Malware Analysis Report

2025-04-13 21:03

Sample ID 250103-fdks3ssqbj
Target f8c39a8b1e229d775328bffa40493c830607a6755fd7e77a875e13845b96302a.exe
SHA256 f8c39a8b1e229d775328bffa40493c830607a6755fd7e77a875e13845b96302a
Tags
xred backdoor discovery persistence
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
10/10

SHA256

f8c39a8b1e229d775328bffa40493c830607a6755fd7e77a875e13845b96302a

Threat Level: Known bad

The file f8c39a8b1e229d775328bffa40493c830607a6755fd7e77a875e13845b96302a.exe was found to be: Known bad.

Malicious Activity Summary

xred backdoor discovery persistence

Xred

Xred family

Loads dropped DLL

Executes dropped EXE

Checks computer location settings

Adds Run key to start application

Enumerates physical storage devices

Unsigned PE

System Location Discovery: System Language Discovery

Office loads VBA resources, possible macro or embedded object present

Suspicious behavior: EnumeratesProcesses

Checks processor information in registry

Enumerates system info in registry

Suspicious use of WriteProcessMemory

Suspicious behavior: AddClipboardFormatListener

Suspicious use of SetWindowsHookEx

Suspicious behavior: GetForegroundWindowSpam

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-01-03 04:45

Signatures

Xred family

xred

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-01-03 04:45

Reported

2025-01-03 04:47

Platform

win7-20240903-en

Max time kernel

144s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f8c39a8b1e229d775328bffa40493c830607a6755fd7e77a875e13845b96302a.exe"

Signatures

Xred

backdoor xred

Xred family

xred

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" C:\Users\Admin\AppData\Local\Temp\f8c39a8b1e229d775328bffa40493c830607a6755fd7e77a875e13845b96302a.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\441ff82e19e303face3755088f\Setup.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\f8c39a8b1e229d775328bffa40493c830607a6755fd7e77a875e13845b96302a.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\._cache_f8c39a8b1e229d775328bffa40493c830607a6755fd7e77a875e13845b96302a.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\Synaptics\Synaptics.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\a39f5e022d713bafe8504379\Setup.exe N/A

Office loads VBA resources, possible macro or embedded object present

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\a39f5e022d713bafe8504379\Setup.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\a39f5e022d713bafe8504379\Setup.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\441ff82e19e303face3755088f\Setup.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\441ff82e19e303face3755088f\Setup.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlgLegacy\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC} C:\a39f5e022d713bafe8504379\Setup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlgLegacy\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9} C:\a39f5e022d713bafe8504379\Setup.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlgLegacy\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\Mode = "4" C:\a39f5e022d713bafe8504379\Setup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_Classes\Local Settings C:\a39f5e022d713bafe8504379\Setup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 C:\a39f5e022d713bafe8504379\Setup.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlgLegacy\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\IconSize = "16" C:\a39f5e022d713bafe8504379\Setup.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f4225481e03947bc34db131e946b44c8dd50000 C:\a39f5e022d713bafe8504379\Setup.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff C:\a39f5e022d713bafe8504379\Setup.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff C:\a39f5e022d713bafe8504379\Setup.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\TV_FolderType = "{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}" C:\a39f5e022d713bafe8504379\Setup.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\TV_TopViewID = "{82BA0782-5B7A-4569-B5D7-EC83085F08CC}" C:\a39f5e022d713bafe8504379\Setup.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlgLegacy\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\FFlags = "1092616257" C:\a39f5e022d713bafe8504379\Setup.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots C:\a39f5e022d713bafe8504379\Setup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 C:\a39f5e022d713bafe8504379\Setup.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff C:\a39f5e022d713bafe8504379\Setup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlgLegacy C:\a39f5e022d713bafe8504379\Setup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders C:\a39f5e022d713bafe8504379\Setup.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlgLegacy\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\LogicalViewMode = "1" C:\a39f5e022d713bafe8504379\Setup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\a39f5e022d713bafe8504379\Setup.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1" C:\a39f5e022d713bafe8504379\Setup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell C:\a39f5e022d713bafe8504379\Setup.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlgLegacy\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 C:\a39f5e022d713bafe8504379\Setup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 C:\a39f5e022d713bafe8504379\Setup.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlgLegacy\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\Sort = 000000000000000000000000000000000200000030f125b7ef471a10a5f102608c9eebac0a0000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff C:\a39f5e022d713bafe8504379\Setup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy C:\a39f5e022d713bafe8504379\Setup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags C:\a39f5e022d713bafe8504379\Setup.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 C:\a39f5e022d713bafe8504379\Setup.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\TV_TopViewVersion = "0" C:\a39f5e022d713bafe8504379\Setup.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff C:\a39f5e022d713bafe8504379\Setup.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 9e0000001a00eebbfe23000010007db10d7bd29c934a973346cc89022e7c00002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020002a0000000000efbe7e47b3fbe4c93b4ba2bad3f5d3cd46f98207ba827a5b6945b5d7ec83085f08cc20002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020000000 C:\a39f5e022d713bafe8504379\Setup.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\a39f5e022d713bafe8504379\Setup.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\441ff82e19e303face3755088f\Setup.exe N/A
N/A N/A C:\a39f5e022d713bafe8504379\Setup.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1684 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\f8c39a8b1e229d775328bffa40493c830607a6755fd7e77a875e13845b96302a.exe C:\Users\Admin\AppData\Local\Temp\._cache_f8c39a8b1e229d775328bffa40493c830607a6755fd7e77a875e13845b96302a.exe
PID 1684 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\f8c39a8b1e229d775328bffa40493c830607a6755fd7e77a875e13845b96302a.exe C:\Users\Admin\AppData\Local\Temp\._cache_f8c39a8b1e229d775328bffa40493c830607a6755fd7e77a875e13845b96302a.exe
PID 1684 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\f8c39a8b1e229d775328bffa40493c830607a6755fd7e77a875e13845b96302a.exe C:\Users\Admin\AppData\Local\Temp\._cache_f8c39a8b1e229d775328bffa40493c830607a6755fd7e77a875e13845b96302a.exe
PID 1684 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\f8c39a8b1e229d775328bffa40493c830607a6755fd7e77a875e13845b96302a.exe C:\Users\Admin\AppData\Local\Temp\._cache_f8c39a8b1e229d775328bffa40493c830607a6755fd7e77a875e13845b96302a.exe
PID 1684 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\f8c39a8b1e229d775328bffa40493c830607a6755fd7e77a875e13845b96302a.exe C:\Users\Admin\AppData\Local\Temp\._cache_f8c39a8b1e229d775328bffa40493c830607a6755fd7e77a875e13845b96302a.exe
PID 1684 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\f8c39a8b1e229d775328bffa40493c830607a6755fd7e77a875e13845b96302a.exe C:\Users\Admin\AppData\Local\Temp\._cache_f8c39a8b1e229d775328bffa40493c830607a6755fd7e77a875e13845b96302a.exe
PID 1684 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\f8c39a8b1e229d775328bffa40493c830607a6755fd7e77a875e13845b96302a.exe C:\Users\Admin\AppData\Local\Temp\._cache_f8c39a8b1e229d775328bffa40493c830607a6755fd7e77a875e13845b96302a.exe
PID 1684 wrote to memory of 536 N/A C:\Users\Admin\AppData\Local\Temp\f8c39a8b1e229d775328bffa40493c830607a6755fd7e77a875e13845b96302a.exe C:\ProgramData\Synaptics\Synaptics.exe
PID 1684 wrote to memory of 536 N/A C:\Users\Admin\AppData\Local\Temp\f8c39a8b1e229d775328bffa40493c830607a6755fd7e77a875e13845b96302a.exe C:\ProgramData\Synaptics\Synaptics.exe
PID 1684 wrote to memory of 536 N/A C:\Users\Admin\AppData\Local\Temp\f8c39a8b1e229d775328bffa40493c830607a6755fd7e77a875e13845b96302a.exe C:\ProgramData\Synaptics\Synaptics.exe
PID 1684 wrote to memory of 536 N/A C:\Users\Admin\AppData\Local\Temp\f8c39a8b1e229d775328bffa40493c830607a6755fd7e77a875e13845b96302a.exe C:\ProgramData\Synaptics\Synaptics.exe
PID 2984 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\._cache_f8c39a8b1e229d775328bffa40493c830607a6755fd7e77a875e13845b96302a.exe C:\a39f5e022d713bafe8504379\Setup.exe
PID 2984 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\._cache_f8c39a8b1e229d775328bffa40493c830607a6755fd7e77a875e13845b96302a.exe C:\a39f5e022d713bafe8504379\Setup.exe
PID 2984 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\._cache_f8c39a8b1e229d775328bffa40493c830607a6755fd7e77a875e13845b96302a.exe C:\a39f5e022d713bafe8504379\Setup.exe
PID 2984 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\._cache_f8c39a8b1e229d775328bffa40493c830607a6755fd7e77a875e13845b96302a.exe C:\a39f5e022d713bafe8504379\Setup.exe
PID 2984 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\._cache_f8c39a8b1e229d775328bffa40493c830607a6755fd7e77a875e13845b96302a.exe C:\a39f5e022d713bafe8504379\Setup.exe
PID 2984 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\._cache_f8c39a8b1e229d775328bffa40493c830607a6755fd7e77a875e13845b96302a.exe C:\a39f5e022d713bafe8504379\Setup.exe
PID 2984 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\._cache_f8c39a8b1e229d775328bffa40493c830607a6755fd7e77a875e13845b96302a.exe C:\a39f5e022d713bafe8504379\Setup.exe
PID 536 wrote to memory of 444 N/A C:\ProgramData\Synaptics\Synaptics.exe C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
PID 536 wrote to memory of 444 N/A C:\ProgramData\Synaptics\Synaptics.exe C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
PID 536 wrote to memory of 444 N/A C:\ProgramData\Synaptics\Synaptics.exe C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
PID 536 wrote to memory of 444 N/A C:\ProgramData\Synaptics\Synaptics.exe C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
PID 536 wrote to memory of 444 N/A C:\ProgramData\Synaptics\Synaptics.exe C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
PID 536 wrote to memory of 444 N/A C:\ProgramData\Synaptics\Synaptics.exe C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
PID 536 wrote to memory of 444 N/A C:\ProgramData\Synaptics\Synaptics.exe C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
PID 444 wrote to memory of 1452 N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe C:\441ff82e19e303face3755088f\Setup.exe
PID 444 wrote to memory of 1452 N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe C:\441ff82e19e303face3755088f\Setup.exe
PID 444 wrote to memory of 1452 N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe C:\441ff82e19e303face3755088f\Setup.exe
PID 444 wrote to memory of 1452 N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe C:\441ff82e19e303face3755088f\Setup.exe
PID 444 wrote to memory of 1452 N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe C:\441ff82e19e303face3755088f\Setup.exe
PID 444 wrote to memory of 1452 N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe C:\441ff82e19e303face3755088f\Setup.exe
PID 444 wrote to memory of 1452 N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe C:\441ff82e19e303face3755088f\Setup.exe

Processes

C:\Users\Admin\AppData\Local\Temp\f8c39a8b1e229d775328bffa40493c830607a6755fd7e77a875e13845b96302a.exe

"C:\Users\Admin\AppData\Local\Temp\f8c39a8b1e229d775328bffa40493c830607a6755fd7e77a875e13845b96302a.exe"

C:\Users\Admin\AppData\Local\Temp\._cache_f8c39a8b1e229d775328bffa40493c830607a6755fd7e77a875e13845b96302a.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_f8c39a8b1e229d775328bffa40493c830607a6755fd7e77a875e13845b96302a.exe"

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\a39f5e022d713bafe8504379\Setup.exe

C:\a39f5e022d713bafe8504379\\Setup.exe /x86 /x64 /ia64 /web

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\441ff82e19e303face3755088f\Setup.exe

C:\441ff82e19e303face3755088f\\Setup.exe InjUpdate /x86 /x64 /ia64 /web

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 xred.mooo.com udp
US 8.8.8.8:53 freedns.afraid.org udp
US 69.42.215.252:80 freedns.afraid.org tcp
US 8.8.8.8:53 docs.google.com udp
FR 216.58.214.174:443 docs.google.com tcp
US 8.8.8.8:53 c.pki.goog udp
FR 142.250.179.67:80 c.pki.goog tcp
US 8.8.8.8:53 o.pki.goog udp
FR 142.250.179.67:80 o.pki.goog tcp
US 8.8.8.8:53 drive.usercontent.google.com udp
FR 142.250.74.225:443 drive.usercontent.google.com tcp
US 8.8.8.8:53 crl.microsoft.com udp
GB 88.221.134.83:80 crl.microsoft.com tcp
US 8.8.8.8:53 www.microsoft.com udp
GB 95.100.245.144:80 www.microsoft.com tcp

Files


C:\a39f5e022d713bafe8504379\ParameterInfo.xml

MD5 7213da83e0f0b8ae4fea44ae1cb7f62b
SHA1 f2e3fcc77a1ad4d042253bd2e0010bcb40b68ed3
SHA256 59e67e4fb46e5490eee63d8b725324f1372720ade7345c74c6138c4a76ea73d9
SHA512 86186ab0f2cb38e520dd1284042eced157f96874846eb9061be9cf56b84a1cab5901a4879e105a8b04b336bbc43b03f4bdf198d43af868be188602347db829e0

memory/536-617-0x0000000000400000-0x000000000059B000-memory.dmp

memory/2908-618-0x000000005FFF0000-0x0000000060000000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ogdDh8ov.xlsm

MD5 588cc165c60d68f4602e1e82534a241c
SHA1 db0100f62bf43496c30e04638ece308101dad61c
SHA256 49a265d196359d2ddc187929ebf5a002833f54b6a7a169d0a4c38978f0573472
SHA512 33179c5c5e2d3ec160badd69b4534838fcbde88c8e0b1eb61b6ebc510123919f11e51298c656ba62456a66571234e76c32484fa1d9d2c04bf4380c4dc91d9ce4

C:\Users\Admin\AppData\Local\Temp\ogdDh8ov.xlsm

MD5 a21d0c54155ad310474ca45883e04a73
SHA1 90526dc6e0b7e2e1d0ec7b01b39075c49db4578f
SHA256 87bcdf624aefbb73d5aeb4662507dc710796a2826ce7e2a178e58c288a9704f9
SHA512 21baa27ff2c3389a5bdb9b2c35ba2dff127a7d9b9f88fd12e004720605eed9d30f1019741958aa71802968249742c944519949966d0734100e4aa00fcc23abe6

C:\Users\Admin\AppData\Local\Temp\ogdDh8ov.xlsm

MD5 d3099801437b1f2658aeec53428338f1
SHA1 e35348a43f9bcb2ee552472f36f60e7a837dc886
SHA256 033bcebbec6d52b41d3e0cad6f279367f18f9cacf7348665fe5cd0c184b1b5af
SHA512 6e82133fdbcdf28a32ebcdf4b5508c1fb0935405e71d7aee907d7befd94fe5ff979d6555ce1a73c1094603d9451d3194b7a6fb7d2a116fb756e8f796b3e6eceb

memory/2908-679-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/2888-681-0x0000000003450000-0x0000000003452000-memory.dmp

memory/536-680-0x0000000000400000-0x000000000059B000-memory.dmp

memory/536-682-0x0000000000400000-0x000000000059B000-memory.dmp

memory/536-707-0x0000000000400000-0x000000000059B000-memory.dmp

memory/536-718-0x0000000000400000-0x000000000059B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2025-01-03 04:45

Reported

2025-01-03 04:47

Platform

win10v2004-20241007-en

Max time kernel

147s

Max time network

138s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f8c39a8b1e229d775328bffa40493c830607a6755fd7e77a875e13845b96302a.exe"

Signatures

Xred

backdoor xred

Xred family

xred

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\f8c39a8b1e229d775328bffa40493c830607a6755fd7e77a875e13845b96302a.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation C:\ProgramData\Synaptics\Synaptics.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" C:\Users\Admin\AppData\Local\Temp\f8c39a8b1e229d775328bffa40493c830607a6755fd7e77a875e13845b96302a.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\39c7534da45e56710f27\Setup.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\be158bd5cbe590f3c2ed326120ed30\Setup.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\f8c39a8b1e229d775328bffa40493c830607a6755fd7e77a875e13845b96302a.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\._cache_f8c39a8b1e229d775328bffa40493c830607a6755fd7e77a875e13845b96302a.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\Synaptics\Synaptics.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\39c7534da45e56710f27\Setup.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\39c7534da45e56710f27\Setup.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\be158bd5cbe590f3c2ed326120ed30\Setup.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\be158bd5cbe590f3c2ed326120ed30\Setup.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Modifies registry class

Description Indicator Process Target
Set value (data) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff C:\39c7534da45e56710f27\Setup.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff C:\39c7534da45e56710f27\Setup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell C:\39c7534da45e56710f27\Setup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags C:\39c7534da45e56710f27\Setup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 C:\39c7534da45e56710f27\Setup.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1092616257" C:\39c7534da45e56710f27\Setup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell C:\39c7534da45e56710f27\Setup.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots C:\39c7534da45e56710f27\Setup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy C:\39c7534da45e56710f27\Setup.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\LogicalViewMode = "1" C:\39c7534da45e56710f27\Setup.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 C:\39c7534da45e56710f27\Setup.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:PID = "0" C:\39c7534da45e56710f27\Setup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 C:\39c7534da45e56710f27\Setup.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 C:\39c7534da45e56710f27\Setup.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1" C:\39c7534da45e56710f27\Setup.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000 C:\39c7534da45e56710f27\Setup.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents" C:\39c7534da45e56710f27\Setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Users\Admin\AppData\Local\Temp\f8c39a8b1e229d775328bffa40493c830607a6755fd7e77a875e13845b96302a.exe N/A
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\39c7534da45e56710f27\Setup.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1" C:\39c7534da45e56710f27\Setup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings C:\39c7534da45e56710f27\Setup.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff C:\39c7534da45e56710f27\Setup.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff C:\39c7534da45e56710f27\Setup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656} C:\39c7534da45e56710f27\Setup.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e80922b16d365937a46956b92703aca08af0000 C:\39c7534da45e56710f27\Setup.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Mode = "4" C:\39c7534da45e56710f27\Setup.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSize = "16" C:\39c7534da45e56710f27\Setup.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" C:\39c7534da45e56710f27\Setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\ProgramData\Synaptics\Synaptics.exe N/A
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 C:\39c7534da45e56710f27\Setup.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 C:\39c7534da45e56710f27\Setup.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupView = "0" C:\39c7534da45e56710f27\Setup.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\39c7534da45e56710f27\Setup.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4580 wrote to memory of 3964 N/A C:\Users\Admin\AppData\Local\Temp\f8c39a8b1e229d775328bffa40493c830607a6755fd7e77a875e13845b96302a.exe C:\Users\Admin\AppData\Local\Temp\._cache_f8c39a8b1e229d775328bffa40493c830607a6755fd7e77a875e13845b96302a.exe
PID 4580 wrote to memory of 3964 N/A C:\Users\Admin\AppData\Local\Temp\f8c39a8b1e229d775328bffa40493c830607a6755fd7e77a875e13845b96302a.exe C:\Users\Admin\AppData\Local\Temp\._cache_f8c39a8b1e229d775328bffa40493c830607a6755fd7e77a875e13845b96302a.exe
PID 4580 wrote to memory of 3964 N/A C:\Users\Admin\AppData\Local\Temp\f8c39a8b1e229d775328bffa40493c830607a6755fd7e77a875e13845b96302a.exe C:\Users\Admin\AppData\Local\Temp\._cache_f8c39a8b1e229d775328bffa40493c830607a6755fd7e77a875e13845b96302a.exe
PID 4580 wrote to memory of 800 N/A C:\Users\Admin\AppData\Local\Temp\f8c39a8b1e229d775328bffa40493c830607a6755fd7e77a875e13845b96302a.exe C:\ProgramData\Synaptics\Synaptics.exe
PID 4580 wrote to memory of 800 N/A C:\Users\Admin\AppData\Local\Temp\f8c39a8b1e229d775328bffa40493c830607a6755fd7e77a875e13845b96302a.exe C:\ProgramData\Synaptics\Synaptics.exe
PID 4580 wrote to memory of 800 N/A C:\Users\Admin\AppData\Local\Temp\f8c39a8b1e229d775328bffa40493c830607a6755fd7e77a875e13845b96302a.exe C:\ProgramData\Synaptics\Synaptics.exe
PID 3964 wrote to memory of 4764 N/A C:\Users\Admin\AppData\Local\Temp\._cache_f8c39a8b1e229d775328bffa40493c830607a6755fd7e77a875e13845b96302a.exe C:\39c7534da45e56710f27\Setup.exe
PID 3964 wrote to memory of 4764 N/A C:\Users\Admin\AppData\Local\Temp\._cache_f8c39a8b1e229d775328bffa40493c830607a6755fd7e77a875e13845b96302a.exe C:\39c7534da45e56710f27\Setup.exe
PID 3964 wrote to memory of 4764 N/A C:\Users\Admin\AppData\Local\Temp\._cache_f8c39a8b1e229d775328bffa40493c830607a6755fd7e77a875e13845b96302a.exe C:\39c7534da45e56710f27\Setup.exe
PID 800 wrote to memory of 184 N/A C:\ProgramData\Synaptics\Synaptics.exe C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
PID 800 wrote to memory of 184 N/A C:\ProgramData\Synaptics\Synaptics.exe C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
PID 800 wrote to memory of 184 N/A C:\ProgramData\Synaptics\Synaptics.exe C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
PID 184 wrote to memory of 1636 N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe C:\be158bd5cbe590f3c2ed326120ed30\Setup.exe
PID 184 wrote to memory of 1636 N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe C:\be158bd5cbe590f3c2ed326120ed30\Setup.exe
PID 184 wrote to memory of 1636 N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe C:\be158bd5cbe590f3c2ed326120ed30\Setup.exe

Processes

C:\Users\Admin\AppData\Local\Temp\f8c39a8b1e229d775328bffa40493c830607a6755fd7e77a875e13845b96302a.exe

"C:\Users\Admin\AppData\Local\Temp\f8c39a8b1e229d775328bffa40493c830607a6755fd7e77a875e13845b96302a.exe"

C:\Users\Admin\AppData\Local\Temp\._cache_f8c39a8b1e229d775328bffa40493c830607a6755fd7e77a875e13845b96302a.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_f8c39a8b1e229d775328bffa40493c830607a6755fd7e77a875e13845b96302a.exe"

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\39c7534da45e56710f27\Setup.exe

C:\39c7534da45e56710f27\\Setup.exe /x86 /x64 /ia64 /web

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding

C:\be158bd5cbe590f3c2ed326120ed30\Setup.exe

C:\be158bd5cbe590f3c2ed326120ed30\\Setup.exe InjUpdate /x86 /x64 /ia64 /web

Network


Files

SHA512 ef4cbd3f7f572a9f146a524cfbc2efbd084e6c70a65b96a42339adc088e3f0524bc202548340969481e7f3df3ac517ac34b200b56a3b9957802abd0efa951c49

memory/4200-678-0x00007FFD5E220000-0x00007FFD5E230000-memory.dmp

C:\39c7534da45e56710f27\graphics\save.ico

MD5 7d62e82d960a938c98da02b1d5201bd5
SHA1 194e96b0440bf8631887e5e9d3cc485f8e90fbf5
SHA256 ae041c8764f56fd89277b34982145d16fc59a4754d261c861b19371c3271c6e5
SHA512 ab06b2605f0c1f6b71ef69563c0c977d06c6ea84d58ef7f2baecba566d6037d1458c2b58e6bfd70ddef47dccbdea6d9c2f2e46dea67ea9e92457f754d7042f67

C:\39c7534da45e56710f27\graphics\print.ico

MD5 7e55ddc6d611176e697d01c90a1212cf
SHA1 e2620da05b8e4e2360da579a7be32c1b225deb1b
SHA256 ff542e32330b123486797b410621e19eafb39df3997e14701afa4c22096520ed
SHA512 283d381aa396820b7e15768b20099d67688da1f6315ec9f7938c2fcc3167777502cded0d1beddf015a34cc4e5d045bcb665ffd28ba2fbb6faf50fdd38b31d16e

C:\39c7534da45e56710f27\graphics\setup.ico

MD5 3d25d679e0ff0b8c94273dcd8b07049d
SHA1 a517fc5e96bc68a02a44093673ee7e076ad57308
SHA256 288e9ad8f0201e45bc187839f15aca79d6b9f76a7d3c9274c80f5d4a4c219c0f
SHA512 3bde668004ca7e28390862d0ae9903c756c16255bdbb3f7e73a5b093ce6a57a3165d6797b0a643b254493149231aca7f7f03e0af15a0cbe28aff02f0071ec255

C:\39c7534da45e56710f27\graphics\warn.ico

MD5 b2b1d79591fca103959806a4bf27d036
SHA1 481fd13a0b58299c41b3e705cb085c533038caf5
SHA256 fe4d06c318701bf0842d4b87d1bad284c553baf7a40987a7451338099d840a11
SHA512 5fe232415a39e0055abb5250b120ccdcd565ab102aa602a3083d4a4705ac6775d45e1ef0c2b787b3252232e9d4673fc3a77aab19ec79a3ff8b13c4d7094530d2

memory/4200-702-0x00007FFD5E220000-0x00007FFD5E230000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\5B875E00

MD5 e94891e80f40c0712ab449ec81e575a9
SHA1 e51628ff3fe610d1dad293d57be6cbaaba93a3c0
SHA256 abae6201b59c93203e8dbe1fb591e945a7e60096d63a3e47bebf51e18df7d9ca
SHA512 303bf0f1f833425a5ce6c623caa1121c3c0f1a8184c2f27b7c0bb8c472bf4113296b5acc70618d33dd00217091e0e61d51b6dbb06f58a50af0b34a14b8d6f181

memory/800-826-0x0000000002300000-0x0000000002301000-memory.dmp

memory/800-825-0x0000000000400000-0x000000000059B000-memory.dmp

memory/800-858-0x0000000000400000-0x000000000059B000-memory.dmp