xred | 05f954e37982086a48a222726b8134fbef0caa78dbe1b66a3d4479b712d12012

Analysis

max time kernel
149s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
03-01-2025 03:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

05f954e37982086a48a222726b8134fbef0caa78dbe1b66a3d4479b712d12012.exe
Size

6.2MB
MD5

e819c37952e89ff0f473fa9b59cd771d
SHA1

de2a344ed3a2b1f4e0fbd4e684170db56903763e
SHA256

05f954e37982086a48a222726b8134fbef0caa78dbe1b66a3d4479b712d12012
SHA512

1e3eff7391308a5161b75ab47ef29178a53ce08693c63fd08f5f1443ceeed87c3b4d3779265d669a91af0192eb556913bcbf77b825678580e44fceeb3c76d148
SSDEEP

196608:jLb7wqheSVYK/bua/BlWWnuVhsus8nm+q42:j/8qgSmIbr/Asb8nmFD

Score

10^/10

xred backdoor discovery persistence

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	05f954e37982086a48a222726b8134fbef0caa78dbe1b66a3d4479b712d12012.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Synaptics.exe

Executes dropped EXE 5 IoCs

pid	Process
3536	._cache_05f954e37982086a48a222726b8134fbef0caa78dbe1b66a3d4479b712d12012.exe
3460	Synaptics.exe
4776	Setup.exe
1600	._cache_Synaptics.exe
1256	Setup.exe

Loads dropped DLL 10 IoCs

pid	Process
4776	Setup.exe
4776	Setup.exe
4776	Setup.exe
4776	Setup.exe
4776	Setup.exe
1256	Setup.exe
1256	Setup.exe
1256	Setup.exe
1256	Setup.exe
1256	Setup.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	05f954e37982086a48a222726b8134fbef0caa78dbe1b66a3d4479b712d12012.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	05f954e37982086a48a222726b8134fbef0caa78dbe1b66a3d4479b712d12012.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_05f954e37982086a48a222726b8134fbef0caa78dbe1b66a3d4479b712d12012.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe

Checks processor information in registry 2 TTPs 7 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Setup.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Setup.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE

Modifies registry class 32 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupView = "0"	Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	05f954e37982086a48a222726b8134fbef0caa78dbe1b66a3d4479b712d12012.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	Setup.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	Setup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\LogicalViewMode = "1"	Setup.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	Setup.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	Setup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	Setup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:PID = "0"	Setup.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	Setup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1092616257"	Setup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSize = "16"	Setup.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	Setup.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	Setup.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	Setup.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	Setup.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	Setup.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	Setup.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}	Setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"	Setup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Mode = "4"	Setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	Setup.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Setup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1"	Setup.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	Setup.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	Setup.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy	Setup.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	Setup.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	Setup.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e80922b16d365937a46956b92703aca08af0000	Setup.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	Setup.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
4028	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
4776	Setup.exe
4776	Setup.exe
4776	Setup.exe
4776	Setup.exe
4776	Setup.exe
4776	Setup.exe
4776	Setup.exe
4776	Setup.exe
1256	Setup.exe
1256	Setup.exe
1256	Setup.exe
1256	Setup.exe
1256	Setup.exe
1256	Setup.exe
1256	Setup.exe
1256	Setup.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4776	Setup.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
4028	EXCEL.EXE
1256	Setup.exe
4028	EXCEL.EXE
4028	EXCEL.EXE
4028	EXCEL.EXE
4028	EXCEL.EXE
4028	EXCEL.EXE
4028	EXCEL.EXE
4028	EXCEL.EXE
4776	Setup.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 684 wrote to memory of 3536	684	05f954e37982086a48a222726b8134fbef0caa78dbe1b66a3d4479b712d12012.exe	83
PID 684 wrote to memory of 3536	684	05f954e37982086a48a222726b8134fbef0caa78dbe1b66a3d4479b712d12012.exe	83
PID 684 wrote to memory of 3536	684	05f954e37982086a48a222726b8134fbef0caa78dbe1b66a3d4479b712d12012.exe	83
PID 684 wrote to memory of 3460	684	05f954e37982086a48a222726b8134fbef0caa78dbe1b66a3d4479b712d12012.exe	84
PID 684 wrote to memory of 3460	684	05f954e37982086a48a222726b8134fbef0caa78dbe1b66a3d4479b712d12012.exe	84
PID 684 wrote to memory of 3460	684	05f954e37982086a48a222726b8134fbef0caa78dbe1b66a3d4479b712d12012.exe	84
PID 3536 wrote to memory of 4776	3536	._cache_05f954e37982086a48a222726b8134fbef0caa78dbe1b66a3d4479b712d12012.exe	85
PID 3536 wrote to memory of 4776	3536	._cache_05f954e37982086a48a222726b8134fbef0caa78dbe1b66a3d4479b712d12012.exe	85
PID 3536 wrote to memory of 4776	3536	._cache_05f954e37982086a48a222726b8134fbef0caa78dbe1b66a3d4479b712d12012.exe	85
PID 3460 wrote to memory of 1600	3460	Synaptics.exe	86
PID 3460 wrote to memory of 1600	3460	Synaptics.exe	86
PID 3460 wrote to memory of 1600	3460	Synaptics.exe	86
PID 1600 wrote to memory of 1256	1600	._cache_Synaptics.exe	88
PID 1600 wrote to memory of 1256	1600	._cache_Synaptics.exe	88
PID 1600 wrote to memory of 1256	1600	._cache_Synaptics.exe	88

C:\Users\Admin\AppData\Local\Temp\05f954e37982086a48a222726b8134fbef0caa78dbe1b66a3d4479b712d12012.exe
"C:\Users\Admin\AppData\Local\Temp\05f954e37982086a48a222726b8134fbef0caa78dbe1b66a3d4479b712d12012.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:684
- C:\Users\Admin\AppData\Local\Temp\._cache_05f954e37982086a48a222726b8134fbef0caa78dbe1b66a3d4479b712d12012.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_05f954e37982086a48a222726b8134fbef0caa78dbe1b66a3d4479b712d12012.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3536
- - \??\c:\a4418a06e9eec4d56d1edb9e34\Setup.exe
    c:\a4418a06e9eec4d56d1edb9e34\Setup.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:4776
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3460
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1600
  - - \??\c:\5a63ffa58a638df007f391\Setup.exe
      c:\5a63ffa58a638df007f391\Setup.exe InjUpdate
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Checks processor information in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:1256

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
6.2MB

MD5
e819c37952e89ff0f473fa9b59cd771d

SHA1
de2a344ed3a2b1f4e0fbd4e684170db56903763e

SHA256
05f954e37982086a48a222726b8134fbef0caa78dbe1b66a3d4479b712d12012

SHA512
1e3eff7391308a5161b75ab47ef29178a53ce08693c63fd08f5f1443ceeed87c3b4d3779265d669a91af0192eb556913bcbf77b825678580e44fceeb3c76d148

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_05f954e37982086a48a222726b8134fbef0caa78dbe1b66a3d4479b712d12012.exe

Filesize
5.5MB

MD5
630d75210b325a280c3352f879297ed5

SHA1
b330b760a8f16d5a31c2dc815627f5eb40861008

SHA256
b06546ddc8ca1e3d532f3f2593e88a6f49e81b66a9c2051d58508cc97b6a2023

SHA512
b6e107fa34764d336c9b59802c858845df9f8661a1beb41436fd638a044580557921e69883ed32737f853e203f0083358f642f3efe0a80fae7932c5e6137331f

Download Submit
C:\Users\Admin\AppData\Local\Temp\B2975E00

Filesize
22KB

MD5
7acc01ff04c4abe9524d9ea8fa2a24ff

SHA1
2fb8adb0bc3a8521b23bc8e08225c604849072d0

SHA256
6be33028db9fcf4d11558e58f2ab465d789b8366e1cf45b55756a645cb2e96b6

SHA512
b54fdb2c85c345e11be8f1a5af05b9079d67502a179ca6d1a27b51323f6cf1c5dac7cf7666db48968c16ecdd7de258e05a6a5d4b6e23b0e108d69e03e0fe6d17

Download Submit
C:\Users\Admin\AppData\Local\Temp\HFI8A5F.tmp.html

Filesize
19KB

MD5
292e299db36f7da07936b50a63af4153

SHA1
13e27743fe406a7294ebe6f0d33fa2d03233d785

SHA256
485f3f608cbbfe77b8a2d3cbb3037cac7fa3865984ac1127fb825d45f7138541

SHA512
efbd82440b540285815094472291e3bd2a68d4ea70f58d4697a038c029305cb85a4832e51dfc26783051046b73be2372713867bad3f600bea3a1297041b450c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\dX3N2yof.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\a4418a06e9eec4d56d1edb9e34\sqmapi.dll

Filesize
141KB

MD5
3f0363b40376047eff6a9b97d633b750

SHA1
4eaf6650eca5ce931ee771181b04263c536a948b

SHA256
bd6395a58f55a8b1f4063e813ce7438f695b9b086bb965d8ac44e7a97d35a93c

SHA512
537be86e2f171e0b2b9f462ac7f62c4342beb5d00b68451228f28677d26a525014758672466ad15ed1fd073be38142dae478df67718908eae9e6266359e1f9e8

Download Submit
\??\c:\a4418a06e9eec4d56d1edb9e34\1028\LocalizedData.xml

Filesize
29KB

MD5
12df3535e4c4ef95a8cb03fd509b5874

SHA1
90b1f87ba02c1c89c159ebf0e1e700892b85dc39

SHA256
1c8132747dc33ccdb02345cbe706e65089a88fe32cf040684ca0d72bb9105119

SHA512
c6c8887e7023c4c1cbf849eebd17b6ad68fc14607d1c32c0d384f951e07bfaf6b61e0639f4e5978c9e3e1d52ef8a383b62622018a26fa4066eb620f584030808

Download Submit
\??\c:\a4418a06e9eec4d56d1edb9e34\1031\LocalizedData.xml

Filesize
40KB

MD5
b13ff959adc5c3e9c4ba4c4a76244464

SHA1
4df793626f41b92a5bc7c54757658ce30fdaeeb1

SHA256
44945bc0ba4be653d07f53e736557c51164224c8ec4e4672dfae1280260ba73b

SHA512
de78542d3bbc4c46871a8afb50fb408a59a76f6ed67e8be3cba8ba41724ea08df36400e233551b329277a7a0fe6168c5556abe9d9a735f41b29a941250bfc4d6

Download Submit
\??\c:\a4418a06e9eec4d56d1edb9e34\1033\LocalizedData.xml

Filesize
38KB

MD5
5486ff60b072102ee3231fd743b290a1

SHA1
d8d8a1d6bf6adf1095158b3c9b0a296a037632d0

SHA256
5ca3ecaa12ca56f955d403ca93c4cb36a7d3dcdea779fc9bdaa0cdd429dab706

SHA512
ae240eaac32edb18fd76982fc01e03bd9c8e40a9ec1b9c42d7ebd225570b7517949e045942dbb9e40e620aa9dcc9fbe0182c6cf207ac0a44d7358ad33ba81472

Download Submit
\??\c:\a4418a06e9eec4d56d1edb9e34\1033\SetupResources.dll

Filesize
16KB

MD5
9547d24ac04b4d0d1dbf84f74f54faf7

SHA1
71af6001c931c3de7c98ddc337d89ab133fe48bb

SHA256
36d0159ed1a7d88000737e920375868765c0a1dd6f5a5acbb79cf7d97d9e7a34

SHA512
8b6048f4185a711567679e2de4789407077ce5bfe72102d3cb1f23051b8d3e6bfd5886c801d85b4e62f467dd12da1c79026a4bc20b17f54c693b2f24e499d40f

Download Submit
\??\c:\a4418a06e9eec4d56d1edb9e34\1036\LocalizedData.xml

Filesize
40KB

MD5
4ce519f7e9754ec03768edeedaeed926

SHA1
213ae458992bf2c5a255991441653c5141f41b89

SHA256
bc4ca5ad609f0dd961263715e1f824524c43e73b744e55f90c703b759cae4d31

SHA512
8f2ff08a234d8e2e6ba85de3cd1c19a0b372d9fca4ff0fc1bba7fe7c5a165e933e2af5f93fc587e9230a066b70fb55d9f58256db509cc95a3b31d349f860f510

Download Submit
\??\c:\a4418a06e9eec4d56d1edb9e34\1040\LocalizedData.xml

Filesize
39KB

MD5
fe6b23186c2d77f7612bf7b1018a9b2a

SHA1
1528ec7633e998f040d2d4c37ac8a7dc87f99817

SHA256
03bbe1a39c6716f07703d20ed7539d8bf13b87870c2c83ddda5445c82953a80a

SHA512
40c9c9f3607cab24655593fc4766829516de33f13060be09f5ee65578824ac600cc1c07fe71cdd48bff7f52b447ff37c0d161d755a69ac7db7df118da6db7649

Download Submit
\??\c:\a4418a06e9eec4d56d1edb9e34\1041\LocalizedData.xml

Filesize
33KB

MD5
6f86b79dbf15e810331df2ca77f1043a

SHA1
875ed8498c21f396cc96b638911c23858ece5b88

SHA256
f0f9dd1a9f164f4d2e73b4d23cc5742da2c39549b9c4db692283839c5313e04f

SHA512
ca233a6bf55e253ebf1e8180a326667438e1124f6559054b87021095ef16ffc6b0c87361e0922087be4ca9cabd10828be3b6cc12c4032cb7f2a317fdbd76f818

Download Submit
\??\c:\a4418a06e9eec4d56d1edb9e34\1042\LocalizedData.xml

Filesize
32KB

MD5
e87ad0b3bf73f3e76500f28e195f7dc0

SHA1
716b842f6fbf6c68dc9c4e599c8182bfbb1354dc

SHA256
43b351419b73ac266c4b056a9c3a92f6dfa654328163814d17833a837577c070

SHA512
d3ea8655d42a2b0938c2189ceeab25c29939c302c2e2205e05d6059afc2a9b2039b21c083a7c17da1ce5eebdc934ff327a452034e2e715e497bcd6239395774c

Download Submit
\??\c:\a4418a06e9eec4d56d1edb9e34\1049\LocalizedData.xml

Filesize
39KB

MD5
1290be72ed991a3a800a6b2a124073b2

SHA1
dac09f9f2ccb3b273893b653f822e3dfc556d498

SHA256
6ba9a2e4a6a58f5bb792947990e51babd9d5151a7057e1a051cb007fea2eb41c

SHA512
c0b8b4421fcb2aabe2c8c8773fd03842e3523bf2b75d6262fd8bd952adc12c06541bdae0219e89f9f9f8d79567a4fe4dff99529366c4a7c5bf66c218431f3217

Download Submit
\??\c:\a4418a06e9eec4d56d1edb9e34\2052\LocalizedData.xml

Filesize
30KB

MD5
150b5c3d1b452dccbe8f1313fda1b18c

SHA1
7128b6b9e84d69c415808f1d325dd969b17914cc

SHA256
6d4eb9dca1cbcd3c2b39a993133731750b9fdf5988411f4a6da143b9204c01f2

SHA512
a45a1f4f19a27558e08939c7f63894ff5754e6840db86b8c8c68d400a36fb23179caff164d8b839898321030469b56446b5a8efc5765096dee5e8a746351e949

Download Submit
\??\c:\a4418a06e9eec4d56d1edb9e34\3082\LocalizedData.xml

Filesize
39KB

MD5
05a95593c61c744759e52caf5e13502e

SHA1
0054833d8a7a395a832e4c188c4d012301dd4090

SHA256
1a3e5e49da88393a71ea00d73fee7570e40edb816b72622e39c7fcd09c95ead1

SHA512
00aee4c02f9d6374560f7d2b826503aab332e1c4bc3203f88fe82e905471ec43f92f4af4fc52e46f377e4d297c2be99daf94980df2ce7664c169552800264fd3

Download Submit
\??\c:\a4418a06e9eec4d56d1edb9e34\DHTMLHeader.html

Filesize
15KB

MD5
cd131d41791a543cc6f6ed1ea5bd257c

SHA1
f42a2708a0b42a13530d26515274d1fcdbfe8490

SHA256
e139af8858fe90127095ac1c4685bcd849437ef0df7c416033554703f5d864bb

SHA512
a6ee9af8f8c2c7acd58dd3c42b8d70c55202b382ffc5a93772af7bf7d7740c1162bb6d38a4307b1802294a18eb52032d410e128072af7d4f9d54f415be020c9a

Download Submit
\??\c:\a4418a06e9eec4d56d1edb9e34\ParameterInfo.xml

Filesize
9KB

MD5
03e01a43300d94a371458e14d5e41781

SHA1
c5ac3cd50fae588ff1c258edae864040a200653c

SHA256
19de712560e5a25c5d67348996e7d4f95e8e3db6843086f52cb7209f2098200a

SHA512
e271d52264ff979ae429a4053c945d7e7288f41e9fc6c64309f0ab805cec166c825c2273073c4ef9ca5ab33f00802457b17df103a06cbc35c54642d146571bbb

Download Submit
\??\c:\a4418a06e9eec4d56d1edb9e34\Setup.exe

Filesize
76KB

MD5
006f8a615020a4a17f5e63801485df46

SHA1
78c82a80ebf9c8bf0c996dd8bc26087679f77fea

SHA256
d273460aa4d42f0b5764383e2ab852ab9af6fecb3ed866f1783869f2f155d8be

SHA512
c603ed6f3611eb7049a43a190ed223445a9f7bd5651100a825917198b50c70011e950fa968d3019439afa0a416752517b1c181ee9445e02da3904f4e4b73ce76

Download Submit
\??\c:\a4418a06e9eec4d56d1edb9e34\SetupEngine.dll

Filesize
788KB

MD5
84c1daf5f30ff99895ecab3a55354bcf

SHA1
7e25ba36bcc7deed89f3c9568016ddb3156c9c5a

SHA256
7a0d281fa802d615ea1207bd2e9ebb98f3b74f9833bba3cb964ba7c7e0fb67fd

SHA512
e4fb7e4d39f094463fdcdc4895ab2ea500eb51a32b6909cec80a526bbf34d5c0eb98f47ee256c0f0865bf3169374937f047bf5c4d6762779c8ca3332b4103be3

Download Submit
\??\c:\a4418a06e9eec4d56d1edb9e34\SetupUi.dll

Filesize
288KB

MD5
eb881e3dddc84b20bd92abcec444455f

SHA1
e2c32b1c86d4f70e39de65e9ebc4f361b24ff4a1

SHA256
11565d97287c01d22ad2e46c78d8a822fa3e6524561d4c02dfc87e8d346c44e7

SHA512
5750cec73b36a3f19bfb055f880f3b6498a7ae589017333f6272d26f1c72c6f475a3308826268a098372bbb096b43fbd1e06e93eecc0a81046668228bc179a75

Download Submit
\??\c:\a4418a06e9eec4d56d1edb9e34\SetupUi.xsd

Filesize
29KB

MD5
2fadd9e618eff8175f2a6e8b95c0cacc

SHA1
9ab1710a217d15b192188b19467932d947b0a4f8

SHA256
222211e8f512edf97d78bc93e1f271c922d5e91fa899e092b4a096776a704093

SHA512
a3a934a8572ff9208d38cf381649bd83de227c44b735489fd2a9dc5a636ead9bb62459c9460ee53f61f0587a494877cd3a3c2611997be563f3137f8236ffc4ca

Download Submit
\??\c:\a4418a06e9eec4d56d1edb9e34\Strings.xml

Filesize
13KB

MD5
332adf643747297b9bfa9527eaefe084

SHA1
670f933d778eca39938a515a39106551185205e9

SHA256
e49545feeae22198728ad04236e31e02035af7cc4d68e10cbecffd08669cbeca

SHA512
bea95ce35c4c37b4b2e36cc1e81fc297cc4a8e17b93f10423a02b015ddb593064541b5eb7003560fbeee512ed52869a113a6fb439c1133af01f884a0db0344b0

Download Submit
\??\c:\a4418a06e9eec4d56d1edb9e34\UiInfo.xml

Filesize
35KB

MD5
812f8d2e53f076366fa3a214bb4cf558

SHA1
35ae734cfb99bb139906b5f4e8efbf950762f6f0

SHA256
0d36a884a8381778bea71f5f9f0fc60cacadebd3f814679cb13414b8e7dbc283

SHA512
1dcc3ef8c390ca49fbcd50c02accd8cc5700db3594428e2129f79feb81e4cbbeef1b4a10628b2cd66edf31a69ed39ca2f4e252ad8aa13d2f793fca5b9a1eaf23

Download Submit
\??\c:\a4418a06e9eec4d56d1edb9e34\graphics\print.ico

Filesize
1KB

MD5
7e55ddc6d611176e697d01c90a1212cf

SHA1
e2620da05b8e4e2360da579a7be32c1b225deb1b

SHA256
ff542e32330b123486797b410621e19eafb39df3997e14701afa4c22096520ed

SHA512
283d381aa396820b7e15768b20099d67688da1f6315ec9f7938c2fcc3167777502cded0d1beddf015a34cc4e5d045bcb665ffd28ba2fbb6faf50fdd38b31d16e

Download Submit
\??\c:\a4418a06e9eec4d56d1edb9e34\graphics\save.ico

Filesize
1KB

MD5
7d62e82d960a938c98da02b1d5201bd5

SHA1
194e96b0440bf8631887e5e9d3cc485f8e90fbf5

SHA256
ae041c8764f56fd89277b34982145d16fc59a4754d261c861b19371c3271c6e5

SHA512
ab06b2605f0c1f6b71ef69563c0c977d06c6ea84d58ef7f2baecba566d6037d1458c2b58e6bfd70ddef47dccbdea6d9c2f2e46dea67ea9e92457f754d7042f67

Download Submit
\??\c:\a4418a06e9eec4d56d1edb9e34\graphics\setup.ico

Filesize
35KB

MD5
3d25d679e0ff0b8c94273dcd8b07049d

SHA1
a517fc5e96bc68a02a44093673ee7e076ad57308

SHA256
288e9ad8f0201e45bc187839f15aca79d6b9f76a7d3c9274c80f5d4a4c219c0f

SHA512
3bde668004ca7e28390862d0ae9903c756c16255bdbb3f7e73a5b093ce6a57a3165d6797b0a643b254493149231aca7f7f03e0af15a0cbe28aff02f0071ec255

Download Submit
\??\c:\a4418a06e9eec4d56d1edb9e34\graphics\stop.ico

Filesize
9KB

MD5
5dfa8d3abcf4962d9ec41cfc7c0f75e3

SHA1
4196b0878c6c66b6fa260ab765a0e79f7aec0d24

SHA256
b499e1b21091b539d4906e45b6fdf490d5445256b72871aece2f5b2562c11793

SHA512
69a13d4348384f134ba93c9a846c6760b342e3a7a2e9df9c7062088105ac0b77b8a524f179efb1724c0ce168e01ba8bb46f2d6fae39cabe32cab9a34fc293e4a

Download Submit
memory/684-0-0x00000000027E0000-0x00000000027E1000-memory.dmp

Filesize
4KB

Download
memory/684-168-0x0000000000400000-0x0000000000A37000-memory.dmp

Filesize
6.2MB

Download
memory/3460-209-0x0000000002590000-0x0000000002591000-memory.dmp

Filesize
4KB

Download
memory/3460-520-0x0000000002590000-0x0000000002591000-memory.dmp

Filesize
4KB

Download
memory/3460-519-0x0000000000400000-0x0000000000A37000-memory.dmp

Filesize
6.2MB

Download
memory/3460-553-0x0000000000400000-0x0000000000A37000-memory.dmp

Filesize
6.2MB

Download
memory/4028-351-0x00007FFB074D0000-0x00007FFB074E0000-memory.dmp

Filesize
64KB

Download
memory/4028-366-0x00007FFB074D0000-0x00007FFB074E0000-memory.dmp

Filesize
64KB

Download
memory/4028-380-0x00007FFB074D0000-0x00007FFB074E0000-memory.dmp

Filesize
64KB

Download
memory/4028-408-0x00007FFB04E40000-0x00007FFB04E50000-memory.dmp

Filesize
64KB

Download
memory/4028-421-0x00007FFB04E40000-0x00007FFB04E50000-memory.dmp

Filesize
64KB

Download
memory/4028-353-0x00007FFB074D0000-0x00007FFB074E0000-memory.dmp

Filesize
64KB

Download
memory/4028-354-0x00007FFB074D0000-0x00007FFB074E0000-memory.dmp

Filesize
64KB

Download