asyncrat | d054e33de2d63966c68b44dd1d1de8a9b7abb76781100fe82423c80e112d4580

Analysis

max time kernel
153s
max time network
156s
platform
windows10_x64
resource
win10-en-20211208
submitted
26-01-2022 01:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bff363a92ac43ff249652a83dadc02ab.exe
Size

2.0MB
MD5

bff363a92ac43ff249652a83dadc02ab
SHA1

3c7b47a3f4dc3c8555b656505244886cb3a172f5
SHA256

d054e33de2d63966c68b44dd1d1de8a9b7abb76781100fe82423c80e112d4580
SHA512

8ceef643926251a6d6b5ffee6e662b68580992117d98dbd24ccfde5cdad429ce4719a92c63f470c2857272330c9f3a4a2d7f175a6300d6b1833a387f4b841d29

Score

10^/10

asyncrat nanocore evasion keylogger macro persistence rat spyware stealer suricata trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

chivalrous-condition.auto.playit.gg:53811

127.0.0.1:53811

Mutex

fd5fd13e-0f57-4bfb-84a4-034a7f99c7fe

Attributes

activate_away_mode
true
backup_connection_host
127.0.0.1
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2021-10-27T11:20:06.412816736Z
bypass_user_account_control
false
bypass_user_account_control_data
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
53811
default_group
Default
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
fd5fd13e-0f57-4bfb-84a4-034a7f99c7fe
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
chivalrous-condition.auto.playit.gg
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat
NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
suricata: ET MALWARE Possible NanoCore C2 60B
suricata: ET MALWARE Possible NanoCore C2 60B
suricata

Async RAT payload 17 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/2188-123-0x0000000000400000-0x00000000005CB000-memory.dmp	asyncrat
behavioral2/memory/2188-124-0x0000000000400000-0x00000000005CB000-memory.dmp	asyncrat
C:\Users\Admin\AppData\Local\Temp\._cache_bff363a92ac43ff249652a83dadc02ab.exe	asyncrat
C:\Users\Admin\AppData\Local\Temp\._cache_bff363a92ac43ff249652a83dadc02ab.exe	asyncrat
C:\Users\Admin\AppData\Local\Temp\SYSTEM32.EXE	asyncrat
C:\Users\Admin\AppData\Local\Temp\SYSTEM32.EXE	asyncrat
behavioral2/memory/372-132-0x0000000000A80000-0x0000000000A92000-memory.dmp	asyncrat
behavioral2/memory/604-135-0x00000000056A0000-0x0000000005B9E000-memory.dmp	asyncrat
behavioral2/memory/2932-150-0x0000000000400000-0x00000000005CB000-memory.dmp	asyncrat
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe	asyncrat
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe	asyncrat
C:\Users\Admin\AppData\Local\Temp\SYSTEM32.EXE	asyncrat
\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe	asyncrat
\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe	asyncrat
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe	asyncrat
behavioral2/memory/3228-166-0x0000000000400000-0x00000000005CB000-memory.dmp	asyncrat
C:\Users\Admin\AppData\Local\Temp\SYSTEM32.EXE	asyncrat

Executes dropped EXE 19 IoCs

Processes:

._cache_bff363a92ac43ff249652a83dadc02ab.exeSynaptics.exeSYSTEM32.EXEWINDOWS.EXE._cache_WINDOWS.EXESynaptics.exeSynaptics.exeSynaptics.exeSynaptics.exeSynaptics.exe._cache_Synaptics.exeSYSTEM32.EXEWINDOWS.EXESynaptics.exe._cache_WINDOWS.EXE._cache_Synaptics.exeSYSTEM32.EXEWINDOWS.EXE._cache_WINDOWS.EXE

pid	process
1768	._cache_bff363a92ac43ff249652a83dadc02ab.exe
604	Synaptics.exe
372	SYSTEM32.EXE
440	WINDOWS.EXE
1240	._cache_WINDOWS.EXE
1072	Synaptics.exe
3488	Synaptics.exe
2316	Synaptics.exe
3240	Synaptics.exe
2932	Synaptics.exe
3176	._cache_Synaptics.exe
3012	SYSTEM32.EXE
3156	WINDOWS.EXE
3228	Synaptics.exe
1868	._cache_WINDOWS.EXE
1288	._cache_Synaptics.exe
1300	SYSTEM32.EXE
912	WINDOWS.EXE
1320	._cache_WINDOWS.EXE

Suspicious Office macro 1 IoCs

Office document equipped with macros.

macro

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\cgy1ZfdE.xlsm	office_macros

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINDOWS.EXEbff363a92ac43ff249652a83dadc02ab.exeWINDOWS.EXESynaptics.exeWINDOWS.EXESynaptics.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Control Panel\International\Geo\Nation	WINDOWS.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Control Panel\International\Geo\Nation	bff363a92ac43ff249652a83dadc02ab.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Control Panel\International\Geo\Nation	WINDOWS.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Control Panel\International\Geo\Nation	Synaptics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Control Panel\International\Geo\Nation	WINDOWS.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Control Panel\International\Geo\Nation	Synaptics.exe

Loads dropped DLL 6 IoCs

Processes:

WINDOWS.EXESynaptics.exeWINDOWS.EXE

pid process

3156 WINDOWS.EXE
3156 WINDOWS.EXE
3228 Synaptics.exe
3228 Synaptics.exe
912 WINDOWS.EXE
912 WINDOWS.EXE

pid	process
3156	WINDOWS.EXE
3156	WINDOWS.EXE
3228	Synaptics.exe
3228	Synaptics.exe
912	WINDOWS.EXE
912	WINDOWS.EXE

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

bff363a92ac43ff249652a83dadc02ab.exeWINDOWS.EXE._cache_WINDOWS.EXE

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	bff363a92ac43ff249652a83dadc02ab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	WINDOWS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\NAT Service = "C:\\Program Files (x86)\\NAT Service\\natsv.exe"	._cache_WINDOWS.EXE

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

._cache_WINDOWS.EXE

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ._cache_WINDOWS.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	._cache_WINDOWS.EXE

Suspicious use of SetThreadContext 3 IoCs

Processes:

bff363a92ac43ff249652a83dadc02ab.exeSynaptics.exeSynaptics.exe

description	pid	process	target process
PID 2760 set thread context of 2188	2760	bff363a92ac43ff249652a83dadc02ab.exe	bff363a92ac43ff249652a83dadc02ab.exe
PID 604 set thread context of 2932	604	Synaptics.exe	Synaptics.exe
PID 1072 set thread context of 3228	1072	Synaptics.exe	Synaptics.exe

Drops file in Program Files directory 2 IoCs

Processes:

._cache_WINDOWS.EXE

description	ioc	process
File created	C:\Program Files (x86)\NAT Service\natsv.exe	._cache_WINDOWS.EXE
File opened for modification	C:\Program Files (x86)\NAT Service\natsv.exe	._cache_WINDOWS.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1436 schtasks.exe
1652 schtasks.exe

pid	process
1436	schtasks.exe
1652	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Modifies registry class 6 IoCs

Processes:

WINDOWS.EXEbff363a92ac43ff249652a83dadc02ab.exeWINDOWS.EXESynaptics.exeWINDOWS.EXESynaptics.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance	WINDOWS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance	bff363a92ac43ff249652a83dadc02ab.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance	WINDOWS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance	Synaptics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance	WINDOWS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance	Synaptics.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

3004 EXCEL.EXE

pid	process
3004	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 11 IoCs

Processes:

bff363a92ac43ff249652a83dadc02ab.exe._cache_WINDOWS.EXESynaptics.exe

pid	process
2760	bff363a92ac43ff249652a83dadc02ab.exe
2760	bff363a92ac43ff249652a83dadc02ab.exe
1240	._cache_WINDOWS.EXE
1240	._cache_WINDOWS.EXE
1240	._cache_WINDOWS.EXE
604	Synaptics.exe
604	Synaptics.exe
604	Synaptics.exe
604	Synaptics.exe
604	Synaptics.exe
604	Synaptics.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

._cache_WINDOWS.EXE

pid process

1240 ._cache_WINDOWS.EXE

pid	process
1240	._cache_WINDOWS.EXE

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

bff363a92ac43ff249652a83dadc02ab.exeSYSTEM32.EXE._cache_WINDOWS.EXESynaptics.exe

description	pid	process
Token: SeDebugPrivilege	2760	bff363a92ac43ff249652a83dadc02ab.exe
Token: SeDebugPrivilege	372	SYSTEM32.EXE
Token: SeDebugPrivilege	1240	._cache_WINDOWS.EXE
Token: SeDebugPrivilege	604	Synaptics.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

EXCEL.EXE

pid process

3004 EXCEL.EXE
3004 EXCEL.EXE
3004 EXCEL.EXE
3004 EXCEL.EXE

pid	process
3004	EXCEL.EXE
3004	EXCEL.EXE
3004	EXCEL.EXE
3004	EXCEL.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

bff363a92ac43ff249652a83dadc02ab.exebff363a92ac43ff249652a83dadc02ab.exe._cache_bff363a92ac43ff249652a83dadc02ab.exeWINDOWS.EXE._cache_WINDOWS.EXESynaptics.exeSynaptics.exe._cache_Synaptics.exe

description	pid	process	target process
PID 2760 wrote to memory of 2296	2760	bff363a92ac43ff249652a83dadc02ab.exe	bff363a92ac43ff249652a83dadc02ab.exe
PID 2760 wrote to memory of 2296	2760	bff363a92ac43ff249652a83dadc02ab.exe	bff363a92ac43ff249652a83dadc02ab.exe
PID 2760 wrote to memory of 2296	2760	bff363a92ac43ff249652a83dadc02ab.exe	bff363a92ac43ff249652a83dadc02ab.exe
PID 2760 wrote to memory of 2188	2760	bff363a92ac43ff249652a83dadc02ab.exe	bff363a92ac43ff249652a83dadc02ab.exe
PID 2760 wrote to memory of 2188	2760	bff363a92ac43ff249652a83dadc02ab.exe	bff363a92ac43ff249652a83dadc02ab.exe
PID 2760 wrote to memory of 2188	2760	bff363a92ac43ff249652a83dadc02ab.exe	bff363a92ac43ff249652a83dadc02ab.exe
PID 2760 wrote to memory of 2188	2760	bff363a92ac43ff249652a83dadc02ab.exe	bff363a92ac43ff249652a83dadc02ab.exe
PID 2760 wrote to memory of 2188	2760	bff363a92ac43ff249652a83dadc02ab.exe	bff363a92ac43ff249652a83dadc02ab.exe
PID 2760 wrote to memory of 2188	2760	bff363a92ac43ff249652a83dadc02ab.exe	bff363a92ac43ff249652a83dadc02ab.exe
PID 2760 wrote to memory of 2188	2760	bff363a92ac43ff249652a83dadc02ab.exe	bff363a92ac43ff249652a83dadc02ab.exe
PID 2760 wrote to memory of 2188	2760	bff363a92ac43ff249652a83dadc02ab.exe	bff363a92ac43ff249652a83dadc02ab.exe
PID 2760 wrote to memory of 2188	2760	bff363a92ac43ff249652a83dadc02ab.exe	bff363a92ac43ff249652a83dadc02ab.exe
PID 2760 wrote to memory of 2188	2760	bff363a92ac43ff249652a83dadc02ab.exe	bff363a92ac43ff249652a83dadc02ab.exe
PID 2760 wrote to memory of 2188	2760	bff363a92ac43ff249652a83dadc02ab.exe	bff363a92ac43ff249652a83dadc02ab.exe
PID 2188 wrote to memory of 1768	2188	bff363a92ac43ff249652a83dadc02ab.exe	._cache_bff363a92ac43ff249652a83dadc02ab.exe
PID 2188 wrote to memory of 1768	2188	bff363a92ac43ff249652a83dadc02ab.exe	._cache_bff363a92ac43ff249652a83dadc02ab.exe
PID 2188 wrote to memory of 1768	2188	bff363a92ac43ff249652a83dadc02ab.exe	._cache_bff363a92ac43ff249652a83dadc02ab.exe
PID 2188 wrote to memory of 604	2188	bff363a92ac43ff249652a83dadc02ab.exe	Synaptics.exe
PID 2188 wrote to memory of 604	2188	bff363a92ac43ff249652a83dadc02ab.exe	Synaptics.exe
PID 2188 wrote to memory of 604	2188	bff363a92ac43ff249652a83dadc02ab.exe	Synaptics.exe
PID 1768 wrote to memory of 372	1768	._cache_bff363a92ac43ff249652a83dadc02ab.exe	SYSTEM32.EXE
PID 1768 wrote to memory of 372	1768	._cache_bff363a92ac43ff249652a83dadc02ab.exe	SYSTEM32.EXE
PID 1768 wrote to memory of 372	1768	._cache_bff363a92ac43ff249652a83dadc02ab.exe	SYSTEM32.EXE
PID 1768 wrote to memory of 440	1768	._cache_bff363a92ac43ff249652a83dadc02ab.exe	WINDOWS.EXE
PID 1768 wrote to memory of 440	1768	._cache_bff363a92ac43ff249652a83dadc02ab.exe	WINDOWS.EXE
PID 1768 wrote to memory of 440	1768	._cache_bff363a92ac43ff249652a83dadc02ab.exe	WINDOWS.EXE
PID 440 wrote to memory of 1240	440	WINDOWS.EXE	._cache_WINDOWS.EXE
PID 440 wrote to memory of 1240	440	WINDOWS.EXE	._cache_WINDOWS.EXE
PID 440 wrote to memory of 1240	440	WINDOWS.EXE	._cache_WINDOWS.EXE
PID 440 wrote to memory of 1072	440	WINDOWS.EXE	Synaptics.exe
PID 440 wrote to memory of 1072	440	WINDOWS.EXE	Synaptics.exe
PID 440 wrote to memory of 1072	440	WINDOWS.EXE	Synaptics.exe
PID 1240 wrote to memory of 1436	1240	._cache_WINDOWS.EXE	schtasks.exe
PID 1240 wrote to memory of 1436	1240	._cache_WINDOWS.EXE	schtasks.exe
PID 1240 wrote to memory of 1436	1240	._cache_WINDOWS.EXE	schtasks.exe
PID 1240 wrote to memory of 1652	1240	._cache_WINDOWS.EXE	schtasks.exe
PID 1240 wrote to memory of 1652	1240	._cache_WINDOWS.EXE	schtasks.exe
PID 1240 wrote to memory of 1652	1240	._cache_WINDOWS.EXE	schtasks.exe
PID 604 wrote to memory of 3488	604	Synaptics.exe	Synaptics.exe
PID 604 wrote to memory of 3488	604	Synaptics.exe	Synaptics.exe
PID 604 wrote to memory of 3488	604	Synaptics.exe	Synaptics.exe
PID 604 wrote to memory of 2316	604	Synaptics.exe	Synaptics.exe
PID 604 wrote to memory of 2316	604	Synaptics.exe	Synaptics.exe
PID 604 wrote to memory of 2316	604	Synaptics.exe	Synaptics.exe
PID 604 wrote to memory of 3240	604	Synaptics.exe	Synaptics.exe
PID 604 wrote to memory of 3240	604	Synaptics.exe	Synaptics.exe
PID 604 wrote to memory of 3240	604	Synaptics.exe	Synaptics.exe
PID 604 wrote to memory of 2932	604	Synaptics.exe	Synaptics.exe
PID 604 wrote to memory of 2932	604	Synaptics.exe	Synaptics.exe
PID 604 wrote to memory of 2932	604	Synaptics.exe	Synaptics.exe
PID 604 wrote to memory of 2932	604	Synaptics.exe	Synaptics.exe
PID 604 wrote to memory of 2932	604	Synaptics.exe	Synaptics.exe
PID 604 wrote to memory of 2932	604	Synaptics.exe	Synaptics.exe
PID 604 wrote to memory of 2932	604	Synaptics.exe	Synaptics.exe
PID 604 wrote to memory of 2932	604	Synaptics.exe	Synaptics.exe
PID 604 wrote to memory of 2932	604	Synaptics.exe	Synaptics.exe
PID 604 wrote to memory of 2932	604	Synaptics.exe	Synaptics.exe
PID 604 wrote to memory of 2932	604	Synaptics.exe	Synaptics.exe
PID 2932 wrote to memory of 3176	2932	Synaptics.exe	._cache_Synaptics.exe
PID 2932 wrote to memory of 3176	2932	Synaptics.exe	._cache_Synaptics.exe
PID 2932 wrote to memory of 3176	2932	Synaptics.exe	._cache_Synaptics.exe
PID 3176 wrote to memory of 3012	3176	._cache_Synaptics.exe	SYSTEM32.EXE
PID 3176 wrote to memory of 3012	3176	._cache_Synaptics.exe	SYSTEM32.EXE
PID 3176 wrote to memory of 3012	3176	._cache_Synaptics.exe	SYSTEM32.EXE

C:\Users\Admin\AppData\Local\Temp\bff363a92ac43ff249652a83dadc02ab.exe
"C:\Users\Admin\AppData\Local\Temp\bff363a92ac43ff249652a83dadc02ab.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2760

C:\Users\Admin\AppData\Local\Temp\bff363a92ac43ff249652a83dadc02ab.exe
"C:\Users\Admin\AppData\Local\Temp\bff363a92ac43ff249652a83dadc02ab.exe"
2⤵
PID:2296

C:\Users\Admin\AppData\Local\Temp\bff363a92ac43ff249652a83dadc02ab.exe
"C:\Users\Admin\AppData\Local\Temp\bff363a92ac43ff249652a83dadc02ab.exe"
2⤵
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2188

C:\Users\Admin\AppData\Local\Temp\._cache_bff363a92ac43ff249652a83dadc02ab.exe
"C:\Users\Admin\AppData\Local\Temp\._cache_bff363a92ac43ff249652a83dadc02ab.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1768

C:\Users\Admin\AppData\Local\Temp\SYSTEM32.EXE
"C:\Users\Admin\AppData\Local\Temp\SYSTEM32.EXE"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:372

C:\Users\Admin\AppData\Local\Temp\WINDOWS.EXE
"C:\Users\Admin\AppData\Local\Temp\WINDOWS.EXE"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:440

C:\Users\Admin\AppData\Local\Temp\._cache_WINDOWS.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache_WINDOWS.EXE"
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1240

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "NAT Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmpFD38.tmp"
6⤵
- Creates scheduled task(s)
PID:1436

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "NAT Service Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpFFAA.tmp"
6⤵
- Creates scheduled task(s)
PID:1652

C:\ProgramData\Synaptics\Synaptics.exe
"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1072

C:\ProgramData\Synaptics\Synaptics.exe
"C:\ProgramData\Synaptics\Synaptics.exe"
6⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Modifies registry class
PID:3228

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe"
7⤵
- Executes dropped EXE
PID:1288

C:\Users\Admin\AppData\Local\Temp\SYSTEM32.EXE
"C:\Users\Admin\AppData\Local\Temp\SYSTEM32.EXE"
8⤵
- Executes dropped EXE
PID:1300

C:\Users\Admin\AppData\Local\Temp\WINDOWS.EXE
"C:\Users\Admin\AppData\Local\Temp\WINDOWS.EXE"
8⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Modifies registry class
PID:912

C:\Users\Admin\AppData\Local\Temp\._cache_WINDOWS.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache_WINDOWS.EXE"
9⤵
- Executes dropped EXE
PID:1320

C:\ProgramData\Synaptics\Synaptics.exe
"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:604

C:\ProgramData\Synaptics\Synaptics.exe
"C:\ProgramData\Synaptics\Synaptics.exe"
4⤵
- Executes dropped EXE
PID:3488

C:\ProgramData\Synaptics\Synaptics.exe
"C:\ProgramData\Synaptics\Synaptics.exe"
4⤵
- Executes dropped EXE
PID:2316

C:\ProgramData\Synaptics\Synaptics.exe
"C:\ProgramData\Synaptics\Synaptics.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2932

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe"
5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3176

C:\Users\Admin\AppData\Local\Temp\SYSTEM32.EXE
"C:\Users\Admin\AppData\Local\Temp\SYSTEM32.EXE"
6⤵
- Executes dropped EXE
PID:3012

C:\Users\Admin\AppData\Local\Temp\WINDOWS.EXE
"C:\Users\Admin\AppData\Local\Temp\WINDOWS.EXE"
6⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Modifies registry class
PID:3156

C:\Users\Admin\AppData\Local\Temp\._cache_WINDOWS.EXE
"C:\Users\Admin\AppData\Local\Temp\._cache_WINDOWS.EXE"
7⤵
- Executes dropped EXE
PID:1868

C:\ProgramData\Synaptics\Synaptics.exe
"C:\ProgramData\Synaptics\Synaptics.exe"
4⤵
- Executes dropped EXE
PID:3240

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3004

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe
MD5
bff363a92ac43ff249652a83dadc02ab

SHA1
3c7b47a3f4dc3c8555b656505244886cb3a172f5

SHA256
d054e33de2d63966c68b44dd1d1de8a9b7abb76781100fe82423c80e112d4580

SHA512
8ceef643926251a6d6b5ffee6e662b68580992117d98dbd24ccfde5cdad429ce4719a92c63f470c2857272330c9f3a4a2d7f175a6300d6b1833a387f4b841d29

Download Submit
C:\ProgramData\Synaptics\Synaptics.exe
MD5
bff363a92ac43ff249652a83dadc02ab

SHA1
3c7b47a3f4dc3c8555b656505244886cb3a172f5

SHA256
d054e33de2d63966c68b44dd1d1de8a9b7abb76781100fe82423c80e112d4580

SHA512
8ceef643926251a6d6b5ffee6e662b68580992117d98dbd24ccfde5cdad429ce4719a92c63f470c2857272330c9f3a4a2d7f175a6300d6b1833a387f4b841d29

Download Submit
C:\ProgramData\Synaptics\Synaptics.exe
MD5
bff363a92ac43ff249652a83dadc02ab

SHA1
3c7b47a3f4dc3c8555b656505244886cb3a172f5

SHA256
d054e33de2d63966c68b44dd1d1de8a9b7abb76781100fe82423c80e112d4580

SHA512
8ceef643926251a6d6b5ffee6e662b68580992117d98dbd24ccfde5cdad429ce4719a92c63f470c2857272330c9f3a4a2d7f175a6300d6b1833a387f4b841d29

Download Submit
C:\ProgramData\Synaptics\Synaptics.exe
MD5
bff363a92ac43ff249652a83dadc02ab

SHA1
3c7b47a3f4dc3c8555b656505244886cb3a172f5

SHA256
d054e33de2d63966c68b44dd1d1de8a9b7abb76781100fe82423c80e112d4580

SHA512
8ceef643926251a6d6b5ffee6e662b68580992117d98dbd24ccfde5cdad429ce4719a92c63f470c2857272330c9f3a4a2d7f175a6300d6b1833a387f4b841d29

Download Submit
C:\ProgramData\Synaptics\Synaptics.exe
MD5
bff363a92ac43ff249652a83dadc02ab

SHA1
3c7b47a3f4dc3c8555b656505244886cb3a172f5

SHA256
d054e33de2d63966c68b44dd1d1de8a9b7abb76781100fe82423c80e112d4580

SHA512
8ceef643926251a6d6b5ffee6e662b68580992117d98dbd24ccfde5cdad429ce4719a92c63f470c2857272330c9f3a4a2d7f175a6300d6b1833a387f4b841d29

Download Submit
C:\ProgramData\Synaptics\Synaptics.exe
MD5
bff363a92ac43ff249652a83dadc02ab

SHA1
3c7b47a3f4dc3c8555b656505244886cb3a172f5

SHA256
d054e33de2d63966c68b44dd1d1de8a9b7abb76781100fe82423c80e112d4580

SHA512
8ceef643926251a6d6b5ffee6e662b68580992117d98dbd24ccfde5cdad429ce4719a92c63f470c2857272330c9f3a4a2d7f175a6300d6b1833a387f4b841d29

Download Submit
C:\ProgramData\Synaptics\Synaptics.exe
MD5
bff363a92ac43ff249652a83dadc02ab

SHA1
3c7b47a3f4dc3c8555b656505244886cb3a172f5

SHA256
d054e33de2d63966c68b44dd1d1de8a9b7abb76781100fe82423c80e112d4580

SHA512
8ceef643926251a6d6b5ffee6e662b68580992117d98dbd24ccfde5cdad429ce4719a92c63f470c2857272330c9f3a4a2d7f175a6300d6b1833a387f4b841d29

Download Submit
C:\ProgramData\Synaptics\Synaptics.exe
MD5
bff363a92ac43ff249652a83dadc02ab

SHA1
3c7b47a3f4dc3c8555b656505244886cb3a172f5

SHA256
d054e33de2d63966c68b44dd1d1de8a9b7abb76781100fe82423c80e112d4580

SHA512
8ceef643926251a6d6b5ffee6e662b68580992117d98dbd24ccfde5cdad429ce4719a92c63f470c2857272330c9f3a4a2d7f175a6300d6b1833a387f4b841d29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\._cache_WINDOWS.EXE.log
MD5
2004111a6d19b415cfdebc8238bd4f57

SHA1
413d4838d93a9136bbeea358a8ab519f47d003a6

SHA256
5ffdbafa2c3fd1dbe9aff106cc0178a16ee1d0af5ebab89f4753384eafd2ab69

SHA512
97bed46f3adace8cafe59c6616befe9c28444ac5276965478a382f2a38f3da8a849406a38dc683003f03a663c7b9dd03e4e52b9605455a9accae7177f49e1d5e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SYSTEM32.EXE.log
MD5
605f809fab8c19729d39d075f7ffdb53

SHA1
c546f877c9bd53563174a90312a8337fdfc5fdd9

SHA256
6904d540649e76c55f99530b81be17e099184bb4cad415aa9b9b39cc3677f556

SHA512
82cc12c3186ae23884b8d5c104638c8206272c4389ade56b926dfc1d437b03888159b3c790b188b54d277a262e731927e703e680ea642e1417faee27443fd5b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Synaptics.exe.log
MD5
4a30a8132195c1aa1a62b78676b178d9

SHA1
506e6d99a2ba08c9d3553af30daaaa0fc46ae4be

SHA256
71636c227625058652c089035480b7bb3e5795f3998bc9823c401029fc844a20

SHA512
3272b5129525c2b8f7efb99f5a2115cf2572480ff6938ca80e63f02c52588216f861307b9ef962ba015787cae0d5a95e74ebb5fe4b35b34f1c4f3a7deac8ce09

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
MD5
3a5072a9a5dc35dfb99a59f67c3dc6c0

SHA1
335398bb44927ddb18905221c52a89aa101a3c7f

SHA256
29bf88f94ffab5559b5af5a9db05cfdbe2beeb81301f1e64e851cfa925c930ac

SHA512
b3b11f8e5b495c873a8afa58fdc2f2fef7e7d610a50516fb701dab1197ac11a63e5f857f9b6ecf1a9b33fdf0d875ecf59695be83ff35afcbc23f8293d068e8fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
MD5
3a5072a9a5dc35dfb99a59f67c3dc6c0

SHA1
335398bb44927ddb18905221c52a89aa101a3c7f

SHA256
29bf88f94ffab5559b5af5a9db05cfdbe2beeb81301f1e64e851cfa925c930ac

SHA512
b3b11f8e5b495c873a8afa58fdc2f2fef7e7d610a50516fb701dab1197ac11a63e5f857f9b6ecf1a9b33fdf0d875ecf59695be83ff35afcbc23f8293d068e8fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
MD5
3a5072a9a5dc35dfb99a59f67c3dc6c0

SHA1
335398bb44927ddb18905221c52a89aa101a3c7f

SHA256
29bf88f94ffab5559b5af5a9db05cfdbe2beeb81301f1e64e851cfa925c930ac

SHA512
b3b11f8e5b495c873a8afa58fdc2f2fef7e7d610a50516fb701dab1197ac11a63e5f857f9b6ecf1a9b33fdf0d875ecf59695be83ff35afcbc23f8293d068e8fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_WINDOWS.EXE
MD5
568e6a074378730cee0947c4c796372d

SHA1
7688894728b8207756f52384798e394de8d54070

SHA256
2f990b69464dab55b2ebc8f6a302fe09e5767844b4afb71b43a20a6c2ea48d8d

SHA512
250a1215fd28e4cd5f6da3e72b42a88f93664d4a2484d29f6141a81ef4968872b86379fb54aaf2e645d46ef8c881e43d1c32392dc3f7c381a86c252d7bdb2730

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_WINDOWS.EXE
MD5
568e6a074378730cee0947c4c796372d

SHA1
7688894728b8207756f52384798e394de8d54070

SHA256
2f990b69464dab55b2ebc8f6a302fe09e5767844b4afb71b43a20a6c2ea48d8d

SHA512
250a1215fd28e4cd5f6da3e72b42a88f93664d4a2484d29f6141a81ef4968872b86379fb54aaf2e645d46ef8c881e43d1c32392dc3f7c381a86c252d7bdb2730

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_WINDOWS.EXE
MD5
568e6a074378730cee0947c4c796372d

SHA1
7688894728b8207756f52384798e394de8d54070

SHA256
2f990b69464dab55b2ebc8f6a302fe09e5767844b4afb71b43a20a6c2ea48d8d

SHA512
250a1215fd28e4cd5f6da3e72b42a88f93664d4a2484d29f6141a81ef4968872b86379fb54aaf2e645d46ef8c881e43d1c32392dc3f7c381a86c252d7bdb2730

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_WINDOWS.EXE
MD5
568e6a074378730cee0947c4c796372d

SHA1
7688894728b8207756f52384798e394de8d54070

SHA256
2f990b69464dab55b2ebc8f6a302fe09e5767844b4afb71b43a20a6c2ea48d8d

SHA512
250a1215fd28e4cd5f6da3e72b42a88f93664d4a2484d29f6141a81ef4968872b86379fb54aaf2e645d46ef8c881e43d1c32392dc3f7c381a86c252d7bdb2730

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_bff363a92ac43ff249652a83dadc02ab.exe
MD5
3a5072a9a5dc35dfb99a59f67c3dc6c0

SHA1
335398bb44927ddb18905221c52a89aa101a3c7f

SHA256
29bf88f94ffab5559b5af5a9db05cfdbe2beeb81301f1e64e851cfa925c930ac

SHA512
b3b11f8e5b495c873a8afa58fdc2f2fef7e7d610a50516fb701dab1197ac11a63e5f857f9b6ecf1a9b33fdf0d875ecf59695be83ff35afcbc23f8293d068e8fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_bff363a92ac43ff249652a83dadc02ab.exe
MD5
3a5072a9a5dc35dfb99a59f67c3dc6c0

SHA1
335398bb44927ddb18905221c52a89aa101a3c7f

SHA256
29bf88f94ffab5559b5af5a9db05cfdbe2beeb81301f1e64e851cfa925c930ac

SHA512
b3b11f8e5b495c873a8afa58fdc2f2fef7e7d610a50516fb701dab1197ac11a63e5f857f9b6ecf1a9b33fdf0d875ecf59695be83ff35afcbc23f8293d068e8fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\SYSTEM32.EXE
MD5
807474fc253612359dc697e331f01b43

SHA1
d998bcdf573eb66781bbe931b2ca8b35492908ce

SHA256
1e2b305d0a5ce914591f712fe0b53be279d0ec8e598cec95fa6cfdc6cb94c4b5

SHA512
c2916e62d8b7b0ad214d57e2dc0dd5b0f910e06f2d070e0390612fd33c2ee416f252fba4fe3f523114acc14924bcfda105a9b4379ad443f1010bb29010b83adf

Download Submit
C:\Users\Admin\AppData\Local\Temp\SYSTEM32.EXE
MD5
807474fc253612359dc697e331f01b43

SHA1
d998bcdf573eb66781bbe931b2ca8b35492908ce

SHA256
1e2b305d0a5ce914591f712fe0b53be279d0ec8e598cec95fa6cfdc6cb94c4b5

SHA512
c2916e62d8b7b0ad214d57e2dc0dd5b0f910e06f2d070e0390612fd33c2ee416f252fba4fe3f523114acc14924bcfda105a9b4379ad443f1010bb29010b83adf

Download Submit
C:\Users\Admin\AppData\Local\Temp\SYSTEM32.EXE
MD5
807474fc253612359dc697e331f01b43

SHA1
d998bcdf573eb66781bbe931b2ca8b35492908ce

SHA256
1e2b305d0a5ce914591f712fe0b53be279d0ec8e598cec95fa6cfdc6cb94c4b5

SHA512
c2916e62d8b7b0ad214d57e2dc0dd5b0f910e06f2d070e0390612fd33c2ee416f252fba4fe3f523114acc14924bcfda105a9b4379ad443f1010bb29010b83adf

Download Submit
C:\Users\Admin\AppData\Local\Temp\SYSTEM32.EXE
MD5
807474fc253612359dc697e331f01b43

SHA1
d998bcdf573eb66781bbe931b2ca8b35492908ce

SHA256
1e2b305d0a5ce914591f712fe0b53be279d0ec8e598cec95fa6cfdc6cb94c4b5

SHA512
c2916e62d8b7b0ad214d57e2dc0dd5b0f910e06f2d070e0390612fd33c2ee416f252fba4fe3f523114acc14924bcfda105a9b4379ad443f1010bb29010b83adf

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINDOWS.EXE
MD5
6278f321b0b9c85a0df4e485a8de7993

SHA1
48fe65a144aee7a9b437d7c8ae9bd5bfe5409d81

SHA256
4dc8cc4ecd4d173a024c221c61f282028bd03967c631ec6827544a36d036952a

SHA512
fdba000c5ab7ba6aaa4e2f94f248003d3505206b3b23aa03565bf0c36fa4c4a7654498a5002a979cb9d042e9f216fdfff21ecb4cb57883a0b2b35b020cdfeb6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINDOWS.EXE
MD5
6278f321b0b9c85a0df4e485a8de7993

SHA1
48fe65a144aee7a9b437d7c8ae9bd5bfe5409d81

SHA256
4dc8cc4ecd4d173a024c221c61f282028bd03967c631ec6827544a36d036952a

SHA512
fdba000c5ab7ba6aaa4e2f94f248003d3505206b3b23aa03565bf0c36fa4c4a7654498a5002a979cb9d042e9f216fdfff21ecb4cb57883a0b2b35b020cdfeb6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINDOWS.EXE
MD5
6278f321b0b9c85a0df4e485a8de7993

SHA1
48fe65a144aee7a9b437d7c8ae9bd5bfe5409d81

SHA256
4dc8cc4ecd4d173a024c221c61f282028bd03967c631ec6827544a36d036952a

SHA512
fdba000c5ab7ba6aaa4e2f94f248003d3505206b3b23aa03565bf0c36fa4c4a7654498a5002a979cb9d042e9f216fdfff21ecb4cb57883a0b2b35b020cdfeb6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINDOWS.EXE
MD5
6278f321b0b9c85a0df4e485a8de7993

SHA1
48fe65a144aee7a9b437d7c8ae9bd5bfe5409d81

SHA256
4dc8cc4ecd4d173a024c221c61f282028bd03967c631ec6827544a36d036952a

SHA512
fdba000c5ab7ba6aaa4e2f94f248003d3505206b3b23aa03565bf0c36fa4c4a7654498a5002a979cb9d042e9f216fdfff21ecb4cb57883a0b2b35b020cdfeb6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINDOWS.EXE
MD5
6278f321b0b9c85a0df4e485a8de7993

SHA1
48fe65a144aee7a9b437d7c8ae9bd5bfe5409d81

SHA256
4dc8cc4ecd4d173a024c221c61f282028bd03967c631ec6827544a36d036952a

SHA512
fdba000c5ab7ba6aaa4e2f94f248003d3505206b3b23aa03565bf0c36fa4c4a7654498a5002a979cb9d042e9f216fdfff21ecb4cb57883a0b2b35b020cdfeb6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\cgy1ZfdE.xlsm
MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpFD38.tmp
MD5
439ec901bf0da2068ffda706616c6c4e

SHA1
6d64adaf144e811e5a0fb3611d8fe1b9236c1c99

SHA256
333efedb8e51e6deb6a1f84ae2cb00c4395ce13546f62be6274c6831ed87d86f

SHA512
e88a318670b8dbc464bf17b4a7d2e4a433da4e4682306eb6a183912be6a157277b1c67d84b03b2e945cdbe491f282c938857d7e48462d4c01c8863b8ff7f04a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpFFAA.tmp
MD5
cd8e69b89899eb65a199cc8019e502ad

SHA1
19ae04c02d02e2828e4513de66734c383660d1a5

SHA256
cf1a9b78745b0f788fea2f579f1e3a82efc7425edb1f35abb8dd8e1cbaaf03ef

SHA512
9a2bf35fc687ec6ac81ad3fe16f82f104ad880be6b36afc7297264de09d50e85d9d3376ed9378d56b08ef94ca700b886cc40768587fc623c7fb6117265bd7033

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
MD5
3a5072a9a5dc35dfb99a59f67c3dc6c0

SHA1
335398bb44927ddb18905221c52a89aa101a3c7f

SHA256
29bf88f94ffab5559b5af5a9db05cfdbe2beeb81301f1e64e851cfa925c930ac

SHA512
b3b11f8e5b495c873a8afa58fdc2f2fef7e7d610a50516fb701dab1197ac11a63e5f857f9b6ecf1a9b33fdf0d875ecf59695be83ff35afcbc23f8293d068e8fa

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
MD5
3a5072a9a5dc35dfb99a59f67c3dc6c0

SHA1
335398bb44927ddb18905221c52a89aa101a3c7f

SHA256
29bf88f94ffab5559b5af5a9db05cfdbe2beeb81301f1e64e851cfa925c930ac

SHA512
b3b11f8e5b495c873a8afa58fdc2f2fef7e7d610a50516fb701dab1197ac11a63e5f857f9b6ecf1a9b33fdf0d875ecf59695be83ff35afcbc23f8293d068e8fa

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_WINDOWS.EXE
MD5
568e6a074378730cee0947c4c796372d

SHA1
7688894728b8207756f52384798e394de8d54070

SHA256
2f990b69464dab55b2ebc8f6a302fe09e5767844b4afb71b43a20a6c2ea48d8d

SHA512
250a1215fd28e4cd5f6da3e72b42a88f93664d4a2484d29f6141a81ef4968872b86379fb54aaf2e645d46ef8c881e43d1c32392dc3f7c381a86c252d7bdb2730

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_WINDOWS.EXE
MD5
568e6a074378730cee0947c4c796372d

SHA1
7688894728b8207756f52384798e394de8d54070

SHA256
2f990b69464dab55b2ebc8f6a302fe09e5767844b4afb71b43a20a6c2ea48d8d

SHA512
250a1215fd28e4cd5f6da3e72b42a88f93664d4a2484d29f6141a81ef4968872b86379fb54aaf2e645d46ef8c881e43d1c32392dc3f7c381a86c252d7bdb2730

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_WINDOWS.EXE
MD5
568e6a074378730cee0947c4c796372d

SHA1
7688894728b8207756f52384798e394de8d54070

SHA256
2f990b69464dab55b2ebc8f6a302fe09e5767844b4afb71b43a20a6c2ea48d8d

SHA512
250a1215fd28e4cd5f6da3e72b42a88f93664d4a2484d29f6141a81ef4968872b86379fb54aaf2e645d46ef8c881e43d1c32392dc3f7c381a86c252d7bdb2730

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_WINDOWS.EXE
MD5
568e6a074378730cee0947c4c796372d

SHA1
7688894728b8207756f52384798e394de8d54070

SHA256
2f990b69464dab55b2ebc8f6a302fe09e5767844b4afb71b43a20a6c2ea48d8d

SHA512
250a1215fd28e4cd5f6da3e72b42a88f93664d4a2484d29f6141a81ef4968872b86379fb54aaf2e645d46ef8c881e43d1c32392dc3f7c381a86c252d7bdb2730

Download Submit
memory/372-142-0x00000000053B0000-0x00000000053B1000-memory.dmp

Filesize
4KB

Download
memory/372-132-0x0000000000A80000-0x0000000000A92000-memory.dmp

Filesize
72KB

Download
memory/440-136-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/604-135-0x00000000056A0000-0x0000000005B9E000-memory.dmp

Filesize
5.0MB

Download
memory/1072-140-0x0000000004C00000-0x00000000050FE000-memory.dmp

Filesize
5.0MB

Download
memory/1240-141-0x0000000001100000-0x00000000011AE000-memory.dmp

Filesize
696KB

Download
memory/1300-183-0x0000000005830000-0x0000000005831000-memory.dmp

Filesize
4KB

Download
memory/1320-179-0x0000000002BF0000-0x0000000002BF1000-memory.dmp

Filesize
4KB

Download
memory/1868-167-0x0000000000D90000-0x0000000000D91000-memory.dmp

Filesize
4KB

Download
memory/2188-125-0x00000000010B0000-0x00000000010B1000-memory.dmp

Filesize
4KB

Download
memory/2188-123-0x0000000000400000-0x00000000005CB000-memory.dmp

Filesize
1.8MB

Download
memory/2188-124-0x0000000000400000-0x00000000005CB000-memory.dmp

Filesize
1.8MB

Download
memory/2760-120-0x0000000005C10000-0x0000000005C86000-memory.dmp

Filesize
472KB

Download
memory/2760-118-0x0000000005CA0000-0x000000000619E000-memory.dmp

Filesize
5.0MB

Download
memory/2760-119-0x0000000003640000-0x000000000364A000-memory.dmp

Filesize
40KB

Download
memory/2760-116-0x00000000061A0000-0x000000000669E000-memory.dmp

Filesize
5.0MB

Download
memory/2760-121-0x00000000066A0000-0x000000000686E000-memory.dmp

Filesize
1.8MB

Download
memory/2760-122-0x0000000006010000-0x000000000602E000-memory.dmp

Filesize
120KB

Download
memory/2760-117-0x0000000005AC0000-0x0000000005B52000-memory.dmp

Filesize
584KB

Download
memory/2760-115-0x0000000000F20000-0x0000000001122000-memory.dmp

Filesize
2.0MB

Download
memory/2932-150-0x0000000000400000-0x00000000005CB000-memory.dmp

Filesize
1.8MB

Download
memory/2932-151-0x0000000002F30000-0x0000000002F31000-memory.dmp

Filesize
4KB

Download
memory/3004-176-0x00007FF89DB10000-0x00007FF89DB20000-memory.dmp

Filesize
64KB

Download
memory/3004-178-0x00007FF89DB10000-0x00007FF89DB20000-memory.dmp

Filesize
64KB

Download
memory/3004-175-0x00007FF89DB10000-0x00007FF89DB20000-memory.dmp

Filesize
64KB

Download
memory/3004-174-0x00007FF89DB10000-0x00007FF89DB20000-memory.dmp

Filesize
64KB

Download
memory/3004-191-0x00007FF89A3C0000-0x00007FF89A3D0000-memory.dmp

Filesize
64KB

Download
memory/3004-171-0x00007FF89DB10000-0x00007FF89DB20000-memory.dmp

Filesize
64KB

Download
memory/3004-193-0x00007FF89A3C0000-0x00007FF89A3D0000-memory.dmp

Filesize
64KB

Download
memory/3012-180-0x0000000005360000-0x0000000005361000-memory.dmp

Filesize
4KB

Download
memory/3156-158-0x0000000000660000-0x0000000000661000-memory.dmp

Filesize
4KB

Download
memory/3228-166-0x0000000000400000-0x00000000005CB000-memory.dmp

Filesize
1.8MB

Download