Malware Analysis Report

2025-08-06 02:58

Sample ID 240112-ptxx1sgfe4
Target 567b2021c7a3db81cfd1421d3d7d37a1
SHA256 4a0d83439be8a28152984b5800a6a1882d95e5ac361ad24131a688237bf403b7
Tags
redline sectoprat @cryptex777 infostealer persistence rat trojan
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
10/10

SHA256

4a0d83439be8a28152984b5800a6a1882d95e5ac361ad24131a688237bf403b7

Threat Level: Known bad

The file 567b2021c7a3db81cfd1421d3d7d37a1 was found to be: Known bad.

Malicious Activity Summary

redline sectoprat @cryptex777 infostealer persistence rat trojan

RedLine

RedLine payload

SectopRAT payload

SectopRAT

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Adds Run key to start application

Drops file in System32 directory

Suspicious use of SetThreadContext

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Modifies registry class

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-12 12:37

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-12 12:37

Reported

2024-01-12 12:40

Platform

win7-20231215-en

Max time kernel

144s

Max time network

163s

Command Line

"C:\Users\Admin\AppData\Local\Temp\567b2021c7a3db81cfd1421d3d7d37a1.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\._cache_567b2021c7a3db81cfd1421d3d7d37a1.exe | N/A
N/A | N/A | C:\ProgramData\Synaptics\Synaptics.exe | N/A

Adds Run key to start application

persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" | C:\Users\Admin\AppData\Local\Temp\567b2021c7a3db81cfd1421d3d7d37a1.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\ | C:\Users\Admin\AppData\Local\Temp\567b2021c7a3db81cfd1421d3d7d37a1.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2052 set thread context of 2084 | N/A | C:\Users\Admin\AppData\Local\Temp\567b2021c7a3db81cfd1421d3d7d37a1.exe | C:\Users\Admin\AppData\Local\Temp\567b2021c7a3db81cfd1421d3d7d37a1.exe

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\windows\test.txt | C:\Users\Admin\AppData\Local\Temp\567b2021c7a3db81cfd1421d3d7d37a1.exe | N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\567b2021c7a3db81cfd1421d3d7d37a1.exe | N/A
N/A | N/A | C:\ProgramData\Synaptics\Synaptics.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\567b2021c7a3db81cfd1421d3d7d37a1.exe | N/A
Token: SeDebugPrivilege | N/A | C:\ProgramData\Synaptics\Synaptics.exe | N/A
Token: SeDebugPrivilege | N/A | C:\ProgramData\Synaptics\Synaptics.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\._cache_567b2021c7a3db81cfd1421d3d7d37a1.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2052 wrote to memory of 2196 | N/A | C:\Users\Admin\AppData\Local\Temp\567b2021c7a3db81cfd1421d3d7d37a1.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2052 wrote to memory of 2196 | N/A | C:\Users\Admin\AppData\Local\Temp\567b2021c7a3db81cfd1421d3d7d37a1.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2052 wrote to memory of 2196 | N/A | C:\Users\Admin\AppData\Local\Temp\567b2021c7a3db81cfd1421d3d7d37a1.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2052 wrote to memory of 2196 | N/A | C:\Users\Admin\AppData\Local\Temp\567b2021c7a3db81cfd1421d3d7d37a1.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2052 wrote to memory of 2084 | N/A | C:\Users\Admin\AppData\Local\Temp\567b2021c7a3db81cfd1421d3d7d37a1.exe | C:\Users\Admin\AppData\Local\Temp\567b2021c7a3db81cfd1421d3d7d37a1.exe
PID 2052 wrote to memory of 2084 | N/A | C:\Users\Admin\AppData\Local\Temp\567b2021c7a3db81cfd1421d3d7d37a1.exe | C:\Users\Admin\AppData\Local\Temp\567b2021c7a3db81cfd1421d3d7d37a1.exe
PID 2052 wrote to memory of 2084 | N/A | C:\Users\Admin\AppData\Local\Temp\567b2021c7a3db81cfd1421d3d7d37a1.exe | C:\Users\Admin\AppData\Local\Temp\567b2021c7a3db81cfd1421d3d7d37a1.exe
PID 2052 wrote to memory of 2084 | N/A | C:\Users\Admin\AppData\Local\Temp\567b2021c7a3db81cfd1421d3d7d37a1.exe | C:\Users\Admin\AppData\Local\Temp\567b2021c7a3db81cfd1421d3d7d37a1.exe
PID 2052 wrote to memory of 2084 | N/A | C:\Users\Admin\AppData\Local\Temp\567b2021c7a3db81cfd1421d3d7d37a1.exe | C:\Users\Admin\AppData\Local\Temp\567b2021c7a3db81cfd1421d3d7d37a1.exe
PID 2052 wrote to memory of 2084 | N/A | C:\Users\Admin\AppData\Local\Temp\567b2021c7a3db81cfd1421d3d7d37a1.exe | C:\Users\Admin\AppData\Local\Temp\567b2021c7a3db81cfd1421d3d7d37a1.exe
PID 2052 wrote to memory of 2084 | N/A | C:\Users\Admin\AppData\Local\Temp\567b2021c7a3db81cfd1421d3d7d37a1.exe | C:\Users\Admin\AppData\Local\Temp\567b2021c7a3db81cfd1421d3d7d37a1.exe
PID 2052 wrote to memory of 2084 | N/A | C:\Users\Admin\AppData\Local\Temp\567b2021c7a3db81cfd1421d3d7d37a1.exe | C:\Users\Admin\AppData\Local\Temp\567b2021c7a3db81cfd1421d3d7d37a1.exe
PID 2052 wrote to memory of 2084 | N/A | C:\Users\Admin\AppData\Local\Temp\567b2021c7a3db81cfd1421d3d7d37a1.exe | C:\Users\Admin\AppData\Local\Temp\567b2021c7a3db81cfd1421d3d7d37a1.exe
PID 2052 wrote to memory of 2084 | N/A | C:\Users\Admin\AppData\Local\Temp\567b2021c7a3db81cfd1421d3d7d37a1.exe | C:\Users\Admin\AppData\Local\Temp\567b2021c7a3db81cfd1421d3d7d37a1.exe
PID 2052 wrote to memory of 2084 | N/A | C:\Users\Admin\AppData\Local\Temp\567b2021c7a3db81cfd1421d3d7d37a1.exe | C:\Users\Admin\AppData\Local\Temp\567b2021c7a3db81cfd1421d3d7d37a1.exe
PID 2052 wrote to memory of 2084 | N/A | C:\Users\Admin\AppData\Local\Temp\567b2021c7a3db81cfd1421d3d7d37a1.exe | C:\Users\Admin\AppData\Local\Temp\567b2021c7a3db81cfd1421d3d7d37a1.exe
PID 2084 wrote to memory of 2724 | N/A | C:\Users\Admin\AppData\Local\Temp\567b2021c7a3db81cfd1421d3d7d37a1.exe | C:\Users\Admin\AppData\Local\Temp\._cache_567b2021c7a3db81cfd1421d3d7d37a1.exe
PID 2084 wrote to memory of 2724 | N/A | C:\Users\Admin\AppData\Local\Temp\567b2021c7a3db81cfd1421d3d7d37a1.exe | C:\Users\Admin\AppData\Local\Temp\._cache_567b2021c7a3db81cfd1421d3d7d37a1.exe
PID 2084 wrote to memory of 2724 | N/A | C:\Users\Admin\AppData\Local\Temp\567b2021c7a3db81cfd1421d3d7d37a1.exe | C:\Users\Admin\AppData\Local\Temp\._cache_567b2021c7a3db81cfd1421d3d7d37a1.exe
PID 2084 wrote to memory of 2724 | N/A | C:\Users\Admin\AppData\Local\Temp\567b2021c7a3db81cfd1421d3d7d37a1.exe | C:\Users\Admin\AppData\Local\Temp\._cache_567b2021c7a3db81cfd1421d3d7d37a1.exe
PID 2084 wrote to memory of 1672 | N/A | C:\Users\Admin\AppData\Local\Temp\567b2021c7a3db81cfd1421d3d7d37a1.exe | C:\ProgramData\Synaptics\Synaptics.exe
PID 2084 wrote to memory of 1672 | N/A | C:\Users\Admin\AppData\Local\Temp\567b2021c7a3db81cfd1421d3d7d37a1.exe | C:\ProgramData\Synaptics\Synaptics.exe
PID 2084 wrote to memory of 1672 | N/A | C:\Users\Admin\AppData\Local\Temp\567b2021c7a3db81cfd1421d3d7d37a1.exe | C:\ProgramData\Synaptics\Synaptics.exe
PID 2084 wrote to memory of 1672 | N/A | C:\Users\Admin\AppData\Local\Temp\567b2021c7a3db81cfd1421d3d7d37a1.exe | C:\ProgramData\Synaptics\Synaptics.exe

Processes

C:\Users\Admin\AppData\Local\Temp\567b2021c7a3db81cfd1421d3d7d37a1.exe

"C:\Users\Admin\AppData\Local\Temp\567b2021c7a3db81cfd1421d3d7d37a1.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1134416911.xml"

C:\Users\Admin\AppData\Local\Temp\567b2021c7a3db81cfd1421d3d7d37a1.exe

"C:\Users\Admin\AppData\Local\Temp\567b2021c7a3db81cfd1421d3d7d37a1.exe"

C:\Users\Admin\AppData\Local\Temp\._cache_567b2021c7a3db81cfd1421d3d7d37a1.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_567b2021c7a3db81cfd1421d3d7d37a1.exe"

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

Network

Country | Destination | Domain | Proto
RU | 109.248.203.166:29888 | N/A | tcp
RU | 109.248.203.166:29888 | N/A | tcp
RU | 109.248.203.166:29888 | N/A | tcp
RU | 109.248.203.166:29888 | N/A | tcp
RU | 109.248.203.166:29888 | N/A | tcp
RU | 109.248.203.166:29888 | N/A | tcp

Files

memory/2052-0-0x0000000074CC0000-0x000000007526B000-memory.dmp

memory/2052-1-0x0000000074CC0000-0x000000007526B000-memory.dmp

memory/2052-2-0x00000000003F0000-0x0000000000430000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1134416911.xml

MD5 e01551dd4eaae7daac1a481b968bd322
SHA1 1eedd233a4f81ac79aae4c1688ef7dcb93a963d4
SHA256 6ec51bd8855a8bced5cd045a80eaebf660d294446efa969b78bdf3ca568f4080
SHA512 464cdef19a28e8c99ac7b84e9befecf87c147120f035c985af1b366881407d40a48066f8172d0683bcca9e722594f281d17d4b096dfcd2e4719132842e6c46f2

memory/2084-7-0x0000000000400000-0x00000000004DB000-memory.dmp

memory/2084-11-0x0000000000400000-0x00000000004DB000-memory.dmp

memory/2084-8-0x0000000000400000-0x00000000004DB000-memory.dmp

memory/2084-6-0x0000000000400000-0x00000000004DB000-memory.dmp

memory/2084-15-0x0000000000400000-0x00000000004DB000-memory.dmp

memory/2084-19-0x0000000000400000-0x00000000004DB000-memory.dmp

memory/2084-22-0x0000000000400000-0x00000000004DB000-memory.dmp

memory/2084-29-0x0000000000400000-0x00000000004DB000-memory.dmp

memory/2052-30-0x0000000074CC0000-0x000000007526B000-memory.dmp

memory/2084-26-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2084-25-0x0000000000400000-0x00000000004DB000-memory.dmp

memory/2084-32-0x00000000000E0000-0x00000000000E1000-memory.dmp

memory/2084-31-0x0000000000400000-0x00000000004DB000-memory.dmp

C:\ProgramData\Synaptics\Synaptics.exe

MD5 bba7f37febe5a32aaf106efbdb9dae31
SHA1 7f6131c49b06e8629922cb36079eb0582ce2ec62
SHA256 17d2c6e4da5ca57a442399df9c36c433c04a1a96b9ba953bb22ec484cc09e32e
SHA512 fabed325c5434411abc3f68c8184b8a4aad8784c36722d40a32c68b48e9d5b240da454c3caa0d1bc3fe56f6dd4b9664bd7aa4278b70aac64e69b75f3153e99d2

C:\Users\Admin\AppData\Local\Temp\._cache_567b2021c7a3db81cfd1421d3d7d37a1.exe

MD5 baa3ebcb1877d2bbafae1c9114d1b0de
SHA1 1279eade8092f4b6c401013e1355581e282ec748
SHA256 0859cbf8dab2379d2f4a0ef118a5075188a26b1233887e54ae696ba0293667a1
SHA512 8218474b2c64078a20421b62a0c8c9df8395aaab71b70ca77b2921bfbabaf8439c8c4fb63edc4f1a250922b58bf8c8797d91c2018c0dcc18449fae7bb6a238ea

\ProgramData\Synaptics\Synaptics.exe

MD5 e747cc0dd9903ef4eaff64d928a81194
SHA1 c5b07e187ddd1ace0c7eccdd97f20ea8550e1150
SHA256 ca4270b67ff57964634116c6cae14c13809dd96cc47c7b73c95c07ddf69d70c4
SHA512 bc4d2f2c892964d72c589aa42006de24f74e95182430fd86f1e1db61456ebc7f5cfcfb5eca0effa875597182424b221cccb513cae043c09f37aa389cfae0808c

C:\ProgramData\Synaptics\Synaptics.exe

MD5 60883e6613e3e8717b94bba6373cd9d4
SHA1 c44eae8177af2f60c71b3449da3d98ce5e974172
SHA256 4e52eeb1609be6fc149c1afb5dce015a4dcc34c71016b12cd5c23921e543203c
SHA512 d7ce933fbce4024b027201a7a8af622e276db57468773d933a5162bfb8b74a82e00455091ef7ac8b92de8153b9312831425819cc394db7d070d4d5683e5e5054

C:\ProgramData\Synaptics\Synaptics.exe

MD5 9e7c30e83596786a6c051c4343bc92b4
SHA1 f440ccc6f8c955f088cae9c7e5f50c081ddd100a
SHA256 a07011034caa74c2ba00b86a5727f4ce0cc53f3b6a3c15ceb5f840f5971479bc
SHA512 c53b8d45bd359f98b8778e7f17341e063d9c56928626367509e0267d0c3a93ee63dd8008ecc1ac4555895ec3c35e82c7860978028881e1fac319f646801fafea

\ProgramData\Synaptics\Synaptics.exe

MD5 0b1e4e922febc20e6d493dd7796c899f
SHA1 b8f52ae241dc4b2ceda5d288c27157f489d826b7
SHA256 820673c6d11604e0777a6a205cbf7f46dc8f63795abe5bbf678b8f6a851516f1
SHA512 c857de75fb34645117c72046985ae9df54f0dd8dcb0707664f9eb3d89488e0d9d690ebb7aa695ea051d2162613cc9a371e6187da5ed198a3c557430544fdc44d

memory/2724-56-0x0000000073880000-0x0000000073F6E000-memory.dmp

memory/2724-55-0x00000000000E0000-0x00000000000FE000-memory.dmp

memory/1672-57-0x00000000747B0000-0x0000000074D5B000-memory.dmp

memory/1672-58-0x0000000000300000-0x0000000000340000-memory.dmp

memory/2724-59-0x00000000048F0000-0x0000000004930000-memory.dmp

memory/2724-60-0x0000000073880000-0x0000000073F6E000-memory.dmp

memory/1672-61-0x00000000747B0000-0x0000000074D5B000-memory.dmp

memory/1672-62-0x0000000000300000-0x0000000000340000-memory.dmp

memory/2724-63-0x00000000048F0000-0x0000000004930000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-12 12:37

Reported

2024-01-12 12:40

Platform

win10v2004-20231215-en

Max time kernel

140s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\567b2021c7a3db81cfd1421d3d7d37a1.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\567b2021c7a3db81cfd1421d3d7d37a1.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\567b2021c7a3db81cfd1421d3d7d37a1.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\._cache_567b2021c7a3db81cfd1421d3d7d37a1.exe | N/A
N/A | N/A | C:\ProgramData\Synaptics\Synaptics.exe | N/A

Adds Run key to start application

persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" | C:\Users\Admin\AppData\Local\Temp\567b2021c7a3db81cfd1421d3d7d37a1.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\ | C:\Users\Admin\AppData\Local\Temp\567b2021c7a3db81cfd1421d3d7d37a1.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2876 set thread context of 4780 | N/A | C:\Users\Admin\AppData\Local\Temp\567b2021c7a3db81cfd1421d3d7d37a1.exe | C:\Users\Admin\AppData\Local\Temp\567b2021c7a3db81cfd1421d3d7d37a1.exe

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\windows\test.txt | C:\Users\Admin\AppData\Local\Temp\567b2021c7a3db81cfd1421d3d7d37a1.exe | N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Users\Admin\AppData\Local\Temp\567b2021c7a3db81cfd1421d3d7d37a1.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\567b2021c7a3db81cfd1421d3d7d37a1.exe | N/A
N/A | N/A | C:\ProgramData\Synaptics\Synaptics.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\567b2021c7a3db81cfd1421d3d7d37a1.exe | N/A
Token: SeDebugPrivilege | N/A | C:\ProgramData\Synaptics\Synaptics.exe | N/A
Token: SeDebugPrivilege | N/A | C:\ProgramData\Synaptics\Synaptics.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\._cache_567b2021c7a3db81cfd1421d3d7d37a1.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2876 wrote to memory of 848 | N/A | C:\Users\Admin\AppData\Local\Temp\567b2021c7a3db81cfd1421d3d7d37a1.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2876 wrote to memory of 848 | N/A | C:\Users\Admin\AppData\Local\Temp\567b2021c7a3db81cfd1421d3d7d37a1.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2876 wrote to memory of 848 | N/A | C:\Users\Admin\AppData\Local\Temp\567b2021c7a3db81cfd1421d3d7d37a1.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2876 wrote to memory of 4780 | N/A | C:\Users\Admin\AppData\Local\Temp\567b2021c7a3db81cfd1421d3d7d37a1.exe | C:\Users\Admin\AppData\Local\Temp\567b2021c7a3db81cfd1421d3d7d37a1.exe
PID 2876 wrote to memory of 4780 | N/A | C:\Users\Admin\AppData\Local\Temp\567b2021c7a3db81cfd1421d3d7d37a1.exe | C:\Users\Admin\AppData\Local\Temp\567b2021c7a3db81cfd1421d3d7d37a1.exe
PID 2876 wrote to memory of 4780 | N/A | C:\Users\Admin\AppData\Local\Temp\567b2021c7a3db81cfd1421d3d7d37a1.exe | C:\Users\Admin\AppData\Local\Temp\567b2021c7a3db81cfd1421d3d7d37a1.exe
PID 2876 wrote to memory of 4780 | N/A | C:\Users\Admin\AppData\Local\Temp\567b2021c7a3db81cfd1421d3d7d37a1.exe | C:\Users\Admin\AppData\Local\Temp\567b2021c7a3db81cfd1421d3d7d37a1.exe
PID 2876 wrote to memory of 4780 | N/A | C:\Users\Admin\AppData\Local\Temp\567b2021c7a3db81cfd1421d3d7d37a1.exe | C:\Users\Admin\AppData\Local\Temp\567b2021c7a3db81cfd1421d3d7d37a1.exe
PID 2876 wrote to memory of 4780 | N/A | C:\Users\Admin\AppData\Local\Temp\567b2021c7a3db81cfd1421d3d7d37a1.exe | C:\Users\Admin\AppData\Local\Temp\567b2021c7a3db81cfd1421d3d7d37a1.exe
PID 2876 wrote to memory of 4780 | N/A | C:\Users\Admin\AppData\Local\Temp\567b2021c7a3db81cfd1421d3d7d37a1.exe | C:\Users\Admin\AppData\Local\Temp\567b2021c7a3db81cfd1421d3d7d37a1.exe
PID 2876 wrote to memory of 4780 | N/A | C:\Users\Admin\AppData\Local\Temp\567b2021c7a3db81cfd1421d3d7d37a1.exe | C:\Users\Admin\AppData\Local\Temp\567b2021c7a3db81cfd1421d3d7d37a1.exe
PID 2876 wrote to memory of 4780 | N/A | C:\Users\Admin\AppData\Local\Temp\567b2021c7a3db81cfd1421d3d7d37a1.exe | C:\Users\Admin\AppData\Local\Temp\567b2021c7a3db81cfd1421d3d7d37a1.exe
PID 2876 wrote to memory of 4780 | N/A | C:\Users\Admin\AppData\Local\Temp\567b2021c7a3db81cfd1421d3d7d37a1.exe | C:\Users\Admin\AppData\Local\Temp\567b2021c7a3db81cfd1421d3d7d37a1.exe
PID 2876 wrote to memory of 4780 | N/A | C:\Users\Admin\AppData\Local\Temp\567b2021c7a3db81cfd1421d3d7d37a1.exe | C:\Users\Admin\AppData\Local\Temp\567b2021c7a3db81cfd1421d3d7d37a1.exe
PID 2876 wrote to memory of 4780 | N/A | C:\Users\Admin\AppData\Local\Temp\567b2021c7a3db81cfd1421d3d7d37a1.exe | C:\Users\Admin\AppData\Local\Temp\567b2021c7a3db81cfd1421d3d7d37a1.exe
PID 2876 wrote to memory of 4780 | N/A | C:\Users\Admin\AppData\Local\Temp\567b2021c7a3db81cfd1421d3d7d37a1.exe | C:\Users\Admin\AppData\Local\Temp\567b2021c7a3db81cfd1421d3d7d37a1.exe
PID 4780 wrote to memory of 1576 | N/A | C:\Users\Admin\AppData\Local\Temp\567b2021c7a3db81cfd1421d3d7d37a1.exe | C:\Users\Admin\AppData\Local\Temp\._cache_567b2021c7a3db81cfd1421d3d7d37a1.exe
PID 4780 wrote to memory of 1576 | N/A | C:\Users\Admin\AppData\Local\Temp\567b2021c7a3db81cfd1421d3d7d37a1.exe | C:\Users\Admin\AppData\Local\Temp\._cache_567b2021c7a3db81cfd1421d3d7d37a1.exe
PID 4780 wrote to memory of 1576 | N/A | C:\Users\Admin\AppData\Local\Temp\567b2021c7a3db81cfd1421d3d7d37a1.exe | C:\Users\Admin\AppData\Local\Temp\._cache_567b2021c7a3db81cfd1421d3d7d37a1.exe
PID 4780 wrote to memory of 1116 | N/A | C:\Users\Admin\AppData\Local\Temp\567b2021c7a3db81cfd1421d3d7d37a1.exe | C:\ProgramData\Synaptics\Synaptics.exe
PID 4780 wrote to memory of 1116 | N/A | C:\Users\Admin\AppData\Local\Temp\567b2021c7a3db81cfd1421d3d7d37a1.exe | C:\ProgramData\Synaptics\Synaptics.exe
PID 4780 wrote to memory of 1116 | N/A | C:\Users\Admin\AppData\Local\Temp\567b2021c7a3db81cfd1421d3d7d37a1.exe | C:\ProgramData\Synaptics\Synaptics.exe

Processes

C:\Users\Admin\AppData\Local\Temp\567b2021c7a3db81cfd1421d3d7d37a1.exe

"C:\Users\Admin\AppData\Local\Temp\567b2021c7a3db81cfd1421d3d7d37a1.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1221637971.xml"

C:\Users\Admin\AppData\Local\Temp\567b2021c7a3db81cfd1421d3d7d37a1.exe

"C:\Users\Admin\AppData\Local\Temp\567b2021c7a3db81cfd1421d3d7d37a1.exe"

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache_567b2021c7a3db81cfd1421d3d7d37a1.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_567b2021c7a3db81cfd1421d3d7d37a1.exe"

Network

Country | Destination | Domain | Proto
US | 20.231.121.79:80 | N/A | tcp
US | 8.8.8.8:53 | 188.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp
RU | 109.248.203.166:29888 | N/A | tcp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp
RU | 109.248.203.166:29888 | N/A | tcp
US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 104.241.123.92.in-addr.arpa | udp
US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
RU | 109.248.203.166:29888 | N/A | tcp
US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp
US | 8.8.8.8:53 | 187.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp
RU | 109.248.203.166:29888 | N/A | tcp
US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp
RU | 109.248.203.166:29888 | N/A | tcp
RU | 109.248.203.166:29888 | N/A | tcp

Files

memory/2876-0-0x0000000074810000-0x0000000074DC1000-memory.dmp

memory/2876-1-0x00000000015B0000-0x00000000015C0000-memory.dmp

memory/2876-2-0x0000000074810000-0x0000000074DC1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1221637971.xml

MD5 96d9b445e5ef478537dd07eb639374fa
SHA1 f10f497562fd6aa3e9788b40254c146316784415
SHA256 30513d1f58f1f4a23b66262710f670c92f493b571e862e9231ddf0181b91a186
SHA512 b07668478ae645220a72641e7f56f5f0f6a719d289e1dc0d8f1499c2e6041d28fdae57c8679e12ea70ba7e13b486e4aeb0a9ca5c12e27a85ae1126d20232a772

memory/4780-6-0x0000000000400000-0x00000000004DB000-memory.dmp

memory/4780-13-0x0000000000400000-0x00000000004DB000-memory.dmp

memory/2876-17-0x0000000074810000-0x0000000074DC1000-memory.dmp

memory/4780-18-0x0000000001330000-0x0000000001331000-memory.dmp

memory/4780-16-0x0000000000400000-0x00000000004DB000-memory.dmp

memory/4780-12-0x0000000000400000-0x00000000004DB000-memory.dmp

memory/1576-143-0x0000000000620000-0x000000000063E000-memory.dmp

memory/1116-142-0x0000000074810000-0x0000000074DC1000-memory.dmp

memory/1116-144-0x0000000074810000-0x0000000074DC1000-memory.dmp

memory/1576-147-0x00000000721A0000-0x0000000072950000-memory.dmp

memory/1576-148-0x0000000006240000-0x0000000006858000-memory.dmp

memory/1576-146-0x0000000005160000-0x00000000051F2000-memory.dmp

memory/1576-150-0x0000000005D10000-0x0000000005D4C000-memory.dmp

memory/1576-149-0x0000000005200000-0x0000000005212000-memory.dmp

memory/1576-151-0x00000000052B0000-0x00000000052C0000-memory.dmp

memory/1576-152-0x0000000005F20000-0x0000000005F6C000-memory.dmp

memory/1576-145-0x0000000005670000-0x0000000005C14000-memory.dmp

memory/4780-11-0x0000000000400000-0x00000000004DB000-memory.dmp

memory/1576-153-0x00000000060C0000-0x00000000061CA000-memory.dmp

memory/4780-9-0x0000000000400000-0x00000000004DB000-memory.dmp

memory/4780-7-0x0000000000400000-0x00000000004DB000-memory.dmp

memory/1116-155-0x0000000000DD0000-0x0000000000DE0000-memory.dmp

memory/1576-156-0x00000000721A0000-0x0000000072950000-memory.dmp

memory/1116-154-0x0000000074810000-0x0000000074DC1000-memory.dmp

memory/1576-157-0x00000000052B0000-0x00000000052C0000-memory.dmp