Overview

overview

10

Static

static

10

b80e8a9412...1N.exe

windows7-x64

10

b80e8a9412...1N.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    120s
  • max time network
    120s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250207-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250207-enlocale:en-usos:windows10-2004-x64system
  • submitted
    16-02-2025 22:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b80e8a9412e0aa8906b0ae15361b0e25ab21844496d188e7d8aafd7fdd9357f1N.exe

  • Size

    764KB

  • MD5

    c851a8c7be1f1760b144272b4bf5ffe0

  • SHA1

    14fade27cd4debd4817c676ad04e60a4d8741ea7

  • SHA256

    b80e8a9412e0aa8906b0ae15361b0e25ab21844496d188e7d8aafd7fdd9357f1

  • SHA512

    166bf8729e28c2d1da5fd5dbafc49ef23a2ca96c4af9e03da4fe7223ad761fc60abcac1b0a3e59e0e16f06460f2ff4fa1d864ec949d29f0b05ca2291f49ca3ba

  • SSDEEP

    12288:6MSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9URtj:6nsJ39LyjbJkQFMhmC+6GD9E

Score
10/10
xredadwarebackdoordiscoverypersistenceprivilege_escalationstealer

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes
  • email

    [email protected]

  • payload_url

    http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

    https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

    http://xred.site50.net/syn/SUpdate.ini

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

    https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

    http://xred.site50.net/syn/Synaptics.rar

    https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

    https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

    http://xred.site50.net/syn/SSLLibrary.dll

Signatures

  • Xred

    Xred is backdoor written in Delphi.

    backdoorxred
  • Xred family
    xred
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 7 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Downloads MZ/PE file 1 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Event Triggered Execution: Component Object Model Hijacking 1 TTPs

    Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    persistenceprivilege_escalation
  • Executes dropped EXE 13 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Installs/modifies Browser Helper Object 2 TTPs 8 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

    stealeradware
  • Drops file in System32 directory 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies Internet Explorer settings 1 TTPs 26 IoCs
    adwarespyware
  • Modifies data under HKEY_USERS 2 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs
  • System policy modification 1 TTPs 4 IoCs
    defense_evasion
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\b80e8a9412e0aa8906b0ae15361b0e25ab21844496d188e7d8aafd7fdd9357f1N.exe
    "C:\Users\Admin\AppData\Local\Temp\b80e8a9412e0aa8906b0ae15361b0e25ab21844496d188e7d8aafd7fdd9357f1N.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3604
    • C:\Users\Admin\AppData\Local\Temp\._cache_b80e8a9412e0aa8906b0ae15361b0e25ab21844496d188e7d8aafd7fdd9357f1N.exe
      "C:\Users\Admin\AppData\Local\Temp\._cache_b80e8a9412e0aa8906b0ae15361b0e25ab21844496d188e7d8aafd7fdd9357f1N.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:4272
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4272 -s 848
        3⤵
        • Program crash
        PID:980
    • C:\ProgramData\Synaptics\Synaptics.exe
      "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4556
      • C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:1744
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1744 -s 852
          4⤵
          • Program crash
          PID:4796
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4272 -ip 4272
    1⤵
      PID:740
    • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
      "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
      1⤵
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:2392
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1744 -ip 1744
      1⤵
        PID:1648
      • C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7QjlCRjAxREYtMzY4Qi00Nzk2LUFGRTEtRjBERjJBOUIzOEFEfSIgdXNlcmlkPSJ7MDE3NEY0MkYtMkU1Qy00NDkxLUI4MTEtMTY2RDYxQUI5MTg1fSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7NEY3NUJFOEItNDg1Ni00NEQzLUIzREQtREMwRTBDNUEwM0M4fSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSI5IiBpbnN0YWxsZGF0ZXRpbWU9IjE3Mzg5NDY0MzMiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4MzQxODc1OTU2NTAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI0ODAzMjM2NTE3Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
        1⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        PID:2960
      • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{79FA39DA-F518-4BBF-BE53-A0FF44E517A0}\MicrosoftEdge_X64_133.0.3065.69.exe
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{79FA39DA-F518-4BBF-BE53-A0FF44E517A0}\MicrosoftEdge_X64_133.0.3065.69.exe" --msedge --verbose-logging --do-not-launch-msedge --system-level --channel=stable
        1⤵
        • Suspicious use of WriteProcessMemory
        PID:220
        • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{79FA39DA-F518-4BBF-BE53-A0FF44E517A0}\EDGEMITMP_69FA9.tmp\setup.exe
          "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{79FA39DA-F518-4BBF-BE53-A0FF44E517A0}\EDGEMITMP_69FA9.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{79FA39DA-F518-4BBF-BE53-A0FF44E517A0}\MicrosoftEdge_X64_133.0.3065.69.exe" --msedge --verbose-logging --do-not-launch-msedge --system-level --channel=stable
          2⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Installs/modifies Browser Helper Object
          • Drops file in Program Files directory
          • Modifies Internet Explorer settings
          • Modifies registry class
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:3892
          • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{79FA39DA-F518-4BBF-BE53-A0FF44E517A0}\EDGEMITMP_69FA9.tmp\setup.exe
            "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{79FA39DA-F518-4BBF-BE53-A0FF44E517A0}\EDGEMITMP_69FA9.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{79FA39DA-F518-4BBF-BE53-A0FF44E517A0}\EDGEMITMP_69FA9.tmp\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff654696a68,0x7ff654696a74,0x7ff654696a80
            3⤵
            • Executes dropped EXE
            PID:3352
          • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{79FA39DA-F518-4BBF-BE53-A0FF44E517A0}\EDGEMITMP_69FA9.tmp\setup.exe
            "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{79FA39DA-F518-4BBF-BE53-A0FF44E517A0}\EDGEMITMP_69FA9.tmp\setup.exe" --msedge --channel=stable --system-level --verbose-logging --create-shortcuts=2 --install-level=1
            3⤵
            • Executes dropped EXE
            • Drops file in System32 directory
            • Drops file in Program Files directory
            • Modifies data under HKEY_USERS
            • Suspicious use of WriteProcessMemory
            PID:4244
            • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{79FA39DA-F518-4BBF-BE53-A0FF44E517A0}\EDGEMITMP_69FA9.tmp\setup.exe
              "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{79FA39DA-F518-4BBF-BE53-A0FF44E517A0}\EDGEMITMP_69FA9.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{79FA39DA-F518-4BBF-BE53-A0FF44E517A0}\EDGEMITMP_69FA9.tmp\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff654696a68,0x7ff654696a74,0x7ff654696a80
              4⤵
              • Executes dropped EXE
              PID:3784
          • C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Installer\setup.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Installer\setup.exe" --msedge --channel=stable --register-package-identity --verbose-logging --system-level
            3⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:4704
            • C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Installer\setup.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff71d326a68,0x7ff71d326a74,0x7ff71d326a80
              4⤵
              • Executes dropped EXE
              PID:232
          • C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Installer\setup.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Installer\setup.exe" --msedge --channel=stable --remove-deprecated-packages --verbose-logging --system-level
            3⤵
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:3300
            • C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Installer\setup.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff71d326a68,0x7ff71d326a74,0x7ff71d326a80
              4⤵
              • Executes dropped EXE
              PID:4336
          • C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Installer\setup.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Installer\setup.exe" --msedge --channel=stable --update-game-assist-package --verbose-logging --system-level
            3⤵
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:2700
            • C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Installer\setup.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff71d326a68,0x7ff71d326a74,0x7ff71d326a80
              4⤵
              • Executes dropped EXE
              PID:4624
      • C:\Windows\System32\svchost.exe
        C:\Windows\System32\svchost.exe -k AppReadiness -p -s AppReadiness
        1⤵
          PID:3324
        • C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\LocalBridge.exe
          "C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\LocalBridge.exe" /InvokerPRAID: Microsoft.MicrosoftOfficeHub prelaunch
          1⤵
            PID:672
          • C:\Windows\system32\wwahost.exe
            "C:\Windows\system32\wwahost.exe" -ServerName:Microsoft.MicrosoftOfficeHub.wwa
            1⤵
            • Modifies Internet Explorer settings
            • Modifies registry class
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            PID:2460

          Network

          MITRE ATT&CK Enterprise v15

          Reconnaissance

          Resource Development

          Initial Access

          Execution

          Persistence

          Boot or Logon Autostart Execution

          2
          T1547

          Active Setup

          1
          T1547.014

          Registry Run Keys / Startup Folder

          1
          T1547.001

          Browser Extensions

          1
          T1176

          Event Triggered Execution

          1
          T1546

          Component Object Model Hijacking

          1
          T1546.015

          Privilege Escalation

          Boot or Logon Autostart Execution

          2
          T1547

          Active Setup

          1
          T1547.014

          Registry Run Keys / Startup Folder

          1
          T1547.001

          Event Triggered Execution

          1
          T1546

          Component Object Model Hijacking

          1
          T1546.015

          Defense Evasion

          Modify Registry

          5
          T1112

          Credential Access

          Discovery

          Query Registry

          5
          T1012

          System Information Discovery

          4
          T1082

          System Location Discovery

          1
          T1614

          System Language Discovery

          1
          T1614.001

          System Network Configuration Discovery

          1
          T1016

          Internet Connection Discovery

          1
          T1016.001

          Lateral Movement

          Collection

          Command and Control

          Exfiltration

          Impact

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{79FA39DA-F518-4BBF-BE53-A0FF44E517A0}\EDGEMITMP_69FA9.tmp\setup.exe
            Filesize

            6.8MB

            MD5

            bdb1aecedc15fc82a63083452dad45c2

            SHA1

            a074fcd78665ff90ee3e50ffcccad5f6c3e7ddcb

            SHA256

            4ea0907c3fc2c2f6a4259002312671c82e008846d49957bb3b9915612e35b99f

            SHA512

            50909640c2957fc35dd5bcac3b51797aa5daa2fb95364e69df95d3577482e13f0c36a70ae098959cb9c2aaeb4cfe43025c1d8d55b5f8858b474bcb702609749d

            Download Submit

          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Filesize

            3.9MB

            MD5

            4aaa893417cccc147989f876c6a7b295

            SHA1

            b1e35c83518bb275924ead0cd6206bf0c982d30f

            SHA256

            2c38e3c3f18e2d3fb7f04336356b9b5186cabe06b3343beec318ef0def1a9eeb

            SHA512

            109e0c88977fae65a4950fc38393ca32a70d68ef41aeb75b28e6566e0fa626e32e31be38308e7ed5b6a8ba1f56fb5f2133a07aa8bb643224c3dbb089ce9cfd0e

            Download Submit

          • C:\Program Files\msedge_installer.log
            Filesize

            73KB

            MD5

            62f29d79d388cb3d402556cd987c981d

            SHA1

            51f12341e3b7a578ad653bcbb8573bdfe49c0878

            SHA256

            c269558550e7d8b50ae774a8beddf9f5a0162da99fc866843db9614a8f47cc14

            SHA512

            aa6a52cbad58fd035bb16d64a4cac991f04f5946261c3f00f80583b27b914ca28a832023a1646a7e3f0e3c51bc0d15dd1ffe0959ab42e586e246dd5d4b162d88

            Download Submit

          • C:\Program Files\msedge_installer.log
            Filesize

            98KB

            MD5

            e1ff0f58a7c2911a35d20d602bda5d8c

            SHA1

            bddc89a1283d62fd5546787aace795c543c35a18

            SHA256

            b5f19a6d3e4c49663df904706bc1567d5d390b5e43c2e37f0f83a7838cccdd77

            SHA512

            cbe9a4c51368bb657e40008f1ba34d57a528ba09cfbb2bdd918c80772a2fd60be33e6da032c87f6d27fc899adf12d17f23c68f8ec3d3c55ffcda35a5a726d4b6

            Download Submit

          • C:\Program Files\msedge_installer.log
            Filesize

            102KB

            MD5

            444147d5cd3c5631c113061897692c15

            SHA1

            3cb3a8063541e732f6ea2eeb80449b332c2e3442

            SHA256

            1214cbd9378133d83c548fa43fad6b451f7a22fe8eea5db1b7aff104d47bbe67

            SHA512

            0c6bb0791938a554819916cec78a6aaa92331cd1ee5775efb23598e4655ae17622d35ba089d19eb6ab5feb7cfb08715415656df72790adfcb66d9c756a1d8b17

            Download Submit

          • C:\Program Files\msedge_installer.log
            Filesize

            104KB

            MD5

            171cd846ef6c11c9c54a133d002bd1d2

            SHA1

            93268d2361396f3ba4cbb0e2e6636bfee063c899

            SHA256

            16392d9ba4c7268c89fbf143d70c60d69662f998cfb0654bd71f5e022a099815

            SHA512

            e92c774bfe567c3a3d32f9f04cfb1462b656bcecd9a5f13aefb95004e8fbe164a57aba3a814c940991bad183fb8e179238ead19394e6fbb0ebcd715bd5e67a1b

            Download Submit

          • C:\ProgramData\Synaptics\Synaptics.exe
            Filesize

            764KB

            MD5

            c851a8c7be1f1760b144272b4bf5ffe0

            SHA1

            14fade27cd4debd4817c676ad04e60a4d8741ea7

            SHA256

            b80e8a9412e0aa8906b0ae15361b0e25ab21844496d188e7d8aafd7fdd9357f1

            SHA512

            166bf8729e28c2d1da5fd5dbafc49ef23a2ca96c4af9e03da4fe7223ad761fc60abcac1b0a3e59e0e16f06460f2ff4fa1d864ec949d29f0b05ca2291f49ca3ba

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\._cache_b80e8a9412e0aa8906b0ae15361b0e25ab21844496d188e7d8aafd7fdd9357f1N.exe
            Filesize

            10KB

            MD5

            38b8fc55b6eca86475be26980355905c

            SHA1

            8160a8e2384f40f74e4794a232ec97481a7d3b55

            SHA256

            5f5548d6a67e5f00e64f72847a8199375445de4f49b4cd1942275ce59981e8eb

            SHA512

            fd27013843c9132ede633ddb0626022702a6d834bfa36830a96a37394a2a425968223725978edfbac674d75dcee27961759e0007c7cca52cf3cb7b49ffbcea5b

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\6AA75E00
            Filesize

            24KB

            MD5

            d974a38eaba3a39571db153fa06ae26d

            SHA1

            dbf36744794c2f0fa13d134af49c3e3e2fd0d563

            SHA256

            0c012c4892d3beefb3a5a8debdb6a668d0df7a94b40814b45bfe6d70d6a94690

            SHA512

            b716ff738a80eb2f5164e6826ea9097c42bb10d40ee2a4481c332e1cfc410714a1fc7977c7bc94add19328287ad1e0d5b4875cfafe97543aaa735785aec7f468

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\GS3jfzPp.xlsm
            Filesize

            17KB

            MD5

            e566fc53051035e1e6fd0ed1823de0f9

            SHA1

            00bc96c48b98676ecd67e81a6f1d7754e4156044

            SHA256

            8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

            SHA512

            a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

            Download Submit

          • memory/672-356-0x0000016F75A00000-0x0000016F75C49000-memory.dmp

            Filesize

            2.3MB

            Download

          • memory/672-353-0x0000016F730C0000-0x0000016F730CE000-memory.dmp

            Filesize

            56KB

            Download

          • memory/672-354-0x0000016F73570000-0x0000016F7357A000-memory.dmp

            Filesize

            40KB

            Download

          • memory/672-355-0x0000016F735A0000-0x0000016F735A8000-memory.dmp

            Filesize

            32KB

            Download

          • memory/2392-193-0x00007FF7C4390000-0x00007FF7C43A0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/2392-196-0x00007FF7C4390000-0x00007FF7C43A0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/2392-194-0x00007FF7C4390000-0x00007FF7C43A0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/2392-198-0x00007FF7C2140000-0x00007FF7C2150000-memory.dmp

            Filesize

            64KB

            Download

          • memory/2392-197-0x00007FF7C2140000-0x00007FF7C2150000-memory.dmp

            Filesize

            64KB

            Download

          • memory/2392-192-0x00007FF7C4390000-0x00007FF7C43A0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/2392-195-0x00007FF7C4390000-0x00007FF7C43A0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3604-127-0x0000000000400000-0x00000000004C5000-memory.dmp

            Filesize

            788KB

            Download

          • memory/3604-0-0x0000000002250000-0x0000000002251000-memory.dmp

            Filesize

            4KB

            Download

          • memory/4272-181-0x0000000000240000-0x0000000000248000-memory.dmp

            Filesize

            32KB

            Download

          • memory/4272-132-0x00000000733EE000-0x00000000733EF000-memory.dmp

            Filesize

            4KB

            Download

          • memory/4556-290-0x0000000000400000-0x00000000004C5000-memory.dmp

            Filesize

            788KB

            Download

          • memory/4556-263-0x0000000000400000-0x00000000004C5000-memory.dmp

            Filesize

            788KB

            Download

          • memory/4556-352-0x0000000000400000-0x00000000004C5000-memory.dmp

            Filesize

            788KB

            Download

          • memory/4556-246-0x0000000002110000-0x0000000002111000-memory.dmp

            Filesize

            4KB

            Download

          • memory/4556-129-0x0000000002110000-0x0000000002111000-memory.dmp

            Filesize

            4KB

            Download

          • memory/4556-247-0x0000000000400000-0x00000000004C5000-memory.dmp

            Filesize

            788KB

            Download