xred | 9346f3f564c4560bf00e69486a1fbcf43231776ace10ba2e7b463d681c886ae2

Analysis

max time kernel
120s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
06-12-2024 09:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9346f3f564c4560bf00e69486a1fbcf43231776ace10ba2e7b463d681c886ae2N.exe
Size

3.1MB
MD5

c45f0acf50a0d9b1c15d65a5633eab30
SHA1

8349cf2c1c9c8a2c3779bcd280123cfcd3d96dfe
SHA256

9346f3f564c4560bf00e69486a1fbcf43231776ace10ba2e7b463d681c886ae2
SHA512

a9e4a01d38a013ae04cecbad3c4d125639146f1e8e61d93c7ec17c9219feeb54c690861079b9ef906b649a55361798230772f2069e72f28b7ab41cc6e1d04285
SSDEEP

49152:tnnsHyjtk2MYC5GDFDP/q9MIX/crfcNVBaXp1m0zyVCMwBHgFzoZhRP5:dnsmtk2aCC9MI8Hm0GCjgFc3Rx

Score

10^/10

xred backdoor discovery evasion persistence

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Executes dropped EXE 10 IoCs

pid	Process
2828	9346f3f564c4560bf00e69486a1fbcf43231776ace10ba2e7b463d681c886ae2n.exe
2652	icsys.icn.exe
2836	explorer.exe
2548	spoolsv.exe
3020	svchost.exe
1932	spoolsv.exe
1836	Synaptics.exe
2144	._cache_Synaptics.exe
1480	steamservice.exe
2816	steam.exe

Loads dropped DLL 20 IoCs

pid	Process
2664	9346f3f564c4560bf00e69486a1fbcf43231776ace10ba2e7b463d681c886ae2N.exe
2664	9346f3f564c4560bf00e69486a1fbcf43231776ace10ba2e7b463d681c886ae2N.exe
2664	9346f3f564c4560bf00e69486a1fbcf43231776ace10ba2e7b463d681c886ae2N.exe
2652	icsys.icn.exe
2836	explorer.exe
2548	spoolsv.exe
3020	svchost.exe
2828	9346f3f564c4560bf00e69486a1fbcf43231776ace10ba2e7b463d681c886ae2n.exe
2828	9346f3f564c4560bf00e69486a1fbcf43231776ace10ba2e7b463d681c886ae2n.exe
2828	9346f3f564c4560bf00e69486a1fbcf43231776ace10ba2e7b463d681c886ae2n.exe
1836	Synaptics.exe
1836	Synaptics.exe
2144	._cache_Synaptics.exe
2144	._cache_Synaptics.exe
2144	._cache_Synaptics.exe
2144	._cache_Synaptics.exe
2144	._cache_Synaptics.exe
2144	._cache_Synaptics.exe
2144	._cache_Synaptics.exe
2144	._cache_Synaptics.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	9346f3f564c4560bf00e69486a1fbcf43231776ace10ba2e7b463d681c886ae2n.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\Steam = "\"C:\\Program Files (x86)\\Steam\\steam.exe\" -silent"	._cache_Synaptics.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Steam\package\tmp\resource\overlay_japanese.txt_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\sc_dpad_left_lg.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\ps4_trackpad_l_ring.svg_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\switchpro_dpad_right.svg_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\ps_button_mute_lg.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\steamui\css\chunk~1a96cdf59.css_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\steamui\localization\steampops_italian-json.js_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\localization\dualshock_4_korean.txt_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\switchpro_rstick_click_lg.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\shared_color_outlined_button_x_md.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\shared_gyro_pitch_md.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\tenfoot\resource\images\library\controller\binding_icons\ghost_030_inv_0030.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\tenfoot\resource\images\library\controller\binding_icons\ghost_070_setting_0304.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\steamui\images\controller\ghost_010_wpn_0190.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\clientui\images\8669e97b288da32670e77181618c3dfb.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\ps4_button_options.svg_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\sd_r5_lg.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\shared_rstick_right_lg.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\resource\icon_steamvr_desktop.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\switchpro_dpad_right_sm.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\sc_rt_soft_lg.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\sc_rb_sm.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\templates\controller_neptune_gamepad_fps.vdf_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\ps4_trackpad_r_ring_sm.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\ps_button_mute_md.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\ps_color_button_triangle.svg_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\sc_lg.svg_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\ps4_l1_md.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\steamui\images\controller\ghost_035_magic_0352.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\localization\xbox_360_thai.txt_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\ps5_trackpad_r_swipe.svg_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\resource\filter_profanity_english.txt.gz_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\ps5_trackpad_l_click_lg.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\sc_dpad_touch_lg.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\shared_gyro_yaw_lg.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\public\steamui_bulgarian.txt_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\switchpro_lstick_right_sm.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\sd_rtrackpad_swipe_lg.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\tenfoot\resource\images\library\controller\binding_icons\ghost_040_act_0304.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\steamui\images\controller\ghost_010_wpn_0511.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\public\c16.tga_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\sd_l5_sm.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\tenfoot\resource\images\library\controller\binding_icons\ghost_045_move_0418.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\graphics\mini_expand_mouseover.tga_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\sd_ltrackpad_right_lg.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\sc_dpad_left_sm.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\sd_ltrackpad_click_md.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\steamui\images\controller\ghost_040_act_0303.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\ps5_r2_lg.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\ps4_trackpad_r_left_sm.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\tenfoot\resource\images\library\controller\binding_icons\ghost_010_wpn_0514.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\ps_dpad_right.svg_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\templates\controller_ps5_gamepad_fps.vdf_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\shared_outlined_button_y_lg.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\shared_lstick_up_sm.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\friends\voicebar.res_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\public\ScreenshotErrorNotification.res_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\friends\trackerui_french.txt_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\ps5_l2_lg.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\sc_touchpad_click_md.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\xbox_lt_soft_md.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\shared_lstick_touch_lg.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\xbox_rt_sm.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\graphics\icon_button_grid.tga_	steam.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	9346f3f564c4560bf00e69486a1fbcf43231776ace10ba2e7b463d681c886ae2N.exe
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	icsys.icn.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9346f3f564c4560bf00e69486a1fbcf43231776ace10ba2e7b463d681c886ae2N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9346f3f564c4560bf00e69486a1fbcf43231776ace10ba2e7b463d681c886ae2n.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icsys.icn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	steam.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	steam.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	steam.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Modifies registry class 40 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\steam	steamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\steamlink\ = "URL:steamlink protocol"	steamservice.exe
Key created	\REGISTRY\MACHINE\Software\Classes\steamlink\DefaultIcon	steamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\steamlink\DefaultIcon\ = "steam.exe"	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\steam\DefaultIcon	steamservice.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\steamlink\URL Protocol	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\steamlink\Shell	steamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\steam\ = "URL:steam protocol"	steamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\steam	steamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\steam\Shell	steamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\steam\Shell\Open\Command	steamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\steamlink\URL Protocol	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\steam	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\steamlink\Shell\Open\Command	steamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\steam\DefaultIcon\ = "steam.exe"	steamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\steamlink	steamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\steamlink\Shell\Open	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\steam\Shell\Open\Command	steamservice.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\steamlink\ = "URL:steamlink protocol"	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\steamlink\DefaultIcon	steamservice.exe
Key created	\REGISTRY\MACHINE\Software\Classes\steam\DefaultIcon	steamservice.exe
Key created	\REGISTRY\MACHINE\Software\Classes\steam\Shell\Open\Command	steamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\steamlink\Shell	steamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\steamlink\Shell\Open\Command\ = "\"C:\\Program Files (x86)\\Steam\\steam.exe\" -- \"%1\""	steamservice.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\steam\ = "URL:steam protocol"	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\steam\Shell	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\steam\Shell\Open	steamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\steam\Shell\Open	steamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\steam\Shell\Open\Command\ = "\"C:\\Program Files (x86)\\Steam\\steam.exe\" -- \"%1\""	steamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\steamlink\Shell\Open\Command	steamservice.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\steam\URL Protocol	steamservice.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\steam\DefaultIcon\ = "steam.exe"	steamservice.exe
Key created	\REGISTRY\MACHINE\Software\Classes\steamlink	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\steamlink	steamservice.exe
Key created	\REGISTRY\MACHINE\Software\Classes\steamlink\Shell\Open\Command	steamservice.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\steamlink\DefaultIcon\ = "steam.exe"	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\steamlink\Shell\Open	steamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\steam\URL Protocol	steamservice.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\steam\Shell\Open\Command\ = "\"C:\\Program Files (x86)\\Steam\\steam.exe\" -- \"%1\""	steamservice.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\steamlink\Shell\Open\Command\ = "\"C:\\Program Files (x86)\\Steam\\steam.exe\" -- \"%1\""	steamservice.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	steam.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	steam.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2332	schtasks.exe
1924	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2804	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2664	9346f3f564c4560bf00e69486a1fbcf43231776ace10ba2e7b463d681c886ae2N.exe
2664	9346f3f564c4560bf00e69486a1fbcf43231776ace10ba2e7b463d681c886ae2N.exe
2664	9346f3f564c4560bf00e69486a1fbcf43231776ace10ba2e7b463d681c886ae2N.exe
2664	9346f3f564c4560bf00e69486a1fbcf43231776ace10ba2e7b463d681c886ae2N.exe
2664	9346f3f564c4560bf00e69486a1fbcf43231776ace10ba2e7b463d681c886ae2N.exe
2664	9346f3f564c4560bf00e69486a1fbcf43231776ace10ba2e7b463d681c886ae2N.exe
2664	9346f3f564c4560bf00e69486a1fbcf43231776ace10ba2e7b463d681c886ae2N.exe
2664	9346f3f564c4560bf00e69486a1fbcf43231776ace10ba2e7b463d681c886ae2N.exe
2664	9346f3f564c4560bf00e69486a1fbcf43231776ace10ba2e7b463d681c886ae2N.exe
2664	9346f3f564c4560bf00e69486a1fbcf43231776ace10ba2e7b463d681c886ae2N.exe
2664	9346f3f564c4560bf00e69486a1fbcf43231776ace10ba2e7b463d681c886ae2N.exe
2664	9346f3f564c4560bf00e69486a1fbcf43231776ace10ba2e7b463d681c886ae2N.exe
2664	9346f3f564c4560bf00e69486a1fbcf43231776ace10ba2e7b463d681c886ae2N.exe
2664	9346f3f564c4560bf00e69486a1fbcf43231776ace10ba2e7b463d681c886ae2N.exe
2664	9346f3f564c4560bf00e69486a1fbcf43231776ace10ba2e7b463d681c886ae2N.exe
2664	9346f3f564c4560bf00e69486a1fbcf43231776ace10ba2e7b463d681c886ae2N.exe
2652	icsys.icn.exe
2652	icsys.icn.exe
2652	icsys.icn.exe
2652	icsys.icn.exe
2652	icsys.icn.exe
2652	icsys.icn.exe
2652	icsys.icn.exe
2652	icsys.icn.exe
2652	icsys.icn.exe
2652	icsys.icn.exe
2652	icsys.icn.exe
2652	icsys.icn.exe
2652	icsys.icn.exe
2652	icsys.icn.exe
2652	icsys.icn.exe
2652	icsys.icn.exe
2652	icsys.icn.exe
2836	explorer.exe
2836	explorer.exe
2836	explorer.exe
2836	explorer.exe
2836	explorer.exe
2836	explorer.exe
2836	explorer.exe
2836	explorer.exe
2836	explorer.exe
2836	explorer.exe
2836	explorer.exe
2836	explorer.exe
2836	explorer.exe
2836	explorer.exe
2836	explorer.exe
2836	explorer.exe
3020	svchost.exe
3020	svchost.exe
3020	svchost.exe
3020	svchost.exe
3020	svchost.exe
3020	svchost.exe
3020	svchost.exe
3020	svchost.exe
3020	svchost.exe
3020	svchost.exe
3020	svchost.exe
3020	svchost.exe
3020	svchost.exe
3020	svchost.exe
3020	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2836	explorer.exe
3020	svchost.exe

Suspicious use of SetWindowsHookEx 13 IoCs

pid	Process
2664	9346f3f564c4560bf00e69486a1fbcf43231776ace10ba2e7b463d681c886ae2N.exe
2664	9346f3f564c4560bf00e69486a1fbcf43231776ace10ba2e7b463d681c886ae2N.exe
2652	icsys.icn.exe
2652	icsys.icn.exe
2836	explorer.exe
2836	explorer.exe
2548	spoolsv.exe
2548	spoolsv.exe
3020	svchost.exe
3020	svchost.exe
1932	spoolsv.exe
1932	spoolsv.exe
2804	EXCEL.EXE

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 2664 wrote to memory of 2828	2664	9346f3f564c4560bf00e69486a1fbcf43231776ace10ba2e7b463d681c886ae2N.exe	31
PID 2664 wrote to memory of 2828	2664	9346f3f564c4560bf00e69486a1fbcf43231776ace10ba2e7b463d681c886ae2N.exe	31
PID 2664 wrote to memory of 2828	2664	9346f3f564c4560bf00e69486a1fbcf43231776ace10ba2e7b463d681c886ae2N.exe	31
PID 2664 wrote to memory of 2828	2664	9346f3f564c4560bf00e69486a1fbcf43231776ace10ba2e7b463d681c886ae2N.exe	31
PID 2664 wrote to memory of 2652	2664	9346f3f564c4560bf00e69486a1fbcf43231776ace10ba2e7b463d681c886ae2N.exe	32
PID 2664 wrote to memory of 2652	2664	9346f3f564c4560bf00e69486a1fbcf43231776ace10ba2e7b463d681c886ae2N.exe	32
PID 2664 wrote to memory of 2652	2664	9346f3f564c4560bf00e69486a1fbcf43231776ace10ba2e7b463d681c886ae2N.exe	32
PID 2664 wrote to memory of 2652	2664	9346f3f564c4560bf00e69486a1fbcf43231776ace10ba2e7b463d681c886ae2N.exe	32
PID 2652 wrote to memory of 2836	2652	icsys.icn.exe	33
PID 2652 wrote to memory of 2836	2652	icsys.icn.exe	33
PID 2652 wrote to memory of 2836	2652	icsys.icn.exe	33
PID 2652 wrote to memory of 2836	2652	icsys.icn.exe	33
PID 2836 wrote to memory of 2548	2836	explorer.exe	34
PID 2836 wrote to memory of 2548	2836	explorer.exe	34
PID 2836 wrote to memory of 2548	2836	explorer.exe	34
PID 2836 wrote to memory of 2548	2836	explorer.exe	34
PID 2548 wrote to memory of 3020	2548	spoolsv.exe	35
PID 2548 wrote to memory of 3020	2548	spoolsv.exe	35
PID 2548 wrote to memory of 3020	2548	spoolsv.exe	35
PID 2548 wrote to memory of 3020	2548	spoolsv.exe	35
PID 3020 wrote to memory of 1932	3020	svchost.exe	36
PID 3020 wrote to memory of 1932	3020	svchost.exe	36
PID 3020 wrote to memory of 1932	3020	svchost.exe	36
PID 3020 wrote to memory of 1932	3020	svchost.exe	36
PID 2836 wrote to memory of 3008	2836	explorer.exe	37
PID 2836 wrote to memory of 3008	2836	explorer.exe	37
PID 2836 wrote to memory of 3008	2836	explorer.exe	37
PID 2836 wrote to memory of 3008	2836	explorer.exe	37
PID 3020 wrote to memory of 1924	3020	svchost.exe	38
PID 3020 wrote to memory of 1924	3020	svchost.exe	38
PID 3020 wrote to memory of 1924	3020	svchost.exe	38
PID 3020 wrote to memory of 1924	3020	svchost.exe	38
PID 2828 wrote to memory of 1836	2828	9346f3f564c4560bf00e69486a1fbcf43231776ace10ba2e7b463d681c886ae2n.exe	40
PID 2828 wrote to memory of 1836	2828	9346f3f564c4560bf00e69486a1fbcf43231776ace10ba2e7b463d681c886ae2n.exe	40
PID 2828 wrote to memory of 1836	2828	9346f3f564c4560bf00e69486a1fbcf43231776ace10ba2e7b463d681c886ae2n.exe	40
PID 2828 wrote to memory of 1836	2828	9346f3f564c4560bf00e69486a1fbcf43231776ace10ba2e7b463d681c886ae2n.exe	40
PID 1836 wrote to memory of 2144	1836	Synaptics.exe	42
PID 1836 wrote to memory of 2144	1836	Synaptics.exe	42
PID 1836 wrote to memory of 2144	1836	Synaptics.exe	42
PID 1836 wrote to memory of 2144	1836	Synaptics.exe	42
PID 2144 wrote to memory of 1480	2144	._cache_Synaptics.exe	45
PID 2144 wrote to memory of 1480	2144	._cache_Synaptics.exe	45
PID 2144 wrote to memory of 1480	2144	._cache_Synaptics.exe	45
PID 2144 wrote to memory of 1480	2144	._cache_Synaptics.exe	45
PID 3020 wrote to memory of 2332	3020	svchost.exe	49
PID 3020 wrote to memory of 2332	3020	svchost.exe	49
PID 3020 wrote to memory of 2332	3020	svchost.exe	49
PID 3020 wrote to memory of 2332	3020	svchost.exe	49

C:\Users\Admin\AppData\Local\Temp\9346f3f564c4560bf00e69486a1fbcf43231776ace10ba2e7b463d681c886ae2N.exe
"C:\Users\Admin\AppData\Local\Temp\9346f3f564c4560bf00e69486a1fbcf43231776ace10ba2e7b463d681c886ae2N.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2664
- \??\c:\users\admin\appdata\local\temp\9346f3f564c4560bf00e69486a1fbcf43231776ace10ba2e7b463d681c886ae2n.exe
  c:\users\admin\appdata\local\temp\9346f3f564c4560bf00e69486a1fbcf43231776ace10ba2e7b463d681c886ae2n.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2828
- - C:\ProgramData\Synaptics\Synaptics.exe
    "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1836
  - - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
      "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2144
    - - C:\Program Files (x86)\Steam\bin\steamservice.exe
        
        "C:\Program Files (x86)\Steam\bin\steamservice.exe" /Install
        5⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1480
- C:\Windows\Resources\Themes\icsys.icn.exe
  C:\Windows\Resources\Themes\icsys.icn.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2652
- - \??\c:\windows\resources\themes\explorer.exe
    c:\windows\resources\themes\explorer.exe
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2836
  - - \??\c:\windows\resources\spoolsv.exe
      c:\windows\resources\spoolsv.exe SE
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2548
    - - \??\c:\windows\resources\svchost.exe
        
        c:\windows\resources\svchost.exe
        5⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3020
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1932
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 09:06 /f
        6⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1924
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 09:07 /f
        6⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2332
  - - C:\Windows\Explorer.exe
      C:\Windows\Explorer.exe
      4⤵
      PID:3008

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2804

C:\Program Files (x86)\Steam\steam.exe
"C:\Program Files (x86)\Steam\steam.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Modifies system certificate store
PID:2816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Steam\package\tmp\graphics\[email protected]_

Filesize
15KB

MD5
577b7286c7b05cecde9bea0a0d39740e

SHA1
144d97afe83738177a2dbe43994f14ec11e44b53

SHA256
983aa3928f15f5154266be7063a75e1fce87238bbe81a910219dea01d5376824

SHA512
8cd55264a6e973bb6683c6f376672b74a263b48b087240df8296735fd7ae6274ee688fdb16d7febad14288a866ea47e78b114c357a9b03471b1e72df053ebcb0

Download Submit
C:\Program Files (x86)\Steam\package\tmp\graphics\icon_button_news_mousedown.tga_

Filesize
20KB

MD5
00bf35778a90f9dfa68ce0d1a032d9b5

SHA1
de6a3d102de9a186e1585be14b49390dcb9605d6

SHA256
cab3a68b64d8bf22c44080f12d7eab5b281102a8761f804224074ab1f6130fe2

SHA512
342c9732ef4185dee691c9c8657a56f577f9c90fc43a4330bdc173536750cee1c40af4adac4f47ac5aca6b80ab347ebe2d31d38ea540245b38ab72ee8718a041

Download Submit
C:\Program Files (x86)\Steam\package\tmp\resource\filter_clean_bulgarian.txt.gz_

Filesize
23B

MD5
836dd6b25a8902af48cd52738b675e4b

SHA1
449347c06a872bedf311046bca8d316bfba3830b

SHA256
6feb83ca306745d634903cf09274b7baf0ac38e43c6b3fab1a608be344c3ef64

SHA512
6ab1e4a7fa9da6d33cee104344ba2ccb3e85cd2d013ba3e4c6790fd7fd482c85f5f76e9ae38c5190cdbbe246a48dae775501f7414bec4f6682a05685994e6b80

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_english.txt

Filesize
4KB

MD5
da6cd2483ad8a21e8356e63d036df55b

SHA1
0e808a400facec559e6fbab960a7bdfaab4c6b04

SHA256
ebececd3f691ac20e5b73e5c81861a01531203df3cf2baa9e1b6d004733a42a6

SHA512
06145861eb4803c9813a88cd715769a4baa0bab0e87b28f59aa242d4369817789f4c85114e8d0ceb502e080ec3ec03400385924ec7537e7b04f724ba7f17b925

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
512695e9b89dd3c1381d21a611a5b05f

SHA1
36f5a8aff455ea80f93af63a6400ddaa967a9093

SHA256
43bcd73ae2c8cfd4e57cdcbc985fe87ddece971525465c0da6e5c7b624c4b824

SHA512
8dba97a2ad393fd246bfa8761c85ac5fc19f80d6641391ec8bfad32f869db6481e94a1e30eed3b40a5b0680c4d7cdd8ff8993c58a45d292b9dcfeb20abeb7d96

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

Filesize
2.3MB

MD5
1b54b70beef8eb240db31718e8f7eb5d

SHA1
da5995070737ec655824c92622333c489eb6bce4

SHA256
7d3654531c32d941b8cae81c4137fc542172bfa9635f169cb392f245a0a12bcb

SHA512
fda935694d0652dab3f1017faaf95781a300b420739e0f9d46b53ce07d592a4cfa536524989e2fc9f83602d315259817638a89c4e27da709aada5d1360b717eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabDBDE.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nGc7e6El.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\nGc7e6El.xlsm

Filesize
24KB

MD5
1cca319f7e395d1f197165b3d6f4ceeb

SHA1
56da649532c503b0fc3589615358ca2c0650feb0

SHA256
b97b2c0c9fd97ff99d8a93760ac9dad601ba6b54614c3e4b3251eac79f448ddc

SHA512
41c11d05b0b81318b9b7d32158bb2ef50d9bf27ec9cde890e021020432cb259f014badf7e5440c417c2d3dd2803710735d0e7def1e6909c012c8b7b42ec1a5e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstEC73.tmp\modern-wizard.bmp

Filesize
150KB

MD5
3614a4be6b610f1daf6c801574f161fe

SHA1
6edee98c0084a94caa1fe0124b4c19f42b4e7de6

SHA256
16e0edc9f47e6e95a9bcad15adbdc46be774fbcd045dd526fc16fc38fdc8d49b

SHA512
06e0eff28dfd9a428b31147b242f989ce3e92474a3f391ba62ac8d0d05f1a48f4cf82fd27171658acbd667eaffb94cb4e1baf17040dc3b6e8b27f39b843ca281

Download Submit
C:\Windows\Resources\Themes\explorer.exe

Filesize
135KB

MD5
5690ccaf7898b505385dcd8b8b555e8f

SHA1
a73e93e8895d1a9cbd879b478156eec65afa6cb6

SHA256
14d329b02ac52509fb3ea36da84e26c03d6374a75d3f26f7830af87214459910

SHA512
348ddafcdd297d4a82e9e204ca4c22efd8bfd2abd31ccac184152595ead4ebb0c8ebb09cf9f7c1683b407e83a09c905a20c97af925157224cf2cb07553261ba6

Download Submit
C:\Windows\Resources\Themes\icsys.icn.exe

Filesize
135KB

MD5
2d7a777838dff1b7a91b454f2a124110

SHA1
47006b6ce63794fa4303b78c879fb42d77e6cb2a

SHA256
3a4eeced7ad5d71a677fa22c41c937a230028cb30de84badc8a537355f36bbfb

SHA512
7e9da7907064cffa7c84fe0fdb292d095cb8ccbc73f0a9d679726de71eee11c7b30d6192249a41108aa284f298f1627124667b8d7c1d037f5347f36cc5a612b2

Download Submit
C:\Windows\Resources\svchost.exe

Filesize
135KB

MD5
ef30230b1609f3c790c9ebd61e9fc3ba

SHA1
8af239c484aa196bc0f8706d53a3ea1559971109

SHA256
df6038259dee67f107b9c20e7b75ebb2389572fbbae39054c94e3bca588e1e53

SHA512
f22609514fc6aebeedb1f5e1244fe299dea59e9b3b911bd657a95b07cc0cc354c787094259de3b192e8b3250da433696e52b968d33161f3fd33335b0fd4736ad

Download Submit
\Program Files (x86)\Steam\Steam.exe

Filesize
4.2MB

MD5
33bcb1c8975a4063a134a72803e0ca16

SHA1
ed7a4e6e66511bb8b3e32cbfb5557ebcb4082b65

SHA256
12222b0908eb69581985f7e04aa6240e928fb08aa5a3ec36acae3440633c9eb1

SHA512
13f3a7d6215bb4837ea0a1a9c5ba06a985e0c80979c25cfb526a390d71a15d1737c0290a899f4705c2749982c9f6c9007c1751fef1a97b12db529b2f33c97b49

Download Submit
\Program Files (x86)\Steam\bin\SteamService.exe

Filesize
2.5MB

MD5
ba0ea9249da4ab8f62432617489ae5a6

SHA1
d8873c5dcb6e128c39cf0c423b502821343659a7

SHA256
ce177dc8cf42513ff819c7b8597c7be290f9e98632a34ecd868dc76003421f0d

SHA512
52958d55b03e1ddc69afc2f1a02f7813199e4b3bf114514c438ab4d10d5ca83b865ba6090550951c0a43b666c6728304009572212444a27a3f5184663f4b0b8b

Download Submit
\Users\Admin\AppData\Local\Temp\9346f3f564c4560bf00e69486a1fbcf43231776ace10ba2e7b463d681c886ae2n.exe

Filesize
3.0MB

MD5
7b0c0aff8fb0582f966e10d119ad5d42

SHA1
532c341ea1835bb9420abff941800539def81b9f

SHA256
82e7d163af4dc995fc8be34f7ec340262a02aa66626eec1a5267c2b3cff51240

SHA512
855f2a44d00ae25ec3396609bbfb98dfb45b7116ffec98204c2775f57a7ea6904bf49638282f55f09539c32bee0ba0758a9be010482c4817613a90f87b0ce794

Download Submit
\Users\Admin\AppData\Local\Temp\nstEC73.tmp\StdUtils.dll

Filesize
110KB

MD5
db11ab4828b429a987e7682e495c1810

SHA1
29c2c2069c4975c90789dc6d3677b4b650196561

SHA256
c602c44a4d4088dbf5a659f36ba1c3a9d81f8367577de0cb940c0b8afee5c376

SHA512
460d1ccfc0d7180eae4e6f1a326d175fec78a7d6014447a9a79b6df501fa05cd4bd90f8f7a85b7b6a4610e2fa7059e30ae6e17bc828d370e5750de9b40b9ae88

Download Submit
\Users\Admin\AppData\Local\Temp\nstEC73.tmp\System.dll

Filesize
22KB

MD5
a36fbe922ffac9cd85a845d7a813f391

SHA1
f656a613a723cc1b449034d73551b4fcdf0dcf1a

SHA256
fa367ae36bfbe7c989c24c7abbb13482fc20bc35e7812dc377aa1c281ee14cc0

SHA512
1d1b95a285536ddc2a89a9b3be4bb5151b1d4c018ea8e521de838498f62e8f29bb7b3b0250df73e327e8e65e2c80b4a2d9a781276bf2a51d10e7099bacb2e50b

Download Submit
\Users\Admin\AppData\Local\Temp\nstEC73.tmp\nsDialogs.dll

Filesize
20KB

MD5
4e5bc4458afa770636f2806ee0a1e999

SHA1
76dcc64af867526f776ab9225e7f4fe076487765

SHA256
91a484dc79be64dd11bf5acb62c893e57505fcd8809483aa92b04f10d81f9de0

SHA512
b6f529073a943bddbcb30a57d62216c78fcc9a09424b51ac0824ebfb9cac6cae4211bda26522d6923bd228f244ed8c41656c38284c71867f65d425727dd70162

Download Submit
\Users\Admin\AppData\Local\Temp\nstEC73.tmp\nsExec.dll

Filesize
17KB

MD5
2095af18c696968208315d4328a2b7fe

SHA1
b1b0e70c03724b2941e92c5098cc1fc0f2b51568

SHA256
3e2399ae5ce16dd69f7e2c71d928cf54a1024afced8155f1fd663a3e123d9226

SHA512
60105dfb1cd60b4048bd7b367969f36ed6bd29f92488ba8cfa862e31942fd529cbc58e8b0c738d91d8bef07c5902ce334e36c66eae1bfe104b44a159b5615ae5

Download Submit
\Users\Admin\AppData\Local\Temp\nstEC73.tmp\nsProcess.dll

Filesize
15KB

MD5
08072dc900ca0626e8c079b2c5bcfcf3

SHA1
35f2bfa0b1b2a65b9475fb91af31f7b02aee4e37

SHA256
bb6ce83ddaad4f530a66a1048fac868dfc3b86f5e7b8e240d84d1633e385aee8

SHA512
8981da7f225eb78c414e9fb3c63af0c4daae4a78b4f3033df11cce43c3a22fdbf3853425fe3024f68c73d57ffb128cba4d0db63eda1402212d1c7e0ac022353c

Download Submit
\Windows\Resources\spoolsv.exe

Filesize
135KB

MD5
0359a5b77d4f05ebb0794c5da95044e1

SHA1
f5a81f1e89abb28eaf6fd04a856d376ad8f393c0

SHA256
01d58525246a95c92987f3316c70ef84e17383491355f66f21046c44d374d829

SHA512
cbf7626f3e706f5a71b3eba37aeed1f056506e2cd4572d4e75ada0f234875d6306b4e11779f2e79204424431a8c3fd458f495cfe5c287cfa1dfd7535eb005a74

Download Submit
memory/1836-306-0x0000000000400000-0x0000000000708000-memory.dmp

Filesize
3.0MB

Download
memory/1836-157-0x0000000000400000-0x0000000000708000-memory.dmp

Filesize
3.0MB

Download
memory/1932-74-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2144-224-0x0000000000590000-0x0000000000592000-memory.dmp

Filesize
8KB

Download
memory/2548-75-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2548-53-0x0000000000430000-0x000000000044F000-memory.dmp

Filesize
124KB

Download
memory/2652-32-0x00000000002D0000-0x00000000002EF000-memory.dmp

Filesize
124KB

Download
memory/2652-23-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2652-76-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2664-77-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2664-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2664-22-0x00000000003E0000-0x00000000003FF000-memory.dmp

Filesize
124KB

Download
memory/2804-111-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2828-70-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2828-87-0x0000000000400000-0x0000000000708000-memory.dmp

Filesize
3.0MB

Download
memory/2828-13-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2836-307-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3020-308-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download