Analysis Overview
SHA256
05f954e37982086a48a222726b8134fbef0caa78dbe1b66a3d4479b712d12012
Threat Level: Known bad
The file file.exe was found to be: Known bad.
Malicious Activity Summary
Xred
Xred family
Executes dropped EXE
Checks computer location settings
Loads dropped DLL
Adds Run key to start application
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Unsigned PE
Office loads VBA resources, possible macro or embedded object present
Suspicious use of SetWindowsHookEx
Checks processor information in registry
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
Modifies registry class
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
| Field | Value |
| Reported | 2025-01-02 19:14 |
Signatures
Xred family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
| Field | Value |
| Submitted | 2025-01-02 19:14 |
| Reported | 2025-01-02 19:16 |
| Platform | win7-20241010-en |
| Max time kernel | 149s |
| Max time network | 153s |
| Command Line | |
Signatures
Xred
Xred family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\._cache_file.exe | N/A |
| N/A | N/A | C:\ProgramData\Synaptics\Synaptics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe | N/A |
| N/A | N/A | \??\c:\d10d19a1c4274c3c293f\Setup.exe | N/A |
| N/A | N/A | \??\c:\520f482d1276dfd3c31966\Setup.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\._cache_file.exe | N/A |
| N/A | N/A | C:\ProgramData\Synaptics\Synaptics.exe | N/A |
| N/A | N/A | C:\ProgramData\Synaptics\Synaptics.exe | N/A |
| N/A | N/A | \??\c:\d10d19a1c4274c3c293f\Setup.exe | N/A |
| N/A | N/A | \??\c:\d10d19a1c4274c3c293f\Setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe | N/A |
| N/A | N/A | \??\c:\520f482d1276dfd3c31966\Setup.exe | N/A |
| N/A | N/A | \??\c:\520f482d1276dfd3c31966\Setup.exe | N/A |
| N/A | N/A | \??\c:\520f482d1276dfd3c31966\Setup.exe | N/A |
| N/A | N/A | \??\c:\d10d19a1c4274c3c293f\Setup.exe | N/A |
| N/A | N/A | \??\c:\d10d19a1c4274c3c293f\Setup.exe | N/A |
| N/A | N/A | \??\c:\520f482d1276dfd3c31966\Setup.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\._cache_file.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\Synaptics\Synaptics.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\d10d19a1c4274c3c293f\Setup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\520f482d1276dfd3c31966\Setup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
Office loads VBA resources, possible macro or embedded object present
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | \??\c:\d10d19a1c4274c3c293f\Setup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | \??\c:\520f482d1276dfd3c31966\Setup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | \??\c:\520f482d1276dfd3c31966\Setup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | \??\c:\d10d19a1c4274c3c293f\Setup.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 | \??\c:\520f482d1276dfd3c31966\Setup.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlgLegacy\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\Sort = 000000000000000000000000000000000200000030f125b7ef471a10a5f102608c9eebac0a0000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff | \??\c:\520f482d1276dfd3c31966\Setup.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | \??\c:\520f482d1276dfd3c31966\Setup.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff | \??\c:\520f482d1276dfd3c31966\Setup.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\TV_TopViewVersion = "0" | \??\c:\520f482d1276dfd3c31966\Setup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 | \??\c:\520f482d1276dfd3c31966\Setup.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlgLegacy\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\LogicalViewMode = "1" | \??\c:\520f482d1276dfd3c31966\Setup.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlgLegacy\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\FFlags = "1092616257" | \??\c:\520f482d1276dfd3c31966\Setup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_Classes\Local Settings | \??\c:\520f482d1276dfd3c31966\Setup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell | \??\c:\520f482d1276dfd3c31966\Setup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy | \??\c:\520f482d1276dfd3c31966\Setup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders | \??\c:\520f482d1276dfd3c31966\Setup.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlgLegacy\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\Mode = "4" | \??\c:\520f482d1276dfd3c31966\Setup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\TV_FolderType = "{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}" | \??\c:\520f482d1276dfd3c31966\Setup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlgLegacy\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC} | \??\c:\520f482d1276dfd3c31966\Setup.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlgLegacy\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 | \??\c:\520f482d1276dfd3c31966\Setup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlgLegacy | \??\c:\520f482d1276dfd3c31966\Setup.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlgLegacy\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\IconSize = "16" | \??\c:\520f482d1276dfd3c31966\Setup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | \??\c:\520f482d1276dfd3c31966\Setup.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | \??\c:\520f482d1276dfd3c31966\Setup.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f4225481e03947bc34db131e946b44c8dd50000 | \??\c:\520f482d1276dfd3c31966\Setup.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff | \??\c:\520f482d1276dfd3c31966\Setup.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 | \??\c:\520f482d1276dfd3c31966\Setup.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1" | \??\c:\520f482d1276dfd3c31966\Setup.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff | \??\c:\520f482d1276dfd3c31966\Setup.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 9e0000001a00eebbfe23000010007db10d7bd29c934a973346cc89022e7c00002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020002a0000000000efbe7e47b3fbe4c93b4ba2bad3f5d3cd46f98207ba827a5b6945b5d7ec83085f08cc20002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020000000 | \??\c:\520f482d1276dfd3c31966\Setup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 | \??\c:\520f482d1276dfd3c31966\Setup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags | \??\c:\520f482d1276dfd3c31966\Setup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\TV_TopViewID = "{82BA0782-5B7A-4569-B5D7-EC83085F08CC}" | \??\c:\520f482d1276dfd3c31966\Setup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlgLegacy\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9} | \??\c:\520f482d1276dfd3c31966\Setup.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\520f482d1276dfd3c31966\Setup.exe | N/A |
| N/A | N/A | \??\c:\520f482d1276dfd3c31966\Setup.exe | N/A |
| N/A | N/A | \??\c:\d10d19a1c4274c3c293f\Setup.exe | N/A |
| N/A | N/A | \??\c:\d10d19a1c4274c3c293f\Setup.exe | N/A |
| N/A | N/A | \??\c:\520f482d1276dfd3c31966\Setup.exe | N/A |
| N/A | N/A | \??\c:\d10d19a1c4274c3c293f\Setup.exe | N/A |
| N/A | N/A | \??\c:\d10d19a1c4274c3c293f\Setup.exe | N/A |
| N/A | N/A | \??\c:\520f482d1276dfd3c31966\Setup.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\520f482d1276dfd3c31966\Setup.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\d10d19a1c4274c3c293f\Setup.exe | N/A |
| N/A | N/A | \??\c:\520f482d1276dfd3c31966\Setup.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
| Image path | Command line |
| C:\Users\Admin\AppData\Local\Temp\file.exe | "C:\Users\Admin\AppData\Local\Temp\file.exe" |
| C:\Users\Admin\AppData\Local\Temp\._cache_file.exe | "C:\Users\Admin\AppData\Local\Temp\._cache_file.exe" |
| C:\ProgramData\Synaptics\Synaptics.exe | "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate |
| \??\c:\d10d19a1c4274c3c293f\Setup.exe | c:\d10d19a1c4274c3c293f\Setup.exe |
| C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe | "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate |
| \??\c:\520f482d1276dfd3c31966\Setup.exe | c:\520f482d1276dfd3c31966\Setup.exe InjUpdate |
| C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | xred.mooo.com | udp |
| US | 8.8.8.8:53 | freedns.afraid.org | udp |
| US | 69.42.215.252:80 | freedns.afraid.org | tcp |
| US | 8.8.8.8:53 | docs.google.com | udp |
| FR | 216.58.214.174:443 | docs.google.com | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| FR | 142.250.179.67:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | o.pki.goog | udp |
| FR | 142.250.179.67:80 | o.pki.goog | tcp |
| US | 8.8.8.8:53 | drive.usercontent.google.com | udp |
| FR | 142.250.74.225:443 | drive.usercontent.google.com | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| GB | 95.100.245.144:80 | www.microsoft.com | tcp |
| US | 8.8.8.8:53 | crl.microsoft.com | udp |
| GB | 2.19.252.157:80 | crl.microsoft.com | tcp |
Files
Analysis: behavioral2
Detonation Overview
| Field | Value |
| Submitted | 2025-01-02 19:14 |
| Reported | 2025-01-02 19:16 |
| Platform | win10v2004-20241007-en |
| Max time kernel | 148s |
| Max time network | 151s |
| Command Line | |
Signatures
Xred
Xred family
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\ProgramData\Synaptics\Synaptics.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\._cache_file.exe | N/A |
| N/A | N/A | C:\ProgramData\Synaptics\Synaptics.exe | N/A |
| N/A | N/A | \??\c:\329fe8b457c081dd09aa98\Setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe | N/A |
| N/A | N/A | \??\c:\00e6d2584aecf49d91\Setup.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\329fe8b457c081dd09aa98\Setup.exe | N/A |
| N/A | N/A | \??\c:\329fe8b457c081dd09aa98\Setup.exe | N/A |
| N/A | N/A | \??\c:\329fe8b457c081dd09aa98\Setup.exe | N/A |
| N/A | N/A | \??\c:\00e6d2584aecf49d91\Setup.exe | N/A |
| N/A | N/A | \??\c:\00e6d2584aecf49d91\Setup.exe | N/A |
| N/A | N/A | \??\c:\329fe8b457c081dd09aa98\Setup.exe | N/A |
| N/A | N/A | \??\c:\329fe8b457c081dd09aa98\Setup.exe | N/A |
| N/A | N/A | \??\c:\00e6d2584aecf49d91\Setup.exe | N/A |
| N/A | N/A | \??\c:\00e6d2584aecf49d91\Setup.exe | N/A |
| N/A | N/A | \??\c:\00e6d2584aecf49d91\Setup.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\._cache_file.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\Synaptics\Synaptics.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\329fe8b457c081dd09aa98\Setup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\00e6d2584aecf49d91\Setup.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | \??\c:\329fe8b457c081dd09aa98\Setup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | \??\c:\329fe8b457c081dd09aa98\Setup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | \??\c:\00e6d2584aecf49d91\Setup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | \??\c:\00e6d2584aecf49d91\Setup.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags | \??\c:\329fe8b457c081dd09aa98\Setup.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1092616257" | \??\c:\329fe8b457c081dd09aa98\Setup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell | \??\c:\329fe8b457c081dd09aa98\Setup.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 | \??\c:\329fe8b457c081dd09aa98\Setup.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff | \??\c:\329fe8b457c081dd09aa98\Setup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656} | \??\c:\329fe8b457c081dd09aa98\Setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents" | \??\c:\329fe8b457c081dd09aa98\Setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\ProgramData\Synaptics\Synaptics.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | \??\c:\329fe8b457c081dd09aa98\Setup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 | \??\c:\329fe8b457c081dd09aa98\Setup.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1" | \??\c:\329fe8b457c081dd09aa98\Setup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 | \??\c:\329fe8b457c081dd09aa98\Setup.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSize = "16" | \??\c:\329fe8b457c081dd09aa98\Setup.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupView = "0" | \??\c:\329fe8b457c081dd09aa98\Setup.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:PID = "0" | \??\c:\329fe8b457c081dd09aa98\Setup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings | \??\c:\329fe8b457c081dd09aa98\Setup.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | \??\c:\329fe8b457c081dd09aa98\Setup.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000 | \??\c:\329fe8b457c081dd09aa98\Setup.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff | \??\c:\329fe8b457c081dd09aa98\Setup.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\LogicalViewMode = "1" | \??\c:\329fe8b457c081dd09aa98\Setup.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1" | \??\c:\329fe8b457c081dd09aa98\Setup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | \??\c:\329fe8b457c081dd09aa98\Setup.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e80922b16d365937a46956b92703aca08af0000 | \??\c:\329fe8b457c081dd09aa98\Setup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy | \??\c:\329fe8b457c081dd09aa98\Setup.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Mode = "4" | \??\c:\329fe8b457c081dd09aa98\Setup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | \??\c:\329fe8b457c081dd09aa98\Setup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 | \??\c:\329fe8b457c081dd09aa98\Setup.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 | \??\c:\329fe8b457c081dd09aa98\Setup.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff | \??\c:\329fe8b457c081dd09aa98\Setup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" | \??\c:\329fe8b457c081dd09aa98\Setup.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 | \??\c:\329fe8b457c081dd09aa98\Setup.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\329fe8b457c081dd09aa98\Setup.exe | N/A |
| N/A | N/A | \??\c:\329fe8b457c081dd09aa98\Setup.exe | N/A |
| N/A | N/A | \??\c:\329fe8b457c081dd09aa98\Setup.exe | N/A |
| N/A | N/A | \??\c:\329fe8b457c081dd09aa98\Setup.exe | N/A |
| N/A | N/A | \??\c:\329fe8b457c081dd09aa98\Setup.exe | N/A |
| N/A | N/A | \??\c:\329fe8b457c081dd09aa98\Setup.exe | N/A |
| N/A | N/A | \??\c:\329fe8b457c081dd09aa98\Setup.exe | N/A |
| N/A | N/A | \??\c:\329fe8b457c081dd09aa98\Setup.exe | N/A |
| N/A | N/A | \??\c:\00e6d2584aecf49d91\Setup.exe | N/A |
| N/A | N/A | \??\c:\00e6d2584aecf49d91\Setup.exe | N/A |
| N/A | N/A | \??\c:\00e6d2584aecf49d91\Setup.exe | N/A |
| N/A | N/A | \??\c:\00e6d2584aecf49d91\Setup.exe | N/A |
| N/A | N/A | \??\c:\00e6d2584aecf49d91\Setup.exe | N/A |
| N/A | N/A | \??\c:\00e6d2584aecf49d91\Setup.exe | N/A |
| N/A | N/A | \??\c:\00e6d2584aecf49d91\Setup.exe | N/A |
| N/A | N/A | \??\c:\00e6d2584aecf49d91\Setup.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\329fe8b457c081dd09aa98\Setup.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\00e6d2584aecf49d91\Setup.exe | N/A |
| N/A | N/A | \??\c:\329fe8b457c081dd09aa98\Setup.exe | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
C:\Users\Admin\AppData\Local\Temp\._cache_file.exe
"C:\Users\Admin\AppData\Local\Temp\._cache_file.exe"
C:\ProgramData\Synaptics\Synaptics.exe
"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
\??\c:\329fe8b457c081dd09aa98\Setup.exe
c:\329fe8b457c081dd09aa98\Setup.exe
\??\c:\00e6d2584aecf49d91\Setup.exe
c:\00e6d2584aecf49d91\Setup.exe InjUpdate
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
Network
Files