xred | a93af81e3c7dd12fdb59341ed537bacf91409b2b05a81a66801f9437549b07a5

Analysis

max time kernel
120s
max time network
121s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
18-12-2024 10:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a93af81e3c7dd12fdb59341ed537bacf91409b2b05a81a66801f9437549b07a5N.exe
Size

8.4MB
MD5

f49baad4ad66bebb8a10d259d4181700
SHA1

4d718beacef919078e5aec880fc38444b9ae876b
SHA256

a93af81e3c7dd12fdb59341ed537bacf91409b2b05a81a66801f9437549b07a5
SHA512

c1f670240ed7e62b9b3c3e8375a2f5ed17b2a76e32b55bb235bda36f4e45c92cf990493c3c0a30a30eb75287d2b01e2cfb418b22144b2a9594e19fb3e3f065db
SSDEEP

196608:tLUdwAmXaSMDdu+FtEF+mt6faSbMdoQDrCqIgxf0OKt7C:tW5mKRDdu+MF+xfaSbuoQPLxFKtC

Score

10^/10

xred backdoor discovery persistence

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	a93af81e3c7dd12fdb59341ed537bacf91409b2b05a81a66801f9437549b07a5N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	Synaptics.exe

Executes dropped EXE 5 IoCs

pid	Process
3920	._cache_a93af81e3c7dd12fdb59341ed537bacf91409b2b05a81a66801f9437549b07a5N.exe
4900	TeamViewer_.exe
1316	Synaptics.exe
2600	._cache_Synaptics.exe
4076	TeamViewer_.exe

Loads dropped DLL 24 IoCs

pid	Process
3920	._cache_a93af81e3c7dd12fdb59341ed537bacf91409b2b05a81a66801f9437549b07a5N.exe
4900	TeamViewer_.exe
4900	TeamViewer_.exe
4900	TeamViewer_.exe
4900	TeamViewer_.exe
2600	._cache_Synaptics.exe
4076	TeamViewer_.exe
4076	TeamViewer_.exe
4076	TeamViewer_.exe
4076	TeamViewer_.exe
4900	TeamViewer_.exe
4900	TeamViewer_.exe
4900	TeamViewer_.exe
4900	TeamViewer_.exe
4900	TeamViewer_.exe
4900	TeamViewer_.exe
4900	TeamViewer_.exe
4076	TeamViewer_.exe
4076	TeamViewer_.exe
4076	TeamViewer_.exe
4076	TeamViewer_.exe
4076	TeamViewer_.exe
4076	TeamViewer_.exe
4076	TeamViewer_.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	a93af81e3c7dd12fdb59341ed537bacf91409b2b05a81a66801f9437549b07a5N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TeamViewer_.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TeamViewer_.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a93af81e3c7dd12fdb59341ed537bacf91409b2b05a81a66801f9437549b07a5N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_a93af81e3c7dd12fdb59341ed537bacf91409b2b05a81a66801f9437549b07a5N.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	a93af81e3c7dd12fdb59341ed537bacf91409b2b05a81a66801f9437549b07a5N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3192	EXCEL.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
3192	EXCEL.EXE
3192	EXCEL.EXE
3192	EXCEL.EXE
3192	EXCEL.EXE
3192	EXCEL.EXE
3192	EXCEL.EXE

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 3728 wrote to memory of 3920	3728	a93af81e3c7dd12fdb59341ed537bacf91409b2b05a81a66801f9437549b07a5N.exe	83
PID 3728 wrote to memory of 3920	3728	a93af81e3c7dd12fdb59341ed537bacf91409b2b05a81a66801f9437549b07a5N.exe	83
PID 3728 wrote to memory of 3920	3728	a93af81e3c7dd12fdb59341ed537bacf91409b2b05a81a66801f9437549b07a5N.exe	83
PID 3920 wrote to memory of 4900	3920	._cache_a93af81e3c7dd12fdb59341ed537bacf91409b2b05a81a66801f9437549b07a5N.exe	84
PID 3920 wrote to memory of 4900	3920	._cache_a93af81e3c7dd12fdb59341ed537bacf91409b2b05a81a66801f9437549b07a5N.exe	84
PID 3920 wrote to memory of 4900	3920	._cache_a93af81e3c7dd12fdb59341ed537bacf91409b2b05a81a66801f9437549b07a5N.exe	84
PID 3728 wrote to memory of 1316	3728	a93af81e3c7dd12fdb59341ed537bacf91409b2b05a81a66801f9437549b07a5N.exe	85
PID 3728 wrote to memory of 1316	3728	a93af81e3c7dd12fdb59341ed537bacf91409b2b05a81a66801f9437549b07a5N.exe	85
PID 3728 wrote to memory of 1316	3728	a93af81e3c7dd12fdb59341ed537bacf91409b2b05a81a66801f9437549b07a5N.exe	85
PID 1316 wrote to memory of 2600	1316	Synaptics.exe	86
PID 1316 wrote to memory of 2600	1316	Synaptics.exe	86
PID 1316 wrote to memory of 2600	1316	Synaptics.exe	86
PID 2600 wrote to memory of 4076	2600	._cache_Synaptics.exe	88
PID 2600 wrote to memory of 4076	2600	._cache_Synaptics.exe	88
PID 2600 wrote to memory of 4076	2600	._cache_Synaptics.exe	88

C:\Users\Admin\AppData\Local\Temp\a93af81e3c7dd12fdb59341ed537bacf91409b2b05a81a66801f9437549b07a5N.exe
"C:\Users\Admin\AppData\Local\Temp\a93af81e3c7dd12fdb59341ed537bacf91409b2b05a81a66801f9437549b07a5N.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3728
- C:\Users\Admin\AppData\Local\Temp\._cache_a93af81e3c7dd12fdb59341ed537bacf91409b2b05a81a66801f9437549b07a5N.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_a93af81e3c7dd12fdb59341ed537bacf91409b2b05a81a66801f9437549b07a5N.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3920
- - C:\Users\Admin\AppData\Local\Temp\TeamViewer\TeamViewer_.exe
    "C:\Users\Admin\AppData\Local\Temp\TeamViewer\TeamViewer_.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:4900
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1316
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2600
  - - C:\Users\Admin\AppData\Local\Temp\TeamViewer\TeamViewer_.exe
      "C:\Users\Admin\AppData\Local\Temp\TeamViewer\TeamViewer_.exe" InjUpdate
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:4076

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3192

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
8.4MB

MD5
f49baad4ad66bebb8a10d259d4181700

SHA1
4d718beacef919078e5aec880fc38444b9ae876b

SHA256
a93af81e3c7dd12fdb59341ed537bacf91409b2b05a81a66801f9437549b07a5

SHA512
c1f670240ed7e62b9b3c3e8375a2f5ed17b2a76e32b55bb235bda36f4e45c92cf990493c3c0a30a30eb75287d2b01e2cfb418b22144b2a9594e19fb3e3f065db

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_a93af81e3c7dd12fdb59341ed537bacf91409b2b05a81a66801f9437549b07a5N.exe

Filesize
7.7MB

MD5
6ff62388b265f3682a390417ae4b47d6

SHA1
8e7afffd442a54ce004972181b0eec6d34270634

SHA256
b0edb941157eb8bb6b1e80d53b0ad2bce180f54abffddc08b7e7b2d20be445c1

SHA512
3429572e0d634ea4eeb01cf903e6ca654b993a0abe698bb6e682a86c4d3405216c58da70a9d58aaf81cb19dad51a009974f746885a5545d44809db3257a81a68

Download Submit
C:\Users\Admin\AppData\Local\Temp\F8975E00

Filesize
22KB

MD5
8bc35cdf1c56cd1bc1fc69766bcbdffb

SHA1
6ffd443a77ebce436e2cae2ca8cff7f1d3605c66

SHA256
b85e170d345cb95df6d63aa758b190ae87bd1779b2e53ee27adb3c9d7ec931e0

SHA512
ccb5f3533a92e7e25e04a1043bcf3946ad8431f102ef47405dcb4f25b60c43b383e34d546382c24ccab109bff1e03892da91ceeb408e186f6fbdaea699f3f5b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sz4pcwSz.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\TeamViewer\TeamViewer_.exe

Filesize
7.5MB

MD5
2f33659e551eac0332b2bd9f228fb811

SHA1
5e8c5e0e5e6d871740d163b7a81beeae709b3942

SHA256
a52f02c33354022b329f86f6283235aa7a58942e60659dcce3069d3a873845bb

SHA512
653b8632c1aeddfbe90a9a8e94966a8f3660bb42edb7dcce303f23f5d95f568a7e2d7dc3d7b3a2ba0657877812829f7aae49a08c1a4da792d450f2d4a9b5df51

Download Submit
C:\Users\Admin\AppData\Local\Temp\TeamViewer\tvinfo.ini

Filesize
103B

MD5
ccf0e51a58289f222acccc2fef2eceba

SHA1
c0d82a28ed1cecb5f026a3e43ed65fcf2c8f0aaa

SHA256
2a630b80bbbcc37a645ed461b93f84fb9245269ffdc16cf6892964e300769178

SHA512
3250d115e9fea73e4b6c8740cc63f173c9c48716a5ff48c52ec5396ef7050ec2f79f2c7b320f96fdfc9ae638e7d429f0e614415213a6609745ce32c96fa30d7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\TeamViewer\tvinfo.ini

Filesize
47B

MD5
b79df1c7a14576aeee74a58fdac22c69

SHA1
3cb7c8558f62f0c7b641c451d5c871cbd1bb951c

SHA256
6fc06809746090e4c55613cc16b7f673b89e4dd49a34f0f72c6f3d54225a5f75

SHA512
cfc5207320b56f5df83d5afc6256a9a594bcdc3de846747e09306ecfa5a4d1ff33f14327e5e4dddb26fab2b4fbd59dc912c5e7d5d9791e88179cfc3b3d919930

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsn8157.tmp\InstallOptions.dll

Filesize
15KB

MD5
89351a0a6a89519c86c5531e20dab9ea

SHA1
9e801aaaae9e70d8f7fc52f6f12cedc55e4c8a00

SHA256
f530069ef87a1c163c4fd63a3d5b053420ce3d7a98739c70211b4a99f90d6277

SHA512
13168fa828b581383e5f64d3b54be357e98d2eb9362b45685e7426ffc2f0696ab432cc8a3f374ce8abd03c096f1662d954877afa886fc4aa74709e6044b75c08

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsn8157.tmp\System.dll

Filesize
11KB

MD5
bf712f32249029466fa86756f5546950

SHA1
75ac4dc4808ac148ddd78f6b89a51afbd4091c2e

SHA256
7851cb12fa4131f1fee5de390d650ef65cac561279f1cfe70ad16cc9780210af

SHA512
13f69959b28416e0b8811c962a49309dca3f048a165457051a28a3eb51377dcaf99a15e86d7eee8f867a9e25ecf8c44da370ac8f530eeae7b5252eaba64b96f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsn8157.tmp\UserInfo.dll

Filesize
4KB

MD5
c7ce0e47c83525983fd2c4c9566b4aad

SHA1
38b7ad7bb32ffae35540fce373b8a671878dc54e

SHA256
6293408a5fa6d0f55f0a4d01528eb5b807ee9447a75a28b5986267475ebcd3ae

SHA512
ee9f23ea5210f418d4c559628bbfb3a0f892440bcd5dc4c1901cb8e510078e4481ea8353b262795076a19055e70b88e08fee5fb7e8f35a6f49022096408df20e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsn8157.tmp\advanced_unicode.ini

Filesize
1KB

MD5
8b3e104f11c5d046bd93df4e9fb40f4e

SHA1
0362bb65744a07563dc05cd612dd54a865233d79

SHA256
cc18c611578d796a879cac46746406dbaa96eddd544d7a12d4fa56856cb2cbc1

SHA512
edc08be542234c3ed6a94c46c610eb5398782c580859eda11f35df6112b3dfee10cf4be068c7a87f39a339f10a9176350cae9f657857375d641a35d5d151ced8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsn8157.tmp\linker.dll

Filesize
45KB

MD5
4ac3f0ab2e423515ed9c575333342054

SHA1
a3e4f2b2135157f964d471564044b023a64f2532

SHA256
f223d6c72f86544b358a6301daf60ccdd86198f32e3447a1860acf3f59f2dae9

SHA512
8fbd5b4989be51c27fa15af155d2921bea9aa5d0557a22d4224256e678dfe7dcaa5f80917a748c31dc9c9a91573e4618e2497ccfd47eefd7a0fa08c12366a1e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsn8157.tmp\start_unicode.ini

Filesize
2KB

MD5
25bc040e83b5565e5ac49b5372e6621c

SHA1
b08102efc5621f444954a72305f1e8127bcd451a

SHA256
725880c4b5a0d69d9d2d5b0f4493563bacff364a69ead7576f6324c5fa7d7b05

SHA512
aed9cb62b4ab26e77f987478b20d36e4a612fd2774b080a397122594950742affa47015396003d327600a53802e0ec7bf25af3fb071e81b4f0d65086c29a2a83

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsn8157.tmp\start_unicode.ini

Filesize
2KB

MD5
59b0b6538f2cde5c9c94717b5d4e4e3b

SHA1
0aa7d17e01c1fcd2470b4113e6b98dceda28c09f

SHA256
26178785b0a5915e9b5efb364119207025d81ee5bd1819be6befe163f883109b

SHA512
792b3f5bd68942b0e96570f55d663fba0430717120435857d43ce7f17d921d31e6b642de9d771060d410613f93f74fac1eb1060f630e56fa992f09daa897d61d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsn8157.tmp\start_unicode.ini

Filesize
2KB

MD5
b28a3a91775bec3b6618bde7f8ca004c

SHA1
2d2899139dfc4f4c477115a2985afb1b867886c9

SHA256
e25b94f4b5c33352d9a3572cecf4432ed84057223cbb6239e7519a46c5ebcdba

SHA512
3b17d94c37cbc86ba1515abe97731ccb0c81dff9fbc18aa6c8203bf5a8aff5c6b371126f6d161678fda1cb08e15a904bcea815e17a852d1e0dc782c87eb1cb05

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsn8157.tmp\start_unicode.ini

Filesize
2KB

MD5
001fd359d7bff61cb4f80b98b4f7afa3

SHA1
8cccea623b1a2ca77b43a054a117aa05a80ada20

SHA256
5b196c733a2ce20203a1f97f6ad1c1e521b7e50570df45100dc4070d8753bcae

SHA512
74fea4cdd91438905d52e6a83af5ab317cdf0730ad441c696614d7b76a2605ff36d9391f5e32c8947117eb36c094fa0f0d9f6b5de6b66e259e17b030c59b3940

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsn8157.tmp\start_unicode.ini

Filesize
2KB

MD5
87253c21fa0aba2f998a27bcd0ee2dec

SHA1
fba9489aeff8a7d9217be81f8fe326611495fc33

SHA256
8f727b8914cb269eb14198937b861c2e18dc4bcf6d843452c891a617ff35eae2

SHA512
fdcd4db853b921e655ee6a58a82da20d8eb5732770f27c015f2e9cbe7cf9b4f16dbe21cb508e3c4cbf81db0d63b35e3aee6f9fe00944c578ef204791dd5a0e1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsn8157.tmp\start_unicode.ini

Filesize
2KB

MD5
f3fce4b454023a4c537bb9d267dafc1b

SHA1
563ee0f0871065d24bdad78de26dc52c0abfed29

SHA256
24299cbec34a07ebad29d736277c96e64a94bc61f50e828b9544dd8bf49aeaac

SHA512
4b5734870b9798adcb682c474a5c994dd34af9f8bc067f014c940921026bcc6c0c4039a29593b0881601bf309e3f062293e48e1651e339918b3fe8041bc43aa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsn8157.tmp\start_unicode.ini

Filesize
2KB

MD5
de309efc38ca910a4383e7d63cae4554

SHA1
7b83ddef76081b57ed772b5828312a8690abb3aa

SHA256
c12291161d4a2a0df5612fff4a1445cf907c04a757386dbe07df290342d1f1d7

SHA512
4c44625fc82a81ba32d231f1f115f6f79fd63f99bc42af30e19ee0b4a5aaccdb4e341f848fee6a5a2648d92f8c23949a250723ec284e5579f3f506eea5896dd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsn8157.tmp\start_unicode.ini

Filesize
2KB

MD5
9cae534c8607f1a85ee73c970fe16acb

SHA1
a7b16527a9cbf262b612f601698edfa08a302a74

SHA256
837043771fe1b7d44e1141b118724ad57889b1203e0f814b444fa3976c42b840

SHA512
a7b9a84db956c172f9c4bec075c6450a8c9e5d3dc78a4f385bd27af9004358327ef2630fc01f3554ba4055398b04e975387c8bd531fb3fd25d91dd6f11e3b577

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss7FA1.tmp\TvGetVersion.dll

Filesize
153KB

MD5
a366cd40b73d191cdb1aa7b14267213f

SHA1
d7bad68f24127972b1363c44ad3a225fdf3d3659

SHA256
3d661aaac7698a5b4611ca22bda5e0194d90ec238d9dfe7e4ab38a8d866176b0

SHA512
96ea62df2ec21d80eae9a48c23fe38601564aa942e1e02013f1d78497ff4d9a332f41a4105c4d79e632b24bb7e75b1532d1a58e790c929570da51d6584e2eb8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsu8658.tmp\start_unicode.ini

Filesize
2KB

MD5
6268e10f81299d2e9795deb4ad9a8c33

SHA1
ce2951b914512ecb2ca87fdf56f37fb156437e27

SHA256
8f9ed6bd2d940947aa678907f3fca00df21700e6c75ef40ae8797663bda55d75

SHA512
9cbc983e26c057f7fa865bcf836cae0580dd960ad0f63dbd02c85f59410155eb0626f1c2f999f70d833b839cd4fc4f33ccdb3f926a60dd782283b8a7478992a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsu8658.tmp\start_unicode.ini

Filesize
2KB

MD5
53d1a1c4cd8a225a118f38a67403fc9b

SHA1
28e9dd1a11c7dd2d5da16712157f804b81aea923

SHA256
07bd02503df4401b8dd7e7805aee0eee0423db45f5b854dca9e23c7ffcace627

SHA512
8645f53110442517b974a7e6f3ffaea0eb70a7ca988e581278f87c25082ed8ee00d821d4f2a44b00c1dff7b2a77dae1aa685298606c05e96e23a4b56ed2f118e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsu8658.tmp\start_unicode.ini

Filesize
2KB

MD5
0ddb53b99003aa85cf5fda7bf1188e4d

SHA1
75c3ed86357ee9df98b3a205fab3f56b64687c7a

SHA256
66fa562539759b95e43326a6d1224e526a4917c78ab5b9c974b5f74a16a4666d

SHA512
7e3c8c34e615cbb3a98ba8c746d6a51ad00c18e1b0db4d8e57b082a8208b5f4413704b0b211c7db936ad9696950daf6ba1c65fdde085301633307fe3591770d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsu8658.tmp\start_unicode.ini

Filesize
2KB

MD5
73b6d34f75bf69277902e121c7e4d3db

SHA1
fca6dc178462c9033738966bbb8b92ea066ffb62

SHA256
8d1efe2223071b3fff5b81de3c2636067e648e4e9a0d48c559cb5e4b6c8c5850

SHA512
01682dc4240dc19ba84efad3ab5a4e46c35b9fcf69455df98c2abe8025feaf78d38f1f54433bbbd0588e7d484182f0022cf9ebd0e5d0b60dae3ba52d7f2b52e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsu8658.tmp\start_unicode.ini

Filesize
2KB

MD5
4f67016feda04397d2fe5aa90598d4e8

SHA1
74ab481de4612e9e43f5b9b6775e277f5b1cc82a

SHA256
09904d7525ae789271d3ad76c36160f81af896f370bb97f6aefe55bf7eaa487a

SHA512
44e3824711316df1d44bb8c7c2f2e43ac23369a54bb942057f78dd7ca0db9c4b22a445b130fd2a4630467f17181f8b80825ce334e8da54508a583c2b0a762b28

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsu8658.tmp\start_unicode.ini

Filesize
2KB

MD5
47fc70090d461b3afaeacbd401151d01

SHA1
294b9cc8b1ca95cdd655367de06986cff4b374e2

SHA256
3e7dac7caeef7939fda03e32b1dea8d49ee9889bb0a1b588101f1535a0eabf9c

SHA512
c7c5ba028fb409e03d8d36d5b45e3cb88a1778768b51ea31b7d57f5039c6c85a983acc52d4f32a9878d9d386fbebd179d6f5fc51de44cd0bf3237bd097404c14

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsu8658.tmp\start_unicode.ini

Filesize
2KB

MD5
f2832892ae95397800cfab027d52533d

SHA1
afaf6ce5670618684cd607f7f795bcb9d6081691

SHA256
13d61d071be9d61adc763f074841dc33eb332bf5e2ce37537f3efebd3d3bc487

SHA512
d9f1784d6463a9dd2f4811e208f309c04f0ad2fc885abdb318cbbcde21f104d08295cbe11d61903105b06975089596ec76d00f5ea730d9cfaf826e56b19da507

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsu8658.tmp\start_unicode.ini

Filesize
2KB

MD5
dc8412894982b72b5d0a05de1944da15

SHA1
53e1ce8f0b0b15795f95c3dca927f749f8a16ddf

SHA256
f0a165563ed8eab0691d55fc6928498a9e989519c9324cae887d27231c1a8092

SHA512
f8c727515c64c87ec498781d562048c2e86fed8aee4896b4da936140e89c350a063032c3576e76bc1f04ae094ae137060d8aa1039a16810d8d21f1da354fd7ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsu8658.tmp\start_unicode.ini

Filesize
2KB

MD5
cf0c65139837d295ef80d73bf8f73106

SHA1
504e82df463dce010f018a6d499591f4d86754b2

SHA256
0ab7958774057c05be27a4b4649747987cc9dd2cd497992ac80c29038b5ef771

SHA512
8bb67fb115b339fcc0ea2a072357f586dee5ef0617f363c05b1bdfff11b206ca18e0309dbb67a797fc45d4731000ad720605ccc8f02a1a4bba56c0520d2f69ed

Download Submit
memory/1316-898-0x0000000000400000-0x0000000000C70000-memory.dmp

Filesize
8.4MB

Download
memory/1316-2001-0x0000000000400000-0x0000000000C70000-memory.dmp

Filesize
8.4MB

Download
memory/1316-1095-0x0000000000400000-0x0000000000C70000-memory.dmp

Filesize
8.4MB

Download
memory/3192-258-0x00007FFBA0D50000-0x00007FFBA0D60000-memory.dmp

Filesize
64KB

Download
memory/3192-895-0x00007FFBA0D50000-0x00007FFBA0D60000-memory.dmp

Filesize
64KB

Download
memory/3192-896-0x00007FFBA0D50000-0x00007FFBA0D60000-memory.dmp

Filesize
64KB

Download
memory/3192-897-0x00007FFBA0D50000-0x00007FFBA0D60000-memory.dmp

Filesize
64KB

Download
memory/3192-894-0x00007FFBA0D50000-0x00007FFBA0D60000-memory.dmp

Filesize
64KB

Download
memory/3192-295-0x00007FFB9E3F0000-0x00007FFB9E400000-memory.dmp

Filesize
64KB

Download
memory/3192-274-0x00007FFB9E3F0000-0x00007FFB9E400000-memory.dmp

Filesize
64KB

Download
memory/3192-259-0x00007FFBA0D50000-0x00007FFBA0D60000-memory.dmp

Filesize
64KB

Download
memory/3192-270-0x00007FFBA0D50000-0x00007FFBA0D60000-memory.dmp

Filesize
64KB

Download
memory/3192-263-0x00007FFBA0D50000-0x00007FFBA0D60000-memory.dmp

Filesize
64KB

Download
memory/3192-260-0x00007FFBA0D50000-0x00007FFBA0D60000-memory.dmp

Filesize
64KB

Download
memory/3728-0-0x0000000000D70000-0x0000000000D71000-memory.dmp

Filesize
4KB

Download
memory/3728-157-0x0000000000400000-0x0000000000C70000-memory.dmp

Filesize
8.4MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads