Analysis Overview
SHA256: f8c39a8b1e229d775328bffa40493c830607a6755fd7e77a875e13845b96302a
Threat Level: Known bad
The file file.exe was found to be: Known bad. The dropped C:\ProgramData\Synaptics\Synaptics.exe listed under Files carries the same SHA256 as the submitted sample, so the copy that is registered for autostart is byte-identical to file.exe. In detonation the sample writes that copy, sets the HKLM Run value "Synaptics Pointing Device Driver" to point at it, drops and runs ._cache_file.exe (a different binary, SHA256 fa1afff9...), relaunches the ProgramData copy and a ._cache_Synaptics.exe with the InjUpdate argument, starts EXCEL.EXE through COM automation while repeatedly rewriting U7NHW1kV.xlsm in Temp, runs a Setup.exe bootstrapper (/x86 /x64 /ia64 /web) that drops installer resources, and looks up xred.mooo.com and freedns.afraid.org.
Malicious Activity Summary
Xred family
Xred
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Drops file in Windows directory
Unsigned PE
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Enumerates system info in registry
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: GetForegroundWindowSpam
Modifies registry class
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1
Detonation Overview
Reported
2025-01-02 19:13
Signatures
Xred family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-01-02 19:13
Reported
2025-01-02 19:15
Platform
win7-20240903-en
Max time kernel
144s
Max time network
147s
Command Line
Signatures
Xred
Xred family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\._cache_file.exe | N/A |
| N/A | N/A | C:\ProgramData\Synaptics\Synaptics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe | N/A |
| N/A | N/A | C:\a2d4be30508034dbfc2440\Setup.exe | N/A |
| N/A | N/A | C:\2cd51ab35ca4e0e67afaca7628\Setup.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| N/A | N/A | C:\ProgramData\Synaptics\Synaptics.exe | N/A |
| N/A | N/A | C:\ProgramData\Synaptics\Synaptics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\._cache_file.exe | N/A |
| N/A | N/A | C:\a2d4be30508034dbfc2440\Setup.exe | N/A |
| N/A | N/A | C:\a2d4be30508034dbfc2440\Setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe | N/A |
| N/A | N/A | C:\2cd51ab35ca4e0e67afaca7628\Setup.exe | N/A |
| N/A | N/A | C:\2cd51ab35ca4e0e67afaca7628\Setup.exe | N/A |
| N/A | N/A | C:\a2d4be30508034dbfc2440\Setup.exe | N/A |
| N/A | N/A | C:\a2d4be30508034dbfc2440\Setup.exe | N/A |
| N/A | N/A | C:\2cd51ab35ca4e0e67afaca7628\Setup.exe | N/A |
| N/A | N/A | C:\2cd51ab35ca4e0e67afaca7628\Setup.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | \??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico | C:\a2d4be30508034dbfc2440\Setup.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\2cd51ab35ca4e0e67afaca7628\Setup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\._cache_file.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\Synaptics\Synaptics.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\a2d4be30508034dbfc2440\Setup.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\a2d4be30508034dbfc2440\Setup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\a2d4be30508034dbfc2440\Setup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\2cd51ab35ca4e0e67afaca7628\Setup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\2cd51ab35ca4e0e67afaca7628\Setup.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
Modifies registry class
The rows below are ShellBag view-state entries (BagMRU, Bags\...\ComDlgLegacy) written under the user's Classes\Local Settings key while Setup.exe shows a common file dialog. This is ordinary Explorer state, not a persistence or privilege mechanism; it is listed because the sandbox records every class-key write.
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 | C:\a2d4be30508034dbfc2440\Setup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 | C:\a2d4be30508034dbfc2440\Setup.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff | C:\a2d4be30508034dbfc2440\Setup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags | C:\a2d4be30508034dbfc2440\Setup.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlgLegacy\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\Sort = 000000000000000000000000000000000200000030f125b7ef471a10a5f102608c9eebac0a0000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff | C:\a2d4be30508034dbfc2440\Setup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_Classes\Local Settings | C:\a2d4be30508034dbfc2440\Setup.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlgLegacy\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\IconSize = "16" | C:\a2d4be30508034dbfc2440\Setup.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlgLegacy\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 | C:\a2d4be30508034dbfc2440\Setup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlgLegacy\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC} | C:\a2d4be30508034dbfc2440\Setup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders | C:\a2d4be30508034dbfc2440\Setup.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlgLegacy\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\Mode = "4" | C:\a2d4be30508034dbfc2440\Setup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell | C:\a2d4be30508034dbfc2440\Setup.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f4225481e03947bc34db131e946b44c8dd50000 | C:\a2d4be30508034dbfc2440\Setup.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff | C:\a2d4be30508034dbfc2440\Setup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy | C:\a2d4be30508034dbfc2440\Setup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 | C:\a2d4be30508034dbfc2440\Setup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | C:\a2d4be30508034dbfc2440\Setup.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 | C:\a2d4be30508034dbfc2440\Setup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\TV_FolderType = "{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}" | C:\a2d4be30508034dbfc2440\Setup.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff | C:\a2d4be30508034dbfc2440\Setup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlgLegacy | C:\a2d4be30508034dbfc2440\Setup.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\TV_TopViewVersion = "0" | C:\a2d4be30508034dbfc2440\Setup.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | C:\a2d4be30508034dbfc2440\Setup.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 9e0000001a00eebbfe23000010007db10d7bd29c934a973346cc89022e7c00002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020002a0000000000efbe7e47b3fbe4c93b4ba2bad3f5d3cd46f98207ba827a5b6945b5d7ec83085f08cc20002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020000000 | C:\a2d4be30508034dbfc2440\Setup.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1" | C:\a2d4be30508034dbfc2440\Setup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\TV_TopViewID = "{82BA0782-5B7A-4569-B5D7-EC83085F08CC}" | C:\a2d4be30508034dbfc2440\Setup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlgLegacy\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9} | C:\a2d4be30508034dbfc2440\Setup.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlgLegacy\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\LogicalViewMode = "1" | C:\a2d4be30508034dbfc2440\Setup.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlgLegacy\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\FFlags = "1092616257" | C:\a2d4be30508034dbfc2440\Setup.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | C:\a2d4be30508034dbfc2440\Setup.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\a2d4be30508034dbfc2440\Setup.exe | N/A |
| N/A | N/A | C:\a2d4be30508034dbfc2440\Setup.exe | N/A |
| N/A | N/A | C:\a2d4be30508034dbfc2440\Setup.exe | N/A |
| N/A | N/A | C:\a2d4be30508034dbfc2440\Setup.exe | N/A |
| N/A | N/A | C:\2cd51ab35ca4e0e67afaca7628\Setup.exe | N/A |
| N/A | N/A | C:\2cd51ab35ca4e0e67afaca7628\Setup.exe | N/A |
| N/A | N/A | C:\2cd51ab35ca4e0e67afaca7628\Setup.exe | N/A |
| N/A | N/A | C:\2cd51ab35ca4e0e67afaca7628\Setup.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\a2d4be30508034dbfc2440\Setup.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| N/A | N/A | C:\2cd51ab35ca4e0e67afaca7628\Setup.exe | N/A |
| N/A | N/A | C:\a2d4be30508034dbfc2440\Setup.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
C:\Users\Admin\AppData\Local\Temp\._cache_file.exe
"C:\Users\Admin\AppData\Local\Temp\._cache_file.exe"
C:\ProgramData\Synaptics\Synaptics.exe
"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
C:\a2d4be30508034dbfc2440\Setup.exe
C:\a2d4be30508034dbfc2440\\Setup.exe /x86 /x64 /ia64 /web
C:\2cd51ab35ca4e0e67afaca7628\Setup.exe
C:\2cd51ab35ca4e0e67afaca7628\\Setup.exe InjUpdate /x86 /x64 /ia64 /web
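The command lines above are the most useful triage data in the report: two processes are launched with an InjUpdate argument, two carry a ._cache_ prefix, one runs from ProgramData, and Excel is started with the COM activation switch rather than by a user. As an added example (not part of the sandbox report and not the sandbox's own logic), the Python below parses that process list into (image, arguments) records and applies heuristic traits to each. The process text is copied from this report; the trait rules, the two-trait escalation threshold and the hex-folder pattern are this example's assumptions.

```python
import re

# Copied from the Processes list of the behavioral1 report: an image path line
# followed by the recorded command line, seven processes in all.
PROCESSES = r"""
C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
C:\Users\Admin\AppData\Local\Temp\._cache_file.exe
"C:\Users\Admin\AppData\Local\Temp\._cache_file.exe"
C:\ProgramData\Synaptics\Synaptics.exe
"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
C:\a2d4be30508034dbfc2440\Setup.exe
C:\a2d4be30508034dbfc2440\\Setup.exe /x86 /x64 /ia64 /web
C:\2cd51ab35ca4e0e67afaca7628\Setup.exe
C:\2cd51ab35ca4e0e67afaca7628\\Setup.exe InjUpdate /x86 /x64 /ia64 /web
"""


def split_cmdline(cmd):
    """Split a Windows command line into (image, [args]).

    Done by hand because shlex's POSIX mode treats backslashes as escapes and
    would mangle the paths. Two command lines in the report carry a doubled
    separator ("...\\Setup.exe"); it is collapsed so path checks see a normal path.
    """
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.index('"', 1)
        image, rest = cmd[1:end], cmd[end + 1:]
    else:
        image, _, rest = cmd.partition(" ")
    return re.sub(r"\\{2,}", r"\\", image), rest.split()


def classify(image, args):
    """Heuristic traits for one process (this example's rules, not sandbox signatures)."""
    low = image.lower()
    name = low.rsplit("\\", 1)[-1]
    lowered_args = {a.lower() for a in args}
    flags = []
    if name.startswith("._cache_"):
        flags.append("._cache_ prefixed executable dropped next to the sample")
    if low.startswith("c:\\programdata\\"):
        flags.append("runs from ProgramData")
    if "\\appdata\\local\\temp\\" in low:
        flags.append("runs from the user's Temp folder")
    if "injupdate" in lowered_args:
        flags.append("InjUpdate argument")
    if name == "excel.exe" and "-embedding" in lowered_args:
        flags.append("Excel started through COM activation (-Embedding)")
    # Assumption: a Setup.exe directly under a root-level folder named with a
    # long hex string is a self-extracting bootstrapper's scratch directory.
    if re.fullmatch(r"c:\\[0-9a-f]{16,}\\setup\.exe", low):
        flags.append("Setup.exe in a root-level hex-named folder")
    return flags


def parse_processes(text=PROCESSES):
    """Pair each image line with its command line and classify it."""
    lines = [l for l in text.splitlines() if l.strip()]
    records = []
    for _path_line, cmd_line in zip(lines[0::2], lines[1::2]):
        image, args = split_cmdline(cmd_line)
        records.append({"image": image, "args": args, "flags": classify(image, args)})
    return records


def escalation_summary(records=None):
    """Images carrying at least two independent traits, sorted for review."""
    records = records or parse_processes()
    return sorted(r["image"] for r in records if len(r["flags"]) >= 2)


if __name__ == "__main__":
    for r in parse_processes():
        print(r["image"], r["args"], "->", "; ".join(r["flags"]) or "-")
    print("escalate:", escalation_summary())
```

The summary singles out the ProgramData copy, both ._cache_ binaries and the second Setup.exe, which is exactly the set that inherits the InjUpdate argument or the sample's drop location; file.exe itself and the first Setup.exe score one trait each, which is the right outcome for an unknown Temp file and an installer.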
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | xred.mooo.com | udp |
| US | 8.8.8.8:53 | freedns.afraid.org | udp |
| US | 69.42.215.252:80 | freedns.afraid.org | tcp |
| US | 8.8.8.8:53 | docs.google.com | udp |
| FR | 216.58.214.174:443 | docs.google.com | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| FR | 142.250.179.67:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | o.pki.goog | udp |
| FR | 142.250.179.67:80 | o.pki.goog | tcp |
| US | 8.8.8.8:53 | drive.usercontent.google.com | udp |
| FR | 142.250.74.225:443 | drive.usercontent.google.com | tcp |
| US | 8.8.8.8:53 | crl.microsoft.com | udp |
| GB | 2.19.252.143:80 | crl.microsoft.com | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| GB | 95.100.245.144:80 | www.microsoft.com | tcp |
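Not every row in the network table is sample-driven traffic: the pki.goog, crl.microsoft.com and www.microsoft.com rows are certificate-status and Windows background traffic, while xred.mooo.com and freedns.afraid.org point at a dynamic-DNS service and the Google Docs/Drive rows are a legitimate service whose content the report does not show. As an added example (not part of the sandbox report), the Python below folds the table into per-domain state, separates DNS lookups from the connections that followed, and leaves everything that is not routine platform traffic on a review list. The table text is copied from this report; the platform allowlist and the dynamic-DNS suffix list are this example's assumptions.

```python
from collections import defaultdict

# Copied from the Network table of the behavioral1 report.
NETWORK = """
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | xred.mooo.com | udp |
| US | 8.8.8.8:53 | freedns.afraid.org | udp |
| US | 69.42.215.252:80 | freedns.afraid.org | tcp |
| US | 8.8.8.8:53 | docs.google.com | udp |
| FR | 216.58.214.174:443 | docs.google.com | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| FR | 142.250.179.67:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | o.pki.goog | udp |
| FR | 142.250.179.67:80 | o.pki.goog | tcp |
| US | 8.8.8.8:53 | drive.usercontent.google.com | udp |
| FR | 142.250.74.225:443 | drive.usercontent.google.com | tcp |
| US | 8.8.8.8:53 | crl.microsoft.com | udp |
| GB | 2.19.252.143:80 | crl.microsoft.com | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| GB | 95.100.245.144:80 | www.microsoft.com | tcp |
"""

# Assumption of this example: certificate-status and Windows background hosts
# that a sandbox run contacts regardless of the sample.
PLATFORM_HOSTS = {"c.pki.goog", "o.pki.goog", "crl.microsoft.com", "www.microsoft.com"}
# Assumption: zones served by the freedns.afraid.org dynamic-DNS service.
DYNDNS_SUFFIXES = ("mooo.com", "afraid.org")


def parse_network(text=NETWORK):
    """Turn the pipe-delimited rows into dicts, skipping the header and blank lines."""
    rows = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4 or cells[0] == "Country":
            continue
        country, dest, domain, proto = cells
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def by_domain(rows):
    """Per domain: was it looked up, and which endpoints were actually contacted."""
    state = defaultdict(lambda: {"resolved": False, "connections": []})
    for r in rows:
        entry = state[r["domain"]]
        if r["port"] == 53 and r["proto"] == "udp":
            entry["resolved"] = True
        else:
            entry["connections"].append((r["ip"], r["port"], r["proto"]))
    return dict(state)


def classify_domain(domain):
    if domain in PLATFORM_HOSTS:
        return "platform"
    if domain.endswith(DYNDNS_SUFFIXES):
        return "dynamic-dns"
    return "review"


def network_triage(text=NETWORK):
    """Everything that is not routine platform traffic, sorted for a block-list review."""
    out = []
    for domain, info in by_domain(parse_network(text)).items():
        kind = classify_domain(domain)
        if kind != "platform":
            out.append({"domain": domain, "kind": kind, "resolved": info["resolved"],
                        "connections": info["connections"]})
    return sorted(out, key=lambda d: d["domain"])


if __name__ == "__main__":
    for d in network_triage():
        print(d["domain"], d["kind"], "resolved" if d["resolved"] else "not resolved",
              d["connections"] or "no connection recorded")
```

One detail the per-domain view makes visible: xred.mooo.com was only queried, with no TCP connection recorded, while freedns.afraid.org was both resolved and contacted on port 80. The report does not say whether the mooo.com name failed to resolve or the connection fell outside the capture window, so the domain is a blocking candidate on the strength of the lookup alone.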
Files
memory/2644-0-0x00000000003A0000-0x00000000003A1000-memory.dmp
\Users\Admin\AppData\Local\Temp\._cache_file.exe
| MD5 | 53406e9988306cbd4537677c5336aba4 |
| SHA1 | 06becadb92a5fcca2529c0b93687c2a0c6d0d610 |
| SHA256 | fa1afff978325f8818ce3a559d67a58297d9154674de7fd8eb03656d93104425 |
| SHA512 | 4f89da81b5a3800aa16ff33cc4a42dbb17d4c698a5e2983b88c32738decb57e3088a1da444ad0ec0d745c3c6b6b8b9b86d3f19909142f9e51f513748c0274a99 |
C:\ProgramData\Synaptics\Synaptics.exe
| MD5 | 69aa5d9727ab9d46699f4a623ac061fd |
| SHA1 | 84878f4db6e5bcc7a980819252d96f5f5de1ceaa |
| SHA256 | f8c39a8b1e229d775328bffa40493c830607a6755fd7e77a875e13845b96302a |
| SHA512 | 0891aadd399a9938a8777e33419e93b64da8eded3facf14e6a76ae987d80bb04e533f0c5f72c5aaa3dfc64591701d85e1dbd39b13384ad40c91409ae9985bc31 |
memory/2644-26-0x0000000000400000-0x000000000059B000-memory.dmp
\a2d4be30508034dbfc2440\Setup.exe
| MD5 | 006f8a615020a4a17f5e63801485df46 |
| SHA1 | 78c82a80ebf9c8bf0c996dd8bc26087679f77fea |
| SHA256 | d273460aa4d42f0b5764383e2ab852ab9af6fecb3ed866f1783869f2f155d8be |
| SHA512 | c603ed6f3611eb7049a43a190ed223445a9f7bd5651100a825917198b50c70011e950fa968d3019439afa0a416752517b1c181ee9445e02da3904f4e4b73ce76 |
memory/2032-281-0x000000005FFF0000-0x0000000060000000-memory.dmp
C:\a2d4be30508034dbfc2440\SetupEngine.dll
| MD5 | 84c1daf5f30ff99895ecab3a55354bcf |
| SHA1 | 7e25ba36bcc7deed89f3c9568016ddb3156c9c5a |
| SHA256 | 7a0d281fa802d615ea1207bd2e9ebb98f3b74f9833bba3cb964ba7c7e0fb67fd |
| SHA512 | e4fb7e4d39f094463fdcdc4895ab2ea500eb51a32b6909cec80a526bbf34d5c0eb98f47ee256c0f0865bf3169374937f047bf5c4d6762779c8ca3332b4103be3 |
C:\a2d4be30508034dbfc2440\sqmapi.dll
| MD5 | 3f0363b40376047eff6a9b97d633b750 |
| SHA1 | 4eaf6650eca5ce931ee771181b04263c536a948b |
| SHA256 | bd6395a58f55a8b1f4063e813ce7438f695b9b086bb965d8ac44e7a97d35a93c |
| SHA512 | 537be86e2f171e0b2b9f462ac7f62c4342beb5d00b68451228f28677d26a525014758672466ad15ed1fd073be38142dae478df67718908eae9e6266359e1f9e8 |
C:\2cd51ab35ca4e0e67afaca7628\1028\LocalizedData.xml
| MD5 | 967a6d769d849c5ed66d6f46b0b9c5a4 |
| SHA1 | c0ff5f094928b2fa8b61e97639c42782e95cc74f |
| SHA256 | 0bc010947bff6ec1ce9899623ccfdffd702eee6d2976f28d9e06cc98a79cf542 |
| SHA512 | 219b13f1beeb7d690af9d9c7d98904494c878fbe9904f8cb7501b9bb4f48762f9d07c3440efa0546600ff62636ac34cb4b32e270cf90cb47a9e08f9cb473030c |
C:\a2d4be30508034dbfc2440\DHTMLHeader.html
| MD5 | cd131d41791a543cc6f6ed1ea5bd257c |
| SHA1 | f42a2708a0b42a13530d26515274d1fcdbfe8490 |
| SHA256 | e139af8858fe90127095ac1c4685bcd849437ef0df7c416033554703f5d864bb |
| SHA512 | a6ee9af8f8c2c7acd58dd3c42b8d70c55202b382ffc5a93772af7bf7d7740c1162bb6d38a4307b1802294a18eb52032d410e128072af7d4f9d54f415be020c9a |
C:\Users\Admin\AppData\Local\Temp\HFIFEE9.tmp.html
| MD5 | 4293bec1f7a97dbffbbe85006bfc1fa1 |
| SHA1 | b5e2c862cedf6767344ed996eb5b8ebbdf346b8f |
| SHA256 | cca0a7d5c7132e4d0e6c3085ef7ee572a915dfc81f1e47c6b3990e0d54d0edfe |
| SHA512 | c24432544051a980edd5d17c46d5cba0dad9b5c966e05d563a3d1479191053bfac5bf8ce3717400496439e7dae2c0105b8687a89cad5a1acd254ae37930f1107 |
C:\2cd51ab35ca4e0e67afaca7628\1028\eula.rtf
| MD5 | 6f2f198b6d2f11c0cbce4541900bf75c |
| SHA1 | 75ec16813d55aaf41d4d6e3c8d4948e548996d96 |
| SHA256 | d7d3cfbe65fe62dfa343827811a8071ec54f68d72695c82bec9d9037d4b4d27a |
| SHA512 | b1f5b812182c7a8bf1c1a8d0f616b44b0896f2ac455afee56c44522b458a8638f5c18200a8fb23b56dc1471e5ab7c66be1be9b794e12ec06f44beea4d9d03d6f |
C:\a2d4be30508034dbfc2440\UiInfo.xml
| MD5 | 8b8b0a935dc591799a0c6d52fdc33460 |
| SHA1 | ce2748bd469aad6e90b06d98531084d00611fb89 |
| SHA256 | 57a9ccb84cae42e0d8d1a29cfe170ac3f27bdcae829d979cddfd5e757519b159 |
| SHA512 | 93009b3045939b65a0c1d25e30a07a772bd73dda518529462f9ce1227a311a4d6fd7595f10b4255cc0b352e09c02026e89300a641492f14df908ad256a3c9d76 |
C:\a2d4be30508034dbfc2440\ParameterInfo.xml
| MD5 | 7213da83e0f0b8ae4fea44ae1cb7f62b |
| SHA1 | f2e3fcc77a1ad4d042253bd2e0010bcb40b68ed3 |
| SHA256 | 59e67e4fb46e5490eee63d8b725324f1372720ade7345c74c6138c4a76ea73d9 |
| SHA512 | 86186ab0f2cb38e520dd1284042eced157f96874846eb9061be9cf56b84a1cab5901a4879e105a8b04b336bbc43b03f4bdf198d43af868be188602347db829e0 |
C:\Users\Admin\AppData\Local\Temp\U7NHW1kV.xlsm
| MD5 | e566fc53051035e1e6fd0ed1823de0f9 |
| SHA1 | 00bc96c48b98676ecd67e81a6f1d7754e4156044 |
| SHA256 | 8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15 |
| SHA512 | a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04 |
C:\2cd51ab35ca4e0e67afaca7628\1028\SetupResources.dll
| MD5 | 7c136b92983cec25f85336056e45f3e8 |
| SHA1 | 0bb527e7004601e920e2aac467518126e5352618 |
| SHA256 | f2e8ca58fa8d8e694d04e14404dec4e8ea5f231d3f2e5c2f915bd7914849eb2b |
| SHA512 | 06da50ddb2c5f83e6e4b4313cbdae14eed227eec85f94024a185c2d7f535b6a68e79337557727b2b40a39739c66d526968aaedbcfef04dab09dc0426cfbefbf4 |
C:\a2d4be30508034dbfc2440\1033\LocalizedData.xml
| MD5 | 326518603d85acd79a6258886fc85456 |
| SHA1 | f1cef14bc4671a132225d22a1385936ad9505348 |
| SHA256 | 665797c7840b86379019e5a46227f888fa1a36a593ea41f9170ef018c337b577 |
| SHA512 | f8a514efd70e81d0f2f983282d69040bca6e42f29aa5df554e6874922a61f112e311ad5d2b719b6ca90012f69965447fb91e8cd4103efb2453ff160a9062e5d3 |
C:\a2d4be30508034dbfc2440\SplashScreen.bmp
| MD5 | 0966fcd5a4ab0ddf71f46c01eff3cdd5 |
| SHA1 | 8f4554f079edad23bcd1096e6501a61cf1f8ec34 |
| SHA256 | 31c13ecfc0eb27f34036fb65cc0e735cd444eec75376eea2642f926ac162dcb3 |
| SHA512 | a9e70a2fb5a9899acf086474d71d0e180e2234c40e68bcadb9bf4fe145774680cb55584b39fe53cc75de445c6bf5741fc9b15b18385cbbe20fc595fe0ff86fce |
C:\a2d4be30508034dbfc2440\1025\LocalizedData.xml
| MD5 | c5bf74c96a711b3f7004ca6bddecc491 |
| SHA1 | 4c4d42ff69455f267ce98f1db8f2c5d76a1046da |
| SHA256 | 6b67c8a77c1a637b72736595afdf77bdb3910aa9fe48d959775806a0683ffa66 |
| SHA512 | 2f2071bf9966bffe64c90263f4b9bd5efcac4f976c4e42fbdeaa5d6a6dee51c33f4902cf5e3d0897e1c841e9182e25c86d42e392887bc3ce3d9ed3d780d96ac9 |
C:\a2d4be30508034dbfc2440\3082\LocalizedData.xml
| MD5 | 2d54fe70376db0218e8970b28c1c4518 |
| SHA1 | 83ee9ac93142751f23d5bb858f7264e27ea2eab0 |
| SHA256 | d17c5b638e2a4d43212d21a2052548c8d4909eb6410e30b8a951a292bcdbbedd |
| SHA512 | 20c0fb9a046911bc2d702ab321c3992262ac0f80f33ddda5ec2ccafe9ef07611774223369e0dc7cb91c9cda1cbd65c598a7e1c914d6e6ca4b00205a16411be30 |
C:\a2d4be30508034dbfc2440\1032\LocalizedData.xml
| MD5 | 3bf8da35b14fbcc564e03f6342bb71f2 |
| SHA1 | 8f9139f0bb813bf95f8c437548738d32848d8940 |
| SHA256 | 39efe12c689edfea041613b0e4d6ec78afec8fe38a0e4adc656591ffef8f415d |
| SHA512 | 31b050647ba4bd0c2762d77307e1ed2a324e9b152c06ed496b86ea063cdc18bf2bb1f08d2e9b4af3429a2bc333d7891338d7535487c83495304a5f78776dbc03 |
C:\a2d4be30508034dbfc2440\1045\LocalizedData.xml
| MD5 | bdb583c7a48f811be3b0f01fcea40470 |
| SHA1 | e8453946a6b926e4f4ae5b02ba1d648daf23e133 |
| SHA256 | 611b7b7352188adffd6380b9c8a85b8ff97c09a1c293bb7ac0ef5478a0e18ac8 |
| SHA512 | 27b02226f8f86ca4d00789317c79e8ca0089f5b910bed14aa664eeab6be66e98de3bafd7670c895d70ab9c34ece5f05199f3556fddc1b165904e3432a51c008d |
C:\a2d4be30508034dbfc2440\1044\LocalizedData.xml
| MD5 | 120104fa24709c2a9d8efc84ff0786cd |
| SHA1 | b513fa545efae045864d8527a5ec6b6cebe31bb9 |
| SHA256 | 516525636b91c16a70aef8d6f6b424dc1ee7f747b8508b396ee88131b2bb0947 |
| SHA512 | 1ea8eb2be9d5f4ef6f1f2c0d90cb228a9bb58d7143ccafe77e18ce52ec4aca25dde0ba18430fd4d3d7962d079ccbe7e2552b2c7090361e03c6fdfb7c2b9c7325 |
C:\a2d4be30508034dbfc2440\1043\LocalizedData.xml
| MD5 | 6506b4e64ebf6121997fa227e762589f |
| SHA1 | 71bc1478c012d9ec57fc56a5266dd325b7801221 |
| SHA256 | 415112ae783a87427c2fadd7b010ade4f1a7c23b27e4b714b7b507c16b572a1c |
| SHA512 | 39024ea9d42352f7c1bd6fefe0574054eceb4059f773cfaeb26c42faada2540ae95fb34718d30ccb6da157d2597f80d12a024461fbd0e8d510431ba6ffa81ec2 |
C:\a2d4be30508034dbfc2440\1042\LocalizedData.xml
| MD5 | 78c16da54542c9ed8fa32fed3efaf10d |
| SHA1 | ad8cfe972c8a418c54230d886e549e00c7e16c40 |
| SHA256 | e3e3a2288ff840ab0e7c5e8f7b4cfb1f26e597fb17cfc581b7728116bd739ed1 |
| SHA512 | d9d7bb82a1d752a424bf81be3d86abea484acbb63d35c90a8ee628e14cf34a7e8a02f37d2ea82aa2ce2c9aa4e8416a7a6232c632b7655f2033c4aaab208c60bf |
C:\a2d4be30508034dbfc2440\1041\LocalizedData.xml
| MD5 | 64ffa6ff8866a15aff326f11a892bead |
| SHA1 | 378201477564507a481ba06ea1bc0620b6254900 |
| SHA256 | 7570390094c0a199f37b8f83758d09dd2cecd147132c724a810f9330499e0cbf |
| SHA512 | ea5856617b82d13c9a312cb4f10673dbc4b42d9ac5703ad871e8bdfcc6549e262e61288737ab8ebcf77219d24c0822e7dacf043d1f2d94a97c9b7ec0a5917ef2 |
C:\a2d4be30508034dbfc2440\1040\LocalizedData.xml
| MD5 | eda1ec689d45c7faa97da4171b1b7493 |
| SHA1 | 807fe12689c232ebd8364f48744c82ca278ea9e6 |
| SHA256 | 80faa30a7592e8278533d3380dcb212e748c190aaeef62136897e09671059b36 |
| SHA512 | 8385a5de4eb6b38169dd1eb03926bc6d4604545801f13d99cee3acede3d34ec9f9d96b828a23ae6246809dc666e67f77a163979679956297533da40f9365bf2c |
C:\a2d4be30508034dbfc2440\1038\LocalizedData.xml
| MD5 | 89d4356e0f226e75ca71d48690e8ec15 |
| SHA1 | 2336caa971527977f47512bc74e88cec3f770c7d |
| SHA256 | fcbb619deb2d57b791a78954b0342dbb2fef7ddd711066a0786c8ef669d2b385 |
| SHA512 | fa03d55a4aafe94cbf5c134a65bd809fc86c042bc1b8ffbc9a2a5412eb70a468551c05c44b6ce81f638df43cca599aa1dd6f42f2df3012c8a95a3612df7c821e |
C:\a2d4be30508034dbfc2440\1037\LocalizedData.xml
| MD5 | 16e6416756c1829238ef1814ebf48ad6 |
| SHA1 | c9236906317b3d806f419b7a98598dd21e27ad64 |
| SHA256 | c0ee256567ea26bbd646f019a1d12f3eced20b992718976514afa757adf15dea |
| SHA512 | aa595ed0b3b1db280f94b29fa0cb9db25441a1ef54355abf760b6b837e8ce8e035537738e666d27dd2a8d295d7517c325a5684e16304887ccb17313ca4290ce6 |
C:\a2d4be30508034dbfc2440\1036\LocalizedData.xml
| MD5 | 1dad88faed661db34eef535d36563ee2 |
| SHA1 | 0525b2f97eddbd26325fddc561bf8a0cda3b0497 |
| SHA256 | 9605468d426bcbbe00165339d84804e5eb2547bfe437d640320b7bfef0b399b6 |
| SHA512 | ccd0bffbf0538152cccd4b081c15079716a5ff9ad04cee8679b7f721441f89eb7c6f8004cff7e1dde9188f5201f573000d0c078474edf124cfa4c619e692d6bc |
C:\a2d4be30508034dbfc2440\1035\LocalizedData.xml
| MD5 | 1aa252256c895b806e4e55f3ea8d5ffb |
| SHA1 | 0322ee94c3d5ea26418a2fea3f7e62ec5d04b81d |
| SHA256 | 8a68b3b6522c30502202ecb8d16ae160856947254461ac845b39451a3f2db35f |
| SHA512 | ce57784892c0be55a00ced0adc594a534d8a40819790ca483a29b6cd544c7a75ae4e9bde9b6dc6de489ceceb7883b7c2ea0e98a38fcc96d511157d61c8aa3e63 |
C:\a2d4be30508034dbfc2440\1031\LocalizedData.xml
| MD5 | 8505219c0a8d950ff07dc699d8208309 |
| SHA1 | 7a557356c57f1fa6d689ea4c411e727438ac46df |
| SHA256 | c48986cdb7fe3401234e0a6540eb394c1201846b5beb1f12f83dc6e14674873a |
| SHA512 | 7bcdad0cb4b478068434f4ebd554474b69562dc83df9a423b54c1701ca3b43c3b92de09ee195a86c0d244aa5ef96c77b1a08e73f1f2918c8ac7019f8df27b419 |
C:\a2d4be30508034dbfc2440\2070\LocalizedData.xml
| MD5 | 7fa9926a4bc678e32e5d676c39f8fb97 |
| SHA1 | bba4311dd30261a9b625046f8a6ea215516c9213 |
| SHA256 | a25ee75c78c24c50440ad7de9929c6a6e1cc0629009dc0d01b90cbac177dd404 |
| SHA512 | e06423bc1ea50a566d341dc513828608e9b6611fea81d33fca471a38f6b2b61b556ea07a5dec0830f3e87194975d87f267a5e5e1a2be5e6a86b07c5bb2bddcb6 |
C:\a2d4be30508034dbfc2440\2052\LocalizedData.xml
| MD5 | 10da125eeabcbb45e0a272688b0e2151 |
| SHA1 | 6c4124ec8ca2d03b5187ba567c922b6c3e5efc93 |
| SHA256 | 1842f22c6fd4caf6ad217e331b74c6240b19991a82a1a030a6e57b1b8e9fd1ec |
| SHA512 | d968abd74206a280f74bf6947757cca8dd9091b343203e5c2269af2e008d3bb0a17ff600eb961dbf69a93de4960133ade8d606fb9a99402d33b8889f2d0da710 |
C:\a2d4be30508034dbfc2440\1055\LocalizedData.xml
| MD5 | 65e771fed28b924942a10452bbbf5c42 |
| SHA1 | 586921b92d5fb297f35effc2216342dac1ae2355 |
| SHA256 | 45e30569a756d9bcbc5f9dae78bda02751fd25e1c0aee471ce112cb4464a6ee2 |
| SHA512 | d014a2a96f3a5c487ef1caddd69599dbec15da5ad689d68009f1ca4d5cb694105a7903f508476d6ffec9d81386cb184df6fc428d34f056190cee30715514a8f7 |
C:\a2d4be30508034dbfc2440\1053\LocalizedData.xml
| MD5 | b3b1a89458bec6af82c5386d26639b59 |
| SHA1 | d9320b8cc862f40c65668a40670081079b63cea1 |
| SHA256 | 1ef312e8be9207466fbfdecee92bfc6c6b7e2da61979b0908eaf575464e7b7a0 |
| SHA512 | 478ce08619490ed1ecdd8751b5f60da1ee4ac0d08d9a97468c3f595ac4376feca59e9c72dd9c83b00c8d78b298be757c6f24a422b7be8c041f780524844998bf |
C:\a2d4be30508034dbfc2440\1049\LocalizedData.xml
| MD5 | 349b52a81342a7afb8842459e537ecc6 |
| SHA1 | 6268343e82fbbabe7618bd873335a8f9f84ed64d |
| SHA256 | 992bf5aeb06aa3701d50c23fa475b4b86d8997383c9f0e3425663cfbd6b8a2a5 |
| SHA512 | ef4cbd3f7f572a9f146a524cfbc2efbd084e6c70a65b96a42339adc088e3f0524bc202548340969481e7f3df3ac517ac34b200b56a3b9957802abd0efa951c49 |
C:\a2d4be30508034dbfc2440\1046\LocalizedData.xml
| MD5 | a03d2063d388fc7a1b4c36d85efa5a1a |
| SHA1 | 88bd5e2ff285ee421ccc523f7582e05a8c3323f8 |
| SHA256 | 61d8339e89a9e48f8ae2d929900582bb8373f08d553ec72d5e38a0840b47c8a3 |
| SHA512 | 3a219f36e57d90ca92e9faec4dfd34841c2c9244da4fe7e1d70608dde7857aa36325bdb46652a42922919f782bb7c97f567e69a9fc51942722b8fd66cd4ecaf0 |
C:\a2d4be30508034dbfc2440\1030\LocalizedData.xml
| MD5 | 69925e463a6fedce8c8e1b68404502fb |
| SHA1 | 76341e490a432a636ed721f0c964fd9026773dd7 |
| SHA256 | 5f370d2ccdd5fa316bce095bf22670123c09de175b7801d0a77cdb68174ac6b7 |
| SHA512 | 5f61abec49e1f9cc44c26b83aa5b32c217ebeba63ed90d25836f51f810c59f71ec7430dc5338efba9be720f800204891e5ab9a5f5ec1ff51ef46c629482e5220 |
C:\a2d4be30508034dbfc2440\1029\LocalizedData.xml
| MD5 | 0b6ed582eb557573e959e37ebe2fca6a |
| SHA1 | 82c19c7eafb28593f453341eca225873fb011d4c |
| SHA256 | 8a0da440261940ed89bad7cd65bbc941cc56001d9aa94515e346d57b7b0838fc |
| SHA512 | aba3d19f408bd74f010ec49b31a2658e0884661d2efda7d999558c90a4589b500570cc80410ba1c323853ca960e7844845729fff708e3a52ea25f597fad90759 |
C:\Users\Admin\AppData\Local\Temp\U7NHW1kV.xlsm
| MD5 | 06a6e82cdc175c7c51b449156931b831 |
| SHA1 | a227711c73a8a21d97d40b29a11058f7faa436fe |
| SHA256 | d01f149ed112dd966d7bfbd9a49eb391c6cf613f9c9d1607649aee64e85115fc |
| SHA512 | 94c9d5476e8cb7c70c96347092c7b5de9f0d7b6b0048f942d24ba599c24cb6566c0ed10040004fe62da52dc372ae5528913f120e115e1de58f9c222d7790d989 |
C:\Users\Admin\AppData\Local\Temp\U7NHW1kV.xlsm
| MD5 | 084674a59c977dd51210ca1fa5118e49 |
| SHA1 | 3f6bf76425eeaa4b890124a3c97eed8f17ae1257 |
| SHA256 | cb7041456837f7dec6b3e667fdf401a941672d9a2d92343193e99813563695df |
| SHA512 | d92281dff04c41b3db02cb154f76492ed43e4da8e201521e4d0a3cbc3425156c36a7ac7c6b7d8f10bb9a1f4a5f0e3a288d9a2828e0dccba268742751d02c0d76 |
C:\Users\Admin\AppData\Local\Temp\U7NHW1kV.xlsm
| MD5 | 1935f80e26b8e4e9352bdd1866f6c74d |
| SHA1 | 597a7480896973d6e807a75805c93e638cf316dc |
| SHA256 | 23ed1fac06e5fa3b8c29a922fa18a9cc4b4e7c2019a70983165931559fb391f6 |
| SHA512 | 06b8510c0570656353bc5a8efdf8f4c716533a662e8c5609ed8643e92e04223ce300595fffb5018d87ae9f2a81ee00588760446bc6f4c92408db0f3b6aa1e752 |
C:\Users\Admin\AppData\Local\Temp\U7NHW1kV.xlsm
| MD5 | 8727e01ffc7cd66ad2cc89a52f9e6519 |
| SHA1 | 44820df864fe8bc9dc8fac5b3bb94f6c27f0e19c |
| SHA256 | 6e07c68be8934e6f13a7ce3b44b25c95d1484c88664fa54551877c2ee9dbb7a5 |
| SHA512 | 0dd251cc54889efdae4feafde8ed717c94fe4cc9afba61e92c1fea8af01bc4c3fab350e6382c9a72c529b4ab15ad85005308dc73f7816ed88cc25e22228f8741 |
C:\Users\Admin\Desktop\~$ConvertFromExpand.xlsx
| MD5 | ff09371174f7c701e75f357a187c06e8 |
| SHA1 | 57f9a638fd652922d7eb23236c80055a91724503 |
| SHA256 | e4ba04959837c27019a2349015543802439e152ddc4baf4e8c7b9d2b483362a8 |
| SHA512 | e4d01e5908e9f80b7732473ec6807bb7faa5425e3154d5642350f44d7220af3cffd277e0b67bcf03f1433ac26a26edb3ddd3707715b61d054b979fbb4b453882 |
C:\Users\Admin\AppData\Local\Temp\U7NHW1kV.xlsm
| MD5 | 8c1415610aa5123f1308f05835ecfed6 |
| SHA1 | f7405772b0500a986d9c28f673b4c8b6a2eaff11 |
| SHA256 | e657de3f6f23c5755abd8dbee757289a6e9005194e0e84c82e70e084d9cc2d54 |
| SHA512 | d04c814eae056d46206df43f35f71fb128589611dc1e4fba3c928bb6ea96c578f72d29001d9081f2675916a3e3189d70552dfa24536ff18e2160f832c910fed4 |
C:\Users\Admin\AppData\Local\Temp\U7NHW1kV.xlsm
| MD5 | 5672e44bad68f8430b826c90d56ca4a3 |
| SHA1 | 9b628b3362986d3b1295aa871b3178167a49455a |
| SHA256 | a1248351e93d27f1bd382e54cef3e29b0aed049c42e81899541df362d0fbc4ef |
| SHA512 | 4fac72649b5ab9b52573516db0b5f4b4f3dd7d90f12490413a889b7b4c50a42dc07ab7336dd441ec3dfd9c354d8d3fe92337c7afa2b35b55102e4c8634a59e82 |
memory/2032-633-0x000000005FFF0000-0x0000000060000000-memory.dmp
memory/2916-709-0x0000000000400000-0x000000000059B000-memory.dmp
memory/2916-710-0x0000000000400000-0x000000000059B000-memory.dmp
memory/2916-745-0x0000000000400000-0x000000000059B000-memory.dmp
memory/1644-753-0x0000000002FC0000-0x0000000002FC2000-memory.dmp
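The Files listing repays a second read: one dropped file shares the submitted sample's SHA256, the same Temp workbook path appears seven times with seven different hashes, and an Office owner file (~$ prefix) on the Desktop shows that Excel opened a workbook there. As an added example (not part of the sandbox report), the Python below parses the listing format used above and pulls out those three facts. The excerpt embedded in the block is copied from this report with the SHA512 rows and most of the installer resource files omitted for brevity; the parser handles the full listing unchanged. The sample hash constant is the SHA256 from the Analysis Overview.

```python
from collections import Counter, defaultdict

SAMPLE_SHA256 = "f8c39a8b1e229d775328bffa40493c830607a6755fd7e77a875e13845b96302a"

# Excerpt of the Files listing above (SHA512 rows and installer resources
# omitted). A path line opens an entry; "| ALGO | value |" rows attach hashes.
FILES = r"""
memory/2644-0-0x00000000003A0000-0x00000000003A1000-memory.dmp
\Users\Admin\AppData\Local\Temp\._cache_file.exe
| MD5 | 53406e9988306cbd4537677c5336aba4 |
| SHA1 | 06becadb92a5fcca2529c0b93687c2a0c6d0d610 |
| SHA256 | fa1afff978325f8818ce3a559d67a58297d9154674de7fd8eb03656d93104425 |
C:\ProgramData\Synaptics\Synaptics.exe
| MD5 | 69aa5d9727ab9d46699f4a623ac061fd |
| SHA1 | 84878f4db6e5bcc7a980819252d96f5f5de1ceaa |
| SHA256 | f8c39a8b1e229d775328bffa40493c830607a6755fd7e77a875e13845b96302a |
memory/2644-26-0x0000000000400000-0x000000000059B000-memory.dmp
\a2d4be30508034dbfc2440\Setup.exe
| MD5 | 006f8a615020a4a17f5e63801485df46 |
| SHA1 | 78c82a80ebf9c8bf0c996dd8bc26087679f77fea |
| SHA256 | d273460aa4d42f0b5764383e2ab852ab9af6fecb3ed866f1783869f2f155d8be |
C:\Users\Admin\AppData\Local\Temp\U7NHW1kV.xlsm
| MD5 | e566fc53051035e1e6fd0ed1823de0f9 |
| SHA1 | 00bc96c48b98676ecd67e81a6f1d7754e4156044 |
| SHA256 | 8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15 |
C:\Users\Admin\AppData\Local\Temp\U7NHW1kV.xlsm
| MD5 | 06a6e82cdc175c7c51b449156931b831 |
| SHA1 | a227711c73a8a21d97d40b29a11058f7faa436fe |
| SHA256 | d01f149ed112dd966d7bfbd9a49eb391c6cf613f9c9d1607649aee64e85115fc |
C:\Users\Admin\Desktop\~$ConvertFromExpand.xlsx
| MD5 | ff09371174f7c701e75f357a187c06e8 |
| SHA1 | 57f9a638fd652922d7eb23236c80055a91724503 |
| SHA256 | e4ba04959837c27019a2349015543802439e152ddc4baf4e8c7b9d2b483362a8 |
"""


def parse_files(text=FILES):
    """Walk the listing: path lines open entries, hash rows attach to the
    current entry, memory/... lines are dump artifacts without hashes."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("|"):
            algo, value = [c.strip() for c in line.strip("|").split("|")]
            if current is not None:
                current["hashes"][algo.lower()] = value.lower()
        elif line.startswith("memory/"):
            entries.append({"path": line, "kind": "memory", "hashes": {}})
            current = None
        else:
            current = {"path": line, "kind": "file", "hashes": {}}
            entries.append(current)
    return entries


def self_copies(entries, sample_sha256=SAMPLE_SHA256):
    """Dropped files that are byte-identical to the submitted sample."""
    return [e["path"] for e in entries if e["hashes"].get("sha256") == sample_sha256.lower()]


def rewritten_paths(entries):
    """Paths written more than once with differing content: path -> distinct SHA256 count."""
    seen = defaultdict(set)
    for e in entries:
        if e["kind"] == "file":
            seen[e["path"]].add(e["hashes"].get("sha256"))
    return {p: len(h) for p, h in seen.items() if len(h) > 1}


def office_lock_files(entries):
    """Workbooks implied by Office owner files (~$name). Office prepends ~$ to
    long names; very short names can have their first characters replaced instead."""
    opened = []
    for e in entries:
        folder, _, name = e["path"].rpartition("\\")
        if name.startswith("~$"):
            opened.append(folder + "\\" + name[2:])
    return opened


def file_type_counts(entries):
    counts = Counter(e["path"].rsplit(".", 1)[-1].lower() for e in entries if e["kind"] == "file")
    return dict(counts)


if __name__ == "__main__":
    ents = parse_files()
    print("identical to sample:", self_copies(ents))
    print("rewritten:", rewritten_paths(ents))
    print("workbooks opened:", office_lock_files(ents))
    print("by type:", file_type_counts(ents))
```

Run against the complete listing, rewritten_paths reports seven distinct hashes for U7NHW1kV.xlsm, which is the behaviour behind the repeated Excel entries in the signature tables: the workbook in Temp is regenerated rather than written once.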
Analysis: behavioral2
Detonation Overview
Submitted
2025-01-02 19:13
Reported
2025-01-02 19:15
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
143s
Command Line
Signatures
Xred
Xred family
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\ProgramData\Synaptics\Synaptics.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\._cache_file.exe | N/A |
| N/A | N/A | C:\ProgramData\Synaptics\Synaptics.exe | N/A |
| N/A | N/A | C:\6881d905eea1a6ba05\Setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe | N/A |
| N/A | N/A | C:\1aaf88b6f9e9330cabd208\Setup.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\6881d905eea1a6ba05\Setup.exe | N/A |
| N/A | N/A | C:\6881d905eea1a6ba05\Setup.exe | N/A |
| N/A | N/A | C:\6881d905eea1a6ba05\Setup.exe | N/A |
| N/A | N/A | C:\6881d905eea1a6ba05\Setup.exe | N/A |
| N/A | N/A | C:\6881d905eea1a6ba05\Setup.exe | N/A |
| N/A | N/A | C:\1aaf88b6f9e9330cabd208\Setup.exe | N/A |
| N/A | N/A | C:\1aaf88b6f9e9330cabd208\Setup.exe | N/A |
| N/A | N/A | C:\1aaf88b6f9e9330cabd208\Setup.exe | N/A |
| N/A | N/A | C:\1aaf88b6f9e9330cabd208\Setup.exe | N/A |
| N/A | N/A | C:\1aaf88b6f9e9330cabd208\Setup.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\._cache_file.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\Synaptics\Synaptics.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\6881d905eea1a6ba05\Setup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\1aaf88b6f9e9330cabd208\Setup.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\6881d905eea1a6ba05\Setup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\6881d905eea1a6ba05\Setup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\1aaf88b6f9e9330cabd208\Setup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\1aaf88b6f9e9330cabd208\Setup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 | C:\6881d905eea1a6ba05\Setup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags | C:\6881d905eea1a6ba05\Setup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 | C:\6881d905eea1a6ba05\Setup.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 | C:\6881d905eea1a6ba05\Setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 | C:\6881d905eea1a6ba05\Setup.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff | C:\6881d905eea1a6ba05\Setup.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff | C:\6881d905eea1a6ba05\Setup.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1" | C:\6881d905eea1a6ba05\Setup.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\LogicalViewMode = "1" | C:\6881d905eea1a6ba05\Setup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings | C:\6881d905eea1a6ba05\Setup.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e80922b16d365937a46956b92703aca08af0000 | C:\6881d905eea1a6ba05\Setup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656} | C:\6881d905eea1a6ba05\Setup.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSize = "16" | C:\6881d905eea1a6ba05\Setup.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:PID = "0" | C:\6881d905eea1a6ba05\Setup.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | C:\6881d905eea1a6ba05\Setup.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000 | C:\6881d905eea1a6ba05\Setup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell | C:\6881d905eea1a6ba05\Setup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy | C:\6881d905eea1a6ba05\Setup.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 | C:\6881d905eea1a6ba05\Setup.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupView = "0" | C:\6881d905eea1a6ba05\Setup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | C:\6881d905eea1a6ba05\Setup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 | C:\6881d905eea1a6ba05\Setup.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff | C:\6881d905eea1a6ba05\Setup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents" | C:\6881d905eea1a6ba05\Setup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" | C:\6881d905eea1a6ba05\Setup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | C:\6881d905eea1a6ba05\Setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\ProgramData\Synaptics\Synaptics.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Mode = "4" | C:\6881d905eea1a6ba05\Setup.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1092616257" | C:\6881d905eea1a6ba05\Setup.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1" | C:\6881d905eea1a6ba05\Setup.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | C:\6881d905eea1a6ba05\Setup.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\6881d905eea1a6ba05\Setup.exe | N/A |
| N/A | N/A | C:\6881d905eea1a6ba05\Setup.exe | N/A |
| N/A | N/A | C:\6881d905eea1a6ba05\Setup.exe | N/A |
| N/A | N/A | C:\6881d905eea1a6ba05\Setup.exe | N/A |
| N/A | N/A | C:\6881d905eea1a6ba05\Setup.exe | N/A |
| N/A | N/A | C:\6881d905eea1a6ba05\Setup.exe | N/A |
| N/A | N/A | C:\6881d905eea1a6ba05\Setup.exe | N/A |
| N/A | N/A | C:\6881d905eea1a6ba05\Setup.exe | N/A |
| N/A | N/A | C:\1aaf88b6f9e9330cabd208\Setup.exe | N/A |
| N/A | N/A | C:\1aaf88b6f9e9330cabd208\Setup.exe | N/A |
| N/A | N/A | C:\1aaf88b6f9e9330cabd208\Setup.exe | N/A |
| N/A | N/A | C:\1aaf88b6f9e9330cabd208\Setup.exe | N/A |
| N/A | N/A | C:\1aaf88b6f9e9330cabd208\Setup.exe | N/A |
| N/A | N/A | C:\1aaf88b6f9e9330cabd208\Setup.exe | N/A |
| N/A | N/A | C:\1aaf88b6f9e9330cabd208\Setup.exe | N/A |
| N/A | N/A | C:\1aaf88b6f9e9330cabd208\Setup.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\6881d905eea1a6ba05\Setup.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\1aaf88b6f9e9330cabd208\Setup.exe | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\6881d905eea1a6ba05\Setup.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
C:\Users\Admin\AppData\Local\Temp\._cache_file.exe
"C:\Users\Admin\AppData\Local\Temp\._cache_file.exe"
C:\ProgramData\Synaptics\Synaptics.exe
"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
C:\6881d905eea1a6ba05\Setup.exe
C:\6881d905eea1a6ba05\\Setup.exe /x86 /x64 /ia64 /web
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
C:\1aaf88b6f9e9330cabd208\Setup.exe
C:\1aaf88b6f9e9330cabd208\\Setup.exe InjUpdate /x86 /x64 /ia64 /web
Network
Files