xred | 414f0d4f19f59139e6c9189d295da4d982c2b8fdbbea6ae9db8448968b39e452

Analysis

max time kernel
141s
max time network
149s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
03-12-2024 18:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

414f0d4f19f59139e6c9189d295da4d982c2b8fdbbea6ae9db8448968b39e452.exe
Size

1.6MB
MD5

6d626a8d94a479f28da8ff463206850c
SHA1

e12c85290275c5a300eaece8803043cb1073138b
SHA256

414f0d4f19f59139e6c9189d295da4d982c2b8fdbbea6ae9db8448968b39e452
SHA512

5fc49c327b05acd8de78fbc6703ed06b844c1792339d6c2a2a89e7e03392e17022b2da996f6d1384024b78e8a967f896cc17a1e5c806422ba3b4cf49e76817e8
SSDEEP

49152:EnsHyjtk2MYC5GD2HZxOe4+T+4sOj8yJ4LJ+Y:Ensmtk2af4R4xj8UOx

Score

10^/10

xred backdoor discovery persistence

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Executes dropped EXE 8 IoCs

pid	Process
2128	._cache_414f0d4f19f59139e6c9189d295da4d982c2b8fdbbea6ae9db8448968b39e452.exe
2704	Synaptics.exe
2604	._cache_Synaptics.exe
2180	Setup.exe
3028	_INS5576._MP
1360	_ISDEL.EXE
2720	Setup.exe
2612	_INS5576._MP

Loads dropped DLL 40 IoCs

pid	Process
1260	414f0d4f19f59139e6c9189d295da4d982c2b8fdbbea6ae9db8448968b39e452.exe
1260	414f0d4f19f59139e6c9189d295da4d982c2b8fdbbea6ae9db8448968b39e452.exe
2128	._cache_414f0d4f19f59139e6c9189d295da4d982c2b8fdbbea6ae9db8448968b39e452.exe
2128	._cache_414f0d4f19f59139e6c9189d295da4d982c2b8fdbbea6ae9db8448968b39e452.exe
2128	._cache_414f0d4f19f59139e6c9189d295da4d982c2b8fdbbea6ae9db8448968b39e452.exe
1260	414f0d4f19f59139e6c9189d295da4d982c2b8fdbbea6ae9db8448968b39e452.exe
1260	414f0d4f19f59139e6c9189d295da4d982c2b8fdbbea6ae9db8448968b39e452.exe
2704	Synaptics.exe
2704	Synaptics.exe
2704	Synaptics.exe
2604	._cache_Synaptics.exe
2604	._cache_Synaptics.exe
2604	._cache_Synaptics.exe
2604	._cache_Synaptics.exe
2180	Setup.exe
2180	Setup.exe
2180	Setup.exe
2180	Setup.exe
2180	Setup.exe
2180	Setup.exe
3028	_INS5576._MP
3028	_INS5576._MP
3028	_INS5576._MP
3028	_INS5576._MP
3028	_INS5576._MP
3028	_INS5576._MP
2128	._cache_414f0d4f19f59139e6c9189d295da4d982c2b8fdbbea6ae9db8448968b39e452.exe
2720	Setup.exe
2720	Setup.exe
2720	Setup.exe
2720	Setup.exe
2720	Setup.exe
2612	_INS5576._MP
2612	_INS5576._MP
2612	_INS5576._MP
2612	_INS5576._MP
2612	_INS5576._MP
2612	_INS5576._MP
2612	_INS5576._MP
2612	_INS5576._MP

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	414f0d4f19f59139e6c9189d295da4d982c2b8fdbbea6ae9db8448968b39e452.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\GM\TIFF Viewer Plugin\Uninst.isu	_INS5576._MP
File opened for modification	C:\Program Files (x86)\GM\TIFF Viewer Plugin\NPIMGVIE.dll	_INS5576._MP
File opened for modification	C:\Program Files (x86)\GM\TIFF Viewer Plugin\DeIsL1.isu	_INS5576._MP
File opened for modification	C:\Program Files (x86)\GM\TIFF Viewer Plugin\NPIMGVIE.dll	_INS5576._MP

Drops file in Windows directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\IsUninst.exe	_INS5576._MP
File opened for modification	C:\Windows\_delis32.ini	_ISDEL.EXE
File created	C:\Windows\_isenv31.ini	Setup.exe
File created	C:\Windows\_INS33IS._MP	_ISDEL.EXE
File opened for modification	C:\Windows\_iserr31.ini	Setup.exe
File created	C:\Windows\_isenv31.ini	Setup.exe
File opened for modification	C:\Windows\_delis32.ini	Setup.exe
File opened for modification	C:\Windows\_iserr31.ini	Setup.exe
File opened for modification	C:\Windows\_delis32.ini	Setup.exe
File opened for modification	C:\Windows\IsUninst.exe	_INS5576._MP

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	_INS5576._MP
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	_INS5576._MP
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_414f0d4f19f59139e6c9189d295da4d982c2b8fdbbea6ae9db8448968b39e452.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	_ISDEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	414f0d4f19f59139e6c9189d295da4d982c2b8fdbbea6ae9db8448968b39e452.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1D0E4EDA-3E73-11D3-A295-00E0290E822E}	_INS5576._MP
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1D0E4EDA-3E73-11D3-A295-00E0290E822E}\MiscStatus	_INS5576._MP
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1D0E4EDA-3E73-11D3-A295-00E0290E822E}\MiscStatus\1	_INS5576._MP
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1D0E4EDA-3E73-11D3-A295-00E0290E822E}\Version	_INS5576._MP
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1D0E4ED9-3E73-11D3-A295-00E0290E822E}\TypeLib	_INS5576._MP
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\NPIMGVIE.TIFFHotSpotCtrl.1\ = "TIFFHotSpotCtrl Class"	_INS5576._MP
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1D0E4EDA-3E73-11D3-A295-00E0290E822E}\MiscStatus\1\ = "131473"	_INS5576._MP
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1D0E4EDB-3E73-11D3-A295-00E0290E822E}\TypeLib\Version = "1.0"	_INS5576._MP
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1D0E4ED9-3E73-11D3-A295-00E0290E822E}\TypeLib\Version = "1.0"	_INS5576._MP
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1D0E4EDA-3E73-11D3-A295-00E0290E822E}\InprocServer32\ = "C:\\PROGRA~2\\GM\\TIFFVI~1\\NPIMGVIE.dll"	_INS5576._MP
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1D0E4EDA-3E73-11D3-A295-00E0290E822E}\EnableFullPage\.htf	_INS5576._MP
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.itf	_INS5576._MP
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1D0E4EDA-3E73-11D3-A295-00E0290E822E}\MiscStatus\ = "0"	_INS5576._MP
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-TIFF-GM	_INS5576._MP
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1D0E4EDA-3E73-11D3-A295-00E0290E822E}\Programmable	_INS5576._MP
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1D0E4EDA-3E73-11D3-A295-00E0290E822E}\InprocServer32	_INS5576._MP
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1D0E4EDA-3E73-11D3-A295-00E0290E822E}	_INS5576._MP
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1D0E4EDA-3E73-11D3-A295-00E0290E822E}\EnableFullPage\.htf	_INS5576._MP
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-TIFF-HotSpot\CLSID = "{1D0E4EDA-3E73-11D3-A295-00E0290E822E}"	_INS5576._MP
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1D0E4EDB-3E73-11D3-A295-00E0290E822E}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	_INS5576._MP
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1D0E4ED9-3E73-11D3-A295-00E0290E822E}\TypeLib\ = "{1D0E4ECD-3E73-11D3-A295-00E0290E822E}"	_INS5576._MP
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.itf	_INS5576._MP
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1D0E4EDA-3E73-11D3-A295-00E0290E822E}\VersionIndependentProgID	_INS5576._MP
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1D0E4EDA-3E73-11D3-A295-00E0290E822E}\InprocServer32\ThreadingModel = "Apartment"	_INS5576._MP
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1D0E4EDA-3E73-11D3-A295-00E0290E822E}\EnableFullPage	_INS5576._MP
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-TIFF-HotSpot	_INS5576._MP
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1D0E4ECD-3E73-11D3-A295-00E0290E822E}\1.0	_INS5576._MP
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1D0E4EDB-3E73-11D3-A295-00E0290E822E}\ = "_ITIFFHotSpotCtrlEvents"	_INS5576._MP
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1D0E4ED9-3E73-11D3-A295-00E0290E822E}\TypeLib\Version = "1.0"	_INS5576._MP
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1D0E4ED9-3E73-11D3-A295-00E0290E822E}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	_INS5576._MP
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\NPIMGVIE.TIFFHotSpotCtrl.1	_INS5576._MP
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1D0E4EDA-3E73-11D3-A295-00E0290E822E}\TypeLib\ = "{1D0E4ECD-3E73-11D3-A295-00E0290E822E}"	_INS5576._MP
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1D0E4ED9-3E73-11D3-A295-00E0290E822E}	_INS5576._MP
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1D0E4EDA-3E73-11D3-A295-00E0290E822E}\VersionIndependentProgID	_INS5576._MP
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1D0E4EDA-3E73-11D3-A295-00E0290E822E}\MiscStatus\ = "0"	_INS5576._MP
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1D0E4EDA-3E73-11D3-A295-00E0290E822E}\MiscStatus\1	_INS5576._MP
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1D0E4EDA-3E73-11D3-A295-00E0290E822E}\Insertable	_INS5576._MP
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1D0E4EDA-3E73-11D3-A295-00E0290E822E}\Version\ = "1.0"	_INS5576._MP
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1D0E4EDA-3E73-11D3-A295-00E0290E822E}\VersionIndependentProgID\ = "NPIMGVIE.TIFFHotSpotCtrl"	_INS5576._MP
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1D0E4EDA-3E73-11D3-A295-00E0290E822E}\Programmable	_INS5576._MP
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1D0E4ED9-3E73-11D3-A295-00E0290E822E}\ = "ITIFFHotSpotCtrl"	_INS5576._MP
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1D0E4EDA-3E73-11D3-A295-00E0290E822E}\TypeLib\ = "{1D0E4ECD-3E73-11D3-A295-00E0290E822E}"	_INS5576._MP
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1D0E4EDB-3E73-11D3-A295-00E0290E822E}\ProxyStubClsid32	_INS5576._MP
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1D0E4ED9-3E73-11D3-A295-00E0290E822E}\TypeLib	_INS5576._MP
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1D0E4EDA-3E73-11D3-A295-00E0290E822E}\TypeLib	_INS5576._MP
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-TIFF-GM	_INS5576._MP
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1D0E4ED9-3E73-11D3-A295-00E0290E822E}	_INS5576._MP
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1D0E4EDA-3E73-11D3-A295-00E0290E822E}\InprocServer32	_INS5576._MP
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1D0E4ECD-3E73-11D3-A295-00E0290E822E}\1.0\ = "NPIMGVIE 1.0 Type Library"	_INS5576._MP
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1D0E4EDB-3E73-11D3-A295-00E0290E822E}	_INS5576._MP
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1D0E4EDA-3E73-11D3-A295-00E0290E822E}\InprocServer32	_INS5576._MP
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1D0E4EDA-3E73-11D3-A295-00E0290E822E}\Version	_INS5576._MP
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1D0E4EDA-3E73-11D3-A295-00E0290E822E}\VersionIndependentProgID	_INS5576._MP
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1D0E4EDA-3E73-11D3-A295-00E0290E822E}\Control	_INS5576._MP
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\NPIMGVIE.TIFFHotSpotCtrl\CLSID\ = "{1D0E4EDA-3E73-11D3-A295-00E0290E822E}"	_INS5576._MP
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-TIFF-GM	_INS5576._MP
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.itf\Content Type = "application/x-TIFF-GM"	_INS5576._MP
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-TIFF-GM\CLSID = "{1D0E4EDA-3E73-11D3-A295-00E0290E822E}"	_INS5576._MP
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1D0E4ECD-3E73-11D3-A295-00E0290E822E}\1.0\FLAGS\ = "0"	_INS5576._MP
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1D0E4ED9-3E73-11D3-A295-00E0290E822E}\ProxyStubClsid32	_INS5576._MP
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1D0E4EDA-3E73-11D3-A295-00E0290E822E}\TypeLib	_INS5576._MP
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1D0E4EDA-3E73-11D3-A295-00E0290E822E}\ProgID	_INS5576._MP
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1D0E4EDA-3E73-11D3-A295-00E0290E822E}\ToolboxBitmap32	_INS5576._MP
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-TIFF-GM\CLSID = "{1D0E4EDA-3E73-11D3-A295-00E0290E822E}"	_INS5576._MP

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2632	EXCEL.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2632	EXCEL.EXE

Suspicious use of WriteProcessMemory 53 IoCs

description	pid	Process	procid_target
PID 1260 wrote to memory of 2128	1260	414f0d4f19f59139e6c9189d295da4d982c2b8fdbbea6ae9db8448968b39e452.exe	30
PID 1260 wrote to memory of 2128	1260	414f0d4f19f59139e6c9189d295da4d982c2b8fdbbea6ae9db8448968b39e452.exe	30
PID 1260 wrote to memory of 2128	1260	414f0d4f19f59139e6c9189d295da4d982c2b8fdbbea6ae9db8448968b39e452.exe	30
PID 1260 wrote to memory of 2128	1260	414f0d4f19f59139e6c9189d295da4d982c2b8fdbbea6ae9db8448968b39e452.exe	30
PID 1260 wrote to memory of 2128	1260	414f0d4f19f59139e6c9189d295da4d982c2b8fdbbea6ae9db8448968b39e452.exe	30
PID 1260 wrote to memory of 2128	1260	414f0d4f19f59139e6c9189d295da4d982c2b8fdbbea6ae9db8448968b39e452.exe	30
PID 1260 wrote to memory of 2128	1260	414f0d4f19f59139e6c9189d295da4d982c2b8fdbbea6ae9db8448968b39e452.exe	30
PID 1260 wrote to memory of 2704	1260	414f0d4f19f59139e6c9189d295da4d982c2b8fdbbea6ae9db8448968b39e452.exe	31
PID 1260 wrote to memory of 2704	1260	414f0d4f19f59139e6c9189d295da4d982c2b8fdbbea6ae9db8448968b39e452.exe	31
PID 1260 wrote to memory of 2704	1260	414f0d4f19f59139e6c9189d295da4d982c2b8fdbbea6ae9db8448968b39e452.exe	31
PID 1260 wrote to memory of 2704	1260	414f0d4f19f59139e6c9189d295da4d982c2b8fdbbea6ae9db8448968b39e452.exe	31
PID 2704 wrote to memory of 2604	2704	Synaptics.exe	32
PID 2704 wrote to memory of 2604	2704	Synaptics.exe	32
PID 2704 wrote to memory of 2604	2704	Synaptics.exe	32
PID 2704 wrote to memory of 2604	2704	Synaptics.exe	32
PID 2704 wrote to memory of 2604	2704	Synaptics.exe	32
PID 2704 wrote to memory of 2604	2704	Synaptics.exe	32
PID 2704 wrote to memory of 2604	2704	Synaptics.exe	32
PID 2604 wrote to memory of 2180	2604	._cache_Synaptics.exe	34
PID 2604 wrote to memory of 2180	2604	._cache_Synaptics.exe	34
PID 2604 wrote to memory of 2180	2604	._cache_Synaptics.exe	34
PID 2604 wrote to memory of 2180	2604	._cache_Synaptics.exe	34
PID 2604 wrote to memory of 2180	2604	._cache_Synaptics.exe	34
PID 2604 wrote to memory of 2180	2604	._cache_Synaptics.exe	34
PID 2604 wrote to memory of 2180	2604	._cache_Synaptics.exe	34
PID 2180 wrote to memory of 3028	2180	Setup.exe	35
PID 2180 wrote to memory of 3028	2180	Setup.exe	35
PID 2180 wrote to memory of 3028	2180	Setup.exe	35
PID 2180 wrote to memory of 3028	2180	Setup.exe	35
PID 2180 wrote to memory of 3028	2180	Setup.exe	35
PID 2180 wrote to memory of 3028	2180	Setup.exe	35
PID 2180 wrote to memory of 3028	2180	Setup.exe	35
PID 2180 wrote to memory of 1360	2180	Setup.exe	36
PID 2180 wrote to memory of 1360	2180	Setup.exe	36
PID 2180 wrote to memory of 1360	2180	Setup.exe	36
PID 2180 wrote to memory of 1360	2180	Setup.exe	36
PID 2180 wrote to memory of 1360	2180	Setup.exe	36
PID 2180 wrote to memory of 1360	2180	Setup.exe	36
PID 2180 wrote to memory of 1360	2180	Setup.exe	36
PID 2128 wrote to memory of 2720	2128	._cache_414f0d4f19f59139e6c9189d295da4d982c2b8fdbbea6ae9db8448968b39e452.exe	39
PID 2128 wrote to memory of 2720	2128	._cache_414f0d4f19f59139e6c9189d295da4d982c2b8fdbbea6ae9db8448968b39e452.exe	39
PID 2128 wrote to memory of 2720	2128	._cache_414f0d4f19f59139e6c9189d295da4d982c2b8fdbbea6ae9db8448968b39e452.exe	39
PID 2128 wrote to memory of 2720	2128	._cache_414f0d4f19f59139e6c9189d295da4d982c2b8fdbbea6ae9db8448968b39e452.exe	39
PID 2128 wrote to memory of 2720	2128	._cache_414f0d4f19f59139e6c9189d295da4d982c2b8fdbbea6ae9db8448968b39e452.exe	39
PID 2128 wrote to memory of 2720	2128	._cache_414f0d4f19f59139e6c9189d295da4d982c2b8fdbbea6ae9db8448968b39e452.exe	39
PID 2128 wrote to memory of 2720	2128	._cache_414f0d4f19f59139e6c9189d295da4d982c2b8fdbbea6ae9db8448968b39e452.exe	39
PID 2720 wrote to memory of 2612	2720	Setup.exe	40
PID 2720 wrote to memory of 2612	2720	Setup.exe	40
PID 2720 wrote to memory of 2612	2720	Setup.exe	40
PID 2720 wrote to memory of 2612	2720	Setup.exe	40
PID 2720 wrote to memory of 2612	2720	Setup.exe	40
PID 2720 wrote to memory of 2612	2720	Setup.exe	40
PID 2720 wrote to memory of 2612	2720	Setup.exe	40

C:\Users\Admin\AppData\Local\Temp\414f0d4f19f59139e6c9189d295da4d982c2b8fdbbea6ae9db8448968b39e452.exe
"C:\Users\Admin\AppData\Local\Temp\414f0d4f19f59139e6c9189d295da4d982c2b8fdbbea6ae9db8448968b39e452.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1260
- C:\Users\Admin\AppData\Local\Temp\._cache_414f0d4f19f59139e6c9189d295da4d982c2b8fdbbea6ae9db8448968b39e452.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_414f0d4f19f59139e6c9189d295da4d982c2b8fdbbea6ae9db8448968b39e452.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2128
- - C:\Users\Admin\AppData\Local\Temp\pftEBD5~tmp\Setup.exe
    "C:\Users\Admin\AppData\Local\Temp\pftEBD5~tmp\Setup.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2720
  - - C:\Users\Admin\AppData\Local\Temp\_ISTMP2.DIR\_INS5576._MP
      C:\Users\Admin\AppData\Local\Temp\_ISTMP2.DIR\_INS5576._MP
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      PID:2612
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2704
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2604
  - - C:\Users\Admin\AppData\Local\Temp\pftBB25~tmp\Setup.exe
      "C:\Users\Admin\AppData\Local\Temp\pftBB25~tmp\Setup.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2180
    - - C:\Users\Admin\AppData\Local\Temp\_ISTMP1.DIR\_INS5576._MP
        
        C:\Users\Admin\AppData\Local\Temp\_ISTMP1.DIR\_INS5576._MP
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3028
    - - C:\Users\Admin\AppData\Local\Temp\pftBB25~tmp\_ISDEL.EXE
        
        C:\Users\Admin\AppData\Local\Temp\pftBB25~tmp\_ISDEL.EXE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1360

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
1.6MB

MD5
6d626a8d94a479f28da8ff463206850c

SHA1
e12c85290275c5a300eaece8803043cb1073138b

SHA256
414f0d4f19f59139e6c9189d295da4d982c2b8fdbbea6ae9db8448968b39e452

SHA512
5fc49c327b05acd8de78fbc6703ed06b844c1792339d6c2a2a89e7e03392e17022b2da996f6d1384024b78e8a967f896cc17a1e5c806422ba3b4cf49e76817e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\LuUgub5S.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\LuUgub5S.xlsm

Filesize
25KB

MD5
8b4e430fa5a83ede4f555f427f625f2f

SHA1
0dddf05ff6ede8f54807ad94d794b18ec1624786

SHA256
5c208d21b17222b24641eb2ba56494ca6e25f7b8654e7db17ee2461db9bbeba7

SHA512
19a4f84b35ed31113cd3458cd5461dd4c48332acc5f862d8380157de840d2386231cb5732490b4029373c3dc50808e11d8ec92053d0367673f5c03a7fcdbcf10

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ISTMP1.DIR\_INS0432.INI

Filesize
178B

MD5
6fba2281b1a226f969b11e445a9d1a91

SHA1
19ac6371c69ed54b02a3d27f3d023a8e8a187331

SHA256
5ea2e415cb2c058cd6b428a67da5b890e72ddc6d0d655c1797fa3ef318e3fd65

SHA512
f77747b99aa2115078f00e0d69dc79a305e7af051e8ddcdabadb9d4c062f9f24b76cbfe58b24b996c7c792275a25163e0e17e1d83faa789c879855d7e985b9eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ISTMP1.DIR\_ISTMP0.DIR\f76bd08.DLL

Filesize
126KB

MD5
18556ed6ea953c31f1c4953d2f210c78

SHA1
7ec5618bae6bbfb45a02c933de7bce8d0fdeb22c

SHA256
f8fa0c3350ed8675c95a9532a0ee057bd0d1c0e79d90bf5e91f75b3f7f25d969

SHA512
0523df4e8062f8dca1a3096f17eaf359c4cd84a00aaadf734e0431a07ded2fa7fe6549bb5a387d839cffe60a9705c3e4f376679006d3eea4e95dcac21766e79f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ISTMP1.DIR\_WUTL951.DLL

Filesize
45KB

MD5
9567a2dac1b8efbd7b0c6dce2a2251c3

SHA1
db72683ff3a3000771394d5eed7e2de922dcadbf

SHA256
67d309a88d68c449c2d0a76c0f2d2c9b2b764a469a6daea67df0279dd49c9296

SHA512
51806383e05cbc67754fc746c16ddf8364610bb22260b8638f586b02dbeb0813cee6acc9962b2b928205d445a82f2cc2022b6d1162f8da644ac902c0f3a327a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ISTMP2.DIR\_ISTMP0.DIR\Corecomp.ini

Filesize
27KB

MD5
b6c87bb7d1504ff47cf73513f85cddd2

SHA1
1068bbde1054e1efad18f5dce17ba539608541ce

SHA256
1e7aa59759b9ca31607b5e2df10117bfa13473354bdacf08ec4625558d040f25

SHA512
b2eca3dc3d3a20d49c58fb1093911f118e93e3a67c419bd19568e35cf7c4acd08590d795073babbf21bb2e060afc86540445de67ac9549e240e9d8dcf14dfe19

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ISTMP2.DIR\_ISTMP0.DIR\Ctl3d32.dll

Filesize
26KB

MD5
89cf6af0a2a1cfebc82851c20852c121

SHA1
9106f4ade6a696d5f98968bce895333ad5dbd9ae

SHA256
94ef91b4c7864bd1ecc0db099e58298708bc5d22da40132ebb1c17feb4675964

SHA512
af4a484b9bb8850c29fbfee1784b3cd3f78e6cbb419ad49262c28be16b31b5e1b43328c3088ae83f202ad2941062fa94325d77078f5c8e07a11a3fea1b56d627

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ISTMP2.DIR\_ISTMP0.DIR\value.shl

Filesize
696B

MD5
6d9b108c8cbc34616bfd3ca288ede98f

SHA1
473846c8ec012ec35acb93435d05d526e3273db1

SHA256
ddd5fcf21c22b58081c2077036e45e3a082ae14cc228d37683d500523da58703

SHA512
8a8853d0bfa9ba8dc91bde6087ced8c22f2e672ab9954f4b4e412e77b54a1f44a3e4f59bf6277c67dbc30ee4c3057b6225593e9e26a3f1d8fa6a365fba5f8a06

Download Submit
C:\Users\Admin\AppData\Local\Temp\pftBB25~tmp\LAYOUT.BIN

Filesize
590B

MD5
34a1ec00b2470bd90d0a9c6480aa9054

SHA1
9d8d13b9df708a6ffdc7cf4f29e6783bb7ba3a8c

SHA256
b48cf9b1279830032c9c9d3229004658a55d5e34ced2eed0c4f79e4ca94e3d04

SHA512
27ea2cbe231c88434e225b6437013e8152a9b1121b2216f0331cb6cecc8a4e3eb17613ed4ddb4635639e5e1f06a12e9588608b23c615a8e5a48318dca0dba334

Download Submit
C:\Users\Admin\AppData\Local\Temp\pftBB25~tmp\SETUP.INS

Filesize
55KB

MD5
fa14cba392925f26f53a5c16ccc863fe

SHA1
4baa27eccb6b0facd6728533775bc5ec1a3e5e61

SHA256
6066a60ef19d52bf10b42632e46a49b88bb63020eca448255aa71cfb81055e69

SHA512
a280259e0e4cb9edeb2450ee70db35b6fad14ece1055832bd86286ce952a7865ab700a45f6cca438c664268883f2fdb87872691cac025f858e4b391a52228c50

Download Submit
C:\Users\Admin\AppData\Local\Temp\pftBB25~tmp\SETUP.LID

Filesize
49B

MD5
1b79748e93a541cc1590505b6c72828a

SHA1
1ddefee04dc9e9b2576dc34eebcfa3de4aa82af9

SHA256
708d29c649525882937031b3d73cc851b7b1bc30772eb4e0e2a71523908f2eb5

SHA512
e85c1f04d3841cd1e5aa5d7ba37bb3aff557d67b1aceb2d9435f07862593eb4e139162c71d9b017c82aade2e1c535c79d1a18d26dffb95282e10bc64bda04bfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\pftBB25~tmp\_INST32I.EX_

Filesize
289KB

MD5
6229a86a1d291c311da49a7d69a49a1f

SHA1
586254e13d8ffdd956f1fb4e6ce858b91a390864

SHA256
b2ff4e8402a5160c491b1ac7eba0073fbbe2220dce107441461b250544eff35a

SHA512
d2e21662258593d17b8debbd74f92e2b37ee3f5f3fdb0cbe8a4c9a16a6dbee6911b92c4afff86f4fa2afa311343e43029dec9c0e08a728309f2ccbf1ded7e896

Download Submit
C:\Users\Admin\AppData\Local\Temp\pftBB25~tmp\_ISDEL.EXE

Filesize
27KB

MD5
51161bf79f25ff278912005078ad93d5

SHA1
13cb580aa1d2823ca0f748b1fc262b7db1689f19

SHA256
b5dc0feb738a91ce3cfa982647fe2779787335c6c2c598d5b49818565d7c3e84

SHA512
c91eac5a01ec7bfb4d3c9df7f90a1c6c6211464ecfede54f7ce2f0c8a79561e4425a56eb41b48bcd89a80bd45228b2ce0c649ed92d24019a15916306d9131d8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\pftBB25~tmp\_SETUP.DLL

Filesize
34KB

MD5
ecacc9ab09d7e8898799fe5c4ebbbdd2

SHA1
be255fe9b6c9d638a40a5c1e88f2d5f4e37654e6

SHA256
1ad637e80a25f6f885604589056814d16ccad55699be14920e2b99f2d74c1019

SHA512
16412756b147a9e6c1e8ce503f374abde87919a5ae1de576963ed748a2934eff9f95d5b33cacefebe1c6cdfe64d9b595986c60bdbce8aebf0a4bcc83b6f25779

Download Submit
C:\Users\Admin\AppData\Local\Temp\pftBB25~tmp\_sys1.cab

Filesize
171KB

MD5
969ac09a8e439ae814e0855fd9473e1e

SHA1
2fc2f4fafc98f91504e03f85246ef09dc8b9be8d

SHA256
d97bd0e8ba728e1a1ce5147a9fb60008e7b6d1ff1529f7b1ee646112ebf79e10

SHA512
ea497b2c2cc66bd9255d38bb2a938c65a87ec94db66bf9f0ba93864ad87396920f19555a9ce88a65492226fdbf9958173ecd2eca5602afcc0e2bab89db3a22a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\pftBB25~tmp\_sys1.hdr

Filesize
3KB

MD5
0687fb7d9e9ca7a053ca8a02817aaf01

SHA1
26333ccc22aa7d19c6cd292ba5db90dc7d9ea067

SHA256
87525135e6cb44a607eaad61028e84f0b2e6a4689fe48ad923f4c4f7d1829d6a

SHA512
49569b88c9f4e6580e02719341e0a40f73bdbdf8e0247edacc0a14a185b7d46bb776b0e2e306eea50888a75c6694bfbc8350cd67a659ca4491e24902df0297fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\pftBB25~tmp\_user1.cab

Filesize
928B

MD5
c0b06f789609706d89256a74f151f2e8

SHA1
d1ea04d9ed2b01bed60d20a7bfde7a0e80583e26

SHA256
71ea51273b233026cf0803e0351610ecf4cb1b6a704daca1b63f7f09b1d278d2

SHA512
f79920215ae18366bf6095270597305cbcf979b6c5a49b97e2fe840146ab16b96e229db6be6dc82fdcef3c44672a7a2a0bed173f50d30a5020ea0d4d7f3b1c7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\pftBB25~tmp\_user1.hdr

Filesize
4KB

MD5
002c98334ca2fa21fe75d35611889ba8

SHA1
713f4a78b7b2c56dd1b6c052e1f7542c5fbdadda

SHA256
5d696e38520fad0a321f47ef03d901e5a635803478bf107ce534c895ba8e1bfe

SHA512
fd122c6f62776dbf2fc78d523df6895ae499e84f5c66e29d23f8b752283a4a97af283ffadd1b1bb28c67f31babc42bf859e95746a7ea4788b4c6b7959e5218ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\pftBB25~tmp\data1.cab

Filesize
268KB

MD5
65c536448bfb096978956636c5797986

SHA1
302b8d307dae7af6146785d39c25a598c676fc41

SHA256
d6b0b85ef45b10efc73800d142d27130a60f60f76a8983d29a5b43400ee2feca

SHA512
128f861febe8401db65d30f22d93c15fccaecac17d73318095f39fa5af7b6f031790ea9fa4a96023c56df14336b3a67b79717bece9c29b96c99a8f243435c78c

Download Submit
C:\Users\Admin\AppData\Local\Temp\pftBB25~tmp\data1.hdr

Filesize
2KB

MD5
941c58b4485190409bb29c50dba48bbb

SHA1
afc0573818f05acf2f858bafc47773fa44f0fefe

SHA256
be67cb3ac80c8637d19fae775c967f0ebf96ebf823fe24480877944a68db8d64

SHA512
c19830405c41e135161dea6aab2c6e4cfcd94ed35d62bfccdf7ebff2dec41b4f2610e6f9bd065ae29393a85b39f1d6e13880523d0b9fccc111e36adab00d811d

Download Submit
C:\Users\Admin\AppData\Local\Temp\pftBB25~tmp\os.dat

Filesize
450B

MD5
478f65a0b922b6ba0a6ce99e1d15c336

SHA1
577bb092378b8e4522eff40335ff7a50040170b7

SHA256
be2292517342de82d50cefbacb185e36558fcdfbf686692e7df08a80331f9bee

SHA512
747589cae4514cff7d5ea9b51b483c0fe6cb9242b0f31503268a73881acddf25541a7ae56f8826b4f15235dd2ab8c98c94674666e47c36ea913bcfb539143c9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\pftBB25~tmp\pftw1.pkg

Filesize
806KB

MD5
1b41aaf5f449dfcce9bff89a7fcbbcf3

SHA1
87eeee167c02442af9d60e0da654476bbd7a6652

SHA256
e2d9292406eb9bf1a49ab95b8a1a43503d34216aa778d2ff017ba4f8fbad7d19

SHA512
2aea9bb85951d101a66a622e855c592867d194c0e117a9662ca0877d169fccf599960901962c26ecdbd548e05fa030017fd87afd1ddb16dcb12c8c20984c7c27

Download Submit
C:\Users\Admin\AppData\Local\Temp\pftBB25~tmp\setup.ini

Filesize
106B

MD5
6c823e4fc1e4bd3e0359db1e2c14cdfb

SHA1
a65396bdd98b7f05f41887da536d65f84292f626

SHA256
f55d480fb1869fbaf39ed96d846c6216d82b027d4a3ef2efbe3a8e05b1cb25ba

SHA512
d5de6fd8d7adbab7570fcb82e347ab4d04652455bfec439543b210f85c87479dec5362d9d530c93d6cad433dfa654e5dc489a2d69d8e192355366d83e23403d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\pftEBD5~tmp\DATA.TAG

Filesize
134B

MD5
b7dca964443d7ca98b84903e67b8f798

SHA1
aed842b2b9281e695672c2a1c24fc1df9df6d630

SHA256
2a6667cacc2ccf565f441f9499845d843e916b2f945a77d32a2ba6a48ba2872a

SHA512
708dbee786e88e6159541257805afde9f76da77874a45c8f03983119d7e91e7beb9b59a96a9e94d545167d4a3d3494badcce7488fcacc6f49d7cb4f289ee84ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\pftEBD5~tmp\lang.dat

Filesize
22KB

MD5
70627bd56fe92a5c97027cbbd88bacd0

SHA1
9cbdb75947dc561c929b0e799cf022961a7fe074

SHA256
b67a09f3fe25b08025810bbb20b8fae05672d0a723f2dbed84f04224a89e6344

SHA512
2377840a55f883e4f9fdafbd370ace9bf6bfe4ad55c1b7a46a269a5f9ef5c2032f00ef7c37f8863f99c2965d4dd4828edb11c668abe5dca4eba2c2dfde2bb0f4

Download Submit
C:\Windows\_delis32.ini

Filesize
268B

MD5
88c6ea9ed6cd04c7cae5d96a623d1973

SHA1
50e875bc6a3ce09b8e2e31a738747bcbb26d78b2

SHA256
290b98b00f660ca6317dc2b64ec399b15373a9b7a0574c45b7b4b5888a0b257d

SHA512
dce8c79b04d4319f9b43cd585877c382b0d5b1778ee1e85614e78a87366526167c658512c245ad1ebf96d465f4cb33f2c959fbc8189ccff53d888cd154e500b8

Download Submit
C:\Windows\_delis32.ini

Filesize
536B

MD5
64ebded387fba703ab66a14b7f5b601d

SHA1
e50e4c8a62875a781df8809bd8a4a7e9c5d5c4e6

SHA256
2e69c3e692b502775c27e8f1673a9d936a827d97f4cb91a1fe5c28dcec084372

SHA512
aa3d9c0c664f0a646ee990e28975c4f8ef28cd8c94ab4e35d90e8e66536c761cd2132c739cc9726a6ab1ced0737c3d659228065b2c7c88637939f506a7619fa7

Download Submit
C:\Windows\_delis32.ini

Filesize
268B

MD5
e66bcdef3fa4cbd2af659a129ecdbea0

SHA1
a064d6ea8ebd47c7aabd9f0b5bc1f115eee77b2f

SHA256
04fc29f9a37e7bf341bae36ef32cf4c83af747d532075d0e071ddd1738e30e67

SHA512
2743885d8e7688d175bd05111608cf6b802696e8829108068b5b454198068b2be7f29d0ba44b2399beb5f2cd2f5d238a3adb26be99d2b820716651ef9198bde6

Download Submit
C:\Windows\_delis32.ini

Filesize
138B

MD5
5eca0e3b649dec0496726117f4064b02

SHA1
00f62306769a76f444312d0d6a5fb0777066c810

SHA256
4ec341331950b9a0f781b4c2b9a5b76919aafff1e51f188fdbef1a3a12f51fc5

SHA512
255f7aa9e132c03324cf356100f0bb021e7a72bb5ce303c0ec351ac007a75ecc3974b301dc5eb53a0279c8abb18c39299b4c5cb6f47dccf021a6ffb15e7bb863

Download Submit
C:\Windows\_isenv31.ini

Filesize
1KB

MD5
9d54758ba892aff166209d8c9b0c2de9

SHA1
88cb3ade0c99e7f667dffb33928f6cf9f2ab9daf

SHA256
4e747cba0c91549d810756a11562820eacfdf1c57b868c6cfa39ccf222da14f6

SHA512
ffa406ec2d57c0ec4225f3bab182f038473928429aa7d2a142d42b04de1e319d3057ebc562878690c1c514a7012710e1138d9a29d80ef2641144b61c63fda65a

Download Submit
C:\Windows\_iserr31.ini

Filesize
521B

MD5
b99921c1ce27e631044ad7ad03e27faa

SHA1
13fa80578e7a9f5ece1cfd7913eec6e3e5b12250

SHA256
bd6efc8e0f5b775ae357f3b647d74b7ddbc5fb8fc827e659d77ac2ef9888f16f

SHA512
79ff7699ad240f4b62c5b336fb6ebb684e675b2d74cf541997f1d42716c1e05bcc35d92443c0641a6f0e60a26d3add03f6316390aacb22701b718f652e5472ab

Download Submit
\Program Files (x86)\GM\TIFF Viewer Plugin\NPIMGVIE.dll

Filesize
620KB

MD5
13ab2d02bbff6b6bb7a699f97f03d03c

SHA1
0fa848dfb2b85d50bd38e14b2b15083198057a79

SHA256
cd8608c00b79b2bdc515a517839ff77369a80fe4d6f877f9ba2dd27a9161c26d

SHA512
d5c74ba0e37b623a7ffb0338e2c6393d6eebd4b87c12f4d1c0f43846b27332d1a2aaa28fea681d259f971c1378a8e3db2537d50a46337139ea29bd29f2a7be11

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_414f0d4f19f59139e6c9189d295da4d982c2b8fdbbea6ae9db8448968b39e452.exe

Filesize
935KB

MD5
5efa0e6fcb7452aee89ae7ae3fb8a0b1

SHA1
8c0010c61b7921cfc795d7e07cc19070765206c2

SHA256
08b733416d9dbe1261f206dd524a4903f0c852b62c74450aafcb3bc44e1c2bd5

SHA512
94d86bd670c949473f5c076b8c1232fd42282fda2d14d4448e613cda0161a431e1c787901f08221a39c47fef0f48c784d84b96bc5103c85c0e6b371f22373655

Download Submit
\Users\Admin\AppData\Local\Temp\_ISTMP1.DIR\ZDataI51.dll

Filesize
52KB

MD5
2a9a390018a50f1af0df0b7118696f6e

SHA1
f9a4cf357e49cf1f032ca4f8d46def52c6935e33

SHA256
1d9321dd5e1790dff91cbd475a023760f3b6b6b26e849b70b171b841070378f2

SHA512
813be48cf11a14b618fbfa358794b1e6cef727f305470f27c82bbfccc0921ef2141d740a71c47890db1e705f10bc3d0c67e3d9f651710fdd88f19b9e7e30bc38

Download Submit
\Users\Admin\AppData\Local\Temp\_ISTMP1.DIR\_INS5576._MP

Filesize
544KB

MD5
d28cb295e2395b3593293470e7784512

SHA1
8a734689b76929beaeb6110c45c41948d4d4c12f

SHA256
a8657371f03e2e66db951c3dcd3aeb42c576894908ca2eb1b3806aa0404cb083

SHA512
c526b986e47a8cb2f9cb6fd0bf1f48d9fbbcbfaa6dcee0bce6670095df586b179eef0fa6fc7ee56995d3f100df5ed359eff6858d646b68268bd9d3c68dd816f5

Download Submit
\Users\Admin\AppData\Local\Temp\_ISTMP1.DIR\_ISTMP0.DIR\ISUninst.exe

Filesize
299KB

MD5
515e4684008e955de0c81e6a7aea1c2a

SHA1
ebe026f9c551f372ad82186ff6b9c2ca26dd684c

SHA256
6d631e94acce1f2808a6b1125a6617d1b0ba7e50d93c1d656aa2620bcd0bb965

SHA512
c889a733c61687aa9be0b67cc2e4ecf2a500386054dffa072780a4f46b29373e0dad79c35f375fdeb6572dbc11b24436b88cee3ba431a37965cf0e884ab636b8

Download Submit
\Users\Admin\AppData\Local\Temp\pftBB25~tmp\Setup.exe

Filesize
72KB

MD5
71e6dd8a9de4a9baf89fca951768059a

SHA1
aac779471a2f9ae3d3e0e39047ef1744feda77b1

SHA256
5656e87da0641c9dcfcd0ee8949ce72b3fa6a7d0e8b1fd985a16f6bd6c34ce52

SHA512
d15bb31ce595767dd366ea2130121a7a2a311c4e639f8b464ceac880d00735c11d950fc16725a3da9459d22a122dd3c33bc0631be90556b4078df9509b0048de

Download Submit
memory/1260-0-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1260-31-0x0000000000400000-0x00000000005AC000-memory.dmp

Filesize
1.7MB

Download
memory/1360-244-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1360-419-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1360-507-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2612-358-0x00000000001E0000-0x00000000001F0000-memory.dmp

Filesize
64KB

Download
memory/2612-414-0x0000000002560000-0x00000000025FD000-memory.dmp

Filesize
628KB

Download
memory/2632-49-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2704-359-0x0000000000400000-0x00000000005AC000-memory.dmp

Filesize
1.7MB

Download
memory/2704-231-0x0000000000400000-0x00000000005AC000-memory.dmp

Filesize
1.7MB

Download
memory/2704-539-0x0000000000400000-0x00000000005AC000-memory.dmp

Filesize
1.7MB

Download
memory/3028-236-0x0000000003D40000-0x0000000003DDD000-memory.dmp

Filesize
628KB

Download
memory/3028-227-0x0000000000260000-0x0000000000270000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads