gh0strat | f3f7199ba9ae45e662bed0b593057355aeb5b604817599ee33b70f261ce926c1

Analysis

max time kernel
150s
max time network
149s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
09-11-2024 21:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f3f7199ba9ae45e662bed0b593057355aeb5b604817599ee33b70f261ce926c1.exe
Size

1.5MB
MD5

a3007093692d237b7c65f833bddf18d5
SHA1

f7c2841e1a51c7329d673e956f01b04d83db0eaf
SHA256

f3f7199ba9ae45e662bed0b593057355aeb5b604817599ee33b70f261ce926c1
SHA512

1c3acd7a7495a1358951bf704dbfa19d38258adca20954f83e0352d109ed0a518c25864201e0b9283133c3f8bfca6e78e586180836b49bfbcb63307cf7381115
SSDEEP

24576:7i2Tro2H2HESq2eWJ6MQjySjylCnsJ39LyjbJkQFMhmC+6GD9QzF1lU6A:7xTc2H2tFvduySQCnsHyjtk2MYC5GDmY

Score

10^/10

gh0strat purplefox xred backdoor discovery persistence rat rootkit trojan upx

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Detect PurpleFox Rootkit 6 IoCs

Detect PurpleFox Rootkit.

rootkit

Processes:

resource	yara_rule
behavioral1/memory/2252-24-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/2252-23-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/2252-22-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/2324-56-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/2324-59-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/2324-61-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit

Gh0st RAT payload 6 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2252-24-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/2252-23-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/2252-22-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/2324-56-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/2324-59-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/2324-61-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Gh0strat family
gh0strat
PurpleFox
PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
rootkit trojan purplefox
Purplefox family
purplefox
Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred
Drops file in Drivers directory 1 IoCs

Processes:

TXPlatforn.exe

description ioc process

File created C:\Windows\system32\drivers\QAssist.sys TXPlatforn.exe

description	ioc	process
File created	C:\Windows\system32\drivers\QAssist.sys	TXPlatforn.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

TXPlatforn.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys"	TXPlatforn.exe

Executes dropped EXE 7 IoCs

Processes:

HD_f3f7199ba9ae45e662bed0b593057355aeb5b604817599ee33b70f261ce926c1.exeRVN.exeTXPlatforn.exeTXPlatforn.exe._cache_HD_f3f7199ba9ae45e662bed0b593057355aeb5b604817599ee33b70f261ce926c1.exeSynaptics.exe._cache_Synaptics.exe

pid	process
2424	HD_f3f7199ba9ae45e662bed0b593057355aeb5b604817599ee33b70f261ce926c1.exe
2252	RVN.exe
2240	TXPlatforn.exe
2324	TXPlatforn.exe
2752	._cache_HD_f3f7199ba9ae45e662bed0b593057355aeb5b604817599ee33b70f261ce926c1.exe
2772	Synaptics.exe
864	._cache_Synaptics.exe

Loads dropped DLL 11 IoCs

Processes:

f3f7199ba9ae45e662bed0b593057355aeb5b604817599ee33b70f261ce926c1.exeTXPlatforn.exeHD_f3f7199ba9ae45e662bed0b593057355aeb5b604817599ee33b70f261ce926c1.exeSynaptics.exe

pid	process
1856	f3f7199ba9ae45e662bed0b593057355aeb5b604817599ee33b70f261ce926c1.exe
1856	f3f7199ba9ae45e662bed0b593057355aeb5b604817599ee33b70f261ce926c1.exe
1856	f3f7199ba9ae45e662bed0b593057355aeb5b604817599ee33b70f261ce926c1.exe
2240	TXPlatforn.exe
2424	HD_f3f7199ba9ae45e662bed0b593057355aeb5b604817599ee33b70f261ce926c1.exe
2424	HD_f3f7199ba9ae45e662bed0b593057355aeb5b604817599ee33b70f261ce926c1.exe
2424	HD_f3f7199ba9ae45e662bed0b593057355aeb5b604817599ee33b70f261ce926c1.exe
2424	HD_f3f7199ba9ae45e662bed0b593057355aeb5b604817599ee33b70f261ce926c1.exe
2772	Synaptics.exe
2772	Synaptics.exe
2772	Synaptics.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

HD_f3f7199ba9ae45e662bed0b593057355aeb5b604817599ee33b70f261ce926c1.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	HD_f3f7199ba9ae45e662bed0b593057355aeb5b604817599ee33b70f261ce926c1.exe

Drops file in System32 directory 2 IoCs

Processes:

RVN.exe

description ioc process

File created C:\Windows\SysWOW64\TXPlatforn.exe RVN.exe
File opened for modification C:\Windows\SysWOW64\TXPlatforn.exe RVN.exe

description	ioc	process
File created	C:\Windows\SysWOW64\TXPlatforn.exe	RVN.exe
File opened for modification	C:\Windows\SysWOW64\TXPlatforn.exe	RVN.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2252-24-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2252-23-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2252-22-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2252-20-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2324-56-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2324-59-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2324-61-0x0000000010000000-0x00000000101B6000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

PING.EXEf3f7199ba9ae45e662bed0b593057355aeb5b604817599ee33b70f261ce926c1.exeRVN.execmd.exeSynaptics.exe._cache_Synaptics.exeEXCEL.EXEHD_f3f7199ba9ae45e662bed0b593057355aeb5b604817599ee33b70f261ce926c1.exeTXPlatforn.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f3f7199ba9ae45e662bed0b593057355aeb5b604817599ee33b70f261ce926c1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RVN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HD_f3f7199ba9ae45e662bed0b593057355aeb5b604817599ee33b70f261ce926c1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TXPlatforn.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
discovery

Internet Connection Discovery
T1016.001

Processes:

cmd.exePING.EXE

pid process

2012 cmd.exe
2620 PING.EXE
Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2620 PING.EXE
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

2084 EXCEL.EXE
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

f3f7199ba9ae45e662bed0b593057355aeb5b604817599ee33b70f261ce926c1.exe

pid process

1856 f3f7199ba9ae45e662bed0b593057355aeb5b604817599ee33b70f261ce926c1.exe
Suspicious behavior: LoadsDriver 1 IoCs

Processes:

TXPlatforn.exe

pid process

2324 TXPlatforn.exe

pid	process
2012	cmd.exe
2620	PING.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

pid	process
2620	PING.EXE

pid	process
2084	EXCEL.EXE

pid	process
2324	TXPlatforn.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

RVN.exeTXPlatforn.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	2252	RVN.exe
Token: SeLoadDriverPrivilege	2324	TXPlatforn.exe
Token: 33	2324	TXPlatforn.exe
Token: SeIncBasePriorityPrivilege	2324	TXPlatforn.exe
Token: 33	2324	TXPlatforn.exe
Token: SeIncBasePriorityPrivilege	2324	TXPlatforn.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

f3f7199ba9ae45e662bed0b593057355aeb5b604817599ee33b70f261ce926c1.exeEXCEL.EXE

pid process

1856 f3f7199ba9ae45e662bed0b593057355aeb5b604817599ee33b70f261ce926c1.exe
2084 EXCEL.EXE

Suspicious use of WriteProcessMemory 38 IoCs

Processes:

f3f7199ba9ae45e662bed0b593057355aeb5b604817599ee33b70f261ce926c1.exeRVN.exeTXPlatforn.exeHD_f3f7199ba9ae45e662bed0b593057355aeb5b604817599ee33b70f261ce926c1.execmd.exeSynaptics.exe

description	pid	process	target process
PID 1856 wrote to memory of 2252	1856	f3f7199ba9ae45e662bed0b593057355aeb5b604817599ee33b70f261ce926c1.exe	RVN.exe
PID 1856 wrote to memory of 2252	1856	f3f7199ba9ae45e662bed0b593057355aeb5b604817599ee33b70f261ce926c1.exe	RVN.exe
PID 1856 wrote to memory of 2252	1856	f3f7199ba9ae45e662bed0b593057355aeb5b604817599ee33b70f261ce926c1.exe	RVN.exe
PID 1856 wrote to memory of 2252	1856	f3f7199ba9ae45e662bed0b593057355aeb5b604817599ee33b70f261ce926c1.exe	RVN.exe
PID 1856 wrote to memory of 2252	1856	f3f7199ba9ae45e662bed0b593057355aeb5b604817599ee33b70f261ce926c1.exe	RVN.exe
PID 1856 wrote to memory of 2252	1856	f3f7199ba9ae45e662bed0b593057355aeb5b604817599ee33b70f261ce926c1.exe	RVN.exe
PID 1856 wrote to memory of 2252	1856	f3f7199ba9ae45e662bed0b593057355aeb5b604817599ee33b70f261ce926c1.exe	RVN.exe
PID 1856 wrote to memory of 2424	1856	f3f7199ba9ae45e662bed0b593057355aeb5b604817599ee33b70f261ce926c1.exe	HD_f3f7199ba9ae45e662bed0b593057355aeb5b604817599ee33b70f261ce926c1.exe
PID 1856 wrote to memory of 2424	1856	f3f7199ba9ae45e662bed0b593057355aeb5b604817599ee33b70f261ce926c1.exe	HD_f3f7199ba9ae45e662bed0b593057355aeb5b604817599ee33b70f261ce926c1.exe
PID 1856 wrote to memory of 2424	1856	f3f7199ba9ae45e662bed0b593057355aeb5b604817599ee33b70f261ce926c1.exe	HD_f3f7199ba9ae45e662bed0b593057355aeb5b604817599ee33b70f261ce926c1.exe
PID 1856 wrote to memory of 2424	1856	f3f7199ba9ae45e662bed0b593057355aeb5b604817599ee33b70f261ce926c1.exe	HD_f3f7199ba9ae45e662bed0b593057355aeb5b604817599ee33b70f261ce926c1.exe
PID 2252 wrote to memory of 2012	2252	RVN.exe	cmd.exe
PID 2252 wrote to memory of 2012	2252	RVN.exe	cmd.exe
PID 2252 wrote to memory of 2012	2252	RVN.exe	cmd.exe
PID 2252 wrote to memory of 2012	2252	RVN.exe	cmd.exe
PID 2240 wrote to memory of 2324	2240	TXPlatforn.exe	TXPlatforn.exe
PID 2240 wrote to memory of 2324	2240	TXPlatforn.exe	TXPlatforn.exe
PID 2240 wrote to memory of 2324	2240	TXPlatforn.exe	TXPlatforn.exe
PID 2240 wrote to memory of 2324	2240	TXPlatforn.exe	TXPlatforn.exe
PID 2240 wrote to memory of 2324	2240	TXPlatforn.exe	TXPlatforn.exe
PID 2240 wrote to memory of 2324	2240	TXPlatforn.exe	TXPlatforn.exe
PID 2240 wrote to memory of 2324	2240	TXPlatforn.exe	TXPlatforn.exe
PID 2424 wrote to memory of 2752	2424	HD_f3f7199ba9ae45e662bed0b593057355aeb5b604817599ee33b70f261ce926c1.exe	._cache_HD_f3f7199ba9ae45e662bed0b593057355aeb5b604817599ee33b70f261ce926c1.exe
PID 2424 wrote to memory of 2752	2424	HD_f3f7199ba9ae45e662bed0b593057355aeb5b604817599ee33b70f261ce926c1.exe	._cache_HD_f3f7199ba9ae45e662bed0b593057355aeb5b604817599ee33b70f261ce926c1.exe
PID 2424 wrote to memory of 2752	2424	HD_f3f7199ba9ae45e662bed0b593057355aeb5b604817599ee33b70f261ce926c1.exe	._cache_HD_f3f7199ba9ae45e662bed0b593057355aeb5b604817599ee33b70f261ce926c1.exe
PID 2424 wrote to memory of 2752	2424	HD_f3f7199ba9ae45e662bed0b593057355aeb5b604817599ee33b70f261ce926c1.exe	._cache_HD_f3f7199ba9ae45e662bed0b593057355aeb5b604817599ee33b70f261ce926c1.exe
PID 2424 wrote to memory of 2772	2424	HD_f3f7199ba9ae45e662bed0b593057355aeb5b604817599ee33b70f261ce926c1.exe	Synaptics.exe
PID 2424 wrote to memory of 2772	2424	HD_f3f7199ba9ae45e662bed0b593057355aeb5b604817599ee33b70f261ce926c1.exe	Synaptics.exe
PID 2424 wrote to memory of 2772	2424	HD_f3f7199ba9ae45e662bed0b593057355aeb5b604817599ee33b70f261ce926c1.exe	Synaptics.exe
PID 2424 wrote to memory of 2772	2424	HD_f3f7199ba9ae45e662bed0b593057355aeb5b604817599ee33b70f261ce926c1.exe	Synaptics.exe
PID 2012 wrote to memory of 2620	2012	cmd.exe	PING.EXE
PID 2012 wrote to memory of 2620	2012	cmd.exe	PING.EXE
PID 2012 wrote to memory of 2620	2012	cmd.exe	PING.EXE
PID 2012 wrote to memory of 2620	2012	cmd.exe	PING.EXE
PID 2772 wrote to memory of 864	2772	Synaptics.exe	._cache_Synaptics.exe
PID 2772 wrote to memory of 864	2772	Synaptics.exe	._cache_Synaptics.exe
PID 2772 wrote to memory of 864	2772	Synaptics.exe	._cache_Synaptics.exe
PID 2772 wrote to memory of 864	2772	Synaptics.exe	._cache_Synaptics.exe

C:\Users\Admin\AppData\Local\Temp\f3f7199ba9ae45e662bed0b593057355aeb5b604817599ee33b70f261ce926c1.exe
"C:\Users\Admin\AppData\Local\Temp\f3f7199ba9ae45e662bed0b593057355aeb5b604817599ee33b70f261ce926c1.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1856
- C:\Users\Admin\AppData\Local\Temp\RVN.exe
  C:\Users\Admin\AppData\Local\Temp\\RVN.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2252
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\RVN.exe > nul
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Suspicious use of WriteProcessMemory
    PID:2012
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 2 127.0.0.1
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2620
- C:\Users\Admin\AppData\Local\Temp\HD_f3f7199ba9ae45e662bed0b593057355aeb5b604817599ee33b70f261ce926c1.exe
  C:\Users\Admin\AppData\Local\Temp\HD_f3f7199ba9ae45e662bed0b593057355aeb5b604817599ee33b70f261ce926c1.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2424
- - C:\Users\Admin\AppData\Local\Temp\._cache_HD_f3f7199ba9ae45e662bed0b593057355aeb5b604817599ee33b70f261ce926c1.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_HD_f3f7199ba9ae45e662bed0b593057355aeb5b604817599ee33b70f261ce926c1.exe"
    3⤵
    - Executes dropped EXE
    PID:2752
- - C:\ProgramData\Synaptics\Synaptics.exe
    "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2772
  - - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
      "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:864

C:\Windows\SysWOW64\TXPlatforn.exe
C:\Windows\SysWOW64\TXPlatforn.exe -auto
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2240
- C:\Windows\SysWOW64\TXPlatforn.exe
  C:\Windows\SysWOW64\TXPlatforn.exe -acsi
  2⤵
  - Drops file in Drivers directory
  - Sets service image path in registry
  - Executes dropped EXE
  - Suspicious behavior: LoadsDriver
  - Suspicious use of AdjustPrivilegeToken
  PID:2324

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4r5MXvdT.xlsm

Filesize
21KB

MD5
869176b72c884c0fb2c7c2096cbe81f0

SHA1
a58ed2f14624003f2c90dabca0613788f6f42626

SHA256
58d9729b2c830b10c6b97ac0d1fe4839d3c09c5ce1e50b93198c1522b7c7dc8b

SHA512
4dec08bb5139374bdf87725c84ef451860820a0b3706173cc3b47479acab3a6b3d89b3ceb5fb089f3472ceae7f6806c183b00fe7a70248f2b0209e635b22d76b

Download Submit
C:\Users\Admin\AppData\Local\Temp\4r5MXvdT.xlsm

Filesize
21KB

MD5
72ce4fc280e6b6515779f73083331102

SHA1
44026359db9d03e6db4bc10c98bb542882f5cf4a

SHA256
15885bf67f95645e5af58eaf23c1b731699c14db3594fb324362b9b1ea5e5841

SHA512
e3a90817364309da743734d602911cc871a54d7fcd27ce931e5eb7dc02b313ff2bbee0e4e0d35305e98ec6b0e99f7b4494197c6717b0996cada01bc97391584c

Download Submit
C:\Users\Admin\AppData\Local\Temp\4r5MXvdT.xlsm

Filesize
25KB

MD5
02ae29eb25fa3148884ca1191e4bfb34

SHA1
fc090d73afedb2a26e4d2736f870dc64fd8f1da9

SHA256
56b67eba681465bb28d9ba946d89617ca0eccc550206c360ced2a8d2a31034da

SHA512
66897b2c059f485c68cce50068fa37d03c5aa1b33467a3a0054440c67cff61207aea719a8219f330c62be7043d4736ed4098c5442910f06f624ff34dc969378f

Download Submit
C:\Users\Admin\AppData\Local\Temp\4r5MXvdT.xlsm

Filesize
23KB

MD5
3bc893a707e062765329bac89edb29ba

SHA1
9cd03213882d4266dc8d028fe25859d52dc13bd5

SHA256
dc6172f91a7f33355bfb6fd1d7df9d12deee905ac9ce17d0e5d14864d3fa23b8

SHA512
dc38fd6abddb6ed387f3bd117f8f5248a1e80d315f736bfd0f485223e8a436585f2c9dc9e3083ad390813803a8572e0d57052e8e7b7e64b3aeda359dcda6bc4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\4r5MXvdT.xlsm

Filesize
26KB

MD5
bfb54f88a42c3ba17c73d660261b3c38

SHA1
acd7f31cf61559a319f08740781392a7ba275755

SHA256
369951d76de17bd1a116f94003c358948a126bd8c669b9068e9d057797b66a5e

SHA512
d238c3ca29bbfd5bf03824313228a84aa765cdfa61b0eb33ddfd1de1e097c575dd180b65e3b6b5f46d4f9a84208b0d676b50af7934b2bc5d2bdff614615ceaae

Download Submit
C:\Users\Admin\AppData\Local\Temp\4r5MXvdT.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\HD_X.dat

Filesize
576KB

MD5
62fac9ef099447024ed09c067fdd1b80

SHA1
cd1dfc25ef79de7a0afd47d8e37fd5eba6082dcf

SHA256
2b2975b8e2903a9e180241773e84979d1c85aacd269c2805495bf544cfe188af

SHA512
9661c42bf688de8bdad615cf270ae55869b543b63afdc883a4b3e6c0a20325d11c3da7de3bd4483428a9a733cfe97d45cc122b87f2f70c71d51794c5388f804a

Download Submit
C:\Users\Admin\AppData\Local\Temp\HD_f3f7199ba9ae45e662bed0b593057355aeb5b604817599ee33b70f261ce926c1.exe

Filesize
924KB

MD5
fc69db50ed849673c9bf40e214cbb6e4

SHA1
a04ac9871d08e8a0ed6b79f78fc0d6eae609ee11

SHA256
29ae1062e2b89180992283737193e0793df2feda365f8ba59a7037d4f13f1563

SHA512
de8039e86738ea8d189dc25b2a9256691a31cbe0c56f50e34bafa7ac0fb339369ded2eeeee53497d6f3d03510cb4f11a917e6b3af7962eced969ed4f524a3c42

Download Submit
C:\Users\Admin\Desktop\~$OpenBackup.xlsx

Filesize
165B

MD5
ff09371174f7c701e75f357a187c06e8

SHA1
57f9a638fd652922d7eb23236c80055a91724503

SHA256
e4ba04959837c27019a2349015543802439e152ddc4baf4e8c7b9d2b483362a8

SHA512
e4d01e5908e9f80b7732473ec6807bb7faa5425e3154d5642350f44d7220af3cffd277e0b67bcf03f1433ac26a26edb3ddd3707715b61d054b979fbb4b453882

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_HD_f3f7199ba9ae45e662bed0b593057355aeb5b604817599ee33b70f261ce926c1.exe

Filesize
170KB

MD5
65aa3807b36baa10d03a373eb33d7879

SHA1
badfb2b05a202805fdd884e1a4560d7c4c624998

SHA256
dbf5530ba4bb1b78336a70c5697dce50627263626ce9d3df11e89aa6ffbea737

SHA512
8081c0c2053b33eab6a0eb7bbdf187c00b6ab7b5c5e675d741a565b29aaed12f54d8ab52fe94c6ea2a8add27697f65af92b9f3e0dbd67c2b7737f197b44c958a

Download Submit
\Users\Admin\AppData\Local\Temp\RVN.exe

Filesize
377KB

MD5
80ade1893dec9cab7f2e63538a464fcc

SHA1
c06614da33a65eddb506db00a124a3fc3f5be02e

SHA256
57a920389c044e3f5cf93dabff67070b4511e79779b6f874e08f92d8b0d7afbd

SHA512
fffd4f3fccb5301b3c7a5b3bd92747f31549fbd9d0803fe5d502d1bb0ef979140988718c2ee1406ed3e755790d275185e120a56cbcb5ed2eadf62b5cdbfc4cc4

Download Submit
\Users\Admin\Desktop\BlockFind.exe

Filesize
1.4MB

MD5
8d5ed30bedd5a7888ced3c1edc38cabd

SHA1
bccb09ff05893bd44a465b52e6c0faf3bbcfa5b0

SHA256
78e23d78c122f0702a1f64c5b7f618d661ec81af5ad43151a91109b8e1eb4948

SHA512
d858870ad72a40b54bdc841e2ffa385cc5511b3d06f5153fd22e38372ed922198c3e095b0938efa10c7706157212d01e087837f63c34198018dfeb8dad341195

Download Submit
memory/2084-172-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2084-85-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2252-22-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2252-20-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2252-23-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2252-24-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2324-59-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2324-56-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2324-61-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2424-69-0x0000000000400000-0x00000000004ED000-memory.dmp

Filesize
948KB

Download
memory/2424-17-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2772-173-0x0000000000400000-0x00000000004ED000-memory.dmp

Filesize
948KB

Download
memory/2772-174-0x0000000000400000-0x00000000004ED000-memory.dmp

Filesize
948KB

Download
memory/2772-208-0x0000000000400000-0x00000000004ED000-memory.dmp

Filesize
948KB

Download