xred | 8443e8e36ecb3de50c0da24617eed2b73bc16c9979af18e4f054b408ff44778d

Analysis

max time kernel
114s
max time network
103s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
17-11-2024 21:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8443e8e36ecb3de50c0da24617eed2b73bc16c9979af18e4f054b408ff44778dN.exe
Size

2.7MB
MD5

64ef0e8e77e87aceae7bfc101aa74730
SHA1

fc6f1c046f57823f70f5a3776fd0fc44d0aff809
SHA256

8443e8e36ecb3de50c0da24617eed2b73bc16c9979af18e4f054b408ff44778d
SHA512

c6bcb9d03f1b52699a28eca63d8fe27d460c2cf7ad3a690b4d4cc25b91fb236f42aaa403b09ee04f0269064e9f3e5b6ce4341bb875c776ad35f713ac44c3f4e3
SSDEEP

49152:0nsHyjtk2MYC5GD09D9vdaaGtXKEY9f5NsJwY03vMNOm:0nsmtk2aZD91aaXL4wY03kIm

Score

10^/10

xred backdoor discovery persistence

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Executes dropped EXE 6 IoCs

pid	Process
3008	._cache_8443e8e36ecb3de50c0da24617eed2b73bc16c9979af18e4f054b408ff44778dN.exe
2960	._cache_8443e8e36ecb3de50c0da24617eed2b73bc16c9979af18e4f054b408ff44778dN.tmp
2784	Synaptics.exe
1564	._cache_Synaptics.exe
2688	._cache_Synaptics.tmp
1768	WBH-Diag.exe

Loads dropped DLL 18 IoCs

pid	Process
2448	8443e8e36ecb3de50c0da24617eed2b73bc16c9979af18e4f054b408ff44778dN.exe
3008	._cache_8443e8e36ecb3de50c0da24617eed2b73bc16c9979af18e4f054b408ff44778dN.exe
2448	8443e8e36ecb3de50c0da24617eed2b73bc16c9979af18e4f054b408ff44778dN.exe
2448	8443e8e36ecb3de50c0da24617eed2b73bc16c9979af18e4f054b408ff44778dN.exe
2784	Synaptics.exe
2784	Synaptics.exe
1564	._cache_Synaptics.exe
2688	._cache_Synaptics.tmp
2688	._cache_Synaptics.tmp
2960	._cache_8443e8e36ecb3de50c0da24617eed2b73bc16c9979af18e4f054b408ff44778dN.tmp
2960	._cache_8443e8e36ecb3de50c0da24617eed2b73bc16c9979af18e4f054b408ff44778dN.tmp
2688	._cache_Synaptics.tmp
1768	WBH-Diag.exe
1768	WBH-Diag.exe
1768	WBH-Diag.exe
1768	WBH-Diag.exe
1768	WBH-Diag.exe
1768	WBH-Diag.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	8443e8e36ecb3de50c0da24617eed2b73bc16c9979af18e4f054b408ff44778dN.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 35 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\wbh-diag\unins000.dat	._cache_Synaptics.tmp
File created	C:\Program Files (x86)\wbh-diag\is-VGG0E.tmp	._cache_Synaptics.tmp
File created	C:\Program Files (x86)\wbh-diag\is-BSV9N.tmp	._cache_Synaptics.tmp
File opened for modification	C:\Program Files (x86)\wbh-diag\Microsoft.VisualBasic.PowerPacks.dll	._cache_Synaptics.tmp
File created	C:\Program Files (x86)\wbh-diag\is-62FJ4.tmp	._cache_Synaptics.tmp
File created	C:\Program Files (x86)\wbh-diag\labelfiles_de\is-OB8S6.tmp	._cache_Synaptics.tmp
File created	C:\Program Files (x86)\wbh-diag\labelfiles_de\is-02Q8A.tmp	._cache_Synaptics.tmp
File created	C:\Program Files (x86)\wbh-diag\labelfiles_de\is-K9TLR.tmp	._cache_Synaptics.tmp
File opened for modification	C:\Program Files (x86)\wbh-diag\MySql.Data.dll	._cache_8443e8e36ecb3de50c0da24617eed2b73bc16c9979af18e4f054b408ff44778dN.tmp
File created	C:\Program Files (x86)\wbh-diag\is-8TN53.tmp	._cache_Synaptics.tmp
File created	C:\Program Files (x86)\wbh-diag\is-927D4.tmp	._cache_Synaptics.tmp
File created	C:\Program Files (x86)\wbh-diag\labelfiles_de\is-NS5AJ.tmp	._cache_Synaptics.tmp
File created	C:\Program Files (x86)\wbh-diag\labelfiles_de\is-SPT3M.tmp	._cache_Synaptics.tmp
File opened for modification	C:\Program Files (x86)\wbh-diag\Microsoft.VisualBasic.PowerPacks.dll	._cache_8443e8e36ecb3de50c0da24617eed2b73bc16c9979af18e4f054b408ff44778dN.tmp
File opened for modification	C:\Program Files (x86)\wbh-diag\WBH-Diag.exe	._cache_Synaptics.tmp
File opened for modification	C:\Program Files (x86)\wbh-diag\WBH-Diag.vshost.exe	._cache_Synaptics.tmp
File opened for modification	C:\Program Files (x86)\wbh-diag\WBH-Diag.vshost.exe	._cache_8443e8e36ecb3de50c0da24617eed2b73bc16c9979af18e4f054b408ff44778dN.tmp
File created	C:\Program Files (x86)\wbh-diag\is-DP67H.tmp	._cache_Synaptics.tmp
File created	C:\Program Files (x86)\wbh-diag\labelfiles_de\is-2LODB.tmp	._cache_Synaptics.tmp
File opened for modification	C:\Program Files (x86)\wbh-diag\MySql.Data.dll	._cache_Synaptics.tmp
File created	C:\Program Files (x86)\wbh-diag\is-MOM2K.tmp	._cache_Synaptics.tmp
File created	C:\Program Files (x86)\wbh-diag\is-QKP0L.tmp	._cache_Synaptics.tmp
File created	C:\Program Files (x86)\wbh-diag\is-D5I50.tmp	._cache_Synaptics.tmp
File created	C:\Program Files (x86)\wbh-diag\labelfiles_de\is-B47QB.tmp	._cache_Synaptics.tmp
File created	C:\Program Files (x86)\wbh-diag\is-H2VV5.tmp	._cache_Synaptics.tmp
File created	C:\Program Files (x86)\wbh-diag\labelfiles_de\is-K5N5J.tmp	._cache_Synaptics.tmp
File created	C:\Program Files (x86)\wbh-diag\labelfiles_de\is-JO1CE.tmp	._cache_Synaptics.tmp
File created	C:\Program Files (x86)\wbh-diag\labelfiles_de\is-LLG4V.tmp	._cache_Synaptics.tmp
File opened for modification	C:\Program Files (x86)\wbh-diag\WBH-Diag.exe	._cache_8443e8e36ecb3de50c0da24617eed2b73bc16c9979af18e4f054b408ff44778dN.tmp
File created	C:\Program Files (x86)\wbh-diag\is-VB0NQ.tmp	._cache_Synaptics.tmp
File created	C:\Program Files (x86)\wbh-diag\is-A7RL2.tmp	._cache_Synaptics.tmp
File created	C:\Program Files (x86)\wbh-diag\is-E9V4G.tmp	._cache_Synaptics.tmp
File created	C:\Program Files (x86)\wbh-diag\is-FVFCJ.tmp	._cache_Synaptics.tmp
File created	C:\Program Files (x86)\wbh-diag\labelfiles_de\is-NS9J5.tmp	._cache_Synaptics.tmp
File opened for modification	C:\Program Files (x86)\wbh-diag\unins000.dat	._cache_Synaptics.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WBH-Diag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8443e8e36ecb3de50c0da24617eed2b73bc16c9979af18e4f054b408ff44778dN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_8443e8e36ecb3de50c0da24617eed2b73bc16c9979af18e4f054b408ff44778dN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_8443e8e36ecb3de50c0da24617eed2b73bc16c9979af18e4f054b408ff44778dN.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1852	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2688	._cache_Synaptics.tmp
2688	._cache_Synaptics.tmp
2960	._cache_8443e8e36ecb3de50c0da24617eed2b73bc16c9979af18e4f054b408ff44778dN.tmp
2960	._cache_8443e8e36ecb3de50c0da24617eed2b73bc16c9979af18e4f054b408ff44778dN.tmp

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2688	._cache_Synaptics.tmp

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1768	WBH-Diag.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2960	._cache_8443e8e36ecb3de50c0da24617eed2b73bc16c9979af18e4f054b408ff44778dN.tmp
2688	._cache_Synaptics.tmp

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1852	EXCEL.EXE

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 2448 wrote to memory of 3008	2448	8443e8e36ecb3de50c0da24617eed2b73bc16c9979af18e4f054b408ff44778dN.exe	30
PID 2448 wrote to memory of 3008	2448	8443e8e36ecb3de50c0da24617eed2b73bc16c9979af18e4f054b408ff44778dN.exe	30
PID 2448 wrote to memory of 3008	2448	8443e8e36ecb3de50c0da24617eed2b73bc16c9979af18e4f054b408ff44778dN.exe	30
PID 2448 wrote to memory of 3008	2448	8443e8e36ecb3de50c0da24617eed2b73bc16c9979af18e4f054b408ff44778dN.exe	30
PID 2448 wrote to memory of 3008	2448	8443e8e36ecb3de50c0da24617eed2b73bc16c9979af18e4f054b408ff44778dN.exe	30
PID 2448 wrote to memory of 3008	2448	8443e8e36ecb3de50c0da24617eed2b73bc16c9979af18e4f054b408ff44778dN.exe	30
PID 2448 wrote to memory of 3008	2448	8443e8e36ecb3de50c0da24617eed2b73bc16c9979af18e4f054b408ff44778dN.exe	30
PID 3008 wrote to memory of 2960	3008	._cache_8443e8e36ecb3de50c0da24617eed2b73bc16c9979af18e4f054b408ff44778dN.exe	31
PID 3008 wrote to memory of 2960	3008	._cache_8443e8e36ecb3de50c0da24617eed2b73bc16c9979af18e4f054b408ff44778dN.exe	31
PID 3008 wrote to memory of 2960	3008	._cache_8443e8e36ecb3de50c0da24617eed2b73bc16c9979af18e4f054b408ff44778dN.exe	31
PID 3008 wrote to memory of 2960	3008	._cache_8443e8e36ecb3de50c0da24617eed2b73bc16c9979af18e4f054b408ff44778dN.exe	31
PID 3008 wrote to memory of 2960	3008	._cache_8443e8e36ecb3de50c0da24617eed2b73bc16c9979af18e4f054b408ff44778dN.exe	31
PID 3008 wrote to memory of 2960	3008	._cache_8443e8e36ecb3de50c0da24617eed2b73bc16c9979af18e4f054b408ff44778dN.exe	31
PID 3008 wrote to memory of 2960	3008	._cache_8443e8e36ecb3de50c0da24617eed2b73bc16c9979af18e4f054b408ff44778dN.exe	31
PID 2448 wrote to memory of 2784	2448	8443e8e36ecb3de50c0da24617eed2b73bc16c9979af18e4f054b408ff44778dN.exe	32
PID 2448 wrote to memory of 2784	2448	8443e8e36ecb3de50c0da24617eed2b73bc16c9979af18e4f054b408ff44778dN.exe	32
PID 2448 wrote to memory of 2784	2448	8443e8e36ecb3de50c0da24617eed2b73bc16c9979af18e4f054b408ff44778dN.exe	32
PID 2448 wrote to memory of 2784	2448	8443e8e36ecb3de50c0da24617eed2b73bc16c9979af18e4f054b408ff44778dN.exe	32
PID 2784 wrote to memory of 1564	2784	Synaptics.exe	33
PID 2784 wrote to memory of 1564	2784	Synaptics.exe	33
PID 2784 wrote to memory of 1564	2784	Synaptics.exe	33
PID 2784 wrote to memory of 1564	2784	Synaptics.exe	33
PID 2784 wrote to memory of 1564	2784	Synaptics.exe	33
PID 2784 wrote to memory of 1564	2784	Synaptics.exe	33
PID 2784 wrote to memory of 1564	2784	Synaptics.exe	33
PID 1564 wrote to memory of 2688	1564	._cache_Synaptics.exe	35
PID 1564 wrote to memory of 2688	1564	._cache_Synaptics.exe	35
PID 1564 wrote to memory of 2688	1564	._cache_Synaptics.exe	35
PID 1564 wrote to memory of 2688	1564	._cache_Synaptics.exe	35
PID 1564 wrote to memory of 2688	1564	._cache_Synaptics.exe	35
PID 1564 wrote to memory of 2688	1564	._cache_Synaptics.exe	35
PID 1564 wrote to memory of 2688	1564	._cache_Synaptics.exe	35
PID 2688 wrote to memory of 1768	2688	._cache_Synaptics.tmp	37
PID 2688 wrote to memory of 1768	2688	._cache_Synaptics.tmp	37
PID 2688 wrote to memory of 1768	2688	._cache_Synaptics.tmp	37
PID 2688 wrote to memory of 1768	2688	._cache_Synaptics.tmp	37
PID 2688 wrote to memory of 1768	2688	._cache_Synaptics.tmp	37
PID 2688 wrote to memory of 1768	2688	._cache_Synaptics.tmp	37

C:\Users\Admin\AppData\Local\Temp\8443e8e36ecb3de50c0da24617eed2b73bc16c9979af18e4f054b408ff44778dN.exe
"C:\Users\Admin\AppData\Local\Temp\8443e8e36ecb3de50c0da24617eed2b73bc16c9979af18e4f054b408ff44778dN.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2448
- C:\Users\Admin\AppData\Local\Temp\._cache_8443e8e36ecb3de50c0da24617eed2b73bc16c9979af18e4f054b408ff44778dN.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_8443e8e36ecb3de50c0da24617eed2b73bc16c9979af18e4f054b408ff44778dN.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3008
- - C:\Users\Admin\AppData\Local\Temp\is-TLOJ2.tmp\._cache_8443e8e36ecb3de50c0da24617eed2b73bc16c9979af18e4f054b408ff44778dN.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-TLOJ2.tmp\._cache_8443e8e36ecb3de50c0da24617eed2b73bc16c9979af18e4f054b408ff44778dN.tmp" /SL5="$9018C,1720962,424960,C:\Users\Admin\AppData\Local\Temp\._cache_8443e8e36ecb3de50c0da24617eed2b73bc16c9979af18e4f054b408ff44778dN.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    PID:2960
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2784
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1564
  - - C:\Users\Admin\AppData\Local\Temp\is-ISO8S.tmp\._cache_Synaptics.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-ISO8S.tmp\._cache_Synaptics.tmp" /SL5="$A0198,1720962,424960,C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:2688
    - - C:\Program Files (x86)\wbh-diag\WBH-Diag.exe
        
        "C:\Program Files (x86)\wbh-diag\WBH-Diag.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1768

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\wbh-diag\Microsoft.VisualBasic.PowerPacks.dll

Filesize
263KB

MD5
e8e4ad69eb6199e3ea7a8e7bc5d253d2

SHA1
7713c550e75421bb034790252997fe570e5f929c

SHA256
f52a5b0e1d13b197d4cc0632f71c2a3bc44a62a5a6df1ee2116d6547893dd2f6

SHA512
d51c234f2defce4191d0c3eff232655ff25384b266d7ccdc09a6212a59e5a22748edac2fc24f30b5eaf68119deed64261c09f5bd2d02f0fcacc8d339f5286ac0

Download Submit
C:\Program Files (x86)\wbh-diag\MySql.Data.dll

Filesize
446KB

MD5
94bbe02a2b7494833014b31da9961c19

SHA1
25e0041be5a76545d2d4000e42acf34561c03e37

SHA256
d6b70ac9aa8b91570e24a86c5fb44ef183278132781f65f639878eef9477b6fa

SHA512
8acfce099b7b5914e83659d630a6c8602a84441dc70ddabc93332cd0ab779d3a5f1a5992d0af8f708be10a8fb93d45e08bc73636a971656e7dc6207de07d3f6d

Download Submit
C:\Program Files (x86)\wbh-diag\WBH-Diag.exe.config

Filesize
3KB

MD5
180dba8197005a4879e6ebb0f6de3743

SHA1
455dc84860c6756687caec67635cec67b53e1ca9

SHA256
ce01b25c7a052569868f5cc0f0a228bced404e29ec6a5150183cacd9b5eba5d4

SHA512
c3f305f45c9e26a043cd3de70723c4bae002199dee12bdd642222a20cc1683a26701be1e88a64281db18bf84bc8512410359172af30351e733b0b288b84f4a2e

Download Submit
C:\ProgramData\Synaptics\Synaptics.exe

Filesize
2.7MB

MD5
64ef0e8e77e87aceae7bfc101aa74730

SHA1
fc6f1c046f57823f70f5a3776fd0fc44d0aff809

SHA256
8443e8e36ecb3de50c0da24617eed2b73bc16c9979af18e4f054b408ff44778d

SHA512
c6bcb9d03f1b52699a28eca63d8fe27d460c2cf7ad3a690b4d4cc25b91fb236f42aaa403b09ee04f0269064e9f3e5b6ce4341bb875c776ad35f713ac44c3f4e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\CTLwe4NQ.xlsm

Filesize
17KB

MD5
af4d37aad8b34471da588360a43e768a

SHA1
83ed64667d4e68ea531b8bcf58aab3ed4a5ca998

SHA256
e7550c3453156531308fda255a198c3710aa4bc7412819c180b103c11e85cef1

SHA512
74f5000038c47b7c909c4ee5740e0e87cac12c9c96fff8b1c7ec749541ee3d4b7efd80f9ac02cd39809dca3f2707d0063fa852a3a541342d93a9d03de08823da

Download Submit
\Program Files (x86)\wbh-diag\WBH-Diag.exe

Filesize
2.1MB

MD5
d9427afabf59556cb442b3173b0d0f65

SHA1
60e0997a1eaa51f298eb18d59c69093e922ed348

SHA256
5841ff1a15a68f31bc62d6c56e3f5a846f13b08a2a2d73bc688fc60427871178

SHA512
e979b88212aed0dcf99041b8f9bcee2acd49c730c9fd1650cd41ff65f6fc48515be12afc5e8d23c340ae7679aa685013e81104f278d8432cb67871d7b454e172

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_8443e8e36ecb3de50c0da24617eed2b73bc16c9979af18e4f054b408ff44778dN.exe

Filesize
1.9MB

MD5
b9cdb56c6e2a49c486751f7e00258726

SHA1
1bdc5792898a1d4e53b020df8b2f9e2b98806837

SHA256
3bb02f84367e17338b79ed7829df18790f34d0d3e634df71fcf7147a87c3c8dc

SHA512
57bc1eee5589fa09bc56cdf4ec53a673a7910574f07254999156ff5fb9840b0c66308a17cb70f70c1aedd957b76549bb831eea89d0d6a2fb766de71767d7c775

Download Submit
\Users\Admin\AppData\Local\Temp\is-J2HH2.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-TLOJ2.tmp\._cache_8443e8e36ecb3de50c0da24617eed2b73bc16c9979af18e4f054b408ff44778dN.tmp

Filesize
1.0MB

MD5
f911f075a9be615cbd60aa192dc88c54

SHA1
580c8a34169daf2730c4afe4675780e3fa928c2c

SHA256
3b1215484731c8bf063ad0dd2ff1f83f739186e277ef5bdc4c5d03a181c8a44b

SHA512
1902541e66d8d250729f06242c0ef1e545a44586c47b90803b6423bba2ac5d8fa2c3422a8f4fc36cf56506c63aeac3e72c92f9ba4d042e0c4c9b359d304a636e

Download Submit
memory/1564-71-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1564-44-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1564-150-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1768-154-0x0000000000510000-0x0000000000556000-memory.dmp

Filesize
280KB

Download
memory/1768-158-0x0000000008650000-0x00000000086C6000-memory.dmp

Filesize
472KB

Download
memory/1768-146-0x0000000001110000-0x000000000132E000-memory.dmp

Filesize
2.1MB

Download
memory/1852-52-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2448-34-0x0000000000400000-0x00000000006AD000-memory.dmp

Filesize
2.7MB

Download
memory/2448-0-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2688-77-0x0000000000400000-0x0000000000517000-memory.dmp

Filesize
1.1MB

Download
memory/2688-72-0x0000000000400000-0x0000000000517000-memory.dmp

Filesize
1.1MB

Download
memory/2688-82-0x0000000000400000-0x0000000000517000-memory.dmp

Filesize
1.1MB

Download
memory/2688-149-0x0000000000400000-0x0000000000517000-memory.dmp

Filesize
1.1MB

Download
memory/2688-139-0x0000000000400000-0x0000000000517000-memory.dmp

Filesize
1.1MB

Download
memory/2784-75-0x0000000000400000-0x00000000006AD000-memory.dmp

Filesize
2.7MB

Download
memory/2784-70-0x0000000000400000-0x00000000006AD000-memory.dmp

Filesize
2.7MB

Download
memory/2784-199-0x0000000000400000-0x00000000006AD000-memory.dmp

Filesize
2.7MB

Download
memory/2960-74-0x0000000000400000-0x0000000000517000-memory.dmp

Filesize
1.1MB

Download
memory/2960-79-0x0000000000400000-0x0000000000517000-memory.dmp

Filesize
1.1MB

Download
memory/2960-136-0x0000000000400000-0x0000000000517000-memory.dmp

Filesize
1.1MB

Download
memory/2960-69-0x0000000000400000-0x0000000000517000-memory.dmp

Filesize
1.1MB

Download
memory/2960-162-0x0000000000400000-0x0000000000517000-memory.dmp

Filesize
1.1MB

Download
memory/2960-166-0x0000000000400000-0x0000000000517000-memory.dmp

Filesize
1.1MB

Download
memory/3008-68-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/3008-8-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/3008-20-0x0000000000401000-0x000000000040B000-memory.dmp

Filesize
40KB

Download
memory/3008-168-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download