xred | 7036d9af1685face5a42401a29a3f0ae3316e069aba73480f59f6fb590fdaa0c

Analysis

max time kernel
142s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
30-11-2024 23:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7036d9af1685face5a42401a29a3f0ae3316e069aba73480f59f6fb590fdaa0c.exe
Size

1.7MB
MD5

48b681e25b5f9c82adbfc2eed4e644cf
SHA1

7c4be41399eee4e5357356240b5b84a302d7bbd0
SHA256

7036d9af1685face5a42401a29a3f0ae3316e069aba73480f59f6fb590fdaa0c
SHA512

23558f8d287ed4cfa4ac5e441d26998e4b89f77c63814a67002c47234df111123403392842c7c80aceb583f0d87bd57366fd53cf88dc6b073b8fec4cf47694bf
SSDEEP

24576:2nsJ39LyjbJkQFMhmC+6GD9DGQB+2DR7BWYpcyo44u0aPVBWYpzW:2nsHyjtk2MYC5GDr7Vh102Ti

Score

10^/10

xred backdoor discovery persistence

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	7036d9af1685face5a42401a29a3f0ae3316e069aba73480f59f6fb590fdaa0c.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Synaptics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	._cache_7036d9af1685face5a42401a29a3f0ae3316e069aba73480f59f6fb590fdaa0c.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	._cache_Synaptics.exe

Executes dropped EXE 3 IoCs

pid	Process
1080	._cache_7036d9af1685face5a42401a29a3f0ae3316e069aba73480f59f6fb590fdaa0c.exe
4964	Synaptics.exe
3812	._cache_Synaptics.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	7036d9af1685face5a42401a29a3f0ae3316e069aba73480f59f6fb590fdaa0c.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7036d9af1685face5a42401a29a3f0ae3316e069aba73480f59f6fb590fdaa0c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	7036d9af1685face5a42401a29a3f0ae3316e069aba73480f59f6fb590fdaa0c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
4196	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
4220	msedge.exe
4220	msedge.exe
3320	msedge.exe
3320	msedge.exe
2380	identity_helper.exe
2380	identity_helper.exe
1096	msedge.exe
1096	msedge.exe
1096	msedge.exe
1096	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
3320	msedge.exe
3320	msedge.exe
3320	msedge.exe
3320	msedge.exe
3320	msedge.exe
3320	msedge.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1080	._cache_7036d9af1685face5a42401a29a3f0ae3316e069aba73480f59f6fb590fdaa0c.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
3320	msedge.exe
3320	msedge.exe
3320	msedge.exe
3320	msedge.exe
3320	msedge.exe
3320	msedge.exe
3320	msedge.exe
3320	msedge.exe
3320	msedge.exe
3320	msedge.exe
3320	msedge.exe
3320	msedge.exe
3320	msedge.exe
3320	msedge.exe
3320	msedge.exe
3320	msedge.exe
3320	msedge.exe
3320	msedge.exe
3320	msedge.exe
3320	msedge.exe
3320	msedge.exe
3320	msedge.exe
3320	msedge.exe
3320	msedge.exe
3320	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3320	msedge.exe
3320	msedge.exe
3320	msedge.exe
3320	msedge.exe
3320	msedge.exe
3320	msedge.exe
3320	msedge.exe
3320	msedge.exe
3320	msedge.exe
3320	msedge.exe
3320	msedge.exe
3320	msedge.exe
3320	msedge.exe
3320	msedge.exe
3320	msedge.exe
3320	msedge.exe
3320	msedge.exe
3320	msedge.exe
3320	msedge.exe
3320	msedge.exe
3320	msedge.exe
3320	msedge.exe
3320	msedge.exe
3320	msedge.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
4196	EXCEL.EXE
4196	EXCEL.EXE
4196	EXCEL.EXE
4196	EXCEL.EXE
4196	EXCEL.EXE
4196	EXCEL.EXE
4196	EXCEL.EXE
4196	EXCEL.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3676 wrote to memory of 1080	3676	7036d9af1685face5a42401a29a3f0ae3316e069aba73480f59f6fb590fdaa0c.exe	85
PID 3676 wrote to memory of 1080	3676	7036d9af1685face5a42401a29a3f0ae3316e069aba73480f59f6fb590fdaa0c.exe	85
PID 3676 wrote to memory of 4964	3676	7036d9af1685face5a42401a29a3f0ae3316e069aba73480f59f6fb590fdaa0c.exe	86
PID 3676 wrote to memory of 4964	3676	7036d9af1685face5a42401a29a3f0ae3316e069aba73480f59f6fb590fdaa0c.exe	86
PID 3676 wrote to memory of 4964	3676	7036d9af1685face5a42401a29a3f0ae3316e069aba73480f59f6fb590fdaa0c.exe	86
PID 4964 wrote to memory of 3812	4964	Synaptics.exe	87
PID 4964 wrote to memory of 3812	4964	Synaptics.exe	87
PID 1080 wrote to memory of 3320	1080	._cache_7036d9af1685face5a42401a29a3f0ae3316e069aba73480f59f6fb590fdaa0c.exe	95
PID 1080 wrote to memory of 3320	1080	._cache_7036d9af1685face5a42401a29a3f0ae3316e069aba73480f59f6fb590fdaa0c.exe	95
PID 3320 wrote to memory of 1652	3320	msedge.exe	96
PID 3320 wrote to memory of 1652	3320	msedge.exe	96
PID 3320 wrote to memory of 4924	3320	msedge.exe	97
PID 3320 wrote to memory of 4924	3320	msedge.exe	97
PID 3320 wrote to memory of 4924	3320	msedge.exe	97
PID 3320 wrote to memory of 4924	3320	msedge.exe	97
PID 3320 wrote to memory of 4924	3320	msedge.exe	97
PID 3320 wrote to memory of 4924	3320	msedge.exe	97
PID 3320 wrote to memory of 4924	3320	msedge.exe	97
PID 3320 wrote to memory of 4924	3320	msedge.exe	97
PID 3320 wrote to memory of 4924	3320	msedge.exe	97
PID 3320 wrote to memory of 4924	3320	msedge.exe	97
PID 3320 wrote to memory of 4924	3320	msedge.exe	97
PID 3320 wrote to memory of 4924	3320	msedge.exe	97
PID 3320 wrote to memory of 4924	3320	msedge.exe	97
PID 3320 wrote to memory of 4924	3320	msedge.exe	97
PID 3320 wrote to memory of 4924	3320	msedge.exe	97
PID 3320 wrote to memory of 4924	3320	msedge.exe	97
PID 3320 wrote to memory of 4924	3320	msedge.exe	97
PID 3320 wrote to memory of 4924	3320	msedge.exe	97
PID 3320 wrote to memory of 4924	3320	msedge.exe	97
PID 3320 wrote to memory of 4924	3320	msedge.exe	97
PID 3320 wrote to memory of 4924	3320	msedge.exe	97
PID 3320 wrote to memory of 4924	3320	msedge.exe	97
PID 3320 wrote to memory of 4924	3320	msedge.exe	97
PID 3320 wrote to memory of 4924	3320	msedge.exe	97
PID 3320 wrote to memory of 4924	3320	msedge.exe	97
PID 3320 wrote to memory of 4924	3320	msedge.exe	97
PID 3320 wrote to memory of 4924	3320	msedge.exe	97
PID 3320 wrote to memory of 4924	3320	msedge.exe	97
PID 3320 wrote to memory of 4924	3320	msedge.exe	97
PID 3320 wrote to memory of 4924	3320	msedge.exe	97
PID 3320 wrote to memory of 4924	3320	msedge.exe	97
PID 3320 wrote to memory of 4924	3320	msedge.exe	97
PID 3320 wrote to memory of 4924	3320	msedge.exe	97
PID 3320 wrote to memory of 4924	3320	msedge.exe	97
PID 3320 wrote to memory of 4924	3320	msedge.exe	97
PID 3320 wrote to memory of 4924	3320	msedge.exe	97
PID 3320 wrote to memory of 4924	3320	msedge.exe	97
PID 3320 wrote to memory of 4924	3320	msedge.exe	97
PID 3320 wrote to memory of 4924	3320	msedge.exe	97
PID 3320 wrote to memory of 4924	3320	msedge.exe	97
PID 3320 wrote to memory of 4220	3320	msedge.exe	98
PID 3320 wrote to memory of 4220	3320	msedge.exe	98
PID 3320 wrote to memory of 2748	3320	msedge.exe	99
PID 3320 wrote to memory of 2748	3320	msedge.exe	99
PID 3320 wrote to memory of 2748	3320	msedge.exe	99
PID 3320 wrote to memory of 2748	3320	msedge.exe	99
PID 3320 wrote to memory of 2748	3320	msedge.exe	99
PID 3320 wrote to memory of 2748	3320	msedge.exe	99
PID 3320 wrote to memory of 2748	3320	msedge.exe	99
PID 3320 wrote to memory of 2748	3320	msedge.exe	99
PID 3320 wrote to memory of 2748	3320	msedge.exe	99
PID 3320 wrote to memory of 2748	3320	msedge.exe	99
PID 3320 wrote to memory of 2748	3320	msedge.exe	99

C:\Users\Admin\AppData\Local\Temp\7036d9af1685face5a42401a29a3f0ae3316e069aba73480f59f6fb590fdaa0c.exe
"C:\Users\Admin\AppData\Local\Temp\7036d9af1685face5a42401a29a3f0ae3316e069aba73480f59f6fb590fdaa0c.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3676
- C:\Users\Admin\AppData\Local\Temp\._cache_7036d9af1685face5a42401a29a3f0ae3316e069aba73480f59f6fb590fdaa0c.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_7036d9af1685face5a42401a29a3f0ae3316e069aba73480f59f6fb590fdaa0c.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1080
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://apps.microsoft.com/store/detail/9NKSQGP7F2NH?ocid=&referrer=psi
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:3320
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0x9c,0x108,0x7ffbfb9946f8,0x7ffbfb994708,0x7ffbfb994718
      4⤵
      PID:1652
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,9379054066560238475,13229414789070838705,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2100 /prefetch:2
      4⤵
      PID:4924
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2076,9379054066560238475,13229414789070838705,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2156 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4220
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2076,9379054066560238475,13229414789070838705,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2868 /prefetch:8
      4⤵
      PID:2748
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,9379054066560238475,13229414789070838705,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1
      4⤵
      PID:1900
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,9379054066560238475,13229414789070838705,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3416 /prefetch:1
      4⤵
      PID:1536
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,9379054066560238475,13229414789070838705,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5004 /prefetch:8
      4⤵
      PID:3492
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,9379054066560238475,13229414789070838705,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5004 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2380
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,9379054066560238475,13229414789070838705,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5104 /prefetch:1
      4⤵
      PID:1660
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,9379054066560238475,13229414789070838705,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5108 /prefetch:1
      4⤵
      PID:4764
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,9379054066560238475,13229414789070838705,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5552 /prefetch:1
      4⤵
      PID:3660
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,9379054066560238475,13229414789070838705,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5572 /prefetch:1
      4⤵
      PID:3112
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,9379054066560238475,13229414789070838705,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2268 /prefetch:2
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1096
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4964
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    PID:3812

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4196

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1708

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
1.7MB

MD5
48b681e25b5f9c82adbfc2eed4e644cf

SHA1
7c4be41399eee4e5357356240b5b84a302d7bbd0

SHA256
7036d9af1685face5a42401a29a3f0ae3316e069aba73480f59f6fb590fdaa0c

SHA512
23558f8d287ed4cfa4ac5e441d26998e4b89f77c63814a67002c47234df111123403392842c7c80aceb583f0d87bd57366fd53cf88dc6b073b8fec4cf47694bf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
37f660dd4b6ddf23bc37f5c823d1c33a

SHA1
1c35538aa307a3e09d15519df6ace99674ae428b

SHA256
4e2510a1d5a50a94fe4ce0f74932ab780758a8cbdc6d176a9ce8ab92309f26f8

SHA512
807b8b8dc9109b6f78fc63655450bf12b9a006ff63e8f29ade8899d45fdf4a6c068c5c46a3efbc4232b9e1e35d6494f00ded5cdb3e235c8a25023bfbd823992d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d7cb450b1315c63b1d5d89d98ba22da5

SHA1
694005cd9e1a4c54e0b83d0598a8a0c089df1556

SHA256
38355fd694faf1223518e40bac1996bdceaf44191214b0a23c4334d5fb07d031

SHA512
df04d4f4b77bae447a940b28aeac345b21b299d8d26e28ecbb3c1c9e9a0e07c551e412d545c7dbb147a92c12bad7ae49ac35af021c34b88e2c6c5f7a0b65f6a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
96B

MD5
645b74ff7349f7c78c708782992e304f

SHA1
bc2075376ef6e0ca50c80283b70b70b8e72c07f5

SHA256
bb20aace819a09fb18e61295943e53108b3700343dac8360fc9e4d2d1f05a099

SHA512
7844509e8fff04629ce224ad074c2fc8806e07ec631f7b482b6cd765f5e8a42f3cd5118b155dd377c87ad2a797d21f9c9c50a1aa558f4ac07900d7ceda52522e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
258B

MD5
2c611a5e0570b35e3a86dbfb8a943254

SHA1
831b31fcc2ede459f33bffe011b16da64b593355

SHA256
ff8900bdf7180809bc7a96e48d2b2144cebc5b7a07bf28fba808d5f14a40d993

SHA512
cf36a01f8959acb6a74db5510717c12c9b17f67620a261590164c0e7b59e1dfc0602d05de4e80cd1a543829b7e01e863c54eec6a7f49acab7a707c085848254b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f3ef0457982798ce4fac2476bd34b90b

SHA1
b2019ac1155d651152f6380985f7bdc1c1d5142a

SHA256
c4bc588ca59780e4565c92b1e19b89cc6f25186e27c5ceba8253f1ea179f6052

SHA512
ef6b17533be8abfde54441b4872002dcff6bb58de5e843248584783bba0a3d1469a9ee1d720b17b0f14f37c88464456e29c1177e370565e6721688c68827c4b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
54fcf6424cc78354893c9ee9ff8cf8cf

SHA1
27ceb1f9746125a7992db63ad6dcae047db22d0c

SHA256
51a2c749fb1ef899781a771fe396f68bf42a16f791fb78542be19b08359e584a

SHA512
5b57fe0723bebf66332c869e36877880b1e91a8bf2bbb9c5421b70690502d2a1d7526e9fe9681b7c6186f157027cf671fcb330327a2e5a6c019402deee780449

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\a0a74304db73132d4bc12ef9404aa74f9fdeda56\6de2217a-221b-43e7-ac22-592d3a07114e\index-dir\the-real-index

Filesize
72B

MD5
463188ca53b44b5cade9c70804650042

SHA1
a1a66108f4fa204c31a650cee010240fc3f0a02d

SHA256
23db98f1a752d8751d698aa3e819b82912455c60466f4c2eeb7da8f7555a21ef

SHA512
4812af9ec03de271d8f9d118b172eb638ec9935d23258759a103433378b058b739ed737e9b58d34a6b112fc05de9ddd7546558713b548955656a7cf2e50329cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\a0a74304db73132d4bc12ef9404aa74f9fdeda56\6de2217a-221b-43e7-ac22-592d3a07114e\index-dir\the-real-index~RFe58340b.TMP

Filesize
48B

MD5
321de1d04ee4729eb684886e04ba37bb

SHA1
4677fa2dafaba6a795bafe12e51e32b68caa53f0

SHA256
dfddc4be2f17ba3f3b2788064b8f3f598f78d60677f73fd169e10e178df6965d

SHA512
45772baedf6798c5e2cc584865488dd03dce03986584ff6f0099013e2f6e26b44c5e42d86a7a07c22094d150977884973206a15a861f25b7df319b9ff509a5e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\a0a74304db73132d4bc12ef9404aa74f9fdeda56\c0c3155c-05c1-42f3-9b54-bfdf143256cd\index-dir\the-real-index

Filesize
1KB

MD5
494a57cd7e5e44c51f5509a7af293a34

SHA1
1ba254395603a930a93cdd52dd208729297055cc

SHA256
087894ba999bd05ac6d6dcc746e4ecc4e938fcb0f256a0730d01653dc38dc557

SHA512
29035a5b7953ed65e807ecaa85462b351d690329170c390afbfbe0bb495628e37ed48118b0ab1fea88c02793077554798e239c115e5a1a904d6bdfae5d147a02

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\a0a74304db73132d4bc12ef9404aa74f9fdeda56\c0c3155c-05c1-42f3-9b54-bfdf143256cd\index-dir\the-real-index~RFe584b0e.TMP

Filesize
48B

MD5
ef87c7121325d1cf7e83551c1a1d3986

SHA1
d37fe3dc7a4aad746b8775080166067433bb66dd

SHA256
f664f8fd4681e429ce7f6e9aeff16d2dc17209559562ab913d1ff267e84fe783

SHA512
33c7d7324996498e796d200b191b68ab1122217e8d5eeaca56526c591f3b48d3678c9aea0d16313c5e5441c259fba300b22e1c4a7e6637a262ae3f0c2f80dddf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\a0a74304db73132d4bc12ef9404aa74f9fdeda56\index.txt

Filesize
109B

MD5
6c9347e6b01f1fc96839f928865299fd

SHA1
dc87fe201c5fc20903810fcdee616e032e27a1e5

SHA256
4d0dfc069bb6498454944a915cdaa1018ae68b6d6a23ed4d897afd7c3e988671

SHA512
a372aa482ae213869d9e0874e35195a8053f85ce93e114b5c0a97584249c956b6db065e741327bc25db1257069893db882f849a685a6ee0fee29307e9edce5ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\a0a74304db73132d4bc12ef9404aa74f9fdeda56\index.txt

Filesize
204B

MD5
d3b6594fb673bdd86505ffdbca686f23

SHA1
aae33070e440dc64c6e39653869026db3bccd072

SHA256
fb0a05baa08456042f3e0b5f18b39618c5865f60f57288add4fdc20946147bbe

SHA512
905b8b5b9589d79df4c53dbc8b250734aeb0043894d90fae129e634271e9e327381334530d806f18268add4e367ba4f6d2e6f7c4b40e7f17a9d9b3a39ded5877

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\a0a74304db73132d4bc12ef9404aa74f9fdeda56\index.txt

Filesize
201B

MD5
c28a1aeda28b1c8c16498aa5c26fc79e

SHA1
8354d6756e12e4bc94a33a9f71423698c1d94e6b

SHA256
e0bd967bf431a2356206fe8c2a31f314ba829517d198bcf4598ed75e3d24d9c5

SHA512
3e4cf955cb98d7d0bbd506c4c7c00575eef7cb0ba1e303a5f3383de3435c4904f87e01a1fdb3a611501bd6373df53433dc2da212b137b1a9395c90338927ca2a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
7d6c04d439e0f47a809f66767d0ea003

SHA1
896c3ac11b259c24a6a6aa3d7745ab238df76219

SHA256
1ee995b7c168bd2b9aaa2279d7dd1da3b4c77c956027c108598bac93d02a3e88

SHA512
9001dad10635e17fdfec69b1b8d05c7da8aa326f0008e80e993d2db547e2d0b691150fc2f647734c1c427c487387c1378e62e34a3cf9464ec074e389991e7a97

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe5833bd.TMP

Filesize
48B

MD5
bfe0c2ee2d10c4dfa11f41af7321d700

SHA1
11f48b340345fb96eafc7c8ac9a24a8089e2ea76

SHA256
3b6f07cbf412e505381677a92da160fc05b55c5c2ad2fd5ca0f7ba90117e114b

SHA512
5e061606ff4c39e743e8ddb51c1d46a1bbf9ee378296d3a9342e6fdbd8c5ef37810995e3694dfc97438bf9064fb0c960e5e00e08162ff91ceb58fdc494f31306

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
eed4a80744887e49910cc5f79e4bc739

SHA1
8587f379844774328fde9ffa0f66ea2cce1d45da

SHA256
135e8e013e9ec54cf9774cf1ae1d646f4de698447db0fd89e7ec2ac3f1b94f03

SHA512
a69eb72d129aff0bf11521f36f1863a2cccdafb1e2006d8f1dd75ad8904c498e8e1306bb91c0711eb359cdabe71684e489cf53ac8d09531cc91f5d867dca5b4a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres

Filesize
2KB

MD5
135fb079477d6bdb8e732ab249c343b5

SHA1
4bff7f4312b302592a5877347aeb1b17b97d76a8

SHA256
62e77c38a855176cdd247e5b076dcb0781f43a386a7e6baaebc2bf6dca80ae65

SHA512
08b9c2d79e38f673fd8b298576bf7c3b4d5ac62bef74ccbec48383a3ad4af902ea884004409f50f14aa24209d612669c1a55bef14822ad133cf2782ed1165e63

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres

Filesize
2KB

MD5
7b230fc10eeeb9b2caad3a0c516075ec

SHA1
5fb5e5a141b6f83399e5eec69b1c2e53501f1e4f

SHA256
4b0a6280c85bea484f2076fa0982e00fe2c742f4e79ee35ba8ef156f332c75b2

SHA512
8de06c928a83844f1cf7eab8025d1d040a7d84b4fd6e71de8b5c0c5876562ed531f87e8428ba7c8e1a37ac41f54f8e6e8fc10cf309269414297648701ad82f30

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_7036d9af1685face5a42401a29a3f0ae3316e069aba73480f59f6fb590fdaa0c.exe

Filesize
1.0MB

MD5
bc054c2105f6fb4752dcb2b938461bad

SHA1
23bc0b21279a5cbf455f4ddd276d7831d96066de

SHA256
2c5e26d80e686c444bc3740a2bb311b84857f59b048fe3d659152c449922ee41

SHA512
ec12934cacd0b5b183e91712439b8b8f8ca71040f3343e35d25ed9e1febf12ec2f7f0fc6dc0f0b6e9a55f803183471af8c0c80aeff9d1aec1f421771bff2885b

Download Submit
C:\Users\Admin\AppData\Local\Temp\C5D75E00

Filesize
24KB

MD5
ace73db8e53a9768a1e24a3dd8f2ddb3

SHA1
f9fdf96415c2c40f727c6125aacc58c8f687c59c

SHA256
2afa64e2f065b2e041de73d306a0a55d77c987c720f0bc593a292e9c729fc3d2

SHA512
c80d3e0c3912283bf2ae864336639f75ba33bafd323b58e078537477616793919ccaa9fc0f1803367d6b5e7e00341dd8182606eaa87e3b58737daf7afc485faf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mesd1tKa.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpCF56.tmp

Filesize
1KB

MD5
a10f31fa140f2608ff150125f3687920

SHA1
ec411cc7005aaa8e3775cf105fcd4e1239f8ed4b

SHA256
28c871238311d40287c51dc09aee6510cac5306329981777071600b1112286c6

SHA512
cf915fb34cd5ecfbd6b25171d6e0d3d09af2597edf29f9f24fa474685d4c5ec9bc742ade9f29abac457dd645ee955b1914a635c90af77c519d2ada895e7ecf12

Download Submit
memory/1080-205-0x000002B53B3E0000-0x000002B53B418000-memory.dmp

Filesize
224KB

Download
memory/1080-171-0x000002B538DE0000-0x000002B538E9A000-memory.dmp

Filesize
744KB

Download
memory/1080-255-0x000002B53C650000-0x000002B53C676000-memory.dmp

Filesize
152KB

Download
memory/1080-155-0x000002B536C50000-0x000002B536C5A000-memory.dmp

Filesize
40KB

Download
memory/1080-207-0x000002B53C490000-0x000002B53C616000-memory.dmp

Filesize
1.5MB

Download
memory/1080-206-0x000002B53B3A0000-0x000002B53B3AE000-memory.dmp

Filesize
56KB

Download
memory/1080-89-0x000002B51C720000-0x000002B51C822000-memory.dmp

Filesize
1.0MB

Download
memory/1080-71-0x00007FFBFA593000-0x00007FFBFA595000-memory.dmp

Filesize
8KB

Download
memory/1080-187-0x000002B538760000-0x000002B53879C000-memory.dmp

Filesize
240KB

Download
memory/1080-204-0x000002B539190000-0x000002B539198000-memory.dmp

Filesize
32KB

Download
memory/1080-186-0x000002B538700000-0x000002B538712000-memory.dmp

Filesize
72KB

Download
memory/3676-103-0x0000000000400000-0x00000000005C2000-memory.dmp

Filesize
1.8MB

Download
memory/3676-0-0x0000000002560000-0x0000000002561000-memory.dmp

Filesize
4KB

Download
memory/4196-167-0x00007FFBD91B0000-0x00007FFBD91C0000-memory.dmp

Filesize
64KB

Download
memory/4196-203-0x00007FFBD6F70000-0x00007FFBD6F80000-memory.dmp

Filesize
64KB

Download
memory/4196-188-0x00007FFBD6F70000-0x00007FFBD6F80000-memory.dmp

Filesize
64KB

Download
memory/4196-166-0x00007FFBD91B0000-0x00007FFBD91C0000-memory.dmp

Filesize
64KB

Download
memory/4196-170-0x00007FFBD91B0000-0x00007FFBD91C0000-memory.dmp

Filesize
64KB

Download
memory/4196-168-0x00007FFBD91B0000-0x00007FFBD91C0000-memory.dmp

Filesize
64KB

Download
memory/4196-169-0x00007FFBD91B0000-0x00007FFBD91C0000-memory.dmp

Filesize
64KB

Download
memory/4964-397-0x0000000000400000-0x00000000005C2000-memory.dmp

Filesize
1.8MB

Download
memory/4964-398-0x0000000002330000-0x0000000002331000-memory.dmp

Filesize
4KB

Download
memory/4964-642-0x0000000000400000-0x00000000005C2000-memory.dmp

Filesize
1.8MB

Download
memory/4964-104-0x0000000002330000-0x0000000002331000-memory.dmp

Filesize
4KB

Download