xred | bbd2b1d3ca9473ed3302becfece035c4547c0ad38737688b051ba492eac3aca3

Analysis

max time kernel
141s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
29-11-2024 23:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bbd2b1d3ca9473ed3302becfece035c4547c0ad38737688b051ba492eac3aca3.exe
Size

2.9MB
MD5

3f3e0a24cfb5d4bcda0d2661e74fe237
SHA1

40f8c95cb8d6f24f6d8719ded45561c54c7f2d87
SHA256

bbd2b1d3ca9473ed3302becfece035c4547c0ad38737688b051ba492eac3aca3
SHA512

eb8c0e1082c39025620d546440167768fe2c4148906db91f02abf4fe1ecdc2d2ef77e9de961c46d2f101be96e3454bc8066ae488f42a392465ae44f0be1bdec8
SSDEEP

49152:PnsHyjtk2MYC5GD+4x8xfNOOWXT6bUWfCKfwHiEGq2LGZRvKKpgd52F2k2:Pnsmtk2ap4x8xfNnWBnCwHiEGLsRvKKC

Score

10^/10

xred backdoor discovery persistence

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	bbd2b1d3ca9473ed3302becfece035c4547c0ad38737688b051ba492eac3aca3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Synaptics.exe

Executes dropped EXE 5 IoCs

pid	Process
3500	._cache_bbd2b1d3ca9473ed3302becfece035c4547c0ad38737688b051ba492eac3aca3.exe
116	Synaptics.exe
3796	Setup.exe
2180	._cache_Synaptics.exe
1540	Setup.exe

Loads dropped DLL 10 IoCs

pid	Process
3796	Setup.exe
3796	Setup.exe
3796	Setup.exe
3796	Setup.exe
3796	Setup.exe
1540	Setup.exe
1540	Setup.exe
1540	Setup.exe
1540	Setup.exe
1540	Setup.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	bbd2b1d3ca9473ed3302becfece035c4547c0ad38737688b051ba492eac3aca3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bbd2b1d3ca9473ed3302becfece035c4547c0ad38737688b051ba492eac3aca3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_bbd2b1d3ca9473ed3302becfece035c4547c0ad38737688b051ba492eac3aca3.exe

Checks processor information in registry 2 TTPs 7 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Setup.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Setup.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	bbd2b1d3ca9473ed3302becfece035c4547c0ad38737688b051ba492eac3aca3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
452	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
3796	Setup.exe
3796	Setup.exe
3796	Setup.exe
3796	Setup.exe
3796	Setup.exe
3796	Setup.exe
3796	Setup.exe
3796	Setup.exe
1540	Setup.exe
1540	Setup.exe
1540	Setup.exe
1540	Setup.exe
1540	Setup.exe
1540	Setup.exe
1540	Setup.exe
1540	Setup.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
452	EXCEL.EXE
452	EXCEL.EXE
1540	Setup.exe
452	EXCEL.EXE
452	EXCEL.EXE

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1576 wrote to memory of 3500	1576	bbd2b1d3ca9473ed3302becfece035c4547c0ad38737688b051ba492eac3aca3.exe	84
PID 1576 wrote to memory of 3500	1576	bbd2b1d3ca9473ed3302becfece035c4547c0ad38737688b051ba492eac3aca3.exe	84
PID 1576 wrote to memory of 3500	1576	bbd2b1d3ca9473ed3302becfece035c4547c0ad38737688b051ba492eac3aca3.exe	84
PID 1576 wrote to memory of 116	1576	bbd2b1d3ca9473ed3302becfece035c4547c0ad38737688b051ba492eac3aca3.exe	85
PID 1576 wrote to memory of 116	1576	bbd2b1d3ca9473ed3302becfece035c4547c0ad38737688b051ba492eac3aca3.exe	85
PID 1576 wrote to memory of 116	1576	bbd2b1d3ca9473ed3302becfece035c4547c0ad38737688b051ba492eac3aca3.exe	85
PID 3500 wrote to memory of 3796	3500	._cache_bbd2b1d3ca9473ed3302becfece035c4547c0ad38737688b051ba492eac3aca3.exe	86
PID 3500 wrote to memory of 3796	3500	._cache_bbd2b1d3ca9473ed3302becfece035c4547c0ad38737688b051ba492eac3aca3.exe	86
PID 3500 wrote to memory of 3796	3500	._cache_bbd2b1d3ca9473ed3302becfece035c4547c0ad38737688b051ba492eac3aca3.exe	86
PID 116 wrote to memory of 2180	116	Synaptics.exe	87
PID 116 wrote to memory of 2180	116	Synaptics.exe	87
PID 116 wrote to memory of 2180	116	Synaptics.exe	87
PID 2180 wrote to memory of 1540	2180	._cache_Synaptics.exe	90
PID 2180 wrote to memory of 1540	2180	._cache_Synaptics.exe	90
PID 2180 wrote to memory of 1540	2180	._cache_Synaptics.exe	90

C:\Users\Admin\AppData\Local\Temp\bbd2b1d3ca9473ed3302becfece035c4547c0ad38737688b051ba492eac3aca3.exe
"C:\Users\Admin\AppData\Local\Temp\bbd2b1d3ca9473ed3302becfece035c4547c0ad38737688b051ba492eac3aca3.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1576
- C:\Users\Admin\AppData\Local\Temp\._cache_bbd2b1d3ca9473ed3302becfece035c4547c0ad38737688b051ba492eac3aca3.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_bbd2b1d3ca9473ed3302becfece035c4547c0ad38737688b051ba492eac3aca3.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3500
- - C:\3a375576ce2a362f9d168f\Setup.exe
    C:\3a375576ce2a362f9d168f\\Setup.exe /x86 /x64 /lcid 2052
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    PID:3796
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:116
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2180
  - - C:\ba642fa84e45040d987ec9\Setup.exe
      C:\ba642fa84e45040d987ec9\\Setup.exe InjUpdate /x86 /x64 /lcid 2052
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Checks processor information in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:1540

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\3a375576ce2a362f9d168f\1033\LocalizedData.xml

Filesize
75KB

MD5
326518603d85acd79a6258886fc85456

SHA1
f1cef14bc4671a132225d22a1385936ad9505348

SHA256
665797c7840b86379019e5a46227f888fa1a36a593ea41f9170ef018c337b577

SHA512
f8a514efd70e81d0f2f983282d69040bca6e42f29aa5df554e6874922a61f112e311ad5d2b719b6ca90012f69965447fb91e8cd4103efb2453ff160a9062e5d3

Download Submit
C:\3a375576ce2a362f9d168f\2052\LocalizedData.xml

Filesize
59KB

MD5
10da125eeabcbb45e0a272688b0e2151

SHA1
6c4124ec8ca2d03b5187ba567c922b6c3e5efc93

SHA256
1842f22c6fd4caf6ad217e331b74c6240b19991a82a1a030a6e57b1b8e9fd1ec

SHA512
d968abd74206a280f74bf6947757cca8dd9091b343203e5c2269af2e008d3bb0a17ff600eb961dbf69a93de4960133ade8d606fb9a99402d33b8889f2d0da710

Download Submit
C:\3a375576ce2a362f9d168f\2052\SetupResources.dll

Filesize
13KB

MD5
bc3bc99d2b9db2ec02257514cf97109b

SHA1
8b2986cfa809b055a664f7fdbe9f54adf248cb4a

SHA256
edd482f8b218af997219123348f2012999d857872bc111d6ebc14fd1a39ec12b

SHA512
0cb60aa19d73f37bea7b7cfc03a8df712848aafc36a54eab52cb89625198e60864ca87d95540efdd85033e18b2472e4826aa6685d59a65120e4637e3c4fc2ddb

Download Submit
C:\3a375576ce2a362f9d168f\DHTMLHeader.html

Filesize
15KB

MD5
cd131d41791a543cc6f6ed1ea5bd257c

SHA1
f42a2708a0b42a13530d26515274d1fcdbfe8490

SHA256
e139af8858fe90127095ac1c4685bcd849437ef0df7c416033554703f5d864bb

SHA512
a6ee9af8f8c2c7acd58dd3c42b8d70c55202b382ffc5a93772af7bf7d7740c1162bb6d38a4307b1802294a18eb52032d410e128072af7d4f9d54f415be020c9a

Download Submit
C:\3a375576ce2a362f9d168f\ParameterInfo.xml

Filesize
82KB

MD5
caa527d7170cfe3cd339c539ff8390d9

SHA1
862c632e9d59c2ccb265d9193249a9cdee3942ea

SHA256
1f90c21884ac058ade44e7bb8ef4a3c0ea67b7eb6cef3731bb07396ed4253a84

SHA512
78187beb7d7db2e0959154aa9969c05e465c4ee0e808b3485a650d6c3f871b9956ace0c7084ae67a0be905294b5f706d102c49fb7936693accda08e1a07872c9

Download Submit
C:\3a375576ce2a362f9d168f\Setup.exe

Filesize
76KB

MD5
006f8a615020a4a17f5e63801485df46

SHA1
78c82a80ebf9c8bf0c996dd8bc26087679f77fea

SHA256
d273460aa4d42f0b5764383e2ab852ab9af6fecb3ed866f1783869f2f155d8be

SHA512
c603ed6f3611eb7049a43a190ed223445a9f7bd5651100a825917198b50c70011e950fa968d3019439afa0a416752517b1c181ee9445e02da3904f4e4b73ce76

Download Submit
C:\3a375576ce2a362f9d168f\SetupEngine.dll

Filesize
788KB

MD5
84c1daf5f30ff99895ecab3a55354bcf

SHA1
7e25ba36bcc7deed89f3c9568016ddb3156c9c5a

SHA256
7a0d281fa802d615ea1207bd2e9ebb98f3b74f9833bba3cb964ba7c7e0fb67fd

SHA512
e4fb7e4d39f094463fdcdc4895ab2ea500eb51a32b6909cec80a526bbf34d5c0eb98f47ee256c0f0865bf3169374937f047bf5c4d6762779c8ca3332b4103be3

Download Submit
C:\3a375576ce2a362f9d168f\SetupUi.dll

Filesize
288KB

MD5
eb881e3dddc84b20bd92abcec444455f

SHA1
e2c32b1c86d4f70e39de65e9ebc4f361b24ff4a1

SHA256
11565d97287c01d22ad2e46c78d8a822fa3e6524561d4c02dfc87e8d346c44e7

SHA512
5750cec73b36a3f19bfb055f880f3b6498a7ae589017333f6272d26f1c72c6f475a3308826268a098372bbb096b43fbd1e06e93eecc0a81046668228bc179a75

Download Submit
C:\3a375576ce2a362f9d168f\SetupUi.xsd

Filesize
29KB

MD5
2fadd9e618eff8175f2a6e8b95c0cacc

SHA1
9ab1710a217d15b192188b19467932d947b0a4f8

SHA256
222211e8f512edf97d78bc93e1f271c922d5e91fa899e092b4a096776a704093

SHA512
a3a934a8572ff9208d38cf381649bd83de227c44b735489fd2a9dc5a636ead9bb62459c9460ee53f61f0587a494877cd3a3c2611997be563f3137f8236ffc4ca

Download Submit
C:\3a375576ce2a362f9d168f\SplashScreen.bmp

Filesize
40KB

MD5
0966fcd5a4ab0ddf71f46c01eff3cdd5

SHA1
8f4554f079edad23bcd1096e6501a61cf1f8ec34

SHA256
31c13ecfc0eb27f34036fb65cc0e735cd444eec75376eea2642f926ac162dcb3

SHA512
a9e70a2fb5a9899acf086474d71d0e180e2234c40e68bcadb9bf4fe145774680cb55584b39fe53cc75de445c6bf5741fc9b15b18385cbbe20fc595fe0ff86fce

Download Submit
C:\3a375576ce2a362f9d168f\Strings.xml

Filesize
13KB

MD5
8a28b474f4849bee7354ba4c74087cea

SHA1
c17514dfc33dd14f57ff8660eb7b75af9b2b37b0

SHA256
2a7a44fb25476886617a1ec294a20a37552fd0824907f5284fade3e496ed609b

SHA512
a7927700d8050623bc5c761b215a97534c2c260fcab68469b7a61c85e2dff22ed9cf57e7cb5a6c8886422abe7ac89b5c71e569741db74daa2dcb4152f14c2369

Download Submit
C:\3a375576ce2a362f9d168f\UiInfo.xml

Filesize
38KB

MD5
99d84c216c450b4bf9e8b18af8a0bebe

SHA1
6613178bbaca0d9d6e3771f488fc2e3b013daeab

SHA256
a6241e78507a8fcee9215c7ce241dc7141e7a38d4b5fb0587b6178fdeea05fa3

SHA512
15831d239bc6290958aa360c9312a6aed51442f5a5977b16ddfe48b931f1071a6c55703ccc16b76a12f3b53789148c41910e6530b0c622ac3c28158bebe92301

Download Submit
C:\3a375576ce2a362f9d168f\graphics\print.ico

Filesize
1KB

MD5
7e55ddc6d611176e697d01c90a1212cf

SHA1
e2620da05b8e4e2360da579a7be32c1b225deb1b

SHA256
ff542e32330b123486797b410621e19eafb39df3997e14701afa4c22096520ed

SHA512
283d381aa396820b7e15768b20099d67688da1f6315ec9f7938c2fcc3167777502cded0d1beddf015a34cc4e5d045bcb665ffd28ba2fbb6faf50fdd38b31d16e

Download Submit
C:\3a375576ce2a362f9d168f\graphics\save.ico

Filesize
1KB

MD5
7d62e82d960a938c98da02b1d5201bd5

SHA1
194e96b0440bf8631887e5e9d3cc485f8e90fbf5

SHA256
ae041c8764f56fd89277b34982145d16fc59a4754d261c861b19371c3271c6e5

SHA512
ab06b2605f0c1f6b71ef69563c0c977d06c6ea84d58ef7f2baecba566d6037d1458c2b58e6bfd70ddef47dccbdea6d9c2f2e46dea67ea9e92457f754d7042f67

Download Submit
C:\3a375576ce2a362f9d168f\graphics\setup.ico

Filesize
35KB

MD5
3d25d679e0ff0b8c94273dcd8b07049d

SHA1
a517fc5e96bc68a02a44093673ee7e076ad57308

SHA256
288e9ad8f0201e45bc187839f15aca79d6b9f76a7d3c9274c80f5d4a4c219c0f

SHA512
3bde668004ca7e28390862d0ae9903c756c16255bdbb3f7e73a5b093ce6a57a3165d6797b0a643b254493149231aca7f7f03e0af15a0cbe28aff02f0071ec255

Download Submit
C:\3a375576ce2a362f9d168f\graphics\warn.ico

Filesize
9KB

MD5
b2b1d79591fca103959806a4bf27d036

SHA1
481fd13a0b58299c41b3e705cb085c533038caf5

SHA256
fe4d06c318701bf0842d4b87d1bad284c553baf7a40987a7451338099d840a11

SHA512
5fe232415a39e0055abb5250b120ccdcd565ab102aa602a3083d4a4705ac6775d45e1ef0c2b787b3252232e9d4673fc3a77aab19ec79a3ff8b13c4d7094530d2

Download Submit
C:\3a375576ce2a362f9d168f\sqmapi.dll

Filesize
141KB

MD5
3f0363b40376047eff6a9b97d633b750

SHA1
4eaf6650eca5ce931ee771181b04263c536a948b

SHA256
bd6395a58f55a8b1f4063e813ce7438f695b9b086bb965d8ac44e7a97d35a93c

SHA512
537be86e2f171e0b2b9f462ac7f62c4342beb5d00b68451228f28677d26a525014758672466ad15ed1fd073be38142dae478df67718908eae9e6266359e1f9e8

Download Submit
C:\ProgramData\Synaptics\Synaptics.exe

Filesize
2.9MB

MD5
3f3e0a24cfb5d4bcda0d2661e74fe237

SHA1
40f8c95cb8d6f24f6d8719ded45561c54c7f2d87

SHA256
bbd2b1d3ca9473ed3302becfece035c4547c0ad38737688b051ba492eac3aca3

SHA512
eb8c0e1082c39025620d546440167768fe2c4148906db91f02abf4fe1ecdc2d2ef77e9de961c46d2f101be96e3454bc8066ae488f42a392465ae44f0be1bdec8

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_bbd2b1d3ca9473ed3302becfece035c4547c0ad38737688b051ba492eac3aca3.exe

Filesize
2.2MB

MD5
3da0093e9b403b92418316ce5fb049e0

SHA1
c303765acf4011183627d70327f290d37a11a7ef

SHA256
28f6a87b3699f1e250a0def1b7ca3d51db1c96692a1c323379dce01cd8ffe41d

SHA512
aaafa5b8ffb8207586ecb3e23d41bb95952592fa55fd3b75055bdf92c7174c216e7f21187f711153ad21059946a400c46fbffc80a957f4c04b433d818e7e5f5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\HFI9413.tmp.html

Filesize
16KB

MD5
955a0984f09ad95d8bd07b91b91ccced

SHA1
734bda20376c7c6751b63728bd0450706408dd71

SHA256
ae69dad99e13d09e2b60f4e976e814ebb09dbf5d2e5e0cd8d08f802b76d53e8f

SHA512
7ba8dc60d03cabf717d3c83de82f32bd7d5eb22aab00c559489f72d9dfe7bbacb905cf39f3723a5d91e4f4a6bc6b6f9d143410fcd9df62db9efde88fae580b80

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZzHrhZP6.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
memory/116-129-0x0000000002340000-0x0000000002341000-memory.dmp

Filesize
4KB

Download
memory/116-462-0x0000000000400000-0x00000000006F6000-memory.dmp

Filesize
3.0MB

Download
memory/116-430-0x0000000000400000-0x00000000006F6000-memory.dmp

Filesize
3.0MB

Download
memory/116-431-0x0000000002340000-0x0000000002341000-memory.dmp

Filesize
4KB

Download
memory/452-301-0x00007FFE8EC50000-0x00007FFE8EC60000-memory.dmp

Filesize
64KB

Download
memory/452-306-0x00007FFE8EC50000-0x00007FFE8EC60000-memory.dmp

Filesize
64KB

Download
memory/452-307-0x00007FFE8C2F0000-0x00007FFE8C300000-memory.dmp

Filesize
64KB

Download
memory/452-318-0x00007FFE8C2F0000-0x00007FFE8C300000-memory.dmp

Filesize
64KB

Download
memory/452-298-0x00007FFE8EC50000-0x00007FFE8EC60000-memory.dmp

Filesize
64KB

Download
memory/452-299-0x00007FFE8EC50000-0x00007FFE8EC60000-memory.dmp

Filesize
64KB

Download
memory/452-300-0x00007FFE8EC50000-0x00007FFE8EC60000-memory.dmp

Filesize
64KB

Download
memory/1576-128-0x0000000000400000-0x00000000006F6000-memory.dmp

Filesize
3.0MB

Download
memory/1576-0-0x0000000002590000-0x0000000002591000-memory.dmp

Filesize
4KB

Download