA256
2f990b69464dab55b2ebc8f6a302fe09e5767844b4afb71b43a20a6c2ea48d8d

SHA512
250a1215fd28e4cd5f6da3e72b42a88f93664d4a2484d29f6141a81ef4968872b86379fb54aaf2e645d46ef8c881e43d1c32392dc3f7c381a86c252d7bdb2730

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_WINDOWS.EXE
MD5
568e6a074378730cee0947c4c796372d

SHA1
7688894728b8207756f52384798e394de8d54070

SHA256
2f990b69464dab55b2ebc8f6a302fe09e5767844b4afb71b43a20a6c2ea48d8d

SHA512
250a1215fd28e4cd5f6da3e72b42a88f93664d4a2484d29f6141a81ef4968872b86379fb54aaf2e645d46ef8c881e43d1c32392dc3f7c381a86c252d7bdb2730

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_WINDOWS.EXE
MD5
568e6a074378730cee0947c4c796372d

SHA1
7688894728b8207756f52384798e394de8d54070

SHA256
2f990b69464dab55b2ebc8f6a302fe09e5767844b4afb71b43a20a6c2ea48d8d

SHA512
250a1215fd28e4cd5f6da3e72b42a88f93664d4a2484d29f6141a81ef4968872b86379fb54aaf2e645d46ef8c881e43d1c32392dc3f7c381a86c252d7bdb2730

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_WINDOWS.EXE
MD5
568e6a074378730cee0947c4c796372d

SHA1
7688894728b8207756f52384798e394de8d54070

SHA256
2f990b69464dab55b2ebc8f6a302fe09e5767844b4afb71b43a20a6c2ea48d8d

SHA512
250a1215fd28e4cd5f6da3e72b42a88f93664d4a2484d29f6141a81ef4968872b86379fb54aaf2e645d46ef8c881e43d1c32392dc3f7c381a86c252d7bdb2730

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_WINDOWS.EXE
MD5
568e6a074378730cee0947c4c796372d

SHA1
7688894728b8207756f52384798e394de8d54070

SHA256
2f990b69464dab55b2ebc8f6a302fe09e5767844b4afb71b43a20a6c2ea48d8d

SHA512
250a1215fd28e4cd5f6da3e72b42a88f93664d4a2484d29f6141a81ef4968872b86379fb54aaf2e645d46ef8c881e43d1c32392dc3f7c381a86c252d7bdb2730

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_WINDOWS.EXE
MD5
568e6a074378730cee0947c4c796372d

SHA1
7688894728b8207756f52384798e394de8d54070

SHA256
2f990b69464dab55b2ebc8f6a302fe09e5767844b4afb71b43a20a6c2ea48d8d

SHA512
250a1215fd28e4cd5f6da3e72b42a88f93664d4a2484d29f6141a81ef4968872b86379fb54aaf2e645d46ef8c881e43d1c32392dc3f7c381a86c252d7bdb2730

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_WINDOWS.EXE
MD5
568e6a074378730cee0947c4c796372d

SHA1
7688894728b8207756f52384798e394de8d54070

SHA256
2f990b69464dab55b2ebc8f6a302fe09e5767844b4afb71b43a20a6c2ea48d8d

SHA512
250a1215fd28e4cd5f6da3e72b42a88f93664d4a2484d29f6141a81ef4968872b86379fb54aaf2e645d46ef8c881e43d1c32392dc3f7c381a86c252d7bdb2730

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_WINDOWS.EXE
MD5
568e6a074378730cee0947c4c796372d

SHA1
7688894728b8207756f52384798e394de8d54070

SHA256
2f990b69464dab55b2ebc8f6a302fe09e5767844b4afb71b43a20a6c2ea48d8d

SHA512
250a1215fd28e4cd5f6da3e72b42a88f93664d4a2484d29f6141a81ef4968872b86379fb54aaf2e645d46ef8c881e43d1c32392dc3f7c381a86c252d7bdb2730

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_bff363a92ac43ff249652a83dadc02ab.exe
MD5
3a5072a9a5dc35dfb99a59f67c3dc6c0

SHA1
335398bb44927ddb18905221c52a89aa101a3c7f

SHA256
29bf88f94ffab5559b5af5a9db05cfdbe2beeb81301f1e64e851cfa925c930ac

SHA512
b3b11f8e5b495c873a8afa58fdc2f2fef7e7d610a50516fb701dab1197ac11a63e5f857f9b6ecf1a9b33fdf0d875ecf59695be83ff35afcbc23f8293d068e8fa

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_bff363a92ac43ff249652a83dadc02ab.exe
MD5
3a5072a9a5dc35dfb99a59f67c3dc6c0

SHA1
335398bb44927ddb18905221c52a89aa101a3c7f

SHA256
29bf88f94ffab5559b5af5a9db05cfdbe2beeb81301f1e64e851cfa925c930ac

SHA512
b3b11f8e5b495c873a8afa58fdc2f2fef7e7d610a50516fb701dab1197ac11a63e5f857f9b6ecf1a9b33fdf0d875ecf59695be83ff35afcbc23f8293d068e8fa

Download Submit
\Users\Admin\AppData\Local\Temp\SYSTEM32.EXE
MD5
807474fc253612359dc697e331f01b43

SHA1
d998bcdf573eb66781bbe931b2ca8b35492908ce

SHA256
1e2b305d0a5ce914591f712fe0b53be279d0ec8e598cec95fa6cfdc6cb94c4b5

SHA512
c2916e62d8b7b0ad214d57e2dc0dd5b0f910e06f2d070e0390612fd33c2ee416f252fba4fe3f523114acc14924bcfda105a9b4379ad443f1010bb29010b83adf

Download Submit
\Users\Admin\AppData\Local\Temp\SYSTEM32.EXE
MD5
807474fc253612359dc697e331f01b43

SHA1
d998bcdf573eb66781bbe931b2ca8b35492908ce

SHA256
1e2b305d0a5ce914591f712fe0b53be279d0ec8e598cec95fa6cfdc6cb94c4b5

SHA512
c2916e62d8b7b0ad214d57e2dc0dd5b0f910e06f2d070e0390612fd33c2ee416f252fba4fe3f523114acc14924bcfda105a9b4379ad443f1010bb29010b83adf

Download Submit
\Users\Admin\AppData\Local\Temp\SYSTEM32.EXE
MD5
807474fc253612359dc697e331f01b43

SHA1
d998bcdf573eb66781bbe931b2ca8b35492908ce

SHA256
1e2b305d0a5ce914591f712fe0b53be279d0ec8e598cec95fa6cfdc6cb94c4b5

SHA512
c2916e62d8b7b0ad214d57e2dc0dd5b0f910e06f2d070e0390612fd33c2ee416f252fba4fe3f523114acc14924bcfda105a9b4379ad443f1010bb29010b83adf

Download Submit
\Users\Admin\AppData\Local\Temp\WINDOWS.EXE
MD5
6278f321b0b9c85a0df4e485a8de7993

SHA1
48fe65a144aee7a9b437d7c8ae9bd5bfe5409d81

SHA256
4dc8cc4ecd4d173a024c221c61f282028bd03967c631ec6827544a36d036952a

SHA512
fdba000c5ab7ba6aaa4e2f94f248003d3505206b3b23aa03565bf0c36fa4c4a7654498a5002a979cb9d042e9f216fdfff21ecb4cb57883a0b2b35b020cdfeb6d

Download Submit
\Users\Admin\AppData\Local\Temp\WINDOWS.EXE
MD5
6278f321b0b9c85a0df4e485a8de7993

SHA1
48fe65a144aee7a9b437d7c8ae9bd5bfe5409d81

SHA256
4dc8cc4ecd4d173a024c221c61f282028bd03967c631ec6827544a36d036952a

SHA512
fdba000c5ab7ba6aaa4e2f94f248003d3505206b3b23aa03565bf0c36fa4c4a7654498a5002a979cb9d042e9f216fdfff21ecb4cb57883a0b2b35b020cdfeb6d

Download Submit
\Users\Admin\AppData\Local\Temp\WINDOWS.EXE
MD5
6278f321b0b9c85a0df4e485a8de7993

SHA1
48fe65a144aee7a9b437d7c8ae9bd5bfe5409d81

SHA256
4dc8cc4ecd4d173a024c221c61f282028bd03967c631ec6827544a36d036952a

SHA512
fdba000c5ab7ba6aaa4e2f94f248003d3505206b3b23aa03565bf0c36fa4c4a7654498a5002a979cb9d042e9f216fdfff21ecb4cb57883a0b2b35b020cdfeb6d

Download Submit
\Users\Admin\AppData\Local\Temp\WINDOWS.EXE
MD5
6278f321b0b9c85a0df4e485a8de7993

SHA1
48fe65a144aee7a9b437d7c8ae9bd5bfe5409d81

SHA256
4dc8cc4ecd4d173a024c221c61f282028bd03967c631ec6827544a36d036952a

SHA512
fdba000c5ab7ba6aaa4e2f94f248003d3505206b3b23aa03565bf0c36fa4c4a7654498a5002a979cb9d042e9f216fdfff21ecb4cb57883a0b2b35b020cdfeb6d

Download Submit
\Users\Admin\AppData\Local\Temp\WINDOWS.EXE
MD5
6278f321b0b9c85a0df4e485a8de7993

SHA1
48fe65a144aee7a9b437d7c8ae9bd5bfe5409d81

SHA256
4dc8cc4ecd4d173a024c221c61f282028bd03967c631ec6827544a36d036952a

SHA512
fdba000c5ab7ba6aaa4e2f94f248003d3505206b3b23aa03565bf0c36fa4c4a7654498a5002a979cb9d042e9f216fdfff21ecb4cb57883a0b2b35b020cdfeb6d

Download Submit
\Users\Admin\AppData\Local\Temp\WINDOWS.EXE
MD5
6278f321b0b9c85a0df4e485a8de7993

SHA1
48fe65a144aee7a9b437d7c8ae9bd5bfe5409d81

SHA256
4dc8cc4ecd4d173a024c221c61f282028bd03967c631ec6827544a36d036952a

SHA512
fdba000c5ab7ba6aaa4e2f94f248003d3505206b3b23aa03565bf0c36fa4c4a7654498a5002a979cb9d042e9f216fdfff21ecb4cb57883a0b2b35b020cdfeb6d

Download Submit
\Users\Admin\AppData\Local\Temp\WINDOWS.EXE
MD5
6278f321b0b9c85a0df4e485a8de7993

SHA1
48fe65a144aee7a9b437d7c8ae9bd5bfe5409d81

SHA256
4dc8cc4ecd4d173a024c221c61f282028bd03967c631ec6827544a36d036952a

SHA512
fdba000c5ab7ba6aaa4e2f94f248003d3505206b3b23aa03565bf0c36fa4c4a7654498a5002a979cb9d042e9f216fdfff21ecb4cb57883a0b2b35b020cdfeb6d

Download Submit
\Users\Admin\AppData\Local\Temp\WINDOWS.EXE
MD5
6278f321b0b9c85a0df4e485a8de7993

SHA1
48fe65a144aee7a9b437d7c8ae9bd5bfe5409d81

SHA256
4dc8cc4ecd4d173a024c221c61f282028bd03967c631ec6827544a36d036952a

SHA512
fdba000c5ab7ba6aaa4e2f94f248003d3505206b3b23aa03565bf0c36fa4c4a7654498a5002a979cb9d042e9f216fdfff21ecb4cb57883a0b2b35b020cdfeb6d

Download Submit
\Users\Admin\AppData\Local\Temp\WINDOWS.EXE
MD5
6278f321b0b9c85a0df4e485a8de7993

SHA1
48fe65a144aee7a9b437d7c8ae9bd5bfe5409d81

SHA256
4dc8cc4ecd4d173a024c221c61f282028bd03967c631ec6827544a36d036952a

SHA512
fdba000c5ab7ba6aaa4e2f94f248003d3505206b3b23aa03565bf0c36fa4c4a7654498a5002a979cb9d042e9f216fdfff21ecb4cb57883a0b2b35b020cdfeb6d

Download Submit
memory/336-59-0x0000000000400000-0x00000000005CB000-memory.dmp

Filesize
1.8MB

Download
memory/336-60-0x0000000000400000-0x00000000005CB000-memory.dmp

Filesize
1.8MB

Download
memory/336-63-0x0000000000400000-0x00000000005CB000-memory.dmp

Filesize
1.8MB

Download
memory/336-64-0x0000000000400000-0x00000000005CB000-memory.dmp

Filesize
1.8MB

Download
memory/336-65-0x0000000000400000-0x00000000005CB000-memory.dmp

Filesize
1.8MB

Download
memory/336-62-0x0000000000400000-0x00000000005CB000-memory.dmp

Filesize
1.8MB

Download
memory/336-67-0x0000000000400000-0x00000000005CB000-memory.dmp

Filesize
1.8MB

Download
memory/336-61-0x0000000000400000-0x00000000005CB000-memory.dmp

Filesize
1.8MB

Download
memory/336-58-0x0000000000400000-0x00000000005CB000-memory.dmp

Filesize
1.8MB

Download
memory/336-68-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/808-98-0x0000000000EA0000-0x0000000000EA1000-memory.dmp

Filesize
4KB

Download
memory/864-171-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/864-170-0x000000006A1A1000-0x000000006A1A3000-memory.dmp

Filesize
8KB

Download
memory/864-169-0x000000002FFF1000-0x000000002FFF4000-memory.dmp

Filesize
12KB

Download
memory/992-167-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/1068-81-0x00000000013E0000-0x00000000013F2000-memory.dmp

Filesize
72KB

Download
memory/1068-102-0x0000000001270000-0x0000000001271000-memory.dmp

Filesize
4KB

Download
memory/1116-97-0x0000000004E70000-0x0000000004E71000-memory.dmp

Filesize
4KB

Download
memory/1140-137-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/1396-120-0x00000000000F0000-0x00000000000F1000-memory.dmp

Filesize
4KB

Download
memory/1396-119-0x0000000000400000-0x00000000005CB000-memory.dmp

Filesize
1.8MB

Download
memory/1500-152-0x0000000000400000-0x00000000005CB000-memory.dmp

Filesize
1.8MB

Download
memory/1528-175-0x0000000000DC0000-0x0000000000DC1000-memory.dmp

Filesize
4KB

Download
memory/1572-87-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/1624-168-0x00000000012E0000-0x00000000012E1000-memory.dmp

Filesize
4KB

Download
memory/1640-57-0x0000000005440000-0x000000000560E000-memory.dmp

Filesize
1.8MB

Download
memory/1640-56-0x00000000050A0000-0x00000000050A1000-memory.dmp

Filesize
4KB

Download
memory/1640-54-0x0000000000BD0000-0x0000000000DD2000-memory.dmp

Filesize
2.0MB

Download
memory/1640-55-0x0000000075431000-0x0000000075433000-memory.dmp

Filesize
8KB

Download
memory/2012-86-0x0000000004A70000-0x0000000004A71000-memory.dmp

Filesize
4KB

Download
memory/2012-76-0x0000000000D50000-0x0000000000F52000-memory.dmp

Filesize
2.0MB

Download