xred | d584e58130d63580e6ad71f41f09ca5b765d0516d26749e9ace7bc85d49c7a18

Analysis

max time kernel
118s
max time network
93s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
18-12-2024 09:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d584e58130d63580e6ad71f41f09ca5b765d0516d26749e9ace7bc85d49c7a18.exe
Size

8.4MB
MD5

5a7d823359c21af24512dd647c0c3063
SHA1

8478412d6375084597d944dc231a5b8ac16817bd
SHA256

d584e58130d63580e6ad71f41f09ca5b765d0516d26749e9ace7bc85d49c7a18
SHA512

8e3ebafc02d4755fd7bccff4a9edb291e9b2642f5b47bc92fb78018602ebec2a12a432b53c290001444f77ff967229422711564ea21e5331143557d2f79e5778
SSDEEP

196608:tLUdwAmXaSMDdu+FtEF+mt6faSbMdoQDrCqIgxf0OKt72:tW5mKRDdu+MF+xfaSbuoQPLxFKt2

Score

10^/10

xred backdoor discovery persistence

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	d584e58130d63580e6ad71f41f09ca5b765d0516d26749e9ace7bc85d49c7a18.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	Synaptics.exe

Executes dropped EXE 5 IoCs

pid	Process
1660	._cache_d584e58130d63580e6ad71f41f09ca5b765d0516d26749e9ace7bc85d49c7a18.exe
3448	Synaptics.exe
2588	TeamViewer_.exe
3004	._cache_Synaptics.exe
4760	TeamViewer_.exe

Loads dropped DLL 24 IoCs

pid	Process
1660	._cache_d584e58130d63580e6ad71f41f09ca5b765d0516d26749e9ace7bc85d49c7a18.exe
2588	TeamViewer_.exe
2588	TeamViewer_.exe
2588	TeamViewer_.exe
2588	TeamViewer_.exe
3004	._cache_Synaptics.exe
4760	TeamViewer_.exe
4760	TeamViewer_.exe
4760	TeamViewer_.exe
4760	TeamViewer_.exe
2588	TeamViewer_.exe
2588	TeamViewer_.exe
2588	TeamViewer_.exe
2588	TeamViewer_.exe
2588	TeamViewer_.exe
2588	TeamViewer_.exe
2588	TeamViewer_.exe
4760	TeamViewer_.exe
4760	TeamViewer_.exe
4760	TeamViewer_.exe
4760	TeamViewer_.exe
4760	TeamViewer_.exe
4760	TeamViewer_.exe
4760	TeamViewer_.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	d584e58130d63580e6ad71f41f09ca5b765d0516d26749e9ace7bc85d49c7a18.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d584e58130d63580e6ad71f41f09ca5b765d0516d26749e9ace7bc85d49c7a18.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_d584e58130d63580e6ad71f41f09ca5b765d0516d26749e9ace7bc85d49c7a18.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TeamViewer_.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TeamViewer_.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	d584e58130d63580e6ad71f41f09ca5b765d0516d26749e9ace7bc85d49c7a18.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
864	EXCEL.EXE

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
864	EXCEL.EXE
864	EXCEL.EXE
864	EXCEL.EXE
864	EXCEL.EXE
864	EXCEL.EXE
864	EXCEL.EXE
864	EXCEL.EXE
864	EXCEL.EXE

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 4264 wrote to memory of 1660	4264	d584e58130d63580e6ad71f41f09ca5b765d0516d26749e9ace7bc85d49c7a18.exe	82
PID 4264 wrote to memory of 1660	4264	d584e58130d63580e6ad71f41f09ca5b765d0516d26749e9ace7bc85d49c7a18.exe	82
PID 4264 wrote to memory of 1660	4264	d584e58130d63580e6ad71f41f09ca5b765d0516d26749e9ace7bc85d49c7a18.exe	82
PID 4264 wrote to memory of 3448	4264	d584e58130d63580e6ad71f41f09ca5b765d0516d26749e9ace7bc85d49c7a18.exe	84
PID 4264 wrote to memory of 3448	4264	d584e58130d63580e6ad71f41f09ca5b765d0516d26749e9ace7bc85d49c7a18.exe	84
PID 4264 wrote to memory of 3448	4264	d584e58130d63580e6ad71f41f09ca5b765d0516d26749e9ace7bc85d49c7a18.exe	84
PID 1660 wrote to memory of 2588	1660	._cache_d584e58130d63580e6ad71f41f09ca5b765d0516d26749e9ace7bc85d49c7a18.exe	83
PID 1660 wrote to memory of 2588	1660	._cache_d584e58130d63580e6ad71f41f09ca5b765d0516d26749e9ace7bc85d49c7a18.exe	83
PID 1660 wrote to memory of 2588	1660	._cache_d584e58130d63580e6ad71f41f09ca5b765d0516d26749e9ace7bc85d49c7a18.exe	83
PID 3448 wrote to memory of 3004	3448	Synaptics.exe	85
PID 3448 wrote to memory of 3004	3448	Synaptics.exe	85
PID 3448 wrote to memory of 3004	3448	Synaptics.exe	85
PID 3004 wrote to memory of 4760	3004	._cache_Synaptics.exe	86
PID 3004 wrote to memory of 4760	3004	._cache_Synaptics.exe	86
PID 3004 wrote to memory of 4760	3004	._cache_Synaptics.exe	86

C:\Users\Admin\AppData\Local\Temp\d584e58130d63580e6ad71f41f09ca5b765d0516d26749e9ace7bc85d49c7a18.exe
"C:\Users\Admin\AppData\Local\Temp\d584e58130d63580e6ad71f41f09ca5b765d0516d26749e9ace7bc85d49c7a18.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4264
- C:\Users\Admin\AppData\Local\Temp\._cache_d584e58130d63580e6ad71f41f09ca5b765d0516d26749e9ace7bc85d49c7a18.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_d584e58130d63580e6ad71f41f09ca5b765d0516d26749e9ace7bc85d49c7a18.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1660
- - C:\Users\Admin\AppData\Local\Temp\TeamViewer\TeamViewer_.exe
    "C:\Users\Admin\AppData\Local\Temp\TeamViewer\TeamViewer_.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:2588
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3448
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3004
  - - C:\Users\Admin\AppData\Local\Temp\TeamViewer\TeamViewer_.exe
      "C:\Users\Admin\AppData\Local\Temp\TeamViewer\TeamViewer_.exe" InjUpdate
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:4760

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
8.4MB

MD5
5a7d823359c21af24512dd647c0c3063

SHA1
8478412d6375084597d944dc231a5b8ac16817bd

SHA256
d584e58130d63580e6ad71f41f09ca5b765d0516d26749e9ace7bc85d49c7a18

SHA512
8e3ebafc02d4755fd7bccff4a9edb291e9b2642f5b47bc92fb78018602ebec2a12a432b53c290001444f77ff967229422711564ea21e5331143557d2f79e5778

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_d584e58130d63580e6ad71f41f09ca5b765d0516d26749e9ace7bc85d49c7a18.exe

Filesize
7.7MB

MD5
6ff62388b265f3682a390417ae4b47d6

SHA1
8e7afffd442a54ce004972181b0eec6d34270634

SHA256
b0edb941157eb8bb6b1e80d53b0ad2bce180f54abffddc08b7e7b2d20be445c1

SHA512
3429572e0d634ea4eeb01cf903e6ca654b993a0abe698bb6e682a86c4d3405216c58da70a9d58aaf81cb19dad51a009974f746885a5545d44809db3257a81a68

Download Submit
C:\Users\Admin\AppData\Local\Temp\D4A75E00

Filesize
22KB

MD5
0a179543c25170ab2f577a1013f25c1e

SHA1
66509383f6f9123d07b7a1d76ff2c542fb6f4c0e

SHA256
9ab5079ca0405b453d88af56785b1c904fe1f30ee1efc42d27c098e3f332f644

SHA512
024958e4b5b439ea6a5170abf32149e8eefb9233cb02240ad3d4c69a1b8e7589108fae83bc22d054909a5c1dfa571b7f9a3c297082d1c6bfb61986bff6a3c37a

Download Submit
C:\Users\Admin\AppData\Local\Temp\TeamViewer\TeamViewer_.exe

Filesize
7.5MB

MD5
2f33659e551eac0332b2bd9f228fb811

SHA1
5e8c5e0e5e6d871740d163b7a81beeae709b3942

SHA256
a52f02c33354022b329f86f6283235aa7a58942e60659dcce3069d3a873845bb

SHA512
653b8632c1aeddfbe90a9a8e94966a8f3660bb42edb7dcce303f23f5d95f568a7e2d7dc3d7b3a2ba0657877812829f7aae49a08c1a4da792d450f2d4a9b5df51

Download Submit
C:\Users\Admin\AppData\Local\Temp\TeamViewer\tvinfo.ini

Filesize
102B

MD5
69a564a941c3b40b7745d8d30f77095c

SHA1
05a5b4e997bcdd9d8214ed7c77425eb871546fd5

SHA256
dc2f88879af6cc7301370feac2e0fc83724e1641bfa3224b228c83eee8c680a5

SHA512
6100b07556d54f4f953b9584383299bb5cfe42743fad45565144392c75b469c0d5db66e91680fff7f824da7ae139f6642197dbb016192a20e6f4b06ad034ca5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\TeamViewer\tvinfo.ini

Filesize
47B

MD5
b79df1c7a14576aeee74a58fdac22c69

SHA1
3cb7c8558f62f0c7b641c451d5c871cbd1bb951c

SHA256
6fc06809746090e4c55613cc16b7f673b89e4dd49a34f0f72c6f3d54225a5f75

SHA512
cfc5207320b56f5df83d5afc6256a9a594bcdc3de846747e09306ecfa5a4d1ff33f14327e5e4dddb26fab2b4fbd59dc912c5e7d5d9791e88179cfc3b3d919930

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsb6FD2.tmp\TvGetVersion.dll

Filesize
153KB

MD5
a366cd40b73d191cdb1aa7b14267213f

SHA1
d7bad68f24127972b1363c44ad3a225fdf3d3659

SHA256
3d661aaac7698a5b4611ca22bda5e0194d90ec238d9dfe7e4ab38a8d866176b0

SHA512
96ea62df2ec21d80eae9a48c23fe38601564aa942e1e02013f1d78497ff4d9a332f41a4105c4d79e632b24bb7e75b1532d1a58e790c929570da51d6584e2eb8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsc732E.tmp\start_unicode.ini

Filesize
2KB

MD5
0e86b2e220032430b50da04068a9eeb7

SHA1
a22af82fdca6c83f093fbe5d5a2f32d4d1ed379c

SHA256
2892641c8836b58aa9937abc13db3585a71645ac2bbe18045c1216a1452e43ac

SHA512
b72dfbd3911c6d90d3b9178dc111382a27cedb43bdd64e84a3c2c5a9f025c53b460174688fefebe20029e86788e600e0f421e6b73de9273aacb482baf5feac88

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsc732E.tmp\start_unicode.ini

Filesize
2KB

MD5
2a8a139cdab38b5f4264ae82850cbd22

SHA1
816e8acb2adc36c7f138f963a9802622dfc9536a

SHA256
94bde605292510f8ae6df19083130770ae8c754906007ea93150cab63962190b

SHA512
d6f99e88e72cfb28afc4af0780d2ac380f00f9fe9265cbbb4b8e6390e9b6ee5870a723e1971288783fd919158659ff214bab383242fa22470d9f6f1a170e2cf1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsc732E.tmp\start_unicode.ini

Filesize
2KB

MD5
0a182f2f053b3833da4d2ed1577b9e11

SHA1
025c05767498714ba6dbc46c2c3017257370a50a

SHA256
8b2293e7e7fc6654283576ba5584c92822023010db21936d615084c60f83e93c

SHA512
ca5d8fb69e5b0da53f0c333b955ef59263679f46e946b74e51be6ff50db61b556a7352a17ad38cbf9c67126aa4d5670a2f10fea7d4f39cd77c48a1c956617ebf

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsc732E.tmp\start_unicode.ini

Filesize
2KB

MD5
e04c318d633dedd6d5df4df758746293

SHA1
a791b013d4c92934a8b3b5f3d073d8215a3f59ff

SHA256
a232f91df09c00221c973a349be233b84072e40059291f262f2cd8245ff6598f

SHA512
3e55be19e8d1614a265a109c51886c05af1da461b368ea31e9b44aaf25917d413558915c9385d50547a5281453fc667d9eda30cba2a4178b092907907b60ced1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsc732E.tmp\start_unicode.ini

Filesize
2KB

MD5
8df0ebc77490c08785da727da16fda7e

SHA1
09683d3dba3e715098e3cbc9dc027df477d70f70

SHA256
6fad036ed47764ba096b0c63985f7bed31f64bb418e50a3a3162815760538120

SHA512
f62bb0268de6712bd3d1a5e06351540045ae484b2d3bd8348881b845216bc4c7298041796f43d4e920c6d3da7f876319a37a998a0106b377bc5cad294cf61247

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsc732E.tmp\start_unicode.ini

Filesize
2KB

MD5
cc5de67846dd8eb1a3f2d17bb7db30de

SHA1
320b7e8a697a73afc1942f4cf238e5d9e00ac884

SHA256
470d0ca0e21d9896d714ad2aba3b2275ff94ae04417749fe79188128cf2c0446

SHA512
61605013fa48cf0bdfb4a3016ae5bcc544cd0e763e0d49d21c943c01f5ffa0cdc0b29bc3b02f7a3b0e53aa42e5b712f40f71675e8bef6736b81cca62d6ed2087

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsc732E.tmp\start_unicode.ini

Filesize
2KB

MD5
f150041a41b97240ba20341714759d8b

SHA1
9a67ac3df1e783349eab173de4dd7ab74991c88b

SHA256
fc0b85dcca16d70145249dc8eed4d1533f6f5e108157128c7eda5d4df506589b

SHA512
321385d5d1b92974c0d1647421d509f1036dcd2a6cd096ff11ea0ba208bfb7f9e34678e10b7e34d94cd9883abca1c6ef5dacbd61e7e25cf02982da79ac459c28

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsc732E.tmp\start_unicode.ini

Filesize
2KB

MD5
7bfe200179fef31f3731d31deb2a4060

SHA1
f9899316d1942af06fef079efa1dfdaef64c8054

SHA256
8069c2ffe6ed58646830fe38f15668cfd380f4777e268d18a2d0b7d0613f8bb9

SHA512
73891565cac7feea61eb4b5304197ad1179d8d10e90c97c3fd44af74401557a383cc50dcac796eeeaa3cf3eb7fa5fdabd3834cef183ca2241ca27b73ff6b6e57

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsc732E.tmp\start_unicode.ini

Filesize
2KB

MD5
49f01d413f650dc4efdbace9bc2891b9

SHA1
1bea9fe186deaafff27886e8572cc1aaa3f86a11

SHA256
2ac764a02f611518da7e987e9bc6364086da24a9f06957274820a4d4405bed11

SHA512
5a2dcb478d3e8c5ffed1dc24f6bc81ce99a6beca401a6188268833d6fee94578846128c7d5c7afac5c8fd44d7ac7a7be4fd82bdffd54eda74bd2043af1cd223d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsc732E.tmp\start_unicode.ini

Filesize
2KB

MD5
0e9a66f9737ffc887bcda7233fe77166

SHA1
b385260e555a61f82ce925afcf7ec29b47cebc9a

SHA256
522d85a8e3459aa94e7884c27c8d0d72e46ae99167175d2647558b465f8267f3

SHA512
66423f78d2cfa33a6532b0e2192839ebdba72dca05cbe460c432f8b6304ed3407dae41e581c8f6bd2a92ee7bd35ba5494d48162ba3333f63642c3e66cf9fbff5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsh712B.tmp\InstallOptions.dll

Filesize
15KB

MD5
89351a0a6a89519c86c5531e20dab9ea

SHA1
9e801aaaae9e70d8f7fc52f6f12cedc55e4c8a00

SHA256
f530069ef87a1c163c4fd63a3d5b053420ce3d7a98739c70211b4a99f90d6277

SHA512
13168fa828b581383e5f64d3b54be357e98d2eb9362b45685e7426ffc2f0696ab432cc8a3f374ce8abd03c096f1662d954877afa886fc4aa74709e6044b75c08

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsh712B.tmp\System.dll

Filesize
11KB

MD5
bf712f32249029466fa86756f5546950

SHA1
75ac4dc4808ac148ddd78f6b89a51afbd4091c2e

SHA256
7851cb12fa4131f1fee5de390d650ef65cac561279f1cfe70ad16cc9780210af

SHA512
13f69959b28416e0b8811c962a49309dca3f048a165457051a28a3eb51377dcaf99a15e86d7eee8f867a9e25ecf8c44da370ac8f530eeae7b5252eaba64b96f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsh712B.tmp\UserInfo.dll

Filesize
4KB

MD5
c7ce0e47c83525983fd2c4c9566b4aad

SHA1
38b7ad7bb32ffae35540fce373b8a671878dc54e

SHA256
6293408a5fa6d0f55f0a4d01528eb5b807ee9447a75a28b5986267475ebcd3ae

SHA512
ee9f23ea5210f418d4c559628bbfb3a0f892440bcd5dc4c1901cb8e510078e4481ea8353b262795076a19055e70b88e08fee5fb7e8f35a6f49022096408df20e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsh712B.tmp\advanced_unicode.ini

Filesize
1KB

MD5
8b3e104f11c5d046bd93df4e9fb40f4e

SHA1
0362bb65744a07563dc05cd612dd54a865233d79

SHA256
cc18c611578d796a879cac46746406dbaa96eddd544d7a12d4fa56856cb2cbc1

SHA512
edc08be542234c3ed6a94c46c610eb5398782c580859eda11f35df6112b3dfee10cf4be068c7a87f39a339f10a9176350cae9f657857375d641a35d5d151ced8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsh712B.tmp\linker.dll

Filesize
45KB

MD5
4ac3f0ab2e423515ed9c575333342054

SHA1
a3e4f2b2135157f964d471564044b023a64f2532

SHA256
f223d6c72f86544b358a6301daf60ccdd86198f32e3447a1860acf3f59f2dae9

SHA512
8fbd5b4989be51c27fa15af155d2921bea9aa5d0557a22d4224256e678dfe7dcaa5f80917a748c31dc9c9a91573e4618e2497ccfd47eefd7a0fa08c12366a1e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsh712B.tmp\start_unicode.ini

Filesize
2KB

MD5
50f9c98b922e9e57398225b507d0d7d7

SHA1
4c3af16915ea4f6b40cb294b549f497a4da9afec

SHA256
543b9ad566baf602ca9d59657ae1c922069fcb9565b474c5b3ff2f1fa155f30d

SHA512
6861f21244a6039619bc4fe82dd07386fbfe69842705fa7cf6d9f26a3ecf67e6364cd9f95acae1548ee69be20eab03bd870e467ad4b79ec9341bb55757b91f85

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsh712B.tmp\start_unicode.ini

Filesize
2KB

MD5
239849dc6fe7dc103b2d33d5bcb96557

SHA1
7fd40e4b6cc00716b4e911b8965e0fd893a97740

SHA256
67b48c5d133138a25566fe1e437e2cc4ebf9855e1ccfbf304cb8f85d5ccc5c66

SHA512
1b4bbee2699802c707acd13833ef2d98ea5bb97c74c498eb5d2aa88d76e36ccd79590b89e69e31f3d40521b58423700b5fd4bd467c9b925abcbe7baa53a8e389

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsh712B.tmp\start_unicode.ini

Filesize
2KB

MD5
2a37114bef104ad78a55047b2ca9b60a

SHA1
b546999bc2abec2f5bb0f29ad78709672daa05c4

SHA256
693d55706de4c9516796ec26a236653f3ea87b00f0f9e3a64c0c8546a0bf37b1

SHA512
bff4f5e7ae749de75e59d0f1c0b8c5f1cea302db9e15e7e647bbfe3607b255bd292fc72c057c5815db4743e88900fda7355cb3e3d4ca10ab22d53c4064d1198d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsh712B.tmp\start_unicode.ini

Filesize
2KB

MD5
e46dc98faf20996f8d00fa8eb1b1f814

SHA1
0ae6225c3c3069103861f5fb682e21d3324ff3e7

SHA256
c20bceea2f3f658abf0b06989bfbd19ff40ef1a8db8daa33f00859fd5f362074

SHA512
f38d4c1067ea8f3d242e73d8bde0a9e7f457630aff68277e3789edf127bc758a535f3ebbf79b49b3e5b52c767bb9f127f5e9fb0f9e989c09b8ac99bbcdb6026b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsh712B.tmp\start_unicode.ini

Filesize
2KB

MD5
cc0649bee1dedc74c4142d55f2739ad1

SHA1
3fe470de128a33831daced5d3fcccc4ed7ee5e58

SHA256
50c5aa5dc23f4b3a34132a95c1077a310fc7622955cd0a0f92266d6d81ca34e6

SHA512
f39f4aabf6894a495d8f91c4c6b9e8dd5bafb0b529c07d91ea1466a26226b89d13c8da69efce7e8a5b268301f4a1c22a40c5b9694728d589fddf69e65d188370

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsh712B.tmp\start_unicode.ini

Filesize
2KB

MD5
4f840dc428a3caf28ae54a839024d5b4

SHA1
9b38281932088f0ee8aff71ed756f21038243e7e

SHA256
786536b015d44d73d63f3b1e2aa9444a367e6ed1ac8cf72f87d53ed94070719c

SHA512
2359f249d4bf2e2a064f973066c013717ab5985043f757097c35fc0140402b4a5fa1045822bfbd6b016bedc718d4607c638d373be3c07fa093bc1e009c50ef06

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsh712B.tmp\start_unicode.ini

Filesize
2KB

MD5
a0273c564fb2519c7e332c2a0f8b293a

SHA1
623824d07f51e4536e91e9d3db1a29c3641f0a95

SHA256
ca1bd23cb55ebb5043e6e60376f9fedc79f472da023cbd5305b638af1791018f

SHA512
9098b33da66602bc6dbcc49876fac6aac8bf73536591ef987818a406fda65700a4b7bba276381f6b3f1680c68e1505fb166a23926aad804a7f5a69137f036000

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsh712B.tmp\start_unicode.ini

Filesize
2KB

MD5
617d911671e1928a1b6aca1d51411320

SHA1
eaac9cb1081e5dc6dde1f28242ef21d925289346

SHA256
4df27439bf3246b0d57fbf3b21e374f14e1f3f87ef3948107ef2d8514b79eadd

SHA512
f90c1698fd7bd9cb0fd11ecfab6e9ec25b66d8772e476453c0221b495b0798764ad0fb0b5fdd0989f8e5d141f175e16a120c2c3799445065ef0b056e72c89c6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\vsiNIEKc.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
memory/864-932-0x00007FFA668B0000-0x00007FFA668C0000-memory.dmp

Filesize
64KB

Download
memory/864-934-0x00007FFA668B0000-0x00007FFA668C0000-memory.dmp

Filesize
64KB

Download
memory/864-935-0x00007FFA668B0000-0x00007FFA668C0000-memory.dmp

Filesize
64KB

Download
memory/864-936-0x00007FFA668B0000-0x00007FFA668C0000-memory.dmp

Filesize
64KB

Download
memory/864-937-0x00007FFA64800000-0x00007FFA64810000-memory.dmp

Filesize
64KB

Download
memory/864-938-0x00007FFA64800000-0x00007FFA64810000-memory.dmp

Filesize
64KB

Download
memory/864-933-0x00007FFA668B0000-0x00007FFA668C0000-memory.dmp

Filesize
64KB

Download
memory/3448-833-0x0000000000400000-0x0000000000C70000-memory.dmp

Filesize
8.4MB

Download
memory/3448-1083-0x0000000000400000-0x0000000000C70000-memory.dmp

Filesize
8.4MB

Download
memory/3448-2094-0x0000000000400000-0x0000000000C70000-memory.dmp

Filesize
8.4MB

Download
memory/4264-0-0x0000000002A00000-0x0000000002A01000-memory.dmp

Filesize
4KB

Download
memory/4264-157-0x0000000000400000-0x0000000000C70000-memory.dmp

Filesize
8.4MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads