xred | d584e58130d63580e6ad71f41f09ca5b765d0516d26749e9ace7bc85d49c7a18

Analysis

max time kernel
149s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
18-12-2024 10:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d584e58130d63580e6ad71f41f09ca5b765d0516d26749e9ace7bc85d49c7a18.exe
Size

8.4MB
MD5

5a7d823359c21af24512dd647c0c3063
SHA1

8478412d6375084597d944dc231a5b8ac16817bd
SHA256

d584e58130d63580e6ad71f41f09ca5b765d0516d26749e9ace7bc85d49c7a18
SHA512

8e3ebafc02d4755fd7bccff4a9edb291e9b2642f5b47bc92fb78018602ebec2a12a432b53c290001444f77ff967229422711564ea21e5331143557d2f79e5778
SSDEEP

196608:tLUdwAmXaSMDdu+FtEF+mt6faSbMdoQDrCqIgxf0OKt72:tW5mKRDdu+MF+xfaSbuoQPLxFKt2

Score

10^/10

xred backdoor discovery persistence

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Synaptics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	d584e58130d63580e6ad71f41f09ca5b765d0516d26749e9ace7bc85d49c7a18.exe

Executes dropped EXE 5 IoCs

pid	Process
2792	._cache_d584e58130d63580e6ad71f41f09ca5b765d0516d26749e9ace7bc85d49c7a18.exe
1296	TeamViewer_.exe
3656	Synaptics.exe
1456	._cache_Synaptics.exe
4792	TeamViewer_.exe

Loads dropped DLL 24 IoCs

pid	Process
2792	._cache_d584e58130d63580e6ad71f41f09ca5b765d0516d26749e9ace7bc85d49c7a18.exe
1296	TeamViewer_.exe
1296	TeamViewer_.exe
1296	TeamViewer_.exe
1296	TeamViewer_.exe
1456	._cache_Synaptics.exe
4792	TeamViewer_.exe
4792	TeamViewer_.exe
4792	TeamViewer_.exe
4792	TeamViewer_.exe
1296	TeamViewer_.exe
1296	TeamViewer_.exe
1296	TeamViewer_.exe
1296	TeamViewer_.exe
1296	TeamViewer_.exe
1296	TeamViewer_.exe
1296	TeamViewer_.exe
4792	TeamViewer_.exe
4792	TeamViewer_.exe
4792	TeamViewer_.exe
4792	TeamViewer_.exe
4792	TeamViewer_.exe
4792	TeamViewer_.exe
4792	TeamViewer_.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	d584e58130d63580e6ad71f41f09ca5b765d0516d26749e9ace7bc85d49c7a18.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_d584e58130d63580e6ad71f41f09ca5b765d0516d26749e9ace7bc85d49c7a18.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TeamViewer_.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TeamViewer_.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d584e58130d63580e6ad71f41f09ca5b765d0516d26749e9ace7bc85d49c7a18.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	d584e58130d63580e6ad71f41f09ca5b765d0516d26749e9ace7bc85d49c7a18.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
4504	EXCEL.EXE

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4504	EXCEL.EXE
4504	EXCEL.EXE
4504	EXCEL.EXE
4504	EXCEL.EXE

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2096 wrote to memory of 2792	2096	d584e58130d63580e6ad71f41f09ca5b765d0516d26749e9ace7bc85d49c7a18.exe	82
PID 2096 wrote to memory of 2792	2096	d584e58130d63580e6ad71f41f09ca5b765d0516d26749e9ace7bc85d49c7a18.exe	82
PID 2096 wrote to memory of 2792	2096	d584e58130d63580e6ad71f41f09ca5b765d0516d26749e9ace7bc85d49c7a18.exe	82
PID 2792 wrote to memory of 1296	2792	._cache_d584e58130d63580e6ad71f41f09ca5b765d0516d26749e9ace7bc85d49c7a18.exe	83
PID 2792 wrote to memory of 1296	2792	._cache_d584e58130d63580e6ad71f41f09ca5b765d0516d26749e9ace7bc85d49c7a18.exe	83
PID 2792 wrote to memory of 1296	2792	._cache_d584e58130d63580e6ad71f41f09ca5b765d0516d26749e9ace7bc85d49c7a18.exe	83
PID 2096 wrote to memory of 3656	2096	d584e58130d63580e6ad71f41f09ca5b765d0516d26749e9ace7bc85d49c7a18.exe	84
PID 2096 wrote to memory of 3656	2096	d584e58130d63580e6ad71f41f09ca5b765d0516d26749e9ace7bc85d49c7a18.exe	84
PID 2096 wrote to memory of 3656	2096	d584e58130d63580e6ad71f41f09ca5b765d0516d26749e9ace7bc85d49c7a18.exe	84
PID 3656 wrote to memory of 1456	3656	Synaptics.exe	85
PID 3656 wrote to memory of 1456	3656	Synaptics.exe	85
PID 3656 wrote to memory of 1456	3656	Synaptics.exe	85
PID 1456 wrote to memory of 4792	1456	._cache_Synaptics.exe	87
PID 1456 wrote to memory of 4792	1456	._cache_Synaptics.exe	87
PID 1456 wrote to memory of 4792	1456	._cache_Synaptics.exe	87

C:\Users\Admin\AppData\Local\Temp\d584e58130d63580e6ad71f41f09ca5b765d0516d26749e9ace7bc85d49c7a18.exe
"C:\Users\Admin\AppData\Local\Temp\d584e58130d63580e6ad71f41f09ca5b765d0516d26749e9ace7bc85d49c7a18.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2096
- C:\Users\Admin\AppData\Local\Temp\._cache_d584e58130d63580e6ad71f41f09ca5b765d0516d26749e9ace7bc85d49c7a18.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_d584e58130d63580e6ad71f41f09ca5b765d0516d26749e9ace7bc85d49c7a18.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2792
- - C:\Users\Admin\AppData\Local\Temp\TeamViewer\TeamViewer_.exe
    "C:\Users\Admin\AppData\Local\Temp\TeamViewer\TeamViewer_.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:1296
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3656
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1456
  - - C:\Users\Admin\AppData\Local\Temp\TeamViewer\TeamViewer_.exe
      "C:\Users\Admin\AppData\Local\Temp\TeamViewer\TeamViewer_.exe" InjUpdate
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:4792

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4504

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
8.4MB

MD5
5a7d823359c21af24512dd647c0c3063

SHA1
8478412d6375084597d944dc231a5b8ac16817bd

SHA256
d584e58130d63580e6ad71f41f09ca5b765d0516d26749e9ace7bc85d49c7a18

SHA512
8e3ebafc02d4755fd7bccff4a9edb291e9b2642f5b47bc92fb78018602ebec2a12a432b53c290001444f77ff967229422711564ea21e5331143557d2f79e5778

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_d584e58130d63580e6ad71f41f09ca5b765d0516d26749e9ace7bc85d49c7a18.exe

Filesize
7.7MB

MD5
6ff62388b265f3682a390417ae4b47d6

SHA1
8e7afffd442a54ce004972181b0eec6d34270634

SHA256
b0edb941157eb8bb6b1e80d53b0ad2bce180f54abffddc08b7e7b2d20be445c1

SHA512
3429572e0d634ea4eeb01cf903e6ca654b993a0abe698bb6e682a86c4d3405216c58da70a9d58aaf81cb19dad51a009974f746885a5545d44809db3257a81a68

Download Submit
C:\Users\Admin\AppData\Local\Temp\Pki7eSCi.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\TeamViewer\TeamViewer_.exe

Filesize
7.5MB

MD5
2f33659e551eac0332b2bd9f228fb811

SHA1
5e8c5e0e5e6d871740d163b7a81beeae709b3942

SHA256
a52f02c33354022b329f86f6283235aa7a58942e60659dcce3069d3a873845bb

SHA512
653b8632c1aeddfbe90a9a8e94966a8f3660bb42edb7dcce303f23f5d95f568a7e2d7dc3d7b3a2ba0657877812829f7aae49a08c1a4da792d450f2d4a9b5df51

Download Submit
C:\Users\Admin\AppData\Local\Temp\TeamViewer\tvinfo.ini

Filesize
102B

MD5
69a564a941c3b40b7745d8d30f77095c

SHA1
05a5b4e997bcdd9d8214ed7c77425eb871546fd5

SHA256
dc2f88879af6cc7301370feac2e0fc83724e1641bfa3224b228c83eee8c680a5

SHA512
6100b07556d54f4f953b9584383299bb5cfe42743fad45565144392c75b469c0d5db66e91680fff7f824da7ae139f6642197dbb016192a20e6f4b06ad034ca5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\TeamViewer\tvinfo.ini

Filesize
47B

MD5
b79df1c7a14576aeee74a58fdac22c69

SHA1
3cb7c8558f62f0c7b641c451d5c871cbd1bb951c

SHA256
6fc06809746090e4c55613cc16b7f673b89e4dd49a34f0f72c6f3d54225a5f75

SHA512
cfc5207320b56f5df83d5afc6256a9a594bcdc3de846747e09306ecfa5a4d1ff33f14327e5e4dddb26fab2b4fbd59dc912c5e7d5d9791e88179cfc3b3d919930

Download Submit
C:\Users\Admin\AppData\Local\Temp\nscCAD4.tmp\start_unicode.ini

Filesize
2KB

MD5
8f4d74e546c40329771ec8dc4de5e55a

SHA1
39daf27f8897d03a3ab0f44eef9e1aae7b7eae0b

SHA256
7ba59d2d5b4267eed08a7e4d8ec6cc3534c7e9ea1a7c751d57ea184fe938358e

SHA512
347c37103bc43a5e71aef1561a2de6343fb108d341d3b9f356ac2a43b20996ea566c16cd401276481a73ebee2e789f4983df0a408f750abe5ed7e757abe9dca5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nscCAD4.tmp\start_unicode.ini

Filesize
2KB

MD5
2a8a139cdab38b5f4264ae82850cbd22

SHA1
816e8acb2adc36c7f138f963a9802622dfc9536a

SHA256
94bde605292510f8ae6df19083130770ae8c754906007ea93150cab63962190b

SHA512
d6f99e88e72cfb28afc4af0780d2ac380f00f9fe9265cbbb4b8e6390e9b6ee5870a723e1971288783fd919158659ff214bab383242fa22470d9f6f1a170e2cf1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nscCAD4.tmp\start_unicode.ini

Filesize
2KB

MD5
dfd541aedb93491880d2084188abbc01

SHA1
8a7a34668c189af2a5a8303f4b534fa1f2e873d7

SHA256
89a1989eee149926510fc2fcda06adb4b2f14bbfd5308f2bc493f5abf626f29e

SHA512
ab76c982f9573f7ff2943ca9460136c4b745176ff697db2609668bd6f46f82752ef58be989a7712a5bf63d75c484d79c6a5bfb71c5d82fdae6b0049504b3fc4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nscCAD4.tmp\start_unicode.ini

Filesize
2KB

MD5
e83a09d4c06fad630988b62b8e48994d

SHA1
ea9bce813071688311d38c05665507929e302061

SHA256
b0bccb7b340445f503a56d04d157c73d5e126982cb45ddabfbb6c10fb25479fe

SHA512
b759cc0888fc61c3ae2b390433666fa77067f36eefd101c15c7aee955faddd7d78eadf8a4aa56531983b1a31c0e7ce12dcb8fb0af05f94d2d9eac82d9c3022c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nscCAD4.tmp\start_unicode.ini

Filesize
2KB

MD5
d6f32d934f2ae7c43bb53b45b2541499

SHA1
b2b5b4dd8d14b3fb93aa3d1b487d1a7044212f21

SHA256
6495458465f0bed9c53a6e82ed388ba51d850cbf94f96b4ad0592b254c5a2776

SHA512
c13c6bb8c234fa9cfa24fa8f65d24c8e0f883da6f606df4f54c389316ac56484bb5fe234f5d4d175b2c5d2232564dbaf4edb1d8296464c5a0df05797fafef017

Download Submit
C:\Users\Admin\AppData\Local\Temp\nscCAD4.tmp\start_unicode.ini

Filesize
2KB

MD5
6dbb78bc731d4e62de37de89ab62d220

SHA1
702f1be9925134800c58358ba42e6fadb96347ca

SHA256
1a8cf2fb8df623de5a9274f61dc960e176dd73cd681f1eb520aa6bffda052f44

SHA512
b44d202fb428b93f86ef32928454a4d030e9d2912066e35f1616806e23bb93ee3609714d2d9a0d7f6e227a51b1f3d3bcb82f63ee8090f33689c2425363c483f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nscCAD4.tmp\start_unicode.ini

Filesize
2KB

MD5
5dadeb3dba4a8fd823c4d8e9743bec96

SHA1
84cfbeb10a81f9e14047fd87ac76269eb287116a

SHA256
ce828f2c3e4b0d956f16bb5fdb8be230be71dcadd1f47d52e3c90e749845b9b6

SHA512
7a0db853f3d3a1830757823924f68edfc83ccda962bba523f1a00cc95c2c58cef47a9189993488c35ffaa0639765e1d2e990fef7330234aee24726a910236b6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nscCAD4.tmp\start_unicode.ini

Filesize
2KB

MD5
6baf2ad274a95cf1979a14a4fdda2697

SHA1
9872e581f242b24ca30b80ca15c58b0df1a5f39e

SHA256
30a2f67e2839cca167b77ffee0c1fb7e4ec2e5f85852ddff37ec684dd0f25626

SHA512
d5139029fe1b7f11d5d54eab794fa367246af5aaeef3eb30c0ea2455d0fa23d7f187b42073491e02d23bbe831063333d8b6f2513093e331ead05b6cd7c92361b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nscCAD4.tmp\start_unicode.ini

Filesize
2KB

MD5
db20a59a3fd08afb2b0d58764593057c

SHA1
a63d6b50233a8382e5766c6670df7166d075f1eb

SHA256
ad94615c0f3b2c90a08699a96814aea6ec88dabe88366df4714b8fca238d4e83

SHA512
633f8c51a885dad4c7e41a5a668387d8d29778e3c4d170ec3e10210fec9db8a8f5717df38fd8041332feb2703a39ed8d460ac431b748846375b2839d220e27db

Download Submit
C:\Users\Admin\AppData\Local\Temp\nscCAD4.tmp\start_unicode.ini

Filesize
2KB

MD5
92feed59b6975cfb80caf9079c46f2d0

SHA1
d84c523f8f7c87eb46a4732024e733011fc6ef0b

SHA256
08a1b91084d6a1ccff49614e11b5d9831b23277f68b11f7252329fe065c57bd3

SHA512
4b69633fa54fcc6801da855684b3db931e4f7bc03a1e1e499aeaec03554fb96a09f4ca8798f18950c675f2f3c3f95aedb4d161308b1c1f725326a08c51b07e72

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsvBB42.tmp\TvGetVersion.dll

Filesize
153KB

MD5
a366cd40b73d191cdb1aa7b14267213f

SHA1
d7bad68f24127972b1363c44ad3a225fdf3d3659

SHA256
3d661aaac7698a5b4611ca22bda5e0194d90ec238d9dfe7e4ab38a8d866176b0

SHA512
96ea62df2ec21d80eae9a48c23fe38601564aa942e1e02013f1d78497ff4d9a332f41a4105c4d79e632b24bb7e75b1532d1a58e790c929570da51d6584e2eb8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswBC7C.tmp\InstallOptions.dll

Filesize
15KB

MD5
89351a0a6a89519c86c5531e20dab9ea

SHA1
9e801aaaae9e70d8f7fc52f6f12cedc55e4c8a00

SHA256
f530069ef87a1c163c4fd63a3d5b053420ce3d7a98739c70211b4a99f90d6277

SHA512
13168fa828b581383e5f64d3b54be357e98d2eb9362b45685e7426ffc2f0696ab432cc8a3f374ce8abd03c096f1662d954877afa886fc4aa74709e6044b75c08

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswBC7C.tmp\System.dll

Filesize
11KB

MD5
bf712f32249029466fa86756f5546950

SHA1
75ac4dc4808ac148ddd78f6b89a51afbd4091c2e

SHA256
7851cb12fa4131f1fee5de390d650ef65cac561279f1cfe70ad16cc9780210af

SHA512
13f69959b28416e0b8811c962a49309dca3f048a165457051a28a3eb51377dcaf99a15e86d7eee8f867a9e25ecf8c44da370ac8f530eeae7b5252eaba64b96f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswBC7C.tmp\UserInfo.dll

Filesize
4KB

MD5
c7ce0e47c83525983fd2c4c9566b4aad

SHA1
38b7ad7bb32ffae35540fce373b8a671878dc54e

SHA256
6293408a5fa6d0f55f0a4d01528eb5b807ee9447a75a28b5986267475ebcd3ae

SHA512
ee9f23ea5210f418d4c559628bbfb3a0f892440bcd5dc4c1901cb8e510078e4481ea8353b262795076a19055e70b88e08fee5fb7e8f35a6f49022096408df20e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswBC7C.tmp\advanced_unicode.ini

Filesize
1KB

MD5
8b3e104f11c5d046bd93df4e9fb40f4e

SHA1
0362bb65744a07563dc05cd612dd54a865233d79

SHA256
cc18c611578d796a879cac46746406dbaa96eddd544d7a12d4fa56856cb2cbc1

SHA512
edc08be542234c3ed6a94c46c610eb5398782c580859eda11f35df6112b3dfee10cf4be068c7a87f39a339f10a9176350cae9f657857375d641a35d5d151ced8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswBC7C.tmp\linker.dll

Filesize
45KB

MD5
4ac3f0ab2e423515ed9c575333342054

SHA1
a3e4f2b2135157f964d471564044b023a64f2532

SHA256
f223d6c72f86544b358a6301daf60ccdd86198f32e3447a1860acf3f59f2dae9

SHA512
8fbd5b4989be51c27fa15af155d2921bea9aa5d0557a22d4224256e678dfe7dcaa5f80917a748c31dc9c9a91573e4618e2497ccfd47eefd7a0fa08c12366a1e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswBC7C.tmp\start_unicode.ini

Filesize
2KB

MD5
216fb95d541affa235959f1da6561e75

SHA1
1775df15cc913bf0488e5718016475e65501f0a8

SHA256
f8b24ba62a1e4cb2e3d11c722b4bc5f8673117541a59a5ce2b34383318b58e26

SHA512
007d81c452a2d64e4ef5909860929c50d118490ab75e253ab2a3284adadb86910b6a1c5ffbf2b1147de2a032dbd4fa7ae6c308fc70f67ad365bfe42945fd0063

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswBC7C.tmp\start_unicode.ini

Filesize
2KB

MD5
a6d85f086ede645bb15919d444f933b4

SHA1
2169ffc1a9f54ce1ff8b3c417e3ab3a0c6f0b59d

SHA256
5458821e6050eeff0fade2433a46aa47989857dd1c3f237d1cd52d0516d3a2ba

SHA512
3376593e5feb20729a5d420843794733ad3749aeb75f79cda7009f7b934869ca45b7a010669da70d28912cf12f0eda05830a84e6f7b45b46e5355dddd696298d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswBC7C.tmp\start_unicode.ini

Filesize
2KB

MD5
060ef8bacd2fe6f6e1784fd9c3addcd1

SHA1
5e5c5e20c32edee92f0e573a2db34b2dfbc58769

SHA256
de83945f95ebf86a4410f511f94649ecc49f1b2957bc150836e2e3ecad7f16fa

SHA512
dff1eb569047058a4abe98f4ddcf776c1695b22bb167e84c724cec38f74bbc7f0620d188819956bcee45d37c435669684eb820f23b76b824a712687dfde6a8d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswBC7C.tmp\start_unicode.ini

Filesize
2KB

MD5
feac31d0eb7053d705a4abe1597c7760

SHA1
7dc32d634bf12ceba8cb6d93c431ef21a3d0dbef

SHA256
c52c8e95d8fafbcba10c1ed04e8b78684b010f11738d52fd6747d4b2eed07708

SHA512
563919a90ea3b56684c3f419126327d2a48b72a2413b1dfc0540615d730fb0bbb69c9ee55a55e343fa6f6512b943d4f4d3487a407e6b11d1832e47f7c59210ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswBC7C.tmp\start_unicode.ini

Filesize
2KB

MD5
5830558493a892dc17233675801b0e3c

SHA1
fa328eb1581ffa29d8c9da2ce403bdcdad168f25

SHA256
7d410131f217402b3e39a99223a70ca8c5be8e03fc47ec57664f8671313f2def

SHA512
2a54ed1d2f8527025eaf1c99eac99a4ed6048887cf0a35e8cf3463e4c18848060645c0a5438d96750f1a8450b18d15ec5984bbc94ca1f8b1e1d90fa30a3acb70

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswBC7C.tmp\start_unicode.ini

Filesize
2KB

MD5
7563a414f8f5b3b387c6d58936fda1f3

SHA1
6f9d4717f01b8e605d0a5f497166e4996e7edf5f

SHA256
fb5bc2d9c8fc50c91cadb92d7a16da71d487f1d1c33f1a01b8c1afa84e232719

SHA512
b0e0ccb857f2239bfd0924702bc148914eed7da6f3fcee2176282b7a7e0b8661cb35987e4d25e66f35a1bef1f13b15d6df458d008eea93655c2a9392e2a602d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswBC7C.tmp\start_unicode.ini

Filesize
2KB

MD5
e8eec61628c34243e5c2e2aa3728bd99

SHA1
9e3c8aac25cb39ebdbc4445f3396e53e58571a7e

SHA256
517cb809466faaaed4ab54e887f8b86c4ec006461deba678cdda95baf424d25c

SHA512
f76692c1e2a1021cd3be3c4d321debe55d4c31e5c5f74235b6469fe362675f7643845663861b86b8696b44bfedacde6c1548c655403511fcd798e09ad4195792

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswBC7C.tmp\start_unicode.ini

Filesize
2KB

MD5
fe6b10ff2e5b38e22c1f5e732269c2f1

SHA1
f9d4fdcfe1df0041d0ad2d851169ba7a20192a64

SHA256
611495b7b5198a6f7114c3335bbacd69e65c7de32ee9d969d70ba823a7ed8b47

SHA512
a07a628fc07c2564ffa4540372750e660a50578ae15594326eaf295312e97ba577223b02ffa4d0d74418979d9ec14ff8ce35523b66e6305063aba9c4d8504401

Download Submit
memory/2096-0-0x0000000002B00000-0x0000000002B01000-memory.dmp

Filesize
4KB

Download
memory/2096-160-0x0000000000400000-0x0000000000C70000-memory.dmp

Filesize
8.4MB

Download
memory/3656-2009-0x0000000000400000-0x0000000000C70000-memory.dmp

Filesize
8.4MB

Download
memory/3656-902-0x0000000000400000-0x0000000000C70000-memory.dmp

Filesize
8.4MB

Download
memory/4504-261-0x00007FF9EE690000-0x00007FF9EE6A0000-memory.dmp

Filesize
64KB

Download
memory/4504-258-0x00007FF9EE690000-0x00007FF9EE6A0000-memory.dmp

Filesize
64KB

Download
memory/4504-259-0x00007FF9EE690000-0x00007FF9EE6A0000-memory.dmp

Filesize
64KB

Download
memory/4504-260-0x00007FF9EE690000-0x00007FF9EE6A0000-memory.dmp

Filesize
64KB

Download
memory/4504-271-0x00007FF9EC280000-0x00007FF9EC290000-memory.dmp

Filesize
64KB

Download
memory/4504-290-0x00007FF9EC280000-0x00007FF9EC290000-memory.dmp

Filesize
64KB

Download
memory/4504-262-0x00007FF9EE690000-0x00007FF9EE6A0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads