xred | 940f4d6772f50d20f4303ea10b95db7fd39efefd1b8ff8136a21c60e24acd459

Analysis

max time kernel
112s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20-11-2024 18:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

940f4d6772f50d20f4303ea10b95db7fd39efefd1b8ff8136a21c60e24acd459N.exe
Size

1.2MB
MD5

64ace44faaea86f0c330eb1362ee46e0
SHA1

f6d730bfb6ac0eba02b7cbeddba9182dbd0d31e7
SHA256

940f4d6772f50d20f4303ea10b95db7fd39efefd1b8ff8136a21c60e24acd459
SHA512

134096945706c2b5d1c3f6f796593245e982a6939d075965d4b68189abed238984f2e1f331684b8ac1a4b6f6580a49d30407ed5a55b4e65b7775001fb0024911
SSDEEP

24576:TnsJ39LyjbJkQFMhmC+6GD9wrYUhw/Fcy0f1u/olezk:TnsHyjtk2MYC5GDO0Ujs/oleo

Score

10^/10

xred backdoor discovery persistence

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

940f4d6772f50d20f4303ea10b95db7fd39efefd1b8ff8136a21c60e24acd459N.exeSynaptics.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	940f4d6772f50d20f4303ea10b95db7fd39efefd1b8ff8136a21c60e24acd459N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	Synaptics.exe

Executes dropped EXE 7 IoCs

Processes:

._cache_940f4d6772f50d20f4303ea10b95db7fd39efefd1b8ff8136a21c60e24acd459N.exesetup.exeSynaptics.exesetup.tmp._cache_Synaptics.exesetup.exesetup.tmp

pid	process
4796	._cache_940f4d6772f50d20f4303ea10b95db7fd39efefd1b8ff8136a21c60e24acd459N.exe
1844	setup.exe
3108	Synaptics.exe
3564	setup.tmp
1404	._cache_Synaptics.exe
1868	setup.exe
4408	setup.tmp

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

940f4d6772f50d20f4303ea10b95db7fd39efefd1b8ff8136a21c60e24acd459N.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	940f4d6772f50d20f4303ea10b95db7fd39efefd1b8ff8136a21c60e24acd459N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

._cache_Synaptics.exesetup.exesetup.tmp940f4d6772f50d20f4303ea10b95db7fd39efefd1b8ff8136a21c60e24acd459N.exe._cache_940f4d6772f50d20f4303ea10b95db7fd39efefd1b8ff8136a21c60e24acd459N.exeSynaptics.exesetup.exesetup.tmp

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	940f4d6772f50d20f4303ea10b95db7fd39efefd1b8ff8136a21c60e24acd459N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_940f4d6772f50d20f4303ea10b95db7fd39efefd1b8ff8136a21c60e24acd459N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.tmp

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Modifies registry class 2 IoCs

Processes:

940f4d6772f50d20f4303ea10b95db7fd39efefd1b8ff8136a21c60e24acd459N.exeSynaptics.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	940f4d6772f50d20f4303ea10b95db7fd39efefd1b8ff8136a21c60e24acd459N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

1436 EXCEL.EXE
Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

EXCEL.EXE

pid process

1436 EXCEL.EXE
1436 EXCEL.EXE
1436 EXCEL.EXE
1436 EXCEL.EXE
1436 EXCEL.EXE
1436 EXCEL.EXE
1436 EXCEL.EXE
1436 EXCEL.EXE

pid	process
1436	EXCEL.EXE

pid	process
1436	EXCEL.EXE
1436	EXCEL.EXE
1436	EXCEL.EXE
1436	EXCEL.EXE
1436	EXCEL.EXE
1436	EXCEL.EXE
1436	EXCEL.EXE
1436	EXCEL.EXE

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

940f4d6772f50d20f4303ea10b95db7fd39efefd1b8ff8136a21c60e24acd459N.exe._cache_940f4d6772f50d20f4303ea10b95db7fd39efefd1b8ff8136a21c60e24acd459N.exesetup.exeSynaptics.exe._cache_Synaptics.exesetup.exe

description	pid	process	target process
PID 4992 wrote to memory of 4796	4992	940f4d6772f50d20f4303ea10b95db7fd39efefd1b8ff8136a21c60e24acd459N.exe	._cache_940f4d6772f50d20f4303ea10b95db7fd39efefd1b8ff8136a21c60e24acd459N.exe
PID 4992 wrote to memory of 4796	4992	940f4d6772f50d20f4303ea10b95db7fd39efefd1b8ff8136a21c60e24acd459N.exe	._cache_940f4d6772f50d20f4303ea10b95db7fd39efefd1b8ff8136a21c60e24acd459N.exe
PID 4992 wrote to memory of 4796	4992	940f4d6772f50d20f4303ea10b95db7fd39efefd1b8ff8136a21c60e24acd459N.exe	._cache_940f4d6772f50d20f4303ea10b95db7fd39efefd1b8ff8136a21c60e24acd459N.exe
PID 4796 wrote to memory of 1844	4796	._cache_940f4d6772f50d20f4303ea10b95db7fd39efefd1b8ff8136a21c60e24acd459N.exe	setup.exe
PID 4796 wrote to memory of 1844	4796	._cache_940f4d6772f50d20f4303ea10b95db7fd39efefd1b8ff8136a21c60e24acd459N.exe	setup.exe
PID 4796 wrote to memory of 1844	4796	._cache_940f4d6772f50d20f4303ea10b95db7fd39efefd1b8ff8136a21c60e24acd459N.exe	setup.exe
PID 4992 wrote to memory of 3108	4992	940f4d6772f50d20f4303ea10b95db7fd39efefd1b8ff8136a21c60e24acd459N.exe	Synaptics.exe
PID 4992 wrote to memory of 3108	4992	940f4d6772f50d20f4303ea10b95db7fd39efefd1b8ff8136a21c60e24acd459N.exe	Synaptics.exe
PID 4992 wrote to memory of 3108	4992	940f4d6772f50d20f4303ea10b95db7fd39efefd1b8ff8136a21c60e24acd459N.exe	Synaptics.exe
PID 1844 wrote to memory of 3564	1844	setup.exe	setup.tmp
PID 1844 wrote to memory of 3564	1844	setup.exe	setup.tmp
PID 1844 wrote to memory of 3564	1844	setup.exe	setup.tmp
PID 3108 wrote to memory of 1404	3108	Synaptics.exe	._cache_Synaptics.exe
PID 3108 wrote to memory of 1404	3108	Synaptics.exe	._cache_Synaptics.exe
PID 3108 wrote to memory of 1404	3108	Synaptics.exe	._cache_Synaptics.exe
PID 1404 wrote to memory of 1868	1404	._cache_Synaptics.exe	setup.exe
PID 1404 wrote to memory of 1868	1404	._cache_Synaptics.exe	setup.exe
PID 1404 wrote to memory of 1868	1404	._cache_Synaptics.exe	setup.exe
PID 1868 wrote to memory of 4408	1868	setup.exe	setup.tmp
PID 1868 wrote to memory of 4408	1868	setup.exe	setup.tmp
PID 1868 wrote to memory of 4408	1868	setup.exe	setup.tmp

C:\Users\Admin\AppData\Local\Temp\940f4d6772f50d20f4303ea10b95db7fd39efefd1b8ff8136a21c60e24acd459N.exe
"C:\Users\Admin\AppData\Local\Temp\940f4d6772f50d20f4303ea10b95db7fd39efefd1b8ff8136a21c60e24acd459N.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4992
- C:\Users\Admin\AppData\Local\Temp\._cache_940f4d6772f50d20f4303ea10b95db7fd39efefd1b8ff8136a21c60e24acd459N.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_940f4d6772f50d20f4303ea10b95db7fd39efefd1b8ff8136a21c60e24acd459N.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4796
- - C:\Users\Admin\AppData\Local\Temp\7zSAA78.tmp\setup.exe
    .\setup.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1844
  - - C:\Users\Admin\AppData\Local\Temp\is-FMSR1.tmp\setup.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-FMSR1.tmp\setup.tmp" /SL5="$501EC,54272,54272,C:\Users\Admin\AppData\Local\Temp\7zSAA78.tmp\setup.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3564
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3108
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1404
  - - C:\Users\Admin\AppData\Local\Temp\7zSAE70.tmp\setup.exe
      .\setup.exe InjUpdate
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1868
    - - C:\Users\Admin\AppData\Local\Temp\is-DHIIL.tmp\setup.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-DHIIL.tmp\setup.tmp" /SL5="$70258,54272,54272,C:\Users\Admin\AppData\Local\Temp\7zSAE70.tmp\setup.exe" InjUpdate
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4408

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
1.2MB

MD5
64ace44faaea86f0c330eb1362ee46e0

SHA1
f6d730bfb6ac0eba02b7cbeddba9182dbd0d31e7

SHA256
940f4d6772f50d20f4303ea10b95db7fd39efefd1b8ff8136a21c60e24acd459

SHA512
134096945706c2b5d1c3f6f796593245e982a6939d075965d4b68189abed238984f2e1f331684b8ac1a4b6f6580a49d30407ed5a55b4e65b7775001fb0024911

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_940f4d6772f50d20f4303ea10b95db7fd39efefd1b8ff8136a21c60e24acd459N.exe

Filesize
440KB

MD5
dc675f369e523ed611106d410d0a5562

SHA1
64ac68397eb3f18f8a9bfeb494e4983c7ab49cef

SHA256
f83c2506a6af61d5c8a4d4b9f901cb1d5a6eb3a18c5f179bdf1fefe1e1283112

SHA512
6bb3a5e3bd6f6f01f7f53a6bbbff56edc5bf0c6a22f9dac16014eaefc38b73a11f78c4aac3545bca413973b4a2090a722b7610651cc8865dd0e558d09d8f9f8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSAA78.tmp\setup.exe

Filesize
309KB

MD5
ea383686b37fc135fc75eac4e1b9de88

SHA1
73ce3d8b38a4237d29f8bbeabe04c40baae42f35

SHA256
40253e3508db7e8aae52627c4f10e0122e512f57cf3890012028f454b422cd50

SHA512
bce78e7428c1a61b864decc833fbc9a3c24b2c91a7e100551a0a521b260436898e8017e554cd49bd5c5c1219dc9c7e0ac73ccfbf24c86cc7b5dd7c977c4bc22e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSAA78.tmp\setup.ini

Filesize
2KB

MD5
1213ae755a10906c4064a3cefa4b2cf7

SHA1
11898b83e6e0c618e7f16673e0ac79c7b3a8d1ce

SHA256
6ea21d1fe9515467afeeb5eef360dde1cc4f7b87015f30f4194108e4f57cdb8e

SHA512
0c559712d0e41f36109e9aebea9b5fed5f491e0b71b226ede566edc3a4520480b0838ab2ad304bfe558cb7361a6372b261c79c99137b20a37a0d1b82b8ee6cb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSAE70.tmp\DATA\AddBplotMenu.VLX

Filesize
3KB

MD5
f01acf3a1b29d9ea79d45ccdd4fb51ee

SHA1
3740a5260fb134119a5ab30fc8757264d9377ef7

SHA256
afbd1705b23a0e9d56b9a695dc1f6699f1b38d4fc66d6dd1887973b9d963f21c

SHA512
8a935fbfc3f869f3fa7f00a2c7354293eeba20c6ce6229ceca436df6c8997b02ed6d5a962a32f5587e363bbcdc620b45712b4ae84880d8b9ef0b54117b85a27c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSAE70.tmp\DATA\BP_Help.htm

Filesize
7KB

MD5
4e2c672b039af5336f1e8be8ff718b43

SHA1
d7042f3a165986ae5c83c476e60f73dc57a1211e

SHA256
2f6a76c99355627965623d91823c4b957f69807a4675c2b4e409c9d4c3f33baa

SHA512
c90020f312d2e3c740bf8e43f656dd73fe2c21739e4c453fac3c5140bfc4c4fe10be0ed6213f23bce1322eb9d9f0276b13cdc968cd6ac5823f6ee3038b478ce4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSAE70.tmp\DATA\BatchPlot.VLX

Filesize
91KB

MD5
05c2dc36f2019f116b815d848e287699

SHA1
062f6a8eceab1ea25f11b829f6c25fa1bb3be094

SHA256
fcca4e4f69d4192099491a1855815042b6615888eb54f71bf2e3ef52cd4db3ba

SHA512
a602e258e289cfbd321b44d97ad63ee968fa7e9351a482f50d117371cc1be1b1511c35a57b2a15d13077856210672d5337038ffd8c2eb821510beb630cfa4bca

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSAE70.tmp\DATA\Batchplot.ini

Filesize
1KB

MD5
3a10c8ca361c29a3b25ec29e87ac1f4b

SHA1
f4b2c41ec1c084a4ba0a167975a96929c346e714

SHA256
7a9cb44434363740ad9891fe05d498f2597968e29fb18be2deabb1cc04462395

SHA512
1c9bc5e86a8985f0b7c0fa940d146779a10025df49e064be05bd5e249d3b7cd03c57e65f3c3fb78d490462157e539687caba7be4c3cc77574ed2ad7f306efd0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSAE70.tmp\DATA\History.htm

Filesize
6KB

MD5
a6157b4b0608061d8cb12ea87a685eae

SHA1
dc13b65840453aa4113a86a627d9c30ab1badb87

SHA256
65e70a4ecb5e42dffff0e9ad414a83a691e78e972006aa674a7a9cb07e908335

SHA512
55b787e43c101c13e6ee30dfb4009a5625c884826afc9ab072f7ad9a600f3445e22833a814e2766202612390b7fe1361d3384e952bae89b3d378d6f1bce5a8c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSAE70.tmp\DATA\Info.rtf

Filesize
5KB

MD5
759ea99e342b0c7c3749e0fb6ac68c3c

SHA1
00dbc55fddf034287dcdf28be6f54ef66eaab40d

SHA256
41382a6af30e01b0ca7b2b36d5f86dae90cad5ff109d9a76c6090719b67d03ca

SHA512
6ae0a8dc015632b139694183f39f7202e314ba16f63f841107184dfe0b82f73d9460eff494a80d3b3559903d17d5fdbbeff60579d20e693ce2dba235f7cff2f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSAE70.tmp\DATA\License.rtf

Filesize
6KB

MD5
95131db75bb16a676fe9836757c49e67

SHA1
2da41a6f91c88b9df84c7482a20793d5f3490c12

SHA256
9646c1af1dba61ae5245e5282048f250fd9b871810ba2969d6ae9c46e3553176

SHA512
ff22a398d21c90749a0462573b2f20a374f9dce8f28d67f82e4c2d0d1d39e5013ef52bfecfb8f9ba1eab7e575a1599013e0f7b2a8a10a6cb5cb4fd7bc2d143d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSAE70.tmp\DATA\Visit Home Page.url

Filesize
87B

MD5
79d0b300f17c1f9af86876d49d66401d

SHA1
6e902355a3bfa6328d0b1c253aa4bc5172140fef

SHA256
83f6c1b24160a01be3381471b9647c818002b1351b5c4d11e1c8cbc9480ecdb4

SHA512
4aa0334c847683dfce449d9654518a2e1d2caa90377b485e4ac6a6b5446ef426b0f27b05fa14ecc4aef6ee6eea8dbb09078543d71c186419c316ba2919e1fce3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSAE70.tmp\DATA\donate.htm

Filesize
1KB

MD5
6a89a2905139522d3a1b4269d0b6ebd6

SHA1
617a4a0cdc9231c845d72acdd26d0b9ea195af56

SHA256
00b34c3b0c7359f7f3e4a6cb1a85db641732dd56b72907725da6eb4a74cc3417

SHA512
513ae4952ba460367bf180ff601c8d69ca0ebd0c1cdd23628fd51f7784075350acfc41d46284786ff6e6fbeb313602a6ac24deeedd0ffbbdb391a2d7f4a6b067

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSAE70.tmp\DATA\loadBatchPlot.VLX

Filesize
2KB

MD5
8da98c7db3497cff27c160a4c0a019fc

SHA1
a6367cfdd51767db6fa862158a9e392032e6aa00

SHA256
43b0fb6a39684018ddb4c14ed59abdaaa43073893537b0e378bc918161fdd849

SHA512
672b2ad6a55c4e234526d19da4f2eba53b1e8207d6ffdef085f052ae05455f02f74bf597da55a4b4e4afa3bef92bc44e9b094c2dabf71e54750772a0fb6c78bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\F0E75E00

Filesize
22KB

MD5
92513ea2ab5a92e71ec5fd2896b73b32

SHA1
bdfa011fb8c7622586581e789bc125524c0a7499

SHA256
4317ad41f9a57099a18ca78f62f87ee247da922614f159594cbcad089bd9099b

SHA512
b2df07bc919ffe63e4c72ef64f4647c7873fda098ba34f44e96ce2c7c07f1eb7b69e721edbaf2eddc1c8185002aa6e8cdf8ce24e7c9ca3132071d240c8a9125f

Download Submit
C:\Users\Admin\AppData\Local\Temp\PKlFVBCL.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-9EN1M.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-FMSR1.tmp\setup.tmp

Filesize
695KB

MD5
620f32e56b46e90e8aee43febc59f6e3

SHA1
d5edd63dd1390a1420b85f746e12a66625ae9354

SHA256
bcc9d63213012bf25a37f48015e5f755d359f3b08d05d35319b03b4a72710730

SHA512
8a9d2a2eb3891265cec379978399ad6c9b4bf3e12e0f381946b4390621b943b97fa04fbb87ad628652bd765b706eb2ff56001f24de24e9bcc487a59ca2f07d9c

Download Submit
memory/1436-337-0x00007FF818C60000-0x00007FF818C70000-memory.dmp

Filesize
64KB

Download
memory/1436-335-0x00007FF81ADD0000-0x00007FF81ADE0000-memory.dmp

Filesize
64KB

Download
memory/1436-334-0x00007FF81ADD0000-0x00007FF81ADE0000-memory.dmp

Filesize
64KB

Download
memory/1436-333-0x00007FF81ADD0000-0x00007FF81ADE0000-memory.dmp

Filesize
64KB

Download
memory/1436-338-0x00007FF818C60000-0x00007FF818C70000-memory.dmp

Filesize
64KB

Download
memory/1436-336-0x00007FF81ADD0000-0x00007FF81ADE0000-memory.dmp

Filesize
64KB

Download
memory/1436-332-0x00007FF81ADD0000-0x00007FF81ADE0000-memory.dmp

Filesize
64KB

Download
memory/1844-311-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1844-304-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1844-162-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1868-283-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1868-267-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3108-305-0x0000000000400000-0x0000000000531000-memory.dmp

Filesize
1.2MB

Download
memory/3108-416-0x0000000000400000-0x0000000000531000-memory.dmp

Filesize
1.2MB

Download
memory/3108-385-0x0000000000400000-0x0000000000531000-memory.dmp

Filesize
1.2MB

Download
memory/3564-310-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/3564-306-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/4408-282-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/4992-161-0x0000000000400000-0x0000000000531000-memory.dmp

Filesize
1.2MB

Download
memory/4992-0-0x00000000022D0000-0x00000000022D1000-memory.dmp

Filesize
4KB

Download