xred | hxxps://cdn[.]discordapp[.]com/attachments/1299033012801110140/1314795009614024765/All_function[.]rar?ex=675511c6&is=6753c046&hm=400f52e1453dc133d03dcade625b2e88e4d1249ce88ce060262ca7ad37ef9e69&

Analysis

max time kernel
17s
max time network
27s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
07-12-2024 07:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://cdn.discordapp.com/attachments/1299033012801110140/1314795009614024765/All_function.rar?ex=675511c6&is=6753c046&hm=400f52e1453dc133d03dcade625b2e88e4d1249ce88ce060262ca7ad37ef9e69&

Score

10^/10

xred xworm backdoor execution macro rat trojan

Malware Config

Extracted

Family

xworm

45.141.27.248:7777

Attributes

Install_directory
%AppData%
install_file
svchostt.exe

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000a000000023b8d-357.dat	family_xworm
behavioral1/memory/4784-366-0x0000000000D70000-0x0000000000D88000-memory.dmp	family_xworm

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
5196	powershell.exe
5580	powershell.exe
5380	powershell.exe
5772	powershell.exe

Suspicious Office macro 1 IoCs

Office document equipped with macros.

macro

resource
behavioral1/files/0x000f000000023ba0-679.dat

Executes dropped EXE 1 IoCs

pid	Process
3604	All function.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
71	ip-api.com

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	firefox.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\All function.rar:Zone.Identifier	firefox.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	860	firefox.exe
Token: SeDebugPrivilege	860	firefox.exe
Token: SeDebugPrivilege	860	firefox.exe
Token: SeRestorePrivilege	4580	7zG.exe
Token: 35	4580	7zG.exe
Token: SeSecurityPrivilege	4580	7zG.exe
Token: SeSecurityPrivilege	4580	7zG.exe

Suspicious use of FindShellTrayWindow 22 IoCs

pid	Process
860	firefox.exe
860	firefox.exe
860	firefox.exe
860	firefox.exe
860	firefox.exe
860	firefox.exe
860	firefox.exe
860	firefox.exe
860	firefox.exe
860	firefox.exe
860	firefox.exe
860	firefox.exe
860	firefox.exe
860	firefox.exe
860	firefox.exe
860	firefox.exe
860	firefox.exe
860	firefox.exe
860	firefox.exe
860	firefox.exe
860	firefox.exe
4580	7zG.exe

Suspicious use of SendNotifyMessage 20 IoCs

pid	Process
860	firefox.exe
860	firefox.exe
860	firefox.exe
860	firefox.exe
860	firefox.exe
860	firefox.exe
860	firefox.exe
860	firefox.exe
860	firefox.exe
860	firefox.exe
860	firefox.exe
860	firefox.exe
860	firefox.exe
860	firefox.exe
860	firefox.exe
860	firefox.exe
860	firefox.exe
860	firefox.exe
860	firefox.exe
860	firefox.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
860	firefox.exe
860	firefox.exe
860	firefox.exe
860	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4104 wrote to memory of 860	4104	firefox.exe	83
PID 4104 wrote to memory of 860	4104	firefox.exe	83
PID 4104 wrote to memory of 860	4104	firefox.exe	83
PID 4104 wrote to memory of 860	4104	firefox.exe	83
PID 4104 wrote to memory of 860	4104	firefox.exe	83
PID 4104 wrote to memory of 860	4104	firefox.exe	83
PID 4104 wrote to memory of 860	4104	firefox.exe	83
PID 4104 wrote to memory of 860	4104	firefox.exe	83
PID 4104 wrote to memory of 860	4104	firefox.exe	83
PID 4104 wrote to memory of 860	4104	firefox.exe	83
PID 4104 wrote to memory of 860	4104	firefox.exe	83
PID 860 wrote to memory of 3816	860	firefox.exe	84
PID 860 wrote to memory of 3816	860	firefox.exe	84
PID 860 wrote to memory of 3816	860	firefox.exe	84
PID 860 wrote to memory of 3816	860	firefox.exe	84
PID 860 wrote to memory of 3816	860	firefox.exe	84
PID 860 wrote to memory of 3816	860	firefox.exe	84
PID 860 wrote to memory of 3816	860	firefox.exe	84
PID 860 wrote to memory of 3816	860	firefox.exe	84
PID 860 wrote to memory of 3816	860	firefox.exe	84
PID 860 wrote to memory of 3816	860	firefox.exe	84
PID 860 wrote to memory of 3816	860	firefox.exe	84
PID 860 wrote to memory of 3816	860	firefox.exe	84
PID 860 wrote to memory of 3816	860	firefox.exe	84
PID 860 wrote to memory of 3816	860	firefox.exe	84
PID 860 wrote to memory of 3816	860	firefox.exe	84
PID 860 wrote to memory of 3816	860	firefox.exe	84
PID 860 wrote to memory of 3816	860	firefox.exe	84
PID 860 wrote to memory of 3816	860	firefox.exe	84
PID 860 wrote to memory of 3816	860	firefox.exe	84
PID 860 wrote to memory of 3816	860	firefox.exe	84
PID 860 wrote to memory of 3816	860	firefox.exe	84
PID 860 wrote to memory of 3816	860	firefox.exe	84
PID 860 wrote to memory of 3816	860	firefox.exe	84
PID 860 wrote to memory of 3816	860	firefox.exe	84
PID 860 wrote to memory of 3816	860	firefox.exe	84
PID 860 wrote to memory of 3816	860	firefox.exe	84
PID 860 wrote to memory of 3816	860	firefox.exe	84
PID 860 wrote to memory of 3816	860	firefox.exe	84
PID 860 wrote to memory of 3816	860	firefox.exe	84
PID 860 wrote to memory of 3816	860	firefox.exe	84
PID 860 wrote to memory of 3816	860	firefox.exe	84
PID 860 wrote to memory of 3816	860	firefox.exe	84
PID 860 wrote to memory of 3816	860	firefox.exe	84
PID 860 wrote to memory of 3816	860	firefox.exe	84
PID 860 wrote to memory of 3816	860	firefox.exe	84
PID 860 wrote to memory of 3816	860	firefox.exe	84
PID 860 wrote to memory of 3816	860	firefox.exe	84
PID 860 wrote to memory of 3816	860	firefox.exe	84
PID 860 wrote to memory of 3816	860	firefox.exe	84
PID 860 wrote to memory of 3816	860	firefox.exe	84
PID 860 wrote to memory of 3816	860	firefox.exe	84
PID 860 wrote to memory of 3816	860	firefox.exe	84
PID 860 wrote to memory of 3816	860	firefox.exe	84
PID 860 wrote to memory of 3816	860	firefox.exe	84
PID 860 wrote to memory of 3816	860	firefox.exe	84
PID 860 wrote to memory of 704	860	firefox.exe	85
PID 860 wrote to memory of 704	860	firefox.exe	85
PID 860 wrote to memory of 704	860	firefox.exe	85
PID 860 wrote to memory of 704	860	firefox.exe	85
PID 860 wrote to memory of 704	860	firefox.exe	85
PID 860 wrote to memory of 704	860	firefox.exe	85
PID 860 wrote to memory of 704	860	firefox.exe	85
PID 860 wrote to memory of 704	860	firefox.exe	85

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://cdn.discordapp.com/attachments/1299033012801110140/1314795009614024765/All_function.rar?ex=675511c6&is=6753c046&hm=400f52e1453dc133d03dcade625b2e88e4d1249ce88ce060262ca7ad37ef9e69&"
1⤵
- Suspicious use of WriteProcessMemory
PID:4104
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://cdn.discordapp.com/attachments/1299033012801110140/1314795009614024765/All_function.rar?ex=675511c6&is=6753c046&hm=400f52e1453dc133d03dcade625b2e88e4d1249ce88ce060262ca7ad37ef9e69&
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:860
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1980 -parentBuildID 20240401114208 -prefsHandle 1900 -prefMapHandle 1908 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c60a9ea6-da1a-4a2c-8c09-e149f844d5f1} 860 "\\.\pipe\gecko-crash-server-pipe.860" gpu
    3⤵
    PID:3816
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2416 -parentBuildID 20240401114208 -prefsHandle 2408 -prefMapHandle 2404 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f5d115d4-d3dd-4262-9d7b-1f4733b2fddf} 860 "\\.\pipe\gecko-crash-server-pipe.860" socket
    3⤵
    PID:704
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3008 -childID 1 -isForBrowser -prefsHandle 3132 -prefMapHandle 3124 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1288 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2bfed150-a97c-47d4-8386-2ef70eec1669} 860 "\\.\pipe\gecko-crash-server-pipe.860" tab
    3⤵
    PID:3128
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2660 -childID 2 -isForBrowser -prefsHandle 3804 -prefMapHandle 3800 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1288 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e93a943c-d4f7-466f-a6db-2bfda1b6129a} 860 "\\.\pipe\gecko-crash-server-pipe.860" tab
    3⤵
    PID:1988
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4808 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4264 -prefMapHandle 4604 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0f1fb53a-9bde-4651-9ac3-129a3f81e2ca} 860 "\\.\pipe\gecko-crash-server-pipe.860" utility
    3⤵
    - Checks processor information in registry
    PID:3272
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5400 -childID 3 -isForBrowser -prefsHandle 5392 -prefMapHandle 5352 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1288 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6c3140c5-3c98-4a38-9e4f-31816e20654f} 860 "\\.\pipe\gecko-crash-server-pipe.860" tab
    3⤵
    PID:2724
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5540 -childID 4 -isForBrowser -prefsHandle 5548 -prefMapHandle 5552 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1288 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e014be47-b3d1-4e97-9496-030a885659fc} 860 "\\.\pipe\gecko-crash-server-pipe.860" tab
    3⤵
    PID:3316
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5832 -childID 5 -isForBrowser -prefsHandle 5824 -prefMapHandle 5820 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1288 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8493fc33-0bd5-420b-803d-9dcf1f985d68} 860 "\\.\pipe\gecko-crash-server-pipe.860" tab
    3⤵
    PID:700

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5008

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\All function\" -spe -an -ai#7zMap6357:86:7zEvent19478
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4580

C:\Users\Admin\Downloads\All function\All function.exe
"C:\Users\Admin\Downloads\All function\All function.exe"
1⤵
- Executes dropped EXE
PID:3604
- C:\Users\Admin\AppData\Roaming\All function.exe
  "C:\Users\Admin\AppData\Roaming\All function.exe"
  2⤵
  PID:4872
- - C:\Users\Admin\Downloads\All function\._cache_All function.exe
    "C:\Users\Admin\Downloads\All function\._cache_All function.exe"
    3⤵
    PID:3524
  - - C:\Users\Admin\AppData\Roaming\ALL slumzick.exe
      "C:\Users\Admin\AppData\Roaming\ALL slumzick.exe"
      4⤵
      PID:3188
  - - C:\Users\Admin\AppData\Roaming\svchost.exe
      "C:\Users\Admin\AppData\Roaming\svchost.exe"
      4⤵
      PID:4336
- - C:\ProgramData\Synaptics\Synaptics.exe
    "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
    3⤵
    PID:5092
  - - C:\Users\Admin\Downloads\All function\._cache_Synaptics.exe
      "C:\Users\Admin\Downloads\All function\._cache_Synaptics.exe" InjUpdate
      4⤵
      PID:2688
    - - C:\Users\Admin\AppData\Roaming\ALL slumzick.exe
        
        "C:\Users\Admin\AppData\Roaming\ALL slumzick.exe"
        5⤵
        
        PID:4384
    - - C:\Users\Admin\AppData\Roaming\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\svchost.exe"
        5⤵
        
        PID:1228
- C:\Users\Admin\AppData\Roaming\svchost.exe
  "C:\Users\Admin\AppData\Roaming\svchost.exe"
  2⤵
  PID:4784
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:5380
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:5772
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchostt.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:5196
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchostt.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:5580

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
PID:3232

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
11.0MB

MD5
d2c2943b9146c0aaba2d687b493caacc

SHA1
e9acf6333bdd39b2e2bf9200f546b762e9bbd6f4

SHA256
e34cfe505546081cb728cfef2356b4c58714e7d8fe6417cfdae572dc2cfaec01

SHA512
12ca4ee79cdaef626e48231c5f41550d273be6086f8f968bbbf4c1becf9278ede5348575935f8c66e27d6efff73bae8b9baa7bcbc140418e685151f95acc3999

Download Submit
C:\ProgramData\Synaptics\Synaptics.exe

Filesize
10.8MB

MD5
98767e696bed9e007b72b9d487019170

SHA1
5af44c64ce92c1dc850ed0e5927cf5e8a2abf942

SHA256
ebef8c06fd5b373d42046ecd390c59f8a5d003e6d4d5c63505b00a0b244ecbdc

SHA512
53223db040b11851a6f6588a2fde1f90e1776472e86d2ef33b80f39f2f29c7374b010668997a018ada5b0f56108389226577bcfc4d035eef3b00f9732085ce3a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\svchost.exe.log

Filesize
654B

MD5
2ff39f6c7249774be85fd60a8f9a245e

SHA1
684ff36b31aedc1e587c8496c02722c6698c1c4e

SHA256
e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

SHA512
1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e907f77659a6601fcc408274894da2e

SHA1
9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

SHA256
385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

SHA512
34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
34f595487e6bfd1d11c7de88ee50356a

SHA1
4caad088c15766cc0fa1f42009260e9a02f953bb

SHA256
0f9a4b52e01cb051052228a55d0515911b7ef5a8db3cf925528c746df511424d

SHA512
10976c5deaf9fac449e703e852c3b08d099f430de2d7c7b8e2525c35d63e28b890e5aab63feff9b20bca0aaf9f35a3ba411aee3fbeee9ea59f90ed25bd617a0b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d8cb3e9459807e35f02130fad3f9860d

SHA1
5af7f32cb8a30e850892b15e9164030a041f4bd6

SHA256
2b139c74072ccbdaa17b950f32a6dbc934dfb7af9973d97c9b0d9c498012ba68

SHA512
045239ba31367fbdd59e883f74eafc05724e23bd6e8f0c1e7171ea2496a497eb9e0cfcb57285bb81c4d569daadba43d6ef64c626ca48f1e2a59e8d97f0cc9184

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\42vejdix.default-release\activity-stream.discovery_stream.json

Filesize
27KB

MD5
3e87ba1572267e57a4786be3f9ec0724

SHA1
4d99ab1b8f4d9de5b1decd0c6e7b8682d384e2a6

SHA256
5f3a4eed6ad92eef236a2ace5094880001cbf56b7a22294277b70e0b76f433ef

SHA512
3682915b1df4232d4fe63eff48c46c0f9ffc5c2dcefb56ca9cd171efcdf8a89bed9f8154a7cdf0f44c99d7e91263ec212c119083467fb87f917a5412cf795b68

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\42vejdix.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl

Filesize
15KB

MD5
96c542dec016d9ec1ecc4dddfcbaac66

SHA1
6199f7648bb744efa58acf7b96fee85d938389e4

SHA256
7f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798

SHA512
cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_r2fvtjtz.qas.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\smTOaeje.xlsm

Filesize
24KB

MD5
02710013c10909ebe313f7db4cd800cf

SHA1
50a3cdf6bb0f1fb6b0dcc1e5d798d2f0af7103a9

SHA256
f0d181e8774605f4514dcf69c5dd061c512a97b51641799c82b3b7391d143452

SHA512
3e7f000f6e7858410061619d4904313b1c117b8a493aec2a0554df77aeed0137629104c3fa798cf69a39981510b730e7b7a922dfbf6b55e271b0e726410ad472

Download Submit
C:\Users\Admin\AppData\Local\Temp\smTOaeje.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Roaming\ALL slumzick.exe

Filesize
9.8MB

MD5
3ff95a79afe41e5defb39a15b198fedf

SHA1
a88afecc2be750a6e8a24b8f9e6c8449ac54313b

SHA256
fddde12af10a0875f1d484515e5531ff53745a83ec2ba7af8cbae51a3a964004

SHA512
c38807bd3f4157ccc8325a1c8bb53dc3c981e2c9a4f35d68ef20f146e5b1e8eb790062a2f3d3edc69b530ef260e0f904c7f3fd0d577bf2236d75a8e6c07984cb

Download Submit
C:\Users\Admin\AppData\Roaming\ALL slumzick.exe

Filesize
9.6MB

MD5
e70b2808b2c2c50f3bb5bd8e69bcdc5d

SHA1
05852e2890ba8ca5f1533f89b9378ddedc4bcb21

SHA256
df94d1dda61a3d6d1a06e2f2b60181fb4a09ed8cf5bd50a680ab68636f790063

SHA512
e43102dbf3f3169a06bc6074ecabe1d44c592b87a3cce37116a7ff4cc9a4e1cd753419ee9ced76e921b35b71bbe575c9d260543683936150a745b034af50e12f

Download Submit
C:\Users\Admin\AppData\Roaming\ALL slumzick.exe

Filesize
9.4MB

MD5
05de64dcdddb98078cc8a4f89fad1a24

SHA1
3d524af74638fcadadb6dae0702b3d5376f1e487

SHA256
9780c704fedd1e73ea4dfc1e804fcad6ea8df7d2c6cdca3836f13cd1ea671def

SHA512
e8cbfaf1a4dd41b34dda2addb8bb38290161b1be4acb4631cfecce9a87ae063d66808c168d33e3ea17d4fc31bf9cfaf3e28384ffe81d4920bc80458d7f3aff52

Download Submit
C:\Users\Admin\AppData\Roaming\ALL slumzick.exe

Filesize
8.6MB

MD5
6457bcda85bdf171174c6716fb8ab367

SHA1
9e7c3656d5314b0fee34db5d67a194fc52dd6c39

SHA256
eed9d507b799d9e4695ee6198ddd7fc6e758fedb1e3bcad75893d8a9534e0d26

SHA512
acc887a7417c8b60a9fea143d9ee2ad7412042e8cac9f422339120325d6c39534a07b7b9368d642504747b04bb2e94dfe3a704548fadb2c99f28ba1c7c2d2792

Download Submit
C:\Users\Admin\AppData\Roaming\All function.exe

Filesize
14.8MB

MD5
6aafb6ce40bbdce8f440dc87f3a1f1c1

SHA1
274bc0cdb8b1be91e5e010f3eed7736625ede509

SHA256
e81024416e0e79558af3873e4eb099d69f48d4d4a775e919c6e63202ed3a2cb3

SHA512
e3fe0543c639700a8dc2b5ebe697277b256e561fe77fd3f2a4f3e615944fea1d85555e54d8722a4d75078f8f11adeb95d432fd984aa2e420f5835a6ece8406d2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\AlternateServices.bin

Filesize
6KB

MD5
dfd89b388b817c3448971e2bd0bba45f

SHA1
198e497d11f57d2f79ea141256d11cc7016bfa53

SHA256
886dfa0c84554eabaa810e02a6d2542ff9493056ff18d32b8d025b884fc37e1c

SHA512
943bcab7e4bf12b2bf3db79e0af7444bf652530925e7fc0320092ef5a90cb83cab9b0ab7b2b58b5f76dad880783476e04bb18d7d422c3ffa851d5edab406ea61

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\AlternateServices.bin

Filesize
6KB

MD5
970b65e10dd951f09e11556104b112a8

SHA1
4af15098b7f4c7f9b313813a7a035d015281d6f7

SHA256
9647d08936254f930697df62d5fc4e159cf9ae2a4337546fde2f10a95ce72f9c

SHA512
d85d18c407dba53f81615eb73d24e0d499b781da4c4efd97a231ba75c743a52c9fd27b9d043dbdd2ad551ac3d59f18b6be66368ec78b76772ef211a6edb71e96

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
812e247757870ce10fa4e4a9e64640a6

SHA1
1d69981ade90d70cdc7382daeecc95dad88b8963

SHA256
504f5004d0d111ad3fa0f2b50d8088c23dcc2b289deab02249ff6cda61364d85

SHA512
3b0202829bb13f57fe9a5dfad3975cdd6668c7598b8d2f67351559f4356ad95d20ece5f98afbb799544d41e1e9263273750e304ffbd21ceb4bff0d727ecba7eb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
d7c9fd3f927b0d1126857982c46966f3

SHA1
657910739b7b89efb86143e4f120250a38e040a0

SHA256
3b3ef7dc913f7a4363acf72bf90867364a6fd21a86a868acfc781cb904b8e917

SHA512
7f22a3c12fb836c28802ca8f88e1426ffe2badc73e92e93c2cd485f903a1ed36da086d63672ed2a5a9cbab77f91ec7b839e52525d91595f1ab2396ec53ff18c4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\datareporting\glean\pending_pings\3628685d-d028-4d68-a169-d83fee350fba

Filesize
671B

MD5
415f1f17a7d33d552479e1695d2373e4

SHA1
6053b71b4c678ccbb21953c8b8433f65f521fef5

SHA256
25fafc6c5369604403639a2cb78fca57065a498481c05978a2e698b7e7216291

SHA512
d57d32e2ae53a7bec79c3e4ce0eac03390c0f71ddc42ecc04020d88be7f07dd617845c25453c796ce610ed2077f11f8fb0d4d019c5a4a6f48f5860c054aa9adb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\datareporting\glean\pending_pings\b272dd73-03ab-4452-8192-d56219b2bef6

Filesize
25KB

MD5
a5df07f34fe55797263c653227626ad4

SHA1
ffdadbee88f1fd7f2149da928bbf3dd1fce9eded

SHA256
32897860603eb62ef3f9f0cff7febdf066cb4c427d60e384296d18860a47656b

SHA512
3ec1f24ff5d0e9c22a174ec4b6d64be15e14de91a898cfc010ddb9dfef4f07890240d0df2175a1f457f33513496b56a34bee4f7d96d6f44fa92554a5f1f2ae0a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\datareporting\glean\pending_pings\c7570c0d-846d-4615-bf92-eafc80aef74a

Filesize
982B

MD5
0b2576cbb889d3450de555190cedcbfb

SHA1
d6eb0c29c63cc6395645ee1e39631b193224b8c3

SHA256
8d37de5d24f900711e8002b8c0e08781b779d77dd8acd5b69897e1f7e177ed00

SHA512
c2211a00b8ad5073735b26938e5900f2b9170a30de7777c1a727d18b92a407cb9ae4225cc078896466e2d7fd7bb555ef94cb078eea3af5e1c640bd823db0e92d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\prefs.js

Filesize
10KB

MD5
8d510d6ef5fca2e6a53c2aaedfad0072

SHA1
bf7a5cd6b41d169691690f2c6ff7839b540f81cd

SHA256
2347ece2f690039256cd943f58fd29593b5ede6d394328ed3877ce4acc3532c2

SHA512
d0a62f8434087573bbb7826a87084976e9f0d093154aa2994a444466bed11f90de718b2e87863fabe263041717370d36cfe3198d68777afb302294aa2700be45

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe

Filesize
70KB

MD5
ef571ff4342a8163b1518248e705c719

SHA1
01b81eaabcaa382740e71e246e7e769b244da0e7

SHA256
2bda48bc6a0ad08a566fd8cc13b259ada3113c49700d03bd5aafd7e7bdf37ff2

SHA512
e53fce54a4a6fab5abc6a0b8c61b0fbe3eccb2c780460648faf45c71fb1cbb8750e3d8890b4dcedf175d782a9fc3d665dc3f0de370e10620cc68784eb88bd437

Download Submit
C:\Users\Admin\Downloads\All function.QCTtWqh3.rar.part

Filesize
3.0MB

MD5
d8ac22aca70fd12750e5ddd4aca86915

SHA1
0bd081b19f5d3d428e000ea45395420d5b0a9599

SHA256
aa1b266ffb495b8c0c3f41aa1d9088281dc4c4d3a5bd8786588ba533d3b6d731

SHA512
77ef19da695604ce373d04df8b9903d4c56434c4dbcf07b220554002a20ee7b5f993ffc6d2108f764558f6e8f04dd17eab787ac3159efd9866928ad93197ad63

Download Submit
C:\Users\Admin\Downloads\All function\._cache_All function.exe

Filesize
14.0MB

MD5
a23632476984a0d607dbf76b1096432f

SHA1
47c78ae1d0ff1e3ef1ccc6b229086c355edfffd0

SHA256
ba87298065dec0671a3194454a08f0b3671a78087a4043548b7fcca9e229d8a4

SHA512
a6482876a6b99048acb64ea46b7cfd4adcd55537e7ea25c7cfd353bc57c224336750f5024008832f2eddf1d358da19e7cfac1abac23d21fcd8272313820fbf6c

Download Submit
C:\Users\Admin\Downloads\All function\._cache_All function.exe

Filesize
11.4MB

MD5
b689548c31292df3fce8a3b76851748c

SHA1
f969074dd0bf634e373406f752b6f1d37e9de183

SHA256
7c90e81d118d54d06b4d378c6e6520832be15af7405074f0695797a8d0d91928

SHA512
903debddfd9d2ecad58343a5d3e643c7f15d0eaba3566fff9c4b8442c810416e794110ecbe576a164b8cf965a82e9b2812ea09379d8b7d803134343959befd53

Download Submit
C:\Users\Admin\Downloads\All function\._cache_All function.exe

Filesize
11.7MB

MD5
7f6db8bd9864b3125660dbd93ec17a1a

SHA1
dba2bd4c4522c264af3e329084f04c9118b163ca

SHA256
e3bb9aab215f92adebe06a44f87442ef86f4f3e0844a2ef08bda2b3ee88467eb

SHA512
085d3e58cd6e3eeb3e5096dc25a84c04f2c7bf3a30215e50a31fdf544e7212f8f55a768a3ef094b06d8dcfe10706be635916a59a640a54a98cc8082494bf55c8

Download Submit
C:\Users\Admin\Downloads\All function\._cache_Synaptics.exe

Filesize
9.5MB

MD5
1a1c0705261f8e3bc1e4b5af6c409990

SHA1
8680959049f0baa3454e10150825f8a983ed9af9

SHA256
531944a34d915cbea0317f55afe2ad4c0d74a567e897178a5a5bf623dd04890a

SHA512
5396792652fc164052640495882a3f0bb9b009a4650d18a0798513f1c1cee4bb8636162e1a702a9acbd6031532c8b890bc85dc7192b0fcffa8bea4b48b560168

Download Submit
C:\Users\Admin\Downloads\All function\._cache_Synaptics.exe

Filesize
9.8MB

MD5
995ab1ad4c0c3829535fbfdaca3bbeb5

SHA1
6d27d94578cd2abf30779df34cbcfff5ffd06209

SHA256
a947318b3fc404024178f6b36035aff04f362e2fe9d924608333dd97fa4e250f

SHA512
aeb2b3178c6347e26916ff1db124d611f0e68db5a300cfe695a62159ee5e39436c25884f9197cdd32bd0addd296e48885af16f4bdf917e910b655ef83949806b

Download Submit
C:\Users\Admin\Downloads\All function\All function.exe

Filesize
14.8MB

MD5
f935a1d69173631fb5959c047ec2f12a

SHA1
bdd4944074596ef174b726e88d62e545adcdbbc6

SHA256
3b4c938bf78f29a07de05d286b87d67d86f12fee4518dd8b4b894457210c2a51

SHA512
3cb34206c67000c5be130c8e1bc62cd6c8e6e1e1549e42aecec5d83eca1f3c65120484d0002d20b7d34cf092922c83d5ea3b542db5f3e5d65b5fd1d9e6071d3a

Download Submit
C:\Users\Admin\Downloads\All function\All function.exe

Filesize
9.9MB

MD5
7d1115ae822fe28903eb13b2ae107dc1

SHA1
63aa657977027d699706e928d71a790705da9a8a

SHA256
bb776e5b8b3f8c55d66faab5f589022b115db11d93d1705d480f3414d2b38931

SHA512
5a87b3f7c0d76afaa71879b6b32707150d6757670e061846924715a6726d8f744e3aeadacb0bc5498629a6ee704bb57cb8a556a484ddaf99f55f87f9e638c5a5

Download Submit
C:\Users\Admin\Downloads\All function\All function.exe

Filesize
9.8MB

MD5
15630fe22aba850ffab4037991c506ca

SHA1
e89a3a91d839199c2dc0559ef1837e03501ed79b

SHA256
f8c37dd74b9f97c9b9422d672b9812448360564b8532c040682704bda70630dd

SHA512
f927903dd47c473a9c68fdca562f91ce625a18e8f09056c12db81cc1a8f46b2d1cd3dabe275e6da5b5eb44926a3bee72e624bcf8e2b5e56f0356bb1145f47d9f

Download Submit
memory/3232-584-0x00007FFDDF650000-0x00007FFDDF660000-memory.dmp

Filesize
64KB

Download
memory/3232-593-0x00007FFDDD530000-0x00007FFDDD540000-memory.dmp

Filesize
64KB

Download
memory/3232-585-0x00007FFDDF650000-0x00007FFDDF660000-memory.dmp

Filesize
64KB

Download
memory/3232-586-0x00007FFDDF650000-0x00007FFDDF660000-memory.dmp

Filesize
64KB

Download
memory/3232-587-0x00007FFDDF650000-0x00007FFDDF660000-memory.dmp

Filesize
64KB

Download
memory/3232-588-0x00007FFDDF650000-0x00007FFDDF660000-memory.dmp

Filesize
64KB

Download
memory/3232-589-0x00007FFDDD530000-0x00007FFDDD540000-memory.dmp

Filesize
64KB

Download
memory/3524-441-0x0000000000370000-0x000000000117E000-memory.dmp

Filesize
14.1MB

Download
memory/3604-342-0x0000000000E20000-0x0000000001D00000-memory.dmp

Filesize
14.9MB

Download
memory/3604-341-0x00007FFDFC663000-0x00007FFDFC665000-memory.dmp

Filesize
8KB

Download
memory/4784-366-0x0000000000D70000-0x0000000000D88000-memory.dmp

Filesize
96KB

Download
memory/4872-499-0x0000000000400000-0x00000000012C9000-memory.dmp

Filesize
14.8MB

Download
memory/5380-595-0x000001D4D1250000-0x000001D4D1272000-memory.dmp

Filesize
136KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads