blackmoon | fc2da18b286a09577e87876c4f789590f3bca1d9a5e2477f77542a094e3d9b4a

Analysis

max time kernel
149s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
31-03-2023 05:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

27163309.exe
Size

964KB
MD5

6808aea60d1be28a1d7e24570a03b206
SHA1

5f7485e994a024e0bb13ef9c5dc316bd2f55d06e
SHA256

c9a4baae5adc1ce17e2c27a7aa04a9880cbc7ea0f347a3450edabca7f2494721
SHA512

ec65184c184f74d834ce54be5981f59abbf0656755db72e18fa20bd15b003d163ab36fa09f22bbb97836c33ba7f990d5a1f7afaf032d7f85f391c0bb746c5f84
SSDEEP

24576:PnsJ39LyjbJkQFMhmC+6GD91ztJFimsiPo:PnsHyjtk2MYC5GD3zzFzHQ

Score

10^/10

blackmoon gh0strat banker persistence rat trojan upx

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 18 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4076-242-0x0000000000400000-0x0000000000473000-memory.dmp	family_blackmoon
behavioral2/memory/4076-324-0x0000000002B50000-0x0000000002B88000-memory.dmp	family_blackmoon
behavioral2/memory/4076-338-0x0000000002F90000-0x0000000002FF6000-memory.dmp	family_blackmoon
behavioral2/memory/4076-339-0x0000000002F90000-0x0000000002FF6000-memory.dmp	family_blackmoon
behavioral2/memory/3524-341-0x0000000000400000-0x0000000000473000-memory.dmp	family_blackmoon
behavioral2/memory/3524-342-0x00000000023C0000-0x00000000023F8000-memory.dmp	family_blackmoon
behavioral2/memory/4076-343-0x0000000002F90000-0x0000000002FF6000-memory.dmp	family_blackmoon
behavioral2/memory/3524-352-0x0000000002E70000-0x0000000002ED6000-memory.dmp	family_blackmoon
behavioral2/memory/3524-353-0x0000000002E70000-0x0000000002ED6000-memory.dmp	family_blackmoon
behavioral2/memory/3524-375-0x0000000002E70000-0x0000000002ED6000-memory.dmp	family_blackmoon
behavioral2/memory/4076-420-0x0000000000400000-0x0000000000473000-memory.dmp	family_blackmoon
behavioral2/memory/4076-453-0x0000000002B50000-0x0000000002B88000-memory.dmp	family_blackmoon
behavioral2/memory/3524-454-0x00000000023C0000-0x00000000023F8000-memory.dmp	family_blackmoon
behavioral2/memory/3524-457-0x0000000002E70000-0x0000000002ED6000-memory.dmp	family_blackmoon
behavioral2/memory/4076-458-0x0000000002F90000-0x0000000002FF6000-memory.dmp	family_blackmoon
behavioral2/memory/4076-460-0x0000000002F90000-0x0000000002FF6000-memory.dmp	family_blackmoon
behavioral2/memory/4076-470-0x0000000002F90000-0x0000000002FF6000-memory.dmp	family_blackmoon
behavioral2/memory/4076-473-0x0000000002B50000-0x0000000002B88000-memory.dmp	family_blackmoon

Gh0st RAT payload 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4076-429-0x0000000010001000-0x000000001000F000-memory.dmp	family_gh0strat
behavioral2/memory/4076-430-0x0000000010000000-0x0000000010017000-memory.dmp	family_gh0strat
behavioral2/memory/3524-451-0x0000000010000000-0x0000000010003000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

._cache_Synaptics.exe27163309.exeSynaptics.exe._cache_27163309.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	._cache_Synaptics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	27163309.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	Synaptics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	._cache_27163309.exe

Executes dropped EXE 3 IoCs

Processes:

._cache_27163309.exeSynaptics.exe._cache_Synaptics.exe

pid process

4076 ._cache_27163309.exe
4760 Synaptics.exe
3524 ._cache_Synaptics.exe
Loads dropped DLL 4 IoCs

Processes:

._cache_27163309.exe._cache_Synaptics.exe

pid process

4076 ._cache_27163309.exe
3524 ._cache_Synaptics.exe
4076 ._cache_27163309.exe
3524 ._cache_Synaptics.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\._cache_27163309.exe	upx
C:\Users\Admin\AppData\Local\Temp\._cache_27163309.exe	upx
C:\Users\Admin\AppData\Local\Temp\._cache_27163309.exe	upx
behavioral2/memory/4076-242-0x0000000000400000-0x0000000000473000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe	upx
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe	upx
behavioral2/memory/3524-341-0x0000000000400000-0x0000000000473000-memory.dmp	upx
behavioral2/memory/4076-420-0x0000000000400000-0x0000000000473000-memory.dmp	upx

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

._cache_27163309.exe._cache_Synaptics.exe27163309.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Windows\CurrentVersion\Run	._cache_27163309.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qdate = "C:\\Users\\Public\\Documents\\Applicationhylkq.exe"	._cache_27163309.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Windows\CurrentVersion\Run	._cache_Synaptics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qdate = "C:\\Users\\Public\\Documents\\Applicationtddzl.exe"	._cache_Synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	27163309.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

._cache_27163309.exe

description	ioc	process
File opened (read-only)	\??\O:	._cache_27163309.exe
File opened (read-only)	\??\P:	._cache_27163309.exe
File opened (read-only)	\??\R:	._cache_27163309.exe
File opened (read-only)	\??\N:	._cache_27163309.exe
File opened (read-only)	\??\V:	._cache_27163309.exe
File opened (read-only)	\??\E:	._cache_27163309.exe
File opened (read-only)	\??\G:	._cache_27163309.exe
File opened (read-only)	\??\H:	._cache_27163309.exe
File opened (read-only)	\??\J:	._cache_27163309.exe
File opened (read-only)	\??\K:	._cache_27163309.exe
File opened (read-only)	\??\L:	._cache_27163309.exe
File opened (read-only)	\??\B:	._cache_27163309.exe
File opened (read-only)	\??\Q:	._cache_27163309.exe
File opened (read-only)	\??\S:	._cache_27163309.exe
File opened (read-only)	\??\U:	._cache_27163309.exe
File opened (read-only)	\??\X:	._cache_27163309.exe
File opened (read-only)	\??\Z:	._cache_27163309.exe
File opened (read-only)	\??\F:	._cache_27163309.exe
File opened (read-only)	\??\I:	._cache_27163309.exe
File opened (read-only)	\??\M:	._cache_27163309.exe
File opened (read-only)	\??\T:	._cache_27163309.exe
File opened (read-only)	\??\W:	._cache_27163309.exe
File opened (read-only)	\??\Y:	._cache_27163309.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4496 4076 WerFault.exe ._cache_27163309.exe

pid	pid_target	process	target process
4496	4076	WerFault.exe	._cache_27163309.exe

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE._cache_27163309.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	._cache_27163309.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	._cache_27163309.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Modifies registry class 4 IoCs

Processes:

27163309.exeSynaptics.exe._cache_27163309.exe._cache_Synaptics.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	27163309.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings	._cache_27163309.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings	._cache_Synaptics.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

1568 EXCEL.EXE

pid	process
1568	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

._cache_27163309.exe._cache_Synaptics.exe

pid	process
4076	._cache_27163309.exe
4076	._cache_27163309.exe
4076	._cache_27163309.exe
4076	._cache_27163309.exe
4076	._cache_27163309.exe
4076	._cache_27163309.exe
4076	._cache_27163309.exe
4076	._cache_27163309.exe
4076	._cache_27163309.exe
4076	._cache_27163309.exe
4076	._cache_27163309.exe
4076	._cache_27163309.exe
4076	._cache_27163309.exe
4076	._cache_27163309.exe
4076	._cache_27163309.exe
4076	._cache_27163309.exe
3524	._cache_Synaptics.exe
3524	._cache_Synaptics.exe
3524	._cache_Synaptics.exe
3524	._cache_Synaptics.exe
3524	._cache_Synaptics.exe
3524	._cache_Synaptics.exe
3524	._cache_Synaptics.exe
3524	._cache_Synaptics.exe
3524	._cache_Synaptics.exe
3524	._cache_Synaptics.exe
3524	._cache_Synaptics.exe
3524	._cache_Synaptics.exe
3524	._cache_Synaptics.exe
3524	._cache_Synaptics.exe
3524	._cache_Synaptics.exe
3524	._cache_Synaptics.exe
4076	._cache_27163309.exe
4076	._cache_27163309.exe
4076	._cache_27163309.exe
4076	._cache_27163309.exe
4076	._cache_27163309.exe
4076	._cache_27163309.exe
4076	._cache_27163309.exe
4076	._cache_27163309.exe
4076	._cache_27163309.exe
4076	._cache_27163309.exe
4076	._cache_27163309.exe
4076	._cache_27163309.exe
4076	._cache_27163309.exe
4076	._cache_27163309.exe
4076	._cache_27163309.exe
4076	._cache_27163309.exe
4076	._cache_27163309.exe
4076	._cache_27163309.exe
4076	._cache_27163309.exe
4076	._cache_27163309.exe
4076	._cache_27163309.exe
4076	._cache_27163309.exe
4076	._cache_27163309.exe
4076	._cache_27163309.exe
4076	._cache_27163309.exe
4076	._cache_27163309.exe
4076	._cache_27163309.exe
4076	._cache_27163309.exe
4076	._cache_27163309.exe
4076	._cache_27163309.exe
4076	._cache_27163309.exe
4076	._cache_27163309.exe

Suspicious use of SetWindowsHookEx 15 IoCs

Processes:

._cache_27163309.exe._cache_Synaptics.exeEXCEL.EXE

pid	process
4076	._cache_27163309.exe
3524	._cache_Synaptics.exe
1568	EXCEL.EXE
1568	EXCEL.EXE
1568	EXCEL.EXE
1568	EXCEL.EXE
4076	._cache_27163309.exe
4076	._cache_27163309.exe
4076	._cache_27163309.exe
4076	._cache_27163309.exe
3524	._cache_Synaptics.exe
3524	._cache_Synaptics.exe
3524	._cache_Synaptics.exe
3524	._cache_Synaptics.exe
1568	EXCEL.EXE

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

27163309.exeSynaptics.exe._cache_27163309.exe._cache_Synaptics.exe

description	pid	process	target process
PID 4400 wrote to memory of 4076	4400	27163309.exe	._cache_27163309.exe
PID 4400 wrote to memory of 4076	4400	27163309.exe	._cache_27163309.exe
PID 4400 wrote to memory of 4076	4400	27163309.exe	._cache_27163309.exe
PID 4400 wrote to memory of 4760	4400	27163309.exe	Synaptics.exe
PID 4400 wrote to memory of 4760	4400	27163309.exe	Synaptics.exe
PID 4400 wrote to memory of 4760	4400	27163309.exe	Synaptics.exe
PID 4760 wrote to memory of 3524	4760	Synaptics.exe	._cache_Synaptics.exe
PID 4760 wrote to memory of 3524	4760	Synaptics.exe	._cache_Synaptics.exe
PID 4760 wrote to memory of 3524	4760	Synaptics.exe	._cache_Synaptics.exe
PID 4076 wrote to memory of 1836	4076	._cache_27163309.exe	NOTEPAD.EXE
PID 4076 wrote to memory of 1836	4076	._cache_27163309.exe	NOTEPAD.EXE
PID 4076 wrote to memory of 1836	4076	._cache_27163309.exe	NOTEPAD.EXE
PID 3524 wrote to memory of 2564	3524	._cache_Synaptics.exe	NOTEPAD.EXE
PID 3524 wrote to memory of 2564	3524	._cache_Synaptics.exe	NOTEPAD.EXE
PID 3524 wrote to memory of 2564	3524	._cache_Synaptics.exe	NOTEPAD.EXE

C:\Users\Admin\AppData\Local\Temp\27163309.exe
"C:\Users\Admin\AppData\Local\Temp\27163309.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4400

C:\Users\Admin\AppData\Local\Temp\._cache_27163309.exe
"C:\Users\Admin\AppData\Local\Temp\._cache_27163309.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Enumerates connected drives
- Checks processor information in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4076

C:\Windows\SysWOW64\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\._cache_27163309.txt
3⤵
PID:1836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4076 -s 2184
3⤵
- Program crash
PID:4496

C:\ProgramData\Synaptics\Synaptics.exe
"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
2⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4760

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
3⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3524

C:\Windows\SysWOW64\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.txt
4⤵
PID:2564

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4076 -ip 4076
1⤵
PID:1180

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe
Filesize
964KB

MD5
6808aea60d1be28a1d7e24570a03b206

SHA1
5f7485e994a024e0bb13ef9c5dc316bd2f55d06e

SHA256
c9a4baae5adc1ce17e2c27a7aa04a9880cbc7ea0f347a3450edabca7f2494721

SHA512
ec65184c184f74d834ce54be5981f59abbf0656755db72e18fa20bd15b003d163ab36fa09f22bbb97836c33ba7f990d5a1f7afaf032d7f85f391c0bb746c5f84

Download Submit
C:\ProgramData\Synaptics\Synaptics.exe
Filesize
964KB

MD5
6808aea60d1be28a1d7e24570a03b206

SHA1
5f7485e994a024e0bb13ef9c5dc316bd2f55d06e

SHA256
c9a4baae5adc1ce17e2c27a7aa04a9880cbc7ea0f347a3450edabca7f2494721

SHA512
ec65184c184f74d834ce54be5981f59abbf0656755db72e18fa20bd15b003d163ab36fa09f22bbb97836c33ba7f990d5a1f7afaf032d7f85f391c0bb746c5f84

Download Submit
C:\ProgramData\Synaptics\Synaptics.exe
Filesize
964KB

MD5
6808aea60d1be28a1d7e24570a03b206

SHA1
5f7485e994a024e0bb13ef9c5dc316bd2f55d06e

SHA256
c9a4baae5adc1ce17e2c27a7aa04a9880cbc7ea0f347a3450edabca7f2494721

SHA512
ec65184c184f74d834ce54be5981f59abbf0656755db72e18fa20bd15b003d163ab36fa09f22bbb97836c33ba7f990d5a1f7afaf032d7f85f391c0bb746c5f84

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_27163309.exe
Filesize
210KB

MD5
3c2241f0c7d29032d0130a2ddbc9c2fa

SHA1
0fdc6879b4e8d617827b7568ffacfec750945fbd

SHA256
82ae5e783b35a1bdc9574991132dea83e4d46b20f14f61ca764fc1057959f857

SHA512
21e27c63e393aab29637ba2b6f6a00b4e9f71331acbdc4efa793e7e7d806b5a401478aa0964234ef5dde13f4b2434abb1090b368792aedb9120dc3e0fc9ed6ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_27163309.exe
Filesize
210KB

MD5
3c2241f0c7d29032d0130a2ddbc9c2fa

SHA1
0fdc6879b4e8d617827b7568ffacfec750945fbd

SHA256
82ae5e783b35a1bdc9574991132dea83e4d46b20f14f61ca764fc1057959f857

SHA512
21e27c63e393aab29637ba2b6f6a00b4e9f71331acbdc4efa793e7e7d806b5a401478aa0964234ef5dde13f4b2434abb1090b368792aedb9120dc3e0fc9ed6ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_27163309.exe
Filesize
210KB

MD5
3c2241f0c7d29032d0130a2ddbc9c2fa

SHA1
0fdc6879b4e8d617827b7568ffacfec750945fbd

SHA256
82ae5e783b35a1bdc9574991132dea83e4d46b20f14f61ca764fc1057959f857

SHA512
21e27c63e393aab29637ba2b6f6a00b4e9f71331acbdc4efa793e7e7d806b5a401478aa0964234ef5dde13f4b2434abb1090b368792aedb9120dc3e0fc9ed6ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_27163309.txt
Filesize
120KB

MD5
3aea5b78bac5359a799c2714fecccd1a

SHA1
5d3203b328ecfc7a55c0ded1032d209e9f273367

SHA256
c05e763cab67cf9daf5be7a6a6cff2650223987a9693eaa119f69b2bbb6df6c3

SHA512
9513cc84a7ed3dd709d4affb03f6e286dcd43e82f33441c00a9d74d2b45449f2ee20baa8db46218d7a59d9e62fb7f95050ea305166e70f3e71dde39ccf07b6d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
Filesize
210KB

MD5
3c2241f0c7d29032d0130a2ddbc9c2fa

SHA1
0fdc6879b4e8d617827b7568ffacfec750945fbd

SHA256
82ae5e783b35a1bdc9574991132dea83e4d46b20f14f61ca764fc1057959f857

SHA512
21e27c63e393aab29637ba2b6f6a00b4e9f71331acbdc4efa793e7e7d806b5a401478aa0964234ef5dde13f4b2434abb1090b368792aedb9120dc3e0fc9ed6ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
Filesize
210KB

MD5
3c2241f0c7d29032d0130a2ddbc9c2fa

SHA1
0fdc6879b4e8d617827b7568ffacfec750945fbd

SHA256
82ae5e783b35a1bdc9574991132dea83e4d46b20f14f61ca764fc1057959f857

SHA512
21e27c63e393aab29637ba2b6f6a00b4e9f71331acbdc4efa793e7e7d806b5a401478aa0964234ef5dde13f4b2434abb1090b368792aedb9120dc3e0fc9ed6ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.txt
Filesize
120KB

MD5
3aea5b78bac5359a799c2714fecccd1a

SHA1
5d3203b328ecfc7a55c0ded1032d209e9f273367

SHA256
c05e763cab67cf9daf5be7a6a6cff2650223987a9693eaa119f69b2bbb6df6c3

SHA512
9513cc84a7ed3dd709d4affb03f6e286dcd43e82f33441c00a9d74d2b45449f2ee20baa8db46218d7a59d9e62fb7f95050ea305166e70f3e71dde39ccf07b6d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\aaaty.dll
Filesize
2KB

MD5
7943effe67a4647e06def2348949020e

SHA1
eabd561f0639a975de259633f63896d82c3f878d

SHA256
3fac47db92d581b2daef7a4f9493be2fe441041e5158101d80873d05808d5cfa

SHA512
c9db1962e7457c94426c2a5c7f439736697d4399db6982c45357459d58805daa4a9d297912135488b6990e265ffa59d687fd5ba43717aab46ccc212083ef5003

Download Submit
C:\Users\Admin\AppData\Local\Temp\aaaty.dll
Filesize
2KB

MD5
7943effe67a4647e06def2348949020e

SHA1
eabd561f0639a975de259633f63896d82c3f878d

SHA256
3fac47db92d581b2daef7a4f9493be2fe441041e5158101d80873d05808d5cfa

SHA512
c9db1962e7457c94426c2a5c7f439736697d4399db6982c45357459d58805daa4a9d297912135488b6990e265ffa59d687fd5ba43717aab46ccc212083ef5003

Download Submit
C:\Users\Admin\AppData\Local\Temp\aaaty.dll
Filesize
2KB

MD5
7943effe67a4647e06def2348949020e

SHA1
eabd561f0639a975de259633f63896d82c3f878d

SHA256
3fac47db92d581b2daef7a4f9493be2fe441041e5158101d80873d05808d5cfa

SHA512
c9db1962e7457c94426c2a5c7f439736697d4399db6982c45357459d58805daa4a9d297912135488b6990e265ffa59d687fd5ba43717aab46ccc212083ef5003

Download Submit
C:\Users\Admin\AppData\Local\Temp\u4taQeL3.xlsm
Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Public\Documents\hters.dll
Filesize
2KB

MD5
7943effe67a4647e06def2348949020e

SHA1
eabd561f0639a975de259633f63896d82c3f878d

SHA256
3fac47db92d581b2daef7a4f9493be2fe441041e5158101d80873d05808d5cfa

SHA512
c9db1962e7457c94426c2a5c7f439736697d4399db6982c45357459d58805daa4a9d297912135488b6990e265ffa59d687fd5ba43717aab46ccc212083ef5003

Download Submit
C:\Users\Public\Documents\hters.dll
Filesize
2KB

MD5
7943effe67a4647e06def2348949020e

SHA1
eabd561f0639a975de259633f63896d82c3f878d

SHA256
3fac47db92d581b2daef7a4f9493be2fe441041e5158101d80873d05808d5cfa

SHA512
c9db1962e7457c94426c2a5c7f439736697d4399db6982c45357459d58805daa4a9d297912135488b6990e265ffa59d687fd5ba43717aab46ccc212083ef5003

Download Submit
C:\Users\Public\Documents\hters.dll
Filesize
2KB

MD5
7943effe67a4647e06def2348949020e

SHA1
eabd561f0639a975de259633f63896d82c3f878d

SHA256
3fac47db92d581b2daef7a4f9493be2fe441041e5158101d80873d05808d5cfa

SHA512
c9db1962e7457c94426c2a5c7f439736697d4399db6982c45357459d58805daa4a9d297912135488b6990e265ffa59d687fd5ba43717aab46ccc212083ef5003

Download Submit
C:\Users\Public\Documents\hters.dll
Filesize
2KB

MD5
7943effe67a4647e06def2348949020e

SHA1
eabd561f0639a975de259633f63896d82c3f878d

SHA256
3fac47db92d581b2daef7a4f9493be2fe441041e5158101d80873d05808d5cfa

SHA512
c9db1962e7457c94426c2a5c7f439736697d4399db6982c45357459d58805daa4a9d297912135488b6990e265ffa59d687fd5ba43717aab46ccc212083ef5003

Download Submit
C:\Users\Public\Documents\sjsw.log
Filesize
209B

MD5
9aa8843dc08ee15ae64c55d96457ddc5

SHA1
1a378d1e99d028a46b1503811c4f4587a7655dcd

SHA256
03babba57720d41d73c385e1b3afe58f24e9c3718a76bf73df8a048779a91496

SHA512
e885d57ebcd91a6d81fba2fa376986d64530ace434f0bad02f44c2eac8ce070fa39a248d9e353f124bf13616d214ec3e7dada7bc8f11914e79a3525416794658

Download Submit
C:\Users\Public\Documents\sjsw.log
Filesize
212B

MD5
fd9b6fb863fb5833b203c268f4da337f

SHA1
9721de4f50eb3eef69aeeb789bc2cc06e98b9b31

SHA256
450242b17f6b73f6067c0b3de59d2397cc72e45368200ed699f14f7bd363ef78

SHA512
506eea7a3489144e24905065fa9df38b94665f156df36ecb824b20c14e3994ee013c539af10bc82562c47df22a2767752bac48a6d3b1f9fdfc842632372c3f78

Download Submit
C:\Users\Public\Documents\sjsw.log
Filesize
212B

MD5
fd9b6fb863fb5833b203c268f4da337f

SHA1
9721de4f50eb3eef69aeeb789bc2cc06e98b9b31

SHA256
450242b17f6b73f6067c0b3de59d2397cc72e45368200ed699f14f7bd363ef78

SHA512
506eea7a3489144e24905065fa9df38b94665f156df36ecb824b20c14e3994ee013c539af10bc82562c47df22a2767752bac48a6d3b1f9fdfc842632372c3f78

Download Submit
C:\Users\Public\Documents\sjwback.dat
Filesize
189B

MD5
942998bb8e787b7225cdb553198ded92

SHA1
e27067e9fbd6d5bf7bc7cf4c413fc5b288c663d6

SHA256
0803dc3741aaff2888dd74ccad66de68f564d7cad44667e1b57edb1d639d4c69

SHA512
74a8dc51dd30fa8b030086ace232091bf553cdf3123c1203bbd1e1806ba0c4a27e3e77cbcf21f840394c3c5a8ee0bbdbc98c37e1df1c35f51b14879ee10c1300

Download Submit
memory/1568-378-0x00007FFA306F0000-0x00007FFA30700000-memory.dmp

Filesize
64KB

Download
memory/1568-374-0x00007FFA306F0000-0x00007FFA30700000-memory.dmp

Filesize
64KB

Download
memory/1568-401-0x00007FFA2E3C0000-0x00007FFA2E3D0000-memory.dmp

Filesize
64KB

Download
memory/1568-399-0x00007FFA2E3C0000-0x00007FFA2E3D0000-memory.dmp

Filesize
64KB

Download
memory/1568-379-0x00007FFA306F0000-0x00007FFA30700000-memory.dmp

Filesize
64KB

Download
memory/1568-380-0x00007FFA306F0000-0x00007FFA30700000-memory.dmp

Filesize
64KB

Download
memory/1568-377-0x00007FFA306F0000-0x00007FFA30700000-memory.dmp

Filesize
64KB

Download
memory/3524-436-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/3524-425-0x0000000003C10000-0x0000000003D02000-memory.dmp

Filesize
968KB

Download
memory/3524-457-0x0000000002E70000-0x0000000002ED6000-memory.dmp

Filesize
408KB

Download
memory/3524-375-0x0000000002E70000-0x0000000002ED6000-memory.dmp

Filesize
408KB

Download
memory/3524-376-0x0000000002400000-0x0000000002403000-memory.dmp

Filesize
12KB

Download
memory/3524-341-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/3524-454-0x00000000023C0000-0x00000000023F8000-memory.dmp

Filesize
224KB

Download
memory/3524-451-0x0000000010000000-0x0000000010003000-memory.dmp

Filesize
12KB

Download
memory/3524-442-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/3524-428-0x0000000003C10000-0x0000000003D02000-memory.dmp

Filesize
968KB

Download
memory/3524-353-0x0000000002E70000-0x0000000002ED6000-memory.dmp

Filesize
408KB

Download
memory/3524-352-0x0000000002E70000-0x0000000002ED6000-memory.dmp

Filesize
408KB

Download
memory/3524-342-0x00000000023C0000-0x00000000023F8000-memory.dmp

Filesize
224KB

Download
memory/3524-426-0x0000000003C10000-0x0000000003D02000-memory.dmp

Filesize
968KB

Download
memory/4076-432-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/4076-430-0x0000000010000000-0x0000000010017000-memory.dmp

Filesize
92KB

Download
memory/4076-458-0x0000000002F90000-0x0000000002FF6000-memory.dmp

Filesize
408KB

Download
memory/4076-421-0x0000000003AD0000-0x0000000003BC2000-memory.dmp

Filesize
968KB

Download
memory/4076-422-0x0000000003AD0000-0x0000000003BC2000-memory.dmp

Filesize
968KB

Download
memory/4076-423-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/4076-424-0x0000000003AD0000-0x0000000003BC2000-memory.dmp

Filesize
968KB

Download
memory/4076-338-0x0000000002F90000-0x0000000002FF6000-memory.dmp

Filesize
408KB

Download
memory/4076-345-0x0000000002B90000-0x0000000002B93000-memory.dmp

Filesize
12KB

Download
memory/4076-242-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/4076-429-0x0000000010001000-0x000000001000F000-memory.dmp

Filesize
56KB

Download
memory/4076-470-0x0000000002F90000-0x0000000002FF6000-memory.dmp

Filesize
408KB

Download
memory/4076-420-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/4076-343-0x0000000002F90000-0x0000000002FF6000-memory.dmp

Filesize
408KB

Download
memory/4076-460-0x0000000002F90000-0x0000000002FF6000-memory.dmp

Filesize
408KB

Download
memory/4076-324-0x0000000002B50000-0x0000000002B88000-memory.dmp

Filesize
224KB

Download
memory/4076-453-0x0000000002B50000-0x0000000002B88000-memory.dmp

Filesize
224KB

Download
memory/4076-473-0x0000000002B50000-0x0000000002B88000-memory.dmp

Filesize
224KB

Download
memory/4076-339-0x0000000002F90000-0x0000000002FF6000-memory.dmp

Filesize
408KB

Download
memory/4076-466-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/4400-183-0x0000000002380000-0x0000000002381000-memory.dmp

Filesize
4KB

Download
memory/4400-262-0x0000000000400000-0x00000000004F7000-memory.dmp

Filesize
988KB

Download
memory/4760-496-0x0000000000400000-0x00000000004F7000-memory.dmp

Filesize
988KB

Download
memory/4760-456-0x0000000002240000-0x0000000002241000-memory.dmp

Filesize
4KB

Download
memory/4760-325-0x0000000002240000-0x0000000002241000-memory.dmp

Filesize
4KB

Download
memory/4760-474-0x0000000000400000-0x00000000004F7000-memory.dmp

Filesize
988KB

Download
memory/4760-419-0x0000000000400000-0x00000000004F7000-memory.dmp

Filesize
988KB

Download