Windows Analysis Report
F.exe

Overview

General Information

Sample name: F.exe
Analysis ID: 1465838
MD5: e501c275814bfcb58fe845c38227d5c5
SHA1: e2dd36fd738326611cc8d80462451beb842b2d93
SHA256: d5bb65b35daf83870a25646b84be125f497c655138b58f4ae4cbd249f2997aa0
Infos:

Detection

AsyncRAT, Neshta, XWorm
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected AntiVM3
Yara detected AsyncRAT
Yara detected Neshta
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Check if machine is in data center or colocation facility
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to log keystrokes (.Net Source)
Creates an undocumented autostart registry key
Drops PE files to the document folder of the user
Drops PE files with a suspicious file extension
Drops executable to a common third party application directory
Drops executables to the windows directory (C:\Windows) and starts them
Drops or copies MsMpEng.exe (Windows Defender, likely to bypass HIPS)
Infects executable files (exe, dll, sys, html)
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Protects its processes via BreakOnTermination flag
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample is not signed and drops a device driver
Sample uses string decryption to hide its real strings
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Yara detected Generic Downloader
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates driver files
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops PE files to the windows directory (C:\Windows)
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May infect USB drives
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
PE file contains executable resources (Code or Archives)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the installation date of Windows
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Classes Autorun Keys Modification
Sigma detected: Excel Network Connections
Sigma detected: Powershell Defender Exclusion
Sigma detected: Startup Folder File Write
Sigma detected: Suspicious Office Outbound Connections
Sigma detected: Use NTFS Short Name in Command Line
Sigma detected: Use Short Name Path in Command Line
Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
AsyncRAT AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. It is an open source remote administration tool, however, it could also be used maliciously because it provides functionality such as keylogger, remote desktop control, and many other functions that may cause harm to the victims computer. In addition, AsyncRAT can be delivered via various methods such as spear-phishing, malvertising, exploit kit and other techniques. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat
Name Description Attribution Blogpost URLs Link
neshta Neshta is a 2005 Belarusian file infector virus written in Delphi. The name of the virus comes from the Belarusian word "nesta" meaning "something." No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.neshta
Name Description Attribution Blogpost URLs Link
XWorm Malware with wide range of capabilities ranging from RAT to ransomware. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.xworm

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: F.exe Avira: detected
Antivirus detection for URL or domain
Source: http://xred.site50.net/syn/SSLLibrary.dll Avira URL Cloud: Label: malware
Antivirus detection for dropped file
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\AutoIt3\Uninstall.exe Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\AutoIt3\Au3Info.exe Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\LICLUA.EXE Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe Avira: detection malicious, Label: W32/Delf.I
Found malware configuration
Source: 00000003.00000002.3299291942.0000000002AB1000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: Xworm {"C2 url": ["45.141.26.232"], "Port": "6666", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.4"}
Multi AV Scanner detection for domain / URL
Source: xred.mooo.com Virustotal: Detection: 8% Perma Link
Source: http://xred.site50.net/syn/Synaptics.rarZ Virustotal: Detection: 6% Perma Link
Source: http://xred.site50.net/syn/SSLLibrary.dl Virustotal: Detection: 6% Perma Link
Source: http://xred.site50.net/syn/SUpdate.iniZ Virustotal: Detection: 5% Perma Link
Source: http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978 Virustotal: Detection: 8% Perma Link
Source: https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1 Virustotal: Detection: 6% Perma Link
Multi AV Scanner detection for dropped file
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe ReversingLabs: Detection: 97%
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe ReversingLabs: Detection: 93%
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaws.exe ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe ReversingLabs: Detection: 100%
Multi AV Scanner detection for submitted file
Source: F.exe ReversingLabs: Detection: 100%
Source: F.exe Virustotal: Detection: 90% Perma Link
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 99.5% probability
Machine Learning detection for dropped file
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Uninstall.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Au3Info.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\LICLUA.EXE Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: F.exe Joe Sandbox ML: detected
Sample uses string decryption to hide its real strings
Source: 0.3.F.exe.2257504.0.raw.unpack String decryptor: 45.141.26.232
Source: 0.3.F.exe.2257504.0.raw.unpack String decryptor: 6666
Source: 0.3.F.exe.2257504.0.raw.unpack String decryptor: <123456789>
Source: 0.3.F.exe.2257504.0.raw.unpack String decryptor: <Xwormmm>
Source: 0.3.F.exe.2257504.0.raw.unpack String decryptor: XWorm V5.4
Source: 0.3.F.exe.2257504.0.raw.unpack String decryptor: USB.exe
Source: 0.3.F.exe.2257504.0.raw.unpack String decryptor: %ProgramData%
Source: 0.3.F.exe.2257504.0.raw.unpack String decryptor: XClient.exe
Uses 32bit PE files
Source: F.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE File opened: C:\Program Files (x86)\Microsoft Office\root\vfs\SystemX86\MSVCR100.dll
Source: unknown HTTPS traffic detected: 216.58.206.78:443 -> 192.168.2.5:49712 version: TLS 1.2
Source: unknown HTTPS traffic detected: 216.58.206.78:443 -> 192.168.2.5:49711 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.250.184.225:443 -> 192.168.2.5:49718 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.250.184.225:443 -> 192.168.2.5:49717 version: TLS 1.2
Source: unknown HTTPS traffic detected: 216.58.206.78:443 -> 192.168.2.5:49739 version: TLS 1.2
Source: unknown HTTPS traffic detected: 216.58.206.78:443 -> 192.168.2.5:49741 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.250.184.225:443 -> 192.168.2.5:49744 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.250.184.225:443 -> 192.168.2.5:49747 version: TLS 1.2
Source: unknown HTTPS traffic detected: 216.58.206.78:443 -> 192.168.2.5:49766 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.250.184.225:443 -> 192.168.2.5:49765 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.250.184.225:443 -> 192.168.2.5:49767 version: TLS 1.2
Source: unknown HTTPS traffic detected: 216.58.206.78:443 -> 192.168.2.5:49768 version: TLS 1.2
Source: unknown HTTPS traffic detected: 216.58.206.78:443 -> 192.168.2.5:49778 version: TLS 1.2
Source: unknown HTTPS traffic detected: 216.58.206.78:443 -> 192.168.2.5:49781 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.250.184.225:443 -> 192.168.2.5:49798 version: TLS 1.2
Source: unknown HTTPS traffic detected: 216.58.206.78:443 -> 192.168.2.5:49799 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.250.184.225:443 -> 192.168.2.5:49800 version: TLS 1.2
Source: unknown HTTPS traffic detected: 216.58.206.78:443 -> 192.168.2.5:49801 version: TLS 1.2
Source: unknown HTTPS traffic detected: 216.58.206.78:443 -> 192.168.2.5:49804 version: TLS 1.2
Source: unknown HTTPS traffic detected: 216.58.206.78:443 -> 192.168.2.5:49805 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.250.184.225:443 -> 192.168.2.5:49812 version: TLS 1.2
Source: unknown HTTPS traffic detected: 216.58.206.78:443 -> 192.168.2.5:49820 version: TLS 1.2
Source: unknown HTTPS traffic detected: 216.58.206.78:443 -> 192.168.2.5:49821 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.250.184.225:443 -> 192.168.2.5:49824 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.250.184.225:443 -> 192.168.2.5:49826 version: TLS 1.2
Source: unknown HTTPS traffic detected: 216.58.206.78:443 -> 192.168.2.5:49839 version: TLS 1.2
Source: unknown HTTPS traffic detected: 216.58.206.78:443 -> 192.168.2.5:49841 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.250.184.225:443 -> 192.168.2.5:49840 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.250.184.225:443 -> 192.168.2.5:49847 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.107.246.60:443 -> 192.168.2.5:49850 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.107.246.60:443 -> 192.168.2.5:49851 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.107.246.60:443 -> 192.168.2.5:49852 version: TLS 1.2
Source: Binary string: D:\DCB\CBT_Main\BuildResults\bin\Win32\Release\armsvc.pdb source: armsvc.exe.0.dr
Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2rcross\x-none\appsharinghookcontroller.pdb source: AppSharingHookController.exe.0.dr
Source: Binary string: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\ source: F.exe, 00000000.00000003.2055179492.00000000021D4000.00000004.00001000.00020000.00000000.sdmp, F.exe, 00000000.00000003.2055145770.00000000021D0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: AppVDllSurrogate64.pdb source: AppVDllSurrogate64.exe.0.dr
Source: Binary string: D:\a\_work\e\src\out\Release_x64\identity_helper.exe.pdbOGP source: identity_helper.exe.0.dr
Source: Binary string: d:\dbs\el\ja2\target\x86\ship\dw\x-none\dw20.pdb source: DW20.EXE.7.dr
Source: Binary string: winload_prod.pdb source: F.exe, 00000000.00000003.2055179492.00000000021D4000.00000004.00001000.00020000.00000000.sdmp, F.exe, 00000000.00000003.2055145770.00000000021D0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: d:\dbs\el\omr\target\x86\ship\graphics_filterloader\x-none\FLTLDR.pdb source: FLTLDR.EXE.7.dr
Source: Binary string: D:\dbs\el\ja2\Target\x86\ship\dcf\x-none\Common.DBConnection64.pdb source: Common.DBConnection64.exe.0.dr
Source: Binary string: MicrosoftEdgeUpdate_unsigned.pdb source: MicrosoftEdgeUpdate.exe.0.dr
Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\cnfnot32.pdb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: CNFNOT32.EXE.0.dr
Source: Binary string: GoogleCrashHandler64_unsigned.pdb source: GoogleCrashHandler64.exe.0.dr
Source: Binary string: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb source: F.exe, 00000000.00000003.2055179492.00000000021D4000.00000004.00001000.00020000.00000000.sdmp, F.exe, 00000000.00000003.2055145770.00000000021D0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\e\src\out\Release_x64\msedge_pwa_launcher.exe.pdb source: msedge_pwa_launcher.exe.0.dr
Source: Binary string: C:\Data\svn\autoit\branch_3.3.16\bin\Aut2Exe\Aut2Exe.pdb source: Aut2exe.exe.0.dr
Source: Binary string: d:\dbs\el\omr\target\x86\ship\click2run\x-none\Integrator.pdb source: integrator.exe.0.dr
Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\graph.pdb source: GRAPH.EXE.0.dr
Source: Binary string: r.pdb source: AppSharingHookController.exe.0.dr
Source: Binary string: d:\dbs\el\ja2\target\x86\ship\dcf\x-none\FileCompare.pdb000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: filecompare.exe.7.dr
Source: Binary string: WINLOA~1.PDB source: F.exe, 00000000.00000003.2055179492.00000000021D4000.00000004.00001000.00020000.00000000.sdmp, F.exe, 00000000.00000003.2055145770.00000000021D0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: d:\dbs\el\omr\target\x86\ship\click2run\x-none\Integrator.pdb0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: integrator.exe.0.dr
Source: Binary string: VSTOInstaller.pdb source: VSTOInstaller.exe.0.dr
Source: Binary string: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\pp source: F.exe, 00000000.00000003.2055179492.00000000021D4000.00000004.00001000.00020000.00000000.sdmp, F.exe, 00000000.00000003.2055145770.00000000021D0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\clview.pdb0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: CLVIEW.EXE.0.dr
Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\sdxhelper.pdblper.pdb0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: SDXHelper.exe.0.dr
Source: Binary string: D:\a\_work\1\s\src\ai\windows\dll\x64\Release\aimgr.pdb source: aimgr.exe.0.dr
Source: Binary string: D:\a\_work\e\src\out\Release_x64\msedge_pwa_launcher.exe.pdbOGP source: msedge_pwa_launcher.exe.0.dr
Source: Binary string: AppVDllSurrogate64.pdbGCTL source: AppVDllSurrogate64.exe.0.dr
Source: Binary string: @ntkrnlmp.pdb source: F.exe, 00000000.00000003.2055179492.00000000021D4000.00000004.00001000.00020000.00000000.sdmp, F.exe, 00000000.00000003.2055145770.00000000021D0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\src\ai\windows\dll\x64\Release\ai.exe.pdb+ source: ai.exe.7.dr
Source: Binary string: @winload_prod.pdbk source: F.exe, 00000000.00000003.2055179492.00000000021D4000.00000004.00001000.00020000.00000000.sdmp, F.exe, 00000000.00000003.2055145770.00000000021D0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: ntkrnlmp.pdb source: F.exe, 00000000.00000003.2055179492.00000000021D4000.00000004.00001000.00020000.00000000.sdmp, F.exe, 00000000.00000003.2055145770.00000000021D0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\cnfnot32.pdb source: CNFNOT32.EXE.0.dr
Source: Binary string: GoogleCrashHandler64_unsigned.pdbl source: GoogleCrashHandler64.exe.0.dr
Source: Binary string: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\*.* source: F.exe, 00000000.00000003.2055179492.00000000021D4000.00000004.00001000.00020000.00000000.sdmp, F.exe, 00000000.00000003.2055145770.00000000021D0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: @winload_prod.pdb source: F.exe, 00000000.00000003.2055179492.00000000021D4000.00000004.00001000.00020000.00000000.sdmp, F.exe, 00000000.00000003.2055145770.00000000021D0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\src\ai\windows\dll\x64\Release\ai.exe.pdb source: ai.exe.7.dr
Source: Binary string: D:\a\_work\1\s\src\ai\windows\dll\Win32\Release\ai.exe.pdb source: ai.exe0.7.dr
Source: Binary string: WINLOA~1.PDBa source: F.exe, 00000000.00000003.2055179492.00000000021D4000.00000004.00001000.00020000.00000000.sdmp, F.exe, 00000000.00000003.2055145770.00000000021D0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: lper.pdb source: SDXHelper.exe.0.dr
Source: Binary string: d:\dbs\el\omr\target\x86\ship\graphics_filterloader\x-none\FLTLDR.pdb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: FLTLDR.EXE.7.dr
Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2rcross\x-none\appsharinghookcontroller.pdbr.pdb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: AppSharingHookController.exe.0.dr
Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\clview.pdb source: CLVIEW.EXE.0.dr
Source: Binary string: D:\dbs\el\ja2\Target\x86\ship\dcf\x-none\DatabaseCompare.pdb source: DATABASECOMPARE.EXE.0.dr
Source: Binary string: D:\a\_work\e\src\out\Release_x64\identity_helper.exe.pdb source: identity_helper.exe.0.dr
Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\sdxhelper.pdb source: SDXHelper.exe.0.dr
Source: Binary string: d:\dbs\el\ja2\target\x86\ship\dw\x-none\dw20.pdb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: DW20.EXE.7.dr
Source: Binary string: D:\a\_work\1\s\src\ai\windows\dll\Win32\Release\ai.exe.pdb/ source: ai.exe0.7.dr
Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\graph.pdb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: GRAPH.EXE.0.dr
Source: Binary string: d:\dbs\el\ja2\target\x86\ship\dcf\x-none\FileCompare.pdb source: filecompare.exe.7.dr

Spreading
barindex
Yara detected Neshta
Source: Yara match File source: 00000000.00000002.2697226300.0000000000409000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: F.exe PID: 1560, type: MEMORYSTR
Infects executable files (exe, dll, sys, html)
Source: C:\Users\user\Desktop\F.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\javaws.exe Jump to behavior
Source: C:\Users\user\Desktop\F.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\DATABASECOMPARE.EXE Jump to behavior
Source: C:\Windows\svchost.com System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\UcMapi.exe
Source: C:\Users\user\Desktop\F.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe Jump to behavior
Source: C:\Users\user\Desktop\F.exe System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe Jump to behavior
Source: C:\Users\user\Desktop\F.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE Jump to behavior
Source: C:\Windows\svchost.com System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\PerfBoost.exe
Source: C:\Users\user\Desktop\F.exe System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe Jump to behavior
Source: C:\Windows\svchost.com System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\MSOHTMED.EXE
Source: C:\Windows\svchost.com System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOXMLED.EXE
Source: C:\Users\user\Desktop\F.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE Jump to behavior
Source: C:\Users\user\Desktop\F.exe System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCopyAccelerator.exe Jump to behavior
Source: C:\Users\user\Desktop\F.exe System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe Jump to behavior
Source: C:\Users\user\Desktop\F.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-006E-0409-0000-0000000FF1CE}\misc.exe Jump to behavior
Source: C:\Users\user\Desktop\F.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\SETLANG.EXE Jump to behavior
Source: C:\Windows\svchost.com System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\DW\DW20.EXE
Source: C:\Windows\svchost.com System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0C0A-0000-0000000FF1CE}\misc.exe
Source: C:\Users\user\Desktop\F.exe System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe Jump to behavior
Source: C:\Users\user\Desktop\F.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\lync99.exe Jump to behavior
Source: C:\Users\user\Desktop\F.exe System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe Jump to behavior
Source: C:\Windows\svchost.com System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\FLTLDR.EXE
Source: C:\Users\user\Desktop\F.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\aimgr.exe Jump to behavior
Source: C:\Users\user\Desktop\F.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe Jump to behavior
Source: C:\Users\user\Desktop\F.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\cookie_exporter.exe Jump to behavior
Source: C:\Windows\svchost.com System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\filecompare.exe
Source: C:\Users\user\Desktop\F.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\SELFCERT.EXE Jump to behavior
Source: C:\Users\user\Desktop\F.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe Jump to behavior
Source: C:\Windows\svchost.com System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\xlicons.exe
Source: C:\Users\user\Desktop\F.exe System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ConfigSecurityPolicy.exe Jump to behavior
Source: C:\Users\user\Desktop\F.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTEM.EXE Jump to behavior
Source: C:\Windows\svchost.com System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSREC.EXE
Source: C:\Users\user\Desktop\F.exe System file written: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe Jump to behavior
Source: C:\Users\user\Desktop\F.exe System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateBroker.exe Jump to behavior
Source: C:\Users\user\Desktop\F.exe System file written: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe Jump to behavior
Source: C:\Users\user\Desktop\F.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe Jump to behavior
Source: C:\Windows\svchost.com System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\accicons.exe
Source: C:\Windows\svchost.com System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\msoev.exe
Source: C:\Users\user\Desktop\F.exe System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe Jump to behavior
Source: C:\Windows\svchost.com System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\lyncicon.exe
Source: C:\Users\user\Desktop\F.exe System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateSetup.exe Jump to behavior
Source: C:\Users\user\Desktop\F.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\IEContentService.exe Jump to behavior
Source: C:\Users\user\Desktop\F.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\notification_click_helper.exe Jump to behavior
Source: C:\Users\user\Desktop\F.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe Jump to behavior
Source: C:\Users\user\Desktop\F.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe Jump to behavior
Source: C:\Users\user\Desktop\F.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_proxy.exe Jump to behavior
Source: C:\Users\user\Desktop\F.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\pwahelper.exe Jump to behavior
Source: C:\Users\user\Desktop\F.exe System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe Jump to behavior
Source: C:\Users\user\Desktop\F.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\officeappguardwin32.exe Jump to behavior
Source: C:\Windows\svchost.com System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\SPREADSHEETCOMPARE.EXE
Source: C:\Users\user\Desktop\F.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\misc.exe Jump to behavior
Source: C:\Users\user\Desktop\F.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe Jump to behavior
Source: C:\Users\user\Desktop\F.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Jump to behavior
Source: C:\Users\user\Desktop\F.exe System file written: C:\Program Files (x86)\AutoIt3\Au3Check.exe Jump to behavior
Source: C:\Users\user\Desktop\F.exe System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\NisSrv.exe Jump to behavior
Source: C:\Users\user\Desktop\F.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pj11icon.exe Jump to behavior
Source: C:\Users\user\Desktop\F.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ACCICONS.EXE Jump to behavior
Source: C:\Windows\svchost.com System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOICONS.EXE
Source: C:\Windows\svchost.com System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\misc.exe
Source: C:\Windows\svchost.com System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE
Source: C:\Windows\svchost.com System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\AppSharingHookController64.exe
Source: C:\Users\user\Desktop\F.exe System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe Jump to behavior
Source: C:\Users\user\Desktop\F.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\visicon.exe Jump to behavior
Source: C:\Users\user\Desktop\F.exe System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe Jump to behavior
Source: C:\Users\user\Desktop\F.exe System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeComRegisterShellARM64.exe Jump to behavior
Source: C:\Users\user\Desktop\F.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge.exe Jump to behavior
Source: C:\Users\user\Desktop\F.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe Jump to behavior
Source: C:\Windows\svchost.com System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\joticon.exe
Source: C:\Users\user\Desktop\F.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\CLVIEW.EXE Jump to behavior
Source: C:\Users\user\Desktop\F.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOHTMED.EXE Jump to behavior
Source: C:\Users\user\Desktop\F.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\SkypeSrv\SKYPESERVER.EXE Jump to behavior
Source: C:\Users\user\Desktop\F.exe System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe Jump to behavior
Source: C:\Users\user\Desktop\F.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\XLICONS.EXE Jump to behavior
Source: C:\Windows\svchost.com System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
Source: C:\Users\user\Desktop\F.exe System file written: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe Jump to behavior
Source: C:\Users\user\Desktop\F.exe System file written: C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe Jump to behavior
Source: C:\Users\user\Desktop\F.exe System file written: C:\Users\user\AppData\Local\Temp\chrome.exe Jump to behavior
Source: C:\Windows\svchost.com System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\ai.exe
Source: C:\Users\user\Desktop\F.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedgewebview2.exe Jump to behavior
Source: C:\Users\user\Desktop\F.exe System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateOnDemand.exe Jump to behavior
Source: C:\Users\user\Desktop\F.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0409-0000-0000000FF1CE}\misc.exe Jump to behavior
Source: C:\Users\user\Desktop\F.exe System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDlpCmd.exe Jump to behavior
Source: C:\Users\user\Desktop\F.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Jump to behavior
Source: C:\Users\user\Desktop\F.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection64.exe Jump to behavior
Source: C:\Users\user\Desktop\F.exe System file written: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe Jump to behavior
Source: C:\Users\user\Desktop\F.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXE Jump to behavior
Source: C:\Windows\svchost.com System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pptico.exe
Source: C:\Users\user\Desktop\F.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe Jump to behavior
Source: C:\Windows\svchost.com System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\outicon.exe
Source: C:\Windows\svchost.com System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\dbcicons.exe
Source: C:\Users\user\Desktop\F.exe System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe Jump to behavior
Source: C:\Windows\svchost.com System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\MSQRY32.EXE
Source: C:\Windows\svchost.com System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-040C-0000-0000000FF1CE}\misc.exe
Source: C:\Users\user\Desktop\F.exe System file written: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\LICLUA.EXE Jump to behavior
Source: C:\Users\user\Desktop\F.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\osmclienticon.exe Jump to behavior
Source: C:\Windows\svchost.com System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\PPTICO.EXE
Source: C:\Windows\svchost.com System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
Source: C:\Users\user\Desktop\F.exe System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCmdRun.exe Jump to behavior
Source: C:\Users\user\Desktop\F.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe Jump to behavior
Source: C:\Windows\svchost.com System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\WORDICON.EXE
Source: C:\Users\user\Desktop\F.exe System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe Jump to behavior
Source: C:\Users\user\Desktop\F.exe System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe Jump to behavior
Source: C:\Windows\svchost.com System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe
Source: C:\Users\user\Desktop\F.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe Jump to behavior
Source: C:\Windows\svchost.com System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\GRAPH.EXE
Source: C:\Users\user\Desktop\F.exe System file written: C:\Program Files (x86)\AutoIt3\Uninstall.exe Jump to behavior
Source: C:\Users\user\Desktop\F.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\sscicons.exe Jump to behavior
Source: C:\Users\user\Desktop\F.exe System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\MpCmdRun.exe Jump to behavior
Source: C:\Users\user\Desktop\F.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection.exe Jump to behavior
Source: C:\Users\user\Desktop\F.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\CNFNOT32.EXE Jump to behavior
Source: C:\Windows\svchost.com System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\msoadfsb.exe
Source: C:\Users\user\Desktop\F.exe System file written: C:\Program Files (x86)\AutoIt3\Au3Info.exe Jump to behavior
Source: C:\Windows\svchost.com System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE
Source: C:\Users\user\Desktop\F.exe System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe Jump to behavior
Source: C:\Users\user\Desktop\F.exe System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mpextms.exe Jump to behavior
Source: C:\Users\user\Desktop\F.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\AppSharingHookController.exe Jump to behavior
Source: C:\Windows\svchost.com System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrBroker.exe
Source: C:\Users\user\Desktop\F.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\Installer\setup.exe Jump to behavior
Source: C:\Windows\svchost.com System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\Wordconv.exe
Source: C:\Users\user\Desktop\F.exe System file written: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe Jump to behavior
Source: C:\Users\user\Desktop\F.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe Jump to behavior
Source: C:\Windows\svchost.com System file written: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Source: C:\Users\user\Desktop\F.exe System file written: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe Jump to behavior
Source: C:\Windows\svchost.com System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OcPubMgr.exe
Source: C:\Windows\svchost.com System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\aimgr.exe
Source: C:\Users\user\Desktop\F.exe System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateCore.exe Jump to behavior
Source: C:\Users\user\Desktop\F.exe System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdate.exe Jump to behavior
Source: C:\Users\user\Desktop\F.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exe Jump to behavior
Source: C:\Users\user\Desktop\F.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\VPREVIEW.EXE Jump to behavior
Source: C:\Windows\svchost.com System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\OLicenseHeartbeat.exe
Source: C:\Users\user\Desktop\F.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_pwa_launcher.exe Jump to behavior
Source: C:\Users\user\Desktop\F.exe System file written: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe Jump to behavior
Source: C:\Users\user\Desktop\F.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OLCFG.EXE Jump to behavior
Source: C:\Windows\svchost.com System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\grv_icons.exe
Source: C:\Users\user\Desktop\F.exe System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe Jump to behavior
Source: C:\Users\user\Desktop\F.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Source Engine\OSE.EXE Jump to behavior
Source: C:\Windows\svchost.com System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\msoasb.exe
Source: C:\Users\user\Desktop\F.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pubs.exe Jump to behavior
May infect USB drives
Source: F.exe, 00000000.00000003.2045892912.00000000021B4000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: [autorun]
Source: F.exe, 00000000.00000003.2045892912.00000000021B4000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: [autorun]
Source: F.exe, 00000000.00000003.2045892912.00000000021B4000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: autorun.inf
Source: F.exe, 00000002.00000000.2048183618.0000000000401000.00000020.00000001.01000000.00000005.sdmp Binary or memory string: [autorun]
Source: F.exe, 00000002.00000000.2048183618.0000000000401000.00000020.00000001.01000000.00000005.sdmp Binary or memory string: [autorun]
Source: F.exe, 00000002.00000000.2048183618.0000000000401000.00000020.00000001.01000000.00000005.sdmp Binary or memory string: autorun.inf
Source: F.exe, 00000002.00000003.2060756017.000000000089B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [autorun]
Source: F.exe, 00000002.00000003.2060756017.000000000089B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [autorun]
Source: F.exe, 00000002.00000003.2060756017.000000000089B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: autorun.inf
Source: Synaptics.exe, 00000004.00000003.2134791646.00000000006F1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [autorun]
Source: Synaptics.exe, 00000004.00000003.2134791646.00000000006F1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [autorun]
Source: Synaptics.exe, 00000004.00000003.2134791646.00000000006F1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: autorun.inf
Source: Synaptics.exe, 00000004.00000003.2067928599.000000000299E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [autorun]
Source: Synaptics.exe, 00000004.00000003.2067928599.000000000299E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [autorun]
Source: Synaptics.exe, 00000004.00000003.2067928599.000000000299E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: autorun.inf
Source: Synaptics.exe, 00000004.00000003.2068336947.0000000002134000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: [autorun]
Source: Synaptics.exe, 00000004.00000003.2068336947.0000000002134000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: [autorun]
Source: Synaptics.exe, 00000004.00000003.2068336947.0000000002134000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: autorun.inf
Source: Synaptics.exe, 00000004.00000003.2067838228.00000000006EE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [autorun]
Source: Synaptics.exe, 00000004.00000003.2067838228.00000000006EE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [autorun]
Source: Synaptics.exe, 00000004.00000003.2067838228.00000000006EE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: autorun.inf
Source: F.exe Binary or memory string: [autorun]
Source: F.exe Binary or memory string: [autorun]
Source: F.exe Binary or memory string: autorun.inf
Source: Synaptics.exe.2.dr Binary or memory string: [autorun]
Source: Synaptics.exe.2.dr Binary or memory string: [autorun]
Source: Synaptics.exe.2.dr Binary or memory string: autorun.inf
Source: C:\Users\user\Desktop\F.exe File opened: C:\Documents and Settings\user\AppData\Local\Adobe\Acrobat\ Jump to behavior
Source: C:\Users\user\Desktop\F.exe File opened: C:\Documents and Settings\user\AppData\Local\Adobe\Acrobat\DC\ Jump to behavior
Source: C:\Users\user\Desktop\F.exe File opened: C:\Documents and Settings\user\AppData\Local\Adobe\ Jump to behavior
Source: C:\Users\user\Desktop\F.exe File opened: C:\Documents and Settings\user\AppData\Local\Adobe\Acrobat\DC\Cache\ Jump to behavior
Source: C:\Users\user\Desktop\F.exe File opened: C:\Documents and Settings\user\AppData\Local\ Jump to behavior
Source: C:\Users\user\Desktop\F.exe File opened: C:\Documents and Settings\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\ Jump to behavior
Source: excel.exe Memory has grown: Private usage: 2MB later: 67MB

Networking
barindex
Snort IDS alert for network traffic
Source: Traffic Snort IDS: 2832617 ETPRO TROJAN W32.Bloat-A Checkin 192.168.2.5:49714 -> 69.42.215.252:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: 45.141.26.232
Uses dynamic DNS services
Source: unknown DNS query: name: freedns.afraid.org
Yara detected Generic Downloader
Source: Yara match File source: 2.3.F.exe.8cc070.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.._cache_F.exe.6a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.F.exe.2257504.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.Synaptics.exe.2a4f458.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.F.exe.4b6c38.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.Synaptics.exe.21e5438.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.._cache_F.exe.12ac1a78.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: C:\ProgramData\XClient.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\Desktop\._cache_F.exe, type: DROPPED
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.5:49849 -> 45.141.26.232:6666
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 208.95.112.1 208.95.112.1
Source: Joe Sandbox View IP Address: 13.107.246.60 13.107.246.60
Source: Joe Sandbox View IP Address: 69.42.215.252 69.42.215.252
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: TUT-ASUS TUT-ASUS
Source: Joe Sandbox View ASN Name: AWKNET-LLCUS AWKNET-LLCUS
Source: Joe Sandbox View ASN Name: SPECTRAIPSpectraIPBVNL SPECTRAIPSpectraIPBVNL
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
May check the online IP address of the machine
Source: unknown DNS query: name: ip-api.com
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.26.232
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.26.232
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.26.232
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.26.232
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.26.232
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.26.232
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.26.232
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.26.232
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.26.232
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.26.232
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.26.232
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.26.232
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.26.232
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.26.232
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.26.232
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.26.232
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.26.232
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.26.232
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.26.232
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.26.232
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.26.232
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.26.232
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.26.232
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.26.232
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.26.232
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.26.232
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.26.232
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.26.232
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.26.232
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.26.232
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.26.232
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.26.232
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.26.232
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.26.232
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.26.232
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.26.232
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.26.232
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.26.232
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.26.232
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.26.232
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.26.232
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.26.232
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.26.232
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.26.232
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.26.232
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.26.232
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.26.232
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.26.232
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.26.232
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.26.232
Source: global traffic HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeCache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeCache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeCache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeCache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeCache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=515=IbPQbmkO8S1c__kDzWy2niX9im8MAVnJ0ifr197baqmYgMBHx1Gdq7YI3NNXycd3ge8Qf-Mkbwlt27bx5bRdhUEvWlqwVraURIaL3FIv8h2ePtmkvqEjd_HFpPJYvCrj-dzSXhJdnl_4WxISiCzdyaSwhb0j4OcPgFDXebu_nlw
Source: global traffic HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeCache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=515=A3_DWj-uYlS8SG5SSf4h2bgber-DsAFUfVFi3FxDtVi6jdEuIU6gVf6qK91beLGBvOf1aDV0Nep13pF86ny2gczGzT-3nbHCtLKC8cn0g8_K7gZDcqKMbM307ceTmcEP8JCdf4BXdMiJYzViINyBdRPd8CGRJRG-5NAuxhs9Z5M
Source: global traffic HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeCache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=515=o4szNmhRxdEOpFNobS4rMMbmu-3EivKfgD6Q5al0DAW64LhUikGaJlMI-cBm7mLNXwkxPvbBZ-Ia6dvia8iuaYEoPaezX_sHVk5jDetH_LWMtVG34SM7KNzlV54GIajonBPBWzetB_m_DRq14rcIWPdoZKfiq8MFkIXaYmOJRGs
Source: global traffic HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeCache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=515=o4szNmhRxdEOpFNobS4rMMbmu-3EivKfgD6Q5al0DAW64LhUikGaJlMI-cBm7mLNXwkxPvbBZ-Ia6dvia8iuaYEoPaezX_sHVk5jDetH_LWMtVG34SM7KNzlV54GIajonBPBWzetB_m_DRq14rcIWPdoZKfiq8MFkIXaYmOJRGs
Source: global traffic HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeCache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=515=o4szNmhRxdEOpFNobS4rMMbmu-3EivKfgD6Q5al0DAW64LhUikGaJlMI-cBm7mLNXwkxPvbBZ-Ia6dvia8iuaYEoPaezX_sHVk5jDetH_LWMtVG34SM7KNzlV54GIajonBPBWzetB_m_DRq14rcIWPdoZKfiq8MFkIXaYmOJRGs
Source: global traffic HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeCache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=515=o4szNmhRxdEOpFNobS4rMMbmu-3EivKfgD6Q5al0DAW64LhUikGaJlMI-cBm7mLNXwkxPvbBZ-Ia6dvia8iuaYEoPaezX_sHVk5jDetH_LWMtVG34SM7KNzlV54GIajonBPBWzetB_m_DRq14rcIWPdoZKfiq8MFkIXaYmOJRGs
Source: global traffic HTTP traffic detected: GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeCache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=515=o4szNmhRxdEOpFNobS4rMMbmu-3EivKfgD6Q5al0DAW64LhUikGaJlMI-cBm7mLNXwkxPvbBZ-Ia6dvia8iuaYEoPaezX_sHVk5jDetH_LWMtVG34SM7KNzlV54GIajonBPBWzetB_m_DRq14rcIWPdoZKfiq8MFkIXaYmOJRGs
Source: global traffic HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeCache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=515=o4szNmhRxdEOpFNobS4rMMbmu-3EivKfgD6Q5al0DAW64LhUikGaJlMI-cBm7mLNXwkxPvbBZ-Ia6dvia8iuaYEoPaezX_sHVk5jDetH_LWMtVG34SM7KNzlV54GIajonBPBWzetB_m_DRq14rcIWPdoZKfiq8MFkIXaYmOJRGs
Source: global traffic HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeCache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=515=o4szNmhRxdEOpFNobS4rMMbmu-3EivKfgD6Q5al0DAW64LhUikGaJlMI-cBm7mLNXwkxPvbBZ-Ia6dvia8iuaYEoPaezX_sHVk5jDetH_LWMtVG34SM7KNzlV54GIajonBPBWzetB_m_DRq14rcIWPdoZKfiq8MFkIXaYmOJRGs
Source: global traffic HTTP traffic detected: GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeCache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=515=o4szNmhRxdEOpFNobS4rMMbmu-3EivKfgD6Q5al0DAW64LhUikGaJlMI-cBm7mLNXwkxPvbBZ-Ia6dvia8iuaYEoPaezX_sHVk5jDetH_LWMtVG34SM7KNzlV54GIajonBPBWzetB_m_DRq14rcIWPdoZKfiq8MFkIXaYmOJRGs
Source: global traffic HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeCache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=515=o4szNmhRxdEOpFNobS4rMMbmu-3EivKfgD6Q5al0DAW64LhUikGaJlMI-cBm7mLNXwkxPvbBZ-Ia6dvia8iuaYEoPaezX_sHVk5jDetH_LWMtVG34SM7KNzlV54GIajonBPBWzetB_m_DRq14rcIWPdoZKfiq8MFkIXaYmOJRGs
Source: global traffic HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeCache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=515=o4szNmhRxdEOpFNobS4rMMbmu-3EivKfgD6Q5al0DAW64LhUikGaJlMI-cBm7mLNXwkxPvbBZ-Ia6dvia8iuaYEoPaezX_sHVk5jDetH_LWMtVG34SM7KNzlV54GIajonBPBWzetB_m_DRq14rcIWPdoZKfiq8MFkIXaYmOJRGs
Source: global traffic HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cacheCookie: NID=515=hvNqLQGGTW_jz-Z-2Gifs1ZmMOcy9V7YwuCTkJ9UsaPlvIDjrgJvd-weTfYLZ6plN_u27mHeGvvWsNasfuhssEgcVrwaGUfDL1rg6SbcVNO2Nw5L9UyXxHRiiCXTd3QV4aREWJhGdvGnJQwd-rryP0B_x1r3oXK265LQum1pmfM
Source: global traffic HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cacheCookie: NID=515=hvNqLQGGTW_jz-Z-2Gifs1ZmMOcy9V7YwuCTkJ9UsaPlvIDjrgJvd-weTfYLZ6plN_u27mHeGvvWsNasfuhssEgcVrwaGUfDL1rg6SbcVNO2Nw5L9UyXxHRiiCXTd3QV4aREWJhGdvGnJQwd-rryP0B_x1r3oXK265LQum1pmfM
Source: global traffic HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cacheCookie: NID=515=hvNqLQGGTW_jz-Z-2Gifs1ZmMOcy9V7YwuCTkJ9UsaPlvIDjrgJvd-weTfYLZ6plN_u27mHeGvvWsNasfuhssEgcVrwaGUfDL1rg6SbcVNO2Nw5L9UyXxHRiiCXTd3QV4aREWJhGdvGnJQwd-rryP0B_x1r3oXK265LQum1pmfM
Source: global traffic HTTP traffic detected: GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeCache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=515=o4szNmhRxdEOpFNobS4rMMbmu-3EivKfgD6Q5al0DAW64LhUikGaJlMI-cBm7mLNXwkxPvbBZ-Ia6dvia8iuaYEoPaezX_sHVk5jDetH_LWMtVG34SM7KNzlV54GIajonBPBWzetB_m_DRq14rcIWPdoZKfiq8MFkIXaYmOJRGs
Source: global traffic HTTP traffic detected: GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeCache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=515=o4szNmhRxdEOpFNobS4rMMbmu-3EivKfgD6Q5al0DAW64LhUikGaJlMI-cBm7mLNXwkxPvbBZ-Ia6dvia8iuaYEoPaezX_sHVk5jDetH_LWMtVG34SM7KNzlV54GIajonBPBWzetB_m_DRq14rcIWPdoZKfiq8MFkIXaYmOJRGs
Source: global traffic HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cacheCookie: NID=515=IbPQbmkO8S1c__kDzWy2niX9im8MAVnJ0ifr197baqmYgMBHx1Gdq7YI3NNXycd3ge8Qf-Mkbwlt27bx5bRdhUEvWlqwVraURIaL3FIv8h2ePtmkvqEjd_HFpPJYvCrj-dzSXhJdnl_4WxISiCzdyaSwhb0j4OcPgFDXebu_nlw
Source: global traffic HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cacheCookie: NID=515=IbPQbmkO8S1c__kDzWy2niX9im8MAVnJ0ifr197baqmYgMBHx1Gdq7YI3NNXycd3ge8Qf-Mkbwlt27bx5bRdhUEvWlqwVraURIaL3FIv8h2ePtmkvqEjd_HFpPJYvCrj-dzSXhJdnl_4WxISiCzdyaSwhb0j4OcPgFDXebu_nlw
Source: global traffic HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cacheCookie: NID=515=IbPQbmkO8S1c__kDzWy2niX9im8MAVnJ0ifr197baqmYgMBHx1Gdq7YI3NNXycd3ge8Qf-Mkbwlt27bx5bRdhUEvWlqwVraURIaL3FIv8h2ePtmkvqEjd_HFpPJYvCrj-dzSXhJdnl_4WxISiCzdyaSwhb0j4OcPgFDXebu_nlw
Source: global traffic HTTP traffic detected: GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeCache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=515=o4szNmhRxdEOpFNobS4rMMbmu-3EivKfgD6Q5al0DAW64LhUikGaJlMI-cBm7mLNXwkxPvbBZ-Ia6dvia8iuaYEoPaezX_sHVk5jDetH_LWMtVG34SM7KNzlV54GIajonBPBWzetB_m_DRq14rcIWPdoZKfiq8MFkIXaYmOJRGs
Source: global traffic HTTP traffic detected: GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeCache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=515=o4szNmhRxdEOpFNobS4rMMbmu-3EivKfgD6Q5al0DAW64LhUikGaJlMI-cBm7mLNXwkxPvbBZ-Ia6dvia8iuaYEoPaezX_sHVk5jDetH_LWMtVG34SM7KNzlV54GIajonBPBWzetB_m_DRq14rcIWPdoZKfiq8MFkIXaYmOJRGs
Source: global traffic HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cacheCookie: NID=515=IbPQbmkO8S1c__kDzWy2niX9im8MAVnJ0ifr197baqmYgMBHx1Gdq7YI3NNXycd3ge8Qf-Mkbwlt27bx5bRdhUEvWlqwVraURIaL3FIv8h2ePtmkvqEjd_HFpPJYvCrj-dzSXhJdnl_4WxISiCzdyaSwhb0j4OcPgFDXebu_nlw
Source: global traffic HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cacheCookie: NID=515=IbPQbmkO8S1c__kDzWy2niX9im8MAVnJ0ifr197baqmYgMBHx1Gdq7YI3NNXycd3ge8Qf-Mkbwlt27bx5bRdhUEvWlqwVraURIaL3FIv8h2ePtmkvqEjd_HFpPJYvCrj-dzSXhJdnl_4WxISiCzdyaSwhb0j4OcPgFDXebu_nlw
Source: global traffic HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cacheCookie: NID=515=IbPQbmkO8S1c__kDzWy2niX9im8MAVnJ0ifr197baqmYgMBHx1Gdq7YI3NNXycd3ge8Qf-Mkbwlt27bx5bRdhUEvWlqwVraURIaL3FIv8h2ePtmkvqEjd_HFpPJYvCrj-dzSXhJdnl_4WxISiCzdyaSwhb0j4OcPgFDXebu_nlw
Source: global traffic HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cacheCookie: NID=515=IbPQbmkO8S1c__kDzWy2niX9im8MAVnJ0ifr197baqmYgMBHx1Gdq7YI3NNXycd3ge8Qf-Mkbwlt27bx5bRdhUEvWlqwVraURIaL3FIv8h2ePtmkvqEjd_HFpPJYvCrj-dzSXhJdnl_4WxISiCzdyaSwhb0j4OcPgFDXebu_nlw
Source: global traffic HTTP traffic detected: GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeCache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=515=o4szNmhRxdEOpFNobS4rMMbmu-3EivKfgD6Q5al0DAW64LhUikGaJlMI-cBm7mLNXwkxPvbBZ-Ia6dvia8iuaYEoPaezX_sHVk5jDetH_LWMtVG34SM7KNzlV54GIajonBPBWzetB_m_DRq14rcIWPdoZKfiq8MFkIXaYmOJRGs
Source: global traffic HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cacheCookie: NID=515=IbPQbmkO8S1c__kDzWy2niX9im8MAVnJ0ifr197baqmYgMBHx1Gdq7YI3NNXycd3ge8Qf-Mkbwlt27bx5bRdhUEvWlqwVraURIaL3FIv8h2ePtmkvqEjd_HFpPJYvCrj-dzSXhJdnl_4WxISiCzdyaSwhb0j4OcPgFDXebu_nlw
Source: global traffic HTTP traffic detected: GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeCache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=515=o4szNmhRxdEOpFNobS4rMMbmu-3EivKfgD6Q5al0DAW64LhUikGaJlMI-cBm7mLNXwkxPvbBZ-Ia6dvia8iuaYEoPaezX_sHVk5jDetH_LWMtVG34SM7KNzlV54GIajonBPBWzetB_m_DRq14rcIWPdoZKfiq8MFkIXaYmOJRGs
Source: global traffic HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cacheCookie: NID=515=IbPQbmkO8S1c__kDzWy2niX9im8MAVnJ0ifr197baqmYgMBHx1Gdq7YI3NNXycd3ge8Qf-Mkbwlt27bx5bRdhUEvWlqwVraURIaL3FIv8h2ePtmkvqEjd_HFpPJYvCrj-dzSXhJdnl_4WxISiCzdyaSwhb0j4OcPgFDXebu_nlw
Source: global traffic HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cacheCookie: NID=515=IbPQbmkO8S1c__kDzWy2niX9im8MAVnJ0ifr197baqmYgMBHx1Gdq7YI3NNXycd3ge8Qf-Mkbwlt27bx5bRdhUEvWlqwVraURIaL3FIv8h2ePtmkvqEjd_HFpPJYvCrj-dzSXhJdnl_4WxISiCzdyaSwhb0j4OcPgFDXebu_nlw
Source: global traffic HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cacheCookie: NID=515=A3_DWj-uYlS8SG5SSf4h2bgber-DsAFUfVFi3FxDtVi6jdEuIU6gVf6qK91beLGBvOf1aDV0Nep13pF86ny2gczGzT-3nbHCtLKC8cn0g8_K7gZDcqKMbM307ceTmcEP8JCdf4BXdMiJYzViINyBdRPd8CGRJRG-5NAuxhs9Z5M
Source: global traffic HTTP traffic detected: GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeCache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=515=o4szNmhRxdEOpFNobS4rMMbmu-3EivKfgD6Q5al0DAW64LhUikGaJlMI-cBm7mLNXwkxPvbBZ-Ia6dvia8iuaYEoPaezX_sHVk5jDetH_LWMtVG34SM7KNzlV54GIajonBPBWzetB_m_DRq14rcIWPdoZKfiq8MFkIXaYmOJRGs
Source: global traffic HTTP traffic detected: GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeCache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=515=o4szNmhRxdEOpFNobS4rMMbmu-3EivKfgD6Q5al0DAW64LhUikGaJlMI-cBm7mLNXwkxPvbBZ-Ia6dvia8iuaYEoPaezX_sHVk5jDetH_LWMtVG34SM7KNzlV54GIajonBPBWzetB_m_DRq14rcIWPdoZKfiq8MFkIXaYmOJRGs
Source: global traffic HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cacheCookie: NID=515=A3_DWj-uYlS8SG5SSf4h2bgber-DsAFUfVFi3FxDtVi6jdEuIU6gVf6qK91beLGBvOf1aDV0Nep13pF86ny2gczGzT-3nbHCtLKC8cn0g8_K7gZDcqKMbM307ceTmcEP8JCdf4BXdMiJYzViINyBdRPd8CGRJRG-5NAuxhs9Z5M
Source: global traffic HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cacheCookie: NID=515=o4szNmhRxdEOpFNobS4rMMbmu-3EivKfgD6Q5al0DAW64LhUikGaJlMI-cBm7mLNXwkxPvbBZ-Ia6dvia8iuaYEoPaezX_sHVk5jDetH_LWMtVG34SM7KNzlV54GIajonBPBWzetB_m_DRq14rcIWPdoZKfiq8MFkIXaYmOJRGs
Source: global traffic HTTP traffic detected: GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeCache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=515=o4szNmhRxdEOpFNobS4rMMbmu-3EivKfgD6Q5al0DAW64LhUikGaJlMI-cBm7mLNXwkxPvbBZ-Ia6dvia8iuaYEoPaezX_sHVk5jDetH_LWMtVG34SM7KNzlV54GIajonBPBWzetB_m_DRq14rcIWPdoZKfiq8MFkIXaYmOJRGs
Source: global traffic HTTP traffic detected: GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeCache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=515=o4szNmhRxdEOpFNobS4rMMbmu-3EivKfgD6Q5al0DAW64LhUikGaJlMI-cBm7mLNXwkxPvbBZ-Ia6dvia8iuaYEoPaezX_sHVk5jDetH_LWMtVG34SM7KNzlV54GIajonBPBWzetB_m_DRq14rcIWPdoZKfiq8MFkIXaYmOJRGs
Source: global traffic HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cacheCookie: NID=515=o4szNmhRxdEOpFNobS4rMMbmu-3EivKfgD6Q5al0DAW64LhUikGaJlMI-cBm7mLNXwkxPvbBZ-Ia6dvia8iuaYEoPaezX_sHVk5jDetH_LWMtVG34SM7KNzlV54GIajonBPBWzetB_m_DRq14rcIWPdoZKfiq8MFkIXaYmOJRGs
Source: global traffic HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cacheCookie: NID=515=o4szNmhRxdEOpFNobS4rMMbmu-3EivKfgD6Q5al0DAW64LhUikGaJlMI-cBm7mLNXwkxPvbBZ-Ia6dvia8iuaYEoPaezX_sHVk5jDetH_LWMtVG34SM7KNzlV54GIajonBPBWzetB_m_DRq14rcIWPdoZKfiq8MFkIXaYmOJRGs
Source: global traffic HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cacheCookie: NID=515=o4szNmhRxdEOpFNobS4rMMbmu-3EivKfgD6Q5al0DAW64LhUikGaJlMI-cBm7mLNXwkxPvbBZ-Ia6dvia8iuaYEoPaezX_sHVk5jDetH_LWMtVG34SM7KNzlV54GIajonBPBWzetB_m_DRq14rcIWPdoZKfiq8MFkIXaYmOJRGs
Source: global traffic HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cacheCookie: NID=515=o4szNmhRxdEOpFNobS4rMMbmu-3EivKfgD6Q5al0DAW64LhUikGaJlMI-cBm7mLNXwkxPvbBZ-Ia6dvia8iuaYEoPaezX_sHVk5jDetH_LWMtVG34SM7KNzlV54GIajonBPBWzetB_m_DRq14rcIWPdoZKfiq8MFkIXaYmOJRGs
Source: global traffic HTTP traffic detected: GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeCache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=515=o4szNmhRxdEOpFNobS4rMMbmu-3EivKfgD6Q5al0DAW64LhUikGaJlMI-cBm7mLNXwkxPvbBZ-Ia6dvia8iuaYEoPaezX_sHVk5jDetH_LWMtVG34SM7KNzlV54GIajonBPBWzetB_m_DRq14rcIWPdoZKfiq8MFkIXaYmOJRGs
Source: global traffic HTTP traffic detected: GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeCache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=515=o4szNmhRxdEOpFNobS4rMMbmu-3EivKfgD6Q5al0DAW64LhUikGaJlMI-cBm7mLNXwkxPvbBZ-Ia6dvia8iuaYEoPaezX_sHVk5jDetH_LWMtVG34SM7KNzlV54GIajonBPBWzetB_m_DRq14rcIWPdoZKfiq8MFkIXaYmOJRGs
Source: global traffic HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cacheCookie: NID=515=o4szNmhRxdEOpFNobS4rMMbmu-3EivKfgD6Q5al0DAW64LhUikGaJlMI-cBm7mLNXwkxPvbBZ-Ia6dvia8iuaYEoPaezX_sHVk5jDetH_LWMtVG34SM7KNzlV54GIajonBPBWzetB_m_DRq14rcIWPdoZKfiq8MFkIXaYmOJRGs
Source: global traffic HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cacheCookie: NID=515=o4szNmhRxdEOpFNobS4rMMbmu-3EivKfgD6Q5al0DAW64LhUikGaJlMI-cBm7mLNXwkxPvbBZ-Ia6dvia8iuaYEoPaezX_sHVk5jDetH_LWMtVG34SM7KNzlV54GIajonBPBWzetB_m_DRq14rcIWPdoZKfiq8MFkIXaYmOJRGs
Source: global traffic HTTP traffic detected: GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeCache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=515=o4szNmhRxdEOpFNobS4rMMbmu-3EivKfgD6Q5al0DAW64LhUikGaJlMI-cBm7mLNXwkxPvbBZ-Ia6dvia8iuaYEoPaezX_sHVk5jDetH_LWMtVG34SM7KNzlV54GIajonBPBWzetB_m_DRq14rcIWPdoZKfiq8MFkIXaYmOJRGs
Source: global traffic HTTP traffic detected: GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeCache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=515=o4szNmhRxdEOpFNobS4rMMbmu-3EivKfgD6Q5al0DAW64LhUikGaJlMI-cBm7mLNXwkxPvbBZ-Ia6dvia8iuaYEoPaezX_sHVk5jDetH_LWMtVG34SM7KNzlV54GIajonBPBWzetB_m_DRq14rcIWPdoZKfiq8MFkIXaYmOJRGs
Source: global traffic HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cacheCookie: NID=515=o4szNmhRxdEOpFNobS4rMMbmu-3EivKfgD6Q5al0DAW64LhUikGaJlMI-cBm7mLNXwkxPvbBZ-Ia6dvia8iuaYEoPaezX_sHVk5jDetH_LWMtVG34SM7KNzlV54GIajonBPBWzetB_m_DRq14rcIWPdoZKfiq8MFkIXaYmOJRGs
Source: global traffic HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cacheCookie: NID=515=o4szNmhRxdEOpFNobS4rMMbmu-3EivKfgD6Q5al0DAW64LhUikGaJlMI-cBm7mLNXwkxPvbBZ-Ia6dvia8iuaYEoPaezX_sHVk5jDetH_LWMtVG34SM7KNzlV54GIajonBPBWzetB_m_DRq14rcIWPdoZKfiq8MFkIXaYmOJRGs
Source: global traffic HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cacheCookie: NID=515=o4szNmhRxdEOpFNobS4rMMbmu-3EivKfgD6Q5al0DAW64LhUikGaJlMI-cBm7mLNXwkxPvbBZ-Ia6dvia8iuaYEoPaezX_sHVk5jDetH_LWMtVG34SM7KNzlV54GIajonBPBWzetB_m_DRq14rcIWPdoZKfiq8MFkIXaYmOJRGs
Source: global traffic HTTP traffic detected: GET /rules/rule63067v4s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule170012v10s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule490016v3s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978 HTTP/1.1User-Agent: MyAppHost: freedns.afraid.orgCache-Control: no-cache
Source: global traffic DNS traffic detected: DNS query: ip-api.com
Source: global traffic DNS traffic detected: DNS query: docs.google.com
Source: global traffic DNS traffic detected: DNS query: xred.mooo.com
Source: global traffic DNS traffic detected: DNS query: freedns.afraid.org
Source: global traffic DNS traffic detected: DNS query: drive.usercontent.google.com
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Tue, 02 Jul 2024 04:51:23 GMTP3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."Content-Security-Policy: script-src 'report-sample' 'nonce-0QV0jR1sln1Fj9GcaoYkkw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportAccept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionCross-Origin-Opener-Policy: same-originPermissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*Content-Length: 1642X-GUploader-UploadID: ACJd0NqEruspLaOOJrRSdie2_aGIN3xoT1qKJPCv28Ewi5NyH5stL_p5JWbOIcSn2tbgeHGVOMMServer: UploadServerSet-Cookie: NID=515=hvNqLQGGTW_jz-Z-2Gifs1ZmMOcy9V7YwuCTkJ9UsaPlvIDjrgJvd-weTfYLZ6plN_u27mHeGvvWsNasfuhssEgcVrwaGUfDL1rg6SbcVNO2Nw5L9UyXxHRiiCXTd3QV4aREWJhGdvGnJQwd-rryP0B_x1r3oXK265LQum1pmfM; expires=Wed, 01-Jan-2025 04:51:23 GMT; path=/; domain=.google.com; HttpOnlyAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Tue, 02 Jul 2024 04:51:23 GMTP3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."Content-Security-Policy: script-src 'report-sample' 'nonce-h6h2GTXVoNqcKn8WTpvzTg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportAccept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionPermissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*Cross-Origin-Opener-Policy: same-originContent-Length: 1642X-GUploader-UploadID: ACJd0NqU4FYcxiiXDjGMJzLQJaDvq7BpoOuNldwUMM6frWlpQrbTz676Tb4JJwdF83wtqWaRJ5YServer: UploadServerSet-Cookie: NID=515=IbPQbmkO8S1c__kDzWy2niX9im8MAVnJ0ifr197baqmYgMBHx1Gdq7YI3NNXycd3ge8Qf-Mkbwlt27bx5bRdhUEvWlqwVraURIaL3FIv8h2ePtmkvqEjd_HFpPJYvCrj-dzSXhJdnl_4WxISiCzdyaSwhb0j4OcPgFDXebu_nlw; expires=Wed, 01-Jan-2025 04:51:23 GMT; path=/; domain=.google.com; HttpOnlyAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Tue, 02 Jul 2024 04:51:24 GMTP3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy: script-src 'report-sample' 'nonce-JGh5ZFeigZoyePwda9d-Sg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionPermissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*Cross-Origin-Opener-Policy: same-originContent-Length: 1642X-GUploader-UploadID: ACJd0NoLCQuFTHxzixSymh4FWFC4x7z1FNMxw8JsUy91o2gN6O-whJC79yHNdGRSUWuH6s1E32wServer: UploadServerSet-Cookie: NID=515=A3_DWj-uYlS8SG5SSf4h2bgber-DsAFUfVFi3FxDtVi6jdEuIU6gVf6qK91beLGBvOf1aDV0Nep13pF86ny2gczGzT-3nbHCtLKC8cn0g8_K7gZDcqKMbM307ceTmcEP8JCdf4BXdMiJYzViINyBdRPd8CGRJRG-5NAuxhs9Z5M; expires=Wed, 01-Jan-2025 04:51:24 GMT; path=/; domain=.google.com; HttpOnlyAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Tue, 02 Jul 2024 04:51:25 GMTP3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy: script-src 'report-sample' 'nonce-txAM4vljkJyEOkerxJU83g' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Cross-Origin-Opener-Policy: same-originContent-Length: 1642X-GUploader-UploadID: ACJd0NoIVJD2eFQPpsPLn5BXSyvuiRddYNe_07ekdyBCjEpO79bvO9OvT_0IRPjpa7ovx8qt0tYServer: UploadServerSet-Cookie: NID=515=o4szNmhRxdEOpFNobS4rMMbmu-3EivKfgD6Q5al0DAW64LhUikGaJlMI-cBm7mLNXwkxPvbBZ-Ia6dvia8iuaYEoPaezX_sHVk5jDetH_LWMtVG34SM7KNzlV54GIajonBPBWzetB_m_DRq14rcIWPdoZKfiq8MFkIXaYmOJRGs; expires=Wed, 01-Jan-2025 04:51:25 GMT; path=/; domain=.google.com; HttpOnlyAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Tue, 02 Jul 2024 04:51:26 GMTContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy: script-src 'report-sample' 'nonce-ncqU9Si3T-i0tD_uYa4hWw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Cross-Origin-Opener-Policy: same-originPermissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionContent-Length: 1642X-GUploader-UploadID: ACJd0NqZbGTKI7NPl2CG9mv_MEl7yd0TmKVw7-JxVwt-58cOfdrB8aPEl4KQO_fZGmhR1vfcLkhdyEURVQServer: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Tue, 02 Jul 2024 04:51:27 GMTPermissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy: script-src 'report-sample' 'nonce-a-T4zE9cKFjSGMXrX7JDPQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Cross-Origin-Opener-Policy: same-originContent-Length: 1642X-GUploader-UploadID: ACJd0NpUVMUdbztLVSQ7m7mrEIGog5Ar7xWuxOu_QMsj78GavUeu5GUoAfZcGUVoehwoKYHtbHbePRjRKAServer: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Tue, 02 Jul 2024 04:51:28 GMTAccept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionPermissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy: script-src 'report-sample' 'nonce-fR-ApMskgTBFLtSq6sCb_Q' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Cross-Origin-Opener-Policy: same-originContent-Length: 1642X-GUploader-UploadID: ACJd0NqeN6Q4cT-zvrdPVy3snhenb7Dna7q2HehB5y46bz5vBA7IdDxbsvaaX34U1T-NfeyoWxIServer: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Tue, 02 Jul 2024 04:51:28 GMTCross-Origin-Opener-Policy: same-originAccept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionPermissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy: script-src 'report-sample' 'nonce-J1EF8EbxuretIqP9HY1t4w' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Length: 1642X-GUploader-UploadID: ACJd0Nqkwod2GI1rEvL1pUygarQ45gBBvoToZhpZvGNv9f5z2dam5fVRcp0HYgnKMgPA1203X6sServer: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Tue, 02 Jul 2024 04:51:29 GMTAccept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionPermissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy: script-src 'report-sample' 'nonce-kVDpRuKCD4uyuO0WUvhtDQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Cross-Origin-Opener-Policy: same-originContent-Length: 1642X-GUploader-UploadID: ACJd0Nqf4Xf7TbVGyTmpmS6jUy7oOwqdZyFvU26b6o4sSmO6gkMLHzeIy1F1oMmXDnHFECUi4YAServer: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Tue, 02 Jul 2024 04:51:29 GMTAccept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionPermissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy: script-src 'report-sample' 'nonce-blvq0Cz9Ibl-rnmTliQcow' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Cross-Origin-Opener-Policy: same-originContent-Length: 1642X-GUploader-UploadID: ACJd0NrmlMPjateOnBoiprlBLO2a8AJlEaufhd__rfL658RGh_jF9ua7yxuUvjvcJnMfIDP-_XkServer: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Tue, 02 Jul 2024 04:51:33 GMTContent-Security-Policy: script-src 'report-sample' 'nonce-c_5y4Y0Lf2Rp-dq9AXCPJg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportCross-Origin-Opener-Policy: same-originAccept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionPermissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*Content-Length: 1642X-GUploader-UploadID: ACJd0NqW3G8dHkA1FBHS1uwDFkop-lfiHxzcliTjWvVPEKthxFl7pqihGQgb5IRf6l24kY96_aX9605MygServer: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Tue, 02 Jul 2024 04:51:33 GMTContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy: script-src 'report-sample' 'nonce-Z_comFUqJ7Xzw8Er5iZsvw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionCross-Origin-Opener-Policy: same-originContent-Length: 1642X-GUploader-UploadID: ACJd0NqCJ9hnVyLCfOc2Qy3PWaize7-8y2smhAIkcx0BeQja-m36-Nw_60zfNafuUIqHSPMnsWNvp9eG-wServer: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Tue, 02 Jul 2024 04:51:34 GMTContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy: script-src 'report-sample' 'nonce-6JhqyyozaqQAfPPyvHb86w' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionPermissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*Cross-Origin-Opener-Policy: same-originContent-Length: 1642X-GUploader-UploadID: ACJd0NoK2QvzEuzcJ3HE8WfNiOTcuxTayeiyOGwj9KKU2EH0W28TrovVdMiHLE2n6dvooPc0TlktjLy-LgServer: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Tue, 02 Jul 2024 04:51:36 GMTContent-Security-Policy: script-src 'report-sample' 'nonce-LFtiodpXKCu1h31CpN-iSg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportPermissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*Cross-Origin-Opener-Policy: same-originAccept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionContent-Length: 1642X-GUploader-UploadID: ACJd0NpTn0hN5UTqxW0z_a8lgdpJ2_i4IFuK1-6SKJ0lmSUFH3U-7hVhjs-VzFCL9KW_mzX26Nsr0Mu7NQServer: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Tue, 02 Jul 2024 04:51:36 GMTPermissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*Cross-Origin-Opener-Policy: same-originContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy: script-src 'report-sample' 'nonce-RCw0PqSvDk3TIVvm2KJuRA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionContent-Length: 1642X-GUploader-UploadID: ACJd0NpHnwrMyeiIEaGDnYysUriMvR4DYBPgTzzF2L3hiDu-k5yEDrDrnURj9iiE_WB_VKW_HgwServer: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Tue, 02 Jul 2024 04:51:37 GMTPermissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*Cross-Origin-Opener-Policy: same-originContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy: script-src 'report-sample' 'nonce-6pXfD0g84yghekOISxDelw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionContent-Length: 1642X-GUploader-UploadID: ACJd0Nrt9m-1jFOYMKnkshATZSidTuvLSd5CMrE6Gut81FJMn1a559m_sJIr6WseUVBgkxuogHIServer: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Tue, 02 Jul 2024 04:51:38 GMTCross-Origin-Opener-Policy: same-originContent-Security-Policy: script-src 'report-sample' 'nonce-KUYoDuJNS0F3Y8xM7eMdDA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportAccept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionPermissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*Content-Length: 1642X-GUploader-UploadID: ACJd0NrD3jAHuAPqJTrQALYZMSg6-PhMFVCeR3ciIqJDdd2ZXXkJs87Yhq0hgc_af3J0DP0xqPoServer: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Tue, 02 Jul 2024 04:51:40 GMTAccept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionCross-Origin-Opener-Policy: same-originPermissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*Content-Security-Policy: script-src 'report-sample' 'nonce-EbkfP9u4Vq-yZpzq-_Djkw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Length: 1642X-GUploader-UploadID: ACJd0NqwFDaLaxx8FYHMbgw3yLH-fhoxE4VV52E8qaOeg23FPcMAyA4qhOzPl4IXBd2dVYn2BgServer: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Tue, 02 Jul 2024 04:51:40 GMTPermissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy: script-src 'report-sample' 'nonce-eY94xt3BZCEdHZyJSp9JZw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Cross-Origin-Opener-Policy: same-originAccept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionContent-Length: 1642X-GUploader-UploadID: ACJd0No98RWlRzMRK5gED_7lbzunIEd50U9VvzwSMd5t4L7G7nbKyjn0DBsl5mJdNnsy_lIXfNUServer: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Tue, 02 Jul 2024 04:51:41 GMTAccept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionPermissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*Content-Security-Policy: script-src 'report-sample' 'nonce-rEvFjCO2FNKLGjtGY8Y6bA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportCross-Origin-Opener-Policy: same-originContent-Length: 1642X-GUploader-UploadID: ACJd0Nrld67_aAVtJz1_Du_CPnw3HIVAcGhSRnIqlt1VJ65LklsGTDcbQfahkTIF6ioebjd1CEcbsqzNeAServer: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Tue, 02 Jul 2024 04:51:41 GMTContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy: script-src 'report-sample' 'nonce-2Jz4d6Qt33HPueKfi6qztg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*Cross-Origin-Opener-Policy: same-originAccept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionContent-Length: 1642X-GUploader-UploadID: ACJd0NpQpOQG7CGhN3_ya49SG2rth0th2_-kgzTl8jZK-mW9b4YzoaHDQWnw6USWSglYd6iLgS5x2kIgaQServer: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Tue, 02 Jul 2024 04:51:42 GMTContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy: script-src 'report-sample' 'nonce-LupTqJQw3HlWzat2QzvmTw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Cross-Origin-Opener-Policy: same-originPermissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionContent-Length: 1642X-GUploader-UploadID: ACJd0NpDd4tqHHaheh7yAxi4SfGZhN9Pn00FvcZuv9GKJikpDEowq1No-mABeFM4bJINSD5NggServer: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Tue, 02 Jul 2024 04:51:42 GMTPermissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy: script-src 'report-sample' 'nonce-gYZHdWbq5A2RJc4E3R0mlw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Cross-Origin-Opener-Policy: same-originContent-Length: 1642X-GUploader-UploadID: ACJd0No2EHOubJIn3YFoYe2sE91ou3Q3pcNmji4KfQXtpCLqBatOuJFfDeN7lvpQxt1N1zs522Maac29UQServer: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Tue, 02 Jul 2024 04:51:45 GMTContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy: script-src 'report-sample' 'nonce-_Y6qAiylT6xf8fDV6Fte9A' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*Cross-Origin-Opener-Policy: same-originAccept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionContent-Length: 1642X-GUploader-UploadID: ACJd0NqgqRuATWkRMmymU7u7OWym97dVHafQSM41U-udIhRMYtjmeV2qL5aUjW5Jixv4ZcvoHc4Z_BX6FQServer: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Tue, 02 Jul 2024 04:51:45 GMTAccept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy: script-src 'report-sample' 'nonce-_BdP4Wt5sLb6aiL2xSyKIQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Cross-Origin-Opener-Policy: same-originPermissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*Content-Length: 1642X-GUploader-UploadID: ACJd0NrwUisrag8Jtvnvdz3fPymXOfLS7yrD7ix0I-uRvFNISRBRv-9EhjAUwCeXcoD62-ERYD6w1hNR1gServer: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Tue, 02 Jul 2024 04:51:46 GMTAccept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionPermissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*Cross-Origin-Opener-Policy: same-originContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy: script-src 'report-sample' 'nonce-wFEKGs1YUBSVa-shpU7naQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Length: 1642X-GUploader-UploadID: ACJd0NpQtXD6yPnqF9_FM_QLM4d-kexvuuEAcrIy6hyR5tM_OAO-frYy9uoZm2AzjMKDBu3DwsAServer: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Tue, 02 Jul 2024 04:51:46 GMTContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy: script-src 'report-sample' 'nonce-p6dwDb7nRsxTPrOUptDVVA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionPermissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*Cross-Origin-Opener-Policy: same-originContent-Length: 1642X-GUploader-UploadID: ACJd0NqiVmD_3i-gfw8BxH5-Y_1XWeDswdEP1PqP_zQj3yeO0OEq0Nhduu1Q1FGKc97iXUTSd6NgOkt-6AServer: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: integrator.exe.0.dr String found in binary or memory: http://127.0.0.1:13556/InsiderSlabBehaviorReportedBuildInsiderSlabBehaviorInsiderSlabBehaviorReporte
Source: armsvc.exe.0.dr, GoogleCrashHandler64.exe.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: armsvc.exe.0.dr, GoogleCrashHandler64.exe.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: armsvc.exe.0.dr, GoogleCrashHandler64.exe.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: armsvc.exe.0.dr, GoogleCrashHandler64.exe.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: powershell.exe, 00000018.00000002.2852792660.000000000774F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.micros
Source: powershell.exe, 00000015.00000002.2829712033.0000000007B14000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.2865908533.0000000008121000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.microsoft
Source: armsvc.exe.0.dr, GoogleCrashHandler64.exe.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: armsvc.exe.0.dr, GoogleCrashHandler64.exe.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: armsvc.exe.0.dr, GoogleCrashHandler64.exe.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: GoogleCrashHandler64.exe.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: GoogleCrashHandler64.exe.0.dr String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: armsvc.exe.0.dr String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0=
Source: Synaptics.exe.2.dr String found in binary or memory: http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
Source: Synaptics.exe, 00000004.00000002.2505106985.000000000070A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978T
Source: Synaptics.exe, 00000004.00000002.2505106985.000000000070A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978w
Source: Synaptics.exe, 00000004.00000002.2505106985.00000000006CA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978y)_
Source: ._cache_F.exe, 00000003.00000002.3299291942.0000000002B72000.00000004.00000800.00020000.00000000.sdmp, ._cache_F.exe, 00000003.00000002.3299291942.0000000002B59000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ip-api.com
Source: F.exe, Synaptics.exe.2.dr String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: F.exe, 00000000.00000002.2697075823.0000000000190000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: powershell.exe, 00000008.00000002.2281858184.00000000055BD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.2802481932.0000000006529000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.2823008513.0000000006039000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.2834693917.0000000005E0A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: armsvc.exe.0.dr, GoogleCrashHandler64.exe.0.dr String found in binary or memory: http://ocsp.digicert.com0
Source: armsvc.exe.0.dr, GoogleCrashHandler64.exe.0.dr String found in binary or memory: http://ocsp.digicert.com0A
Source: armsvc.exe.0.dr, GoogleCrashHandler64.exe.0.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: armsvc.exe.0.dr, GoogleCrashHandler64.exe.0.dr String found in binary or memory: http://ocsp.digicert.com0X
Source: powershell.exe, 0000001B.00000002.2765152080.0000000004EF6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000008.00000002.2264524529.00000000046A7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.2752155516.0000000005616000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.2757579122.0000000005126000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.2765152080.0000000004EF6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: ._cache_F.exe, 00000003.00000002.3299291942.0000000002AB1000.00000004.00000800.00020000.00000000.sdmp, ._cache_F.exe, 00000003.00000002.3299291942.0000000002B59000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2264524529.0000000004551000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.2752155516.00000000054CE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.2757579122.0000000004FD1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.2765152080.0000000004DA1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000008.00000002.2264524529.00000000046A7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.2752155516.0000000005616000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.2757579122.0000000005126000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.2765152080.0000000004EF6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 0000001B.00000002.2765152080.0000000004EF6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: Aut2exe.exe.0.dr String found in binary or memory: http://www.autoitscript.com/autoit3/
Source: armsvc.exe.0.dr, GoogleCrashHandler64.exe.0.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: F.exe, Synaptics.exe.2.dr String found in binary or memory: http://www.eyuyan.com)DVarFileInfo$
Source: F.exe, 00000002.00000003.2064449004.00000000021A0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://xred.site50.net/syn/SSLLibrary.dl
Source: Synaptics.exe.2.dr String found in binary or memory: http://xred.site50.net/syn/SSLLibrary.dll
Source: Synaptics.exe, 00000004.00000002.2511829684.0000000002130000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://xred.site50.net/syn/SSLLibrary.dll6
Source: Synaptics.exe.2.dr String found in binary or memory: http://xred.site50.net/syn/SUpdate.ini
Source: Synaptics.exe, 00000004.00000002.2511829684.0000000002130000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://xred.site50.net/syn/SUpdate.iniZ
Source: Synaptics.exe.2.dr String found in binary or memory: http://xred.site50.net/syn/Synaptics.rar
Source: Synaptics.exe, 00000004.00000002.2511829684.0000000002130000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://xred.site50.net/syn/Synaptics.rarZ
Source: powershell.exe, 00000008.00000002.2264524529.0000000004551000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.2752155516.00000000054CE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.2757579122.0000000004FD1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.2765152080.0000000004DA1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore6lBcq
Source: powershell.exe, 0000001B.00000002.2834693917.0000000005E0A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000001B.00000002.2834693917.0000000005E0A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000001B.00000002.2834693917.0000000005E0A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
Source: Synaptics.exe, 00000004.00000002.2545756503.000000000DDDD000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2505106985.000000000070A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/
Source: Synaptics.exe, 00000004.00000002.2545756503.000000000DDDD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/T.xlsx
Source: Synaptics.exe, 00000004.00000002.2545756503.000000000DDDD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/UDTUBZFW.xlsx
Source: Synaptics.exe, 00000004.00000002.2545756503.000000000DDDD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/elleme
Source: Synaptics.exe, 00000004.00000002.2545756503.000000000DDDD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/etleniyor...
Source: Synaptics.exe, 00000004.00000002.2545756503.000000000DDDD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/fons
Source: Synaptics.exe, 00000004.00000002.2545756503.000000000DDDD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/google.com/APT
Source: Synaptics.exe, 00000004.00000002.2545756503.000000000DDDD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/rver
Source: Synaptics.exe, 00000004.00000002.2545756503.000000000DDDD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/ta
Source: Synaptics.exe, 00000004.00000002.2525129927.00000000053CE000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2539347979.000000000D86E000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2535191044.000000000AF2E000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0;
Source: Synaptics.exe, 00000004.00000002.2537824769.000000000CD2E000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXG
Source: Synaptics.exe.2.dr String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download
Source: Synaptics.exe, 00000004.00000002.2511829684.0000000002130000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=downloadN
Source: F.exe, 00000002.00000003.2064449004.00000000021A0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=downlot
Source: F.exe, 00000002.00000003.2064449004.00000000021A0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downlo
Source: Synaptics.exe.2.dr String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
Source: Synaptics.exe, 00000004.00000002.2530140781.000000000747C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download#
Source: Synaptics.exe, 00000004.00000002.2530140781.000000000755A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download#x5
Source: Synaptics.exe, 00000004.00000002.2525281255.0000000005590000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2545756503.000000000DDDD000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2530140781.000000000755A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download$
Source: Synaptics.exe, 00000004.00000002.2547909817.000000000DEEE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download$B
Source: Synaptics.exe, 00000004.00000002.2530140781.00000000074D1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download$MF
Source: Synaptics.exe, 00000004.00000002.2505106985.0000000000740000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download$v
Source: Synaptics.exe, 00000004.00000002.2530140781.0000000007585000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2525281255.0000000005590000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2545756503.000000000DDDD000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2530140781.000000000747C000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2505106985.0000000000740000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2547909817.000000000DEEE000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2549645289.000000000DF35000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2525281255.000000000551D000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2505106985.000000000070A000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2530140781.00000000074D1000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2530140781.000000000755A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download%
Source: Synaptics.exe, 00000004.00000002.2505106985.000000000070A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download%C
Source: Synaptics.exe, 00000004.00000002.2505106985.0000000000740000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download%KE
Source: Synaptics.exe, 00000004.00000002.2530140781.0000000007514000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download%r
Source: Synaptics.exe, 00000004.00000002.2525281255.000000000551D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download&
Source: Synaptics.exe, 00000004.00000002.2525281255.000000000551D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download&0
Source: Synaptics.exe, 00000004.00000002.2530140781.000000000747C000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2505106985.0000000000740000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2525281255.000000000551D000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2505106985.000000000070A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download(
Source: Synaptics.exe, 00000004.00000002.2530140781.00000000074D1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download(HR
Source: Synaptics.exe, 00000004.00000002.2525281255.0000000005590000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2545756503.000000000DDDD000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2530140781.000000000755A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download)
Source: Synaptics.exe, 00000004.00000002.2525281255.000000000551D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download)BT
Source: Synaptics.exe, 00000004.00000002.2547909817.000000000DEEE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download)Bu
Source: Synaptics.exe, 00000004.00000002.2505106985.0000000000740000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download)v
Source: Synaptics.exe, 00000004.00000002.2525281255.0000000005590000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2549645289.000000000DF35000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download-
Source: Synaptics.exe, 00000004.00000002.2525281255.0000000005590000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download-Polq
Source: Synaptics.exe, 00000004.00000002.2530140781.0000000007514000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download-cn.net
Source: Synaptics.exe, 00000004.00000002.2525281255.0000000005590000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2525281255.000000000551D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download.
Source: Synaptics.exe, 00000004.00000002.2540164357.000000000DD8E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download..9
Source: Synaptics.exe, 00000004.00000002.2540164357.000000000DD8E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download..q
Source: Synaptics.exe, 00000004.00000002.2525281255.000000000551D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download.1
Source: Synaptics.exe, 00000004.00000002.2505106985.0000000000740000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download.E
Source: Synaptics.exe, 00000004.00000002.2505106985.0000000000740000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download.G
Source: Synaptics.exe, 00000004.00000002.2530140781.0000000007514000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download.c
Source: Synaptics.exe, 00000004.00000002.2525281255.0000000005590000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download.com;l
Source: Synaptics.exe, 00000004.00000002.2530140781.0000000007514000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download.cx
Source: Synaptics.exe, 00000004.00000002.2525281255.0000000005590000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download.goog
Source: Synaptics.exe, 00000004.00000002.2545756503.000000000DDDD000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2505106985.0000000000740000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2547909817.000000000DEEE000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2505106985.0000000000724000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download/
Source: Synaptics.exe, 00000004.00000002.2530140781.000000000755A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download/UM
Source: Synaptics.exe, 00000004.00000002.2530140781.000000000755A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download/d5
Source: Synaptics.exe, 00000004.00000002.2505106985.0000000000740000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download/m
Source: Synaptics.exe, 00000004.00000002.2505106985.0000000000724000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download/u
Source: Synaptics.exe, 00000004.00000002.2530140781.000000000755A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download/yI
Source: Synaptics.exe, 00000004.00000002.2525281255.000000000551D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download0
Source: Synaptics.exe, 00000004.00000002.2525281255.000000000551D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download00
Source: Synaptics.exe, 00000004.00000002.2505106985.0000000000740000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download01045ksv
Source: Synaptics.exe, 00000004.00000002.2530140781.00000000074D1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download0Mj
Source: Synaptics.exe, 00000004.00000002.2505106985.0000000000740000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download0u
Source: Synaptics.exe, 00000004.00000002.2545756503.000000000DDDD000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2505106985.0000000000740000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2549645289.000000000DF35000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download1
Source: Synaptics.exe, 00000004.00000002.2547909817.000000000DEEE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download1Cm
Source: Synaptics.exe, 00000004.00000002.2530140781.000000000755A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download1T
Source: Synaptics.exe, 00000004.00000002.2530140781.000000000755A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download1kC
Source: Synaptics.exe, 00000004.00000002.2530140781.0000000007585000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2525281255.0000000005590000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2505106985.0000000000740000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download2
Source: Synaptics.exe, 00000004.00000002.2525281255.000000000551D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download2.
Source: Synaptics.exe, 00000004.00000002.2505106985.0000000000740000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download23
Source: Synaptics.exe, 00000004.00000002.2505106985.0000000000740000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download2;Z
Source: Synaptics.exe, 00000004.00000002.2549645289.000000000DF8B000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2530140781.000000000755A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download3
Source: Synaptics.exe, 00000004.00000002.2545756503.000000000DDDD000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2505106985.0000000000740000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2547909817.000000000DEEE000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2505106985.000000000070A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download4
Source: Synaptics.exe, 00000004.00000002.2505106985.0000000000740000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download4CQ
Source: Synaptics.exe, 00000004.00000002.2530140781.000000000755A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download4UX
Source: Synaptics.exe, 00000004.00000002.2505106985.0000000000740000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download4d
Source: Synaptics.exe, 00000004.00000002.2505106985.0000000000740000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download4m
Source: Synaptics.exe, 00000004.00000002.2530140781.0000000007585000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2530140781.000000000747C000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2530140781.0000000007514000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2549645289.000000000DF35000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download5
Source: Synaptics.exe, 00000004.00000002.2525281255.0000000005590000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download51:25
Source: Synaptics.exe, 00000004.00000002.2525281255.0000000005590000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2545756503.000000000DDDD000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2505106985.0000000000740000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download6
Source: Synaptics.exe, 00000004.00000002.2505106985.0000000000740000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download6M
Source: Synaptics.exe, 00000004.00000002.2530140781.0000000007585000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2549645289.000000000DF8B000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2505106985.0000000000740000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2547909817.000000000DEEE000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2505106985.0000000000724000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download7
Source: Synaptics.exe, 00000004.00000002.2530140781.000000000755A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download7VE
Source: Synaptics.exe, 00000004.00000002.2505106985.000000000070A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download8
Source: Synaptics.exe, 00000004.00000002.2525281255.000000000551D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download81
Source: Synaptics.exe, 00000004.00000002.2505106985.0000000000740000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download8CG
Source: Synaptics.exe, 00000004.00000002.2505106985.0000000000740000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download8E
Source: Synaptics.exe, 00000004.00000002.2530140781.00000000074D1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download8Ob
Source: Synaptics.exe, 00000004.00000002.2505106985.0000000000740000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2547909817.000000000DEEE000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2549645289.000000000DF35000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download9
Source: Synaptics.exe, 00000004.00000002.2530140781.000000000755A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download9US
Source: Synaptics.exe, 00000004.00000002.2530140781.000000000755A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download9d
Source: Synaptics.exe, 00000004.00000002.2505106985.0000000000740000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download9m
Source: Synaptics.exe, 00000004.00000002.2540164357.000000000DD8E000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2530140781.000000000747C000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2525281255.000000000551D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download:
Source: Synaptics.exe, 00000004.00000002.2545756503.000000000DDDD000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2505106985.0000000000740000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2505106985.0000000000724000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download;
Source: Synaptics.exe, 00000004.00000002.2530140781.000000000755A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download;y
Source: Synaptics.exe, 00000004.00000002.2525281255.0000000005590000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2530140781.000000000747C000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2549645289.000000000DF35000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download=
Source: Synaptics.exe, 00000004.00000002.2530140781.0000000007585000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2525281255.0000000005590000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2545756503.000000000DDDD000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2505106985.0000000000740000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download?
Source: Synaptics.exe, 00000004.00000002.2530140781.000000000755A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download?xY
Source: Synaptics.exe, 00000004.00000002.2525281255.0000000005590000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2545756503.000000000DDDD000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2505106985.0000000000740000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2549645289.000000000DF35000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2530140781.000000000755A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadA
Source: Synaptics.exe, 00000004.00000002.2505106985.0000000000740000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadA-
Source: Synaptics.exe, 00000004.00000002.2547909817.000000000DEEE000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2525281255.000000000551D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadAB
Source: Synaptics.exe, 00000004.00000002.2525281255.0000000005590000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadAPPKBM
Source: Synaptics.exe, 00000004.00000002.2530140781.000000000755A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadAj
Source: Synaptics.exe, 00000004.00000002.2525281255.0000000005590000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2545756503.000000000DDDD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadB
Source: Synaptics.exe, 00000004.00000002.2505106985.0000000000740000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadB0
Source: Synaptics.exe, 00000004.00000002.2549645289.000000000DF8B000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2525281255.000000000551D000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2530140781.000000000755A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadC
Source: Synaptics.exe, 00000004.00000002.2505106985.0000000000740000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadC1L
Source: Synaptics.exe, 00000004.00000002.2525281255.000000000551D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadCerLi
Source: Synaptics.exe, 00000004.00000002.2505106985.0000000000740000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadCompa
Source: Synaptics.exe, 00000004.00000002.2525281255.0000000005590000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2545756503.000000000DDDD000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2505106985.0000000000740000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2530140781.0000000007514000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadD
Source: Synaptics.exe, 00000004.00000002.2505106985.0000000000740000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadD6c
Source: Synaptics.exe, 00000004.00000002.2530140781.0000000007585000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadDB
Source: Synaptics.exe, 00000004.00000002.2547909817.000000000DEEE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadDC
Source: Synaptics.exe, 00000004.00000002.2530140781.00000000074D1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadDL
Source: Synaptics.exe, 00000004.00000002.2540164357.000000000DD8E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadDe
Source: Synaptics.exe, 00000004.00000002.2530140781.0000000007585000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadDenet
Source: Synaptics.exe, 00000004.00000002.2530140781.000000000755A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadDk
Source: Synaptics.exe, 00000004.00000002.2505106985.0000000000740000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadDl
Source: Synaptics.exe, 00000004.00000002.2530140781.0000000007585000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2525281255.0000000005590000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2530140781.000000000747C000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2549645289.000000000DF35000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2525281255.000000000551D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadE
Source: Synaptics.exe, 00000004.00000002.2525281255.000000000551D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadE.
Source: Synaptics.exe, 00000004.00000002.2505106985.0000000000740000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadEE
Source: Synaptics.exe, 00000004.00000002.2525281255.0000000005590000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2505106985.0000000000740000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadF
Source: Synaptics.exe, 00000004.00000002.2525281255.000000000551D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadF1
Source: Synaptics.exe, 00000004.00000002.2505106985.0000000000740000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadFE
Source: Synaptics.exe, 00000004.00000002.2505106985.0000000000740000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadFM
Source: Synaptics.exe, 00000004.00000002.2549645289.000000000DF8B000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2545756503.000000000DDDD000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2547909817.000000000DEEE000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2505106985.0000000000724000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadG
Source: Synaptics.exe, 00000004.00000002.2525281255.000000000551D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadG1-0
Source: Synaptics.exe, 00000004.00000002.2525281255.000000000551D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadG3
Source: Synaptics.exe, 00000004.00000002.2525281255.000000000551D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadG3N
Source: Synaptics.exe, 00000004.00000002.2525281255.0000000005590000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadGRXZ
Source: Synaptics.exe, 00000004.00000002.2530140781.000000000755A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadGU
Source: Synaptics.exe, 00000004.00000002.2530140781.000000000755A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadG~
Source: Synaptics.exe, 00000004.00000002.2525281255.000000000551D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadH
Source: Synaptics.exe, 00000004.00000002.2530140781.00000000074D1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadHO
Source: Synaptics.exe, 00000004.00000002.2525281255.0000000005590000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2545756503.000000000DDDD000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2530140781.000000000755A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadI
Source: Synaptics.exe, 00000004.00000002.2505106985.0000000000740000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadI6v
Source: Synaptics.exe, 00000004.00000002.2547909817.000000000DEEE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadIC
Source: Synaptics.exe, 00000004.00000002.2530140781.000000000755A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadIT
Source: Synaptics.exe, 00000004.00000002.2505106985.0000000000740000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadIlW
Source: Synaptics.exe, 00000004.00000002.2530140781.0000000007585000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2525281255.0000000005590000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2530140781.000000000747C000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2511829684.0000000002130000.00000004.00001000.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2505106985.0000000000740000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadJ
Source: Synaptics.exe, 00000004.00000002.2525281255.0000000005590000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadJd0N8
Source: Synaptics.exe, 00000004.00000002.2549645289.000000000DF8B000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2525281255.0000000005590000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadK
Source: Synaptics.exe, 00000004.00000002.2525281255.000000000551D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadK1N
Source: Synaptics.exe, 00000004.00000002.2530140781.000000000755A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadKy
Source: Synaptics.exe, 00000004.00000002.2530140781.0000000007585000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2545756503.000000000DDDD000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2505106985.0000000000740000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2547909817.000000000DEEE000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2530140781.0000000007514000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadL
Source: Synaptics.exe, 00000004.00000002.2530140781.00000000074D1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadLN
Source: Synaptics.exe, 00000004.00000002.2530140781.000000000755A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadLU
Source: Synaptics.exe, 00000004.00000002.2530140781.000000000747C000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2549645289.000000000DF35000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadM
Source: Synaptics.exe, 00000004.00000002.2505106985.0000000000740000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadMFkIXaYmOJRGsm
Source: Synaptics.exe, 00000004.00000002.2525281255.0000000005590000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2545756503.000000000DDDD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadN
Source: Synaptics.exe, 00000004.00000002.2525281255.000000000551D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadNA?
Source: Synaptics.exe, 00000004.00000002.2525281255.000000000551D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadNo
Source: Synaptics.exe, 00000004.00000002.2530140781.0000000007585000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2505106985.0000000000740000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2505106985.0000000000724000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadO
Source: Synaptics.exe, 00000004.00000002.2530140781.000000000755A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadOx
Source: Synaptics.exe, 00000004.00000002.2525281255.0000000005590000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2556341223.00000000101EE000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadP
Source: Synaptics.exe, 00000004.00000002.2525281255.0000000005590000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadP0
Source: Synaptics.exe, 00000004.00000002.2525281255.000000000551D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadP1Y
Source: Synaptics.exe, 00000004.00000002.2530140781.00000000074D1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadPL
Source: Synaptics.exe, 00000004.00000002.2540164357.000000000DD8E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadPW
Source: Synaptics.exe, 00000004.00000002.2545756503.000000000DDDD000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2505106985.0000000000740000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2547909817.000000000DEEE000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2549645289.000000000DF35000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadQ
Source: Synaptics.exe, 00000004.00000002.2530140781.000000000755A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadQU
Source: Synaptics.exe, 00000004.00000002.2525281255.0000000005590000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2530140781.000000000747C000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2505106985.0000000000740000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2525281255.000000000551D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadR
Source: Synaptics.exe, 00000004.00000002.2549645289.000000000DF8B000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2525281255.0000000005590000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2545756503.000000000DDDD000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2505106985.0000000000740000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2505106985.0000000000724000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadS
Source: Synaptics.exe, 00000004.00000002.2547909817.000000000DEEE000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2525281255.000000000551D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadSA
Source: Synaptics.exe, 00000004.00000002.2530140781.000000000755A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadS~
Source: Synaptics.exe, 00000004.00000002.2505106985.0000000000740000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2530140781.0000000007514000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadT
Source: Synaptics.exe, 00000004.00000002.2525281255.0000000005590000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadUserR
Source: Synaptics.exe, 00000004.00000002.2525281255.0000000005590000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2545756503.000000000DDDD000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2505106985.0000000000740000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2530140781.000000000755A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadV
Source: Synaptics.exe, 00000004.00000002.2547909817.000000000DEEE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadVB
Source: Synaptics.exe, 00000004.00000002.2505106985.0000000000740000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadVL
Source: Synaptics.exe, 00000004.00000002.2505106985.0000000000740000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadVv
Source: Synaptics.exe, 00000004.00000002.2530140781.0000000007585000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2549645289.000000000DF8B000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2545756503.000000000DDDD000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2505106985.0000000000724000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2505106985.000000000070A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadW
Source: Synaptics.exe, 00000004.00000002.2545756503.000000000DDDD000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2505106985.0000000000740000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadX
Source: Synaptics.exe, 00000004.00000002.2505106985.0000000000740000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadX-V
Source: Synaptics.exe, 00000004.00000002.2547909817.000000000DEEE000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2525281255.000000000551D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadXA
Source: Synaptics.exe, 00000004.00000002.2530140781.00000000074D1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadXN
Source: Synaptics.exe, 00000004.00000002.2530140781.0000000007585000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2549645289.000000000DF35000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadY
Source: Synaptics.exe, 00000004.00000002.2525281255.000000000551D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadZ$
Source: Synaptics.exe, 00000004.00000002.2530140781.0000000007585000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2549645289.000000000DF8B000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2525281255.0000000005590000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2530140781.000000000747C000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2530140781.000000000755A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download_
Source: Synaptics.exe, 00000004.00000002.2525281255.000000000551D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download_.(
Source: Synaptics.exe, 00000004.00000002.2530140781.000000000747C000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2549645289.000000000DF35000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2505106985.000000000070A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloada
Source: Synaptics.exe, 00000004.00000002.2525281255.0000000005590000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadalifoy
Source: Synaptics.exe, 00000004.00000002.2525281255.0000000005590000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2545756503.000000000DDDD000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2505106985.0000000000740000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2530140781.000000000755A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadb
Source: Synaptics.exe, 00000004.00000002.2547909817.000000000DEEE000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2525281255.000000000551D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadbB
Source: Synaptics.exe, 00000004.00000002.2505106985.0000000000740000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadbv
Source: Synaptics.exe, 00000004.00000002.2530140781.0000000007585000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2525281255.0000000005590000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadc
Source: Synaptics.exe, 00000004.00000002.2530140781.0000000007514000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadce
Source: Synaptics.exe, 00000004.00000002.2530140781.0000000007514000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadce$
Source: Synaptics.exe, 00000004.00000002.2540164357.000000000DD8E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadce-
Source: Synaptics.exe, 00000004.00000002.2530140781.0000000007585000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadcelle
Source: Synaptics.exe, 00000004.00000002.2525281255.0000000005590000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadcher
Source: Synaptics.exe, 00000004.00000002.2525281255.0000000005590000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadcom
Source: Synaptics.exe, 00000004.00000002.2505106985.0000000000724000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadct
Source: Synaptics.exe, 00000004.00000002.2525281255.0000000005590000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadcuri
Source: Synaptics.exe, 00000004.00000002.2530140781.000000000755A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadcyu
Source: Synaptics.exe, 00000004.00000002.2540164357.000000000DD8E000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2505106985.0000000000740000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2525281255.000000000551D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadd
Source: Synaptics.exe, 00000004.00000002.2530140781.00000000074D1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloaddN
Source: Synaptics.exe, 00000004.00000002.2525281255.0000000005590000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2545756503.000000000DDDD000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2505106985.0000000000740000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2549645289.000000000DF35000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2530140781.000000000755A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloade
Source: Synaptics.exe, 00000004.00000002.2505106985.0000000000740000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloade.com
Source: Synaptics.exe, 00000004.00000002.2530140781.0000000007514000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloade8
Source: Synaptics.exe, 00000004.00000002.2547909817.000000000DEEE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadeC
Source: Synaptics.exe, 00000004.00000002.2530140781.000000000755A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadeTw
Source: Synaptics.exe, 00000004.00000002.2505106985.0000000000740000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadeV
Source: Synaptics.exe, 00000004.00000002.2525281255.0000000005590000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadectin
Source: Synaptics.exe, 00000004.00000002.2505106985.0000000000740000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadef.
Source: Synaptics.exe, 00000004.00000002.2530140781.000000000755A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadek
Source: Synaptics.exe, 00000004.00000002.2540164357.000000000DD8E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadel
Source: Synaptics.exe, 00000004.00000002.2530140781.0000000007585000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloademe
Source: Synaptics.exe, 00000004.00000002.2540164357.000000000DD8E000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2505106985.0000000000740000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloaden
Source: Synaptics.exe, 00000004.00000002.2540164357.000000000DD8E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadena
Source: Synaptics.exe, 00000004.00000002.2530140781.0000000007585000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadenet
Source: Synaptics.exe, 00000004.00000002.2530140781.0000000007585000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadeniyo
Source: Synaptics.exe, 00000004.00000002.2525281255.0000000005590000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadeniyoa
Source: Synaptics.exe, 00000004.00000002.2530140781.0000000007514000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloader
Source: Synaptics.exe, 00000004.00000002.2540164357.000000000DD8E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadere
Source: Synaptics.exe, 00000004.00000002.2540164357.000000000DD8E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadet
Source: Synaptics.exe, 00000004.00000002.2525281255.0000000005590000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadetle
Source: Synaptics.exe, 00000004.00000002.2525281255.0000000005590000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2545756503.000000000DDDD000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2525281255.000000000551D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadf
Source: Synaptics.exe, 00000004.00000002.2525281255.000000000551D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadfPr
Source: Synaptics.exe, 00000004.00000002.2525281255.0000000005590000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadfor
Source: Synaptics.exe, 00000004.00000002.2525281255.0000000005590000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2505106985.0000000000724000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadg
Source: Synaptics.exe, 00000004.00000002.2525281255.000000000551D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadg1
Source: Synaptics.exe, 00000004.00000002.2505106985.0000000000740000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadgE
Source: Synaptics.exe, 00000004.00000002.2525281255.000000000551D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadggpht.cn?(
Source: Synaptics.exe, 00000004.00000002.2530140781.000000000755A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadgxq
Source: Synaptics.exe, 00000004.00000002.2530140781.0000000007585000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2525281255.0000000005590000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2505106985.0000000000740000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadh
Source: Synaptics.exe, 00000004.00000002.2530140781.00000000074D1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadhL
Source: Synaptics.exe, 00000004.00000002.2525281255.000000000551D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadhU
Source: Synaptics.exe, 00000004.00000002.2537092293.000000000C96E000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2528325445.000000000699E000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2561933231.0000000014B3E000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2562937353.00000000158FE000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2531914603.00000000076EE000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2556961561.0000000010AAE000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2555989110.000000000FCEE000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2560893436.0000000013EBE000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2537365829.000000000CBEE000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2551206758.000000000E52E000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2557582484.000000001136E000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2557875148.000000001172E000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2553023388.000000000F06E000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2560816353.0000000013D7E000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2560189642.00000000134BE000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2551380076.000000000E66E000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2560371513.000000001373E000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2561336497.00000000143BE000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2557489077.000000001122E000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2529069116.00000000073AE000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2557682794.00000000114AE000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadi
Source: Synaptics.exe, 00000004.00000002.2532759525.00000000089AE000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2536053347.000000000BBAE000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2568239629.0000000016BBE000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2527568628.000000000601E000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2532898946.0000000008C2E000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2569440947.0000000016F7E000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2559082108.00000000125BE000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2532693655.000000000886E000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2558290618.0000000011E3E000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2559460304.0000000012ABE000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2559365558.000000001297E000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2556595304.00000000105AE000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2533252926.000000000926E000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2559731200.0000000012E7E000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2538721882.000000000D36E000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2534712710.000000000A8EE000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2529000793.000000000726E000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2559551653.0000000012BFE000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2556504535.000000001046E000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2568872141.0000000016CFE000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2559644828.0000000012D3E000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadi4
Source: Synaptics.exe, 00000004.00000002.2530140781.0000000007514000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadic
Source: Synaptics.exe, 00000004.00000002.2530140781.0000000007514000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadie
Source: Synaptics.exe, 00000004.00000002.2530140781.0000000007514000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadio0
Source: Synaptics.exe, 00000004.00000002.2505106985.0000000000740000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadion07
Source: Synaptics.exe, 00000004.00000002.2525281255.0000000005590000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2545756503.000000000DDDD000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2505106985.0000000000740000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadj
Source: Synaptics.exe, 00000004.00000002.2547909817.000000000DEEE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadjC6
Source: Synaptics.exe, 00000004.00000002.2505106985.0000000000740000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadjM
Source: Synaptics.exe, 00000004.00000002.2530140781.000000000755A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadjT
Source: Synaptics.exe, 00000004.00000002.2540164357.000000000DD8E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadje
Source: Synaptics.exe, 00000004.00000002.2525281255.0000000005590000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadjecti
Source: Synaptics.exe, 00000004.00000002.2530140781.000000000755A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadjk
Source: Synaptics.exe, 00000004.00000002.2505106985.0000000000740000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadjlv
Source: Synaptics.exe, 00000004.00000002.2549645289.000000000DF8B000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2525281255.0000000005590000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2505106985.0000000000724000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadk
Source: Synaptics.exe, 00000004.00000002.2505106985.0000000000724000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadk&
Source: Synaptics.exe, 00000004.00000002.2505106985.0000000000740000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadlE
Source: Synaptics.exe, 00000004.00000002.2540164357.000000000DD8E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadleI
Source: Synaptics.exe, 00000004.00000002.2540164357.000000000DD8E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadleM
Source: Synaptics.exe, 00000004.00000002.2530140781.0000000007585000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadleme
Source: Synaptics.exe, 00000004.00000002.2505106985.0000000000740000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadli
Source: Synaptics.exe, 00000004.00000002.2505106985.0000000000740000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2547909817.000000000DEEE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadm
Source: Synaptics.exe, 00000004.00000002.2530140781.000000000755A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadmU
Source: Synaptics.exe, 00000004.00000002.2525281255.0000000005590000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2530140781.0000000007514000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadme
Source: Synaptics.exe, 00000004.00000002.2540164357.000000000DD8E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadmeY
Source: Synaptics.exe, 00000004.00000002.2525281255.0000000005590000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2530140781.000000000747C000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2505106985.0000000000740000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2525281255.000000000551D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadn
Source: Synaptics.exe, 00000004.00000002.2530140781.0000000007514000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadn.(
Source: Synaptics.exe, 00000004.00000002.2505106985.0000000000740000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadnL
Source: Synaptics.exe, 00000004.00000002.2540164357.000000000DD8E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadnc
Source: Synaptics.exe, 00000004.00000002.2540164357.000000000DD8E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadng
Source: Synaptics.exe, 00000004.00000002.2525281255.0000000005590000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadns-P
Source: Synaptics.exe, 00000004.00000002.2505106985.0000000000740000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadnt
Source: Synaptics.exe, 00000004.00000002.2547909817.000000000DE98000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2549645289.000000000DF8B000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2525281255.0000000005590000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2545756503.000000000DDDD000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2505106985.0000000000724000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloado
Source: Synaptics.exe, 00000004.00000002.2505106985.0000000000740000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadog
Source: Synaptics.exe, 00000004.00000002.2530140781.0000000007514000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadom8
Source: Synaptics.exe, 00000004.00000002.2505106985.0000000000740000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadomI
Source: Synaptics.exe, 00000004.00000002.2530140781.0000000007514000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadoml
Source: Synaptics.exe, 00000004.00000002.2525281255.0000000005590000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadone
Source: Synaptics.exe, 00000004.00000002.2505106985.0000000000740000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadonz
Source: Synaptics.exe, 00000004.00000002.2505106985.0000000000740000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2530140781.0000000007514000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadoo
Source: Synaptics.exe, 00000004.00000002.2525281255.0000000005590000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2505106985.0000000000740000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2530140781.0000000007514000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadp
Source: Synaptics.exe, 00000004.00000002.2530140781.00000000074D1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadpN
Source: Synaptics.exe, 00000004.00000002.2505106985.0000000000740000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadpe
Source: Synaptics.exe, 00000004.00000002.2505106985.0000000000740000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadpl
Source: Synaptics.exe, 00000004.00000002.2549645289.000000000DF35000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadq
Source: Synaptics.exe, 00000004.00000002.2525281255.000000000551D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadq1
Source: Synaptics.exe, 00000004.00000002.2525281255.000000000551D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadq1B
Source: Synaptics.exe, 00000004.00000002.2505106985.0000000000740000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadqE
Source: Synaptics.exe, 00000004.00000002.2505106985.0000000000724000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadr
Source: Synaptics.exe, 00000004.00000002.2525281255.0000000005590000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadr...
Source: Synaptics.exe, 00000004.00000002.2525281255.0000000005590000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadr...#
Source: Synaptics.exe, 00000004.00000002.2505106985.0000000000724000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadrK
Source: Synaptics.exe, 00000004.00000002.2530140781.000000000755A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadrU
Source: Synaptics.exe, 00000004.00000002.2505106985.0000000000724000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadrc
Source: Synaptics.exe, 00000004.00000002.2530140781.0000000007514000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadrg
Source: Synaptics.exe, 00000004.00000002.2530140781.000000000755A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadrtDT
Source: Synaptics.exe, 00000004.00000002.2549645289.000000000DF8B000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2530140781.000000000747C000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2505106985.0000000000724000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloads
Source: Synaptics.exe, 00000004.00000002.2530140781.000000000755A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadsx
Source: Synaptics.exe, 00000004.00000002.2525281255.0000000005590000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2545756503.000000000DDDD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadt
Source: Synaptics.exe, 00000004.00000002.2530140781.00000000074D1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadtM
Source: Synaptics.exe, 00000004.00000002.2540164357.000000000DD8E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadtc
Source: Synaptics.exe, 00000004.00000002.2540164357.000000000DD8E000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2525281255.0000000005590000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadte
Source: Synaptics.exe, 00000004.00000002.2505106985.0000000000740000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadtent
Source: Synaptics.exe, 00000004.00000002.2530140781.0000000007514000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadti
Source: Synaptics.exe, 00000004.00000002.2540164357.000000000DD8E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadtl
Source: Synaptics.exe, 00000004.00000002.2525281255.0000000005590000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadtop
Source: Synaptics.exe, 00000004.00000002.2525281255.0000000005590000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadts
Source: Synaptics.exe, 00000004.00000002.2530140781.0000000007585000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2505106985.0000000000740000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2547909817.000000000DEEE000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2549645289.000000000DF35000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadu
Source: Synaptics.exe, 00000004.00000002.2525281255.000000000551D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadutub
Source: Synaptics.exe, 00000004.00000002.2525281255.0000000005590000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2505106985.000000000070A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadv
Source: Synaptics.exe, 00000004.00000002.2530140781.0000000007514000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadve4
Source: Synaptics.exe, 00000004.00000002.2525281255.000000000551D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadviZ
Source: Synaptics.exe, 00000004.00000002.2530140781.000000000755A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadw
Source: Synaptics.exe, 00000004.00000002.2525281255.000000000551D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadwB
Source: Synaptics.exe, 00000004.00000002.2547909817.000000000DEEE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadwB3
Source: Synaptics.exe, 00000004.00000002.2530140781.000000000747C000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2505106985.0000000000740000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadx
Source: Synaptics.exe, 00000004.00000002.2545756503.000000000DDDD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloady
Source: Synaptics.exe, 00000004.00000002.2525281255.000000000551D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadyA$
Source: Synaptics.exe, 00000004.00000002.2530140781.0000000007585000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadyor...
Source: Synaptics.exe, 00000004.00000002.2505106985.0000000000740000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadyoutu
Source: Synaptics.exe, 00000004.00000002.2530140781.0000000007585000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2525281255.0000000005590000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2545756503.000000000DDDD000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2505106985.0000000000740000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadz
Source: Synaptics.exe, 00000004.00000002.2505106985.0000000000740000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadzL
Source: Synaptics.exe, 00000004.00000002.2505106985.0000000000740000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2525281255.000000000551D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download~
Source: F.exe, 00000002.00000003.2064449004.00000000021A0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=downloX
Source: F.exe, 00000002.00000003.2064449004.00000000021A0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=downloXO
Source: vbaProject.bin String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download
Source: Synaptics.exe, 00000004.00000002.2511829684.0000000002130000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=downloadN
Source: Synaptics.exe, 00000004.00000002.2547909817.000000000DE98000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2549645289.000000000DF8B000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2545756503.000000000DDDD000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2525281255.000000000551D000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2505106985.000000000070A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.usercontent.google.com/
Source: Synaptics.exe, 00000004.00000002.2545756503.000000000DDDD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.usercontent.google.com/7
Source: Synaptics.exe, 00000004.00000002.2545756503.000000000DDDD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.usercontent.google.com/Y
Source: Synaptics.exe, 00000004.00000002.2525281255.0000000005580000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2505106985.0000000000724000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
Source: Synaptics.exe, 00000004.00000002.2529101852.00000000073F8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download/4
Source: Synaptics.exe, 00000004.00000002.2525281255.000000000551D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download4
Source: Synaptics.exe, 00000004.00000002.2525281255.000000000551D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadF
Source: Synaptics.exe, 00000004.00000002.2529101852.00000000073F8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadOx
Source: Synaptics.exe, 00000004.00000002.2525281255.000000000551D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadV
Source: Synaptics.exe, 00000004.00000002.2529101852.0000000007409000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadg
Source: Synaptics.exe, 00000004.00000002.2525281255.000000000551D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadu
Source: Synaptics.exe, 00000004.00000002.2547909817.000000000DE98000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.usercontent.google.com/z
Source: powershell.exe, 0000001B.00000002.2765152080.0000000004EF6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: msedge_pwa_launcher.exe.0.dr, identity_helper.exe.0.dr String found in binary or memory: https://github.com/pq-crystals/kyber/commit/28413dfbf523fdde181246451c2bd77199c0f7ff
Source: msedge_pwa_launcher.exe.0.dr, identity_helper.exe.0.dr String found in binary or memory: https://github.com/pq-crystals/kyber/commit/28413dfbf523fdde181246451c2bd77199c0f7ffDilithium2Dilith
Source: powershell.exe, 00000015.00000002.2752155516.0000000005CAA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.2752155516.0000000005E1A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://go.micro
Source: integrator.exe.0.dr String found in binary or memory: https://nexus.officeapps.live.comhttps://nexusrules.officeapps.live.com
Source: powershell.exe, 00000008.00000002.2281858184.00000000055BD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.2802481932.0000000006529000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.2823008513.0000000006039000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.2834693917.0000000005E0A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: integrator.exe.0.dr String found in binary or memory: https://otelrules.azureedge.net/rules/.bundlesdxhelper.exeFailed
Source: F.exe, 00000002.00000003.2064449004.00000000021A0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=
Source: Synaptics.exe.2.dr String found in binary or memory: https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1
Source: Synaptics.exe, 00000004.00000002.2511829684.0000000002130000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1:
Source: F.exe, 00000002.00000003.2064449004.00000000021A0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl
Source: Synaptics.exe.2.dr String found in binary or memory: https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1
Source: Synaptics.exe, 00000004.00000002.2511829684.0000000002130000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=16
Source: vbaProject.bin String found in binary or memory: https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1
Source: Synaptics.exe, 00000004.00000002.2511829684.0000000002130000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1:
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown Network traffic detected: HTTP traffic on port 49817 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown Network traffic detected: HTTP traffic on port 49800 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49852 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49795 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown Network traffic detected: HTTP traffic on port 49841 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49852
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49851
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49850
Source: unknown Network traffic detected: HTTP traffic on port 49812 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49784 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49806 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown Network traffic detected: HTTP traffic on port 49777 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49847
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49846
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown Network traffic detected: HTTP traffic on port 49790 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49845
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49841
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49840
Source: unknown Network traffic detected: HTTP traffic on port 49805 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49839
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49838
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49837
Source: unknown Network traffic detected: HTTP traffic on port 49847 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49836
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49835
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49832
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49831
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49830
Source: unknown Network traffic detected: HTTP traffic on port 49839 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49829
Source: unknown Network traffic detected: HTTP traffic on port 49811 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49827
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49826
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49825
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49824
Source: unknown Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49771 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49786
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49785
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49784
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49783
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49781
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49780
Source: unknown Network traffic detected: HTTP traffic on port 49836 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49785 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49807 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49845 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49791 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49779
Source: unknown Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49778
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49780 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49851 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49830 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown Network traffic detected: HTTP traffic on port 49840 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49801 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49824 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown Network traffic detected: HTTP traffic on port 49818 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49835 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49786 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49829 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49846 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown Network traffic detected: HTTP traffic on port 49792 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49781 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49826 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49837 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49820 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49798 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49819 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49793 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49850 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49831 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49799
Source: unknown Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49798
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49795
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49794
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49793
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49792
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49791
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49790
Source: unknown Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49825 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49821
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49820
Source: unknown Network traffic detected: HTTP traffic on port 49779 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49819
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49818
Source: unknown Network traffic detected: HTTP traffic on port 49799 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49810 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49817
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49815
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49812
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49811
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49810
Source: unknown Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49794 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49827 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49809
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49807
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49806
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49805
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49804
Source: unknown Network traffic detected: HTTP traffic on port 49773 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49801
Source: unknown Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49800
Source: unknown Network traffic detected: HTTP traffic on port 49783 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49838 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49821 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49815 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49809 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49778 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49804 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49832 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown HTTPS traffic detected: 216.58.206.78:443 -> 192.168.2.5:49712 version: TLS 1.2
Source: unknown HTTPS traffic detected: 216.58.206.78:443 -> 192.168.2.5:49711 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.250.184.225:443 -> 192.168.2.5:49718 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.250.184.225:443 -> 192.168.2.5:49717 version: TLS 1.2
Source: unknown HTTPS traffic detected: 216.58.206.78:443 -> 192.168.2.5:49739 version: TLS 1.2
Source: unknown HTTPS traffic detected: 216.58.206.78:443 -> 192.168.2.5:49741 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.250.184.225:443 -> 192.168.2.5:49744 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.250.184.225:443 -> 192.168.2.5:49747 version: TLS 1.2
Source: unknown HTTPS traffic detected: 216.58.206.78:443 -> 192.168.2.5:49766 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.250.184.225:443 -> 192.168.2.5:49765 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.250.184.225:443 -> 192.168.2.5:49767 version: TLS 1.2
Source: unknown HTTPS traffic detected: 216.58.206.78:443 -> 192.168.2.5:49768 version: TLS 1.2
Source: unknown HTTPS traffic detected: 216.58.206.78:443 -> 192.168.2.5:49778 version: TLS 1.2
Source: unknown HTTPS traffic detected: 216.58.206.78:443 -> 192.168.2.5:49781 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.250.184.225:443 -> 192.168.2.5:49798 version: TLS 1.2
Source: unknown HTTPS traffic detected: 216.58.206.78:443 -> 192.168.2.5:49799 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.250.184.225:443 -> 192.168.2.5:49800 version: TLS 1.2
Source: unknown HTTPS traffic detected: 216.58.206.78:443 -> 192.168.2.5:49801 version: TLS 1.2
Source: unknown HTTPS traffic detected: 216.58.206.78:443 -> 192.168.2.5:49804 version: TLS 1.2
Source: unknown HTTPS traffic detected: 216.58.206.78:443 -> 192.168.2.5:49805 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.250.184.225:443 -> 192.168.2.5:49812 version: TLS 1.2
Source: unknown HTTPS traffic detected: 216.58.206.78:443 -> 192.168.2.5:49820 version: TLS 1.2
Source: unknown HTTPS traffic detected: 216.58.206.78:443 -> 192.168.2.5:49821 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.250.184.225:443 -> 192.168.2.5:49824 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.250.184.225:443 -> 192.168.2.5:49826 version: TLS 1.2
Source: unknown HTTPS traffic detected: 216.58.206.78:443 -> 192.168.2.5:49839 version: TLS 1.2
Source: unknown HTTPS traffic detected: 216.58.206.78:443 -> 192.168.2.5:49841 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.250.184.225:443 -> 192.168.2.5:49840 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.250.184.225:443 -> 192.168.2.5:49847 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.107.246.60:443 -> 192.168.2.5:49850 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.107.246.60:443 -> 192.168.2.5:49851 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.107.246.60:443 -> 192.168.2.5:49852 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing
barindex
Yara detected AsyncRAT
Source: Yara match File source: F.exe, type: SAMPLE
Source: Yara match File source: 2.3.F.exe.8cc070.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.F.exe.8cc070.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.._cache_F.exe.6a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.Synaptics.exe.2a4f458.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.Synaptics.exe.21e5438.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.F.exe.2257504.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.._cache_F.exe.12ac1a78.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.F.exe.4b6c38.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.F.exe.2257504.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.Synaptics.exe.2a4f458.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.F.exe.4b6c38.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.Synaptics.exe.21e5438.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.._cache_F.exe.12ac1a78.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.F.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.3303772990.0000000012AC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2045892912.00000000021B4000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.2067928599.000000000299E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2060756017.000000000089B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.2060247485.00000000006A2000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.2048511281.00000000004A5000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.2068336947.00000000021D3000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: F.exe PID: 1560, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: F.exe PID: 2668, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Synaptics.exe PID: 3868, type: MEMORYSTR
Source: Yara match File source: C:\ProgramData\XClient.exe, type: DROPPED
Source: Yara match File source: C:\ProgramData\Synaptics\Synaptics.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\Desktop\._cache_F.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\cyXtjfIL.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\3582-490\F.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\RCXAE3F.tmp, type: DROPPED
Contains functionality to log keystrokes (.Net Source)
Source: 0.3.F.exe.2257504.0.raw.unpack, XLogger.cs .Net Code: KeyboardLayout
Source: ._cache_F.exe.2.dr, XLogger.cs .Net Code: KeyboardLayout
Installs a raw input device (often for capturing keystrokes)
Source: FLTLDR.EXE.7.dr Binary or memory string: RegisterRawInputDevices memstr_7506c74c-8

Operating System Destruction
barindex
Protects its processes via BreakOnTermination flag
Source: C:\Users\user\Desktop\._cache_F.exe Process information set: 01 00 00 00 Jump to behavior

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: F.exe, type: SAMPLE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 2.3.F.exe.8cc070.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 2.3.F.exe.8cc070.0.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 3.0.._cache_F.exe.6a0000.0.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 4.3.Synaptics.exe.2a4f458.0.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 4.3.Synaptics.exe.21e5438.1.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.3.F.exe.2257504.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 3.2.._cache_F.exe.12ac1a78.1.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 2.0.F.exe.4b6c38.1.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.3.F.exe.2257504.0.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 4.3.Synaptics.exe.2a4f458.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 2.0.F.exe.4b6c38.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 4.3.Synaptics.exe.21e5438.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 3.2.._cache_F.exe.12ac1a78.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 2.0.F.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000003.00000002.3303772990.0000000012AC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000003.2045892912.00000000021B4000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000004.00000003.2067928599.000000000299E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000002.00000003.2060756017.000000000089B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000003.00000000.2060247485.00000000006A2000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000002.00000000.2048511281.00000000004A5000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000004.00000003.2068336947.00000000021D3000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\ProgramData\XClient.exe, type: DROPPED Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\ProgramData\Synaptics\Synaptics.exe, type: DROPPED Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\Desktop\._cache_F.exe, type: DROPPED Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\cyXtjfIL.exe, type: DROPPED Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\3582-490\F.exe, type: DROPPED Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\RCXAE3F.tmp, type: DROPPED Matched rule: Detects AsyncRAT Author: ditekSHen
Creates driver files
Source: C:\Windows\svchost.com File created: C:\Windows\directx.sys
Creates files inside the system directory
Source: C:\Users\user\Desktop\F.exe File created: C:\Windows\svchost.com Jump to behavior
Source: C:\Windows\svchost.com File created: C:\Windows\directx.sys
Detected potential crypto function
Source: C:\Users\user\Desktop\._cache_F.exe Code function: 3_2_00007FF848F06662 3_2_00007FF848F06662
Source: C:\Users\user\Desktop\._cache_F.exe Code function: 3_2_00007FF848F00610 3_2_00007FF848F00610
Source: C:\Users\user\Desktop\._cache_F.exe Code function: 3_2_00007FF848F01771 3_2_00007FF848F01771
Source: C:\Users\user\Desktop\._cache_F.exe Code function: 3_2_00007FF848F058B6 3_2_00007FF848F058B6
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_0415B490 8_2_0415B490
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_0415B470 8_2_0415B470
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 21_2_04FBB490 21_2_04FBB490
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 21_2_04FBB470 21_2_04FBB470
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 24_2_04F0B490 24_2_04F0B490
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 24_2_04F0B470 24_2_04F0B470
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 24_2_08AA3E98 24_2_08AA3E98
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 27_2_04BEB490 27_2_04BEB490
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 27_2_04BEB470 27_2_04BEB470
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 27_2_085D3E98 27_2_085D3E98
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\Program Files (x86)\AutoIt3\Au3Check.exe A3C4641D4CB4608AF18CD06E4C01339C65C25B9289F0AA01CABE0E5C250A0E15
Source: Joe Sandbox View Dropped File: C:\Program Files (x86)\AutoIt3\Au3Info.exe 55075BDACF914AF03AD6CD417AFFC3A604A73AFD3D06A2256A1835CBF0F39B5E
Source: Joe Sandbox View Dropped File: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe B904C8888CD019FAD590E1135E917D944BC16340757BC90DDD3511359766B8BB
Source: Joe Sandbox View Dropped File: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe 15D3823B1CB8C10E2F0A0882BC273093742E957F0E7DB05B98B8FF020897559D
One or more processes crash
Source: C:\ProgramData\Synaptics\Synaptics.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3868 -s 3276
PE file contains executable resources (Code or Archives)
Source: Synaptics.exe.2.dr Static PE information: Resource name: RT_RCDATA type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Source: Synaptics.exe.2.dr Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Sample file is different than original file name gathered from version info
Source: F.exe, 00000000.00000003.2045892912.0000000002271000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameXClient.exe4 vs F.exe
Source: F.exe, 00000000.00000003.2045892912.00000000021B4000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFileName vs F.exe
Source: F.exe, 00000002.00000003.2064567983.000000000088F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFileName vs F.exe
Source: F.exe, 00000002.00000003.2064567983.000000000088F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameXClient.exe4 vs F.exe
Source: F.exe, 00000002.00000003.2061562260.000000000088F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameXClient.exe4 vs F.exe
Source: F.exe, 00000002.00000003.2064567983.000000000087D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFileName vs F.exe
Source: F.exe, 00000002.00000000.2048183618.0000000000401000.00000020.00000001.01000000.00000005.sdmp Binary or memory string: OriginalFileName vs F.exe
Source: F.exe, 00000002.00000003.2062267957.00000000008B5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameXClient.exe4 vs F.exe
Source: F.exe, 00000002.00000003.2062923839.00000000008B5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameXClient.exe4 vs F.exe
Source: F.exe, 00000002.00000003.2060756017.000000000089B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameXClient.exe4 vs F.exe
Source: F.exe, 00000002.00000000.2048511281.00000000004A5000.00000002.00000001.01000000.00000005.sdmp Binary or memory string: OriginalFilenameXClient.exe4 vs F.exe
Source: F.exe, 00000002.00000003.2061562260.000000000084C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFileName vs F.exe
Source: ._cache_F.exe, 00000003.00000002.3303772990.0000000012AC1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameXClient.exe4 vs F.exe
Source: ._cache_F.exe, 00000003.00000000.2060247485.00000000006BC000.00000002.00000001.01000000.00000006.sdmp Binary or memory string: OriginalFilenameXClient.exe4 vs F.exe
Source: F.exe Binary or memory string: OriginalFileName vs F.exe
Source: F.exe Binary or memory string: OriginalFilenameXClient.exe4 vs F.exe
Uses 32bit PE files
Source: F.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Yara signature match
Source: F.exe, type: SAMPLE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 2.3.F.exe.8cc070.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 2.3.F.exe.8cc070.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 3.0.._cache_F.exe.6a0000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 4.3.Synaptics.exe.2a4f458.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 4.3.Synaptics.exe.21e5438.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.3.F.exe.2257504.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 3.2.._cache_F.exe.12ac1a78.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 2.0.F.exe.4b6c38.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.3.F.exe.2257504.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 4.3.Synaptics.exe.2a4f458.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 2.0.F.exe.4b6c38.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 4.3.Synaptics.exe.21e5438.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 3.2.._cache_F.exe.12ac1a78.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 2.0.F.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000003.00000002.3303772990.0000000012AC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000003.2045892912.00000000021B4000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000004.00000003.2067928599.000000000299E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000002.00000003.2060756017.000000000089B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000003.00000000.2060247485.00000000006A2000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000002.00000000.2048511281.00000000004A5000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000004.00000003.2068336947.00000000021D3000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\ProgramData\XClient.exe, type: DROPPED Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\ProgramData\Synaptics\Synaptics.exe, type: DROPPED Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Users\user\Desktop\._cache_F.exe, type: DROPPED Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Users\user\AppData\Local\Temp\cyXtjfIL.exe, type: DROPPED Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Users\user\AppData\Local\Temp\3582-490\F.exe, type: DROPPED Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Users\user\AppData\Local\Temp\RCXAE3F.tmp, type: DROPPED Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.3.F.exe.2257504.0.raw.unpack, Helper.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.3.F.exe.2257504.0.raw.unpack, Helper.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.3.F.exe.2257504.0.raw.unpack, AlgorithmAES.cs Cryptographic APIs: 'TransformFinalBlock'
Source: ._cache_F.exe.2.dr, Helper.cs Cryptographic APIs: 'TransformFinalBlock'
Source: ._cache_F.exe.2.dr, Helper.cs Cryptographic APIs: 'TransformFinalBlock'
Source: ._cache_F.exe.2.dr, AlgorithmAES.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.3.F.exe.2257504.0.raw.unpack, ClientSocket.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.3.F.exe.2257504.0.raw.unpack, ClientSocket.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: ._cache_F.exe.2.dr, ClientSocket.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: ._cache_F.exe.2.dr, ClientSocket.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine Classification label: mal100.spre.troj.spyw.evad.winEXE@32/223@8/6
Source: C:\Users\user\AppData\Local\Temp\3582-490\F.exe File created: C:\Users\user\Desktop\._cache_F.exe Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7340:120:WilError_03
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8624:120:WilError_03
Source: C:\ProgramData\Synaptics\Synaptics.exe Mutant created: \Sessions\1\BaseNamedObjects\Synaptics2X
Source: C:\Users\user\Desktop\._cache_F.exe Mutant created: \Sessions\1\BaseNamedObjects\mbuYWmhQxC0l7ybb
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3868
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8832:120:WilError_03
Source: C:\Windows\svchost.com Mutant created: \Sessions\1\BaseNamedObjects\MutexPolesskayaGlush*.* svchost.com n X . t N t h ` T 5 @
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8532:120:WilError_03
Source: C:\Users\user\Desktop\F.exe File created: C:\Users\user\AppData\Local\Temp\3582-490 Jump to behavior
Source: Yara match File source: F.exe, type: SAMPLE
Source: Yara match File source: 2.0.F.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000003.2068336947.00000000021FF000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.2048183618.0000000000401000.00000020.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.2067928599.0000000002A69000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: C:\ProgramData\Synaptics\Synaptics.exe, type: DROPPED
Source: Yara match File source: C:\ProgramData\Synaptics\RCXAC4B.tmp, type: DROPPED
Source: Yara match File source: C:\Users\user\Documents\BJZFPPWAPT\~$cache1, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\cyXtjfIL.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\3582-490\F.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\RCXAE3F.tmp, type: DROPPED
Source: C:\Users\user\AppData\Local\Temp\3582-490\F.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: F.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 46.72%
Source: C:\Users\user\Desktop\F.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\F.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: integrator.exe.0.dr Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: integrator.exe.0.dr Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: integrator.exe.0.dr Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: integrator.exe.0.dr Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: F.exe ReversingLabs: Detection: 100%
Source: F.exe Virustotal: Detection: 90%
Source: C:\Users\user\Desktop\F.exe File read: C:\Users\user\Desktop\F.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\F.exe "C:\Users\user\Desktop\F.exe"
Source: C:\Users\user\Desktop\F.exe Process created: C:\Users\user\AppData\Local\Temp\3582-490\F.exe "C:\Users\user\AppData\Local\Temp\3582-490\F.exe"
Source: C:\Users\user\AppData\Local\Temp\3582-490\F.exe Process created: C:\Users\user\Desktop\._cache_F.exe "C:\Users\user\Desktop\._cache_F.exe"
Source: C:\Users\user\AppData\Local\Temp\3582-490\F.exe Process created: C:\ProgramData\Synaptics\Synaptics.exe "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
Source: unknown Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
Source: C:\Users\user\Desktop\._cache_F.exe Process created: C:\Windows\svchost.com "C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\._cache_F.exe'
Source: C:\Windows\svchost.com Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\._cache_F.exe'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\svchost.com "C:\Windows\svchost.com" "C:\PROGRA~3\SYNAPT~1\SYNAPT~1.EXE"
Source: C:\Windows\svchost.com Process created: C:\ProgramData\Synaptics\Synaptics.exe C:\PROGRA~3\SYNAPT~1\SYNAPT~1.EXE
Source: C:\ProgramData\Synaptics\Synaptics.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3868 -s 3276
Source: C:\Users\user\Desktop\._cache_F.exe Process created: C:\Windows\svchost.com "C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '._cache_F.exe'
Source: C:\Windows\svchost.com Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '._cache_F.exe'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\._cache_F.exe Process created: C:\Windows\svchost.com "C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\XClient.exe'
Source: C:\Windows\svchost.com Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\XClient.exe'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\._cache_F.exe Process created: C:\Windows\svchost.com "C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
Source: C:\Windows\svchost.com Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\F.exe Process created: C:\Users\user\AppData\Local\Temp\3582-490\F.exe "C:\Users\user\AppData\Local\Temp\3582-490\F.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\F.exe Process created: C:\Users\user\Desktop\._cache_F.exe "C:\Users\user\Desktop\._cache_F.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\F.exe Process created: C:\ProgramData\Synaptics\Synaptics.exe "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe Process created: C:\Windows\svchost.com "C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\._cache_F.exe' Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe Process created: C:\Windows\svchost.com "C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '._cache_F.exe' Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe Process created: C:\Windows\svchost.com "C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\XClient.exe' Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe Process created: C:\Windows\svchost.com "C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe' Jump to behavior
Source: C:\Windows\svchost.com Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\._cache_F.exe'
Source: C:\Windows\svchost.com Process created: C:\ProgramData\Synaptics\Synaptics.exe C:\PROGRA~3\SYNAPT~1\SYNAPT~1.EXE
Source: C:\Windows\svchost.com Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '._cache_F.exe'
Source: C:\Windows\svchost.com Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\XClient.exe'
Source: C:\Windows\svchost.com Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
Source: C:\Users\user\Desktop\F.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\F.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\F.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\F.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\F.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\F.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\F.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\F.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\Desktop\F.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\F.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\F.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\F.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\F.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\Desktop\F.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\F.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\F.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\Desktop\F.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\Desktop\F.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\Desktop\F.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\F.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\Desktop\F.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\F.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\F.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\F.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\F.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\F.exe Section loaded: wsock32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\F.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\F.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\F.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\F.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\F.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\F.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\F.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\F.exe Section loaded: twext.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\F.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\F.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\F.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\F.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\F.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\F.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\F.exe Section loaded: policymanager.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\F.exe Section loaded: msvcp110_win.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\F.exe Section loaded: ntshrui.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\F.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\F.exe Section loaded: windows.fileexplorer.common.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\F.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\F.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\F.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\F.exe Section loaded: cscapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\F.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\F.exe Section loaded: shacct.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\F.exe Section loaded: idstore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\F.exe Section loaded: samlib.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\F.exe Section loaded: twinapi.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\F.exe Section loaded: wlidprov.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\F.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\F.exe Section loaded: provsvc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\F.exe Section loaded: starttiledata.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\F.exe Section loaded: acppage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\F.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\F.exe Section loaded: msi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\F.exe Section loaded: aepic.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\F.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\F.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\F.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\F.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\F.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\F.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\F.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\F.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\F.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\F.exe Section loaded: twext.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\F.exe Section loaded: ntshrui.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\F.exe Section loaded: starttiledata.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\F.exe Section loaded: acppage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\F.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\F.exe Section loaded: msi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\F.exe Section loaded: aepic.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\F.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\F.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe Section loaded: scrrun.dll Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe Section loaded: linkinfo.dll Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe Section loaded: ntshrui.dll Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe Section loaded: cscapi.dll Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe Section loaded: avicap32.dll Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe Section loaded: msvfw32.dll Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe Section loaded: winmm.dll Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe Section loaded: version.dll Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe Section loaded: wininet.dll Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe Section loaded: wsock32.dll Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe Section loaded: wldp.dll Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe Section loaded: profapi.dll Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe Section loaded: propsys.dll Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe Section loaded: netutils.dll Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe Section loaded: schannel.dll Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Windows\svchost.com Section loaded: apphelp.dll
Source: C:\Windows\svchost.com Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appresolver.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: bcp47langs.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: slc.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: linkinfo.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntshrui.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cscapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: policymanager.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\ProgramData\Synaptics\Synaptics.exe Section loaded: version.dll
Source: C:\ProgramData\Synaptics\Synaptics.exe Section loaded: wininet.dll
Source: C:\ProgramData\Synaptics\Synaptics.exe Section loaded: wsock32.dll
Source: C:\ProgramData\Synaptics\Synaptics.exe Section loaded: netapi32.dll
Source: C:\ProgramData\Synaptics\Synaptics.exe Section loaded: uxtheme.dll
Source: C:\ProgramData\Synaptics\Synaptics.exe Section loaded: windows.storage.dll
Source: C:\ProgramData\Synaptics\Synaptics.exe Section loaded: wldp.dll
Source: C:\ProgramData\Synaptics\Synaptics.exe Section loaded: kernel.appcore.dll
Source: C:\ProgramData\Synaptics\Synaptics.exe Section loaded: textshaping.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appresolver.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: bcp47langs.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: slc.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: linkinfo.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntshrui.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cscapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: policymanager.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appresolver.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: bcp47langs.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: slc.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: linkinfo.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntshrui.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cscapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: policymanager.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appresolver.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: bcp47langs.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: slc.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: linkinfo.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntshrui.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cscapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: policymanager.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\F.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32 Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe File written: C:\Users\user\AppData\Local\Temp\mnmJwSz.ini Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE File opened: C:\Program Files (x86)\Microsoft Office\root\vfs\SystemX86\MSVCR100.dll
Source: Binary string: D:\DCB\CBT_Main\BuildResults\bin\Win32\Release\armsvc.pdb source: armsvc.exe.0.dr
Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2rcross\x-none\appsharinghookcontroller.pdb source: AppSharingHookController.exe.0.dr
Source: Binary string: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\ source: F.exe, 00000000.00000003.2055179492.00000000021D4000.00000004.00001000.00020000.00000000.sdmp, F.exe, 00000000.00000003.2055145770.00000000021D0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: AppVDllSurrogate64.pdb source: AppVDllSurrogate64.exe.0.dr
Source: Binary string: D:\a\_work\e\src\out\Release_x64\identity_helper.exe.pdbOGP source: identity_helper.exe.0.dr
Source: Binary string: d:\dbs\el\ja2\target\x86\ship\dw\x-none\dw20.pdb source: DW20.EXE.7.dr
Source: Binary string: winload_prod.pdb source: F.exe, 00000000.00000003.2055179492.00000000021D4000.00000004.00001000.00020000.00000000.sdmp, F.exe, 00000000.00000003.2055145770.00000000021D0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: d:\dbs\el\omr\target\x86\ship\graphics_filterloader\x-none\FLTLDR.pdb source: FLTLDR.EXE.7.dr
Source: Binary string: D:\dbs\el\ja2\Target\x86\ship\dcf\x-none\Common.DBConnection64.pdb source: Common.DBConnection64.exe.0.dr
Source: Binary string: MicrosoftEdgeUpdate_unsigned.pdb source: MicrosoftEdgeUpdate.exe.0.dr
Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\cnfnot32.pdb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: CNFNOT32.EXE.0.dr
Source: Binary string: GoogleCrashHandler64_unsigned.pdb source: GoogleCrashHandler64.exe.0.dr
Source: Binary string: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb source: F.exe, 00000000.00000003.2055179492.00000000021D4000.00000004.00001000.00020000.00000000.sdmp, F.exe, 00000000.00000003.2055145770.00000000021D0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\e\src\out\Release_x64\msedge_pwa_launcher.exe.pdb source: msedge_pwa_launcher.exe.0.dr
Source: Binary string: C:\Data\svn\autoit\branch_3.3.16\bin\Aut2Exe\Aut2Exe.pdb source: Aut2exe.exe.0.dr
Source: Binary string: d:\dbs\el\omr\target\x86\ship\click2run\x-none\Integrator.pdb source: integrator.exe.0.dr
Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\graph.pdb source: GRAPH.EXE.0.dr
Source: Binary string: r.pdb source: AppSharingHookController.exe.0.dr
Source: Binary string: d:\dbs\el\ja2\target\x86\ship\dcf\x-none\FileCompare.pdb000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: filecompare.exe.7.dr
Source: Binary string: WINLOA~1.PDB source: F.exe, 00000000.00000003.2055179492.00000000021D4000.00000004.00001000.00020000.00000000.sdmp, F.exe, 00000000.00000003.2055145770.00000000021D0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: d:\dbs\el\omr\target\x86\ship\click2run\x-none\Integrator.pdb0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: integrator.exe.0.dr
Source: Binary string: VSTOInstaller.pdb source: VSTOInstaller.exe.0.dr
Source: Binary string: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\pp source: F.exe, 00000000.00000003.2055179492.00000000021D4000.00000004.00001000.00020000.00000000.sdmp, F.exe, 00000000.00000003.2055145770.00000000021D0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\clview.pdb0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: CLVIEW.EXE.0.dr
Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\sdxhelper.pdblper.pdb0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: SDXHelper.exe.0.dr
Source: Binary string: D:\a\_work\1\s\src\ai\windows\dll\x64\Release\aimgr.pdb source: aimgr.exe.0.dr
Source: Binary string: D:\a\_work\e\src\out\Release_x64\msedge_pwa_launcher.exe.pdbOGP source: msedge_pwa_launcher.exe.0.dr
Source: Binary string: AppVDllSurrogate64.pdbGCTL source: AppVDllSurrogate64.exe.0.dr
Source: Binary string: @ntkrnlmp.pdb source: F.exe, 00000000.00000003.2055179492.00000000021D4000.00000004.00001000.00020000.00000000.sdmp, F.exe, 00000000.00000003.2055145770.00000000021D0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\src\ai\windows\dll\x64\Release\ai.exe.pdb+ source: ai.exe.7.dr
Source: Binary string: @winload_prod.pdbk source: F.exe, 00000000.00000003.2055179492.00000000021D4000.00000004.00001000.00020000.00000000.sdmp, F.exe, 00000000.00000003.2055145770.00000000021D0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: ntkrnlmp.pdb source: F.exe, 00000000.00000003.2055179492.00000000021D4000.00000004.00001000.00020000.00000000.sdmp, F.exe, 00000000.00000003.2055145770.00000000021D0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\cnfnot32.pdb source: CNFNOT32.EXE.0.dr
Source: Binary string: GoogleCrashHandler64_unsigned.pdbl source: GoogleCrashHandler64.exe.0.dr
Source: Binary string: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\*.* source: F.exe, 00000000.00000003.2055179492.00000000021D4000.00000004.00001000.00020000.00000000.sdmp, F.exe, 00000000.00000003.2055145770.00000000021D0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: @winload_prod.pdb source: F.exe, 00000000.00000003.2055179492.00000000021D4000.00000004.00001000.00020000.00000000.sdmp, F.exe, 00000000.00000003.2055145770.00000000021D0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\src\ai\windows\dll\x64\Release\ai.exe.pdb source: ai.exe.7.dr
Source: Binary string: D:\a\_work\1\s\src\ai\windows\dll\Win32\Release\ai.exe.pdb source: ai.exe0.7.dr
Source: Binary string: WINLOA~1.PDBa source: F.exe, 00000000.00000003.2055179492.00000000021D4000.00000004.00001000.00020000.00000000.sdmp, F.exe, 00000000.00000003.2055145770.00000000021D0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: lper.pdb source: SDXHelper.exe.0.dr
Source: Binary string: d:\dbs\el\omr\target\x86\ship\graphics_filterloader\x-none\FLTLDR.pdb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: FLTLDR.EXE.7.dr
Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2rcross\x-none\appsharinghookcontroller.pdbr.pdb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: AppSharingHookController.exe.0.dr
Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\clview.pdb source: CLVIEW.EXE.0.dr
Source: Binary string: D:\dbs\el\ja2\Target\x86\ship\dcf\x-none\DatabaseCompare.pdb source: DATABASECOMPARE.EXE.0.dr
Source: Binary string: D:\a\_work\e\src\out\Release_x64\identity_helper.exe.pdb source: identity_helper.exe.0.dr
Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\sdxhelper.pdb source: SDXHelper.exe.0.dr
Source: Binary string: d:\dbs\el\ja2\target\x86\ship\dw\x-none\dw20.pdb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: DW20.EXE.7.dr
Source: Binary string: D:\a\_work\1\s\src\ai\windows\dll\Win32\Release\ai.exe.pdb/ source: ai.exe0.7.dr
Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\graph.pdb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: GRAPH.EXE.0.dr
Source: Binary string: d:\dbs\el\ja2\target\x86\ship\dcf\x-none\FileCompare.pdb source: filecompare.exe.7.dr

Data Obfuscation
barindex
.NET source code contains method to dynamically call methods (often used by packers)
Source: 0.3.F.exe.2257504.0.raw.unpack, Messages.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.3.F.exe.2257504.0.raw.unpack, Messages.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.3.F.exe.2257504.0.raw.unpack, Messages.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { Pack[2] }}, (string[])null, (Type[])null, (bool[])null, true)
Source: ._cache_F.exe.2.dr, Messages.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: ._cache_F.exe.2.dr, Messages.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: ._cache_F.exe.2.dr, Messages.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { Pack[2] }}, (string[])null, (Type[])null, (bool[])null, true)
.NET source code contains potential unpacker
Source: 0.3.F.exe.2257504.0.raw.unpack, Messages.cs .Net Code: Plugin System.AppDomain.Load(byte[])
Source: 0.3.F.exe.2257504.0.raw.unpack, Messages.cs .Net Code: Memory System.AppDomain.Load(byte[])
Source: 0.3.F.exe.2257504.0.raw.unpack, Messages.cs .Net Code: Memory
Source: ._cache_F.exe.2.dr, Messages.cs .Net Code: Plugin System.AppDomain.Load(byte[])
Source: ._cache_F.exe.2.dr, Messages.cs .Net Code: Memory System.AppDomain.Load(byte[])
Source: ._cache_F.exe.2.dr, Messages.cs .Net Code: Memory
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\._cache_F.exe Code function: 3_2_00007FF848F000BD pushad ; iretd 3_2_00007FF848F000C1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_0415629D push eax; ret 8_2_04156351
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_06E6365C push cs; retf 8_2_06E6366E
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_06E60000 push es; ret 8_2_06E6001E
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 21_2_04FB633D push eax; ret 21_2_04FB6351
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 24_2_04F04210 push ebx; ret 24_2_04F042DA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 24_2_04F06338 push eax; ret 24_2_04F06341
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 24_2_04F03ACD push ebx; retf 24_2_04F03ADA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 27_2_04BE42CD push ebx; ret 27_2_04BE42DA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 27_2_04BE2C95 push 04B80755h; retf 27_2_04BE2CEE
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 27_2_04BE2C5C push 04B80755h; retf 27_2_04BE2CEE
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 27_2_04BE3ADD push ebx; retf 27_2_04BE3ADA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 27_2_04BE3A78 push ebx; retf 27_2_04BE3ADA

Persistence and Installation Behavior
barindex
Yara detected Neshta
Source: Yara match File source: 00000000.00000002.2697226300.0000000000409000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: F.exe PID: 1560, type: MEMORYSTR
Drops PE files to the document folder of the user
Source: C:\ProgramData\Synaptics\Synaptics.exe File created: C:\Users\user\Documents\BJZFPPWAPT\~$cache1 Jump to dropped file
Drops PE files with a suspicious file extension
Source: C:\Users\user\Desktop\F.exe File created: C:\Windows\svchost.com Jump to dropped file
Drops executable to a common third party application directory
Source: C:\Users\user\Desktop\F.exe File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe Jump to behavior
Source: C:\Users\user\Desktop\F.exe File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe Jump to behavior
Drops executables to the windows directory (C:\Windows) and starts them
Source: C:\Users\user\Desktop\._cache_F.exe Executable created and started: C:\Windows\svchost.com Jump to behavior
Infects executable files (exe, dll, sys, html)
Source: C:\Users\user\Desktop\F.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\javaws.exe Jump to behavior
Source: C:\Users\user\Desktop\F.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\DATABASECOMPARE.EXE Jump to behavior
Source: C:\Windows\svchost.com System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\UcMapi.exe
Source: C:\Users\user\Desktop\F.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe Jump to behavior
Source: C:\Users\user\Desktop\F.exe System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe Jump to behavior
Source: C:\Users\user\Desktop\F.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE Jump to behavior
Source: C:\Windows\svchost.com System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\PerfBoost.exe
Source: C:\Users\user\Desktop\F.exe System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe Jump to behavior
Source: C:\Windows\svchost.com System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\MSOHTMED.EXE
Source: C:\Windows\svchost.com System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOXMLED.EXE
Source: C:\Users\user\Desktop\F.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE Jump to behavior
Source: C:\Users\user\Desktop\F.exe System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCopyAccelerator.exe Jump to behavior
Source: C:\Users\user\Desktop\F.exe System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe Jump to behavior
Source: C:\Users\user\Desktop\F.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-006E-0409-0000-0000000FF1CE}\misc.exe Jump to behavior
Source: C:\Users\user\Desktop\F.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\SETLANG.EXE Jump to behavior
Source: C:\Windows\svchost.com System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\DW\DW20.EXE
Source: C:\Windows\svchost.com System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0C0A-0000-0000000FF1CE}\misc.exe
Source: C:\Users\user\Desktop\F.exe System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe Jump to behavior
Source: C:\Users\user\Desktop\F.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\lync99.exe Jump to behavior
Source: C:\Users\user\Desktop\F.exe System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe Jump to behavior
Source: C:\Windows\svchost.com System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\FLTLDR.EXE
Source: C:\Users\user\Desktop\F.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\aimgr.exe Jump to behavior
Source: C:\Users\user\Desktop\F.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe Jump to behavior
Source: C:\Users\user\Desktop\F.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\cookie_exporter.exe Jump to behavior
Source: C:\Windows\svchost.com System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\filecompare.exe
Source: C:\Users\user\Desktop\F.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\SELFCERT.EXE Jump to behavior
Source: C:\Users\user\Desktop\F.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe Jump to behavior
Source: C:\Windows\svchost.com System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\xlicons.exe
Source: C:\Users\user\Desktop\F.exe System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ConfigSecurityPolicy.exe Jump to behavior
Source: C:\Users\user\Desktop\F.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTEM.EXE Jump to behavior
Source: C:\Windows\svchost.com System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSREC.EXE
Source: C:\Users\user\Desktop\F.exe System file written: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe Jump to behavior
Source: C:\Users\user\Desktop\F.exe System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateBroker.exe Jump to behavior
Source: C:\Users\user\Desktop\F.exe System file written: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe Jump to behavior
Source: C:\Users\user\Desktop\F.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe Jump to behavior
Source: C:\Windows\svchost.com System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\accicons.exe
Source: C:\Windows\svchost.com System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\msoev.exe
Source: C:\Users\user\Desktop\F.exe System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe Jump to behavior
Source: C:\Windows\svchost.com System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\lyncicon.exe
Source: C:\Users\user\Desktop\F.exe System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateSetup.exe Jump to behavior
Source: C:\Users\user\Desktop\F.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\IEContentService.exe Jump to behavior
Source: C:\Users\user\Desktop\F.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\notification_click_helper.exe Jump to behavior
Source: C:\Users\user\Desktop\F.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe Jump to behavior
Source: C:\Users\user\Desktop\F.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe Jump to behavior
Source: C:\Users\user\Desktop\F.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_proxy.exe Jump to behavior
Source: C:\Users\user\Desktop\F.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\pwahelper.exe Jump to behavior
Source: C:\Users\user\Desktop\F.exe System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe Jump to behavior
Source: C:\Users\user\Desktop\F.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\officeappguardwin32.exe Jump to behavior
Source: C:\Windows\svchost.com System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\SPREADSHEETCOMPARE.EXE
Source: C:\Users\user\Desktop\F.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\misc.exe Jump to behavior
Source: C:\Users\user\Desktop\F.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe Jump to behavior
Source: C:\Users\user\Desktop\F.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Jump to behavior
Source: C:\Users\user\Desktop\F.exe System file written: C:\Program Files (x86)\AutoIt3\Au3Check.exe Jump to behavior
Source: C:\Users\user\Desktop\F.exe System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\NisSrv.exe Jump to behavior
Source: C:\Users\user\Desktop\F.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pj11icon.exe Jump to behavior
Source: C:\Users\user\Desktop\F.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ACCICONS.EXE Jump to behavior
Source: C:\Windows\svchost.com System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOICONS.EXE
Source: C:\Windows\svchost.com System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\misc.exe
Source: C:\Windows\svchost.com System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE
Source: C:\Windows\svchost.com System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\AppSharingHookController64.exe
Source: C:\Users\user\Desktop\F.exe System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe Jump to behavior
Source: C:\Users\user\Desktop\F.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\visicon.exe Jump to behavior
Source: C:\Users\user\Desktop\F.exe System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe Jump to behavior
Source: C:\Users\user\Desktop\F.exe System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeComRegisterShellARM64.exe Jump to behavior
Source: C:\Users\user\Desktop\F.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge.exe Jump to behavior
Source: C:\Users\user\Desktop\F.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe Jump to behavior
Source: C:\Windows\svchost.com System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\joticon.exe
Source: C:\Users\user\Desktop\F.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\CLVIEW.EXE Jump to behavior
Source: C:\Users\user\Desktop\F.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOHTMED.EXE Jump to behavior
Source: C:\Users\user\Desktop\F.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\SkypeSrv\SKYPESERVER.EXE Jump to behavior
Source: C:\Users\user\Desktop\F.exe System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe Jump to behavior
Source: C:\Users\user\Desktop\F.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\XLICONS.EXE Jump to behavior
Source: C:\Windows\svchost.com System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
Source: C:\Users\user\Desktop\F.exe System file written: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe Jump to behavior
Source: C:\Users\user\Desktop\F.exe System file written: C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe Jump to behavior
Source: C:\Users\user\Desktop\F.exe System file written: C:\Users\user\AppData\Local\Temp\chrome.exe Jump to behavior
Source: C:\Windows\svchost.com System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\ai.exe
Source: C:\Users\user\Desktop\F.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedgewebview2.exe Jump to behavior
Source: C:\Users\user\Desktop\F.exe System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateOnDemand.exe Jump to behavior
Source: C:\Users\user\Desktop\F.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0409-0000-0000000FF1CE}\misc.exe Jump to behavior
Source: C:\Users\user\Desktop\F.exe System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDlpCmd.exe Jump to behavior
Source: C:\Users\user\Desktop\F.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Jump to behavior
Source: C:\Users\user\Desktop\F.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection64.exe Jump to behavior
Source: C:\Users\user\Desktop\F.exe System file written: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe Jump to behavior
Source: C:\Users\user\Desktop\F.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXE Jump to behavior
Source: C:\Windows\svchost.com System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pptico.exe
Source: C:\Users\user\Desktop\F.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe Jump to behavior
Source: C:\Windows\svchost.com System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\outicon.exe
Source: C:\Windows\svchost.com System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\dbcicons.exe
Source: C:\Users\user\Desktop\F.exe System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe Jump to behavior
Source: C:\Windows\svchost.com System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\MSQRY32.EXE
Source: C:\Windows\svchost.com System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-040C-0000-0000000FF1CE}\misc.exe
Source: C:\Users\user\Desktop\F.exe System file written: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\LICLUA.EXE Jump to behavior
Source: C:\Users\user\Desktop\F.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\osmclienticon.exe Jump to behavior
Source: C:\Windows\svchost.com System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\PPTICO.EXE
Source: C:\Windows\svchost.com System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
Source: C:\Users\user\Desktop\F.exe System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCmdRun.exe Jump to behavior
Source: C:\Users\user\Desktop\F.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe Jump to behavior
Source: C:\Windows\svchost.com System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\WORDICON.EXE
Source: C:\Users\user\Desktop\F.exe System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe Jump to behavior
Source: C:\Users\user\Desktop\F.exe System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe Jump to behavior
Source: C:\Windows\svchost.com System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe
Source: C:\Users\user\Desktop\F.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe Jump to behavior
Source: C:\Windows\svchost.com System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\GRAPH.EXE
Source: C:\Users\user\Desktop\F.exe System file written: C:\Program Files (x86)\AutoIt3\Uninstall.exe Jump to behavior
Source: C:\Users\user\Desktop\F.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\sscicons.exe Jump to behavior
Source: C:\Users\user\Desktop\F.exe System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\MpCmdRun.exe Jump to behavior
Source: C:\Users\user\Desktop\F.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection.exe Jump to behavior
Source: C:\Users\user\Desktop\F.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\CNFNOT32.EXE Jump to behavior
Source: C:\Windows\svchost.com System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\msoadfsb.exe
Source: C:\Users\user\Desktop\F.exe System file written: C:\Program Files (x86)\AutoIt3\Au3Info.exe Jump to behavior
Source: C:\Windows\svchost.com System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE
Source: C:\Users\user\Desktop\F.exe System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe Jump to behavior
Source: C:\Users\user\Desktop\F.exe System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mpextms.exe Jump to behavior
Source: C:\Users\user\Desktop\F.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\AppSharingHookController.exe Jump to behavior
Source: C:\Windows\svchost.com System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrBroker.exe
Source: C:\Users\user\Desktop\F.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\Installer\setup.exe Jump to behavior
Source: C:\Windows\svchost.com System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\Wordconv.exe
Source: C:\Users\user\Desktop\F.exe System file written: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe Jump to behavior
Source: C:\Users\user\Desktop\F.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe Jump to behavior
Source: C:\Windows\svchost.com System file written: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Source: C:\Users\user\Desktop\F.exe System file written: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe Jump to behavior
Source: C:\Windows\svchost.com System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OcPubMgr.exe
Source: C:\Windows\svchost.com System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\aimgr.exe
Source: C:\Users\user\Desktop\F.exe System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateCore.exe Jump to behavior
Source: C:\Users\user\Desktop\F.exe System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdate.exe Jump to behavior
Source: C:\Users\user\Desktop\F.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exe Jump to behavior
Source: C:\Users\user\Desktop\F.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\VPREVIEW.EXE Jump to behavior
Source: C:\Windows\svchost.com System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\OLicenseHeartbeat.exe
Source: C:\Users\user\Desktop\F.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_pwa_launcher.exe Jump to behavior
Source: C:\Users\user\Desktop\F.exe System file written: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe Jump to behavior
Source: C:\Users\user\Desktop\F.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OLCFG.EXE Jump to behavior
Source: C:\Windows\svchost.com System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\grv_icons.exe
Source: C:\Users\user\Desktop\F.exe System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe Jump to behavior
Source: C:\Users\user\Desktop\F.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Source Engine\OSE.EXE Jump to behavior
Source: C:\Windows\svchost.com System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\msoasb.exe
Source: C:\Users\user\Desktop\F.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pubs.exe Jump to behavior
Sample is not signed and drops a device driver
Source: C:\Windows\svchost.com File created: C:\Windows\directx.sys
Drops PE files
Source: C:\Users\user\Desktop\F.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\DATABASECOMPARE.EXE Jump to dropped file
Source: C:\Users\user\Desktop\F.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\javaws.exe Jump to dropped file
Source: C:\Windows\svchost.com File created: C:\Program Files (x86)\Microsoft Office\root\Office16\UcMapi.exe Jump to dropped file
Source: C:\Users\user\Desktop\F.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE Jump to dropped file
Source: C:\Users\user\Desktop\F.exe File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe Jump to dropped file
Source: C:\Users\user\Desktop\F.exe File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe Jump to dropped file
Source: C:\Windows\svchost.com File created: C:\Program Files (x86)\Microsoft Office\root\Office16\PerfBoost.exe Jump to dropped file
Source: C:\Users\user\Desktop\F.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe Jump to dropped file
Source: C:\Windows\svchost.com File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\MSOHTMED.EXE Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3582-490\F.exe File created: C:\ProgramData\Synaptics\Synaptics.exe Jump to dropped file
Source: C:\Windows\svchost.com File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOXMLED.EXE Jump to dropped file
Source: C:\Users\user\Desktop\F.exe File created: C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE Jump to dropped file
Source: C:\Users\user\Desktop\F.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCopyAccelerator.exe Jump to dropped file
Source: C:\Users\user\Desktop\F.exe File created: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe Jump to dropped file
Source: C:\Users\user\Desktop\F.exe File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-006E-0409-0000-0000000FF1CE}\misc.exe Jump to dropped file
Source: C:\Users\user\Desktop\F.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\SETLANG.EXE Jump to dropped file
Source: C:\Windows\svchost.com File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\DW\DW20.EXE Jump to dropped file
Source: C:\Users\user\Desktop\F.exe File created: C:\Windows\svchost.com Jump to dropped file
Source: C:\Windows\svchost.com File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0C0A-0000-0000000FF1CE}\misc.exe Jump to dropped file
Source: C:\Users\user\Desktop\F.exe File created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe Jump to dropped file
Source: C:\Users\user\Desktop\F.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\lync99.exe Jump to dropped file
Source: C:\Users\user\Desktop\F.exe File created: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe Jump to dropped file
Source: C:\Windows\svchost.com File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\FLTLDR.EXE Jump to dropped file
Source: C:\Users\user\Desktop\F.exe File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\aimgr.exe Jump to dropped file
Source: C:\Users\user\Desktop\F.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe Jump to dropped file
Source: C:\Users\user\Desktop\F.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\SELFCERT.EXE Jump to dropped file
Source: C:\Users\user\Desktop\F.exe File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\cookie_exporter.exe Jump to dropped file
Source: C:\Windows\svchost.com File created: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\filecompare.exe Jump to dropped file
Source: C:\Users\user\Desktop\F.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\SCANPST.EXE Jump to dropped file
Source: C:\Users\user\Desktop\F.exe File created: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe Jump to dropped file
Source: C:\Windows\svchost.com File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\xlicons.exe Jump to dropped file
Source: C:\Users\user\Desktop\F.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ConfigSecurityPolicy.exe Jump to dropped file
Source: C:\Users\user\Desktop\F.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTEM.EXE Jump to dropped file
Source: C:\Windows\svchost.com File created: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSREC.EXE Jump to dropped file
Source: C:\ProgramData\Synaptics\Synaptics.exe File created: C:\Users\user\Documents\BJZFPPWAPT\~$cache1 Jump to dropped file
Source: C:\Users\user\Desktop\F.exe File created: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe Jump to dropped file
Source: C:\Users\user\Desktop\F.exe File created: C:\Users\user\AppData\Local\Temp\3582-490\F.exe Jump to dropped file
Source: C:\Users\user\Desktop\F.exe File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateBroker.exe Jump to dropped file
Source: C:\Users\user\Desktop\F.exe File created: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe Jump to dropped file
Source: C:\Users\user\Desktop\F.exe File created: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe Jump to dropped file
Source: C:\Windows\svchost.com File created: C:\Program Files (x86)\Microsoft Office\root\Office16\msoev.exe Jump to dropped file
Source: C:\Windows\svchost.com File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\accicons.exe Jump to dropped file
Source: C:\Users\user\Desktop\F.exe File created: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe Jump to dropped file
Source: C:\Windows\svchost.com File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\lyncicon.exe Jump to dropped file
Source: C:\Users\user\Desktop\F.exe File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateSetup.exe Jump to dropped file
Source: C:\Users\user\Desktop\F.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\IEContentService.exe Jump to dropped file
Source: C:\Users\user\Desktop\F.exe File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\notification_click_helper.exe Jump to dropped file
Source: C:\Users\user\Desktop\F.exe File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe Jump to dropped file
Source: C:\Users\user\Desktop\F.exe File created: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe Jump to dropped file
Source: C:\Users\user\Desktop\F.exe File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe Jump to dropped file
Source: C:\Users\user\Desktop\F.exe File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_proxy.exe Jump to dropped file
Source: C:\Users\user\Desktop\F.exe File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\pwahelper.exe Jump to dropped file
Source: C:\Users\user\Desktop\F.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\officeappguardwin32.exe Jump to dropped file
Source: C:\Users\user\Desktop\F.exe File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe Jump to dropped file
Source: C:\Users\user\Desktop\F.exe File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\wordicon.exe Jump to dropped file
Source: C:\Windows\svchost.com File created: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\SPREADSHEETCOMPARE.EXE Jump to dropped file
Source: C:\Windows\svchost.com File created: C:\Program Files (x86)\Microsoft Office\root\Office16\misc.exe Jump to dropped file
Source: C:\Users\user\Desktop\F.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe Jump to dropped file
Source: C:\Users\user\Desktop\F.exe File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe Jump to dropped file
Source: C:\Users\user\Desktop\F.exe File created: C:\Program Files (x86)\Microsoft\Edge\Application\pwahelper.exe Jump to dropped file
Source: C:\Users\user\Desktop\F.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Jump to dropped file
Source: C:\ProgramData\Synaptics\Synaptics.exe File created: C:\Users\user\AppData\Local\Temp\RCXAE3F.tmp Jump to dropped file
Source: C:\Users\user\Desktop\F.exe File created: C:\Program Files (x86)\AutoIt3\Au3Check.exe Jump to dropped file
Source: C:\ProgramData\Synaptics\Synaptics.exe File created: C:\Users\user\AppData\Local\Temp\cyXtjfIL.exe Jump to dropped file
Source: C:\Users\user\Desktop\F.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\NisSrv.exe Jump to dropped file
Source: C:\Users\user\Desktop\F.exe File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe Jump to dropped file
Source: C:\Users\user\Desktop\F.exe File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pj11icon.exe Jump to dropped file
Source: C:\Users\user\Desktop\F.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\ACCICONS.EXE Jump to dropped file
Source: C:\Windows\svchost.com File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOICONS.EXE Jump to dropped file
Source: C:\Windows\svchost.com File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\misc.exe Jump to dropped file
Source: C:\Users\user\Desktop\F.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE Jump to dropped file
Source: C:\Windows\svchost.com File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\AppSharingHookController64.exe Jump to dropped file
Source: C:\Users\user\Desktop\F.exe File created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe Jump to dropped file
Source: C:\Users\user\Desktop\F.exe File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\visicon.exe Jump to dropped file
Source: C:\Users\user\Desktop\F.exe File created: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe Jump to dropped file
Source: C:\Users\user\Desktop\F.exe File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeComRegisterShellARM64.exe Jump to dropped file
Source: C:\Users\user\Desktop\F.exe File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge.exe Jump to dropped file
Source: C:\Users\user\Desktop\F.exe File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe Jump to dropped file
Source: C:\Windows\svchost.com File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\joticon.exe Jump to dropped file
Source: C:\Users\user\Desktop\F.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\CLVIEW.EXE Jump to dropped file
Source: C:\Users\user\Desktop\F.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOHTMED.EXE Jump to dropped file
Source: C:\Users\user\Desktop\F.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\SkypeSrv\SKYPESERVER.EXE Jump to dropped file
Source: C:\Users\user\Desktop\F.exe File created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe Jump to dropped file
Source: C:\Users\user\Desktop\F.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\XLICONS.EXE Jump to dropped file
Source: C:\Windows\svchost.com File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE Jump to dropped file
Source: C:\Users\user\Desktop\F.exe File created: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe Jump to dropped file
Source: C:\Users\user\Desktop\F.exe File created: C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe Jump to dropped file
Source: C:\Users\user\Desktop\F.exe File created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3582-490\F.exe File created: C:\Users\user\Desktop\._cache_F.exe Jump to dropped file
Source: C:\Users\user\Desktop\F.exe File created: C:\Users\user\AppData\Local\Temp\chrome.exe Jump to dropped file
Source: C:\Windows\svchost.com File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\ai.exe Jump to dropped file
Source: C:\Users\user\Desktop\F.exe File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedgewebview2.exe Jump to dropped file
Source: C:\Users\user\Desktop\F.exe File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateOnDemand.exe Jump to dropped file
Source: C:\Users\user\Desktop\F.exe File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0409-0000-0000000FF1CE}\misc.exe Jump to dropped file
Source: C:\Users\user\Desktop\F.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDlpCmd.exe Jump to dropped file
Source: C:\Users\user\Desktop\F.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Jump to dropped file
Source: C:\Users\user\Desktop\F.exe File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe Jump to dropped file
Source: C:\Users\user\Desktop\F.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection64.exe Jump to dropped file
Source: C:\Users\user\Desktop\F.exe File created: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe Jump to dropped file
Source: C:\Users\user\Desktop\F.exe File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe Jump to dropped file
Source: C:\Users\user\Desktop\F.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXE Jump to dropped file
Source: C:\Windows\svchost.com File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pptico.exe Jump to dropped file
Source: C:\Users\user\Desktop\F.exe File created: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe Jump to dropped file
Source: C:\Windows\svchost.com File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\outicon.exe Jump to dropped file
Source: C:\Users\user\Desktop\F.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe Jump to dropped file
Source: C:\Windows\svchost.com File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\dbcicons.exe Jump to dropped file
Source: C:\Users\user\Desktop\F.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\MSQRY32.EXE Jump to dropped file
Source: C:\Users\user\Desktop\F.exe File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe Jump to dropped file
Source: C:\Windows\svchost.com File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-040C-0000-0000000FF1CE}\misc.exe Jump to dropped file
Source: C:\Users\user\Desktop\F.exe File created: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\LICLUA.EXE Jump to dropped file
Source: C:\Users\user\Desktop\F.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\ORGCHART.EXE Jump to dropped file
Source: C:\Users\user\Desktop\F.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\SDXHelper.exe Jump to dropped file
Source: C:\Users\user\Desktop\F.exe File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\osmclienticon.exe Jump to dropped file
Source: C:\Windows\svchost.com File created: C:\Program Files (x86)\Microsoft Office\root\Office16\PPTICO.EXE Jump to dropped file
Source: C:\Windows\svchost.com File created: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Jump to dropped file
Source: C:\Users\user\Desktop\F.exe File created: C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe Jump to dropped file
Source: C:\Users\user\Desktop\F.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCmdRun.exe Jump to dropped file
Source: C:\Windows\svchost.com File created: C:\Program Files (x86)\Microsoft Office\root\Office16\WORDICON.EXE Jump to dropped file
Source: C:\Users\user\Desktop\F.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrSanBroker.exe Jump to dropped file
Source: C:\Users\user\Desktop\F.exe File created: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe Jump to dropped file
Source: C:\Users\user\Desktop\F.exe File created: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe Jump to dropped file
Source: C:\Windows\svchost.com File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe Jump to dropped file
Source: C:\Users\user\Desktop\F.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\GRAPH.EXE Jump to dropped file
Source: C:\Users\user\Desktop\F.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe Jump to dropped file
Source: C:\Users\user\Desktop\F.exe File created: C:\Program Files (x86)\AutoIt3\Uninstall.exe Jump to dropped file
Source: C:\Users\user\Desktop\F.exe File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\sscicons.exe Jump to dropped file
Source: C:\Users\user\Desktop\F.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\MpCmdRun.exe Jump to dropped file
Source: C:\Users\user\Desktop\F.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection.exe Jump to dropped file
Source: C:\Users\user\Desktop\F.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\CNFNOT32.EXE Jump to dropped file
Source: C:\Windows\svchost.com File created: C:\Program Files (x86)\Microsoft Office\root\Office16\msoadfsb.exe Jump to dropped file
Source: C:\Users\user\Desktop\F.exe File created: C:\Program Files (x86)\AutoIt3\Au3Info.exe Jump to dropped file
Source: C:\Windows\svchost.com File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3582-490\F.exe File created: C:\ProgramData\Synaptics\RCXAC4B.tmp Jump to dropped file
Source: C:\Users\user\Desktop\F.exe File created: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe Jump to dropped file
Source: C:\Users\user\Desktop\F.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mpextms.exe Jump to dropped file
Source: C:\Users\user\Desktop\F.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\AppSharingHookController.exe Jump to dropped file
Source: C:\Windows\svchost.com File created: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrBroker.exe Jump to dropped file
Source: C:\Users\user\Desktop\F.exe File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\Installer\setup.exe Jump to dropped file
Source: C:\Windows\svchost.com File created: C:\Program Files (x86)\Microsoft Office\root\Office16\Wordconv.exe Jump to dropped file
Source: C:\Users\user\Desktop\F.exe File created: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe Jump to dropped file
Source: C:\Users\user\Desktop\F.exe File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe Jump to dropped file
Source: C:\Windows\svchost.com File created: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe Jump to dropped file
Source: C:\Users\user\Desktop\F.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\OcPubMgr.exe Jump to dropped file
Source: C:\Users\user\Desktop\F.exe File created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe Jump to dropped file
Source: C:\Windows\svchost.com File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\aimgr.exe Jump to dropped file
Source: C:\Users\user\Desktop\F.exe File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateCore.exe Jump to dropped file
Source: C:\Users\user\Desktop\F.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exe Jump to dropped file
Source: C:\Users\user\Desktop\F.exe File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdate.exe Jump to dropped file
Source: C:\Users\user\Desktop\F.exe File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\OLicenseHeartbeat.exe Jump to dropped file
Source: C:\Users\user\Desktop\F.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\VPREVIEW.EXE Jump to dropped file
Source: C:\Users\user\Desktop\F.exe File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_pwa_launcher.exe Jump to dropped file
Source: C:\Users\user\Desktop\F.exe File created: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe Jump to dropped file
Source: C:\Users\user\Desktop\F.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\OLCFG.EXE Jump to dropped file
Source: C:\Windows\svchost.com File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\grv_icons.exe Jump to dropped file
Source: C:\Users\user\Desktop\F.exe File created: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe Jump to dropped file
Source: C:\Users\user\Desktop\F.exe File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Source Engine\OSE.EXE Jump to dropped file
Source: C:\Windows\svchost.com File created: C:\Program Files (x86)\Microsoft Office\root\Office16\msoasb.exe Jump to dropped file
Source: C:\Users\user\Desktop\._cache_F.exe File created: C:\ProgramData\XClient.exe Jump to dropped file
Source: C:\Users\user\Desktop\F.exe File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pubs.exe Jump to dropped file
Source: C:\Users\user\Desktop\F.exe File created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exe Jump to dropped file
Drops PE files to the application program directory (C:\ProgramData)
Source: C:\Users\user\Desktop\F.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\MpCmdRun.exe Jump to dropped file
Source: C:\Users\user\Desktop\F.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3582-490\F.exe File created: C:\ProgramData\Synaptics\Synaptics.exe Jump to dropped file
Source: C:\Users\user\Desktop\F.exe File created: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe Jump to dropped file
Source: C:\Users\user\Desktop\F.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ConfigSecurityPolicy.exe Jump to dropped file
Source: C:\Users\user\Desktop\F.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCopyAccelerator.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3582-490\F.exe File created: C:\ProgramData\Synaptics\RCXAC4B.tmp Jump to dropped file
Source: C:\Users\user\Desktop\F.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCmdRun.exe Jump to dropped file
Source: C:\Users\user\Desktop\F.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mpextms.exe Jump to dropped file
Source: C:\Users\user\Desktop\F.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDlpCmd.exe Jump to dropped file
Source: C:\Users\user\Desktop\F.exe File created: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe Jump to dropped file
Source: C:\Users\user\Desktop\F.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\NisSrv.exe Jump to dropped file
Source: C:\Users\user\Desktop\._cache_F.exe File created: C:\ProgramData\XClient.exe Jump to dropped file
Drops PE files to the windows directory (C:\Windows)
Source: C:\Users\user\Desktop\F.exe File created: C:\Windows\svchost.com Jump to dropped file
Drops files with a non-matching file extension (content does not match file extension)
Source: C:\ProgramData\Synaptics\Synaptics.exe File created: C:\Users\user\Documents\BJZFPPWAPT\~$cache1 Jump to dropped file

Boot Survival
barindex
Yara detected AsyncRAT
Source: Yara match File source: F.exe, type: SAMPLE
Source: Yara match File source: 2.3.F.exe.8cc070.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.F.exe.8cc070.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.._cache_F.exe.6a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.Synaptics.exe.2a4f458.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.Synaptics.exe.21e5438.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.F.exe.2257504.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.._cache_F.exe.12ac1a78.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.F.exe.4b6c38.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.F.exe.2257504.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.Synaptics.exe.2a4f458.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.F.exe.4b6c38.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.Synaptics.exe.21e5438.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.._cache_F.exe.12ac1a78.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.F.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.3303772990.0000000012AC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2045892912.00000000021B4000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.2067928599.000000000299E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2060756017.000000000089B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.2060247485.00000000006A2000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.2048511281.00000000004A5000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.2068336947.00000000021D3000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: F.exe PID: 1560, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: F.exe PID: 2668, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Synaptics.exe PID: 3868, type: MEMORYSTR
Source: Yara match File source: C:\ProgramData\XClient.exe, type: DROPPED
Source: Yara match File source: C:\ProgramData\Synaptics\Synaptics.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\Desktop\._cache_F.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\cyXtjfIL.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\3582-490\F.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\RCXAE3F.tmp, type: DROPPED
Yara detected Neshta
Source: Yara match File source: 00000000.00000002.2697226300.0000000000409000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: F.exe PID: 1560, type: MEMORYSTR
Creates an undocumented autostart registry key
Source: C:\Users\user\Desktop\F.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command NULL Jump to behavior
Source: C:\Users\user\Desktop\F.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command NULL Jump to behavior
Creates a start menu entry (Start Menu\Programs\Startup)
Source: C:\Users\user\Desktop\._cache_F.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk Jump to behavior
Stores files to the Windows start menu directory
Source: C:\Users\user\Desktop\._cache_F.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\F.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run ????? Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\F.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run ????? Jump to behavior

Hooking and other Techniques for Hiding and Protection
barindex
Loading BitLocker PowerShell Module
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\ProgramData\Synaptics\Synaptics.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot Jump to behavior
Source: C:\Users\user\Desktop\F.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\F.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\F.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\F.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\F.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\F.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\F.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\F.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\F.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\F.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\F.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\F.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\F.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\F.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\F.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\F.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\F.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\F.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\F.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\F.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\svchost.com Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\svchost.com Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\svchost.com Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\svchost.com Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\svchost.com Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\svchost.com Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\svchost.com Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\svchost.com Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\svchost.com Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\svchost.com Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\svchost.com Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\svchost.com Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\svchost.com Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\svchost.com Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\svchost.com Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\svchost.com Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\svchost.com Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\svchost.com Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\svchost.com Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\svchost.com Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\svchost.com Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\svchost.com Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\svchost.com Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\svchost.com Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion
barindex
Yara detected AntiVM3
Source: Yara match File source: Process Memory Space: F.exe PID: 1560, type: MEMORYSTR
Yara detected AsyncRAT
Source: Yara match File source: F.exe, type: SAMPLE
Source: Yara match File source: 2.3.F.exe.8cc070.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.F.exe.8cc070.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.._cache_F.exe.6a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.Synaptics.exe.2a4f458.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.Synaptics.exe.21e5438.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.F.exe.2257504.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.._cache_F.exe.12ac1a78.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.F.exe.4b6c38.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.F.exe.2257504.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.Synaptics.exe.2a4f458.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.F.exe.4b6c38.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.Synaptics.exe.21e5438.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.._cache_F.exe.12ac1a78.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.F.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.3303772990.0000000012AC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2045892912.00000000021B4000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.2067928599.000000000299E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2060756017.000000000089B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.2060247485.00000000006A2000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.2048511281.00000000004A5000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.2068336947.00000000021D3000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: F.exe PID: 1560, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: F.exe PID: 2668, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Synaptics.exe PID: 3868, type: MEMORYSTR
Source: Yara match File source: C:\ProgramData\XClient.exe, type: DROPPED
Source: Yara match File source: C:\ProgramData\Synaptics\Synaptics.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\Desktop\._cache_F.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\cyXtjfIL.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\3582-490\F.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\RCXAE3F.tmp, type: DROPPED
Check if machine is in data center or colocation facility
Source: global traffic HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Source: C:\Users\user\Desktop\._cache_F.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\._cache_F.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\._cache_F.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\._cache_F.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\._cache_F.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\._cache_F.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\._cache_F.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\._cache_F.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\._cache_F.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\._cache_F.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\._cache_F.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\._cache_F.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\._cache_F.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\._cache_F.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\._cache_F.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: ._cache_F.exe, 00000003.00000002.3299291942.0000000002AB1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
Source: F.exe, Synaptics.exe.2.dr Binary or memory string: SBIEDLL.DLLINFO
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\Desktop\._cache_F.exe Memory allocated: 28A0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe Memory allocated: 1AAB0000 memory reserve | memory write watch Jump to behavior
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\._cache_F.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\._cache_F.exe Window / User API: threadDelayed 7590 Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe Window / User API: threadDelayed 2005 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2522
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4058
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4748
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4750
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 402
Found dropped PE file which has not been started or loaded
Source: C:\Users\user\Desktop\F.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\javaws.exe Jump to dropped file
Source: C:\Users\user\Desktop\F.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\DATABASECOMPARE.EXE Jump to dropped file
Source: C:\Windows\svchost.com Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\UcMapi.exe Jump to dropped file
Source: C:\Users\user\Desktop\F.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe Jump to dropped file
Source: C:\Users\user\Desktop\F.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE Jump to dropped file
Source: C:\Users\user\Desktop\F.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe Jump to dropped file
Source: C:\Windows\svchost.com Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\PerfBoost.exe Jump to dropped file
Source: C:\Users\user\Desktop\F.exe Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe Jump to dropped file
Source: C:\Windows\svchost.com Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\MSOHTMED.EXE Jump to dropped file
Source: C:\Windows\svchost.com Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOXMLED.EXE Jump to dropped file
Source: C:\Users\user\Desktop\F.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE Jump to dropped file
Source: C:\Users\user\Desktop\F.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe Jump to dropped file
Source: C:\Users\user\Desktop\F.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-006E-0409-0000-0000000FF1CE}\misc.exe Jump to dropped file
Source: C:\Users\user\Desktop\F.exe Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCopyAccelerator.exe Jump to dropped file
Source: C:\Users\user\Desktop\F.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\SETLANG.EXE Jump to dropped file
Source: C:\Windows\svchost.com Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\DW\DW20.EXE Jump to dropped file
Source: C:\Windows\svchost.com Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0C0A-0000-0000000FF1CE}\misc.exe Jump to dropped file
Source: C:\Users\user\Desktop\F.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe Jump to dropped file
Source: C:\Users\user\Desktop\F.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\lync99.exe Jump to dropped file
Source: C:\Users\user\Desktop\F.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe Jump to dropped file
Source: C:\Windows\svchost.com Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\FLTLDR.EXE Jump to dropped file
Source: C:\Users\user\Desktop\F.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\aimgr.exe Jump to dropped file
Source: C:\Users\user\Desktop\F.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe Jump to dropped file
Source: C:\Users\user\Desktop\F.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\SELFCERT.EXE Jump to dropped file
Source: C:\Users\user\Desktop\F.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\cookie_exporter.exe Jump to dropped file
Source: C:\Windows\svchost.com Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\filecompare.exe Jump to dropped file
Source: C:\Users\user\Desktop\F.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\SCANPST.EXE Jump to dropped file
Source: C:\Users\user\Desktop\F.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe Jump to dropped file
Source: C:\Windows\svchost.com Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\xlicons.exe Jump to dropped file
Source: C:\Users\user\Desktop\F.exe Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ConfigSecurityPolicy.exe Jump to dropped file
Source: C:\Users\user\Desktop\F.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTEM.EXE Jump to dropped file
Source: C:\Windows\svchost.com Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSREC.EXE Jump to dropped file
Source: C:\Users\user\Desktop\F.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe Jump to dropped file
Source: C:\Users\user\Desktop\F.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateBroker.exe Jump to dropped file
Source: C:\Users\user\Desktop\F.exe Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe Jump to dropped file
Source: C:\Windows\svchost.com Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\accicons.exe Jump to dropped file
Source: C:\Users\user\Desktop\F.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe Jump to dropped file
Source: C:\Windows\svchost.com Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\msoev.exe Jump to dropped file
Source: C:\Users\user\Desktop\F.exe Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe Jump to dropped file
Source: C:\Windows\svchost.com Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\lyncicon.exe Jump to dropped file
Source: C:\Users\user\Desktop\F.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\IEContentService.exe Jump to dropped file
Source: C:\Users\user\Desktop\F.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateSetup.exe Jump to dropped file
Source: C:\Users\user\Desktop\F.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\notification_click_helper.exe Jump to dropped file
Source: C:\Users\user\Desktop\F.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe Jump to dropped file
Source: C:\Users\user\Desktop\F.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe Jump to dropped file
Source: C:\Users\user\Desktop\F.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe Jump to dropped file
Source: C:\Users\user\Desktop\F.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_proxy.exe Jump to dropped file
Source: C:\Users\user\Desktop\F.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\pwahelper.exe Jump to dropped file
Source: C:\Users\user\Desktop\F.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\officeappguardwin32.exe Jump to dropped file
Source: C:\Users\user\Desktop\F.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe Jump to dropped file
Source: C:\Users\user\Desktop\F.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\wordicon.exe Jump to dropped file
Source: C:\Windows\svchost.com Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\SPREADSHEETCOMPARE.EXE Jump to dropped file
Source: C:\Windows\svchost.com Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\misc.exe Jump to dropped file
Source: C:\Users\user\Desktop\F.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe Jump to dropped file
Source: C:\Users\user\Desktop\F.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe Jump to dropped file
Source: C:\Users\user\Desktop\F.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\pwahelper.exe Jump to dropped file
Source: C:\ProgramData\Synaptics\Synaptics.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RCXAE3F.tmp Jump to dropped file
Source: C:\Users\user\Desktop\F.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Jump to dropped file
Source: C:\ProgramData\Synaptics\Synaptics.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\cyXtjfIL.exe Jump to dropped file
Source: C:\Users\user\Desktop\F.exe Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Au3Check.exe Jump to dropped file
Source: C:\Users\user\Desktop\F.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe Jump to dropped file
Source: C:\Users\user\Desktop\F.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pj11icon.exe Jump to dropped file
Source: C:\Users\user\Desktop\F.exe Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\NisSrv.exe Jump to dropped file
Source: C:\Users\user\Desktop\F.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\ACCICONS.EXE Jump to dropped file
Source: C:\Windows\svchost.com Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOICONS.EXE Jump to dropped file
Source: C:\Windows\svchost.com Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\misc.exe Jump to dropped file
Source: C:\Windows\svchost.com Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\AppSharingHookController64.exe Jump to dropped file
Source: C:\Users\user\Desktop\F.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE Jump to dropped file
Source: C:\Users\user\Desktop\F.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe Jump to dropped file
Source: C:\Users\user\Desktop\F.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\visicon.exe Jump to dropped file
Source: C:\Users\user\Desktop\F.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeComRegisterShellARM64.exe Jump to dropped file
Source: C:\Users\user\Desktop\F.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe Jump to dropped file
Source: C:\Users\user\Desktop\F.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge.exe Jump to dropped file
Source: C:\Users\user\Desktop\F.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe Jump to dropped file
Source: C:\Windows\svchost.com Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\joticon.exe Jump to dropped file
Source: C:\Users\user\Desktop\F.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\CLVIEW.EXE Jump to dropped file
Source: C:\Users\user\Desktop\F.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOHTMED.EXE Jump to dropped file
Source: C:\Users\user\Desktop\F.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\SkypeSrv\SKYPESERVER.EXE Jump to dropped file
Source: C:\Users\user\Desktop\F.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe Jump to dropped file
Source: C:\Users\user\Desktop\F.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\XLICONS.EXE Jump to dropped file
Source: C:\Windows\svchost.com Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE Jump to dropped file
Source: C:\Users\user\Desktop\F.exe Dropped PE file which has not been started: C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe Jump to dropped file
Source: C:\Users\user\Desktop\F.exe Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe Jump to dropped file
Source: C:\Users\user\Desktop\F.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Jump to dropped file
Source: C:\Users\user\Desktop\F.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\chrome.exe Jump to dropped file
Source: C:\Windows\svchost.com Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\ai.exe Jump to dropped file
Source: C:\Users\user\Desktop\F.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedgewebview2.exe Jump to dropped file
Source: C:\Users\user\Desktop\F.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateOnDemand.exe Jump to dropped file
Source: C:\Users\user\Desktop\F.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0409-0000-0000000FF1CE}\misc.exe Jump to dropped file
Source: C:\Users\user\Desktop\F.exe Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDlpCmd.exe Jump to dropped file
Source: C:\Users\user\Desktop\F.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Jump to dropped file
Source: C:\Users\user\Desktop\F.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe Jump to dropped file
Source: C:\Users\user\Desktop\F.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection64.exe Jump to dropped file
Source: C:\Users\user\Desktop\F.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe Jump to dropped file
Source: C:\Users\user\Desktop\F.exe Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe Jump to dropped file
Source: C:\Users\user\Desktop\F.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXE Jump to dropped file
Source: C:\Windows\svchost.com Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pptico.exe Jump to dropped file
Source: C:\Users\user\Desktop\F.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe Jump to dropped file
Source: C:\Windows\svchost.com Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\outicon.exe Jump to dropped file
Source: C:\Users\user\Desktop\F.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe Jump to dropped file
Source: C:\Windows\svchost.com Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\dbcicons.exe Jump to dropped file
Source: C:\Users\user\Desktop\F.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\MSQRY32.EXE Jump to dropped file
Source: C:\Users\user\Desktop\F.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe Jump to dropped file
Source: C:\Windows\svchost.com Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-040C-0000-0000000FF1CE}\misc.exe Jump to dropped file
Source: C:\Users\user\Desktop\F.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\LICLUA.EXE Jump to dropped file
Source: C:\Users\user\Desktop\F.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\SDXHelper.exe Jump to dropped file
Source: C:\Users\user\Desktop\F.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\ORGCHART.EXE Jump to dropped file
Source: C:\Users\user\Desktop\F.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\osmclienticon.exe Jump to dropped file
Source: C:\Windows\svchost.com Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\PPTICO.EXE Jump to dropped file
Source: C:\Windows\svchost.com Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Jump to dropped file
Source: C:\Users\user\Desktop\F.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe Jump to dropped file
Source: C:\Users\user\Desktop\F.exe Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCmdRun.exe Jump to dropped file
Source: C:\Windows\svchost.com Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\WORDICON.EXE Jump to dropped file
Source: C:\Users\user\Desktop\F.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrSanBroker.exe Jump to dropped file
Source: C:\Users\user\Desktop\F.exe Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe Jump to dropped file
Source: C:\Users\user\Desktop\F.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe Jump to dropped file
Source: C:\Windows\svchost.com Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe Jump to dropped file
Source: C:\Users\user\Desktop\F.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe Jump to dropped file
Source: C:\Users\user\Desktop\F.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\GRAPH.EXE Jump to dropped file
Source: C:\Users\user\Desktop\F.exe Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Uninstall.exe Jump to dropped file
Source: C:\Users\user\Desktop\F.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\sscicons.exe Jump to dropped file
Source: C:\Users\user\Desktop\F.exe Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\MpCmdRun.exe Jump to dropped file
Source: C:\Users\user\Desktop\F.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection.exe Jump to dropped file
Source: C:\Users\user\Desktop\F.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\CNFNOT32.EXE Jump to dropped file
Source: C:\Windows\svchost.com Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\msoadfsb.exe Jump to dropped file
Source: C:\Users\user\Desktop\F.exe Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Au3Info.exe Jump to dropped file
Source: C:\Windows\svchost.com Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE Jump to dropped file
Source: C:\Users\user\Desktop\F.exe Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe Jump to dropped file
Source: C:\Users\user\Desktop\F.exe Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mpextms.exe Jump to dropped file
Source: C:\Users\user\Desktop\F.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\AppSharingHookController.exe Jump to dropped file
Source: C:\Windows\svchost.com Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrBroker.exe Jump to dropped file
Source: C:\Users\user\Desktop\F.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\Installer\setup.exe Jump to dropped file
Source: C:\Windows\svchost.com Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\Wordconv.exe Jump to dropped file
Source: C:\Users\user\Desktop\F.exe Dropped PE file which has not been started: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe Jump to dropped file
Source: C:\Users\user\Desktop\F.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe Jump to dropped file
Source: C:\Windows\svchost.com Dropped PE file which has not been started: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe Jump to dropped file
Source: C:\Users\user\Desktop\F.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\OcPubMgr.exe Jump to dropped file
Source: C:\Users\user\Desktop\F.exe Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe Jump to dropped file
Source: C:\Windows\svchost.com Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\aimgr.exe Jump to dropped file
Source: C:\Users\user\Desktop\F.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateCore.exe Jump to dropped file
Source: C:\Users\user\Desktop\F.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exe Jump to dropped file
Source: C:\Users\user\Desktop\F.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdate.exe Jump to dropped file
Source: C:\Users\user\Desktop\F.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\OLicenseHeartbeat.exe Jump to dropped file
Source: C:\Users\user\Desktop\F.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\VPREVIEW.EXE Jump to dropped file
Source: C:\Users\user\Desktop\F.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_pwa_launcher.exe Jump to dropped file
Source: C:\Users\user\Desktop\F.exe Dropped PE file which has not been started: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe Jump to dropped file
Source: C:\Users\user\Desktop\F.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\OLCFG.EXE Jump to dropped file
Source: C:\Windows\svchost.com Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\grv_icons.exe Jump to dropped file
Source: C:\Users\user\Desktop\F.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe Jump to dropped file
Source: C:\Users\user\Desktop\F.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Source Engine\OSE.EXE Jump to dropped file
Source: C:\Windows\svchost.com Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\msoasb.exe Jump to dropped file
Source: C:\Users\user\Desktop\F.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pubs.exe Jump to dropped file
Source: C:\Users\user\Desktop\F.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exe Jump to dropped file
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\._cache_F.exe TID: 8980 Thread sleep time: -33204139332677172s >= -30000s Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe TID: 7400 Thread sleep count: 114 > 30 Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe TID: 7400 Thread sleep time: -6840000s >= -30000s Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe TID: 8380 Thread sleep time: -60000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7576 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7532 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8680 Thread sleep count: 4058 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8796 Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8720 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8828 Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8788 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8904 Thread sleep count: 4750 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8964 Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8908 Thread sleep count: 402 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8932 Thread sleep time: -922337203685477s >= -30000s
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Source: C:\Users\user\Desktop\._cache_F.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\._cache_F.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe Thread delayed: delay time: 60000 Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe Thread delayed: delay time: 60000 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\F.exe File opened: C:\Documents and Settings\user\AppData\Local\Adobe\Acrobat\ Jump to behavior
Source: C:\Users\user\Desktop\F.exe File opened: C:\Documents and Settings\user\AppData\Local\Adobe\Acrobat\DC\ Jump to behavior
Source: C:\Users\user\Desktop\F.exe File opened: C:\Documents and Settings\user\AppData\Local\Adobe\ Jump to behavior
Source: C:\Users\user\Desktop\F.exe File opened: C:\Documents and Settings\user\AppData\Local\Adobe\Acrobat\DC\Cache\ Jump to behavior
Source: C:\Users\user\Desktop\F.exe File opened: C:\Documents and Settings\user\AppData\Local\ Jump to behavior
Source: C:\Users\user\Desktop\F.exe File opened: C:\Documents and Settings\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\ Jump to behavior
Source: Synaptics.exe.2.dr Binary or memory string: vmware
Source: F.exe, 00000002.00000003.2062983320.0000000000863000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\{
Source: ._cache_F.exe, 00000003.00000002.3306082752.000000001B7E7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll%
Source: Synaptics.exe, 00000004.00000002.2505106985.00000000006DF000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2505106985.0000000000724000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: C:\Users\user\Desktop\._cache_F.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging
barindex
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Source: C:\Users\user\Desktop\._cache_F.exe Code function: 3_2_00007FF848F06E61 CheckRemoteDebuggerPresent, 3_2_00007FF848F06E61
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\._cache_F.exe Process queried: DebugPort Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe Process queried: DebugPort Jump to behavior
Enables debug privileges
Source: C:\Users\user\Desktop\._cache_F.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\._cache_F.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Adds a directory exclusion to Windows Defender
Source: C:\Users\user\Desktop\._cache_F.exe Process created: C:\Windows\svchost.com "C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\._cache_F.exe'
Source: C:\Windows\svchost.com Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\._cache_F.exe'
Source: C:\Users\user\Desktop\._cache_F.exe Process created: C:\Windows\svchost.com "C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\XClient.exe'
Source: C:\Windows\svchost.com Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\XClient.exe'
Source: C:\Users\user\Desktop\._cache_F.exe Process created: C:\Windows\svchost.com "C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\._cache_F.exe' Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe Process created: C:\Windows\svchost.com "C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\XClient.exe' Jump to behavior
Source: C:\Windows\svchost.com Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\._cache_F.exe'
Source: C:\Windows\svchost.com Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\XClient.exe'
Bypasses PowerShell execution policy
Source: C:\Windows\svchost.com Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\._cache_F.exe'
Drops or copies MsMpEng.exe (Windows Defender, likely to bypass HIPS)
Source: C:\Users\user\Desktop\F.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe Jump to dropped file
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\F.exe Process created: C:\Users\user\AppData\Local\Temp\3582-490\F.exe "C:\Users\user\AppData\Local\Temp\3582-490\F.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\F.exe Process created: C:\Users\user\Desktop\._cache_F.exe "C:\Users\user\Desktop\._cache_F.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\F.exe Process created: C:\ProgramData\Synaptics\Synaptics.exe "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe Process created: C:\Windows\svchost.com "C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\._cache_F.exe' Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe Process created: C:\Windows\svchost.com "C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '._cache_F.exe' Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe Process created: C:\Windows\svchost.com "C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\XClient.exe' Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe Process created: C:\Windows\svchost.com "C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe' Jump to behavior
Queries the installation date of Windows
Source: C:\Users\user\AppData\Local\Temp\3582-490\F.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion InstallDate Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\._cache_F.exe Queries volume information: C:\Users\user\Desktop\._cache_F.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Users\user\Desktop\._cache_F.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings
barindex
Yara detected AsyncRAT
Source: Yara match File source: F.exe, type: SAMPLE
Source: Yara match File source: 2.3.F.exe.8cc070.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.F.exe.8cc070.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.._cache_F.exe.6a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.Synaptics.exe.2a4f458.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.Synaptics.exe.21e5438.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.F.exe.2257504.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.._cache_F.exe.12ac1a78.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.F.exe.4b6c38.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.F.exe.2257504.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.Synaptics.exe.2a4f458.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.F.exe.4b6c38.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.Synaptics.exe.21e5438.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.._cache_F.exe.12ac1a78.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.F.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.3303772990.0000000012AC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2045892912.00000000021B4000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.2067928599.000000000299E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2060756017.000000000089B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.2060247485.00000000006A2000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.2048511281.00000000004A5000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.2068336947.00000000021D3000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: F.exe PID: 1560, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: F.exe PID: 2668, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Synaptics.exe PID: 3868, type: MEMORYSTR
Source: Yara match File source: C:\ProgramData\XClient.exe, type: DROPPED
Source: Yara match File source: C:\ProgramData\Synaptics\Synaptics.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\Desktop\._cache_F.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\cyXtjfIL.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\3582-490\F.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\RCXAE3F.tmp, type: DROPPED
AV process strings found (often used to terminate AV products)
Source: ._cache_F.exe, 00000003.00000002.3293239774.0000000000B01000.00000004.00000020.00020000.00000000.sdmp, ._cache_F.exe, 00000003.00000002.3306082752.000000001B7D1000.00000004.00000020.00020000.00000000.sdmp, ._cache_F.exe, 00000003.00000002.3306082752.000000001B823000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: ._cache_F.exe, 00000003.00000002.3306082752.000000001B7D1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ramFiles%\Windows Defender\MsMpeng.exe
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Users\user\Desktop\._cache_F.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\._cache_F.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\._cache_F.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\._cache_F.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\._cache_F.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\._cache_F.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\._cache_F.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\._cache_F.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\._cache_F.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\._cache_F.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\._cache_F.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\._cache_F.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\._cache_F.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\._cache_F.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\._cache_F.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information
barindex
Yara detected Neshta
Source: Yara match File source: 00000000.00000002.2697226300.0000000000409000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: F.exe PID: 1560, type: MEMORYSTR
Yara detected XWorm
Source: Yara match File source: F.exe, type: SAMPLE
Source: Yara match File source: 2.3.F.exe.8cc070.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.F.exe.8cc070.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.._cache_F.exe.6a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.Synaptics.exe.2a4f458.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.Synaptics.exe.21e5438.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.F.exe.2257504.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.._cache_F.exe.12ac1a78.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.F.exe.4b6c38.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.F.exe.2257504.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.Synaptics.exe.2a4f458.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.F.exe.4b6c38.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.Synaptics.exe.21e5438.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.._cache_F.exe.12ac1a78.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.F.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.3299291942.0000000002AB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.3303772990.0000000012AC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2045892912.00000000021B4000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.2067928599.000000000299E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2060756017.000000000089B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.2060247485.00000000006A2000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.2048511281.00000000004A5000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.2068336947.00000000021D3000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: F.exe PID: 1560, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: F.exe PID: 2668, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: ._cache_F.exe PID: 2616, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Synaptics.exe PID: 3868, type: MEMORYSTR
Source: Yara match File source: C:\ProgramData\XClient.exe, type: DROPPED
Source: Yara match File source: C:\ProgramData\Synaptics\Synaptics.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\Desktop\._cache_F.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\cyXtjfIL.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\3582-490\F.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\RCXAE3F.tmp, type: DROPPED

Remote Access Functionality
barindex
Yara detected XWorm
Source: Yara match File source: F.exe, type: SAMPLE
Source: Yara match File source: 2.3.F.exe.8cc070.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.F.exe.8cc070.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.._cache_F.exe.6a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.Synaptics.exe.2a4f458.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.Synaptics.exe.21e5438.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.F.exe.2257504.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.._cache_F.exe.12ac1a78.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.F.exe.4b6c38.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.F.exe.2257504.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.Synaptics.exe.2a4f458.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.F.exe.4b6c38.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.Synaptics.exe.21e5438.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.._cache_F.exe.12ac1a78.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.F.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.3299291942.0000000002AB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.3303772990.0000000012AC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2045892912.00000000021B4000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.2067928599.000000000299E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2060756017.000000000089B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.2060247485.00000000006A2000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.2048511281.00000000004A5000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.2068336947.00000000021D3000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: F.exe PID: 1560, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: F.exe PID: 2668, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: ._cache_F.exe PID: 2616, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Synaptics.exe PID: 3868, type: MEMORYSTR
Source: Yara match File source: C:\ProgramData\XClient.exe, type: DROPPED
Source: Yara match File source: C:\ProgramData\Synaptics\Synaptics.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\Desktop\._cache_F.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\cyXtjfIL.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\3582-490\F.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\RCXAE3F.tmp, type: DROPPED
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1465838 Sample: F.exe Startdate: 02/07/2024 Architecture: WINDOWS Score: 100 91 freedns.afraid.org 2->91 93 xred.mooo.com 2->93 95 5 other IPs or domains 2->95 117 Snort IDS alert for network traffic 2->117 119 Multi AV Scanner detection for domain / URL 2->119 121 Found malware configuration 2->121 125 22 other signatures 2->125 11 F.exe 5 2->11         started        15 EXCEL.EXE 2->15         started        18 svchost.com 2->18         started        signatures3 123 Uses dynamic DNS services 91->123 process4 dnsIp5 83 C:\Windows\svchost.com, PE32 11->83 dropped 85 C:\Users\user\AppData\Local\Temp\chrome.exe, PE32 11->85 dropped 87 C:\Users\user\AppData\Local\Temp\...\F.exe, PE32 11->87 dropped 89 113 other malicious files 11->89 dropped 137 Creates an undocumented autostart registry key 11->137 139 Drops PE files with a suspicious file extension 11->139 141 Drops or copies MsMpEng.exe (Windows Defender, likely to bypass HIPS) 11->141 143 2 other signatures 11->143 20 F.exe 1 5 11->20         started        107 s-part-0032.t-0009.t-msedge.net 13.107.246.60, 443, 49850, 49851 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 15->107 23 Synaptics.exe 18->23         started        file6 signatures7 process8 file9 69 C:\Users\user\Desktop\._cache_F.exe, PE32 20->69 dropped 71 C:\ProgramData\Synaptics\Synaptics.exe, PE32 20->71 dropped 73 C:\ProgramData\Synaptics\RCXAC4B.tmp, PE32 20->73 dropped 25 ._cache_F.exe 20 6 20->25         started        30 Synaptics.exe 65 20->30         started        process10 dnsIp11 97 ip-api.com 208.95.112.1, 49709, 80 TUT-ASUS United States 25->97 99 45.141.26.232, 49849, 49854, 49855 SPECTRAIPSpectraIPBVNL Netherlands 25->99 75 C:\ProgramData\XClient.exe, PE32 25->75 dropped 127 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 25->127 129 Protects its processes via BreakOnTermination flag 25->129 131 Drops executables to the windows directory (C:\Windows) and starts them 25->131 135 3 other signatures 25->135 32 svchost.com 25->32         started        36 svchost.com 25->36         started        38 svchost.com 25->38         started        40 svchost.com 25->40         started        101 freedns.afraid.org 69.42.215.252, 49714, 80 AWKNET-LLCUS United States 30->101 103 drive.usercontent.google.com 142.250.184.225, 443, 49717, 49718 GOOGLEUS United States 30->103 105 docs.google.com 216.58.206.78, 443, 49711, 49712 GOOGLEUS United States 30->105 77 C:\Users\user\Documents\BJZFPPWAPT\~$cache1, PE32 30->77 dropped 79 C:\Users\user\AppData\Local\...\cyXtjfIL.exe, PE32 30->79 dropped 81 C:\Users\user\AppData\Local\...\RCXAE3F.tmp, PE32 30->81 dropped 133 Drops PE files to the document folder of the user 30->133 42 WerFault.exe 30->42         started        file12 signatures13 process14 file15 61 C:\...\maintenanceservice.exe, PE32 32->61 dropped 63 C:\Program Files (x86)\...\misc.exe, PE32 32->63 dropped 65 C:\Program Files (x86)\...\misc.exe, PE32 32->65 dropped 67 35 other malicious files 32->67 dropped 109 Bypasses PowerShell execution policy 32->109 111 Adds a directory exclusion to Windows Defender 32->111 113 Sample is not signed and drops a device driver 32->113 115 Infects executable files (exe, dll, sys, html) 32->115 44 powershell.exe 32->44         started        47 powershell.exe 36->47         started        49 powershell.exe 38->49         started        51 powershell.exe 40->51         started        signatures16 process17 signatures18 145 Loading BitLocker PowerShell Module 44->145 53 conhost.exe 44->53         started        55 conhost.exe 47->55         started        57 conhost.exe 49->57         started        59 conhost.exe 51->59         started        process19
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
208.95.112.1
 ip-api.com United States
53334 TUT-ASUS true
216.58.206.78
 docs.google.com United States
15169 GOOGLEUS false
142.250.184.225
 drive.usercontent.google.com United States
15169 GOOGLEUS false
13.107.246.60
 s-part-0032.t-0009.t-msedge.net United States
8068 MICROSOFT-CORP-MSN-AS-BLOCKUS false
69.42.215.252
 freedns.afraid.org United States
17048 AWKNET-LLCUS true
45.141.26.232
 unknown Netherlands
62068 SPECTRAIPSpectraIPBVNL true

Contacted Domains

Name IP Active
freedns.afraid.org 69.42.215.252 true
docs.google.com 216.58.206.78 true
ip-api.com 208.95.112.1 true
drive.usercontent.google.com 142.250.184.225 true
s-part-0032.t-0009.t-msedge.net 13.107.246.60 true
xred.mooo.com unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
45.141.26.232 true
  • 3%, Virustotal, Browse
  • Avira URL Cloud: safe
 unknown
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978 true
  • 8%, Virustotal, Browse
  • Avira URL Cloud: safe
 unknown
http://ip-api.com/line/?fields=hosting false
  • URL Reputation: safe
 unknown