gh0strat | ad703f331424f586f1fa115208df9a9358eda25570716c933139869f98807e3d

Analysis

max time kernel
150s
max time network
141s
platform
windows7_x64
resource
win7-20231025-en
resource tags

arch:x64arch:x86image:win7-20231025-enlocale:en-usos:windows7-x64system
submitted
14/11/2023, 12:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ad703f331424f586f1fa115208df9a9358eda25570716c933139869f98807e3d.exe
Size

4.0MB
MD5

b775a85be1fe185df0fe41762e79c5b4
SHA1

736c0db14bd496091a888e640d7ec9d3fad62f0b
SHA256

ad703f331424f586f1fa115208df9a9358eda25570716c933139869f98807e3d
SHA512

2ce01c0a669c8bac32502ca54289b14d682ded403038530b9ebac62c3443eb4c18b49b22a98fdaaf0bc3a4826103a729825d08636c266461ab460cb9587f7de3
SSDEEP

49152:OCwsbCANnKXferL7Vwe/Gg0P+Wh3E4nsHyjtk2MYC5GDNCSdpX91d9k6X+l:pws2ANnKXOaeOgmh/nsmtk2a7SdpX9fw

Score

10^/10

gh0strat purplefox persistence rat rootkit trojan upx

Malware Config

Signatures

Detect PurpleFox Rootkit 7 IoCs

Detect PurpleFox Rootkit.

rootkit

resource	yara_rule
behavioral1/memory/2912-21-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/2912-20-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/2612-40-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/2912-30-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/1928-41-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/1928-51-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/1928-57-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit

Gh0st RAT payload 11 IoCs

resource	yara_rule
behavioral1/files/0x00080000000120ed-6.dat	family_gh0strat
behavioral1/files/0x00080000000120ed-9.dat	family_gh0strat
behavioral1/files/0x00080000000120ed-11.dat	family_gh0strat
behavioral1/memory/2912-21-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/2912-20-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/2612-40-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/2912-30-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/1928-41-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/1928-51-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/1928-57-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/files/0x00080000000120ed-92.dat	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
PurpleFox
PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
rootkit trojan purplefox

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32\drivers\QAssist.sys	TXPlatfor.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Remote Data\Parameters\ServiceDll = "C:\\Windows\\system32\\259408961.txt"	R.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys"	TXPlatfor.exe

Executes dropped EXE 9 IoCs

pid	Process
2140	R.exe
2912	N.exe
2612	TXPlatfor.exe
1928	TXPlatfor.exe
2904	HD_ad703f331424f586f1fa115208df9a9358eda25570716c933139869f98807e3d.exe
1892	._cache_HD_ad703f331424f586f1fa115208df9a9358eda25570716c933139869f98807e3d.exe
1860	Synaptics.exe
1704	Remote Data.exe
2860	._cache_Synaptics.exe

Loads dropped DLL 15 IoCs

pid	Process
1804	ad703f331424f586f1fa115208df9a9358eda25570716c933139869f98807e3d.exe
2140	R.exe
2316	svchost.exe
1804	ad703f331424f586f1fa115208df9a9358eda25570716c933139869f98807e3d.exe
2612	TXPlatfor.exe
1804	ad703f331424f586f1fa115208df9a9358eda25570716c933139869f98807e3d.exe
1804	ad703f331424f586f1fa115208df9a9358eda25570716c933139869f98807e3d.exe
2904	HD_ad703f331424f586f1fa115208df9a9358eda25570716c933139869f98807e3d.exe
2904	HD_ad703f331424f586f1fa115208df9a9358eda25570716c933139869f98807e3d.exe
2904	HD_ad703f331424f586f1fa115208df9a9358eda25570716c933139869f98807e3d.exe
2904	HD_ad703f331424f586f1fa115208df9a9358eda25570716c933139869f98807e3d.exe
2316	svchost.exe
1704	Remote Data.exe
1860	Synaptics.exe
1860	Synaptics.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2912-21-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2912-20-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2912-18-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2612-40-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2912-30-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/1928-41-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/1928-51-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/1928-57-0x0000000010000000-0x00000000101B6000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	HD_ad703f331424f586f1fa115208df9a9358eda25570716c933139869f98807e3d.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Remote Data.exe	svchost.exe
File created	C:\Windows\SysWOW64\TXPlatfor.exe	N.exe
File opened for modification	C:\Windows\SysWOW64\TXPlatfor.exe	N.exe
File created	C:\Windows\SysWOW64\259408961.txt	R.exe
File opened for modification	C:\Windows\SysWOW64\ini.ini	R.exe
File created	C:\Windows\SysWOW64\Remote Data.exe	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Modifies Internet Explorer settings 1 TTPs 51 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\DOMStorage\manyopen.com	._cache_Synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	._cache_HD_ad703f331424f586f1fa115208df9a9358eda25570716c933139869f98807e3d.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "63"	._cache_HD_ad703f331424f586f1fa115208df9a9358eda25570716c933139869f98807e3d.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.manyopen.com\ = "63"	._cache_HD_ad703f331424f586f1fa115208df9a9358eda25570716c933139869f98807e3d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\DOMStorage\manyopen.com\NumberOfSubdomains = "1"	._cache_HD_ad703f331424f586f1fa115208df9a9358eda25570716c933139869f98807e3d.exe
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.manyopen.com	._cache_Synaptics.exe
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.manyopen.com	._cache_HD_ad703f331424f586f1fa115208df9a9358eda25570716c933139869f98807e3d.exe
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	._cache_Synaptics.exe
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "74"	._cache_Synaptics.exe
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	._cache_HD_ad703f331424f586f1fa115208df9a9358eda25570716c933139869f98807e3d.exe
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\DOMStorage\manyopen.com	._cache_HD_ad703f331424f586f1fa115208df9a9358eda25570716c933139869f98807e3d.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\DOMStorage\manyopen.com\Total = "63"	._cache_HD_ad703f331424f586f1fa115208df9a9358eda25570716c933139869f98807e3d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\DOMStorage\manyopen.com\Total = "74"	._cache_Synaptics.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\DOMStorage	._cache_HD_ad703f331424f586f1fa115208df9a9358eda25570716c933139869f98807e3d.exe
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	._cache_HD_ad703f331424f586f1fa115208df9a9358eda25570716c933139869f98807e3d.exe
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	._cache_Synaptics.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Main	._cache_HD_ad703f331424f586f1fa115208df9a9358eda25570716c933139869f98807e3d.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.manyopen.com\ = "74"	._cache_Synaptics.exe
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	._cache_Synaptics.exe
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Main	._cache_Synaptics.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	EXCEL.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment"	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print"	EXCEL.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2532	PING.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3048	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1804	ad703f331424f586f1fa115208df9a9358eda25570716c933139869f98807e3d.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
1928	TXPlatfor.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2912	N.exe
Token: SeLoadDriverPrivilege	1928	TXPlatfor.exe
Token: SeDebugPrivilege	1892	._cache_HD_ad703f331424f586f1fa115208df9a9358eda25570716c933139869f98807e3d.exe
Token: SeDebugPrivilege	2860	._cache_Synaptics.exe
Token: 33	1928	TXPlatfor.exe
Token: SeIncBasePriorityPrivilege	1928	TXPlatfor.exe
Token: 33	1928	TXPlatfor.exe
Token: SeIncBasePriorityPrivilege	1928	TXPlatfor.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
1804	ad703f331424f586f1fa115208df9a9358eda25570716c933139869f98807e3d.exe
1804	ad703f331424f586f1fa115208df9a9358eda25570716c933139869f98807e3d.exe
1892	._cache_HD_ad703f331424f586f1fa115208df9a9358eda25570716c933139869f98807e3d.exe
1892	._cache_HD_ad703f331424f586f1fa115208df9a9358eda25570716c933139869f98807e3d.exe
2860	._cache_Synaptics.exe
2860	._cache_Synaptics.exe
3048	EXCEL.EXE

Suspicious use of WriteProcessMemory 46 IoCs

description	pid	Process	procid_target
PID 1804 wrote to memory of 2140	1804	ad703f331424f586f1fa115208df9a9358eda25570716c933139869f98807e3d.exe	28
PID 1804 wrote to memory of 2140	1804	ad703f331424f586f1fa115208df9a9358eda25570716c933139869f98807e3d.exe	28
PID 1804 wrote to memory of 2140	1804	ad703f331424f586f1fa115208df9a9358eda25570716c933139869f98807e3d.exe	28
PID 1804 wrote to memory of 2140	1804	ad703f331424f586f1fa115208df9a9358eda25570716c933139869f98807e3d.exe	28
PID 1804 wrote to memory of 2912	1804	ad703f331424f586f1fa115208df9a9358eda25570716c933139869f98807e3d.exe	31
PID 1804 wrote to memory of 2912	1804	ad703f331424f586f1fa115208df9a9358eda25570716c933139869f98807e3d.exe	31
PID 1804 wrote to memory of 2912	1804	ad703f331424f586f1fa115208df9a9358eda25570716c933139869f98807e3d.exe	31
PID 1804 wrote to memory of 2912	1804	ad703f331424f586f1fa115208df9a9358eda25570716c933139869f98807e3d.exe	31
PID 1804 wrote to memory of 2912	1804	ad703f331424f586f1fa115208df9a9358eda25570716c933139869f98807e3d.exe	31
PID 1804 wrote to memory of 2912	1804	ad703f331424f586f1fa115208df9a9358eda25570716c933139869f98807e3d.exe	31
PID 1804 wrote to memory of 2912	1804	ad703f331424f586f1fa115208df9a9358eda25570716c933139869f98807e3d.exe	31
PID 2912 wrote to memory of 2720	2912	N.exe	33
PID 2912 wrote to memory of 2720	2912	N.exe	33
PID 2912 wrote to memory of 2720	2912	N.exe	33
PID 2912 wrote to memory of 2720	2912	N.exe	33
PID 2612 wrote to memory of 1928	2612	TXPlatfor.exe	34
PID 2612 wrote to memory of 1928	2612	TXPlatfor.exe	34
PID 2612 wrote to memory of 1928	2612	TXPlatfor.exe	34
PID 2612 wrote to memory of 1928	2612	TXPlatfor.exe	34
PID 2612 wrote to memory of 1928	2612	TXPlatfor.exe	34
PID 2612 wrote to memory of 1928	2612	TXPlatfor.exe	34
PID 2612 wrote to memory of 1928	2612	TXPlatfor.exe	34
PID 1804 wrote to memory of 2904	1804	ad703f331424f586f1fa115208df9a9358eda25570716c933139869f98807e3d.exe	36
PID 1804 wrote to memory of 2904	1804	ad703f331424f586f1fa115208df9a9358eda25570716c933139869f98807e3d.exe	36
PID 1804 wrote to memory of 2904	1804	ad703f331424f586f1fa115208df9a9358eda25570716c933139869f98807e3d.exe	36
PID 1804 wrote to memory of 2904	1804	ad703f331424f586f1fa115208df9a9358eda25570716c933139869f98807e3d.exe	36
PID 2720 wrote to memory of 2532	2720	cmd.exe	37
PID 2720 wrote to memory of 2532	2720	cmd.exe	37
PID 2720 wrote to memory of 2532	2720	cmd.exe	37
PID 2720 wrote to memory of 2532	2720	cmd.exe	37
PID 2904 wrote to memory of 1892	2904	HD_ad703f331424f586f1fa115208df9a9358eda25570716c933139869f98807e3d.exe	38
PID 2904 wrote to memory of 1892	2904	HD_ad703f331424f586f1fa115208df9a9358eda25570716c933139869f98807e3d.exe	38
PID 2904 wrote to memory of 1892	2904	HD_ad703f331424f586f1fa115208df9a9358eda25570716c933139869f98807e3d.exe	38
PID 2904 wrote to memory of 1892	2904	HD_ad703f331424f586f1fa115208df9a9358eda25570716c933139869f98807e3d.exe	38
PID 2904 wrote to memory of 1860	2904	HD_ad703f331424f586f1fa115208df9a9358eda25570716c933139869f98807e3d.exe	39
PID 2904 wrote to memory of 1860	2904	HD_ad703f331424f586f1fa115208df9a9358eda25570716c933139869f98807e3d.exe	39
PID 2904 wrote to memory of 1860	2904	HD_ad703f331424f586f1fa115208df9a9358eda25570716c933139869f98807e3d.exe	39
PID 2904 wrote to memory of 1860	2904	HD_ad703f331424f586f1fa115208df9a9358eda25570716c933139869f98807e3d.exe	39
PID 2316 wrote to memory of 1704	2316	svchost.exe	40
PID 2316 wrote to memory of 1704	2316	svchost.exe	40
PID 2316 wrote to memory of 1704	2316	svchost.exe	40
PID 2316 wrote to memory of 1704	2316	svchost.exe	40
PID 1860 wrote to memory of 2860	1860	Synaptics.exe	42
PID 1860 wrote to memory of 2860	1860	Synaptics.exe	42
PID 1860 wrote to memory of 2860	1860	Synaptics.exe	42
PID 1860 wrote to memory of 2860	1860	Synaptics.exe	42

C:\Users\Admin\AppData\Local\Temp\ad703f331424f586f1fa115208df9a9358eda25570716c933139869f98807e3d.exe
"C:\Users\Admin\AppData\Local\Temp\ad703f331424f586f1fa115208df9a9358eda25570716c933139869f98807e3d.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1804
- C:\Users\Admin\AppData\Local\Temp\R.exe
  C:\Users\Admin\AppData\Local\Temp\\R.exe
  2⤵
  - Sets DLL path for service in the registry
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  PID:2140
- C:\Users\Admin\AppData\Local\Temp\N.exe
  C:\Users\Admin\AppData\Local\Temp\\N.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2912
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\N.exe > nul
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2720
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 2 127.0.0.1
      4⤵
      Runs ping.exe
      PID:2532
- C:\Users\Admin\AppData\Local\Temp\HD_ad703f331424f586f1fa115208df9a9358eda25570716c933139869f98807e3d.exe
  C:\Users\Admin\AppData\Local\Temp\HD_ad703f331424f586f1fa115208df9a9358eda25570716c933139869f98807e3d.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2904
- - C:\Users\Admin\AppData\Local\Temp\._cache_HD_ad703f331424f586f1fa115208df9a9358eda25570716c933139869f98807e3d.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_HD_ad703f331424f586f1fa115208df9a9358eda25570716c933139869f98807e3d.exe"
    3⤵
    - Executes dropped EXE
    - Modifies Internet Explorer settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:1892
- - C:\ProgramData\Synaptics\Synaptics.exe
    "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1860
  - - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
      "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
      4⤵
      Executes dropped EXE
      Modifies Internet Explorer settings
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:2860

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "Remote Data"
1⤵
PID:2340

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "Remote Data"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2316
- C:\Windows\SysWOW64\Remote Data.exe
  "C:\Windows\system32\Remote Data.exe" "c:\windows\system32\259408961.txt",MainThread
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1704

C:\Windows\SysWOW64\TXPlatfor.exe
C:\Windows\SysWOW64\TXPlatfor.exe -auto
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2612
- C:\Windows\SysWOW64\TXPlatfor.exe
  C:\Windows\SysWOW64\TXPlatfor.exe -acsi
  2⤵
  - Drops file in Drivers directory
  - Sets service image path in registry
  - Executes dropped EXE
  - Suspicious behavior: LoadsDriver
  - Suspicious use of AdjustPrivilegeToken
  PID:1928

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
1.7MB

MD5
c9b5b505b52f8d15f569c94cfbf3e96d

SHA1
7998305c76e26fcf09fb3d23728c6314ba5106ae

SHA256
12239638f014ba4dd052d1115728a789b0f8d26b7cdc04f2da2a73daf2a5c651

SHA512
45154bcfaf2fb8506e81d26147ad08939485228fe168b953ba49fefa6df685adcb68f590550bd93a4c3a2e0d6afc2ea2162c37f22679efad4ad9d49cd1fedc88

Download Submit
C:\ProgramData\Synaptics\Synaptics.exe

Filesize
1.7MB

MD5
c9b5b505b52f8d15f569c94cfbf3e96d

SHA1
7998305c76e26fcf09fb3d23728c6314ba5106ae

SHA256
12239638f014ba4dd052d1115728a789b0f8d26b7cdc04f2da2a73daf2a5c651

SHA512
45154bcfaf2fb8506e81d26147ad08939485228fe168b953ba49fefa6df685adcb68f590550bd93a4c3a2e0d6afc2ea2162c37f22679efad4ad9d49cd1fedc88

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0DA515F703BB9B49479E8697ADB0B955_4136D3715888E22D65EBE484B233D81B

Filesize
1KB

MD5
49cfe43f53a1e0991c86ca8f65e8c4d1

SHA1
b7b13c570bec87ed2dd630c4f23d7f35b42889e0

SHA256
cb55d38795e9aacbf24712b6fd1bafc77b08202d4a6613110143058ed7e02009

SHA512
0b0354bc976f17e6a93a169af0a1422b40dee0f3c24c90d17c6d0d84995989924b94df853f0baeecf6f59a30ab1977671f96d3a93f4b72ed3427609d8fe1167c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\349D186F1CB5682FA0194D4F3754EF36_CE21678B3713ACF5F5ED4AAA700C6173

Filesize
1KB

MD5
cb791aa59607f320cd9de26b373c172b

SHA1
d0ad6bc62c5222332259ceca51d79c724778414a

SHA256
c6c4bb5c17c1bae5ae2ee87afb0eba02a34d8f21d7ce1f84925e42c5576bdf54

SHA512
0b6d48ee235d9e335879b08f63e90241d50342417295ef5a72c4b40301847836d8542c779b3a977503ae753f5d3eea6575cc1f049da8fe1ec184fccdb6c7228b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B039FEA45CB4CC4BBACFC013C7C55604_50D7940D5D3FEDD8634D83074C7A46A3

Filesize
1KB

MD5
3fe148a9032bfaa7fe12fbea65875455

SHA1
c1cd4c90b94264a6c1ae734250431b11be2203eb

SHA256
00d6c665730149c045bd479dc7f18bb900f3557b3658fa2ae6e91e8366d22b9e

SHA512
fffd10702d7a0b48b321411c1e16778fd582a1efdb326324c7b8385f64c34d646855870d2ee02297827d077914e10ea40923eb70698e6cd65da5961eada06175

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\0DA515F703BB9B49479E8697ADB0B955_4136D3715888E22D65EBE484B233D81B

Filesize
508B

MD5
26c0dee382df4fe26b3229b9ebde8c9f

SHA1
1fc3ee343d067ce5d533e11a519b956c5a7f5fac

SHA256
e5ce64ac746f873b1939ad83822384c15ca436354b9160770d020061daa46e21

SHA512
b7f120411c1d3c43ad0b7e2b6789830496921a8c1819159e96b171d7dadff27192b2b14ef2551b3aaf6b25d7722e4b9ef78aceebcd74ae07dd22a84481f4e9dd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\349D186F1CB5682FA0194D4F3754EF36_CE21678B3713ACF5F5ED4AAA700C6173

Filesize
540B

MD5
58cbab24d40df77f5a034c30bc63e16d

SHA1
a06df5c5a0d629727f16de37f054213309e9daf6

SHA256
414af83364cdef7840acf0c7de3ac33f6d8e9fec873eef7d729e495ad91033ff

SHA512
08f5008276eef148f073f7852f5e43507b7dd73588e81ed0f80691858b5864769d2e377caf78b82eafd92838e05c92e9c6b9d1e701bfcd528936d9d6d111e7c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
cd08319e218c2b6ae655de687b5899bb

SHA1
b15fb0f5277a6cad587ca75e41da38b5685227eb

SHA256
5a1354ee3416b65fed31cf424420aa39af30863c218077e2cd4052ba002a3e71

SHA512
3b25c3fc6bf361a01f1fbc79b06b757d2513aa764b3f4f1e8eca99be168d37dddb661ed5ba12cefff6275c0ab4ece99934929f6e16084df6395effd24c0ab130

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B039FEA45CB4CC4BBACFC013C7C55604_50D7940D5D3FEDD8634D83074C7A46A3

Filesize
506B

MD5
5655941c7f8e26a2211deb19ce8b7d53

SHA1
352027957759f5f5a382681653b41382bd5ef51e

SHA256
09cee679e1b5ffdcd0c355808eaccd174a7c5ac9df3ec77b6c5ace99c13072b2

SHA512
64ff1681eb0c2f21decca4ee9525ccd825063f2af3f43c206a4c6c6a9fbdc72fc826d6136e1393e32324ff55c4cce5d404ec6e076d96f38ecab94010cd0ca3da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\ZDV60FHI\www.manyopen[1].xml

Filesize
137B

MD5
a807991b11f1ddff0db9c5c19795c5aa

SHA1
5806b8a1a640973401e9997a425b29cc553cd3d7

SHA256
6201c8b7be9c60c26bf822db22159d11f33491dba6dffd10d1ccd214a37db620

SHA512
a9aa0715cfe12a640d6d61822f1db1de3c7e378259fd9efca30c84e7ba98efdd2aaf70d73cb880c3c6779254387a2c293154b441a89caf4926abd2a60cbc305b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7TVQOT0Y\btn2[1].png

Filesize
4KB

MD5
0ebc0da8c749a808e70478fcc6df12e2

SHA1
13f48600caf04259419cebf2b9938deb7e36e22c

SHA256
28155891d0eaf2be40e2e292ece8e58ef8c9e29fa800c3b2b4e9d9d18cec63d3

SHA512
dea9c1029d080ceff1ff93d85acb876d0931115c82254d76f94be5d4aa315cf6efa08ae8aeb1477e1f86701dfc0b1ead2559dc757f753f8ab3cc9465fe4c0961

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7TVQOT0Y\hm[1].js

Filesize
29KB

MD5
fdbff24217758ac780dae61b4e2cea60

SHA1
c52f017b3d2196675eb1efda613972171d503cb5

SHA256
9f402dd1e78e66678e8385c3a1877cb7f926580e85d021bd6e7f25b232587ca6

SHA512
6efc2256020622088b1ddff921d0cb3ead595e24846ba4579d873290d63f50f45ab1ae0ff9a0fbc05df114620377afca8facf1e221f8a269186816001802cd39

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7TVQOT0Y\style[1].css

Filesize
1KB

MD5
48cf8b54214c8b670db0c002f6d604f4

SHA1
e482ed2c6f5a17c3f27c386e818e2c40cc4aa6e0

SHA256
79f5f64af255ce830de8aa886cddb67a7db5db77e4e903c0504d35ef8756254b

SHA512
fabe4a0149dde55b67e1cf90e1622c4608cb9116ebc152c4d02c9a5c1b13fe0a9b5361004c73b4c3e6b99f00a734d48995decdd576964970d4fe2f0f4f010500

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9G8QJ0N4\btn1[1].png

Filesize
223B

MD5
15f0703dd82b4cafcd9440a164c2d61e

SHA1
8086b8f065ccd95a32e6a46f3030e3bae59fd0d9

SHA256
be39b5e8e3dbf75ec3c1230fb93bf0e62328e7a0e0a256eb76d0864a6ffa75c9

SHA512
3ef9bc07bfca750a795bb423ffe6a00a3b993b63495801205b95508d1ba14b59c2661a7eb755de0cbb11b88d00adc6157c7b9fb15f6b90e4a5de05496a4b28d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9G8QJ0N4\wbg[1].png

Filesize
48KB

MD5
2f05d27d47f274f7ba77b97eca6e947a

SHA1
a2e377744466f6f4a2c2cbf91af50d4cbb9aabcd

SHA256
ea314b0ccece8963496dab2ccf9ec74249c2bbdc963b6f874837e883e32e0b46

SHA512
090d5caeb96279dd9dd23cabebdff1b651e4075fd51d005093cb3555468f59a55b1537cfe4771445d8217d7bee8c61e76bf910d31559c6199d9fac208fb85f0e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HNDI6Z3B\index[1].js

Filesize
962B

MD5
f0878c3f92d9e45806da9119af747f48

SHA1
287d51546a4e2b31f22c669a6419b9b4b4b6c667

SHA256
417940faaaa7bc4b82a5b17dc7c5c0cafedad43578ddb34821638f494159cea6

SHA512
4dac0d018c0fbe7029886e6d77bf908ff6f387a435f4c94d897a6d53ea99f5f222481a49eab27b6f25f9629be62e1af2c014b88fb76e707f08f2706da00ad34a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HNDI6Z3B\jquery.min[1].js

Filesize
82KB

MD5
7f9fb969ce353c5d77707836391eb28d

SHA1
62c4042e9ebc691a5372d653b424512a561d1670

SHA256
2051d61446d4dbffb03727031022a08c84528ab44d203a7669c101e5fbdd5515

SHA512
7a027f63edb63fd350f5a2325428745423ac7f27729fc78d9aa072fb2d829c91be7e9448c57312ea36d63fcb552a9d23a7e34ee67f16b4c5009cd9c6a092a2e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MQDFJ88W\btn4[1].png

Filesize
4KB

MD5
71c6e2f6c9fe26acf87e5bc79c7635f2

SHA1
c367208422b9011987b1bb595fef02aa06f58a50

SHA256
0795a153f6a54023ce4a2968b8b30e5bde6f99bd1212ae6780bd7e5ad7e00fbe

SHA512
ed21f91276399358516d4c82c5b4c8a3d65a5158bcb03266ac7aa54dc7d1153231e9c1281a8955c01d0015d5d214caa5a67cafb8711cee377256f764cdfd0cf1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MQDFJ88W\sj[1].png

Filesize
444B

MD5
a42f61b828628fe1651810bcc52ed47b

SHA1
fbd34c991d61fe5f22ef3d8db58f769df677f287

SHA256
92e8c6e61ffe78bcc0f0335378c9361a117565ad3cd61e3846c643745ce6243c

SHA512
40db870714d41127d66d46ebb89118beba5ccd3de2c5a3c881054c32681f9e05bdb74432e72084c6619b90299c773c66b938e6c573c4d3621c61b9af6673759f

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_HD_ad703f331424f586f1fa115208df9a9358eda25570716c933139869f98807e3d.exe

Filesize
970KB

MD5
edbab4ebc71910bb58af2b6b737b079e

SHA1
fed01a601a9dd7c26d23fdaaa7c7df5542de8cbf

SHA256
a4dc120c0b212f81534e8620e97491c34f38c4dabc7340b379c57ea602cbe777

SHA512
6fc3a76acf8be9450e37e51f45c130915bb64489d9ce95308b0386e0e05f5338b4f5d2846d543a2734973449ad30ed5fdda11fcb8fcde9ba2d038ae17c99afbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_HD_ad703f331424f586f1fa115208df9a9358eda25570716c933139869f98807e3d.exe

Filesize
970KB

MD5
edbab4ebc71910bb58af2b6b737b079e

SHA1
fed01a601a9dd7c26d23fdaaa7c7df5542de8cbf

SHA256
a4dc120c0b212f81534e8620e97491c34f38c4dabc7340b379c57ea602cbe777

SHA512
6fc3a76acf8be9450e37e51f45c130915bb64489d9ce95308b0386e0e05f5338b4f5d2846d543a2734973449ad30ed5fdda11fcb8fcde9ba2d038ae17c99afbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_HD_ad703f331424f586f1fa115208df9a9358eda25570716c933139869f98807e3d.exe

Filesize
970KB

MD5
edbab4ebc71910bb58af2b6b737b079e

SHA1
fed01a601a9dd7c26d23fdaaa7c7df5542de8cbf

SHA256
a4dc120c0b212f81534e8620e97491c34f38c4dabc7340b379c57ea602cbe777

SHA512
6fc3a76acf8be9450e37e51f45c130915bb64489d9ce95308b0386e0e05f5338b4f5d2846d543a2734973449ad30ed5fdda11fcb8fcde9ba2d038ae17c99afbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

Filesize
970KB

MD5
edbab4ebc71910bb58af2b6b737b079e

SHA1
fed01a601a9dd7c26d23fdaaa7c7df5542de8cbf

SHA256
a4dc120c0b212f81534e8620e97491c34f38c4dabc7340b379c57ea602cbe777

SHA512
6fc3a76acf8be9450e37e51f45c130915bb64489d9ce95308b0386e0e05f5338b4f5d2846d543a2734973449ad30ed5fdda11fcb8fcde9ba2d038ae17c99afbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

Filesize
970KB

MD5
edbab4ebc71910bb58af2b6b737b079e

SHA1
fed01a601a9dd7c26d23fdaaa7c7df5542de8cbf

SHA256
a4dc120c0b212f81534e8620e97491c34f38c4dabc7340b379c57ea602cbe777

SHA512
6fc3a76acf8be9450e37e51f45c130915bb64489d9ce95308b0386e0e05f5338b4f5d2846d543a2734973449ad30ed5fdda11fcb8fcde9ba2d038ae17c99afbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab6FE3.tmp

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\HD_X.dat

Filesize
2.3MB

MD5
58733ef9caf38fd16ab9cab00bfe2eaf

SHA1
7e9971704ca0c84b799bdcba58d04147f36a0be9

SHA256
b4b0b440705afd25f4bfd1b1f8f35c2e6e1bec43dbe0f226132c87dafd119fc6

SHA512
5510b27b60e0ce3d8f3d2beaa3f0a877b96603a5fcb9473f83a277044bc25105869338db645fa83b3e95ed745139c4010a9e342a6da02699dcabc224c5130b6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\HD_ad703f331424f586f1fa115208df9a9358eda25570716c933139869f98807e3d.exe

Filesize
1.7MB

MD5
c9b5b505b52f8d15f569c94cfbf3e96d

SHA1
7998305c76e26fcf09fb3d23728c6314ba5106ae

SHA256
12239638f014ba4dd052d1115728a789b0f8d26b7cdc04f2da2a73daf2a5c651

SHA512
45154bcfaf2fb8506e81d26147ad08939485228fe168b953ba49fefa6df685adcb68f590550bd93a4c3a2e0d6afc2ea2162c37f22679efad4ad9d49cd1fedc88

Download Submit
C:\Users\Admin\AppData\Local\Temp\HD_ad703f331424f586f1fa115208df9a9358eda25570716c933139869f98807e3d.exe

Filesize
1.7MB

MD5
c9b5b505b52f8d15f569c94cfbf3e96d

SHA1
7998305c76e26fcf09fb3d23728c6314ba5106ae

SHA256
12239638f014ba4dd052d1115728a789b0f8d26b7cdc04f2da2a73daf2a5c651

SHA512
45154bcfaf2fb8506e81d26147ad08939485228fe168b953ba49fefa6df685adcb68f590550bd93a4c3a2e0d6afc2ea2162c37f22679efad4ad9d49cd1fedc88

Download Submit
C:\Users\Admin\AppData\Local\Temp\HD_ad703f331424f586f1fa115208df9a9358eda25570716c933139869f98807e3d.exe

Filesize
1.7MB

MD5
c9b5b505b52f8d15f569c94cfbf3e96d

SHA1
7998305c76e26fcf09fb3d23728c6314ba5106ae

SHA256
12239638f014ba4dd052d1115728a789b0f8d26b7cdc04f2da2a73daf2a5c651

SHA512
45154bcfaf2fb8506e81d26147ad08939485228fe168b953ba49fefa6df685adcb68f590550bd93a4c3a2e0d6afc2ea2162c37f22679efad4ad9d49cd1fedc88

Download Submit
C:\Users\Admin\AppData\Local\Temp\IlpwquOB.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\N.exe

Filesize
377KB

MD5
4a36a48e58829c22381572b2040b6fe0

SHA1
f09d30e44ff7e3f20a5de307720f3ad148c6143b

SHA256
3de6c02f52a661b8f934f59541d0cf297bb489eb2155e346b63c7338e09aeaf8

SHA512
5d0ea398792f6b9eb3f188813c50b7f43929183b5733d2b595b2fd1c78722764fd15f62db1086b5c7edfb157661a6dcd544ddd80907ee7699dddbca1ef4022d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\N.exe

Filesize
377KB

MD5
4a36a48e58829c22381572b2040b6fe0

SHA1
f09d30e44ff7e3f20a5de307720f3ad148c6143b

SHA256
3de6c02f52a661b8f934f59541d0cf297bb489eb2155e346b63c7338e09aeaf8

SHA512
5d0ea398792f6b9eb3f188813c50b7f43929183b5733d2b595b2fd1c78722764fd15f62db1086b5c7edfb157661a6dcd544ddd80907ee7699dddbca1ef4022d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\R.exe

Filesize
941KB

MD5
8dc3adf1c490211971c1e2325f1424d2

SHA1
4eec4a4e7cb97c5efa6c72e0731cd090c0c4adc5

SHA256
bc29f2022ab3b812e50c8681ff196f090c038b5ab51e37daffac4469a8c2eb2c

SHA512
ae92ea20b359849dcdba4808119b154e3af5ef3687ee09de1797610fe8c4d3eb9065b068074d35adddb4b225d17c619baff3944cb137ad196bcef7a6507f920d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar4FF5.tmp

Filesize
163KB

MD5
9441737383d21192400eca82fda910ec

SHA1
725e0d606a4fc9ba44aa8ffde65bed15e65367e4

SHA256
bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

SHA512
7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\H4ZVD2K2.txt

Filesize
94B

MD5
2de2ef32057776165a888c12c1e61f7e

SHA1
eeb5b6dcfb7e6610c7e784040b73c933bce94726

SHA256
2eab2dea005680acc6bc0992c8c590e8ac8b7b9c04ffe83cdfb217485c69e125

SHA512
3fe70321b260f18d3481988063f26542f16b6c4b5346f34395a9492949473060c2b9be9eeb6a36348bab6a83a77206e548807a026351c640c6602de468849380

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\QR164SMO.txt

Filesize
112B

MD5
277eab1d8234e18427c065bf8884977d

SHA1
0f551c63aa377ad99017a0950fe5e196ad968605

SHA256
11b93c829ee8a5ec1ad2746d4e08b16d01e5adde43104ef891666b938b62644f

SHA512
66d5b7aa9b6d7885ae49fb47acf2829d330f2d95f8da032f4c038d729d4152c1904849a2e3c9e5a4b926a380c223db7896801351897d47a3dc28d01bbea32c7b

Download Submit
C:\Windows\SysWOW64\Remote Data.exe

Filesize
43KB

MD5
51138beea3e2c21ec44d0932c71762a8

SHA1
8939cf35447b22dd2c6e6f443446acc1bf986d58

SHA256
5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124

SHA512
794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d

Download Submit
C:\Windows\SysWOW64\Remote Data.exe

Filesize
43KB

MD5
51138beea3e2c21ec44d0932c71762a8

SHA1
8939cf35447b22dd2c6e6f443446acc1bf986d58

SHA256
5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124

SHA512
794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d

Download Submit
C:\Windows\SysWOW64\TXPlatfor.exe

Filesize
377KB

MD5
4a36a48e58829c22381572b2040b6fe0

SHA1
f09d30e44ff7e3f20a5de307720f3ad148c6143b

SHA256
3de6c02f52a661b8f934f59541d0cf297bb489eb2155e346b63c7338e09aeaf8

SHA512
5d0ea398792f6b9eb3f188813c50b7f43929183b5733d2b595b2fd1c78722764fd15f62db1086b5c7edfb157661a6dcd544ddd80907ee7699dddbca1ef4022d0

Download Submit
C:\Windows\SysWOW64\TXPlatfor.exe

Filesize
377KB

MD5
4a36a48e58829c22381572b2040b6fe0

SHA1
f09d30e44ff7e3f20a5de307720f3ad148c6143b

SHA256
3de6c02f52a661b8f934f59541d0cf297bb489eb2155e346b63c7338e09aeaf8

SHA512
5d0ea398792f6b9eb3f188813c50b7f43929183b5733d2b595b2fd1c78722764fd15f62db1086b5c7edfb157661a6dcd544ddd80907ee7699dddbca1ef4022d0

Download Submit
C:\Windows\SysWOW64\TXPlatfor.exe

Filesize
377KB

MD5
4a36a48e58829c22381572b2040b6fe0

SHA1
f09d30e44ff7e3f20a5de307720f3ad148c6143b

SHA256
3de6c02f52a661b8f934f59541d0cf297bb489eb2155e346b63c7338e09aeaf8

SHA512
5d0ea398792f6b9eb3f188813c50b7f43929183b5733d2b595b2fd1c78722764fd15f62db1086b5c7edfb157661a6dcd544ddd80907ee7699dddbca1ef4022d0

Download Submit
C:\Windows\SysWOW64\TXPlatfor.exe

Filesize
377KB

MD5
4a36a48e58829c22381572b2040b6fe0

SHA1
f09d30e44ff7e3f20a5de307720f3ad148c6143b

SHA256
3de6c02f52a661b8f934f59541d0cf297bb489eb2155e346b63c7338e09aeaf8

SHA512
5d0ea398792f6b9eb3f188813c50b7f43929183b5733d2b595b2fd1c78722764fd15f62db1086b5c7edfb157661a6dcd544ddd80907ee7699dddbca1ef4022d0

Download Submit
\??\c:\windows\SysWOW64\259408961.txt

Filesize
899KB

MD5
b1b4519563bd02e3c3ec86259cce229a

SHA1
631256dcbb8306993ee8ae845876887984870449

SHA256
9d9a1c7af67ad32b66a91a8824bed1291968c7321e6b85381f4087f0a3788dd1

SHA512
541c447ee11a4ed1c0ee930a5d969fb58317dbda73570c020fc510a26e710df93701360f3485731651735cf95bac05f9725c3c2f15d224d487f62f4a98222cde

Download Submit
\ProgramData\Synaptics\Synaptics.exe

Filesize
1.7MB

MD5
c9b5b505b52f8d15f569c94cfbf3e96d

SHA1
7998305c76e26fcf09fb3d23728c6314ba5106ae

SHA256
12239638f014ba4dd052d1115728a789b0f8d26b7cdc04f2da2a73daf2a5c651

SHA512
45154bcfaf2fb8506e81d26147ad08939485228fe168b953ba49fefa6df685adcb68f590550bd93a4c3a2e0d6afc2ea2162c37f22679efad4ad9d49cd1fedc88

Download Submit
\ProgramData\Synaptics\Synaptics.exe

Filesize
1.7MB

MD5
c9b5b505b52f8d15f569c94cfbf3e96d

SHA1
7998305c76e26fcf09fb3d23728c6314ba5106ae

SHA256
12239638f014ba4dd052d1115728a789b0f8d26b7cdc04f2da2a73daf2a5c651

SHA512
45154bcfaf2fb8506e81d26147ad08939485228fe168b953ba49fefa6df685adcb68f590550bd93a4c3a2e0d6afc2ea2162c37f22679efad4ad9d49cd1fedc88

Download Submit
\ProgramData\Synaptics\Synaptics.exe

Filesize
1.7MB

MD5
c9b5b505b52f8d15f569c94cfbf3e96d

SHA1
7998305c76e26fcf09fb3d23728c6314ba5106ae

SHA256
12239638f014ba4dd052d1115728a789b0f8d26b7cdc04f2da2a73daf2a5c651

SHA512
45154bcfaf2fb8506e81d26147ad08939485228fe168b953ba49fefa6df685adcb68f590550bd93a4c3a2e0d6afc2ea2162c37f22679efad4ad9d49cd1fedc88

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_HD_ad703f331424f586f1fa115208df9a9358eda25570716c933139869f98807e3d.exe

Filesize
970KB

MD5
edbab4ebc71910bb58af2b6b737b079e

SHA1
fed01a601a9dd7c26d23fdaaa7c7df5542de8cbf

SHA256
a4dc120c0b212f81534e8620e97491c34f38c4dabc7340b379c57ea602cbe777

SHA512
6fc3a76acf8be9450e37e51f45c130915bb64489d9ce95308b0386e0e05f5338b4f5d2846d543a2734973449ad30ed5fdda11fcb8fcde9ba2d038ae17c99afbc

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

Filesize
970KB

MD5
edbab4ebc71910bb58af2b6b737b079e

SHA1
fed01a601a9dd7c26d23fdaaa7c7df5542de8cbf

SHA256
a4dc120c0b212f81534e8620e97491c34f38c4dabc7340b379c57ea602cbe777

SHA512
6fc3a76acf8be9450e37e51f45c130915bb64489d9ce95308b0386e0e05f5338b4f5d2846d543a2734973449ad30ed5fdda11fcb8fcde9ba2d038ae17c99afbc

Download Submit
\Users\Admin\AppData\Local\Temp\HD_ad703f331424f586f1fa115208df9a9358eda25570716c933139869f98807e3d.exe

Filesize
1.7MB

MD5
c9b5b505b52f8d15f569c94cfbf3e96d

SHA1
7998305c76e26fcf09fb3d23728c6314ba5106ae

SHA256
12239638f014ba4dd052d1115728a789b0f8d26b7cdc04f2da2a73daf2a5c651

SHA512
45154bcfaf2fb8506e81d26147ad08939485228fe168b953ba49fefa6df685adcb68f590550bd93a4c3a2e0d6afc2ea2162c37f22679efad4ad9d49cd1fedc88

Download Submit
\Users\Admin\AppData\Local\Temp\HD_ad703f331424f586f1fa115208df9a9358eda25570716c933139869f98807e3d.exe

Filesize
1.7MB

MD5
c9b5b505b52f8d15f569c94cfbf3e96d

SHA1
7998305c76e26fcf09fb3d23728c6314ba5106ae

SHA256
12239638f014ba4dd052d1115728a789b0f8d26b7cdc04f2da2a73daf2a5c651

SHA512
45154bcfaf2fb8506e81d26147ad08939485228fe168b953ba49fefa6df685adcb68f590550bd93a4c3a2e0d6afc2ea2162c37f22679efad4ad9d49cd1fedc88

Download Submit
\Users\Admin\AppData\Local\Temp\HD_ad703f331424f586f1fa115208df9a9358eda25570716c933139869f98807e3d.exe

Filesize
1.7MB

MD5
c9b5b505b52f8d15f569c94cfbf3e96d

SHA1
7998305c76e26fcf09fb3d23728c6314ba5106ae

SHA256
12239638f014ba4dd052d1115728a789b0f8d26b7cdc04f2da2a73daf2a5c651

SHA512
45154bcfaf2fb8506e81d26147ad08939485228fe168b953ba49fefa6df685adcb68f590550bd93a4c3a2e0d6afc2ea2162c37f22679efad4ad9d49cd1fedc88

Download Submit
\Users\Admin\AppData\Local\Temp\N.exe

Filesize
377KB

MD5
4a36a48e58829c22381572b2040b6fe0

SHA1
f09d30e44ff7e3f20a5de307720f3ad148c6143b

SHA256
3de6c02f52a661b8f934f59541d0cf297bb489eb2155e346b63c7338e09aeaf8

SHA512
5d0ea398792f6b9eb3f188813c50b7f43929183b5733d2b595b2fd1c78722764fd15f62db1086b5c7edfb157661a6dcd544ddd80907ee7699dddbca1ef4022d0

Download Submit
\Users\Admin\AppData\Local\Temp\R.exe

Filesize
941KB

MD5
8dc3adf1c490211971c1e2325f1424d2

SHA1
4eec4a4e7cb97c5efa6c72e0731cd090c0c4adc5

SHA256
bc29f2022ab3b812e50c8681ff196f090c038b5ab51e37daffac4469a8c2eb2c

SHA512
ae92ea20b359849dcdba4808119b154e3af5ef3687ee09de1797610fe8c4d3eb9065b068074d35adddb4b225d17c619baff3944cb137ad196bcef7a6507f920d

Download Submit
\Windows\SysWOW64\259408961.txt

Filesize
899KB

MD5
b1b4519563bd02e3c3ec86259cce229a

SHA1
631256dcbb8306993ee8ae845876887984870449

SHA256
9d9a1c7af67ad32b66a91a8824bed1291968c7321e6b85381f4087f0a3788dd1

SHA512
541c447ee11a4ed1c0ee930a5d969fb58317dbda73570c020fc510a26e710df93701360f3485731651735cf95bac05f9725c3c2f15d224d487f62f4a98222cde

Download Submit
\Windows\SysWOW64\259408961.txt

Filesize
899KB

MD5
b1b4519563bd02e3c3ec86259cce229a

SHA1
631256dcbb8306993ee8ae845876887984870449

SHA256
9d9a1c7af67ad32b66a91a8824bed1291968c7321e6b85381f4087f0a3788dd1

SHA512
541c447ee11a4ed1c0ee930a5d969fb58317dbda73570c020fc510a26e710df93701360f3485731651735cf95bac05f9725c3c2f15d224d487f62f4a98222cde

Download Submit
\Windows\SysWOW64\259408961.txt

Filesize
899KB

MD5
b1b4519563bd02e3c3ec86259cce229a

SHA1
631256dcbb8306993ee8ae845876887984870449

SHA256
9d9a1c7af67ad32b66a91a8824bed1291968c7321e6b85381f4087f0a3788dd1

SHA512
541c447ee11a4ed1c0ee930a5d969fb58317dbda73570c020fc510a26e710df93701360f3485731651735cf95bac05f9725c3c2f15d224d487f62f4a98222cde

Download Submit
\Windows\SysWOW64\Remote Data.exe

Filesize
43KB

MD5
51138beea3e2c21ec44d0932c71762a8

SHA1
8939cf35447b22dd2c6e6f443446acc1bf986d58

SHA256
5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124

SHA512
794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d

Download Submit
\Windows\SysWOW64\TXPlatfor.exe

Filesize
377KB

MD5
4a36a48e58829c22381572b2040b6fe0

SHA1
f09d30e44ff7e3f20a5de307720f3ad148c6143b

SHA256
3de6c02f52a661b8f934f59541d0cf297bb489eb2155e346b63c7338e09aeaf8

SHA512
5d0ea398792f6b9eb3f188813c50b7f43929183b5733d2b595b2fd1c78722764fd15f62db1086b5c7edfb157661a6dcd544ddd80907ee7699dddbca1ef4022d0

Download Submit
memory/1860-84-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1860-239-0x0000000000400000-0x00000000005B5000-memory.dmp

Filesize
1.7MB

Download
memory/1860-208-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1860-207-0x0000000000400000-0x00000000005B5000-memory.dmp

Filesize
1.7MB

Download
memory/1860-205-0x0000000000400000-0x00000000005B5000-memory.dmp

Filesize
1.7MB

Download
memory/1928-51-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/1928-41-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/1928-57-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2612-40-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2904-52-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download
memory/2904-83-0x0000000000400000-0x00000000005B5000-memory.dmp

Filesize
1.7MB

Download
memory/2912-21-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2912-30-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2912-20-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2912-18-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/3048-209-0x000000007070D000-0x0000000070718000-memory.dmp

Filesize
44KB

Download
memory/3048-112-0x000000007070D000-0x0000000070718000-memory.dmp

Filesize
44KB

Download
memory/3048-111-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download