xred | d584e58130d63580e6ad71f41f09ca5b765d0516d26749e9ace7bc85d49c7a18

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
18/12/2024, 09:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d584e58130d63580e6ad71f41f09ca5b765d0516d26749e9ace7bc85d49c7a18.exe
Size

8.4MB
MD5

5a7d823359c21af24512dd647c0c3063
SHA1

8478412d6375084597d944dc231a5b8ac16817bd
SHA256

d584e58130d63580e6ad71f41f09ca5b765d0516d26749e9ace7bc85d49c7a18
SHA512

8e3ebafc02d4755fd7bccff4a9edb291e9b2642f5b47bc92fb78018602ebec2a12a432b53c290001444f77ff967229422711564ea21e5331143557d2f79e5778
SSDEEP

196608:tLUdwAmXaSMDdu+FtEF+mt6faSbMdoQDrCqIgxf0OKt72:tW5mKRDdu+MF+xfaSbuoQPLxFKt2

Score

10^/10

xred backdoor discovery macro persistence

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Suspicious Office macro 2 IoCs

Office document equipped with macros.

macro

resource
behavioral1/files/0x000500000001a463-597.dat
behavioral1/files/0x000700000001a463-621.dat

Executes dropped EXE 5 IoCs

pid	Process
2116	._cache_d584e58130d63580e6ad71f41f09ca5b765d0516d26749e9ace7bc85d49c7a18.exe
2820	TeamViewer_.exe
2808	Synaptics.exe
1796	._cache_Synaptics.exe
896	TeamViewer_.exe

Loads dropped DLL 31 IoCs

pid	Process
1300	d584e58130d63580e6ad71f41f09ca5b765d0516d26749e9ace7bc85d49c7a18.exe
2116	._cache_d584e58130d63580e6ad71f41f09ca5b765d0516d26749e9ace7bc85d49c7a18.exe
2116	._cache_d584e58130d63580e6ad71f41f09ca5b765d0516d26749e9ace7bc85d49c7a18.exe
2820	TeamViewer_.exe
2820	TeamViewer_.exe
1300	d584e58130d63580e6ad71f41f09ca5b765d0516d26749e9ace7bc85d49c7a18.exe
1300	d584e58130d63580e6ad71f41f09ca5b765d0516d26749e9ace7bc85d49c7a18.exe
2820	TeamViewer_.exe
2820	TeamViewer_.exe
2820	TeamViewer_.exe
2820	TeamViewer_.exe
2820	TeamViewer_.exe
2820	TeamViewer_.exe
2820	TeamViewer_.exe
2820	TeamViewer_.exe
2820	TeamViewer_.exe
2808	Synaptics.exe
2808	Synaptics.exe
1796	._cache_Synaptics.exe
1796	._cache_Synaptics.exe
896	TeamViewer_.exe
896	TeamViewer_.exe
896	TeamViewer_.exe
896	TeamViewer_.exe
896	TeamViewer_.exe
896	TeamViewer_.exe
896	TeamViewer_.exe
896	TeamViewer_.exe
896	TeamViewer_.exe
896	TeamViewer_.exe
896	TeamViewer_.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	d584e58130d63580e6ad71f41f09ca5b765d0516d26749e9ace7bc85d49c7a18.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d584e58130d63580e6ad71f41f09ca5b765d0516d26749e9ace7bc85d49c7a18.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_d584e58130d63580e6ad71f41f09ca5b765d0516d26749e9ace7bc85d49c7a18.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TeamViewer_.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TeamViewer_.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1060	EXCEL.EXE

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
896	TeamViewer_.exe
2820	TeamViewer_.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1060	EXCEL.EXE

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 1300 wrote to memory of 2116	1300	d584e58130d63580e6ad71f41f09ca5b765d0516d26749e9ace7bc85d49c7a18.exe	30
PID 1300 wrote to memory of 2116	1300	d584e58130d63580e6ad71f41f09ca5b765d0516d26749e9ace7bc85d49c7a18.exe	30
PID 1300 wrote to memory of 2116	1300	d584e58130d63580e6ad71f41f09ca5b765d0516d26749e9ace7bc85d49c7a18.exe	30
PID 1300 wrote to memory of 2116	1300	d584e58130d63580e6ad71f41f09ca5b765d0516d26749e9ace7bc85d49c7a18.exe	30
PID 2116 wrote to memory of 2820	2116	._cache_d584e58130d63580e6ad71f41f09ca5b765d0516d26749e9ace7bc85d49c7a18.exe	31
PID 2116 wrote to memory of 2820	2116	._cache_d584e58130d63580e6ad71f41f09ca5b765d0516d26749e9ace7bc85d49c7a18.exe	31
PID 2116 wrote to memory of 2820	2116	._cache_d584e58130d63580e6ad71f41f09ca5b765d0516d26749e9ace7bc85d49c7a18.exe	31
PID 2116 wrote to memory of 2820	2116	._cache_d584e58130d63580e6ad71f41f09ca5b765d0516d26749e9ace7bc85d49c7a18.exe	31
PID 2116 wrote to memory of 2820	2116	._cache_d584e58130d63580e6ad71f41f09ca5b765d0516d26749e9ace7bc85d49c7a18.exe	31
PID 2116 wrote to memory of 2820	2116	._cache_d584e58130d63580e6ad71f41f09ca5b765d0516d26749e9ace7bc85d49c7a18.exe	31
PID 2116 wrote to memory of 2820	2116	._cache_d584e58130d63580e6ad71f41f09ca5b765d0516d26749e9ace7bc85d49c7a18.exe	31
PID 1300 wrote to memory of 2808	1300	d584e58130d63580e6ad71f41f09ca5b765d0516d26749e9ace7bc85d49c7a18.exe	32
PID 1300 wrote to memory of 2808	1300	d584e58130d63580e6ad71f41f09ca5b765d0516d26749e9ace7bc85d49c7a18.exe	32
PID 1300 wrote to memory of 2808	1300	d584e58130d63580e6ad71f41f09ca5b765d0516d26749e9ace7bc85d49c7a18.exe	32
PID 1300 wrote to memory of 2808	1300	d584e58130d63580e6ad71f41f09ca5b765d0516d26749e9ace7bc85d49c7a18.exe	32
PID 2808 wrote to memory of 1796	2808	Synaptics.exe	33
PID 2808 wrote to memory of 1796	2808	Synaptics.exe	33
PID 2808 wrote to memory of 1796	2808	Synaptics.exe	33
PID 2808 wrote to memory of 1796	2808	Synaptics.exe	33
PID 1796 wrote to memory of 896	1796	._cache_Synaptics.exe	35
PID 1796 wrote to memory of 896	1796	._cache_Synaptics.exe	35
PID 1796 wrote to memory of 896	1796	._cache_Synaptics.exe	35
PID 1796 wrote to memory of 896	1796	._cache_Synaptics.exe	35
PID 1796 wrote to memory of 896	1796	._cache_Synaptics.exe	35
PID 1796 wrote to memory of 896	1796	._cache_Synaptics.exe	35
PID 1796 wrote to memory of 896	1796	._cache_Synaptics.exe	35

C:\Users\Admin\AppData\Local\Temp\d584e58130d63580e6ad71f41f09ca5b765d0516d26749e9ace7bc85d49c7a18.exe
"C:\Users\Admin\AppData\Local\Temp\d584e58130d63580e6ad71f41f09ca5b765d0516d26749e9ace7bc85d49c7a18.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1300
- C:\Users\Admin\AppData\Local\Temp\._cache_d584e58130d63580e6ad71f41f09ca5b765d0516d26749e9ace7bc85d49c7a18.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_d584e58130d63580e6ad71f41f09ca5b765d0516d26749e9ace7bc85d49c7a18.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2116
- - C:\Users\Admin\AppData\Local\Temp\TeamViewer\TeamViewer_.exe
    "C:\Users\Admin\AppData\Local\Temp\TeamViewer\TeamViewer_.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    PID:2820
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2808
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1796
  - - C:\Users\Admin\AppData\Local\Temp\TeamViewer\TeamViewer_.exe
      "C:\Users\Admin\AppData\Local\Temp\TeamViewer\TeamViewer_.exe" InjUpdate
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious behavior: GetForegroundWindowSpam
      PID:896

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
8.4MB

MD5
5a7d823359c21af24512dd647c0c3063

SHA1
8478412d6375084597d944dc231a5b8ac16817bd

SHA256
d584e58130d63580e6ad71f41f09ca5b765d0516d26749e9ace7bc85d49c7a18

SHA512
8e3ebafc02d4755fd7bccff4a9edb291e9b2642f5b47bc92fb78018602ebec2a12a432b53c290001444f77ff967229422711564ea21e5331143557d2f79e5778

Download Submit
C:\Users\Admin\AppData\Local\Temp\JOF5Kx9L.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\JOF5Kx9L.xlsm

Filesize
27KB

MD5
933fef0dbab5506b45a49d18afcb873c

SHA1
04503fd9084abb2066ac14eab958039b16857dea

SHA256
2a828b3c262b10fa1816da43c484036e62569ae413db3fb9908b2a326332bdff

SHA512
f29d80d83ccb3231de9ee04b7a0a1320bc0484d3a56644130a2b5e3ebb588ba0a5acbc8f033b001a8be552c3e038b4a37fe89a6a0ed35c479e2d5bb2c803188e

Download Submit
C:\Users\Admin\AppData\Local\Temp\JOF5Kx9L.xlsm

Filesize
29KB

MD5
8bc98ec76f91313ce52fa157ea4d00ca

SHA1
3dee2ceb34f23ad39c26cf3644d579f62062b808

SHA256
840e6807f00a8e2a03d847c2133ed8fea9aa029e390e14afee2213f5a6a75d62

SHA512
c3f9dc865b8c7c91431f41710280037b0fc823a8cd6daf70fe3717fecf1e536f4bfce64d7760c0283f9ff4959f94665641a1e4de3e28ca35a8b8e2cdff47b72a

Download Submit
C:\Users\Admin\AppData\Local\Temp\JOF5Kx9L.xlsm

Filesize
30KB

MD5
d3c8b13988a86f7da3800fddc8cad6d0

SHA1
3f4b84dc2ab8320332a3a301c0914fd0e22178c7

SHA256
259a8bdbb4af8747ef9a01b3d3df50b9bd04daed52359535b5dd7226f83bbc47

SHA512
72a8c2fb3b2c5417a3d0e1e82d6dd217f166cfe88521c1a8735195c54f33d69b766455d77dd0091915b606d36cda780283a55cf36da3780b242c45484f579bed

Download Submit
C:\Users\Admin\AppData\Local\Temp\TeamViewer\TeamViewer_.exe

Filesize
7.5MB

MD5
2f33659e551eac0332b2bd9f228fb811

SHA1
5e8c5e0e5e6d871740d163b7a81beeae709b3942

SHA256
a52f02c33354022b329f86f6283235aa7a58942e60659dcce3069d3a873845bb

SHA512
653b8632c1aeddfbe90a9a8e94966a8f3660bb42edb7dcce303f23f5d95f568a7e2d7dc3d7b3a2ba0657877812829f7aae49a08c1a4da792d450f2d4a9b5df51

Download Submit
C:\Users\Admin\AppData\Local\Temp\TeamViewer\tvinfo.ini

Filesize
47B

MD5
b79df1c7a14576aeee74a58fdac22c69

SHA1
3cb7c8558f62f0c7b641c451d5c871cbd1bb951c

SHA256
6fc06809746090e4c55613cc16b7f673b89e4dd49a34f0f72c6f3d54225a5f75

SHA512
cfc5207320b56f5df83d5afc6256a9a594bcdc3de846747e09306ecfa5a4d1ff33f14327e5e4dddb26fab2b4fbd59dc912c5e7d5d9791e88179cfc3b3d919930

Download Submit
C:\Users\Admin\AppData\Local\Temp\TeamViewer\tvinfo.ini

Filesize
102B

MD5
69a564a941c3b40b7745d8d30f77095c

SHA1
05a5b4e997bcdd9d8214ed7c77425eb871546fd5

SHA256
dc2f88879af6cc7301370feac2e0fc83724e1641bfa3224b228c83eee8c680a5

SHA512
6100b07556d54f4f953b9584383299bb5cfe42743fad45565144392c75b469c0d5db66e91680fff7f824da7ae139f6642197dbb016192a20e6f4b06ad034ca5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsdB7FB.tmp\start_unicode.ini

Filesize
2KB

MD5
4083fafdd57e2e1ecf772e3b6f519127

SHA1
d875623dcd4217ba098166243649a5625c03e9ed

SHA256
41ef0753c96e910c05b249e86cf36a6f29b8e86fa921e976a2a8e81eb377b84f

SHA512
7efd62d188690f4a347ee08660a8132dc0fed7a6f865e71d2ce8940072d9d1daf8bfc60927496bc6a82eb4c3e308c35261934d4bb4bffe3fe88a5514d6b226b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsdB7FB.tmp\start_unicode.ini

Filesize
2KB

MD5
5e75d47fb8bfa4ae6badc693b7f6b931

SHA1
e5a16186bed439d03e765cda4bdc68e72c75886a

SHA256
e2233fcc2d03a1151b4fac1a10fcb50cb6bda247633e899d17c417cf8175aaa5

SHA512
46d666bd096559e19913417b33506d68fd36cd7d99b6ccca2caf4830184e8f5d4892cbb8057cb4c285abac3517e4ae4227879dddc1db027be5175a38b56b132c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsdB7FB.tmp\start_unicode.ini

Filesize
2KB

MD5
50287aa66db8bd36ace375dc05bbc15d

SHA1
d7df4f7e56c21b6c6d466f4934f0e07e0be15225

SHA256
9a4dbb32dbbdb6c36ef2f5127b32e8b8d1e4cb5151376a4c47889b363d36f818

SHA512
c86229c42d33811bc88a408747f5cddd52621c80607675f2dc4b08c1036cfaa860b1096047fa8a33548b595ed796fde6c79a5227705e38f5eb078840b585ec78

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsdB7FB.tmp\start_unicode.ini

Filesize
2KB

MD5
068690331214ec69c7431310ea725cfb

SHA1
4469ae178989aec50a3f784a58a491a5e9d0b113

SHA256
cb3d06aebb190e5c5d66b5652da729ceea5b462b28abe47d222acef2f669aad6

SHA512
cc952a4077c31e82c36c1c44612867d7ead5cdd0b14228007398b12efcb67a934022a110720e4619287549282b37d088976063fcdef6bc6f765c2c205ed94873

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsdB7FB.tmp\start_unicode.ini

Filesize
2KB

MD5
d40ae8e5e1890cabdb6745f455be4c16

SHA1
79541e1d10f40cd067297b29ddaee71772429d46

SHA256
a8ce6fb2050975d4d3c281f28f64acaa2f2226869b504c2aec6079caa5c1f9df

SHA512
ada63d638e62cec4077819ec0a7076d5678674d000baa01464e434d3bd9960194899724b64c15c96741bcbcaace85bb04b557653f9e2d5dfdd7b467de117d893

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsdB7FB.tmp\start_unicode.ini

Filesize
2KB

MD5
bfde71137ae33efeb3826ece9eecfb44

SHA1
436ab1716f23d0139a7c79454f392feb6d88a8ab

SHA256
ab8826fa1877a1049941490d32013486cfff3b9b73d7c002d8eaaa6638b8181e

SHA512
c0f305cb87c92c83b75c3a1dc96b905d80e954722c0d2598e65548517462b8801b05a86b9631c2468e80662675379aaa4503955cc18be13cac48bbfef3f817dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoB1D3.tmp\TvGetVersion.dll

Filesize
153KB

MD5
a366cd40b73d191cdb1aa7b14267213f

SHA1
d7bad68f24127972b1363c44ad3a225fdf3d3659

SHA256
3d661aaac7698a5b4611ca22bda5e0194d90ec238d9dfe7e4ab38a8d866176b0

SHA512
96ea62df2ec21d80eae9a48c23fe38601564aa942e1e02013f1d78497ff4d9a332f41a4105c4d79e632b24bb7e75b1532d1a58e790c929570da51d6584e2eb8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoB444.tmp\advanced_unicode.ini

Filesize
1KB

MD5
8b3e104f11c5d046bd93df4e9fb40f4e

SHA1
0362bb65744a07563dc05cd612dd54a865233d79

SHA256
cc18c611578d796a879cac46746406dbaa96eddd544d7a12d4fa56856cb2cbc1

SHA512
edc08be542234c3ed6a94c46c610eb5398782c580859eda11f35df6112b3dfee10cf4be068c7a87f39a339f10a9176350cae9f657857375d641a35d5d151ced8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoB444.tmp\start_unicode.ini

Filesize
2KB

MD5
6138b2d6d6aed09dba5e804e5ac7e66b

SHA1
e70407a9934cb73fe1a308d47697d79e649e9e4f

SHA256
3962204dfef72b646696c1706201b0df0ee80d6745f4d6b6d389e6d8000005bf

SHA512
516fbd080024330c4ee0ced662571818561678a9f032a4ff3ee1ddef9aa945667dcf248dac221224f5aef728a0cc899380e76d9213614a4d65d44b86b822b156

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoB444.tmp\start_unicode.ini

Filesize
2KB

MD5
f6df0f2a0f1c75e6723dc686f6cc36d7

SHA1
e96bcd0d9189aec9ffda8de30ed50e31c62332f5

SHA256
470d659b01ee033083c38fa42fa124af74101ff56410f96c576256954bd33bf1

SHA512
e49bcc13d5968346b31e53a7f07ce5aa60b2d7a85483184385d599fadc971dd154a246c5a6fc3e16a7be1a42446b224475d5dc8420f0e94073c514182c5dc980

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoB444.tmp\start_unicode.ini

Filesize
2KB

MD5
bd9dca7cab230b21bc4dba7a83bd0d2c

SHA1
a10cf0d5fed42bd795bec3e86227c541c394c46c

SHA256
b82b65d759765d704fe252f3495a80806bace743b1d0afb9636e73551db1b8a7

SHA512
28465e1e27922696557622b9659a9eb402ffa604c4d7dde60054c50ad7a1bd334fc9ce5fc8a120cee0a85a9f4772e1a174cd914a015874ff014eb72594283474

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoB444.tmp\start_unicode.ini

Filesize
2KB

MD5
0b9af32e630b312bcdadad85a3eb8c91

SHA1
595cb4e086929bde69d4127f3da106c97a9e9ba1

SHA256
038d4f2aad8020b17f892714aa48dafdbcb638dd67551fb04b7e87b8508479df

SHA512
5ee17da10b15a51efc64afb95403c75951a715f1d8caf123a74f1be2ca3518029a06d3cdd832f35a2755e6d1c2a0f7160ffdd2ba3670bc1259f4c68914c181fe

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_d584e58130d63580e6ad71f41f09ca5b765d0516d26749e9ace7bc85d49c7a18.exe

Filesize
7.7MB

MD5
6ff62388b265f3682a390417ae4b47d6

SHA1
8e7afffd442a54ce004972181b0eec6d34270634

SHA256
b0edb941157eb8bb6b1e80d53b0ad2bce180f54abffddc08b7e7b2d20be445c1

SHA512
3429572e0d634ea4eeb01cf903e6ca654b993a0abe698bb6e682a86c4d3405216c58da70a9d58aaf81cb19dad51a009974f746885a5545d44809db3257a81a68

Download Submit
\Users\Admin\AppData\Local\Temp\nsdB7FB.tmp\InstallOptions.dll

Filesize
15KB

MD5
89351a0a6a89519c86c5531e20dab9ea

SHA1
9e801aaaae9e70d8f7fc52f6f12cedc55e4c8a00

SHA256
f530069ef87a1c163c4fd63a3d5b053420ce3d7a98739c70211b4a99f90d6277

SHA512
13168fa828b581383e5f64d3b54be357e98d2eb9362b45685e7426ffc2f0696ab432cc8a3f374ce8abd03c096f1662d954877afa886fc4aa74709e6044b75c08

Download Submit
\Users\Admin\AppData\Local\Temp\nsdB7FB.tmp\System.dll

Filesize
11KB

MD5
bf712f32249029466fa86756f5546950

SHA1
75ac4dc4808ac148ddd78f6b89a51afbd4091c2e

SHA256
7851cb12fa4131f1fee5de390d650ef65cac561279f1cfe70ad16cc9780210af

SHA512
13f69959b28416e0b8811c962a49309dca3f048a165457051a28a3eb51377dcaf99a15e86d7eee8f867a9e25ecf8c44da370ac8f530eeae7b5252eaba64b96f4

Download Submit
\Users\Admin\AppData\Local\Temp\nsdB7FB.tmp\linker.dll

Filesize
45KB

MD5
4ac3f0ab2e423515ed9c575333342054

SHA1
a3e4f2b2135157f964d471564044b023a64f2532

SHA256
f223d6c72f86544b358a6301daf60ccdd86198f32e3447a1860acf3f59f2dae9

SHA512
8fbd5b4989be51c27fa15af155d2921bea9aa5d0557a22d4224256e678dfe7dcaa5f80917a748c31dc9c9a91573e4618e2497ccfd47eefd7a0fa08c12366a1e5

Download Submit
\Users\Admin\AppData\Local\Temp\nsoB444.tmp\UserInfo.dll

Filesize
4KB

MD5
c7ce0e47c83525983fd2c4c9566b4aad

SHA1
38b7ad7bb32ffae35540fce373b8a671878dc54e

SHA256
6293408a5fa6d0f55f0a4d01528eb5b807ee9447a75a28b5986267475ebcd3ae

SHA512
ee9f23ea5210f418d4c559628bbfb3a0f892440bcd5dc4c1901cb8e510078e4481ea8353b262795076a19055e70b88e08fee5fb7e8f35a6f49022096408df20e

Download Submit
memory/1060-340-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1060-625-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1300-0-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1300-51-0x0000000000400000-0x0000000000C70000-memory.dmp

Filesize
8.4MB

Download
memory/2808-724-0x0000000000400000-0x0000000000C70000-memory.dmp

Filesize
8.4MB

Download
memory/2808-921-0x0000000000400000-0x0000000000C70000-memory.dmp

Filesize
8.4MB

Download
memory/2808-1835-0x0000000000400000-0x0000000000C70000-memory.dmp

Filesize
8.4MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads