xred | bbd2b1d3ca9473ed3302becfece035c4547c0ad38737688b051ba492eac3aca3

Analysis

max time kernel
142s
max time network
147s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
29-11-2024 23:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bbd2b1d3ca9473ed3302becfece035c4547c0ad38737688b051ba492eac3aca3.exe
Size

2.9MB
MD5

3f3e0a24cfb5d4bcda0d2661e74fe237
SHA1

40f8c95cb8d6f24f6d8719ded45561c54c7f2d87
SHA256

bbd2b1d3ca9473ed3302becfece035c4547c0ad38737688b051ba492eac3aca3
SHA512

eb8c0e1082c39025620d546440167768fe2c4148906db91f02abf4fe1ecdc2d2ef77e9de961c46d2f101be96e3454bc8066ae488f42a392465ae44f0be1bdec8
SSDEEP

49152:PnsHyjtk2MYC5GD+4x8xfNOOWXT6bUWfCKfwHiEGq2LGZRvKKpgd52F2k2:Pnsmtk2ap4x8xfNnWBnCwHiEGLsRvKKC

Score

10^/10

xred backdoor discovery persistence

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Executes dropped EXE 5 IoCs

Processes:

._cache_bbd2b1d3ca9473ed3302becfece035c4547c0ad38737688b051ba492eac3aca3.exeSynaptics.exeSetup.exe._cache_Synaptics.exeSetup.exe

pid	Process
2836	._cache_bbd2b1d3ca9473ed3302becfece035c4547c0ad38737688b051ba492eac3aca3.exe
332	Synaptics.exe
2788	Setup.exe
1156	._cache_Synaptics.exe
2360	Setup.exe

Loads dropped DLL 15 IoCs

Processes:

bbd2b1d3ca9473ed3302becfece035c4547c0ad38737688b051ba492eac3aca3.exe._cache_bbd2b1d3ca9473ed3302becfece035c4547c0ad38737688b051ba492eac3aca3.exeSetup.exeSynaptics.exe._cache_Synaptics.exeSetup.exe

pid	Process
2772	bbd2b1d3ca9473ed3302becfece035c4547c0ad38737688b051ba492eac3aca3.exe
2772	bbd2b1d3ca9473ed3302becfece035c4547c0ad38737688b051ba492eac3aca3.exe
2772	bbd2b1d3ca9473ed3302becfece035c4547c0ad38737688b051ba492eac3aca3.exe
2836	._cache_bbd2b1d3ca9473ed3302becfece035c4547c0ad38737688b051ba492eac3aca3.exe
2788	Setup.exe
2788	Setup.exe
2788	Setup.exe
2788	Setup.exe
332	Synaptics.exe
332	Synaptics.exe
1156	._cache_Synaptics.exe
2360	Setup.exe
2360	Setup.exe
2360	Setup.exe
2360	Setup.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

bbd2b1d3ca9473ed3302becfece035c4547c0ad38737688b051ba492eac3aca3.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	bbd2b1d3ca9473ed3302becfece035c4547c0ad38737688b051ba492eac3aca3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

EXCEL.EXESetup.exebbd2b1d3ca9473ed3302becfece035c4547c0ad38737688b051ba492eac3aca3.exe._cache_bbd2b1d3ca9473ed3302becfece035c4547c0ad38737688b051ba492eac3aca3.exeSetup.exeSynaptics.exe._cache_Synaptics.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bbd2b1d3ca9473ed3302becfece035c4547c0ad38737688b051ba492eac3aca3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_bbd2b1d3ca9473ed3302becfece035c4547c0ad38737688b051ba492eac3aca3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Setup.exeSetup.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Setup.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Setup.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid	Process
568	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

Setup.exeSetup.exe

pid	Process
2788	Setup.exe
2788	Setup.exe
2788	Setup.exe
2788	Setup.exe
2788	Setup.exe
2788	Setup.exe
2360	Setup.exe
2360	Setup.exe
2360	Setup.exe
2360	Setup.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Setup.exe

pid	Process
2360	Setup.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

EXCEL.EXESetup.exe

pid	Process
568	EXCEL.EXE
2360	Setup.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

bbd2b1d3ca9473ed3302becfece035c4547c0ad38737688b051ba492eac3aca3.exe._cache_bbd2b1d3ca9473ed3302becfece035c4547c0ad38737688b051ba492eac3aca3.exeSynaptics.exe._cache_Synaptics.exe

description	pid	Process	procid_target
PID 2772 wrote to memory of 2836	2772	bbd2b1d3ca9473ed3302becfece035c4547c0ad38737688b051ba492eac3aca3.exe	30
PID 2772 wrote to memory of 2836	2772	bbd2b1d3ca9473ed3302becfece035c4547c0ad38737688b051ba492eac3aca3.exe	30
PID 2772 wrote to memory of 2836	2772	bbd2b1d3ca9473ed3302becfece035c4547c0ad38737688b051ba492eac3aca3.exe	30
PID 2772 wrote to memory of 2836	2772	bbd2b1d3ca9473ed3302becfece035c4547c0ad38737688b051ba492eac3aca3.exe	30
PID 2772 wrote to memory of 2836	2772	bbd2b1d3ca9473ed3302becfece035c4547c0ad38737688b051ba492eac3aca3.exe	30
PID 2772 wrote to memory of 2836	2772	bbd2b1d3ca9473ed3302becfece035c4547c0ad38737688b051ba492eac3aca3.exe	30
PID 2772 wrote to memory of 2836	2772	bbd2b1d3ca9473ed3302becfece035c4547c0ad38737688b051ba492eac3aca3.exe	30
PID 2772 wrote to memory of 332	2772	bbd2b1d3ca9473ed3302becfece035c4547c0ad38737688b051ba492eac3aca3.exe	31
PID 2772 wrote to memory of 332	2772	bbd2b1d3ca9473ed3302becfece035c4547c0ad38737688b051ba492eac3aca3.exe	31
PID 2772 wrote to memory of 332	2772	bbd2b1d3ca9473ed3302becfece035c4547c0ad38737688b051ba492eac3aca3.exe	31
PID 2772 wrote to memory of 332	2772	bbd2b1d3ca9473ed3302becfece035c4547c0ad38737688b051ba492eac3aca3.exe	31
PID 2836 wrote to memory of 2788	2836	._cache_bbd2b1d3ca9473ed3302becfece035c4547c0ad38737688b051ba492eac3aca3.exe	32
PID 2836 wrote to memory of 2788	2836	._cache_bbd2b1d3ca9473ed3302becfece035c4547c0ad38737688b051ba492eac3aca3.exe	32
PID 2836 wrote to memory of 2788	2836	._cache_bbd2b1d3ca9473ed3302becfece035c4547c0ad38737688b051ba492eac3aca3.exe	32
PID 2836 wrote to memory of 2788	2836	._cache_bbd2b1d3ca9473ed3302becfece035c4547c0ad38737688b051ba492eac3aca3.exe	32
PID 2836 wrote to memory of 2788	2836	._cache_bbd2b1d3ca9473ed3302becfece035c4547c0ad38737688b051ba492eac3aca3.exe	32
PID 2836 wrote to memory of 2788	2836	._cache_bbd2b1d3ca9473ed3302becfece035c4547c0ad38737688b051ba492eac3aca3.exe	32
PID 2836 wrote to memory of 2788	2836	._cache_bbd2b1d3ca9473ed3302becfece035c4547c0ad38737688b051ba492eac3aca3.exe	32
PID 332 wrote to memory of 1156	332	Synaptics.exe	33
PID 332 wrote to memory of 1156	332	Synaptics.exe	33
PID 332 wrote to memory of 1156	332	Synaptics.exe	33
PID 332 wrote to memory of 1156	332	Synaptics.exe	33
PID 332 wrote to memory of 1156	332	Synaptics.exe	33
PID 332 wrote to memory of 1156	332	Synaptics.exe	33
PID 332 wrote to memory of 1156	332	Synaptics.exe	33
PID 1156 wrote to memory of 2360	1156	._cache_Synaptics.exe	35
PID 1156 wrote to memory of 2360	1156	._cache_Synaptics.exe	35
PID 1156 wrote to memory of 2360	1156	._cache_Synaptics.exe	35
PID 1156 wrote to memory of 2360	1156	._cache_Synaptics.exe	35
PID 1156 wrote to memory of 2360	1156	._cache_Synaptics.exe	35
PID 1156 wrote to memory of 2360	1156	._cache_Synaptics.exe	35
PID 1156 wrote to memory of 2360	1156	._cache_Synaptics.exe	35

C:\Users\Admin\AppData\Local\Temp\bbd2b1d3ca9473ed3302becfece035c4547c0ad38737688b051ba492eac3aca3.exe
"C:\Users\Admin\AppData\Local\Temp\bbd2b1d3ca9473ed3302becfece035c4547c0ad38737688b051ba492eac3aca3.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2772
- C:\Users\Admin\AppData\Local\Temp\._cache_bbd2b1d3ca9473ed3302becfece035c4547c0ad38737688b051ba492eac3aca3.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_bbd2b1d3ca9473ed3302becfece035c4547c0ad38737688b051ba492eac3aca3.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2836
- - C:\649da6be39494bd640b24a1d0c\Setup.exe
    C:\649da6be39494bd640b24a1d0c\\Setup.exe /x86 /x64 /lcid 2052
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    PID:2788
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:332
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1156
  - - C:\81f5717907f2b1846a8a\Setup.exe
      C:\81f5717907f2b1846a8a\\Setup.exe InjUpdate /x86 /x64 /lcid 2052
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Checks processor information in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      PID:2360

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\649da6be39494bd640b24a1d0c\1033\LocalizedData.xml

Filesize
75KB

MD5
326518603d85acd79a6258886fc85456

SHA1
f1cef14bc4671a132225d22a1385936ad9505348

SHA256
665797c7840b86379019e5a46227f888fa1a36a593ea41f9170ef018c337b577

SHA512
f8a514efd70e81d0f2f983282d69040bca6e42f29aa5df554e6874922a61f112e311ad5d2b719b6ca90012f69965447fb91e8cd4103efb2453ff160a9062e5d3

Download Submit
C:\649da6be39494bd640b24a1d0c\2052\EULA.rtf

Filesize
5KB

MD5
4288c2541843f75c348d825fc8b94153

SHA1
e0dd8ed7bdb3c941a589361ee764f49a3619c264

SHA256
c30a7597aa67e2847940e2c24f09b35c07b1ec759adbca7c8261141fc1ecca92

SHA512
7ba9991fe4eed625fe7bef96a1d3ae70cb7616aad034236d1a2b346a08b48280cb6c20d2b059da9953919b0265125fe56dc5f4cc619ac653b4c1164ed564b359

Download Submit
C:\649da6be39494bd640b24a1d0c\2052\LocalizedData.xml

Filesize
59KB

MD5
10da125eeabcbb45e0a272688b0e2151

SHA1
6c4124ec8ca2d03b5187ba567c922b6c3e5efc93

SHA256
1842f22c6fd4caf6ad217e331b74c6240b19991a82a1a030a6e57b1b8e9fd1ec

SHA512
d968abd74206a280f74bf6947757cca8dd9091b343203e5c2269af2e008d3bb0a17ff600eb961dbf69a93de4960133ade8d606fb9a99402d33b8889f2d0da710

Download Submit
C:\649da6be39494bd640b24a1d0c\DHTMLHeader.html

Filesize
15KB

MD5
cd131d41791a543cc6f6ed1ea5bd257c

SHA1
f42a2708a0b42a13530d26515274d1fcdbfe8490

SHA256
e139af8858fe90127095ac1c4685bcd849437ef0df7c416033554703f5d864bb

SHA512
a6ee9af8f8c2c7acd58dd3c42b8d70c55202b382ffc5a93772af7bf7d7740c1162bb6d38a4307b1802294a18eb52032d410e128072af7d4f9d54f415be020c9a

Download Submit
C:\649da6be39494bd640b24a1d0c\ParameterInfo.xml

Filesize
82KB

MD5
caa527d7170cfe3cd339c539ff8390d9

SHA1
862c632e9d59c2ccb265d9193249a9cdee3942ea

SHA256
1f90c21884ac058ade44e7bb8ef4a3c0ea67b7eb6cef3731bb07396ed4253a84

SHA512
78187beb7d7db2e0959154aa9969c05e465c4ee0e808b3485a650d6c3f871b9956ace0c7084ae67a0be905294b5f706d102c49fb7936693accda08e1a07872c9

Download Submit
C:\649da6be39494bd640b24a1d0c\SetupUi.dll

Filesize
288KB

MD5
eb881e3dddc84b20bd92abcec444455f

SHA1
e2c32b1c86d4f70e39de65e9ebc4f361b24ff4a1

SHA256
11565d97287c01d22ad2e46c78d8a822fa3e6524561d4c02dfc87e8d346c44e7

SHA512
5750cec73b36a3f19bfb055f880f3b6498a7ae589017333f6272d26f1c72c6f475a3308826268a098372bbb096b43fbd1e06e93eecc0a81046668228bc179a75

Download Submit
C:\649da6be39494bd640b24a1d0c\SetupUi.xsd

Filesize
29KB

MD5
2fadd9e618eff8175f2a6e8b95c0cacc

SHA1
9ab1710a217d15b192188b19467932d947b0a4f8

SHA256
222211e8f512edf97d78bc93e1f271c922d5e91fa899e092b4a096776a704093

SHA512
a3a934a8572ff9208d38cf381649bd83de227c44b735489fd2a9dc5a636ead9bb62459c9460ee53f61f0587a494877cd3a3c2611997be563f3137f8236ffc4ca

Download Submit
C:\649da6be39494bd640b24a1d0c\SplashScreen.bmp

Filesize
40KB

MD5
0966fcd5a4ab0ddf71f46c01eff3cdd5

SHA1
8f4554f079edad23bcd1096e6501a61cf1f8ec34

SHA256
31c13ecfc0eb27f34036fb65cc0e735cd444eec75376eea2642f926ac162dcb3

SHA512
a9e70a2fb5a9899acf086474d71d0e180e2234c40e68bcadb9bf4fe145774680cb55584b39fe53cc75de445c6bf5741fc9b15b18385cbbe20fc595fe0ff86fce

Download Submit
C:\649da6be39494bd640b24a1d0c\Strings.xml

Filesize
13KB

MD5
8a28b474f4849bee7354ba4c74087cea

SHA1
c17514dfc33dd14f57ff8660eb7b75af9b2b37b0

SHA256
2a7a44fb25476886617a1ec294a20a37552fd0824907f5284fade3e496ed609b

SHA512
a7927700d8050623bc5c761b215a97534c2c260fcab68469b7a61c85e2dff22ed9cf57e7cb5a6c8886422abe7ac89b5c71e569741db74daa2dcb4152f14c2369

Download Submit
C:\649da6be39494bd640b24a1d0c\UiInfo.xml

Filesize
38KB

MD5
99d84c216c450b4bf9e8b18af8a0bebe

SHA1
6613178bbaca0d9d6e3771f488fc2e3b013daeab

SHA256
a6241e78507a8fcee9215c7ce241dc7141e7a38d4b5fb0587b6178fdeea05fa3

SHA512
15831d239bc6290958aa360c9312a6aed51442f5a5977b16ddfe48b931f1071a6c55703ccc16b76a12f3b53789148c41910e6530b0c622ac3c28158bebe92301

Download Submit
C:\649da6be39494bd640b24a1d0c\graphics\print.ico

Filesize
1KB

MD5
7e55ddc6d611176e697d01c90a1212cf

SHA1
e2620da05b8e4e2360da579a7be32c1b225deb1b

SHA256
ff542e32330b123486797b410621e19eafb39df3997e14701afa4c22096520ed

SHA512
283d381aa396820b7e15768b20099d67688da1f6315ec9f7938c2fcc3167777502cded0d1beddf015a34cc4e5d045bcb665ffd28ba2fbb6faf50fdd38b31d16e

Download Submit
C:\649da6be39494bd640b24a1d0c\graphics\save.ico

Filesize
1KB

MD5
7d62e82d960a938c98da02b1d5201bd5

SHA1
194e96b0440bf8631887e5e9d3cc485f8e90fbf5

SHA256
ae041c8764f56fd89277b34982145d16fc59a4754d261c861b19371c3271c6e5

SHA512
ab06b2605f0c1f6b71ef69563c0c977d06c6ea84d58ef7f2baecba566d6037d1458c2b58e6bfd70ddef47dccbdea6d9c2f2e46dea67ea9e92457f754d7042f67

Download Submit
C:\649da6be39494bd640b24a1d0c\graphics\setup.ico

Filesize
35KB

MD5
3d25d679e0ff0b8c94273dcd8b07049d

SHA1
a517fc5e96bc68a02a44093673ee7e076ad57308

SHA256
288e9ad8f0201e45bc187839f15aca79d6b9f76a7d3c9274c80f5d4a4c219c0f

SHA512
3bde668004ca7e28390862d0ae9903c756c16255bdbb3f7e73a5b093ce6a57a3165d6797b0a643b254493149231aca7f7f03e0af15a0cbe28aff02f0071ec255

Download Submit
C:\649da6be39494bd640b24a1d0c\header.bmp

Filesize
3KB

MD5
514bfcd8da66722a9639eb41ed3988b7

SHA1
cf11618e3a3c790cd5239ee749a5ae513b4205cd

SHA256
6b8201ed10ce18ffade072b77c6d1fcaccf1d29acb47d86f553d9beebd991290

SHA512
89f01c3361ba874015325007ea24e83ae6e73700996d0912695a4e7cb3f8a611494ba9d63f004dcd4f358821e756be114bcf0137ed9b130776a6e26a95382c7b

Download Submit
C:\649da6be39494bd640b24a1d0c\sqmapi.dll

Filesize
141KB

MD5
3f0363b40376047eff6a9b97d633b750

SHA1
4eaf6650eca5ce931ee771181b04263c536a948b

SHA256
bd6395a58f55a8b1f4063e813ce7438f695b9b086bb965d8ac44e7a97d35a93c

SHA512
537be86e2f171e0b2b9f462ac7f62c4342beb5d00b68451228f28677d26a525014758672466ad15ed1fd073be38142dae478df67718908eae9e6266359e1f9e8

Download Submit
C:\649da6be39494bd640b24a1d0c\watermark.bmp

Filesize
101KB

MD5
b0075cee80173d764c0237e840ba5879

SHA1
b4cf45cd5bb036f4f210dfcba6ac16665a7c56a8

SHA256
ab18374b3aab10e5979e080d0410579f9771db888ba1b80a5d81ba8896e2d33a

SHA512
71a748c82cc8b0b42ef5a823bac4819d290da2eddbb042646682bccc7eb7ab320afdcfdfe08b1d9eebe149792b1259982e619f8e33845e33eec808c546e5c829

Download Submit
C:\ProgramData\Synaptics\Synaptics.exe

Filesize
2.9MB

MD5
3f3e0a24cfb5d4bcda0d2661e74fe237

SHA1
40f8c95cb8d6f24f6d8719ded45561c54c7f2d87

SHA256
bbd2b1d3ca9473ed3302becfece035c4547c0ad38737688b051ba492eac3aca3

SHA512
eb8c0e1082c39025620d546440167768fe2c4148906db91f02abf4fe1ecdc2d2ef77e9de961c46d2f101be96e3454bc8066ae488f42a392465ae44f0be1bdec8

Download Submit
C:\Users\Admin\AppData\Local\Temp\HFI7F4E.tmp.html

Filesize
18KB

MD5
5636b48f0d857c6e0d6d87bae2938bb8

SHA1
bbaaaaab692e4cb000ab13f57f4b7cd3eb312bcf

SHA256
2ac63f14d58ef56d06e51d86e959f68d9a1bf9b65601c4b5521e49edca72edab

SHA512
03a634ad5d069ce781a90a1c5a6ec215739a1e61d821375cebb576657dbda1c02efed44075a14c8a879e505f3cc176b852ef7c82bfc37ce0cf41754b3f51eab8

Download Submit
C:\Users\Admin\AppData\Local\Temp\cFAlgEYj.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\cFAlgEYj.xlsm

Filesize
23KB

MD5
ed8b0f5b27cd10feec16963f4d49952a

SHA1
7c8ca81f079075074f07885750e83c19d2d78628

SHA256
8f6e10837777a041df3f6d944a6b3f611c868681ee75f462830151394a12cb06

SHA512
8ed0e63cd14a0ddb951467a76bfab8252d52a0f8841114be78c470f42980203a0ef478d64db9e9dd4ad3f2b155c7404f0e4fd6e682ca1e510efd1e24c93f80fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\cFAlgEYj.xlsm

Filesize
24KB

MD5
e350e30fd2bbd7d853672535f33e0eef

SHA1
b7f856795f6de64eb50986842cb3db108d8bcf11

SHA256
06dbee75dc3d614868dc64da04da0b805c74e737b3e4f878b6806c152f46ee3d

SHA512
d3ff20513dcd740004c3c5e6cd303b52d99dd3541ef39ffc15759a4030d57077b21304d62559688f378ae636a2fa8f9538a8adbec153c092738127ddf30090dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\cFAlgEYj.xlsm

Filesize
26KB

MD5
e92cc6d6be8a62ef642ae580bb6a9d07

SHA1
68113c3877f097df4a6c5acd8c5ee289e3fd5419

SHA256
98a5d26b4edbfa49ff102edc2c7f54a0637ab6f758818f85f04f0fc59a1fb0c6

SHA512
892f942221a1a6d30802ee2db2a2986bf5ef6378e9fa1f5515e6911336eb13307c0b2670f19da15cab934c7a4d8e702986b87f4c2c22f6610eb6f712b2a9108f

Download Submit
\649da6be39494bd640b24a1d0c\2052\SetupResources.dll

Filesize
13KB

MD5
bc3bc99d2b9db2ec02257514cf97109b

SHA1
8b2986cfa809b055a664f7fdbe9f54adf248cb4a

SHA256
edd482f8b218af997219123348f2012999d857872bc111d6ebc14fd1a39ec12b

SHA512
0cb60aa19d73f37bea7b7cfc03a8df712848aafc36a54eab52cb89625198e60864ca87d95540efdd85033e18b2472e4826aa6685d59a65120e4637e3c4fc2ddb

Download Submit
\649da6be39494bd640b24a1d0c\Setup.exe

Filesize
76KB

MD5
006f8a615020a4a17f5e63801485df46

SHA1
78c82a80ebf9c8bf0c996dd8bc26087679f77fea

SHA256
d273460aa4d42f0b5764383e2ab852ab9af6fecb3ed866f1783869f2f155d8be

SHA512
c603ed6f3611eb7049a43a190ed223445a9f7bd5651100a825917198b50c70011e950fa968d3019439afa0a416752517b1c181ee9445e02da3904f4e4b73ce76

Download Submit
\649da6be39494bd640b24a1d0c\SetupEngine.dll

Filesize
788KB

MD5
84c1daf5f30ff99895ecab3a55354bcf

SHA1
7e25ba36bcc7deed89f3c9568016ddb3156c9c5a

SHA256
7a0d281fa802d615ea1207bd2e9ebb98f3b74f9833bba3cb964ba7c7e0fb67fd

SHA512
e4fb7e4d39f094463fdcdc4895ab2ea500eb51a32b6909cec80a526bbf34d5c0eb98f47ee256c0f0865bf3169374937f047bf5c4d6762779c8ca3332b4103be3

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_bbd2b1d3ca9473ed3302becfece035c4547c0ad38737688b051ba492eac3aca3.exe

Filesize
2.2MB

MD5
3da0093e9b403b92418316ce5fb049e0

SHA1
c303765acf4011183627d70327f290d37a11a7ef

SHA256
28f6a87b3699f1e250a0def1b7ca3d51db1c96692a1c323379dce01cd8ffe41d

SHA512
aaafa5b8ffb8207586ecb3e23d41bb95952592fa55fd3b75055bdf92c7174c216e7f21187f711153ad21059946a400c46fbffc80a957f4c04b433d818e7e5f5d

Download Submit
memory/332-359-0x0000000000400000-0x00000000006F6000-memory.dmp

Filesize
3.0MB

Download
memory/332-360-0x0000000000400000-0x00000000006F6000-memory.dmp

Filesize
3.0MB

Download
memory/332-394-0x0000000000400000-0x00000000006F6000-memory.dmp

Filesize
3.0MB

Download
memory/568-155-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/568-328-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2772-0-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2772-108-0x0000000000400000-0x00000000006F6000-memory.dmp

Filesize
3.0MB

Download