Malware Analysis Report

2025-04-13 21:02

Sample ID 250103-dpeebsxjgx
Target 05f954e37982086a48a222726b8134fbef0caa78dbe1b66a3d4479b712d12012.exe
SHA256 05f954e37982086a48a222726b8134fbef0caa78dbe1b66a3d4479b712d12012
Tags xred backdoor discovery persistence
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK: Enterprise Matrix V15
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral1 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral2 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

Score 10/10

SHA256 05f954e37982086a48a222726b8134fbef0caa78dbe1b66a3d4479b712d12012

Threat Level: Known bad

The file 05f954e37982086a48a222726b8134fbef0caa78dbe1b66a3d4479b712d12012.exe was found to be: Known bad.

Malicious Activity Summary

xred backdoor discovery persistence

Xred family

Xred

Checks computer location settings

Loads dropped DLL

Executes dropped EXE

Adds Run key to start application

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Office loads VBA resources, possible macro or embedded object present

Checks processor information in registry

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Enumerates system info in registry

Suspicious behavior: EnumeratesProcesses

Modifies registry class

Suspicious behavior: AddClipboardFormatListener

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-01-03 03:10

Signatures

Xred family

xred

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-01-03 03:10

Reported

2025-01-03 03:13

Platform

win7-20241023-en

Max time kernel

144s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\05f954e37982086a48a222726b8134fbef0caa78dbe1b66a3d4479b712d12012.exe"

Signatures

Xred

backdoor xred

Xred family

xred

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" C:\Users\Admin\AppData\Local\Temp\05f954e37982086a48a222726b8134fbef0caa78dbe1b66a3d4479b712d12012.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\05f954e37982086a48a222726b8134fbef0caa78dbe1b66a3d4479b712d12012.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\._cache_05f954e37982086a48a222726b8134fbef0caa78dbe1b66a3d4479b712d12012.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\Synaptics\Synaptics.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\9a564db664c60c3adf377c\Setup.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\b2ea6d50632af1ae33e68b\Setup.exe N/A

Office loads VBA resources, possible macro or embedded object present

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz \??\c:\9a564db664c60c3adf377c\Setup.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 \??\c:\b2ea6d50632af1ae33e68b\Setup.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz \??\c:\b2ea6d50632af1ae33e68b\Setup.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 \??\c:\9a564db664c60c3adf377c\Setup.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Modifies registry class

Description Indicator Process Target
Set value (data) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots \??\c:\9a564db664c60c3adf377c\Setup.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\TV_FolderType = "{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}" \??\c:\9a564db664c60c3adf377c\Setup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlgLegacy\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9} \??\c:\9a564db664c60c3adf377c\Setup.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlgLegacy\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\FFlags = "1092616257" \??\c:\9a564db664c60c3adf377c\Setup.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f4225481e03947bc34db131e946b44c8dd50000 \??\c:\9a564db664c60c3adf377c\Setup.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1" \??\c:\9a564db664c60c3adf377c\Setup.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff \??\c:\9a564db664c60c3adf377c\Setup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags \??\c:\9a564db664c60c3adf377c\Setup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlgLegacy\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC} \??\c:\9a564db664c60c3adf377c\Setup.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlgLegacy\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\IconSize = "16" \??\c:\9a564db664c60c3adf377c\Setup.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlgLegacy\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\Mode = "4" \??\c:\9a564db664c60c3adf377c\Setup.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlgLegacy\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\LogicalViewMode = "1" \??\c:\9a564db664c60c3adf377c\Setup.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlgLegacy\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\Sort = 000000000000000000000000000000000200000030f125b7ef471a10a5f102608c9eebac0a0000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff \??\c:\9a564db664c60c3adf377c\Setup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_Classes\Local Settings \??\c:\9a564db664c60c3adf377c\Setup.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff \??\c:\9a564db664c60c3adf377c\Setup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 \??\c:\9a564db664c60c3adf377c\Setup.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 9e0000001a00eebbfe23000010007db10d7bd29c934a973346cc89022e7c00002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020002a0000000000efbe7e47b3fbe4c93b4ba2bad3f5d3cd46f98207ba827a5b6945b5d7ec83085f08cc20002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020000000 \??\c:\9a564db664c60c3adf377c\Setup.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\TV_TopViewID = "{82BA0782-5B7A-4569-B5D7-EC83085F08CC}" \??\c:\9a564db664c60c3adf377c\Setup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU \??\c:\9a564db664c60c3adf377c\Setup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders \??\c:\9a564db664c60c3adf377c\Setup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlgLegacy \??\c:\9a564db664c60c3adf377c\Setup.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 \??\c:\9a564db664c60c3adf377c\Setup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 \??\c:\9a564db664c60c3adf377c\Setup.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff \??\c:\9a564db664c60c3adf377c\Setup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy \??\c:\9a564db664c60c3adf377c\Setup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell \??\c:\9a564db664c60c3adf377c\Setup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 \??\c:\9a564db664c60c3adf377c\Setup.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff \??\c:\9a564db664c60c3adf377c\Setup.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\TV_TopViewVersion = "0" \??\c:\9a564db664c60c3adf377c\Setup.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlgLegacy\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 \??\c:\9a564db664c60c3adf377c\Setup.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\9a564db664c60c3adf377c\Setup.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A \??\c:\b2ea6d50632af1ae33e68b\Setup.exe N/A
N/A N/A \??\c:\9a564db664c60c3adf377c\Setup.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1240 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\05f954e37982086a48a222726b8134fbef0caa78dbe1b66a3d4479b712d12012.exe C:\Users\Admin\AppData\Local\Temp\._cache_05f954e37982086a48a222726b8134fbef0caa78dbe1b66a3d4479b712d12012.exe
PID 1240 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\05f954e37982086a48a222726b8134fbef0caa78dbe1b66a3d4479b712d12012.exe C:\ProgramData\Synaptics\Synaptics.exe
PID 2616 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\Temp\._cache_05f954e37982086a48a222726b8134fbef0caa78dbe1b66a3d4479b712d12012.exe \??\c:\9a564db664c60c3adf377c\Setup.exe
PID 3044 wrote to memory of 1280 N/A C:\ProgramData\Synaptics\Synaptics.exe C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
PID 1280 wrote to memory of 1800 N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe \??\c:\b2ea6d50632af1ae33e68b\Setup.exe

Processes

C:\Users\Admin\AppData\Local\Temp\05f954e37982086a48a222726b8134fbef0caa78dbe1b66a3d4479b712d12012.exe

"C:\Users\Admin\AppData\Local\Temp\05f954e37982086a48a222726b8134fbef0caa78dbe1b66a3d4479b712d12012.exe"

C:\Users\Admin\AppData\Local\Temp\._cache_05f954e37982086a48a222726b8134fbef0caa78dbe1b66a3d4479b712d12012.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_05f954e37982086a48a222726b8134fbef0caa78dbe1b66a3d4479b712d12012.exe"

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

\??\c:\9a564db664c60c3adf377c\Setup.exe

c:\9a564db664c60c3adf377c\Setup.exe

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

\??\c:\b2ea6d50632af1ae33e68b\Setup.exe

c:\b2ea6d50632af1ae33e68b\Setup.exe InjUpdate

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 xred.mooo.com udp
US 8.8.8.8:53 freedns.afraid.org udp
US 69.42.215.252:80 freedns.afraid.org tcp
US 8.8.8.8:53 docs.google.com udp
FR 216.58.214.174:443 docs.google.com tcp
US 8.8.8.8:53 c.pki.goog udp
FR 142.250.179.67:80 c.pki.goog tcp
US 8.8.8.8:53 o.pki.goog udp
FR 142.250.179.67:80 o.pki.goog tcp
US 8.8.8.8:53 drive.usercontent.google.com udp
FR 142.250.74.225:443 drive.usercontent.google.com tcp
US 8.8.8.8:53 www.microsoft.com udp
US 23.192.26.94:80 www.microsoft.com tcp
US 8.8.8.8:53 crl.microsoft.com udp
GB 88.221.134.146:80 crl.microsoft.com tcp

Files

memory/1240-0-0x0000000000220000-0x0000000000221000-memory.dmp

\Users\Admin\AppData\Local\Temp\._cache_05f954e37982086a48a222726b8134fbef0caa78dbe1b66a3d4479b712d12012.exe

C:\ProgramData\Synaptics\Synaptics.exe

\9a564db664c60c3adf377c\Setup.exe

\9a564db664c60c3adf377c\SetupEngine.dll

memory/1240-73-0x0000000000400000-0x0000000000A37000-memory.dmp

\9a564db664c60c3adf377c\sqmapi.dll

\??\c:\9a564db664c60c3adf377c\DHTMLHeader.html

C:\Users\Admin\AppData\Local\Temp\HFIC14D.tmp.html

\??\c:\9a564db664c60c3adf377c\UiInfo.xml

\??\c:\9a564db664c60c3adf377c\ParameterInfo.xml

\??\c:\9a564db664c60c3adf377c\1031\LocalizedData.xml

\??\c:\9a564db664c60c3adf377c\1042\LocalizedData.xml

\??\c:\b2ea6d50632af1ae33e68b\3082\LocalizedData.xml

\??\c:\b2ea6d50632af1ae33e68b\2052\LocalizedData.xml

\??\c:\b2ea6d50632af1ae33e68b\1049\LocalizedData.xml

\??\c:\b2ea6d50632af1ae33e68b\1041\LocalizedData.xml

\??\c:\b2ea6d50632af1ae33e68b\1040\LocalizedData.xml

\??\c:\b2ea6d50632af1ae33e68b\1036\LocalizedData.xml

\b2ea6d50632af1ae33e68b\SetupUi.dll

\??\c:\9a564db664c60c3adf377c\Strings.xml

\9a564db664c60c3adf377c\1033\SetupResources.dll

\??\c:\b2ea6d50632af1ae33e68b\SetupUi.xsd

\??\c:\b2ea6d50632af1ae33e68b\1028\LocalizedData.xml

\??\c:\b2ea6d50632af1ae33e68b\1033\LocalizedData.xml

\??\c:\9a564db664c60c3adf377c\graphics\setup.ico

memory/3044-234-0x0000000000400000-0x0000000000A37000-memory.dmp

memory/2244-277-0x000000005FFF0000-0x0000000060000000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\34z8k3TR.xlsm

memory/1648-318-0x0000000002F10000-0x0000000002F12000-memory.dmp

memory/3044-319-0x0000000000400000-0x0000000000A37000-memory.dmp

memory/3044-320-0x0000000000400000-0x0000000000A37000-memory.dmp

memory/3044-353-0x0000000000400000-0x0000000000A37000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2025-01-03 03:10

Reported

2025-01-03 03:13

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\05f954e37982086a48a222726b8134fbef0caa78dbe1b66a3d4479b712d12012.exe"

Signatures

Xred

backdoor xred

Xred family

xred

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\05f954e37982086a48a222726b8134fbef0caa78dbe1b66a3d4479b712d12012.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\ProgramData\Synaptics\Synaptics.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" C:\Users\Admin\AppData\Local\Temp\05f954e37982086a48a222726b8134fbef0caa78dbe1b66a3d4479b712d12012.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\5a63ffa58a638df007f391\Setup.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\05f954e37982086a48a222726b8134fbef0caa78dbe1b66a3d4479b712d12012.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\._cache_05f954e37982086a48a222726b8134fbef0caa78dbe1b66a3d4479b712d12012.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\Synaptics\Synaptics.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\a4418a06e9eec4d56d1edb9e34\Setup.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 \??\c:\a4418a06e9eec4d56d1edb9e34\Setup.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz \??\c:\a4418a06e9eec4d56d1edb9e34\Setup.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 \??\c:\5a63ffa58a638df007f391\Setup.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz \??\c:\5a63ffa58a638df007f391\Setup.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Modifies registry class

Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupView = "0" \??\c:\a4418a06e9eec4d56d1edb9e34\Setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Users\Admin\AppData\Local\Temp\05f954e37982086a48a222726b8134fbef0caa78dbe1b66a3d4479b712d12012.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\ProgramData\Synaptics\Synaptics.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff \??\c:\a4418a06e9eec4d56d1edb9e34\Setup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags \??\c:\a4418a06e9eec4d56d1edb9e34\Setup.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\LogicalViewMode = "1" \??\c:\a4418a06e9eec4d56d1edb9e34\Setup.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000 \??\c:\a4418a06e9eec4d56d1edb9e34\Setup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 \??\c:\a4418a06e9eec4d56d1edb9e34\Setup.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1" \??\c:\a4418a06e9eec4d56d1edb9e34\Setup.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:PID = "0" \??\c:\a4418a06e9eec4d56d1edb9e34\Setup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 \??\c:\a4418a06e9eec4d56d1edb9e34\Setup.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1092616257" \??\c:\a4418a06e9eec4d56d1edb9e34\Setup.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSize = "16" \??\c:\a4418a06e9eec4d56d1edb9e34\Setup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell \??\c:\a4418a06e9eec4d56d1edb9e34\Setup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU \??\c:\a4418a06e9eec4d56d1edb9e34\Setup.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff \??\c:\a4418a06e9eec4d56d1edb9e34\Setup.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 \??\c:\a4418a06e9eec4d56d1edb9e34\Setup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell \??\c:\a4418a06e9eec4d56d1edb9e34\Setup.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff \??\c:\a4418a06e9eec4d56d1edb9e34\Setup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656} \??\c:\a4418a06e9eec4d56d1edb9e34\Setup.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents" \??\c:\a4418a06e9eec4d56d1edb9e34\Setup.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Mode = "4" \??\c:\a4418a06e9eec4d56d1edb9e34\Setup.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" \??\c:\a4418a06e9eec4d56d1edb9e34\Setup.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 \??\c:\a4418a06e9eec4d56d1edb9e34\Setup.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1" \??\c:\a4418a06e9eec4d56d1edb9e34\Setup.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots \??\c:\a4418a06e9eec4d56d1edb9e34\Setup.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff \??\c:\a4418a06e9eec4d56d1edb9e34\Setup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy \??\c:\a4418a06e9eec4d56d1edb9e34\Setup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings \??\c:\a4418a06e9eec4d56d1edb9e34\Setup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 \??\c:\a4418a06e9eec4d56d1edb9e34\Setup.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e80922b16d365937a46956b92703aca08af0000 \??\c:\a4418a06e9eec4d56d1edb9e34\Setup.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 \??\c:\a4418a06e9eec4d56d1edb9e34\Setup.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\a4418a06e9eec4d56d1edb9e34\Setup.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 684 wrote to memory of 3536 N/A C:\Users\Admin\AppData\Local\Temp\05f954e37982086a48a222726b8134fbef0caa78dbe1b66a3d4479b712d12012.exe C:\Users\Admin\AppData\Local\Temp\._cache_05f954e37982086a48a222726b8134fbef0caa78dbe1b66a3d4479b712d12012.exe
PID 684 wrote to memory of 3536 N/A C:\Users\Admin\AppData\Local\Temp\05f954e37982086a48a222726b8134fbef0caa78dbe1b66a3d4479b712d12012.exe C:\Users\Admin\AppData\Local\Temp\._cache_05f954e37982086a48a222726b8134fbef0caa78dbe1b66a3d4479b712d12012.exe
PID 684 wrote to memory of 3536 N/A C:\Users\Admin\AppData\Local\Temp\05f954e37982086a48a222726b8134fbef0caa78dbe1b66a3d4479b712d12012.exe C:\Users\Admin\AppData\Local\Temp\._cache_05f954e37982086a48a222726b8134fbef0caa78dbe1b66a3d4479b712d12012.exe
PID 684 wrote to memory of 3460 N/A C:\Users\Admin\AppData\Local\Temp\05f954e37982086a48a222726b8134fbef0caa78dbe1b66a3d4479b712d12012.exe C:\ProgramData\Synaptics\Synaptics.exe
PID 684 wrote to memory of 3460 N/A C:\Users\Admin\AppData\Local\Temp\05f954e37982086a48a222726b8134fbef0caa78dbe1b66a3d4479b712d12012.exe C:\ProgramData\Synaptics\Synaptics.exe
PID 684 wrote to memory of 3460 N/A C:\Users\Admin\AppData\Local\Temp\05f954e37982086a48a222726b8134fbef0caa78dbe1b66a3d4479b712d12012.exe C:\ProgramData\Synaptics\Synaptics.exe
PID 3536 wrote to memory of 4776 N/A C:\Users\Admin\AppData\Local\Temp\._cache_05f954e37982086a48a222726b8134fbef0caa78dbe1b66a3d4479b712d12012.exe \??\c:\a4418a06e9eec4d56d1edb9e34\Setup.exe
PID 3536 wrote to memory of 4776 N/A C:\Users\Admin\AppData\Local\Temp\._cache_05f954e37982086a48a222726b8134fbef0caa78dbe1b66a3d4479b712d12012.exe \??\c:\a4418a06e9eec4d56d1edb9e34\Setup.exe
PID 3536 wrote to memory of 4776 N/A C:\Users\Admin\AppData\Local\Temp\._cache_05f954e37982086a48a222726b8134fbef0caa78dbe1b66a3d4479b712d12012.exe \??\c:\a4418a06e9eec4d56d1edb9e34\Setup.exe
PID 3460 wrote to memory of 1600 N/A C:\ProgramData\Synaptics\Synaptics.exe C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
PID 3460 wrote to memory of 1600 N/A C:\ProgramData\Synaptics\Synaptics.exe C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
PID 3460 wrote to memory of 1600 N/A C:\ProgramData\Synaptics\Synaptics.exe C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
PID 1600 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe \??\c:\5a63ffa58a638df007f391\Setup.exe
PID 1600 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe \??\c:\5a63ffa58a638df007f391\Setup.exe
PID 1600 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe \??\c:\5a63ffa58a638df007f391\Setup.exe

Processes

C:\Users\Admin\AppData\Local\Temp\05f954e37982086a48a222726b8134fbef0caa78dbe1b66a3d4479b712d12012.exe

"C:\Users\Admin\AppData\Local\Temp\05f954e37982086a48a222726b8134fbef0caa78dbe1b66a3d4479b712d12012.exe"

C:\Users\Admin\AppData\Local\Temp\._cache_05f954e37982086a48a222726b8134fbef0caa78dbe1b66a3d4479b712d12012.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_05f954e37982086a48a222726b8134fbef0caa78dbe1b66a3d4479b712d12012.exe"

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

\??\c:\a4418a06e9eec4d56d1edb9e34\Setup.exe

c:\a4418a06e9eec4d56d1edb9e34\Setup.exe

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding

\??\c:\5a63ffa58a638df007f391\Setup.exe

c:\5a63ffa58a638df007f391\Setup.exe InjUpdate

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 60.153.16.2.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 46.28.109.52.in-addr.arpa udp
US 8.8.8.8:53 xred.mooo.com udp
US 8.8.8.8:53 freedns.afraid.org udp
US 69.42.215.252:80 freedns.afraid.org tcp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 252.215.42.69.in-addr.arpa udp
US 8.8.8.8:53 15.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 docs.google.com udp
FR 216.58.214.174:443 docs.google.com tcp
US 8.8.8.8:53 174.214.58.216.in-addr.arpa udp
US 8.8.8.8:53 67.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 c.pki.goog udp
FR 142.250.179.67:80 c.pki.goog tcp
US 8.8.8.8:53 o.pki.goog udp
FR 142.250.179.67:80 o.pki.goog tcp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 drive.usercontent.google.com udp
FR 142.250.74.225:443 drive.usercontent.google.com tcp
US 8.8.8.8:53 225.74.250.142.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\._cache_05f954e37982086a48a222726b8134fbef0caa78dbe1b66a3d4479b712d12012.exe

C:\ProgramData\Synaptics\Synaptics.exe

\??\c:\a4418a06e9eec4d56d1edb9e34\Setup.exe

\??\c:\a4418a06e9eec4d56d1edb9e34\SetupEngine.dll

C:\a4418a06e9eec4d56d1edb9e34\sqmapi.dll

\??\c:\a4418a06e9eec4d56d1edb9e34\DHTMLHeader.html

\??\c:\a4418a06e9eec4d56d1edb9e34\ParameterInfo.xml

\??\c:\a4418a06e9eec4d56d1edb9e34\1041\LocalizedData.xml

\??\c:\a4418a06e9eec4d56d1edb9e34\1049\LocalizedData.xml

\??\c:\a4418a06e9eec4d56d1edb9e34\1042\LocalizedData.xml

\??\c:\a4418a06e9eec4d56d1edb9e34\2052\LocalizedData.xml

\??\c:\a4418a06e9eec4d56d1edb9e34\1040\LocalizedData.xml

\??\c:\a4418a06e9eec4d56d1edb9e34\1036\LocalizedData.xml

\??\c:\a4418a06e9eec4d56d1edb9e34\1031\LocalizedData.xml

\??\c:\a4418a06e9eec4d56d1edb9e34\1028\LocalizedData.xml

\??\c:\a4418a06e9eec4d56d1edb9e34\1033\LocalizedData.xml

\??\c:\a4418a06e9eec4d56d1edb9e34\3082\LocalizedData.xml

\??\c:\a4418a06e9eec4d56d1edb9e34\UiInfo.xml

C:\Users\Admin\AppData\Local\Temp\HFI8A5F.tmp.html

\??\c:\a4418a06e9eec4d56d1edb9e34\SetupUi.dll

\??\c:\a4418a06e9eec4d56d1edb9e34\SetupUi.xsd

\??\c:\a4418a06e9eec4d56d1edb9e34\1033\SetupResources.dll

\??\c:\a4418a06e9eec4d56d1edb9e34\Strings.xml

\??\c:\a4418a06e9eec4d56d1edb9e34\graphics\print.ico

\??\c:\a4418a06e9eec4d56d1edb9e34\graphics\save.ico

\??\c:\a4418a06e9eec4d56d1edb9e34\graphics\stop.ico

\??\c:\a4418a06e9eec4d56d1edb9e34\graphics\setup.ico

C:\Users\Admin\AppData\Local\Temp\dX3N2yof.xlsm

C:\Users\Admin\AppData\Local\Temp\B2975E00
