xred | a93af81e3c7dd12fdb59341ed537bacf91409b2b05a81a66801f9437549b07a5

Analysis

max time kernel
118s
max time network
100s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
18-12-2024 10:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a93af81e3c7dd12fdb59341ed537bacf91409b2b05a81a66801f9437549b07a5N.exe
Size

8.4MB
MD5

f49baad4ad66bebb8a10d259d4181700
SHA1

4d718beacef919078e5aec880fc38444b9ae876b
SHA256

a93af81e3c7dd12fdb59341ed537bacf91409b2b05a81a66801f9437549b07a5
SHA512

c1f670240ed7e62b9b3c3e8375a2f5ed17b2a76e32b55bb235bda36f4e45c92cf990493c3c0a30a30eb75287d2b01e2cfb418b22144b2a9594e19fb3e3f065db
SSDEEP

196608:tLUdwAmXaSMDdu+FtEF+mt6faSbMdoQDrCqIgxf0OKt7C:tW5mKRDdu+MF+xfaSbuoQPLxFKtC

Score

10^/10

xred backdoor discovery macro persistence

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Suspicious Office macro 1 IoCs

Office document equipped with macros.

macro

resource
behavioral1/files/0x000700000001a4b3-621.dat

Executes dropped EXE 5 IoCs

pid	Process
2820	._cache_a93af81e3c7dd12fdb59341ed537bacf91409b2b05a81a66801f9437549b07a5N.exe
2664	Synaptics.exe
2908	TeamViewer_.exe
556	._cache_Synaptics.exe
3024	TeamViewer_.exe

Loads dropped DLL 31 IoCs

pid	Process
2132	a93af81e3c7dd12fdb59341ed537bacf91409b2b05a81a66801f9437549b07a5N.exe
2820	._cache_a93af81e3c7dd12fdb59341ed537bacf91409b2b05a81a66801f9437549b07a5N.exe
2820	._cache_a93af81e3c7dd12fdb59341ed537bacf91409b2b05a81a66801f9437549b07a5N.exe
2132	a93af81e3c7dd12fdb59341ed537bacf91409b2b05a81a66801f9437549b07a5N.exe
2132	a93af81e3c7dd12fdb59341ed537bacf91409b2b05a81a66801f9437549b07a5N.exe
2908	TeamViewer_.exe
2908	TeamViewer_.exe
2908	TeamViewer_.exe
2908	TeamViewer_.exe
2664	Synaptics.exe
2908	TeamViewer_.exe
2908	TeamViewer_.exe
2908	TeamViewer_.exe
2908	TeamViewer_.exe
2908	TeamViewer_.exe
2908	TeamViewer_.exe
2908	TeamViewer_.exe
2664	Synaptics.exe
556	._cache_Synaptics.exe
556	._cache_Synaptics.exe
3024	TeamViewer_.exe
3024	TeamViewer_.exe
3024	TeamViewer_.exe
3024	TeamViewer_.exe
3024	TeamViewer_.exe
3024	TeamViewer_.exe
3024	TeamViewer_.exe
3024	TeamViewer_.exe
3024	TeamViewer_.exe
3024	TeamViewer_.exe
3024	TeamViewer_.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	a93af81e3c7dd12fdb59341ed537bacf91409b2b05a81a66801f9437549b07a5N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a93af81e3c7dd12fdb59341ed537bacf91409b2b05a81a66801f9437549b07a5N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_a93af81e3c7dd12fdb59341ed537bacf91409b2b05a81a66801f9437549b07a5N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TeamViewer_.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TeamViewer_.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1036	EXCEL.EXE

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
3024	TeamViewer_.exe
2908	TeamViewer_.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1036	EXCEL.EXE

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 2132 wrote to memory of 2820	2132	a93af81e3c7dd12fdb59341ed537bacf91409b2b05a81a66801f9437549b07a5N.exe	30
PID 2132 wrote to memory of 2820	2132	a93af81e3c7dd12fdb59341ed537bacf91409b2b05a81a66801f9437549b07a5N.exe	30
PID 2132 wrote to memory of 2820	2132	a93af81e3c7dd12fdb59341ed537bacf91409b2b05a81a66801f9437549b07a5N.exe	30
PID 2132 wrote to memory of 2820	2132	a93af81e3c7dd12fdb59341ed537bacf91409b2b05a81a66801f9437549b07a5N.exe	30
PID 2132 wrote to memory of 2664	2132	a93af81e3c7dd12fdb59341ed537bacf91409b2b05a81a66801f9437549b07a5N.exe	32
PID 2132 wrote to memory of 2664	2132	a93af81e3c7dd12fdb59341ed537bacf91409b2b05a81a66801f9437549b07a5N.exe	32
PID 2132 wrote to memory of 2664	2132	a93af81e3c7dd12fdb59341ed537bacf91409b2b05a81a66801f9437549b07a5N.exe	32
PID 2132 wrote to memory of 2664	2132	a93af81e3c7dd12fdb59341ed537bacf91409b2b05a81a66801f9437549b07a5N.exe	32
PID 2820 wrote to memory of 2908	2820	._cache_a93af81e3c7dd12fdb59341ed537bacf91409b2b05a81a66801f9437549b07a5N.exe	31
PID 2820 wrote to memory of 2908	2820	._cache_a93af81e3c7dd12fdb59341ed537bacf91409b2b05a81a66801f9437549b07a5N.exe	31
PID 2820 wrote to memory of 2908	2820	._cache_a93af81e3c7dd12fdb59341ed537bacf91409b2b05a81a66801f9437549b07a5N.exe	31
PID 2820 wrote to memory of 2908	2820	._cache_a93af81e3c7dd12fdb59341ed537bacf91409b2b05a81a66801f9437549b07a5N.exe	31
PID 2820 wrote to memory of 2908	2820	._cache_a93af81e3c7dd12fdb59341ed537bacf91409b2b05a81a66801f9437549b07a5N.exe	31
PID 2820 wrote to memory of 2908	2820	._cache_a93af81e3c7dd12fdb59341ed537bacf91409b2b05a81a66801f9437549b07a5N.exe	31
PID 2820 wrote to memory of 2908	2820	._cache_a93af81e3c7dd12fdb59341ed537bacf91409b2b05a81a66801f9437549b07a5N.exe	31
PID 2664 wrote to memory of 556	2664	Synaptics.exe	33
PID 2664 wrote to memory of 556	2664	Synaptics.exe	33
PID 2664 wrote to memory of 556	2664	Synaptics.exe	33
PID 2664 wrote to memory of 556	2664	Synaptics.exe	33
PID 556 wrote to memory of 3024	556	._cache_Synaptics.exe	35
PID 556 wrote to memory of 3024	556	._cache_Synaptics.exe	35
PID 556 wrote to memory of 3024	556	._cache_Synaptics.exe	35
PID 556 wrote to memory of 3024	556	._cache_Synaptics.exe	35
PID 556 wrote to memory of 3024	556	._cache_Synaptics.exe	35
PID 556 wrote to memory of 3024	556	._cache_Synaptics.exe	35
PID 556 wrote to memory of 3024	556	._cache_Synaptics.exe	35

C:\Users\Admin\AppData\Local\Temp\a93af81e3c7dd12fdb59341ed537bacf91409b2b05a81a66801f9437549b07a5N.exe
"C:\Users\Admin\AppData\Local\Temp\a93af81e3c7dd12fdb59341ed537bacf91409b2b05a81a66801f9437549b07a5N.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2132
- C:\Users\Admin\AppData\Local\Temp\._cache_a93af81e3c7dd12fdb59341ed537bacf91409b2b05a81a66801f9437549b07a5N.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_a93af81e3c7dd12fdb59341ed537bacf91409b2b05a81a66801f9437549b07a5N.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2820
- - C:\Users\Admin\AppData\Local\Temp\TeamViewer\TeamViewer_.exe
    "C:\Users\Admin\AppData\Local\Temp\TeamViewer\TeamViewer_.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    PID:2908
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2664
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:556
  - - C:\Users\Admin\AppData\Local\Temp\TeamViewer\TeamViewer_.exe
      "C:\Users\Admin\AppData\Local\Temp\TeamViewer\TeamViewer_.exe" InjUpdate
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious behavior: GetForegroundWindowSpam
      PID:3024

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
8.4MB

MD5
f49baad4ad66bebb8a10d259d4181700

SHA1
4d718beacef919078e5aec880fc38444b9ae876b

SHA256
a93af81e3c7dd12fdb59341ed537bacf91409b2b05a81a66801f9437549b07a5

SHA512
c1f670240ed7e62b9b3c3e8375a2f5ed17b2a76e32b55bb235bda36f4e45c92cf990493c3c0a30a30eb75287d2b01e2cfb418b22144b2a9594e19fb3e3f065db

Download Submit
C:\Users\Admin\AppData\Local\Temp\KMQILug8.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\KMQILug8.xlsm

Filesize
23KB

MD5
17d0d08d5e61554f800ac89ebb9cf7f5

SHA1
1ee70cdb0663682993353bb4519f427e8fbcae18

SHA256
01aa9949dac869630537a7c10dfa6a2d245b336627e36ad61786e26507573710

SHA512
24dc89e3fb1063115bf4205b6140b8bcd2e7785e2890a0af652002a8f454df6e2e390b544fccae3450e20a06ba347afc1557b59c00632ff887863de1220da2ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\KMQILug8.xlsm

Filesize
26KB

MD5
94f919dda39659613fd38d69cfccff30

SHA1
4ff3f694898115df450cf2aa7f68dfddc091d752

SHA256
8bc0490c37c191a65c17bec5777635a0e510c7ce022a7a597ee64980e1002612

SHA512
9396a0ad870dd1a3c528d84b62f015aced1d4df9cbfeb77c8f9966b75e15037c1327166d19c50cf69a3400e86658994bfc818201271600026475ea75bd1d1ebe

Download Submit
C:\Users\Admin\AppData\Local\Temp\KMQILug8.xlsm

Filesize
27KB

MD5
36713858b2c3e9015fcfcf959ff177db

SHA1
431d71d830039609d030219107e1b51b7af5767b

SHA256
84faa4168dbedd82fb9cce39f8f20579ca02ba06ae02b15524516ca0981f8bc4

SHA512
b826bbde414eff60ed4f0159b2c72ae2223a4f443e545e6806cb02b7f7729530d2e6df3fc8b8b2eef38d11ef2074e44730dc2283cd98e95b2e3559a25e8cde86

Download Submit
C:\Users\Admin\AppData\Local\Temp\TeamViewer\tvinfo.ini

Filesize
47B

MD5
b79df1c7a14576aeee74a58fdac22c69

SHA1
3cb7c8558f62f0c7b641c451d5c871cbd1bb951c

SHA256
6fc06809746090e4c55613cc16b7f673b89e4dd49a34f0f72c6f3d54225a5f75

SHA512
cfc5207320b56f5df83d5afc6256a9a594bcdc3de846747e09306ecfa5a4d1ff33f14327e5e4dddb26fab2b4fbd59dc912c5e7d5d9791e88179cfc3b3d919930

Download Submit
C:\Users\Admin\AppData\Local\Temp\TeamViewer\tvinfo.ini

Filesize
103B

MD5
ccf0e51a58289f222acccc2fef2eceba

SHA1
c0d82a28ed1cecb5f026a3e43ed65fcf2c8f0aaa

SHA256
2a630b80bbbcc37a645ed461b93f84fb9245269ffdc16cf6892964e300769178

SHA512
3250d115e9fea73e4b6c8740cc63f173c9c48716a5ff48c52ec5396ef7050ec2f79f2c7b320f96fdfc9ae638e7d429f0e614415213a6609745ce32c96fa30d7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nse5BE8.tmp\advanced_unicode.ini

Filesize
1KB

MD5
8b3e104f11c5d046bd93df4e9fb40f4e

SHA1
0362bb65744a07563dc05cd612dd54a865233d79

SHA256
cc18c611578d796a879cac46746406dbaa96eddd544d7a12d4fa56856cb2cbc1

SHA512
edc08be542234c3ed6a94c46c610eb5398782c580859eda11f35df6112b3dfee10cf4be068c7a87f39a339f10a9176350cae9f657857375d641a35d5d151ced8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nse5BE8.tmp\start_unicode.ini

Filesize
2KB

MD5
c444b2bd8f37e76cf69680b73276235e

SHA1
aa4e92f2e83922c8032e4fe07fc3c2966d27cccd

SHA256
0cea31398de930836862a22fc1a1571622cca4eb2871174bb47b4a6dc0ffab0b

SHA512
b1c5571d195bcc465a4dc26d1eb4d2d4311c57bd6ed30e45d6beab1e844c8abc3abc1443a07170d60d7e10443459b9fd534e5283ddc0f15acf741feb1b1aee09

Download Submit
C:\Users\Admin\AppData\Local\Temp\nse5BE8.tmp\start_unicode.ini

Filesize
2KB

MD5
fc193c6a0d703b11ad7e146117e876e8

SHA1
cfc1baf6e7395b221d985a0fc606a0e977d183d4

SHA256
73bed91ff785a9b0d72e9bcd12f46da6d373915b37ad81d2d3ab7db39c59e92b

SHA512
e84c65a6f28b62d56086bb44ec2a93a2ed56e4a1c2722ed34960281ddb32b67907f85d19449a16fda03ef1200f971a1557436e94e47541588d01a94986c079dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\nse5BE8.tmp\start_unicode.ini

Filesize
2KB

MD5
716e98cff746a0554f72c702ea9045ca

SHA1
198c94d8c97314e7791b1cbb1571b5fe43daef00

SHA256
b51d3b8657fd05bf132bd3c7389d0b6874b7e8bf77999e480675b691a04df110

SHA512
b9d00bab87985fa701f5c1cdfdf6a38dd3a32f22992a7017daa7d1ae0afd0d59bc5391c40d83345399c28a0abf2707a707f810ef3a4e9d68bc7cf7a55ef9edf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nse5BE8.tmp\start_unicode.ini

Filesize
2KB

MD5
b1565c546381d8d0abdf8b953f8738d7

SHA1
e361dd892daf6a44d4844bf5afe137f366d5bc79

SHA256
f65cf474d2d4fae8f1e2e62b8fee44a9b3186c91ca867bbb24be803efd0ef144

SHA512
77cd5a9070649ca384e52d39689f933826bd09e91a551eb73c986529bb3e7353b4c4561edc91f1f2307b4fa2498251ab4d1956d735d7c41ea70c01ea00ad6a7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nse5BE8.tmp\start_unicode.ini

Filesize
2KB

MD5
f60ba03a179bb42f57a2c7fbf5be30c9

SHA1
615d4dba5e3b3986a24b3ca06e8fe69d74b23b20

SHA256
0de75764986550e4a9d807d17797cda7e79dc03b2f5b1e7024c3331d4cdd86e5

SHA512
f07ed829cd70d7cc1437705cceef316b5e2b16c06c7ae6e4297659750483bd920078700d47388627301890734de994611871cb360eba7d4df34109d471e4a659

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso5FCE.tmp\start_unicode.ini

Filesize
2KB

MD5
467329545031f82b0a65fea5388c38df

SHA1
cc08576b015cd462c759f1ac2dae939a910b435a

SHA256
37f02077efb2c999c2d38bad78c3262b8919b44622340cb6e58902e1bb56bb08

SHA512
88add822bd9bd752a433a20cdd78853141b10cf558d622c9b123b8d752084a8758b71326ad22fc9403c4cc7833b27bf5e7d9163198ff98c42eb541f6dd8eafbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso5FCE.tmp\start_unicode.ini

Filesize
2KB

MD5
e396753469302eea9d747d9e66af99c7

SHA1
31c8ea994e302063ae7f619a728d86055fb2c257

SHA256
98876e93044b6a6ea283dbbf73d918373f8c82c37b24075552ea64ccd1570a51

SHA512
25a4875ef67076ff5a70459fb4eab9d5bfb826abb91451e7832fd32f13fb30dc2bb7388ccbc795b46ecaa67c3e4d2d95c9edf3d6ee4e86f50f12f11082bd7675

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso5FCE.tmp\start_unicode.ini

Filesize
2KB

MD5
afa3f22f2260eb9483222f6c0f28565c

SHA1
e1ebf754580df2e8f0fd11e900addffe3f3cd9bb

SHA256
3f061b0402128f2e1a85911213b40fb807fae4f50028902490bba582247ee91a

SHA512
8d61697d54f21a33cfe854e303051925b33a0d1c6580301e5a1da499438d0517be208a2dc3ef21d6f443675208bc7d792cf17ffc4946e63edb05a2302025f7d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso5FCE.tmp\start_unicode.ini

Filesize
2KB

MD5
d780b9920bbecb5ef2a0774c5637125b

SHA1
d58e323eca7e75927b058e42ece1897db2f89278

SHA256
2ad9de194e9782acded1e34a54774c05352b0999a10b0a53bcedc72dd8a89b6e

SHA512
9dd1b739ff276bc0b4a287363f357b7e4d827e9279f0f41f1f2f45bc995ec4012c3c809cf5ef3bfb078ad4f217b2498fe9f804db3c1f78a3db3b5bee4adc2900

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso5FCE.tmp\start_unicode.ini

Filesize
2KB

MD5
31d4e8e35dcd45031fcb2fc7d07a2e1b

SHA1
60adcec22d2b6bf2e7668dfacd13650477eb5ea2

SHA256
c7fe31093881ee568cdb85ad548c5a3e685c45e1985169cc3fd2735a7204bb97

SHA512
8b645b53c0220b54c371674a04f5839d90c6259191593999de237bbf3ebf509cb6edf9b080f5e051836503964c078d17544c98f68be9bccabfc20976b64a9e37

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso5FCE.tmp\start_unicode.ini

Filesize
2KB

MD5
dfbed8c9362e161a2e5b23c9027b35e5

SHA1
1140374df28fd003e66b88760bda2fca679d8b10

SHA256
e3d2675a130d660e7eb5438aadda5a9580ef3767c15dcdc2087c7486ee7b2b13

SHA512
ae75445c60c8090c319fa05502ba2442dc26e33c16832107dc328e03d3397b9aa0d83db91351525293e6ed119a73aefdf0c4eb470e34cd48343a1863dd380b28

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz59F4.tmp\TvGetVersion.dll

Filesize
153KB

MD5
a366cd40b73d191cdb1aa7b14267213f

SHA1
d7bad68f24127972b1363c44ad3a225fdf3d3659

SHA256
3d661aaac7698a5b4611ca22bda5e0194d90ec238d9dfe7e4ab38a8d866176b0

SHA512
96ea62df2ec21d80eae9a48c23fe38601564aa942e1e02013f1d78497ff4d9a332f41a4105c4d79e632b24bb7e75b1532d1a58e790c929570da51d6584e2eb8e

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_a93af81e3c7dd12fdb59341ed537bacf91409b2b05a81a66801f9437549b07a5N.exe

Filesize
7.7MB

MD5
6ff62388b265f3682a390417ae4b47d6

SHA1
8e7afffd442a54ce004972181b0eec6d34270634

SHA256
b0edb941157eb8bb6b1e80d53b0ad2bce180f54abffddc08b7e7b2d20be445c1

SHA512
3429572e0d634ea4eeb01cf903e6ca654b993a0abe698bb6e682a86c4d3405216c58da70a9d58aaf81cb19dad51a009974f746885a5545d44809db3257a81a68

Download Submit
\Users\Admin\AppData\Local\Temp\TeamViewer\TeamViewer_.exe

Filesize
7.5MB

MD5
2f33659e551eac0332b2bd9f228fb811

SHA1
5e8c5e0e5e6d871740d163b7a81beeae709b3942

SHA256
a52f02c33354022b329f86f6283235aa7a58942e60659dcce3069d3a873845bb

SHA512
653b8632c1aeddfbe90a9a8e94966a8f3660bb42edb7dcce303f23f5d95f568a7e2d7dc3d7b3a2ba0657877812829f7aae49a08c1a4da792d450f2d4a9b5df51

Download Submit
\Users\Admin\AppData\Local\Temp\nse5BE8.tmp\InstallOptions.dll

Filesize
15KB

MD5
89351a0a6a89519c86c5531e20dab9ea

SHA1
9e801aaaae9e70d8f7fc52f6f12cedc55e4c8a00

SHA256
f530069ef87a1c163c4fd63a3d5b053420ce3d7a98739c70211b4a99f90d6277

SHA512
13168fa828b581383e5f64d3b54be357e98d2eb9362b45685e7426ffc2f0696ab432cc8a3f374ce8abd03c096f1662d954877afa886fc4aa74709e6044b75c08

Download Submit
\Users\Admin\AppData\Local\Temp\nse5BE8.tmp\UserInfo.dll

Filesize
4KB

MD5
c7ce0e47c83525983fd2c4c9566b4aad

SHA1
38b7ad7bb32ffae35540fce373b8a671878dc54e

SHA256
6293408a5fa6d0f55f0a4d01528eb5b807ee9447a75a28b5986267475ebcd3ae

SHA512
ee9f23ea5210f418d4c559628bbfb3a0f892440bcd5dc4c1901cb8e510078e4481ea8353b262795076a19055e70b88e08fee5fb7e8f35a6f49022096408df20e

Download Submit
\Users\Admin\AppData\Local\Temp\nse5BE8.tmp\linker.dll

Filesize
45KB

MD5
4ac3f0ab2e423515ed9c575333342054

SHA1
a3e4f2b2135157f964d471564044b023a64f2532

SHA256
f223d6c72f86544b358a6301daf60ccdd86198f32e3447a1860acf3f59f2dae9

SHA512
8fbd5b4989be51c27fa15af155d2921bea9aa5d0557a22d4224256e678dfe7dcaa5f80917a748c31dc9c9a91573e4618e2497ccfd47eefd7a0fa08c12366a1e5

Download Submit
\Users\Admin\AppData\Local\Temp\nso5FCE.tmp\System.dll

Filesize
11KB

MD5
bf712f32249029466fa86756f5546950

SHA1
75ac4dc4808ac148ddd78f6b89a51afbd4091c2e

SHA256
7851cb12fa4131f1fee5de390d650ef65cac561279f1cfe70ad16cc9780210af

SHA512
13f69959b28416e0b8811c962a49309dca3f048a165457051a28a3eb51377dcaf99a15e86d7eee8f867a9e25ecf8c44da370ac8f530eeae7b5252eaba64b96f4

Download Submit
memory/1036-333-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1036-625-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2132-36-0x0000000000400000-0x0000000000C70000-memory.dmp

Filesize
8.4MB

Download
memory/2132-0-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2664-823-0x0000000000400000-0x0000000000C70000-memory.dmp

Filesize
8.4MB

Download
memory/2664-724-0x0000000000400000-0x0000000000C70000-memory.dmp

Filesize
8.4MB

Download
memory/2664-1837-0x0000000000400000-0x0000000000C70000-memory.dmp

Filesize
8.4MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads