gh0strat | fafacde20582d467fd1f98b7fc69b35233f1d013542f4488937e7763e7c2e192

Analysis

max time kernel
151s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
04-08-2023 07:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fafacde20582d467fd1f98b7fc69b35233f1d013542f4488937e7763e7c2e192.exe
Size

2.8MB
MD5

f08834a754ec6420f761356a999408e5
SHA1

2e430d55e601e1dc969e4f1c364d344b68f15fde
SHA256

fafacde20582d467fd1f98b7fc69b35233f1d013542f4488937e7763e7c2e192
SHA512

9f6647dd945eb374d75a300a1e1e1719940d5100eca7c4a9a395da36712bba26c3eab11ce6af2f1d04e673813a7b49641987e0fcfb6927aaf577f55ec96ede6e
SSDEEP

49152:c09XJt4HIN2H2tFvduySSnsHyjtk2MYC5GDPgfIKYpxqtYW+0Cc+:BZJt4HINy2LkSnsmtk2a2q/3Cb

Score

10^/10

gh0strat purplefox aspackv2 persistence rat rootkit trojan upx

Malware Config

Signatures

Detect PurpleFox Rootkit 10 IoCs

Detect PurpleFox Rootkit.

rootkit

Processes:

resource	yara_rule
behavioral2/memory/1644-140-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/1644-141-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/1644-139-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/4352-149-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/4352-150-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/1644-154-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/4352-156-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/1164-164-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/1164-166-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/1164-172-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit

Gh0st RAT payload 10 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1644-140-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/memory/1644-141-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/memory/1644-139-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/memory/4352-149-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/memory/4352-150-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/memory/1644-154-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/memory/4352-156-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/memory/1164-164-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/memory/1164-166-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/memory/1164-172-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
PurpleFox
PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
rootkit trojan purplefox
Drops file in Drivers directory 1 IoCs

Processes:

TXPlatforn.exe

description ioc process

File created C:\Windows\system32\drivers\QAssist.sys TXPlatforn.exe

description	ioc	process
File created	C:\Windows\system32\drivers\QAssist.sys	TXPlatforn.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

TXPlatforn.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys"	TXPlatforn.exe

ASPack v2.12-2.42 5 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\._cache_HD_fafacde20582d467fd1f98b7fc69b35233f1d013542f4488937e7763e7c2e192.exe	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\._cache_HD_fafacde20582d467fd1f98b7fc69b35233f1d013542f4488937e7763e7c2e192.exe	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\._cache_HD_fafacde20582d467fd1f98b7fc69b35233f1d013542f4488937e7763e7c2e192.exe	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe	aspack_v212_v242

Executes dropped EXE 7 IoCs

Processes:

RVN.exeTXPlatforn.exeTXPlatforn.exeHD_fafacde20582d467fd1f98b7fc69b35233f1d013542f4488937e7763e7c2e192.exe._cache_HD_fafacde20582d467fd1f98b7fc69b35233f1d013542f4488937e7763e7c2e192.exeSynaptics.exe._cache_Synaptics.exe

pid	process
1644	RVN.exe
4352	TXPlatforn.exe
1164	TXPlatforn.exe
3656	HD_fafacde20582d467fd1f98b7fc69b35233f1d013542f4488937e7763e7c2e192.exe
872	._cache_HD_fafacde20582d467fd1f98b7fc69b35233f1d013542f4488937e7763e7c2e192.exe
2160	Synaptics.exe
3992	._cache_Synaptics.exe

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/1644-137-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/1644-140-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/1644-141-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/1644-139-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/4352-146-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/4352-149-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/4352-150-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/1644-154-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/4352-156-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/1164-164-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/1164-166-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/1164-172-0x0000000010000000-0x00000000101B6000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

HD_fafacde20582d467fd1f98b7fc69b35233f1d013542f4488937e7763e7c2e192.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	HD_fafacde20582d467fd1f98b7fc69b35233f1d013542f4488937e7763e7c2e192.exe

Drops file in System32 directory 2 IoCs

Processes:

RVN.exe

description ioc process

File created C:\Windows\SysWOW64\TXPlatforn.exe RVN.exe
File opened for modification C:\Windows\SysWOW64\TXPlatforn.exe RVN.exe

description	ioc	process
File created	C:\Windows\SysWOW64\TXPlatforn.exe	RVN.exe
File opened for modification	C:\Windows\SysWOW64\TXPlatforn.exe	RVN.exe

Drops file in Program Files directory 5 IoCs

Processes:

fafacde20582d467fd1f98b7fc69b35233f1d013542f4488937e7763e7c2e192.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	fafacde20582d467fd1f98b7fc69b35233f1d013542f4488937e7763e7c2e192.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	fafacde20582d467fd1f98b7fc69b35233f1d013542f4488937e7763e7c2e192.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	fafacde20582d467fd1f98b7fc69b35233f1d013542f4488937e7763e7c2e192.exe
File created	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	fafacde20582d467fd1f98b7fc69b35233f1d013542f4488937e7763e7c2e192.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	fafacde20582d467fd1f98b7fc69b35233f1d013542f4488937e7763e7c2e192.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 2 IoCs

Processes:

HD_fafacde20582d467fd1f98b7fc69b35233f1d013542f4488937e7763e7c2e192.exeSynaptics.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	HD_fafacde20582d467fd1f98b7fc69b35233f1d013542f4488937e7763e7c2e192.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

4112 PING.EXE
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

824 EXCEL.EXE

pid	process
4112	PING.EXE

pid	process
824	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

fafacde20582d467fd1f98b7fc69b35233f1d013542f4488937e7763e7c2e192.exe

pid	process
2356	fafacde20582d467fd1f98b7fc69b35233f1d013542f4488937e7763e7c2e192.exe
2356	fafacde20582d467fd1f98b7fc69b35233f1d013542f4488937e7763e7c2e192.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

TXPlatforn.exe

pid process

1164 TXPlatforn.exe

pid	process
1164	TXPlatforn.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

RVN.exeTXPlatforn.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	1644	RVN.exe
Token: SeLoadDriverPrivilege	1164	TXPlatforn.exe
Token: 33	1164	TXPlatforn.exe
Token: SeIncBasePriorityPrivilege	1164	TXPlatforn.exe
Token: 33	1164	TXPlatforn.exe
Token: SeIncBasePriorityPrivilege	1164	TXPlatforn.exe

Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

fafacde20582d467fd1f98b7fc69b35233f1d013542f4488937e7763e7c2e192.exeEXCEL.EXE

pid	process
2356	fafacde20582d467fd1f98b7fc69b35233f1d013542f4488937e7763e7c2e192.exe
2356	fafacde20582d467fd1f98b7fc69b35233f1d013542f4488937e7763e7c2e192.exe
824	EXCEL.EXE
824	EXCEL.EXE
824	EXCEL.EXE
824	EXCEL.EXE
824	EXCEL.EXE

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

fafacde20582d467fd1f98b7fc69b35233f1d013542f4488937e7763e7c2e192.exeTXPlatforn.exeRVN.execmd.exeHD_fafacde20582d467fd1f98b7fc69b35233f1d013542f4488937e7763e7c2e192.exeSynaptics.exe

description	pid	process	target process
PID 2356 wrote to memory of 1644	2356	fafacde20582d467fd1f98b7fc69b35233f1d013542f4488937e7763e7c2e192.exe	RVN.exe
PID 2356 wrote to memory of 1644	2356	fafacde20582d467fd1f98b7fc69b35233f1d013542f4488937e7763e7c2e192.exe	RVN.exe
PID 2356 wrote to memory of 1644	2356	fafacde20582d467fd1f98b7fc69b35233f1d013542f4488937e7763e7c2e192.exe	RVN.exe
PID 4352 wrote to memory of 1164	4352	TXPlatforn.exe	TXPlatforn.exe
PID 4352 wrote to memory of 1164	4352	TXPlatforn.exe	TXPlatforn.exe
PID 4352 wrote to memory of 1164	4352	TXPlatforn.exe	TXPlatforn.exe
PID 1644 wrote to memory of 2900	1644	RVN.exe	cmd.exe
PID 1644 wrote to memory of 2900	1644	RVN.exe	cmd.exe
PID 1644 wrote to memory of 2900	1644	RVN.exe	cmd.exe
PID 2356 wrote to memory of 3656	2356	fafacde20582d467fd1f98b7fc69b35233f1d013542f4488937e7763e7c2e192.exe	HD_fafacde20582d467fd1f98b7fc69b35233f1d013542f4488937e7763e7c2e192.exe
PID 2356 wrote to memory of 3656	2356	fafacde20582d467fd1f98b7fc69b35233f1d013542f4488937e7763e7c2e192.exe	HD_fafacde20582d467fd1f98b7fc69b35233f1d013542f4488937e7763e7c2e192.exe
PID 2356 wrote to memory of 3656	2356	fafacde20582d467fd1f98b7fc69b35233f1d013542f4488937e7763e7c2e192.exe	HD_fafacde20582d467fd1f98b7fc69b35233f1d013542f4488937e7763e7c2e192.exe
PID 2900 wrote to memory of 4112	2900	cmd.exe	PING.EXE
PID 2900 wrote to memory of 4112	2900	cmd.exe	PING.EXE
PID 2900 wrote to memory of 4112	2900	cmd.exe	PING.EXE
PID 3656 wrote to memory of 872	3656	HD_fafacde20582d467fd1f98b7fc69b35233f1d013542f4488937e7763e7c2e192.exe	._cache_HD_fafacde20582d467fd1f98b7fc69b35233f1d013542f4488937e7763e7c2e192.exe
PID 3656 wrote to memory of 872	3656	HD_fafacde20582d467fd1f98b7fc69b35233f1d013542f4488937e7763e7c2e192.exe	._cache_HD_fafacde20582d467fd1f98b7fc69b35233f1d013542f4488937e7763e7c2e192.exe
PID 3656 wrote to memory of 872	3656	HD_fafacde20582d467fd1f98b7fc69b35233f1d013542f4488937e7763e7c2e192.exe	._cache_HD_fafacde20582d467fd1f98b7fc69b35233f1d013542f4488937e7763e7c2e192.exe
PID 3656 wrote to memory of 2160	3656	HD_fafacde20582d467fd1f98b7fc69b35233f1d013542f4488937e7763e7c2e192.exe	Synaptics.exe
PID 3656 wrote to memory of 2160	3656	HD_fafacde20582d467fd1f98b7fc69b35233f1d013542f4488937e7763e7c2e192.exe	Synaptics.exe
PID 3656 wrote to memory of 2160	3656	HD_fafacde20582d467fd1f98b7fc69b35233f1d013542f4488937e7763e7c2e192.exe	Synaptics.exe
PID 2160 wrote to memory of 3992	2160	Synaptics.exe	._cache_Synaptics.exe
PID 2160 wrote to memory of 3992	2160	Synaptics.exe	._cache_Synaptics.exe
PID 2160 wrote to memory of 3992	2160	Synaptics.exe	._cache_Synaptics.exe

C:\Users\Admin\AppData\Local\Temp\fafacde20582d467fd1f98b7fc69b35233f1d013542f4488937e7763e7c2e192.exe
"C:\Users\Admin\AppData\Local\Temp\fafacde20582d467fd1f98b7fc69b35233f1d013542f4488937e7763e7c2e192.exe"
1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2356

C:\Users\Admin\AppData\Local\Temp\RVN.exe
C:\Users\Admin\AppData\Local\Temp\\RVN.exe
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1644

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\RVN.exe > nul
3⤵
- Suspicious use of WriteProcessMemory
PID:2900

C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
4⤵
- Runs ping.exe
PID:4112

C:\Users\Admin\AppData\Local\Temp\HD_fafacde20582d467fd1f98b7fc69b35233f1d013542f4488937e7763e7c2e192.exe
C:\Users\Admin\AppData\Local\Temp\HD_fafacde20582d467fd1f98b7fc69b35233f1d013542f4488937e7763e7c2e192.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3656

C:\Users\Admin\AppData\Local\Temp\._cache_HD_fafacde20582d467fd1f98b7fc69b35233f1d013542f4488937e7763e7c2e192.exe
"C:\Users\Admin\AppData\Local\Temp\._cache_HD_fafacde20582d467fd1f98b7fc69b35233f1d013542f4488937e7763e7c2e192.exe"
3⤵
- Executes dropped EXE
PID:872

C:\ProgramData\Synaptics\Synaptics.exe
"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
3⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2160

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
4⤵
- Executes dropped EXE
PID:3992

C:\Windows\SysWOW64\TXPlatforn.exe
C:\Windows\SysWOW64\TXPlatforn.exe -auto
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4352

C:\Windows\SysWOW64\TXPlatforn.exe
C:\Windows\SysWOW64\TXPlatforn.exe -acsi
2⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Executes dropped EXE
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
PID:1164

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:824

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe
Filesize
1.6MB

MD5
f197e2437b457e87ded2bc5c47cf2631

SHA1
1cb55e9a652a02fe6537bae6da61ea716d4b04d0

SHA256
98ad0b99f7d1b83a24876dac3b98cbee48083f70775eb2400d474ccd4f18e8fb

SHA512
90d1bbe3786b8e6875bcefbbb6af06c00d020bc00752a89d10c18468dc0740440203e6971e78e228a477961fc8a56de7a6ecac171e89c0ba516a636d66a9beb7

Download Submit
C:\ProgramData\Synaptics\Synaptics.exe
Filesize
1.6MB

MD5
f197e2437b457e87ded2bc5c47cf2631

SHA1
1cb55e9a652a02fe6537bae6da61ea716d4b04d0

SHA256
98ad0b99f7d1b83a24876dac3b98cbee48083f70775eb2400d474ccd4f18e8fb

SHA512
90d1bbe3786b8e6875bcefbbb6af06c00d020bc00752a89d10c18468dc0740440203e6971e78e228a477961fc8a56de7a6ecac171e89c0ba516a636d66a9beb7

Download Submit
C:\ProgramData\Synaptics\Synaptics.exe
Filesize
1.6MB

MD5
f197e2437b457e87ded2bc5c47cf2631

SHA1
1cb55e9a652a02fe6537bae6da61ea716d4b04d0

SHA256
98ad0b99f7d1b83a24876dac3b98cbee48083f70775eb2400d474ccd4f18e8fb

SHA512
90d1bbe3786b8e6875bcefbbb6af06c00d020bc00752a89d10c18468dc0740440203e6971e78e228a477961fc8a56de7a6ecac171e89c0ba516a636d66a9beb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_HD_fafacde20582d467fd1f98b7fc69b35233f1d013542f4488937e7763e7c2e192.exe
Filesize
859KB

MD5
295dd02dead7ca1ac4f42cc6cea2ca5e

SHA1
7bea8bf050039edaa4706135bc36651250876f95

SHA256
b77b542ddb10f2327b75ac6fbb144499b898d9c8e26028a18fc7955851176ed7

SHA512
47eab9bf2ec65e1ad774c6699e3e613db74edf1e32008e57c3eea63b2fb60e1218443935921f0da8a2576aaad9e798458171b78bbd4220e24a70196d0ca9ea31

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_HD_fafacde20582d467fd1f98b7fc69b35233f1d013542f4488937e7763e7c2e192.exe
Filesize
859KB

MD5
295dd02dead7ca1ac4f42cc6cea2ca5e

SHA1
7bea8bf050039edaa4706135bc36651250876f95

SHA256
b77b542ddb10f2327b75ac6fbb144499b898d9c8e26028a18fc7955851176ed7

SHA512
47eab9bf2ec65e1ad774c6699e3e613db74edf1e32008e57c3eea63b2fb60e1218443935921f0da8a2576aaad9e798458171b78bbd4220e24a70196d0ca9ea31

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_HD_fafacde20582d467fd1f98b7fc69b35233f1d013542f4488937e7763e7c2e192.exe
Filesize
859KB

MD5
295dd02dead7ca1ac4f42cc6cea2ca5e

SHA1
7bea8bf050039edaa4706135bc36651250876f95

SHA256
b77b542ddb10f2327b75ac6fbb144499b898d9c8e26028a18fc7955851176ed7

SHA512
47eab9bf2ec65e1ad774c6699e3e613db74edf1e32008e57c3eea63b2fb60e1218443935921f0da8a2576aaad9e798458171b78bbd4220e24a70196d0ca9ea31

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
Filesize
859KB

MD5
295dd02dead7ca1ac4f42cc6cea2ca5e

SHA1
7bea8bf050039edaa4706135bc36651250876f95

SHA256
b77b542ddb10f2327b75ac6fbb144499b898d9c8e26028a18fc7955851176ed7

SHA512
47eab9bf2ec65e1ad774c6699e3e613db74edf1e32008e57c3eea63b2fb60e1218443935921f0da8a2576aaad9e798458171b78bbd4220e24a70196d0ca9ea31

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
Filesize
859KB

MD5
295dd02dead7ca1ac4f42cc6cea2ca5e

SHA1
7bea8bf050039edaa4706135bc36651250876f95

SHA256
b77b542ddb10f2327b75ac6fbb144499b898d9c8e26028a18fc7955851176ed7

SHA512
47eab9bf2ec65e1ad774c6699e3e613db74edf1e32008e57c3eea63b2fb60e1218443935921f0da8a2576aaad9e798458171b78bbd4220e24a70196d0ca9ea31

Download Submit
C:\Users\Admin\AppData\Local\Temp\2OTD6rSQ.xlsm
Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\HD_X.dat
Filesize
1.2MB

MD5
84170a8a55c38047d47a5eff180b59bf

SHA1
b3c86c56ac25829e2e53ae7d7d90db60797d9e88

SHA256
a06d1f4b6bced5fbb5f8201a51ee79e48fcae1e4f98b9ff6f3aca11da16d4638

SHA512
922594521440e3be91e19bc48b7bff01c6718641b9cfc640581c5f591129faef224c1745664c81efc7b9ddaf743efb89fbc973d8fd73aec4e15bb1d498b206a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\HD_fafacde20582d467fd1f98b7fc69b35233f1d013542f4488937e7763e7c2e192.exe
Filesize
1.6MB

MD5
f197e2437b457e87ded2bc5c47cf2631

SHA1
1cb55e9a652a02fe6537bae6da61ea716d4b04d0

SHA256
98ad0b99f7d1b83a24876dac3b98cbee48083f70775eb2400d474ccd4f18e8fb

SHA512
90d1bbe3786b8e6875bcefbbb6af06c00d020bc00752a89d10c18468dc0740440203e6971e78e228a477961fc8a56de7a6ecac171e89c0ba516a636d66a9beb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\HD_fafacde20582d467fd1f98b7fc69b35233f1d013542f4488937e7763e7c2e192.exe
Filesize
1.6MB

MD5
f197e2437b457e87ded2bc5c47cf2631

SHA1
1cb55e9a652a02fe6537bae6da61ea716d4b04d0

SHA256
98ad0b99f7d1b83a24876dac3b98cbee48083f70775eb2400d474ccd4f18e8fb

SHA512
90d1bbe3786b8e6875bcefbbb6af06c00d020bc00752a89d10c18468dc0740440203e6971e78e228a477961fc8a56de7a6ecac171e89c0ba516a636d66a9beb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\RVN.exe
Filesize
377KB

MD5
80ade1893dec9cab7f2e63538a464fcc

SHA1
c06614da33a65eddb506db00a124a3fc3f5be02e

SHA256
57a920389c044e3f5cf93dabff67070b4511e79779b6f874e08f92d8b0d7afbd

SHA512
fffd4f3fccb5301b3c7a5b3bd92747f31549fbd9d0803fe5d502d1bb0ef979140988718c2ee1406ed3e755790d275185e120a56cbcb5ed2eadf62b5cdbfc4cc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RVN.exe
Filesize
377KB

MD5
80ade1893dec9cab7f2e63538a464fcc

SHA1
c06614da33a65eddb506db00a124a3fc3f5be02e

SHA256
57a920389c044e3f5cf93dabff67070b4511e79779b6f874e08f92d8b0d7afbd

SHA512
fffd4f3fccb5301b3c7a5b3bd92747f31549fbd9d0803fe5d502d1bb0ef979140988718c2ee1406ed3e755790d275185e120a56cbcb5ed2eadf62b5cdbfc4cc4

Download Submit
C:\Windows\SysWOW64\TXPlatforn.exe
Filesize
377KB

MD5
80ade1893dec9cab7f2e63538a464fcc

SHA1
c06614da33a65eddb506db00a124a3fc3f5be02e

SHA256
57a920389c044e3f5cf93dabff67070b4511e79779b6f874e08f92d8b0d7afbd

SHA512
fffd4f3fccb5301b3c7a5b3bd92747f31549fbd9d0803fe5d502d1bb0ef979140988718c2ee1406ed3e755790d275185e120a56cbcb5ed2eadf62b5cdbfc4cc4

Download Submit
C:\Windows\SysWOW64\TXPlatforn.exe
Filesize
377KB

MD5
80ade1893dec9cab7f2e63538a464fcc

SHA1
c06614da33a65eddb506db00a124a3fc3f5be02e

SHA256
57a920389c044e3f5cf93dabff67070b4511e79779b6f874e08f92d8b0d7afbd

SHA512
fffd4f3fccb5301b3c7a5b3bd92747f31549fbd9d0803fe5d502d1bb0ef979140988718c2ee1406ed3e755790d275185e120a56cbcb5ed2eadf62b5cdbfc4cc4

Download Submit
C:\Windows\SysWOW64\TXPlatforn.exe
Filesize
377KB

MD5
80ade1893dec9cab7f2e63538a464fcc

SHA1
c06614da33a65eddb506db00a124a3fc3f5be02e

SHA256
57a920389c044e3f5cf93dabff67070b4511e79779b6f874e08f92d8b0d7afbd

SHA512
fffd4f3fccb5301b3c7a5b3bd92747f31549fbd9d0803fe5d502d1bb0ef979140988718c2ee1406ed3e755790d275185e120a56cbcb5ed2eadf62b5cdbfc4cc4

Download Submit
memory/824-424-0x00007FFE3E250000-0x00007FFE3E445000-memory.dmp

Filesize
2.0MB

Download
memory/824-422-0x00007FFE3E250000-0x00007FFE3E445000-memory.dmp

Filesize
2.0MB

Download
memory/824-428-0x00007FFDFB9A0000-0x00007FFDFB9B0000-memory.dmp

Filesize
64KB

Download
memory/824-427-0x00007FFE3E250000-0x00007FFE3E445000-memory.dmp

Filesize
2.0MB

Download
memory/824-426-0x00007FFE3E250000-0x00007FFE3E445000-memory.dmp

Filesize
2.0MB

Download
memory/824-425-0x00007FFE3E250000-0x00007FFE3E445000-memory.dmp

Filesize
2.0MB

Download
memory/824-430-0x00007FFDFB9A0000-0x00007FFDFB9B0000-memory.dmp

Filesize
64KB

Download
memory/824-413-0x00007FFE3E250000-0x00007FFE3E445000-memory.dmp

Filesize
2.0MB

Download
memory/824-446-0x00007FFE3E250000-0x00007FFE3E445000-memory.dmp

Filesize
2.0MB

Download
memory/824-429-0x00007FFE3E250000-0x00007FFE3E445000-memory.dmp

Filesize
2.0MB

Download
memory/824-420-0x00007FFE3E250000-0x00007FFE3E445000-memory.dmp

Filesize
2.0MB

Download
memory/824-421-0x00007FFDFE2D0000-0x00007FFDFE2E0000-memory.dmp

Filesize
64KB

Download
memory/824-418-0x00007FFDFE2D0000-0x00007FFDFE2E0000-memory.dmp

Filesize
64KB

Download
memory/824-419-0x00007FFE3E250000-0x00007FFE3E445000-memory.dmp

Filesize
2.0MB

Download
memory/824-414-0x00007FFDFE2D0000-0x00007FFDFE2E0000-memory.dmp

Filesize
64KB

Download
memory/824-417-0x00007FFE3E250000-0x00007FFE3E445000-memory.dmp

Filesize
2.0MB

Download
memory/824-416-0x00007FFDFE2D0000-0x00007FFDFE2E0000-memory.dmp

Filesize
64KB

Download
memory/824-415-0x00007FFE3E250000-0x00007FFE3E445000-memory.dmp

Filesize
2.0MB

Download
memory/824-412-0x00007FFDFE2D0000-0x00007FFDFE2E0000-memory.dmp

Filesize
64KB

Download
memory/872-272-0x0000000000400000-0x0000000000697000-memory.dmp

Filesize
2.6MB

Download
memory/872-338-0x0000000002250000-0x0000000002251000-memory.dmp

Filesize
4KB

Download
memory/872-442-0x0000000002250000-0x0000000002251000-memory.dmp

Filesize
4KB

Download
memory/872-444-0x0000000000400000-0x0000000000697000-memory.dmp

Filesize
2.6MB

Download
memory/1164-172-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/1164-164-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/1164-166-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/1644-154-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/1644-139-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/1644-141-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/1644-140-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/1644-137-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2160-445-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/2160-346-0x0000000000720000-0x0000000000721000-memory.dmp

Filesize
4KB

Download
memory/2160-443-0x0000000000720000-0x0000000000721000-memory.dmp

Filesize
4KB

Download
memory/2160-496-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/3656-344-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/3656-163-0x00000000021F0000-0x00000000021F1000-memory.dmp

Filesize
4KB

Download
memory/3992-423-0x0000000000400000-0x0000000000697000-memory.dmp

Filesize
2.6MB

Download
memory/3992-408-0x00000000007D0000-0x00000000007D1000-memory.dmp

Filesize
4KB

Download
memory/3992-406-0x0000000000400000-0x0000000000697000-memory.dmp

Filesize
2.6MB

Download
memory/4352-150-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/4352-149-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/4352-146-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/4352-156-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download