Malware Analysis Report

2025-04-13 21:02

Sample ID: 250102-rt2mbavnhy
Target: fix_device_gameloop.rar
SHA256: d51776621cd1ac69169b594b2bc892ca4d9c6040bb6aadd62207285e51cc79b9
Tags: discovery xred backdoor persistence
Score: 10/10

Analysis Overview

Score: 10/10

SHA256: d51776621cd1ac69169b594b2bc892ca4d9c6040bb6aadd62207285e51cc79b9

Threat Level: Known bad

The file fix_device_gameloop.rar was found to be: Known bad.

Malicious Activity Summary

discovery xred backdoor persistence

Xred

Xred family

Checks computer location settings

Executes dropped EXE

Adds Run key to start application

AutoIT Executable

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Suspicious behavior: AddClipboardFormatListener

Suspicious use of SetWindowsHookEx

Modifies registry class

Enumerates system info in registry

Checks processor information in registry

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2025-01-02 14:29

Signatures

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2025-01-02 14:29
Reported: 2025-01-02 14:30
Platform: win10v2004-20241007-en
Max time kernel: 24s
Max time network: 25s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fix_device_gameloop\._cache_fix_device.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\svchost.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fix_device_gameloop\._cache_fix_device.exe | N/A
N/A | N/A | C:\Windows\svchost.exe | N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe | C:\Windows\svchost.exe | N/A
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe | C:\Windows\svchost.exe | N/A
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe | C:\Windows\svchost.exe | N/A
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe | C:\Windows\svchost.exe | N/A
File opened for modification | C:\Program Files\7-Zip\7z.exe | C:\Windows\svchost.exe | N/A
File opened for modification | C:\Program Files\7-Zip\7zFM.exe | C:\Windows\svchost.exe | N/A
File opened for modification | C:\Program Files\7-Zip\7zG.exe | C:\Windows\svchost.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Uninstall.exe | C:\Windows\svchost.exe | N/A
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe | C:\Windows\svchost.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\svchost.exe | C:\Users\Admin\AppData\Local\Temp\fix_device_gameloop\._cache_fix_device.exe | N/A

System Location Discovery: System Language Discovery

Tags: discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\fix_device_gameloop\._cache_fix_device.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\fix_device_gameloop\._cache_fix_device.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\svchost.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\fix_device_gameloop\._cache_fix_device.exe

"C:\Users\Admin\AppData\Local\Temp\fix_device_gameloop\._cache_fix_device.exe"

C:\Windows\svchost.exe

"C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\fix_device_gameloop\._cache_fix_device.exe"

C:\Users\Admin\AppData\Local\Temp\fix_device_gameloop\._cache_fix_device.exe

"C:\Users\Admin\AppData\Local\Temp\fix_device_gameloop\._cache_fix_device.exe"

C:\Windows\svchost.exe

C:\Windows\svchost.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp
US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp

Files

memory/960-3-0x0000000000400000-0x0000000000415000-memory.dmp

C:\Windows\svchost.exe

MD5 9e3c13b6556d5636b745d3e466d47467
SHA1 2ac1c19e268c49bc508f83fe3d20f495deb3e538
SHA256 20af03add533a6870d524a7c4753b42bfceb56cddd46016c051e23581ba743f8
SHA512 5a07ba8a7fcb15f64b129fada2621252b8bc37eb34d4f614c075c064f8ac0d367301eba0c32c5e28b8aa633f6ab604f0dfcc363b34734ce0207ef0d4e8817c4b

C:\Users\Admin\AppData\Local\Temp\fix_device_gameloop\._cache_fix_device.exe

MD5 bb6313c9386fec91dee75c4782b43687
SHA1 3793824aa931adefaad27d29e8e17886966e6ba6
SHA256 33c85146a06edc2d7bbe77e277e88a27a3ea9109a7bd14025bf30d66937f6a26
SHA512 2c87791c0ecc922c947b4337ea1ff56145e40e8fd5d20352518249d3725e9838d35f8bbd5b13252ec11eb06847abe9ae800cb8988ad486cd83976e09e9e5c0e5

memory/1672-9-0x0000000000AB0000-0x0000000000B8E000-memory.dmp

memory/3392-11-0x0000000000400000-0x000000000040D000-memory.dmp

memory/1672-15-0x0000000000AB0000-0x0000000000B8E000-memory.dmp

memory/1284-16-0x0000000000400000-0x000000000040D000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2025-01-02 14:29
Reported: 2025-01-02 14:30
Platform: win10v2004-20241007-en
Max time kernel: 16s
Max time network: 17s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fix_device_gameloop\fix_device.exe"

Signatures

Xred

Tags: backdoor xred

Xred family

Tags: xred

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\fix_device_gameloop\fix_device.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\ProgramData\Synaptics\Synaptics.exe | N/A

Adds Run key to start application

Tags: persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" | C:\Users\Admin\AppData\Local\Temp\fix_device_gameloop\fix_device.exe | N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\Program Files\7-Zip\7z.exe | C:\Windows\svchost.exe | N/A
File opened for modification | C:\Program Files\7-Zip\7zG.exe | C:\Windows\svchost.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Uninstall.exe | C:\Windows\svchost.exe | N/A
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe | C:\Windows\svchost.exe | N/A
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe | C:\Windows\svchost.exe | N/A
File opened for modification | C:\Program Files\7-Zip\7zFM.exe | C:\Windows\svchost.exe | N/A
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe | C:\Windows\svchost.exe | N/A
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe | C:\Windows\svchost.exe | N/A
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe | C:\Windows\svchost.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\svchost.exe | C:\Users\Admin\AppData\Local\Temp\fix_device_gameloop\._cache_Synaptics.exe | N/A
File created | C:\Windows\svchost.exe | C:\Users\Admin\AppData\Local\Temp\fix_device_gameloop\fix_device.exe | N/A
File created | C:\Windows\svchost.exe | C:\Users\Admin\AppData\Local\Temp\fix_device_gameloop\._cache_fix_device.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Tags: discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\Synaptics\Synaptics.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\svchost.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\fix_device_gameloop\._cache_Synaptics.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\fix_device_gameloop\fix_device.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\fix_device_gameloop\._cache_fix_device.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\fix_device_gameloop\._cache_fix_device.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\svchost.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\fix_device_gameloop\._cache_Synaptics.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\fix_device_gameloop\fix_device.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\svchost.exe | N/A

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Users\Admin\AppData\Local\Temp\fix_device_gameloop\fix_device.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\ProgramData\Synaptics\Synaptics.exe | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2280 wrote to memory of 2524 | N/A | C:\Users\Admin\AppData\Local\Temp\fix_device_gameloop\fix_device.exe | C:\Windows\svchost.exe
PID 2280 wrote to memory of 2524 | N/A | C:\Users\Admin\AppData\Local\Temp\fix_device_gameloop\fix_device.exe | C:\Windows\svchost.exe
PID 2280 wrote to memory of 2524 | N/A | C:\Users\Admin\AppData\Local\Temp\fix_device_gameloop\fix_device.exe | C:\Windows\svchost.exe
PID 2524 wrote to memory of 876 | N/A | C:\Windows\svchost.exe | C:\Users\Admin\AppData\Local\Temp\fix_device_gameloop\fix_device.exe
PID 2524 wrote to memory of 876 | N/A | C:\Windows\svchost.exe | C:\Users\Admin\AppData\Local\Temp\fix_device_gameloop\fix_device.exe
PID 2524 wrote to memory of 876 | N/A | C:\Windows\svchost.exe | C:\Users\Admin\AppData\Local\Temp\fix_device_gameloop\fix_device.exe
PID 876 wrote to memory of 3308 | N/A | C:\Users\Admin\AppData\Local\Temp\fix_device_gameloop\fix_device.exe | C:\Users\Admin\AppData\Local\Temp\fix_device_gameloop\._cache_fix_device.exe
PID 876 wrote to memory of 3308 | N/A | C:\Users\Admin\AppData\Local\Temp\fix_device_gameloop\fix_device.exe | C:\Users\Admin\AppData\Local\Temp\fix_device_gameloop\._cache_fix_device.exe
PID 876 wrote to memory of 3308 | N/A | C:\Users\Admin\AppData\Local\Temp\fix_device_gameloop\fix_device.exe | C:\Users\Admin\AppData\Local\Temp\fix_device_gameloop\._cache_fix_device.exe
PID 3308 wrote to memory of 3728 | N/A | C:\Users\Admin\AppData\Local\Temp\fix_device_gameloop\._cache_fix_device.exe | C:\Windows\svchost.exe
PID 3308 wrote to memory of 3728 | N/A | C:\Users\Admin\AppData\Local\Temp\fix_device_gameloop\._cache_fix_device.exe | C:\Windows\svchost.exe
PID 3308 wrote to memory of 3728 | N/A | C:\Users\Admin\AppData\Local\Temp\fix_device_gameloop\._cache_fix_device.exe | C:\Windows\svchost.exe
PID 3728 wrote to memory of 4816 | N/A | C:\Windows\svchost.exe | C:\Users\Admin\AppData\Local\Temp\fix_device_gameloop\._cache_fix_device.exe
PID 3728 wrote to memory of 4816 | N/A | C:\Windows\svchost.exe | C:\Users\Admin\AppData\Local\Temp\fix_device_gameloop\._cache_fix_device.exe
PID 3728 wrote to memory of 4816 | N/A | C:\Windows\svchost.exe | C:\Users\Admin\AppData\Local\Temp\fix_device_gameloop\._cache_fix_device.exe
PID 876 wrote to memory of 2948 | N/A | C:\Users\Admin\AppData\Local\Temp\fix_device_gameloop\fix_device.exe | C:\ProgramData\Synaptics\Synaptics.exe
PID 876 wrote to memory of 2948 | N/A | C:\Users\Admin\AppData\Local\Temp\fix_device_gameloop\fix_device.exe | C:\ProgramData\Synaptics\Synaptics.exe
PID 876 wrote to memory of 2948 | N/A | C:\Users\Admin\AppData\Local\Temp\fix_device_gameloop\fix_device.exe | C:\ProgramData\Synaptics\Synaptics.exe
PID 2948 wrote to memory of 3792 | N/A | C:\ProgramData\Synaptics\Synaptics.exe | C:\Users\Admin\AppData\Local\Temp\fix_device_gameloop\._cache_Synaptics.exe
PID 2948 wrote to memory of 3792 | N/A | C:\ProgramData\Synaptics\Synaptics.exe | C:\Users\Admin\AppData\Local\Temp\fix_device_gameloop\._cache_Synaptics.exe
PID 2948 wrote to memory of 3792 | N/A | C:\ProgramData\Synaptics\Synaptics.exe | C:\Users\Admin\AppData\Local\Temp\fix_device_gameloop\._cache_Synaptics.exe
PID 3792 wrote to memory of 4596 | N/A | C:\Users\Admin\AppData\Local\Temp\fix_device_gameloop\._cache_Synaptics.exe | C:\Windows\svchost.exe
PID 3792 wrote to memory of 4596 | N/A | C:\Users\Admin\AppData\Local\Temp\fix_device_gameloop\._cache_Synaptics.exe | C:\Windows\svchost.exe
PID 3792 wrote to memory of 4596 | N/A | C:\Users\Admin\AppData\Local\Temp\fix_device_gameloop\._cache_Synaptics.exe | C:\Windows\svchost.exe
PID 4596 wrote to memory of 2464 | N/A | C:\Windows\svchost.exe | C:\Users\Admin\AppData\Local\Temp\fix_device_gameloop\._cache_Synaptics.exe
PID 4596 wrote to memory of 2464 | N/A | C:\Windows\svchost.exe | C:\Users\Admin\AppData\Local\Temp\fix_device_gameloop\._cache_Synaptics.exe
PID 4596 wrote to memory of 2464 | N/A | C:\Windows\svchost.exe | C:\Users\Admin\AppData\Local\Temp\fix_device_gameloop\._cache_Synaptics.exe

Processes

C:\Users\Admin\AppData\Local\Temp\fix_device_gameloop\fix_device.exe

"C:\Users\Admin\AppData\Local\Temp\fix_device_gameloop\fix_device.exe"

C:\Windows\svchost.exe

"C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\fix_device_gameloop\fix_device.exe"

C:\Users\Admin\AppData\Local\Temp\fix_device_gameloop\fix_device.exe

"C:\Users\Admin\AppData\Local\Temp\fix_device_gameloop\fix_device.exe"

C:\Windows\svchost.exe

C:\Windows\svchost.exe

C:\Users\Admin\AppData\Local\Temp\fix_device_gameloop\._cache_fix_device.exe

"C:\Users\Admin\AppData\Local\Temp\fix_device_gameloop\._cache_fix_device.exe"

C:\Windows\svchost.exe

"C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\fix_device_gameloop\._cache_fix_device.exe"

C:\Users\Admin\AppData\Local\Temp\fix_device_gameloop\._cache_fix_device.exe

"C:\Users\Admin\AppData\Local\Temp\fix_device_gameloop\._cache_fix_device.exe"

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Users\Admin\AppData\Local\Temp\fix_device_gameloop\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\fix_device_gameloop\._cache_Synaptics.exe" InjUpdate

C:\Windows\svchost.exe

"C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\fix_device_gameloop\._cache_Synaptics.exe" InjUpdate

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding

C:\Users\Admin\AppData\Local\Temp\fix_device_gameloop\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\fix_device_gameloop\._cache_Synaptics.exe" InjUpdate

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 97.32.109.52.in-addr.arpa | udp
US | 8.8.8.8:53 | xred.mooo.com | udp
US | 8.8.8.8:53 | freedns.afraid.org | udp
US | 69.42.215.252:80 | freedns.afraid.org | tcp
N/A | 224.0.0.251:5353 |  | udp
US | 8.8.8.8:53 | 252.215.42.69.in-addr.arpa | udp
US | 8.8.8.8:53 | 27.173.189.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp

Files

C:\Windows\svchost.exe

MD5 9e3c13b6556d5636b745d3e466d47467
SHA1 2ac1c19e268c49bc508f83fe3d20f495deb3e538
SHA256 20af03add533a6870d524a7c4753b42bfceb56cddd46016c051e23581ba743f8
SHA512 5a07ba8a7fcb15f64b129fada2621252b8bc37eb34d4f614c075c064f8ac0d367301eba0c32c5e28b8aa633f6ab604f0dfcc363b34734ce0207ef0d4e8817c4b

memory/2280-3-0x0000000000400000-0x00000000004FF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fix_device_gameloop\fix_device.exe

MD5 1bae18d3be9196a6c913827bc72f5cb5
SHA1 06123ee722eac2184bab0e0236a229d6bd0a935c
SHA256 a86d51a4c4ca79adae8ac8540d8ee7be96b8c0259c61d933ba88657fa6342f74
SHA512 39fc5f6714b1c29a876aeb34173a39a36920366e28f372f3a4a5fc40d7ef2569002f7e5ca0bcc675f11b6f1c80c0ef1f1a2acff76eb20f99b3257293d099fcc3

memory/2524-10-0x0000000000400000-0x000000000040D000-memory.dmp

memory/876-13-0x00000000006D0000-0x00000000006D1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fix_device_gameloop\._cache_fix_device.exe

MD5 1f85b6ae7834b3f8c9e4b234c7e6264c
SHA1 159742f5cca121b659bac208609dcac9e34a8a64
SHA256 f131ccf12dd54d7cb7e17913d0d13c9f3c5adfb69f978387df328a88cfbf4473
SHA512 d8bba178e8f97268c5a2ebb0fdb473c090e9cdaffe83e00bbd0311203e5e7d6eab2ac4b94c2eb6792108d5a67fbc4960f58ebd35098cfa75542e0c15cb65808c

memory/3308-18-0x0000000000400000-0x0000000000415000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fix_device_gameloop\._cache_fix_device.exe

MD5 bb6313c9386fec91dee75c4782b43687
SHA1 3793824aa931adefaad27d29e8e17886966e6ba6
SHA256 33c85146a06edc2d7bbe77e277e88a27a3ea9109a7bd14025bf30d66937f6a26
SHA512 2c87791c0ecc922c947b4337ea1ff56145e40e8fd5d20352518249d3725e9838d35f8bbd5b13252ec11eb06847abe9ae800cb8988ad486cd83976e09e9e5c0e5

memory/3728-30-0x0000000000400000-0x000000000040D000-memory.dmp

memory/4816-32-0x0000000000110000-0x00000000001EE000-memory.dmp

memory/876-92-0x0000000000400000-0x00000000005A3000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fix_device_gameloop\._cache_Synaptics.exe

MD5 8b07d76ec57ec6318ba2b11184d4660b
SHA1 dd19f8115c74474280e0a111e4aed880589c4a9e
SHA256 db9d357b2ec908814f357d54bd0657d22d43d82f5b76de43201f99b68e2bc5b2
SHA512 25c317f85407274a3aaa4d3b218df9dae672943f95f5166c463105b7aafa1554c65772c71718a9306b34d940055ea1fdfb58f4eecc25a65f2ae1c340eae8c2d9

memory/3792-153-0x0000000000400000-0x0000000000415000-memory.dmp

memory/2464-160-0x0000000000D90000-0x0000000000E6E000-memory.dmp

memory/4596-159-0x0000000000400000-0x000000000040D000-memory.dmp

memory/3408-162-0x00007FF846470000-0x00007FF846480000-memory.dmp

memory/3408-164-0x00007FF846470000-0x00007FF846480000-memory.dmp

memory/3408-163-0x00007FF846470000-0x00007FF846480000-memory.dmp

memory/3408-165-0x00007FF846470000-0x00007FF846480000-memory.dmp

memory/3408-166-0x00007FF846470000-0x00007FF846480000-memory.dmp

memory/3408-167-0x00007FF844410000-0x00007FF844420000-memory.dmp

memory/3408-168-0x00007FF844410000-0x00007FF844420000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Ps4f3t2T.xlsm

MD5 e566fc53051035e1e6fd0ed1823de0f9
SHA1 00bc96c48b98676ecd67e81a6f1d7754e4156044
SHA256 8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15
SHA512 a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

C:\Users\Admin\AppData\Local\Temp\71875E00

MD5 d8969d429ef66a9b9d74c3f0bd6ca651
SHA1 58333025f22c605a841a34f51fb65344ac5aa560
SHA256 53734dab884d820313ea86c5731ecf9bdfec5c7f20649baf51829c797b2aa25d
SHA512 6c8d56948c66e4c9a93bd2611ee2d42f153a60645d57529a2c4e4f8ed6b8ef7f6540359786d3cb373bc9a4b9267f2834e2789ae322dab8b29b1fa26e54cc49a2

memory/2464-217-0x0000000000D90000-0x0000000000E6E000-memory.dmp

memory/784-218-0x0000000000400000-0x000000000040D000-memory.dmp

memory/4816-219-0x0000000000110000-0x00000000001EE000-memory.dmp

memory/2948-220-0x0000000000400000-0x00000000005A3000-memory.dmp

memory/4816-221-0x0000000000110000-0x00000000001EE000-memory.dmp