chinese_generic_botnet | a985a64aa7b6f5175e0f4e47b0eb41db10b2cb1236862f4610bcd09ead2fe663

Analysis

max time kernel
127s
max time network
149s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
05-09-2022 04:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

362KB
MD5

af50ecd46089929f90385f6c90000c20
SHA1

9ae6f31c8f5b7f3b8c25d24bfe82c704b205beca
SHA256

a985a64aa7b6f5175e0f4e47b0eb41db10b2cb1236862f4610bcd09ead2fe663
SHA512

415a0a208b1ce87d2f43f4ff735afbc25ae4b6bfb683d39bca1ef8c6e81a07f9403182eebac912414da8fecef510375a8d4bb78b4934cd9dfcc3e53dc2a59259
SSDEEP

3072:N8jSZi34eTzl5IVp7Kw9ftm0dmNk7pzyEO05SVp14aJiwFXr:quZ5e65Q0djzKtawF7

Score

10^/10

chinese_generic_botnet botnet persistence

Malware Config

Signatures

Generic Chinese Botnet
A botnet originating from China which is currently unnamed publicly.
botnet chinese_generic_botnet

Chinese Botnet payload 2 IoCs

botnet

resource	yara_rule
behavioral1/memory/1672-61-0x0000000010000000-0x0000000010018000-memory.dmp	unk_chinese_botnet
behavioral1/memory/1356-76-0x0000000010000000-0x0000000010018000-memory.dmp	unk_chinese_botnet

Downloads MZ/PE file

Executes dropped EXE 12 IoCs

pid	Process
1780	computer.exe
1356	._cache_computer.exe
1724	Synaptics.exe
828	Terms.exe
1576	computer.exe
912	._cache_computer.exe
1708	Synaptics.exe
1912	Peahrfb.exe
1520	Terms.exe
384	Peahrfb.exe
1692	computer.exe
1608	._cache_computer.exe

Loads dropped DLL 19 IoCs

pid	Process
1672	tmp.exe
1672	tmp.exe
1780	computer.exe
1780	computer.exe
1780	computer.exe
1780	computer.exe
1780	computer.exe
828	Terms.exe
828	Terms.exe
1576	computer.exe
1576	computer.exe
1576	computer.exe
1576	computer.exe
1520	Terms.exe
1520	Terms.exe
1692	computer.exe
1692	computer.exe
1692	computer.exe
1692	computer.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	computer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	computer.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\W:	._cache_computer.exe
File opened (read-only)	\??\N:	._cache_computer.exe
File opened (read-only)	\??\T:	tmp.exe
File opened (read-only)	\??\V:	tmp.exe
File opened (read-only)	\??\I:	._cache_computer.exe
File opened (read-only)	\??\R:	._cache_computer.exe
File opened (read-only)	\??\H:	._cache_computer.exe
File opened (read-only)	\??\E:	tmp.exe
File opened (read-only)	\??\G:	._cache_computer.exe
File opened (read-only)	\??\L:	._cache_computer.exe
File opened (read-only)	\??\B:	._cache_computer.exe
File opened (read-only)	\??\O:	._cache_computer.exe
File opened (read-only)	\??\Y:	tmp.exe
File opened (read-only)	\??\U:	tmp.exe
File opened (read-only)	\??\K:	._cache_computer.exe
File opened (read-only)	\??\M:	._cache_computer.exe
File opened (read-only)	\??\H:	tmp.exe
File opened (read-only)	\??\P:	._cache_computer.exe
File opened (read-only)	\??\F:	._cache_computer.exe
File opened (read-only)	\??\W:	._cache_computer.exe
File opened (read-only)	\??\Q:	tmp.exe
File opened (read-only)	\??\M:	tmp.exe
File opened (read-only)	\??\N:	tmp.exe
File opened (read-only)	\??\O:	tmp.exe
File opened (read-only)	\??\W:	tmp.exe
File opened (read-only)	\??\E:	._cache_computer.exe
File opened (read-only)	\??\K:	._cache_computer.exe
File opened (read-only)	\??\L:	tmp.exe
File opened (read-only)	\??\I:	._cache_computer.exe
File opened (read-only)	\??\P:	._cache_computer.exe
File opened (read-only)	\??\F:	._cache_computer.exe
File opened (read-only)	\??\Q:	._cache_computer.exe
File opened (read-only)	\??\V:	._cache_computer.exe
File opened (read-only)	\??\Z:	._cache_computer.exe
File opened (read-only)	\??\L:	._cache_computer.exe
File opened (read-only)	\??\U:	._cache_computer.exe
File opened (read-only)	\??\V:	._cache_computer.exe
File opened (read-only)	\??\Y:	._cache_computer.exe
File opened (read-only)	\??\G:	tmp.exe
File opened (read-only)	\??\Z:	._cache_computer.exe
File opened (read-only)	\??\J:	._cache_computer.exe
File opened (read-only)	\??\J:	tmp.exe
File opened (read-only)	\??\P:	tmp.exe
File opened (read-only)	\??\B:	._cache_computer.exe
File opened (read-only)	\??\H:	._cache_computer.exe
File opened (read-only)	\??\S:	._cache_computer.exe
File opened (read-only)	\??\T:	._cache_computer.exe
File opened (read-only)	\??\F:	tmp.exe
File opened (read-only)	\??\S:	._cache_computer.exe
File opened (read-only)	\??\X:	._cache_computer.exe
File opened (read-only)	\??\I:	tmp.exe
File opened (read-only)	\??\G:	._cache_computer.exe
File opened (read-only)	\??\Q:	._cache_computer.exe
File opened (read-only)	\??\K:	tmp.exe
File opened (read-only)	\??\X:	._cache_computer.exe
File opened (read-only)	\??\Y:	._cache_computer.exe
File opened (read-only)	\??\J:	._cache_computer.exe
File opened (read-only)	\??\T:	._cache_computer.exe
File opened (read-only)	\??\M:	._cache_computer.exe
File opened (read-only)	\??\N:	._cache_computer.exe
File opened (read-only)	\??\R:	._cache_computer.exe
File opened (read-only)	\??\X:	tmp.exe
File opened (read-only)	\??\R:	tmp.exe
File opened (read-only)	\??\S:	tmp.exe

Drops file in System32 directory 21 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F07644E38ED7C9F37D11EEC6D4335E02_CF87DC3CD4D7D734E7613C483D179E8C	Synaptics.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	Terms.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\WinSl	Synaptics.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	Terms.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\exploror[1].exe	Terms.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	._cache_computer.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA	Synaptics.exe
File opened for modification	C:\Windows\SysWOW64\._cache_computer.exe	computer.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA	Synaptics.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA	Synaptics.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\exploror[1].exe	Terms.exe
File opened for modification	C:\Windows\SysWOW64\._cache_computer.exe	computer.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	Synaptics.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\exploror[2].exe	Terms.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	Peahrfb.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F07644E38ED7C9F37D11EEC6D4335E02_CF87DC3CD4D7D734E7613C483D179E8C	Synaptics.exe
File created	C:\Windows\SysWOW64\._cache_computer.exe	computer.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\WinSl\L9\5\2022	Synaptics.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	._cache_computer.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	Peahrfb.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA	Synaptics.exe

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Terms.exe	tmp.exe
File opened for modification	C:\Program Files (x86)\Terms.exe	tmp.exe
File created	C:\Program Files (x86)\Microsoft Eeuaeq\Peahrfb.exe	._cache_computer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Eeuaeq\Peahrfb.exe	._cache_computer.exe
File created	C:\Program Files (x86)\Microsoft Eeuaeq\Peahrfb.exe	._cache_computer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Eeuaeq\Peahrfb.exe	._cache_computer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	tmp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	tmp.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	._cache_computer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	._cache_computer.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	._cache_computer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	._cache_computer.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	Synaptics.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0663148E-4699-4794-AF7A-467FE32528E0}\WpadDecisionReason = "1"	Peahrfb.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	Peahrfb.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0663148E-4699-4794-AF7A-467FE32528E0}\WpadDecisionTime = 80f6f006f1c0d801	Peahrfb.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\6a-c6-09-e9-f0-bf\WpadDecisionTime = e060d101f1c0d801	Terms.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	computer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	._cache_computer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	Peahrfb.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	Terms.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	Synaptics.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0663148E-4699-4794-AF7A-467FE32528E0}\WpadDecisionTime = e060d101f1c0d801	Terms.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	Synaptics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0663148E-4699-4794-AF7A-467FE32528E0}\WpadNetworkName = "Network 3"	Synaptics.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	._cache_computer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	._cache_computer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	Synaptics.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\6a-c6-09-e9-f0-bf\WpadDecisionTime = 6055aefbf0c0d801	Terms.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0663148E-4699-4794-AF7A-467FE32528E0}\WpadDecision = "0"	._cache_computer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\6a-c6-09-e9-f0-bf\WpadDetectedUrl	._cache_computer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	Synaptics.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f007f000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	Terms.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\6a-c6-09-e9-f0-bf\WpadDecision = "0"	Terms.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1D27F844-3A1F-4410-85AC-14651078412D} {000214E4-0000-0000-C000-000000000046} 0xFFFF = 010000000000000080c405f7f0c0d801	computer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	Terms.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0663148E-4699-4794-AF7A-467FE32528E0}	Terms.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000006000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f007f000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	Terms.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	Synaptics.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	Synaptics.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	._cache_computer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	._cache_computer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	._cache_computer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	Synaptics.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	Synaptics.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	Synaptics.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\6a-c6-09-e9-f0-bf\WpadDecisionTime = 004e7901f1c0d801	Peahrfb.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000007000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f007f000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	Peahrfb.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\6a-c6-09-e9-f0-bf\WpadDecisionReason = "1"	._cache_computer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{85BBD920-42A0-1069-A2E4-08002B30309D} {000214E4-0000-0000-C000-000000000046} 0xFFFF = 0100000000000000206303f7f0c0d801	computer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\6a-c6-09-e9-f0-bf\WpadDetectedUrl	._cache_computer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0663148E-4699-4794-AF7A-467FE32528E0}\WpadNetworkName = "Network 3"	Peahrfb.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	Terms.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	Terms.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	._cache_computer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	._cache_computer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	._cache_computer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	Peahrfb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	Peahrfb.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0663148E-4699-4794-AF7A-467FE32528E0}\WpadDecisionTime = a09728fff0c0d801	Synaptics.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0663148E-4699-4794-AF7A-467FE32528E0}\6a-c6-09-e9-f0-bf	Peahrfb.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	._cache_computer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	Synaptics.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	Synaptics.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{23170F69-40C1-278A-1000-000100020000} {000214E4-0000-0000-C000-000000000046} 0xFFFF = 0100000000000000206303f7f0c0d801	computer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	Peahrfb.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\6a-c6-09-e9-f0-bf	Terms.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0663148E-4699-4794-AF7A-467FE32528E0}\WpadDecision = "0"	._cache_computer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	Synaptics.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0663148E-4699-4794-AF7A-467FE32528E0}\6a-c6-09-e9-f0-bf	._cache_computer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000004000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f007f000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	Synaptics.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0663148E-4699-4794-AF7A-467FE32528E0}\WpadDecisionTime = c0807107f1c0d801	Terms.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0663148E-4699-4794-AF7A-467FE32528E0}\6a-c6-09-e9-f0-bf	Peahrfb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	Terms.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0663148E-4699-4794-AF7A-467FE32528E0}\WpadDecisionTime = 6056ce07f1c0d801	._cache_computer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0663148E-4699-4794-AF7A-467FE32528E0}\WpadDecisionTime = 60d528f2f0c0d801	Terms.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1672	tmp.exe
828	Terms.exe
912	._cache_computer.exe
1672	tmp.exe
1356	._cache_computer.exe
1520	Terms.exe

Suspicious use of WriteProcessMemory 52 IoCs

description	pid	Process	procid_target
PID 1672 wrote to memory of 1580	1672	tmp.exe	27
PID 1672 wrote to memory of 1580	1672	tmp.exe	27
PID 1672 wrote to memory of 1580	1672	tmp.exe	27
PID 1672 wrote to memory of 1580	1672	tmp.exe	27
PID 1672 wrote to memory of 1780	1672	tmp.exe	31
PID 1672 wrote to memory of 1780	1672	tmp.exe	31
PID 1672 wrote to memory of 1780	1672	tmp.exe	31
PID 1672 wrote to memory of 1780	1672	tmp.exe	31
PID 1780 wrote to memory of 1356	1780	computer.exe	32
PID 1780 wrote to memory of 1356	1780	computer.exe	32
PID 1780 wrote to memory of 1356	1780	computer.exe	32
PID 1780 wrote to memory of 1356	1780	computer.exe	32
PID 1780 wrote to memory of 1724	1780	computer.exe	33
PID 1780 wrote to memory of 1724	1780	computer.exe	33
PID 1780 wrote to memory of 1724	1780	computer.exe	33
PID 1780 wrote to memory of 1724	1780	computer.exe	33
PID 828 wrote to memory of 768	828	Terms.exe	35
PID 828 wrote to memory of 768	828	Terms.exe	35
PID 828 wrote to memory of 768	828	Terms.exe	35
PID 828 wrote to memory of 768	828	Terms.exe	35
PID 828 wrote to memory of 1576	828	Terms.exe	39
PID 828 wrote to memory of 1576	828	Terms.exe	39
PID 828 wrote to memory of 1576	828	Terms.exe	39
PID 828 wrote to memory of 1576	828	Terms.exe	39
PID 1576 wrote to memory of 912	1576	computer.exe	40
PID 1576 wrote to memory of 912	1576	computer.exe	40
PID 1576 wrote to memory of 912	1576	computer.exe	40
PID 1576 wrote to memory of 912	1576	computer.exe	40
PID 1576 wrote to memory of 1708	1576	computer.exe	41
PID 1576 wrote to memory of 1708	1576	computer.exe	41
PID 1576 wrote to memory of 1708	1576	computer.exe	41
PID 1576 wrote to memory of 1708	1576	computer.exe	41
PID 828 wrote to memory of 1520	828	Terms.exe	43
PID 828 wrote to memory of 1520	828	Terms.exe	43
PID 828 wrote to memory of 1520	828	Terms.exe	43
PID 828 wrote to memory of 1520	828	Terms.exe	43
PID 1520 wrote to memory of 1592	1520	Terms.exe	44
PID 1520 wrote to memory of 1592	1520	Terms.exe	44
PID 1520 wrote to memory of 1592	1520	Terms.exe	44
PID 1520 wrote to memory of 1592	1520	Terms.exe	44
PID 1912 wrote to memory of 384	1912	Peahrfb.exe	46
PID 1912 wrote to memory of 384	1912	Peahrfb.exe	46
PID 1912 wrote to memory of 384	1912	Peahrfb.exe	46
PID 1912 wrote to memory of 384	1912	Peahrfb.exe	46
PID 1520 wrote to memory of 1692	1520	Terms.exe	47
PID 1520 wrote to memory of 1692	1520	Terms.exe	47
PID 1520 wrote to memory of 1692	1520	Terms.exe	47
PID 1520 wrote to memory of 1692	1520	Terms.exe	47
PID 1692 wrote to memory of 1608	1692	computer.exe	48
PID 1692 wrote to memory of 1608	1692	computer.exe	48
PID 1692 wrote to memory of 1608	1692	computer.exe	48
PID 1692 wrote to memory of 1608	1692	computer.exe	48

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Drops file in Program Files directory
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1672
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c md C:\windowss64
  2⤵
  PID:1580
- C:\windowss64\computer.exe
  "C:\windowss64\computer.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1780
- - C:\Users\Admin\AppData\Local\Temp\._cache_computer.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_computer.exe"
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    PID:1356
- - C:\ProgramData\Synaptics\Synaptics.exe
    "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    PID:1724

C:\Program Files (x86)\Terms.exe
"C:\Program Files (x86)\Terms.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:828
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c md C:\windowss64
  2⤵
  PID:768
- C:\windowss64\computer.exe
  "C:\windowss64\computer.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of WriteProcessMemory
  PID:1576
- - C:\Windows\SysWOW64\._cache_computer.exe
    "C:\Windows\system32\._cache_computer.exe"
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Checks processor information in registry
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    PID:912
- - C:\ProgramData\Synaptics\Synaptics.exe
    "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    PID:1708
- C:\Program Files (x86)\Terms.exe
  "C:\Program Files (x86)\Terms.exe" Win7
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1520
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c md C:\windowss64
    3⤵
    PID:1592
- - C:\windowss64\computer.exe
    "C:\windowss64\computer.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious use of WriteProcessMemory
    PID:1692
  - - C:\Windows\SysWOW64\._cache_computer.exe
      "C:\Windows\system32\._cache_computer.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Modifies data under HKEY_USERS
      PID:1608

C:\Program Files (x86)\Microsoft Eeuaeq\Peahrfb.exe
"C:\Program Files (x86)\Microsoft Eeuaeq\Peahrfb.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:1912
- C:\Program Files (x86)\Microsoft Eeuaeq\Peahrfb.exe
  "C:\Program Files (x86)\Microsoft Eeuaeq\Peahrfb.exe" Win7
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:384

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Eeuaeq\Peahrfb.exe

Filesize
400KB

MD5
f82f50d6a61d3d73172fcbf3ff665e89

SHA1
2e5cde938a2822a13348e55f4ad0dfa75d545fee

SHA256
afbf8e478edc3d239953a3653a5ec113363fb9406552536d6469581b52585bcd

SHA512
f5945f9c5b4cfcd29498b24ec43000e6ec2927ec264d758aeeb4325f4c5f2b1d03fb997c84b38daec82b4a1dbc9f049b932ca399ef02778072cf594b1b5044fb

Download Submit
C:\Program Files (x86)\Microsoft Eeuaeq\Peahrfb.exe

Filesize
400KB

MD5
f82f50d6a61d3d73172fcbf3ff665e89

SHA1
2e5cde938a2822a13348e55f4ad0dfa75d545fee

SHA256
afbf8e478edc3d239953a3653a5ec113363fb9406552536d6469581b52585bcd

SHA512
f5945f9c5b4cfcd29498b24ec43000e6ec2927ec264d758aeeb4325f4c5f2b1d03fb997c84b38daec82b4a1dbc9f049b932ca399ef02778072cf594b1b5044fb

Download Submit
C:\Program Files (x86)\Microsoft Eeuaeq\Peahrfb.exe

Filesize
400KB

MD5
f82f50d6a61d3d73172fcbf3ff665e89

SHA1
2e5cde938a2822a13348e55f4ad0dfa75d545fee

SHA256
afbf8e478edc3d239953a3653a5ec113363fb9406552536d6469581b52585bcd

SHA512
f5945f9c5b4cfcd29498b24ec43000e6ec2927ec264d758aeeb4325f4c5f2b1d03fb997c84b38daec82b4a1dbc9f049b932ca399ef02778072cf594b1b5044fb

Download Submit
C:\Program Files (x86)\Terms.exe

Filesize
362KB

MD5
af50ecd46089929f90385f6c90000c20

SHA1
9ae6f31c8f5b7f3b8c25d24bfe82c704b205beca

SHA256
a985a64aa7b6f5175e0f4e47b0eb41db10b2cb1236862f4610bcd09ead2fe663

SHA512
415a0a208b1ce87d2f43f4ff735afbc25ae4b6bfb683d39bca1ef8c6e81a07f9403182eebac912414da8fecef510375a8d4bb78b4934cd9dfcc3e53dc2a59259

Download Submit
C:\Program Files (x86)\Terms.exe

Filesize
362KB

MD5
af50ecd46089929f90385f6c90000c20

SHA1
9ae6f31c8f5b7f3b8c25d24bfe82c704b205beca

SHA256
a985a64aa7b6f5175e0f4e47b0eb41db10b2cb1236862f4610bcd09ead2fe663

SHA512
415a0a208b1ce87d2f43f4ff735afbc25ae4b6bfb683d39bca1ef8c6e81a07f9403182eebac912414da8fecef510375a8d4bb78b4934cd9dfcc3e53dc2a59259

Download Submit
C:\Program Files (x86)\Terms.exe

Filesize
362KB

MD5
af50ecd46089929f90385f6c90000c20

SHA1
9ae6f31c8f5b7f3b8c25d24bfe82c704b205beca

SHA256
a985a64aa7b6f5175e0f4e47b0eb41db10b2cb1236862f4610bcd09ead2fe663

SHA512
415a0a208b1ce87d2f43f4ff735afbc25ae4b6bfb683d39bca1ef8c6e81a07f9403182eebac912414da8fecef510375a8d4bb78b4934cd9dfcc3e53dc2a59259

Download Submit
C:\ProgramData\Synaptics\Synaptics.exe

Filesize
754KB

MD5
310a7ff41f6633132e6c2bc25e51e567

SHA1
5f687df8cc3185ed68d77d0e05502c2eb308c5c8

SHA256
d1425edf482717cb64db2a36357866045b0c6306d919296591ffc9bc45d680ab

SHA512
ee9b3114cb37e52793bccdf20a27158f5def67ed9c7d8eb772e1deaf5d5f9a0030e847dea40bb320637f29508f1be2a49c3095460a6fd3afbc3bca196f642980

Download Submit
C:\ProgramData\Synaptics\Synaptics.exe

Filesize
754KB

MD5
310a7ff41f6633132e6c2bc25e51e567

SHA1
5f687df8cc3185ed68d77d0e05502c2eb308c5c8

SHA256
d1425edf482717cb64db2a36357866045b0c6306d919296591ffc9bc45d680ab

SHA512
ee9b3114cb37e52793bccdf20a27158f5def67ed9c7d8eb772e1deaf5d5f9a0030e847dea40bb320637f29508f1be2a49c3095460a6fd3afbc3bca196f642980

Download Submit
C:\ProgramData\Synaptics\Synaptics.exe

Filesize
754KB

MD5
310a7ff41f6633132e6c2bc25e51e567

SHA1
5f687df8cc3185ed68d77d0e05502c2eb308c5c8

SHA256
d1425edf482717cb64db2a36357866045b0c6306d919296591ffc9bc45d680ab

SHA512
ee9b3114cb37e52793bccdf20a27158f5def67ed9c7d8eb772e1deaf5d5f9a0030e847dea40bb320637f29508f1be2a49c3095460a6fd3afbc3bca196f642980

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_computer.exe

Filesize
400KB

MD5
f82f50d6a61d3d73172fcbf3ff665e89

SHA1
2e5cde938a2822a13348e55f4ad0dfa75d545fee

SHA256
afbf8e478edc3d239953a3653a5ec113363fb9406552536d6469581b52585bcd

SHA512
f5945f9c5b4cfcd29498b24ec43000e6ec2927ec264d758aeeb4325f4c5f2b1d03fb997c84b38daec82b4a1dbc9f049b932ca399ef02778072cf594b1b5044fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_computer.exe

Filesize
400KB

MD5
f82f50d6a61d3d73172fcbf3ff665e89

SHA1
2e5cde938a2822a13348e55f4ad0dfa75d545fee

SHA256
afbf8e478edc3d239953a3653a5ec113363fb9406552536d6469581b52585bcd

SHA512
f5945f9c5b4cfcd29498b24ec43000e6ec2927ec264d758aeeb4325f4c5f2b1d03fb997c84b38daec82b4a1dbc9f049b932ca399ef02778072cf594b1b5044fb

Download Submit
C:\Windows\SysWOW64\._cache_computer.exe

Filesize
400KB

MD5
f82f50d6a61d3d73172fcbf3ff665e89

SHA1
2e5cde938a2822a13348e55f4ad0dfa75d545fee

SHA256
afbf8e478edc3d239953a3653a5ec113363fb9406552536d6469581b52585bcd

SHA512
f5945f9c5b4cfcd29498b24ec43000e6ec2927ec264d758aeeb4325f4c5f2b1d03fb997c84b38daec82b4a1dbc9f049b932ca399ef02778072cf594b1b5044fb

Download Submit
C:\Windows\SysWOW64\._cache_computer.exe

Filesize
400KB

MD5
f82f50d6a61d3d73172fcbf3ff665e89

SHA1
2e5cde938a2822a13348e55f4ad0dfa75d545fee

SHA256
afbf8e478edc3d239953a3653a5ec113363fb9406552536d6469581b52585bcd

SHA512
f5945f9c5b4cfcd29498b24ec43000e6ec2927ec264d758aeeb4325f4c5f2b1d03fb997c84b38daec82b4a1dbc9f049b932ca399ef02778072cf594b1b5044fb

Download Submit
C:\Windows\SysWOW64\._cache_computer.exe

Filesize
400KB

MD5
f82f50d6a61d3d73172fcbf3ff665e89

SHA1
2e5cde938a2822a13348e55f4ad0dfa75d545fee

SHA256
afbf8e478edc3d239953a3653a5ec113363fb9406552536d6469581b52585bcd

SHA512
f5945f9c5b4cfcd29498b24ec43000e6ec2927ec264d758aeeb4325f4c5f2b1d03fb997c84b38daec82b4a1dbc9f049b932ca399ef02778072cf594b1b5044fb

Download Submit
C:\windowss64\computer.exe

Filesize
1.1MB

MD5
d6df53506b123f5717463d0355336979

SHA1
7720fb4b89a4ebcef32a6d6a9a7a88c65cad2c14

SHA256
70969f1d56ec1ddcae3fc50545c0a351b798226c62d870db8ae5170eeec67694

SHA512
1bfefa221ed77ef05fc72fbc20a322cae990b2a33a9af47b9ee4d9fa1c09d5c81f6a8fd8496ed43a47ee2862e1e2bf1651b4cca2f5e9e23e491c3d4b3249ad2f

Download Submit
C:\windowss64\computer.exe

Filesize
1.1MB

MD5
d6df53506b123f5717463d0355336979

SHA1
7720fb4b89a4ebcef32a6d6a9a7a88c65cad2c14

SHA256
70969f1d56ec1ddcae3fc50545c0a351b798226c62d870db8ae5170eeec67694

SHA512
1bfefa221ed77ef05fc72fbc20a322cae990b2a33a9af47b9ee4d9fa1c09d5c81f6a8fd8496ed43a47ee2862e1e2bf1651b4cca2f5e9e23e491c3d4b3249ad2f

Download Submit
C:\windowss64\computer.exe

Filesize
1.1MB

MD5
d6df53506b123f5717463d0355336979

SHA1
7720fb4b89a4ebcef32a6d6a9a7a88c65cad2c14

SHA256
70969f1d56ec1ddcae3fc50545c0a351b798226c62d870db8ae5170eeec67694

SHA512
1bfefa221ed77ef05fc72fbc20a322cae990b2a33a9af47b9ee4d9fa1c09d5c81f6a8fd8496ed43a47ee2862e1e2bf1651b4cca2f5e9e23e491c3d4b3249ad2f

Download Submit
C:\windowss64\computer.exe

Filesize
1.1MB

MD5
d6df53506b123f5717463d0355336979

SHA1
7720fb4b89a4ebcef32a6d6a9a7a88c65cad2c14

SHA256
70969f1d56ec1ddcae3fc50545c0a351b798226c62d870db8ae5170eeec67694

SHA512
1bfefa221ed77ef05fc72fbc20a322cae990b2a33a9af47b9ee4d9fa1c09d5c81f6a8fd8496ed43a47ee2862e1e2bf1651b4cca2f5e9e23e491c3d4b3249ad2f

Download Submit
C:\windowss64\computer.exe

Filesize
1.1MB

MD5
d6df53506b123f5717463d0355336979

SHA1
7720fb4b89a4ebcef32a6d6a9a7a88c65cad2c14

SHA256
70969f1d56ec1ddcae3fc50545c0a351b798226c62d870db8ae5170eeec67694

SHA512
1bfefa221ed77ef05fc72fbc20a322cae990b2a33a9af47b9ee4d9fa1c09d5c81f6a8fd8496ed43a47ee2862e1e2bf1651b4cca2f5e9e23e491c3d4b3249ad2f

Download Submit
C:\windowss64\computer.exe

Filesize
1.1MB

MD5
d6df53506b123f5717463d0355336979

SHA1
7720fb4b89a4ebcef32a6d6a9a7a88c65cad2c14

SHA256
70969f1d56ec1ddcae3fc50545c0a351b798226c62d870db8ae5170eeec67694

SHA512
1bfefa221ed77ef05fc72fbc20a322cae990b2a33a9af47b9ee4d9fa1c09d5c81f6a8fd8496ed43a47ee2862e1e2bf1651b4cca2f5e9e23e491c3d4b3249ad2f

Download Submit
\ProgramData\Synaptics\Synaptics.exe

Filesize
754KB

MD5
310a7ff41f6633132e6c2bc25e51e567

SHA1
5f687df8cc3185ed68d77d0e05502c2eb308c5c8

SHA256
d1425edf482717cb64db2a36357866045b0c6306d919296591ffc9bc45d680ab

SHA512
ee9b3114cb37e52793bccdf20a27158f5def67ed9c7d8eb772e1deaf5d5f9a0030e847dea40bb320637f29508f1be2a49c3095460a6fd3afbc3bca196f642980

Download Submit
\ProgramData\Synaptics\Synaptics.exe

Filesize
754KB

MD5
310a7ff41f6633132e6c2bc25e51e567

SHA1
5f687df8cc3185ed68d77d0e05502c2eb308c5c8

SHA256
d1425edf482717cb64db2a36357866045b0c6306d919296591ffc9bc45d680ab

SHA512
ee9b3114cb37e52793bccdf20a27158f5def67ed9c7d8eb772e1deaf5d5f9a0030e847dea40bb320637f29508f1be2a49c3095460a6fd3afbc3bca196f642980

Download Submit
\ProgramData\Synaptics\Synaptics.exe

Filesize
754KB

MD5
310a7ff41f6633132e6c2bc25e51e567

SHA1
5f687df8cc3185ed68d77d0e05502c2eb308c5c8

SHA256
d1425edf482717cb64db2a36357866045b0c6306d919296591ffc9bc45d680ab

SHA512
ee9b3114cb37e52793bccdf20a27158f5def67ed9c7d8eb772e1deaf5d5f9a0030e847dea40bb320637f29508f1be2a49c3095460a6fd3afbc3bca196f642980

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_computer.exe

Filesize
400KB

MD5
f82f50d6a61d3d73172fcbf3ff665e89

SHA1
2e5cde938a2822a13348e55f4ad0dfa75d545fee

SHA256
afbf8e478edc3d239953a3653a5ec113363fb9406552536d6469581b52585bcd

SHA512
f5945f9c5b4cfcd29498b24ec43000e6ec2927ec264d758aeeb4325f4c5f2b1d03fb997c84b38daec82b4a1dbc9f049b932ca399ef02778072cf594b1b5044fb

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_computer.exe

Filesize
400KB

MD5
f82f50d6a61d3d73172fcbf3ff665e89

SHA1
2e5cde938a2822a13348e55f4ad0dfa75d545fee

SHA256
afbf8e478edc3d239953a3653a5ec113363fb9406552536d6469581b52585bcd

SHA512
f5945f9c5b4cfcd29498b24ec43000e6ec2927ec264d758aeeb4325f4c5f2b1d03fb997c84b38daec82b4a1dbc9f049b932ca399ef02778072cf594b1b5044fb

Download Submit
\Windows\SysWOW64\._cache_computer.exe

Filesize
400KB

MD5
f82f50d6a61d3d73172fcbf3ff665e89

SHA1
2e5cde938a2822a13348e55f4ad0dfa75d545fee

SHA256
afbf8e478edc3d239953a3653a5ec113363fb9406552536d6469581b52585bcd

SHA512
f5945f9c5b4cfcd29498b24ec43000e6ec2927ec264d758aeeb4325f4c5f2b1d03fb997c84b38daec82b4a1dbc9f049b932ca399ef02778072cf594b1b5044fb

Download Submit
\Windows\SysWOW64\._cache_computer.exe

Filesize
400KB

MD5
f82f50d6a61d3d73172fcbf3ff665e89

SHA1
2e5cde938a2822a13348e55f4ad0dfa75d545fee

SHA256
afbf8e478edc3d239953a3653a5ec113363fb9406552536d6469581b52585bcd

SHA512
f5945f9c5b4cfcd29498b24ec43000e6ec2927ec264d758aeeb4325f4c5f2b1d03fb997c84b38daec82b4a1dbc9f049b932ca399ef02778072cf594b1b5044fb

Download Submit
\Windows\SysWOW64\._cache_computer.exe

Filesize
400KB

MD5
f82f50d6a61d3d73172fcbf3ff665e89

SHA1
2e5cde938a2822a13348e55f4ad0dfa75d545fee

SHA256
afbf8e478edc3d239953a3653a5ec113363fb9406552536d6469581b52585bcd

SHA512
f5945f9c5b4cfcd29498b24ec43000e6ec2927ec264d758aeeb4325f4c5f2b1d03fb997c84b38daec82b4a1dbc9f049b932ca399ef02778072cf594b1b5044fb

Download Submit
\Windows\SysWOW64\._cache_computer.exe

Filesize
400KB

MD5
f82f50d6a61d3d73172fcbf3ff665e89

SHA1
2e5cde938a2822a13348e55f4ad0dfa75d545fee

SHA256
afbf8e478edc3d239953a3653a5ec113363fb9406552536d6469581b52585bcd

SHA512
f5945f9c5b4cfcd29498b24ec43000e6ec2927ec264d758aeeb4325f4c5f2b1d03fb997c84b38daec82b4a1dbc9f049b932ca399ef02778072cf594b1b5044fb

Download Submit
\Windows\SysWOW64\._cache_computer.exe

Filesize
400KB

MD5
f82f50d6a61d3d73172fcbf3ff665e89

SHA1
2e5cde938a2822a13348e55f4ad0dfa75d545fee

SHA256
afbf8e478edc3d239953a3653a5ec113363fb9406552536d6469581b52585bcd

SHA512
f5945f9c5b4cfcd29498b24ec43000e6ec2927ec264d758aeeb4325f4c5f2b1d03fb997c84b38daec82b4a1dbc9f049b932ca399ef02778072cf594b1b5044fb

Download Submit
\windowss64\computer.exe

Filesize
1.1MB

MD5
d6df53506b123f5717463d0355336979

SHA1
7720fb4b89a4ebcef32a6d6a9a7a88c65cad2c14

SHA256
70969f1d56ec1ddcae3fc50545c0a351b798226c62d870db8ae5170eeec67694

SHA512
1bfefa221ed77ef05fc72fbc20a322cae990b2a33a9af47b9ee4d9fa1c09d5c81f6a8fd8496ed43a47ee2862e1e2bf1651b4cca2f5e9e23e491c3d4b3249ad2f

Download Submit
\windowss64\computer.exe

Filesize
1.1MB

MD5
d6df53506b123f5717463d0355336979

SHA1
7720fb4b89a4ebcef32a6d6a9a7a88c65cad2c14

SHA256
70969f1d56ec1ddcae3fc50545c0a351b798226c62d870db8ae5170eeec67694

SHA512
1bfefa221ed77ef05fc72fbc20a322cae990b2a33a9af47b9ee4d9fa1c09d5c81f6a8fd8496ed43a47ee2862e1e2bf1651b4cca2f5e9e23e491c3d4b3249ad2f

Download Submit
\windowss64\computer.exe

Filesize
1.1MB

MD5
d6df53506b123f5717463d0355336979

SHA1
7720fb4b89a4ebcef32a6d6a9a7a88c65cad2c14

SHA256
70969f1d56ec1ddcae3fc50545c0a351b798226c62d870db8ae5170eeec67694

SHA512
1bfefa221ed77ef05fc72fbc20a322cae990b2a33a9af47b9ee4d9fa1c09d5c81f6a8fd8496ed43a47ee2862e1e2bf1651b4cca2f5e9e23e491c3d4b3249ad2f

Download Submit
\windowss64\computer.exe

Filesize
1.1MB

MD5
d6df53506b123f5717463d0355336979

SHA1
7720fb4b89a4ebcef32a6d6a9a7a88c65cad2c14

SHA256
70969f1d56ec1ddcae3fc50545c0a351b798226c62d870db8ae5170eeec67694

SHA512
1bfefa221ed77ef05fc72fbc20a322cae990b2a33a9af47b9ee4d9fa1c09d5c81f6a8fd8496ed43a47ee2862e1e2bf1651b4cca2f5e9e23e491c3d4b3249ad2f

Download Submit
\windowss64\computer.exe

Filesize
1.1MB

MD5
d6df53506b123f5717463d0355336979

SHA1
7720fb4b89a4ebcef32a6d6a9a7a88c65cad2c14

SHA256
70969f1d56ec1ddcae3fc50545c0a351b798226c62d870db8ae5170eeec67694

SHA512
1bfefa221ed77ef05fc72fbc20a322cae990b2a33a9af47b9ee4d9fa1c09d5c81f6a8fd8496ed43a47ee2862e1e2bf1651b4cca2f5e9e23e491c3d4b3249ad2f

Download Submit
\windowss64\computer.exe

Filesize
1.1MB

MD5
d6df53506b123f5717463d0355336979

SHA1
7720fb4b89a4ebcef32a6d6a9a7a88c65cad2c14

SHA256
70969f1d56ec1ddcae3fc50545c0a351b798226c62d870db8ae5170eeec67694

SHA512
1bfefa221ed77ef05fc72fbc20a322cae990b2a33a9af47b9ee4d9fa1c09d5c81f6a8fd8496ed43a47ee2862e1e2bf1651b4cca2f5e9e23e491c3d4b3249ad2f

Download Submit
\windowss64\computer.exe

Filesize
1.1MB

MD5
d6df53506b123f5717463d0355336979

SHA1
7720fb4b89a4ebcef32a6d6a9a7a88c65cad2c14

SHA256
70969f1d56ec1ddcae3fc50545c0a351b798226c62d870db8ae5170eeec67694

SHA512
1bfefa221ed77ef05fc72fbc20a322cae990b2a33a9af47b9ee4d9fa1c09d5c81f6a8fd8496ed43a47ee2862e1e2bf1651b4cca2f5e9e23e491c3d4b3249ad2f

Download Submit
\windowss64\computer.exe

Filesize
1.1MB

MD5
d6df53506b123f5717463d0355336979

SHA1
7720fb4b89a4ebcef32a6d6a9a7a88c65cad2c14

SHA256
70969f1d56ec1ddcae3fc50545c0a351b798226c62d870db8ae5170eeec67694

SHA512
1bfefa221ed77ef05fc72fbc20a322cae990b2a33a9af47b9ee4d9fa1c09d5c81f6a8fd8496ed43a47ee2862e1e2bf1651b4cca2f5e9e23e491c3d4b3249ad2f

Download Submit
\windowss64\computer.exe

Filesize
1.1MB

MD5
d6df53506b123f5717463d0355336979

SHA1
7720fb4b89a4ebcef32a6d6a9a7a88c65cad2c14

SHA256
70969f1d56ec1ddcae3fc50545c0a351b798226c62d870db8ae5170eeec67694

SHA512
1bfefa221ed77ef05fc72fbc20a322cae990b2a33a9af47b9ee4d9fa1c09d5c81f6a8fd8496ed43a47ee2862e1e2bf1651b4cca2f5e9e23e491c3d4b3249ad2f

Download Submit
memory/1356-76-0x0000000010000000-0x0000000010018000-memory.dmp

Filesize
96KB

Download
memory/1672-61-0x0000000010000000-0x0000000010018000-memory.dmp

Filesize
96KB

Download
memory/1672-54-0x0000000075BD1000-0x0000000075BD3000-memory.dmp

Filesize
8KB

Download