Malware Analysis Report

2025-04-13 21:02

Sample ID 250102-kkc42atnby
Target 7462017ee68af1179cbbc185bc2fd116f0b154cc49575fe5d7619ddb271950e6N.exe
SHA256 7462017ee68af1179cbbc185bc2fd116f0b154cc49575fe5d7619ddb271950e6
Tags xred backdoor discovery persistence
Score 10/10

Analysis Overview

Threat Level: Known bad

The file 7462017ee68af1179cbbc185bc2fd116f0b154cc49575fe5d7619ddb271950e6N.exe was found to be: Known bad.

Malicious Activity Summary

xred backdoor discovery persistence

Xred

Xred family

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Adds Run key to start application

Enumerates physical storage devices

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Enumerates system info in registry

Suspicious behavior: AddClipboardFormatListener

Suspicious use of SetWindowsHookEx

Checks processor information in registry

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-01-02 08:39

Signatures

Xred family

xred

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-01-02 08:39

Reported

2025-01-02 08:41

Platform

win7-20240903-en

Max time kernel

117s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7462017ee68af1179cbbc185bc2fd116f0b154cc49575fe5d7619ddb271950e6N.exe"

Signatures

Xred

backdoor xred

Xred family

xred

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" C:\Users\Admin\AppData\Local\Temp\7462017ee68af1179cbbc185bc2fd116f0b154cc49575fe5d7619ddb271950e6N.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7462017ee68af1179cbbc185bc2fd116f0b154cc49575fe5d7619ddb271950e6N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\._cache_7462017ee68af1179cbbc185bc2fd116f0b154cc49575fe5d7619ddb271950e6N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\Synaptics\Synaptics.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2532 wrote to memory of 1932 N/A C:\Users\Admin\AppData\Local\Temp\7462017ee68af1179cbbc185bc2fd116f0b154cc49575fe5d7619ddb271950e6N.exe C:\Users\Admin\AppData\Local\Temp\._cache_7462017ee68af1179cbbc185bc2fd116f0b154cc49575fe5d7619ddb271950e6N.exe
PID 2532 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\7462017ee68af1179cbbc185bc2fd116f0b154cc49575fe5d7619ddb271950e6N.exe C:\ProgramData\Synaptics\Synaptics.exe
PID 2700 wrote to memory of 2620 N/A C:\ProgramData\Synaptics\Synaptics.exe C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

Processes

C:\Users\Admin\AppData\Local\Temp\7462017ee68af1179cbbc185bc2fd116f0b154cc49575fe5d7619ddb271950e6N.exe

"C:\Users\Admin\AppData\Local\Temp\7462017ee68af1179cbbc185bc2fd116f0b154cc49575fe5d7619ddb271950e6N.exe"

C:\Users\Admin\AppData\Local\Temp\._cache_7462017ee68af1179cbbc185bc2fd116f0b154cc49575fe5d7619ddb271950e6N.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_7462017ee68af1179cbbc185bc2fd116f0b154cc49575fe5d7619ddb271950e6N.exe"

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 xred.mooo.com udp
US 8.8.8.8:53 freedns.afraid.org udp
US 69.42.215.252:80 freedns.afraid.org tcp
US 8.8.8.8:53 docs.google.com udp
FR 216.58.214.174:443 docs.google.com tcp
US 8.8.8.8:53 c.pki.goog udp
FR 142.250.179.67:80 c.pki.goog tcp
US 8.8.8.8:53 o.pki.goog udp
FR 142.250.179.67:80 o.pki.goog tcp
US 8.8.8.8:53 drive.usercontent.google.com udp
FR 142.250.74.225:443 drive.usercontent.google.com tcp
US 8.8.8.8:53 crl.microsoft.com udp
GB 88.221.134.146:80 crl.microsoft.com tcp
US 8.8.8.8:53 www.microsoft.com udp
GB 184.25.193.234:80 www.microsoft.com tcp

Files

\Users\Admin\AppData\Local\Temp\._cache_7462017ee68af1179cbbc185bc2fd116f0b154cc49575fe5d7619ddb271950e6N.exe

C:\ProgramData\Synaptics\Synaptics.exe

C:\Users\Admin\AppData\Local\Temp\MSSlspTz.xlsm

Analysis: behavioral2

Detonation Overview

Submitted

2025-01-02 08:39

Reported

2025-01-02 08:41

Platform

win10v2004-20241007-en

Max time kernel

112s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7462017ee68af1179cbbc185bc2fd116f0b154cc49575fe5d7619ddb271950e6N.exe"

Signatures

Xred

backdoor xred

Xred family

xred

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\7462017ee68af1179cbbc185bc2fd116f0b154cc49575fe5d7619ddb271950e6N.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation C:\ProgramData\Synaptics\Synaptics.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" C:\Users\Admin\AppData\Local\Temp\7462017ee68af1179cbbc185bc2fd116f0b154cc49575fe5d7619ddb271950e6N.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7462017ee68af1179cbbc185bc2fd116f0b154cc49575fe5d7619ddb271950e6N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\._cache_7462017ee68af1179cbbc185bc2fd116f0b154cc49575fe5d7619ddb271950e6N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\Synaptics\Synaptics.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Users\Admin\AppData\Local\Temp\7462017ee68af1179cbbc185bc2fd116f0b154cc49575fe5d7619ddb271950e6N.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\ProgramData\Synaptics\Synaptics.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4572 wrote to memory of 5040 N/A C:\Users\Admin\AppData\Local\Temp\7462017ee68af1179cbbc185bc2fd116f0b154cc49575fe5d7619ddb271950e6N.exe C:\Users\Admin\AppData\Local\Temp\._cache_7462017ee68af1179cbbc185bc2fd116f0b154cc49575fe5d7619ddb271950e6N.exe
PID 4572 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\7462017ee68af1179cbbc185bc2fd116f0b154cc49575fe5d7619ddb271950e6N.exe C:\ProgramData\Synaptics\Synaptics.exe
PID 2988 wrote to memory of 3128 N/A C:\ProgramData\Synaptics\Synaptics.exe C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

Processes

C:\Users\Admin\AppData\Local\Temp\7462017ee68af1179cbbc185bc2fd116f0b154cc49575fe5d7619ddb271950e6N.exe

"C:\Users\Admin\AppData\Local\Temp\7462017ee68af1179cbbc185bc2fd116f0b154cc49575fe5d7619ddb271950e6N.exe"

C:\Users\Admin\AppData\Local\Temp\._cache_7462017ee68af1179cbbc185bc2fd116f0b154cc49575fe5d7619ddb271950e6N.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_7462017ee68af1179cbbc185bc2fd116f0b154cc49575fe5d7619ddb271950e6N.exe"

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 xred.mooo.com udp
US 8.8.8.8:53 46.28.109.52.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 freedns.afraid.org udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 69.42.215.252:80 freedns.afraid.org tcp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 252.215.42.69.in-addr.arpa udp
US 8.8.8.8:53 xred.mooo.com udp
US 8.8.8.8:53 25.73.42.20.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 92.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 docs.google.com udp
FR 216.58.214.174:443 docs.google.com tcp
US 8.8.8.8:53 174.214.58.216.in-addr.arpa udp
US 8.8.8.8:53 c.pki.goog udp
FR 142.250.179.67:80 c.pki.goog tcp
US 8.8.8.8:53 o.pki.goog udp
FR 142.250.179.67:80 o.pki.goog tcp
US 8.8.8.8:53 drive.usercontent.google.com udp
FR 142.250.74.225:443 drive.usercontent.google.com tcp
US 8.8.8.8:53 67.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 225.74.250.142.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\._cache_7462017ee68af1179cbbc185bc2fd116f0b154cc49575fe5d7619ddb271950e6N.exe

C:\ProgramData\Synaptics\Synaptics.exe

C:\Users\Admin\AppData\Local\Temp\Kv2PixzO.xlsm