xred | 35f873a09d5330e0c8c0e0bdabac9640e606ac7955b6e2082d9d1ca3d9880492

Analysis

max time kernel
122s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
30-12-2024 10:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VKKDXE.exe
Size

1.6MB
MD5

31ba582dde7c48214dfc929a8c5d5662
SHA1

39497422641176cb4b6f8828b43805cbd1258d53
SHA256

35f873a09d5330e0c8c0e0bdabac9640e606ac7955b6e2082d9d1ca3d9880492
SHA512

1357ffa717079a422ac2510f010722ec464c1f595fbba3a1df847ff3370f30d5b6adb393f846838c565de7b669c6e0968236c6ed8ce079da3281531373aa849e
SSDEEP

24576:snsJ39LyjbJkQFMhmC+6GD9ChloDX0XOf4f/mlhxQfnmrAL4bHpZlF:snsHyjtk2MYC5GD4hloJfY/mlT/rLL

Score

10^/10

xred backdoor discovery macro persistence upx

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Suspicious Office macro 1 IoCs

Office document equipped with macros.

macro

resource
behavioral1/files/0x0008000000019611-134.dat

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CXNFQD.lnk	._cache_VKKDXE.exe

Executes dropped EXE 5 IoCs

pid	Process
2120	._cache_VKKDXE.exe
2712	Synaptics.exe
2648	._cache_Synaptics.exe
564	ZTCKPI.exe
2680	ZTCKPI.exe

Loads dropped DLL 6 IoCs

pid	Process
2208	VKKDXE.exe
2208	VKKDXE.exe
2208	VKKDXE.exe
2712	Synaptics.exe
2712	Synaptics.exe
2120	._cache_VKKDXE.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	VKKDXE.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\CXNFQD = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windata\\ZTCKPI.exe\""	._cache_VKKDXE.exe

AutoIT Executable 17 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/2648-43-0x0000000000B40000-0x0000000000D2F000-memory.dmp	autoit_exe
behavioral1/memory/2120-139-0x00000000001E0000-0x00000000003CF000-memory.dmp	autoit_exe
behavioral1/memory/2120-141-0x00000000001E0000-0x00000000003CF000-memory.dmp	autoit_exe
behavioral1/memory/2120-143-0x00000000001E0000-0x00000000003CF000-memory.dmp	autoit_exe
behavioral1/memory/2120-145-0x00000000001E0000-0x00000000003CF000-memory.dmp	autoit_exe
behavioral1/memory/2120-147-0x00000000001E0000-0x00000000003CF000-memory.dmp	autoit_exe
behavioral1/memory/2120-149-0x00000000001E0000-0x00000000003CF000-memory.dmp	autoit_exe
behavioral1/memory/564-154-0x0000000000FA0000-0x000000000118F000-memory.dmp	autoit_exe
behavioral1/memory/2120-156-0x00000000001E0000-0x00000000003CF000-memory.dmp	autoit_exe
behavioral1/memory/2120-187-0x00000000001E0000-0x00000000003CF000-memory.dmp	autoit_exe
behavioral1/memory/2120-189-0x00000000001E0000-0x00000000003CF000-memory.dmp	autoit_exe
behavioral1/memory/2120-191-0x00000000001E0000-0x00000000003CF000-memory.dmp	autoit_exe
behavioral1/memory/2120-193-0x00000000001E0000-0x00000000003CF000-memory.dmp	autoit_exe
behavioral1/memory/2680-198-0x00000000011A0000-0x000000000138F000-memory.dmp	autoit_exe
behavioral1/memory/2120-199-0x00000000001E0000-0x00000000003CF000-memory.dmp	autoit_exe
behavioral1/memory/2120-201-0x00000000001E0000-0x00000000003CF000-memory.dmp	autoit_exe
behavioral1/memory/2120-203-0x00000000001E0000-0x00000000003CF000-memory.dmp	autoit_exe

UPX packed file 22 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0007000000012116-4.dat	upx
behavioral1/memory/2120-18-0x00000000001E0000-0x00000000003CF000-memory.dmp	upx
behavioral1/memory/2648-39-0x0000000000B40000-0x0000000000D2F000-memory.dmp	upx
behavioral1/memory/2648-43-0x0000000000B40000-0x0000000000D2F000-memory.dmp	upx
behavioral1/memory/2120-139-0x00000000001E0000-0x00000000003CF000-memory.dmp	upx
behavioral1/memory/2120-141-0x00000000001E0000-0x00000000003CF000-memory.dmp	upx
behavioral1/memory/2120-143-0x00000000001E0000-0x00000000003CF000-memory.dmp	upx
behavioral1/memory/2120-145-0x00000000001E0000-0x00000000003CF000-memory.dmp	upx
behavioral1/memory/2120-147-0x00000000001E0000-0x00000000003CF000-memory.dmp	upx
behavioral1/memory/2120-149-0x00000000001E0000-0x00000000003CF000-memory.dmp	upx
behavioral1/memory/564-153-0x0000000000FA0000-0x000000000118F000-memory.dmp	upx
behavioral1/memory/564-154-0x0000000000FA0000-0x000000000118F000-memory.dmp	upx
behavioral1/memory/2120-156-0x00000000001E0000-0x00000000003CF000-memory.dmp	upx
behavioral1/memory/2120-187-0x00000000001E0000-0x00000000003CF000-memory.dmp	upx
behavioral1/memory/2120-189-0x00000000001E0000-0x00000000003CF000-memory.dmp	upx
behavioral1/memory/2120-191-0x00000000001E0000-0x00000000003CF000-memory.dmp	upx
behavioral1/memory/2120-193-0x00000000001E0000-0x00000000003CF000-memory.dmp	upx
behavioral1/memory/2680-196-0x00000000011A0000-0x000000000138F000-memory.dmp	upx
behavioral1/memory/2680-198-0x00000000011A0000-0x000000000138F000-memory.dmp	upx
behavioral1/memory/2120-199-0x00000000001E0000-0x00000000003CF000-memory.dmp	upx
behavioral1/memory/2120-201-0x00000000001E0000-0x00000000003CF000-memory.dmp	upx
behavioral1/memory/2120-203-0x00000000001E0000-0x00000000003CF000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ZTCKPI.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ZTCKPI.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WSCript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VKKDXE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_VKKDXE.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\winmgmts:\localhost\root\SecurityCenter2	._cache_VKKDXE.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2028	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2792	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2120	._cache_VKKDXE.exe
2120	._cache_VKKDXE.exe
2120	._cache_VKKDXE.exe
2120	._cache_VKKDXE.exe
2120	._cache_VKKDXE.exe
2120	._cache_VKKDXE.exe
2120	._cache_VKKDXE.exe
2120	._cache_VKKDXE.exe
2120	._cache_VKKDXE.exe
2120	._cache_VKKDXE.exe
2120	._cache_VKKDXE.exe
2120	._cache_VKKDXE.exe
2120	._cache_VKKDXE.exe
2120	._cache_VKKDXE.exe
2120	._cache_VKKDXE.exe
2120	._cache_VKKDXE.exe
2120	._cache_VKKDXE.exe
2120	._cache_VKKDXE.exe
2120	._cache_VKKDXE.exe
2120	._cache_VKKDXE.exe
2120	._cache_VKKDXE.exe
2120	._cache_VKKDXE.exe
2120	._cache_VKKDXE.exe
2120	._cache_VKKDXE.exe
2120	._cache_VKKDXE.exe
2120	._cache_VKKDXE.exe
2120	._cache_VKKDXE.exe
2120	._cache_VKKDXE.exe
2120	._cache_VKKDXE.exe
2120	._cache_VKKDXE.exe
2120	._cache_VKKDXE.exe
2120	._cache_VKKDXE.exe
2120	._cache_VKKDXE.exe
2120	._cache_VKKDXE.exe
2120	._cache_VKKDXE.exe
2120	._cache_VKKDXE.exe
2120	._cache_VKKDXE.exe
2120	._cache_VKKDXE.exe
2120	._cache_VKKDXE.exe
2120	._cache_VKKDXE.exe
2120	._cache_VKKDXE.exe
2120	._cache_VKKDXE.exe
2120	._cache_VKKDXE.exe
2120	._cache_VKKDXE.exe
2120	._cache_VKKDXE.exe
2120	._cache_VKKDXE.exe
2120	._cache_VKKDXE.exe
2120	._cache_VKKDXE.exe
2120	._cache_VKKDXE.exe
2120	._cache_VKKDXE.exe
2120	._cache_VKKDXE.exe
2120	._cache_VKKDXE.exe
2120	._cache_VKKDXE.exe
2120	._cache_VKKDXE.exe
2120	._cache_VKKDXE.exe
2120	._cache_VKKDXE.exe
2120	._cache_VKKDXE.exe
2120	._cache_VKKDXE.exe
2120	._cache_VKKDXE.exe
2120	._cache_VKKDXE.exe
2120	._cache_VKKDXE.exe
2120	._cache_VKKDXE.exe
2120	._cache_VKKDXE.exe
2120	._cache_VKKDXE.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2120	._cache_VKKDXE.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2792	EXCEL.EXE

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 2208 wrote to memory of 2120	2208	VKKDXE.exe	30
PID 2208 wrote to memory of 2120	2208	VKKDXE.exe	30
PID 2208 wrote to memory of 2120	2208	VKKDXE.exe	30
PID 2208 wrote to memory of 2120	2208	VKKDXE.exe	30
PID 2208 wrote to memory of 2712	2208	VKKDXE.exe	31
PID 2208 wrote to memory of 2712	2208	VKKDXE.exe	31
PID 2208 wrote to memory of 2712	2208	VKKDXE.exe	31
PID 2208 wrote to memory of 2712	2208	VKKDXE.exe	31
PID 2712 wrote to memory of 2648	2712	Synaptics.exe	32
PID 2712 wrote to memory of 2648	2712	Synaptics.exe	32
PID 2712 wrote to memory of 2648	2712	Synaptics.exe	32
PID 2712 wrote to memory of 2648	2712	Synaptics.exe	32
PID 2120 wrote to memory of 2624	2120	._cache_VKKDXE.exe	34
PID 2120 wrote to memory of 2624	2120	._cache_VKKDXE.exe	34
PID 2120 wrote to memory of 2624	2120	._cache_VKKDXE.exe	34
PID 2120 wrote to memory of 2624	2120	._cache_VKKDXE.exe	34
PID 2120 wrote to memory of 980	2120	._cache_VKKDXE.exe	36
PID 2120 wrote to memory of 980	2120	._cache_VKKDXE.exe	36
PID 2120 wrote to memory of 980	2120	._cache_VKKDXE.exe	36
PID 2120 wrote to memory of 980	2120	._cache_VKKDXE.exe	36
PID 2624 wrote to memory of 2028	2624	cmd.exe	37
PID 2624 wrote to memory of 2028	2624	cmd.exe	37
PID 2624 wrote to memory of 2028	2624	cmd.exe	37
PID 2624 wrote to memory of 2028	2624	cmd.exe	37
PID 992 wrote to memory of 564	992	taskeng.exe	43
PID 992 wrote to memory of 564	992	taskeng.exe	43
PID 992 wrote to memory of 564	992	taskeng.exe	43
PID 992 wrote to memory of 564	992	taskeng.exe	43
PID 992 wrote to memory of 2680	992	taskeng.exe	44
PID 992 wrote to memory of 2680	992	taskeng.exe	44
PID 992 wrote to memory of 2680	992	taskeng.exe	44
PID 992 wrote to memory of 2680	992	taskeng.exe	44

C:\Users\Admin\AppData\Local\Temp\VKKDXE.exe
"C:\Users\Admin\AppData\Local\Temp\VKKDXE.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2208
- C:\Users\Admin\AppData\Local\Temp\._cache_VKKDXE.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_VKKDXE.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  PID:2120
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c schtasks /create /tn CXNFQD.exe /tr C:\Users\Admin\AppData\Roaming\Windata\ZTCKPI.exe /sc minute /mo 1
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2624
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /tn CXNFQD.exe /tr C:\Users\Admin\AppData\Roaming\Windata\ZTCKPI.exe /sc minute /mo 1
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:2028
- - C:\Windows\SysWOW64\WSCript.exe
    WSCript C:\Users\Admin\AppData\Local\Temp\CXNFQD.vbs
    3⤵
    - System Location Discovery: System Language Discovery
    PID:980
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2712
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2648

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2792

C:\Windows\system32\taskeng.exe
taskeng.exe {2529727D-E1A9-4FA9-8E1B-00CE3CF97905} S-1-5-21-2872745919-2748461613-2989606286-1000:CCJBVTGQ\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:992
- C:\Users\Admin\AppData\Roaming\Windata\ZTCKPI.exe
  C:\Users\Admin\AppData\Roaming\Windata\ZTCKPI.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:564
- C:\Users\Admin\AppData\Roaming\Windata\ZTCKPI.exe
  C:\Users\Admin\AppData\Roaming\Windata\ZTCKPI.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
1.6MB

MD5
31ba582dde7c48214dfc929a8c5d5662

SHA1
39497422641176cb4b6f8828b43805cbd1258d53

SHA256
35f873a09d5330e0c8c0e0bdabac9640e606ac7955b6e2082d9d1ca3d9880492

SHA512
1357ffa717079a422ac2510f010722ec464c1f595fbba3a1df847ff3370f30d5b6adb393f846838c565de7b669c6e0968236c6ed8ce079da3281531373aa849e

Download Submit
C:\Users\Admin\AppData\Local\Temp\3tpK1dSS.xlsm

Filesize
23KB

MD5
d999ffef8716a214b54c4ddf81194f15

SHA1
6c2200d3d8454b8e14f753b07e15d7609be186aa

SHA256
84cc323b44b6735bb2d774054b5a8b2c23046db50371985f148e5d697b0b948f

SHA512
6e15548fc51fa2f177093eaf2539d12a4b66b5391c6609633000b8471eed046826837709dc0f06243840f19f59f0a73c8214bef8a3094316caebd07a8f3ba3a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\3tpK1dSS.xlsm

Filesize
24KB

MD5
a5d5fefdd2f164188f7d32843ac00bf7

SHA1
4a205c93e2117e6d896df6b1cc83f1decdf8e0dd

SHA256
5e99981cec40d4ee614b10cc038836dc3904f911456bdaec06558be161cc3737

SHA512
80f2a7163bc4b15be54322a1095ade3a9e4d359a6d917bbfdaf69a83572ea7e52419c7f30d47e13a670ad6bad102fbe3823c9652a7801bcec83c0eaac22d7834

Download Submit
C:\Users\Admin\AppData\Local\Temp\3tpK1dSS.xlsm

Filesize
24KB

MD5
d0a0e01ccfeb9681c9e1a12f8ca4597a

SHA1
000f617ade34e6ed947215bb57eea4c8fcd70043

SHA256
f0000a5c05b96f78cae9d0ff2be41ba34294488136e540ee6aeb39324fe9cc78

SHA512
c00d9a1bdfca76c5499693f4a4f4df36f9c5010faefa9a282f2a99cfb769991fecfffb2056abe18e1693debda7731210a81577afcf46080d18afdc523322de01

Download Submit
C:\Users\Admin\AppData\Local\Temp\3tpK1dSS.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\3tpK1dSS.xlsm

Filesize
24KB

MD5
a5fa6546bd8f9ffc002fcab869e12603

SHA1
7957ed2119e005150264be5b49533f32c6de7584

SHA256
3f2e7b6516b66f4f81b9cf57e3b8d3104b18ffed6452eb6012d42dc816bcf5b8

SHA512
7d9e3336b4cd97b9cc1abb811b10b38f256a00cb8b90670c5eaa6d8fad6c969469c34d0f63379d921652df445881c6e7f91ca4e5e15f1bc176cf1f02cd3156ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\3tpK1dSS.xlsm

Filesize
25KB

MD5
0442d6095b22b367c2517d822c30497e

SHA1
2e153beb0810f3d198ba2cc3a3e628c463bbc9b9

SHA256
7d14a4f3ec4264749c3ad921a2239f40b1c2a650310177471011d4bc60c958b5

SHA512
67295d5c88bd59cd1a95974f7b565c0fb232848eea2fe3aebaf144175e0fdd9743bceb22ce6bebb6f68d639d12557a14975ccc35f0d24fc4d4b9a0d1c1e2b735

Download Submit
C:\Users\Admin\AppData\Local\Temp\CXNFQD.vbs

Filesize
848B

MD5
4bbfeb98827b4a04b61e377474754224

SHA1
af659a2f70ec62acd94690a7bc0a8177f6e0d0f4

SHA256
a0839710938d4ac042eaa6d485291f05a773ac673d02fc87ec29d9549a639381

SHA512
d1aab3c978fdab922e36ac5b9142eb3f97f852269f9f868d1fed86129689524d6d87dea10a726bdbf30edd9ca75adab8fc5596f676540badaf4330273ab1b50f

Download Submit
C:\Users\Admin\Desktop\~$UnblockPublish.xlsx

Filesize
165B

MD5
ff09371174f7c701e75f357a187c06e8

SHA1
57f9a638fd652922d7eb23236c80055a91724503

SHA256
e4ba04959837c27019a2349015543802439e152ddc4baf4e8c7b9d2b483362a8

SHA512
e4d01e5908e9f80b7732473ec6807bb7faa5425e3154d5642350f44d7220af3cffd277e0b67bcf03f1433ac26a26edb3ddd3707715b61d054b979fbb4b453882

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_VKKDXE.exe

Filesize
894KB

MD5
fe8fbb45f71518a33c161e70f6ee1037

SHA1
613ae22860d3e15053eea1343b6ca7cd817ee404

SHA256
0ee0aa62c8788b17ea2834a427c7a2e6f69b9bd9a8881a72397d35ad162fce1e

SHA512
1f9e0851d292fa65c60609796ec9f43e88b994e096171786805c608d924f65ca37cb655047d0717fa0d7c669e86b871fef15e68156c4e6a91bf4b3dc0dd6369b

Download Submit
memory/564-153-0x0000000000FA0000-0x000000000118F000-memory.dmp

Filesize
1.9MB

Download
memory/564-154-0x0000000000FA0000-0x000000000118F000-memory.dmp

Filesize
1.9MB

Download
memory/2120-49-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2120-191-0x00000000001E0000-0x00000000003CF000-memory.dmp

Filesize
1.9MB

Download
memory/2120-203-0x00000000001E0000-0x00000000003CF000-memory.dmp

Filesize
1.9MB

Download
memory/2120-201-0x00000000001E0000-0x00000000003CF000-memory.dmp

Filesize
1.9MB

Download
memory/2120-199-0x00000000001E0000-0x00000000003CF000-memory.dmp

Filesize
1.9MB

Download
memory/2120-193-0x00000000001E0000-0x00000000003CF000-memory.dmp

Filesize
1.9MB

Download
memory/2120-189-0x00000000001E0000-0x00000000003CF000-memory.dmp

Filesize
1.9MB

Download
memory/2120-139-0x00000000001E0000-0x00000000003CF000-memory.dmp

Filesize
1.9MB

Download
memory/2120-187-0x00000000001E0000-0x00000000003CF000-memory.dmp

Filesize
1.9MB

Download
memory/2120-156-0x00000000001E0000-0x00000000003CF000-memory.dmp

Filesize
1.9MB

Download
memory/2120-141-0x00000000001E0000-0x00000000003CF000-memory.dmp

Filesize
1.9MB

Download
memory/2120-143-0x00000000001E0000-0x00000000003CF000-memory.dmp

Filesize
1.9MB

Download
memory/2120-18-0x00000000001E0000-0x00000000003CF000-memory.dmp

Filesize
1.9MB

Download
memory/2120-145-0x00000000001E0000-0x00000000003CF000-memory.dmp

Filesize
1.9MB

Download
memory/2120-147-0x00000000001E0000-0x00000000003CF000-memory.dmp

Filesize
1.9MB

Download
memory/2120-149-0x00000000001E0000-0x00000000003CF000-memory.dmp

Filesize
1.9MB

Download
memory/2208-0-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2208-17-0x0000000005540000-0x000000000572F000-memory.dmp

Filesize
1.9MB

Download
memory/2208-27-0x0000000000400000-0x00000000005A2000-memory.dmp

Filesize
1.6MB

Download
memory/2648-43-0x0000000000B40000-0x0000000000D2F000-memory.dmp

Filesize
1.9MB

Download
memory/2648-39-0x0000000000B40000-0x0000000000D2F000-memory.dmp

Filesize
1.9MB

Download
memory/2680-198-0x00000000011A0000-0x000000000138F000-memory.dmp

Filesize
1.9MB

Download
memory/2680-196-0x00000000011A0000-0x000000000138F000-memory.dmp

Filesize
1.9MB

Download
memory/2712-140-0x0000000005770000-0x000000000595F000-memory.dmp

Filesize
1.9MB

Download
memory/2712-186-0x0000000000400000-0x00000000005A2000-memory.dmp

Filesize
1.6MB

Download
memory/2712-142-0x0000000000400000-0x00000000005A2000-memory.dmp

Filesize
1.6MB

Download
memory/2712-144-0x0000000000400000-0x00000000005A2000-memory.dmp

Filesize
1.6MB

Download
memory/2792-138-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2792-41-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download