xred | 414f0d4f19f59139e6c9189d295da4d982c2b8fdbbea6ae9db8448968b39e452

Analysis

max time kernel
111s
max time network
118s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
03-12-2024 18:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

414f0d4f19f59139e6c9189d295da4d982c2b8fdbbea6ae9db8448968b39e452.exe
Size

1.6MB
MD5

6d626a8d94a479f28da8ff463206850c
SHA1

e12c85290275c5a300eaece8803043cb1073138b
SHA256

414f0d4f19f59139e6c9189d295da4d982c2b8fdbbea6ae9db8448968b39e452
SHA512

5fc49c327b05acd8de78fbc6703ed06b844c1792339d6c2a2a89e7e03392e17022b2da996f6d1384024b78e8a967f896cc17a1e5c806422ba3b4cf49e76817e8
SSDEEP

49152:EnsHyjtk2MYC5GD2HZxOe4+T+4sOj8yJ4LJ+Y:Ensmtk2af4R4xj8UOx

Score

10^/10

xred backdoor discovery persistence

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	414f0d4f19f59139e6c9189d295da4d982c2b8fdbbea6ae9db8448968b39e452.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Synaptics.exe

Executes dropped EXE 9 IoCs

pid	Process
4896	._cache_414f0d4f19f59139e6c9189d295da4d982c2b8fdbbea6ae9db8448968b39e452.exe
1944	Synaptics.exe
1544	._cache_Synaptics.exe
3924	Setup.exe
3960	_INS5576._MP
4392	_ISDEL.EXE
4808	Setup.exe
2592	_INS5576._MP
4696	_ISDEL.EXE

Loads dropped DLL 16 IoCs

pid	Process
3924	Setup.exe
3960	_INS5576._MP
3960	_INS5576._MP
3960	_INS5576._MP
3960	_INS5576._MP
3960	_INS5576._MP
3960	_INS5576._MP
3960	_INS5576._MP
4808	Setup.exe
2592	_INS5576._MP
2592	_INS5576._MP
2592	_INS5576._MP
2592	_INS5576._MP
2592	_INS5576._MP
2592	_INS5576._MP
2592	_INS5576._MP

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	414f0d4f19f59139e6c9189d295da4d982c2b8fdbbea6ae9db8448968b39e452.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\GM\TIFF Viewer Plugin\Uninst.isu	_INS5576._MP
File opened for modification	C:\Program Files (x86)\GM\TIFF Viewer Plugin\NPIMGVIE.dll	_INS5576._MP
File opened for modification	C:\Program Files (x86)\GM\TIFF Viewer Plugin\DeIsL1.isu	_INS5576._MP
File opened for modification	C:\Program Files (x86)\GM\TIFF Viewer Plugin\NPIMGVIE.dll	_INS5576._MP

Drops file in Windows directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Windows\_delis32.ini	Setup.exe
File opened for modification	C:\Windows\_delis32.ini	Setup.exe
File created	C:\Windows\_INS33IS._MP	_ISDEL.EXE
File opened for modification	C:\Windows\_delis32.ini	_ISDEL.EXE
File opened for modification	C:\Windows\_iserr31.ini	Setup.exe
File created	C:\Windows\_isenv31.ini	Setup.exe
File opened for modification	C:\Windows\IsUninst.exe	_INS5576._MP
File created	C:\Windows\_INS33IS._MP	_ISDEL.EXE
File opened for modification	C:\Windows\_delis32.ini	_ISDEL.EXE
File opened for modification	C:\Windows\_iserr31.ini	Setup.exe
File created	C:\Windows\_isenv31.ini	Setup.exe
File opened for modification	C:\Windows\IsUninst.exe	_INS5576._MP

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	414f0d4f19f59139e6c9189d295da4d982c2b8fdbbea6ae9db8448968b39e452.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_414f0d4f19f59139e6c9189d295da4d982c2b8fdbbea6ae9db8448968b39e452.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	_ISDEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	_INS5576._MP
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	_INS5576._MP
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	_ISDEL.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\NPIMGVIE.TIFFHotSpotCtrl.1\CLSID	_INS5576._MP
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1D0E4ED9-3E73-11D3-A295-00E0290E822E}\TypeLib	_INS5576._MP
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1D0E4EDA-3E73-11D3-A295-00E0290E822E}\Control	_INS5576._MP
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\NPIMGVIE.TIFFHotSpotCtrl.1	_INS5576._MP
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1D0E4EDA-3E73-11D3-A295-00E0290E822E}\MiscStatus	_INS5576._MP
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1D0E4EDB-3E73-11D3-A295-00E0290E822E}	_INS5576._MP
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\NPIMGVIE.TIFFHotSpotCtrl\ = "TIFFHotSpotCtrl Class"	_INS5576._MP
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-TIFF-GM\Extension = ".itf"	_INS5576._MP
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\NPIMGVIE.TIFFHotSpotCtrl\CurVer	_INS5576._MP
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htf	_INS5576._MP
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1D0E4ECD-3E73-11D3-A295-00E0290E822E}\1.0\ = "NPIMGVIE 1.0 Type Library"	_INS5576._MP
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htf	_INS5576._MP
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1D0E4EDA-3E73-11D3-A295-00E0290E822E}\Version\ = "1.0"	_INS5576._MP
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1D0E4EDA-3E73-11D3-A295-00E0290E822E}\VersionIndependentProgID	_INS5576._MP
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1D0E4EDA-3E73-11D3-A295-00E0290E822E}\ProgID	_INS5576._MP
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1D0E4EDA-3E73-11D3-A295-00E0290E822E}\Insertable	_INS5576._MP
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1D0E4EDA-3E73-11D3-A295-00E0290E822E}\MiscStatus\ = "0"	_INS5576._MP
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1D0E4EDA-3E73-11D3-A295-00E0290E822E}\TypeLib	_INS5576._MP
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1D0E4EDA-3E73-11D3-A295-00E0290E822E}\InprocServer32	_INS5576._MP
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1D0E4EDA-3E73-11D3-A295-00E0290E822E}\MiscStatus\ = "0"	_INS5576._MP
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1D0E4ECD-3E73-11D3-A295-00E0290E822E}\1.0\HELPDIR	_INS5576._MP
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1D0E4EDB-3E73-11D3-A295-00E0290E822E}\ = "_ITIFFHotSpotCtrlEvents"	_INS5576._MP
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1D0E4ED9-3E73-11D3-A295-00E0290E822E}\ = "ITIFFHotSpotCtrl"	_INS5576._MP
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1D0E4ED9-3E73-11D3-A295-00E0290E822E}\TypeLib\ = "{1D0E4ECD-3E73-11D3-A295-00E0290E822E}"	_INS5576._MP
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1D0E4EDA-3E73-11D3-A295-00E0290E822E}\TypeLib	_INS5576._MP
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1D0E4EDA-3E73-11D3-A295-00E0290E822E}\MiscStatus\1\ = "131473"	_INS5576._MP
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1D0E4EDB-3E73-11D3-A295-00E0290E822E}\ = "_ITIFFHotSpotCtrlEvents"	_INS5576._MP
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1D0E4ED9-3E73-11D3-A295-00E0290E822E}\ = "ITIFFHotSpotCtrl"	_INS5576._MP
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1D0E4EDA-3E73-11D3-A295-00E0290E822E}\Programmable	_INS5576._MP
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1D0E4EDA-3E73-11D3-A295-00E0290E822E}\Insertable	_INS5576._MP
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-TIFF-GM	_INS5576._MP
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1D0E4ECD-3E73-11D3-A295-00E0290E822E}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\GM\\TIFF Viewer Plugin\\"	_INS5576._MP
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1D0E4EDB-3E73-11D3-A295-00E0290E822E}\TypeLib\ = "{1D0E4ECD-3E73-11D3-A295-00E0290E822E}"	_INS5576._MP
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1D0E4EDB-3E73-11D3-A295-00E0290E822E}\TypeLib\Version = "1.0"	_INS5576._MP
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1D0E4ED9-3E73-11D3-A295-00E0290E822E}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	_INS5576._MP
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1D0E4EDA-3E73-11D3-A295-00E0290E822E}	_INS5576._MP
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1D0E4EDB-3E73-11D3-A295-00E0290E822E}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	_INS5576._MP
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1D0E4ED9-3E73-11D3-A295-00E0290E822E}\TypeLib\Version = "1.0"	_INS5576._MP
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1D0E4EDA-3E73-11D3-A295-00E0290E822E}\ToolboxBitmap32	_INS5576._MP
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1D0E4EDA-3E73-11D3-A295-00E0290E822E}\InprocServer32\ = "C:\\PROGRA~2\\GM\\TIFFVI~1\\NPIMGVIE.dll"	_INS5576._MP
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\NPIMGVIE.TIFFHotSpotCtrl\CLSID	_INS5576._MP
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1D0E4EDA-3E73-11D3-A295-00E0290E822E}\EnableFullPage\.htf	_INS5576._MP
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1D0E4ECD-3E73-11D3-A295-00E0290E822E}\1.0	_INS5576._MP
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1D0E4EDA-3E73-11D3-A295-00E0290E822E}\EnableFullPage\.itf	_INS5576._MP
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1D0E4ECD-3E73-11D3-A295-00E0290E822E}\1.0\0\win32	_INS5576._MP
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1D0E4EDB-3E73-11D3-A295-00E0290E822E}\TypeLib\Version = "1.0"	_INS5576._MP
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1D0E4EDA-3E73-11D3-A295-00E0290E822E}\ProgID	_INS5576._MP
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1D0E4EDA-3E73-11D3-A295-00E0290E822E}\TypeLib\ = "{1D0E4ECD-3E73-11D3-A295-00E0290E822E}"	_INS5576._MP
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-TIFF-HotSpot\CLSID = "{1D0E4EDA-3E73-11D3-A295-00E0290E822E}"	_INS5576._MP
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1D0E4ECD-3E73-11D3-A295-00E0290E822E}	_INS5576._MP
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1D0E4EDB-3E73-11D3-A295-00E0290E822E}	_INS5576._MP
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1D0E4EDA-3E73-11D3-A295-00E0290E822E}\ToolboxBitmap32	_INS5576._MP
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-TIFF-GM	_INS5576._MP
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1D0E4ECD-3E73-11D3-A295-00E0290E822E}\1.0\FLAGS\ = "0"	_INS5576._MP
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1D0E4EDB-3E73-11D3-A295-00E0290E822E}\ProxyStubClsid32	_INS5576._MP
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.htf	_INS5576._MP
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\NPIMGVIE.TIFFHotSpotCtrl	_INS5576._MP
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1D0E4ED9-3E73-11D3-A295-00E0290E822E}	_INS5576._MP
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1D0E4EDA-3E73-11D3-A295-00E0290E822E}\EnableFullPage\.itf	_INS5576._MP
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1D0E4EDA-3E73-11D3-A295-00E0290E822E}\ = "TIFFHotSpotCtrl Class"	_INS5576._MP
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1D0E4EDA-3E73-11D3-A295-00E0290E822E}\MiscStatus\1\ = "131473"	_INS5576._MP
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-TIFF-HotSpot\Extension = ".htf"	_INS5576._MP
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1D0E4EDA-3E73-11D3-A295-00E0290E822E}\VersionIndependentProgID\ = "NPIMGVIE.TIFFHotSpotCtrl"	_INS5576._MP
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1D0E4ED9-3E73-11D3-A295-00E0290E822E}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	_INS5576._MP

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3960	_INS5576._MP
2592	_INS5576._MP

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 1396 wrote to memory of 4896	1396	414f0d4f19f59139e6c9189d295da4d982c2b8fdbbea6ae9db8448968b39e452.exe	82
PID 1396 wrote to memory of 4896	1396	414f0d4f19f59139e6c9189d295da4d982c2b8fdbbea6ae9db8448968b39e452.exe	82
PID 1396 wrote to memory of 4896	1396	414f0d4f19f59139e6c9189d295da4d982c2b8fdbbea6ae9db8448968b39e452.exe	82
PID 1396 wrote to memory of 1944	1396	414f0d4f19f59139e6c9189d295da4d982c2b8fdbbea6ae9db8448968b39e452.exe	83
PID 1396 wrote to memory of 1944	1396	414f0d4f19f59139e6c9189d295da4d982c2b8fdbbea6ae9db8448968b39e452.exe	83
PID 1396 wrote to memory of 1944	1396	414f0d4f19f59139e6c9189d295da4d982c2b8fdbbea6ae9db8448968b39e452.exe	83
PID 1944 wrote to memory of 1544	1944	Synaptics.exe	84
PID 1944 wrote to memory of 1544	1944	Synaptics.exe	84
PID 1944 wrote to memory of 1544	1944	Synaptics.exe	84
PID 1544 wrote to memory of 3924	1544	._cache_Synaptics.exe	85
PID 1544 wrote to memory of 3924	1544	._cache_Synaptics.exe	85
PID 1544 wrote to memory of 3924	1544	._cache_Synaptics.exe	85
PID 3924 wrote to memory of 3960	3924	Setup.exe	86
PID 3924 wrote to memory of 3960	3924	Setup.exe	86
PID 3924 wrote to memory of 3960	3924	Setup.exe	86
PID 3924 wrote to memory of 4392	3924	Setup.exe	87
PID 3924 wrote to memory of 4392	3924	Setup.exe	87
PID 3924 wrote to memory of 4392	3924	Setup.exe	87
PID 4896 wrote to memory of 4808	4896	._cache_414f0d4f19f59139e6c9189d295da4d982c2b8fdbbea6ae9db8448968b39e452.exe	93
PID 4896 wrote to memory of 4808	4896	._cache_414f0d4f19f59139e6c9189d295da4d982c2b8fdbbea6ae9db8448968b39e452.exe	93
PID 4896 wrote to memory of 4808	4896	._cache_414f0d4f19f59139e6c9189d295da4d982c2b8fdbbea6ae9db8448968b39e452.exe	93
PID 4808 wrote to memory of 2592	4808	Setup.exe	96
PID 4808 wrote to memory of 2592	4808	Setup.exe	96
PID 4808 wrote to memory of 2592	4808	Setup.exe	96
PID 4808 wrote to memory of 4696	4808	Setup.exe	97
PID 4808 wrote to memory of 4696	4808	Setup.exe	97
PID 4808 wrote to memory of 4696	4808	Setup.exe	97

C:\Users\Admin\AppData\Local\Temp\414f0d4f19f59139e6c9189d295da4d982c2b8fdbbea6ae9db8448968b39e452.exe
"C:\Users\Admin\AppData\Local\Temp\414f0d4f19f59139e6c9189d295da4d982c2b8fdbbea6ae9db8448968b39e452.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1396
- C:\Users\Admin\AppData\Local\Temp\._cache_414f0d4f19f59139e6c9189d295da4d982c2b8fdbbea6ae9db8448968b39e452.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_414f0d4f19f59139e6c9189d295da4d982c2b8fdbbea6ae9db8448968b39e452.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4896
- - C:\Users\Admin\AppData\Local\Temp\pftB7F6~tmp\Setup.exe
    "C:\Users\Admin\AppData\Local\Temp\pftB7F6~tmp\Setup.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4808
  - - C:\Users\Admin\AppData\Local\Temp\_ISTMP1.DIR\_INS5576._MP
      C:\Users\Admin\AppData\Local\Temp\_ISTMP1.DIR\_INS5576._MP
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of SetWindowsHookEx
      PID:2592
  - - C:\Users\Admin\AppData\Local\Temp\pftB7F6~tmp\_ISDEL.EXE
      C:\Users\Admin\AppData\Local\Temp\pftB7F6~tmp\_ISDEL.EXE
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      PID:4696
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1944
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1544
  - - C:\Users\Admin\AppData\Local\Temp\pft877F~tmp\Setup.exe
      "C:\Users\Admin\AppData\Local\Temp\pft877F~tmp\Setup.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3924
    - - C:\Users\Admin\AppData\Local\Temp\_ISTMP1.DIR\_INS5576._MP
        
        C:\Users\Admin\AppData\Local\Temp\_ISTMP1.DIR\_INS5576._MP
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:3960
    - - C:\Users\Admin\AppData\Local\Temp\pft877F~tmp\_ISDEL.EXE
        
        C:\Users\Admin\AppData\Local\Temp\pft877F~tmp\_ISDEL.EXE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4392

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\GM\TIFF Viewer Plugin\NPIMGVIE.dll

Filesize
620KB

MD5
13ab2d02bbff6b6bb7a699f97f03d03c

SHA1
0fa848dfb2b85d50bd38e14b2b15083198057a79

SHA256
cd8608c00b79b2bdc515a517839ff77369a80fe4d6f877f9ba2dd27a9161c26d

SHA512
d5c74ba0e37b623a7ffb0338e2c6393d6eebd4b87c12f4d1c0f43846b27332d1a2aaa28fea681d259f971c1378a8e3db2537d50a46337139ea29bd29f2a7be11

Download Submit
C:\ProgramData\Synaptics\Synaptics.exe

Filesize
1.6MB

MD5
6d626a8d94a479f28da8ff463206850c

SHA1
e12c85290275c5a300eaece8803043cb1073138b

SHA256
414f0d4f19f59139e6c9189d295da4d982c2b8fdbbea6ae9db8448968b39e452

SHA512
5fc49c327b05acd8de78fbc6703ed06b844c1792339d6c2a2a89e7e03392e17022b2da996f6d1384024b78e8a967f896cc17a1e5c806422ba3b4cf49e76817e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_414f0d4f19f59139e6c9189d295da4d982c2b8fdbbea6ae9db8448968b39e452.exe

Filesize
935KB

MD5
5efa0e6fcb7452aee89ae7ae3fb8a0b1

SHA1
8c0010c61b7921cfc795d7e07cc19070765206c2

SHA256
08b733416d9dbe1261f206dd524a4903f0c852b62c74450aafcb3bc44e1c2bd5

SHA512
94d86bd670c949473f5c076b8c1232fd42282fda2d14d4448e613cda0161a431e1c787901f08221a39c47fef0f48c784d84b96bc5103c85c0e6b371f22373655

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ISTMP1.DIR\ZDATAI51.DLL

Filesize
52KB

MD5
2a9a390018a50f1af0df0b7118696f6e

SHA1
f9a4cf357e49cf1f032ca4f8d46def52c6935e33

SHA256
1d9321dd5e1790dff91cbd475a023760f3b6b6b26e849b70b171b841070378f2

SHA512
813be48cf11a14b618fbfa358794b1e6cef727f305470f27c82bbfccc0921ef2141d740a71c47890db1e705f10bc3d0c67e3d9f651710fdd88f19b9e7e30bc38

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ISTMP1.DIR\_INS0432.INI

Filesize
178B

MD5
859908acc16dbf7fbfa424a320349377

SHA1
87eaf59a62521927b04d761d11710dcd8ad9f547

SHA256
6bf090709fe39beaa367e83a75a9474157f280571cc2ec08bf49ebe39027df71

SHA512
1a90495546b7a2db25ed76b891cfebeac3d816693c7a46990d73e1b7fd64ebaac84470a35a581fd003800d1eff28d31807b1eca134d2880b748c5611e25cb947

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ISTMP1.DIR\_INS0432.INI

Filesize
178B

MD5
fbf2972af4ab0e6068f48b08f8eb2da6

SHA1
71b60345a09b139e73bf4653db39c715432ddca4

SHA256
b1ec1c84c190e001802b31ae07a73187ac261c0b9da00f7aca0214150356e3af

SHA512
c2cf3c7673d7afce97af58415354918232c91f4d38f8bdc109fb1e9d69191d4472eb46445089e492da258f68c6a83370f4ef00093d7c9f6d9d6a476f10eb7851

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ISTMP1.DIR\_INS5576._MP

Filesize
544KB

MD5
d28cb295e2395b3593293470e7784512

SHA1
8a734689b76929beaeb6110c45c41948d4d4c12f

SHA256
a8657371f03e2e66db951c3dcd3aeb42c576894908ca2eb1b3806aa0404cb083

SHA512
c526b986e47a8cb2f9cb6fd0bf1f48d9fbbcbfaa6dcee0bce6670095df586b179eef0fa6fc7ee56995d3f100df5ed359eff6858d646b68268bd9d3c68dd816f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ISTMP1.DIR\_ISTMP0.DIR\Corecomp.ini

Filesize
27KB

MD5
b6c87bb7d1504ff47cf73513f85cddd2

SHA1
1068bbde1054e1efad18f5dce17ba539608541ce

SHA256
1e7aa59759b9ca31607b5e2df10117bfa13473354bdacf08ec4625558d040f25

SHA512
b2eca3dc3d3a20d49c58fb1093911f118e93e3a67c419bd19568e35cf7c4acd08590d795073babbf21bb2e060afc86540445de67ac9549e240e9d8dcf14dfe19

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ISTMP1.DIR\_ISTMP0.DIR\Ctl3d32.dll

Filesize
26KB

MD5
89cf6af0a2a1cfebc82851c20852c121

SHA1
9106f4ade6a696d5f98968bce895333ad5dbd9ae

SHA256
94ef91b4c7864bd1ecc0db099e58298708bc5d22da40132ebb1c17feb4675964

SHA512
af4a484b9bb8850c29fbfee1784b3cd3f78e6cbb419ad49262c28be16b31b5e1b43328c3088ae83f202ad2941062fa94325d77078f5c8e07a11a3fea1b56d627

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ISTMP1.DIR\_ISTMP0.DIR\ISUninst.exe

Filesize
299KB

MD5
515e4684008e955de0c81e6a7aea1c2a

SHA1
ebe026f9c551f372ad82186ff6b9c2ca26dd684c

SHA256
6d631e94acce1f2808a6b1125a6617d1b0ba7e50d93c1d656aa2620bcd0bb965

SHA512
c889a733c61687aa9be0b67cc2e4ecf2a500386054dffa072780a4f46b29373e0dad79c35f375fdeb6572dbc11b24436b88cee3ba431a37965cf0e884ab636b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ISTMP1.DIR\_ISTMP0.DIR\e578b19.DLL

Filesize
126KB

MD5
18556ed6ea953c31f1c4953d2f210c78

SHA1
7ec5618bae6bbfb45a02c933de7bce8d0fdeb22c

SHA256
f8fa0c3350ed8675c95a9532a0ee057bd0d1c0e79d90bf5e91f75b3f7f25d969

SHA512
0523df4e8062f8dca1a3096f17eaf359c4cd84a00aaadf734e0431a07ded2fa7fe6549bb5a387d839cffe60a9705c3e4f376679006d3eea4e95dcac21766e79f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ISTMP1.DIR\_ISTMP0.DIR\value.shl

Filesize
696B

MD5
6d9b108c8cbc34616bfd3ca288ede98f

SHA1
473846c8ec012ec35acb93435d05d526e3273db1

SHA256
ddd5fcf21c22b58081c2077036e45e3a082ae14cc228d37683d500523da58703

SHA512
8a8853d0bfa9ba8dc91bde6087ced8c22f2e672ab9954f4b4e412e77b54a1f44a3e4f59bf6277c67dbc30ee4c3057b6225593e9e26a3f1d8fa6a365fba5f8a06

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ISTMP1.DIR\_WUTL951.DLL

Filesize
45KB

MD5
9567a2dac1b8efbd7b0c6dce2a2251c3

SHA1
db72683ff3a3000771394d5eed7e2de922dcadbf

SHA256
67d309a88d68c449c2d0a76c0f2d2c9b2b764a469a6daea67df0279dd49c9296

SHA512
51806383e05cbc67754fc746c16ddf8364610bb22260b8638f586b02dbeb0813cee6acc9962b2b928205d445a82f2cc2022b6d1162f8da644ac902c0f3a327a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\pft877F~tmp\LAYOUT.BIN

Filesize
590B

MD5
34a1ec00b2470bd90d0a9c6480aa9054

SHA1
9d8d13b9df708a6ffdc7cf4f29e6783bb7ba3a8c

SHA256
b48cf9b1279830032c9c9d3229004658a55d5e34ced2eed0c4f79e4ca94e3d04

SHA512
27ea2cbe231c88434e225b6437013e8152a9b1121b2216f0331cb6cecc8a4e3eb17613ed4ddb4635639e5e1f06a12e9588608b23c615a8e5a48318dca0dba334

Download Submit
C:\Users\Admin\AppData\Local\Temp\pft877F~tmp\SETUP.INS

Filesize
55KB

MD5
fa14cba392925f26f53a5c16ccc863fe

SHA1
4baa27eccb6b0facd6728533775bc5ec1a3e5e61

SHA256
6066a60ef19d52bf10b42632e46a49b88bb63020eca448255aa71cfb81055e69

SHA512
a280259e0e4cb9edeb2450ee70db35b6fad14ece1055832bd86286ce952a7865ab700a45f6cca438c664268883f2fdb87872691cac025f858e4b391a52228c50

Download Submit
C:\Users\Admin\AppData\Local\Temp\pft877F~tmp\SETUP.LID

Filesize
49B

MD5
1b79748e93a541cc1590505b6c72828a

SHA1
1ddefee04dc9e9b2576dc34eebcfa3de4aa82af9

SHA256
708d29c649525882937031b3d73cc851b7b1bc30772eb4e0e2a71523908f2eb5

SHA512
e85c1f04d3841cd1e5aa5d7ba37bb3aff557d67b1aceb2d9435f07862593eb4e139162c71d9b017c82aade2e1c535c79d1a18d26dffb95282e10bc64bda04bfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\pft877F~tmp\Setup.exe

Filesize
72KB

MD5
71e6dd8a9de4a9baf89fca951768059a

SHA1
aac779471a2f9ae3d3e0e39047ef1744feda77b1

SHA256
5656e87da0641c9dcfcd0ee8949ce72b3fa6a7d0e8b1fd985a16f6bd6c34ce52

SHA512
d15bb31ce595767dd366ea2130121a7a2a311c4e639f8b464ceac880d00735c11d950fc16725a3da9459d22a122dd3c33bc0631be90556b4078df9509b0048de

Download Submit
C:\Users\Admin\AppData\Local\Temp\pft877F~tmp\_INST32I.EX_

Filesize
289KB

MD5
6229a86a1d291c311da49a7d69a49a1f

SHA1
586254e13d8ffdd956f1fb4e6ce858b91a390864

SHA256
b2ff4e8402a5160c491b1ac7eba0073fbbe2220dce107441461b250544eff35a

SHA512
d2e21662258593d17b8debbd74f92e2b37ee3f5f3fdb0cbe8a4c9a16a6dbee6911b92c4afff86f4fa2afa311343e43029dec9c0e08a728309f2ccbf1ded7e896

Download Submit
C:\Users\Admin\AppData\Local\Temp\pft877F~tmp\_ISDEL.EXE

Filesize
27KB

MD5
51161bf79f25ff278912005078ad93d5

SHA1
13cb580aa1d2823ca0f748b1fc262b7db1689f19

SHA256
b5dc0feb738a91ce3cfa982647fe2779787335c6c2c598d5b49818565d7c3e84

SHA512
c91eac5a01ec7bfb4d3c9df7f90a1c6c6211464ecfede54f7ce2f0c8a79561e4425a56eb41b48bcd89a80bd45228b2ce0c649ed92d24019a15916306d9131d8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\pft877F~tmp\_SETUP.DLL

Filesize
34KB

MD5
ecacc9ab09d7e8898799fe5c4ebbbdd2

SHA1
be255fe9b6c9d638a40a5c1e88f2d5f4e37654e6

SHA256
1ad637e80a25f6f885604589056814d16ccad55699be14920e2b99f2d74c1019

SHA512
16412756b147a9e6c1e8ce503f374abde87919a5ae1de576963ed748a2934eff9f95d5b33cacefebe1c6cdfe64d9b595986c60bdbce8aebf0a4bcc83b6f25779

Download Submit
C:\Users\Admin\AppData\Local\Temp\pft877F~tmp\_sys1.cab

Filesize
171KB

MD5
969ac09a8e439ae814e0855fd9473e1e

SHA1
2fc2f4fafc98f91504e03f85246ef09dc8b9be8d

SHA256
d97bd0e8ba728e1a1ce5147a9fb60008e7b6d1ff1529f7b1ee646112ebf79e10

SHA512
ea497b2c2cc66bd9255d38bb2a938c65a87ec94db66bf9f0ba93864ad87396920f19555a9ce88a65492226fdbf9958173ecd2eca5602afcc0e2bab89db3a22a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\pft877F~tmp\_sys1.hdr

Filesize
3KB

MD5
0687fb7d9e9ca7a053ca8a02817aaf01

SHA1
26333ccc22aa7d19c6cd292ba5db90dc7d9ea067

SHA256
87525135e6cb44a607eaad61028e84f0b2e6a4689fe48ad923f4c4f7d1829d6a

SHA512
49569b88c9f4e6580e02719341e0a40f73bdbdf8e0247edacc0a14a185b7d46bb776b0e2e306eea50888a75c6694bfbc8350cd67a659ca4491e24902df0297fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\pft877F~tmp\_user1.cab

Filesize
928B

MD5
c0b06f789609706d89256a74f151f2e8

SHA1
d1ea04d9ed2b01bed60d20a7bfde7a0e80583e26

SHA256
71ea51273b233026cf0803e0351610ecf4cb1b6a704daca1b63f7f09b1d278d2

SHA512
f79920215ae18366bf6095270597305cbcf979b6c5a49b97e2fe840146ab16b96e229db6be6dc82fdcef3c44672a7a2a0bed173f50d30a5020ea0d4d7f3b1c7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\pft877F~tmp\_user1.hdr

Filesize
4KB

MD5
002c98334ca2fa21fe75d35611889ba8

SHA1
713f4a78b7b2c56dd1b6c052e1f7542c5fbdadda

SHA256
5d696e38520fad0a321f47ef03d901e5a635803478bf107ce534c895ba8e1bfe

SHA512
fd122c6f62776dbf2fc78d523df6895ae499e84f5c66e29d23f8b752283a4a97af283ffadd1b1bb28c67f31babc42bf859e95746a7ea4788b4c6b7959e5218ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\pft877F~tmp\data1.cab

Filesize
268KB

MD5
65c536448bfb096978956636c5797986

SHA1
302b8d307dae7af6146785d39c25a598c676fc41

SHA256
d6b0b85ef45b10efc73800d142d27130a60f60f76a8983d29a5b43400ee2feca

SHA512
128f861febe8401db65d30f22d93c15fccaecac17d73318095f39fa5af7b6f031790ea9fa4a96023c56df14336b3a67b79717bece9c29b96c99a8f243435c78c

Download Submit
C:\Users\Admin\AppData\Local\Temp\pft877F~tmp\data1.hdr

Filesize
2KB

MD5
941c58b4485190409bb29c50dba48bbb

SHA1
afc0573818f05acf2f858bafc47773fa44f0fefe

SHA256
be67cb3ac80c8637d19fae775c967f0ebf96ebf823fe24480877944a68db8d64

SHA512
c19830405c41e135161dea6aab2c6e4cfcd94ed35d62bfccdf7ebff2dec41b4f2610e6f9bd065ae29393a85b39f1d6e13880523d0b9fccc111e36adab00d811d

Download Submit
C:\Users\Admin\AppData\Local\Temp\pft877F~tmp\os.dat

Filesize
450B

MD5
478f65a0b922b6ba0a6ce99e1d15c336

SHA1
577bb092378b8e4522eff40335ff7a50040170b7

SHA256
be2292517342de82d50cefbacb185e36558fcdfbf686692e7df08a80331f9bee

SHA512
747589cae4514cff7d5ea9b51b483c0fe6cb9242b0f31503268a73881acddf25541a7ae56f8826b4f15235dd2ab8c98c94674666e47c36ea913bcfb539143c9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\pft877F~tmp\pftw1.pkg

Filesize
806KB

MD5
1b41aaf5f449dfcce9bff89a7fcbbcf3

SHA1
87eeee167c02442af9d60e0da654476bbd7a6652

SHA256
e2d9292406eb9bf1a49ab95b8a1a43503d34216aa778d2ff017ba4f8fbad7d19

SHA512
2aea9bb85951d101a66a622e855c592867d194c0e117a9662ca0877d169fccf599960901962c26ecdbd548e05fa030017fd87afd1ddb16dcb12c8c20984c7c27

Download Submit
C:\Users\Admin\AppData\Local\Temp\pft877F~tmp\setup.ini

Filesize
106B

MD5
6c823e4fc1e4bd3e0359db1e2c14cdfb

SHA1
a65396bdd98b7f05f41887da536d65f84292f626

SHA256
f55d480fb1869fbaf39ed96d846c6216d82b027d4a3ef2efbe3a8e05b1cb25ba

SHA512
d5de6fd8d7adbab7570fcb82e347ab4d04652455bfec439543b210f85c87479dec5362d9d530c93d6cad433dfa654e5dc489a2d69d8e192355366d83e23403d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\pftB7F6~tmp\DATA.TAG

Filesize
134B

MD5
b7dca964443d7ca98b84903e67b8f798

SHA1
aed842b2b9281e695672c2a1c24fc1df9df6d630

SHA256
2a6667cacc2ccf565f441f9499845d843e916b2f945a77d32a2ba6a48ba2872a

SHA512
708dbee786e88e6159541257805afde9f76da77874a45c8f03983119d7e91e7beb9b59a96a9e94d545167d4a3d3494badcce7488fcacc6f49d7cb4f289ee84ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\pftB7F6~tmp\lang.dat

Filesize
22KB

MD5
70627bd56fe92a5c97027cbbd88bacd0

SHA1
9cbdb75947dc561c929b0e799cf022961a7fe074

SHA256
b67a09f3fe25b08025810bbb20b8fae05672d0a723f2dbed84f04224a89e6344

SHA512
2377840a55f883e4f9fdafbd370ace9bf6bfe4ad55c1b7a46a269a5f9ef5c2032f00ef7c37f8863f99c2965d4dd4828edb11c668abe5dca4eba2c2dfde2bb0f4

Download Submit
C:\Windows\_delis32.ini

Filesize
138B

MD5
30fc74954db1674d9ff7b18a57d238d1

SHA1
48e6ff8513571aa7645d634fff8414f6ae6ff907

SHA256
84dec7a4b0013aece8d2549b77dbbdbd69f834838cfa1b634c3987a484b01783

SHA512
3b8cd261d025058c4542120d23f4be22a6bca8b80adab3fd55c213a5547dd77a3fc8ec0c4f0127ed440fbd0b32fd34fe5fe5b8a60bdf15f65a24e5a7a71647cc

Download Submit
C:\Windows\_delis32.ini

Filesize
268B

MD5
88c6ea9ed6cd04c7cae5d96a623d1973

SHA1
50e875bc6a3ce09b8e2e31a738747bcbb26d78b2

SHA256
290b98b00f660ca6317dc2b64ec399b15373a9b7a0574c45b7b4b5888a0b257d

SHA512
dce8c79b04d4319f9b43cd585877c382b0d5b1778ee1e85614e78a87366526167c658512c245ad1ebf96d465f4cb33f2c959fbc8189ccff53d888cd154e500b8

Download Submit
C:\Windows\_isenv31.ini

Filesize
1KB

MD5
29e40768e548a1bf2bf32aca813d65e6

SHA1
66fbd2b17e7134bfeb28d06be5a8013e74ae908a

SHA256
0706ad4e230b200adeccdd20e1b89dfc212b4f55b0e4e18c685e2e4446a64fdc

SHA512
a5d772a773d90cb645aa873fb521a257abaec807217365b1236c177c672349c088ba7cd7685bd40780190d5ed473ce95f2157f104beff04f355a24ceedfd94bc

Download Submit
C:\Windows\_isenv31.ini

Filesize
1KB

MD5
bdd0a68bbd58da01af11267db87887f6

SHA1
97e4a10c2c724d061602c4fd9d5bdfe03320883f

SHA256
ca4221f262eb6350e4461847d4b33bbd1cc2a3b9510d26967c46a37b4c152ecf

SHA512
4df3fbc76e61ca0d1dbae5aaae25f978284f7a2bad5918e8872ba4b001dc4218bf3939cadebdce8b7cff829a9ab226c9b8220213f7fe5651baf1c0d6c4ed3a8a

Download Submit
C:\Windows\_iserr31.ini

Filesize
521B

MD5
b99921c1ce27e631044ad7ad03e27faa

SHA1
13fa80578e7a9f5ece1cfd7913eec6e3e5b12250

SHA256
bd6efc8e0f5b775ae357f3b647d74b7ddbc5fb8fc827e659d77ac2ef9888f16f

SHA512
79ff7699ad240f4b62c5b336fb6ebb684e675b2d74cf541997f1d42716c1e05bcc35d92443c0641a6f0e60a26d3add03f6316390aacb22701b718f652e5472ab

Download Submit
memory/1396-0-0x0000000002340000-0x0000000002341000-memory.dmp

Filesize
4KB

Download
memory/1396-128-0x0000000000400000-0x00000000005AC000-memory.dmp

Filesize
1.7MB

Download
memory/1944-322-0x0000000000400000-0x00000000005AC000-memory.dmp

Filesize
1.7MB

Download
memory/1944-129-0x0000000002200000-0x0000000002201000-memory.dmp

Filesize
4KB

Download
memory/1944-323-0x0000000002200000-0x0000000002201000-memory.dmp

Filesize
4KB

Download
memory/1944-574-0x0000000000400000-0x00000000005AC000-memory.dmp

Filesize
1.7MB

Download
memory/2592-500-0x0000000000560000-0x0000000000570000-memory.dmp

Filesize
64KB

Download
memory/3960-330-0x0000000005320000-0x00000000053BD000-memory.dmp

Filesize
628KB

Download
memory/3960-318-0x00000000004D0000-0x00000000004E0000-memory.dmp

Filesize
64KB

Download
memory/4392-339-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/4696-516-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads