xred | 321322d58436bdd27eb8c086014cf60cb8be4ac966e728a0919fa941faf2f0d5

Analysis

max time kernel
111s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19-12-2024 21:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

321322d58436bdd27eb8c086014cf60cb8be4ac966e728a0919fa941faf2f0d5N.exe
Size

2.8MB
MD5

8354dc3462309aedd0e2bcfa72410f00
SHA1

98cc86359335052835ec0bebad33957cec8905e8
SHA256

321322d58436bdd27eb8c086014cf60cb8be4ac966e728a0919fa941faf2f0d5
SHA512

c45fb93f91eeaef92e5395b6dc8db4a704a055984756b4e842a939328af3bd9b91daaa203b51526e16f04d30d8f3ba47209a8a8a6370dd7a591e7568145dd87c
SSDEEP

49152:hnsHyjtk2MYC5GDwJUQxE87vxpsrFpIvFbJo+McPe3Nsv2kYKcNTXxicbd:hnsmtk2a3GyPN+TIvFby0ed8QKMMq

Score

10^/10

xred backdoor discovery persistence

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	321322d58436bdd27eb8c086014cf60cb8be4ac966e728a0919fa941faf2f0d5N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	Synaptics.exe

Executes dropped EXE 5 IoCs

pid	Process
2760	._cache_321322d58436bdd27eb8c086014cf60cb8be4ac966e728a0919fa941faf2f0d5N.exe
2684	Synaptics.exe
4184	._cache_Synaptics.exe
2288	OWinstaller.exe
2580	OWinstaller.exe

Loads dropped DLL 22 IoCs

pid	Process
2760	._cache_321322d58436bdd27eb8c086014cf60cb8be4ac966e728a0919fa941faf2f0d5N.exe
2760	._cache_321322d58436bdd27eb8c086014cf60cb8be4ac966e728a0919fa941faf2f0d5N.exe
2760	._cache_321322d58436bdd27eb8c086014cf60cb8be4ac966e728a0919fa941faf2f0d5N.exe
2760	._cache_321322d58436bdd27eb8c086014cf60cb8be4ac966e728a0919fa941faf2f0d5N.exe
2760	._cache_321322d58436bdd27eb8c086014cf60cb8be4ac966e728a0919fa941faf2f0d5N.exe
2760	._cache_321322d58436bdd27eb8c086014cf60cb8be4ac966e728a0919fa941faf2f0d5N.exe
2760	._cache_321322d58436bdd27eb8c086014cf60cb8be4ac966e728a0919fa941faf2f0d5N.exe
4184	._cache_Synaptics.exe
4184	._cache_Synaptics.exe
4184	._cache_Synaptics.exe
4184	._cache_Synaptics.exe
2288	OWinstaller.exe
2288	OWinstaller.exe
4184	._cache_Synaptics.exe
4184	._cache_Synaptics.exe
4184	._cache_Synaptics.exe
2288	OWinstaller.exe
2288	OWinstaller.exe
2580	OWinstaller.exe
2580	OWinstaller.exe
2580	OWinstaller.exe
2580	OWinstaller.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	321322d58436bdd27eb8c086014cf60cb8be4ac966e728a0919fa941faf2f0d5N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	321322d58436bdd27eb8c086014cf60cb8be4ac966e728a0919fa941faf2f0d5N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_321322d58436bdd27eb8c086014cf60cb8be4ac966e728a0919fa941faf2f0d5N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	321322d58436bdd27eb8c086014cf60cb8be4ac966e728a0919fa941faf2f0d5N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1644	EXCEL.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2288	OWinstaller.exe
Token: SeDebugPrivilege	2580	OWinstaller.exe

Suspicious use of SetWindowsHookEx 14 IoCs

pid	Process
2288	OWinstaller.exe
2288	OWinstaller.exe
2580	OWinstaller.exe
2580	OWinstaller.exe
2288	OWinstaller.exe
2580	OWinstaller.exe
1644	EXCEL.EXE
1644	EXCEL.EXE
1644	EXCEL.EXE
1644	EXCEL.EXE
1644	EXCEL.EXE
1644	EXCEL.EXE
1644	EXCEL.EXE
1644	EXCEL.EXE

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 3484 wrote to memory of 2760	3484	321322d58436bdd27eb8c086014cf60cb8be4ac966e728a0919fa941faf2f0d5N.exe	82
PID 3484 wrote to memory of 2760	3484	321322d58436bdd27eb8c086014cf60cb8be4ac966e728a0919fa941faf2f0d5N.exe	82
PID 3484 wrote to memory of 2760	3484	321322d58436bdd27eb8c086014cf60cb8be4ac966e728a0919fa941faf2f0d5N.exe	82
PID 3484 wrote to memory of 2684	3484	321322d58436bdd27eb8c086014cf60cb8be4ac966e728a0919fa941faf2f0d5N.exe	83
PID 3484 wrote to memory of 2684	3484	321322d58436bdd27eb8c086014cf60cb8be4ac966e728a0919fa941faf2f0d5N.exe	83
PID 3484 wrote to memory of 2684	3484	321322d58436bdd27eb8c086014cf60cb8be4ac966e728a0919fa941faf2f0d5N.exe	83
PID 2684 wrote to memory of 4184	2684	Synaptics.exe	84
PID 2684 wrote to memory of 4184	2684	Synaptics.exe	84
PID 2684 wrote to memory of 4184	2684	Synaptics.exe	84
PID 2760 wrote to memory of 2288	2760	._cache_321322d58436bdd27eb8c086014cf60cb8be4ac966e728a0919fa941faf2f0d5N.exe	85
PID 2760 wrote to memory of 2288	2760	._cache_321322d58436bdd27eb8c086014cf60cb8be4ac966e728a0919fa941faf2f0d5N.exe	85
PID 4184 wrote to memory of 2580	4184	._cache_Synaptics.exe	86
PID 4184 wrote to memory of 2580	4184	._cache_Synaptics.exe	86

C:\Users\Admin\AppData\Local\Temp\321322d58436bdd27eb8c086014cf60cb8be4ac966e728a0919fa941faf2f0d5N.exe
"C:\Users\Admin\AppData\Local\Temp\321322d58436bdd27eb8c086014cf60cb8be4ac966e728a0919fa941faf2f0d5N.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3484
- C:\Users\Admin\AppData\Local\Temp\._cache_321322d58436bdd27eb8c086014cf60cb8be4ac966e728a0919fa941faf2f0d5N.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_321322d58436bdd27eb8c086014cf60cb8be4ac966e728a0919fa941faf2f0d5N.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2760
- - C:\Users\Admin\AppData\Local\Temp\nsg9607.tmp\OWinstaller.exe
    "C:\Users\Admin\AppData\Local\Temp\nsg9607.tmp\OWinstaller.exe" Sel=0&Extension=mgkabooemhaamambocobpeoeelpadcjhjgbcfhlc&Name=Hone&Referer=hone.gg&Browser=firefox -partnerCustomizationLevel 1 -customPromoPages --owelectronUrl=https://download.overwolf.com/setup/electron/mgkabooemhaamambocobpeoeelpadcjhjgbcfhlc --disable-change-location --disable-ow-shortcut-ui --disable-app-shortcut-ui --enable-app-shortcut --eula-url=https://hone.gg/terms --privacy-url=https://hone.gg/privacy --silent-setup --app-name="Hone" --auto-close -exepath C:\Users\Admin\AppData\Local\Temp\._cache_321322d58436bdd27eb8c086014cf60cb8be4ac966e728a0919fa941faf2f0d5N.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2288
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2684
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4184
  - - C:\Users\Admin\AppData\Local\Temp\nsm9849.tmp\OWinstaller.exe
      "C:\Users\Admin\AppData\Local\Temp\nsm9849.tmp\OWinstaller.exe" Sel=0&Extension=mgkabooemhaamambocobpeoeelpadcjhjgbcfhlc&Name=Hone&Referer=hone.gg&Browser=firefox InjUpdate -partnerCustomizationLevel 1 -customPromoPages --owelectronUrl=https://download.overwolf.com/setup/electron/mgkabooemhaamambocobpeoeelpadcjhjgbcfhlc --disable-change-location --disable-ow-shortcut-ui --disable-app-shortcut-ui --enable-app-shortcut --eula-url=https://hone.gg/terms --privacy-url=https://hone.gg/privacy --silent-setup --app-name="Hone" --auto-close -exepath C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:2580

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
2.8MB

MD5
8354dc3462309aedd0e2bcfa72410f00

SHA1
98cc86359335052835ec0bebad33957cec8905e8

SHA256
321322d58436bdd27eb8c086014cf60cb8be4ac966e728a0919fa941faf2f0d5

SHA512
c45fb93f91eeaef92e5395b6dc8db4a704a055984756b4e842a939328af3bd9b91daaa203b51526e16f04d30d8f3ba47209a8a8a6370dd7a591e7568145dd87c

Download Submit
C:\Users\Admin\AppData\Local\Overwolf\OWInstall.log

Filesize
18B

MD5
07e605d2d7609cf336ea1708e86b5a0c

SHA1
e7454461893e305ecdb72556e16e001617d718f9

SHA256
c69ad6c6a1d6d89336e18db86a6c852ab60c0ceb367c79922807e55de7be49dd

SHA512
5a8933d0b2e3441b6cc6e1881bd513d0f5fec939f0108b46d3578a6315283d44af65b60329e5cd528bac308dd21f1ea71daa618a9553a06b77ccba278d23496d

Download Submit
C:\Users\Admin\AppData\Local\Overwolf\Settings\SettingsPageBasic.xml

Filesize
752B

MD5
e46a0abb091fc7c402c4d19997877040

SHA1
50afc60a1f45d60cd13d666693c511507bc21295

SHA256
45fe8c1e336d71df436dfc8566bffd6e2082d214768254aa4757102c46a7b994

SHA512
ebaaf697f6bbec264a02f6c6dfc2bc1c99564e0c497cf0e951d34f884b0d81ed6d1133aa198424f3e842654c7583e72ca6caa762477324f53a6609c0371e686e

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_321322d58436bdd27eb8c086014cf60cb8be4ac966e728a0919fa941faf2f0d5N.exe

Filesize
2.1MB

MD5
4a615108909cb8d7a1b18ae0f0653d63

SHA1
43fdc0d43509afffab586c55b0bef004b2a8b828

SHA256
ac966dfd2b7d8a7ff86e2cf3b2f8c4d2b99108f3c5af5e4ce5c74ffecc5566d6

SHA512
7f32326685778fbd6280a4d72d4e1a86ed6645750de0538b44b1e7f402d7255d77520da46b4645575e803e1f2119647bd86181b60d466bd70719644a59ea2e8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\93B75E00

Filesize
21KB

MD5
24914eb7561025c7e88f23ebb72c8316

SHA1
7d9fe9574f05fc4366a8a34ad195bcbfab2141ec

SHA256
eed99996d469468060dbbe6ed8bdd4574a1597f044990c4f05ba5347bea83492

SHA512
55f204faa82870e58c6d71322e95e9430cd0ab88a530a760848235ba5dd5378056ff698bf1d1c3b6d7fffd734fb65e2f64c5f973ea31213f3d9877c0cb6bbd05

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg9607.tmp\CommandLine.dll

Filesize
71KB

MD5
6d11c677cae02caa249a4f7f35fff112

SHA1
b417114c9b95ac2f3a2e9a68bf669f7342cd4cdb

SHA256
dde08c1db1ff43b08c7de59ae14045cb6fec13bec7ac65e142142453b8ab1ad4

SHA512
f992c2ad42372d0981e8512b34516b88c8ecacd89ade1027600ad883a6346c2b9d448fb027d38915b15f15f39c6b7f7d25c9af0c36835ff85224e48034609857

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg9607.tmp\INetC.dll

Filesize
34KB

MD5
87050902acf23fa5aa6d6aa61703db97

SHA1
d5555e17151540095a8681cd892b79bce8246832

SHA256
0ecf8b76a413726d2a9c10213ad6e406211330e9e79cfde5024968eedc64a750

SHA512
d75d3fc84a61887ee63bad3e5e38f6df32446fd5c17bedce3edca785030b723b13134b09a9bbbbaca86d5ea07405b8c4afd524cc156a8c1d78f044a22dee9eab

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg9607.tmp\OWInstaller.exe

Filesize
305KB

MD5
1b49aa2792bae165b1a8edb20cb5d675

SHA1
e0024928c09174ca74115fc43ad7107e4e30c9d3

SHA256
522a50b813b24eaca425dbf17cf4abfad8acf75ac3071d4d0569efdc8f5f4f92

SHA512
5f7160a08d212c633da44cd3b7fea806d00dfb798ebfb5b79642112dea08e8c07d8bd9999ae9ce981246cb68d42b900ed052c02815d98f0bacb37d093ce36498

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg9607.tmp\OWinstaller.exe.config

Filesize
632B

MD5
82d22e4e19e27e306317513b9bfa70ff

SHA1
ff3c7dd06b7fff9c12b1beaf0ca32517710ac161

SHA256
272e4c5364193e73633caa3793e07509a349b79314ea01808b24fdb12c51b827

SHA512
b0fb708f6bcab923f5b381b7f03b3220793eff69559e895d7cf0e33781358ec2159f9c8276bf8ba81302feda8721327d43607868de5caaa9015d7bb82060a0b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg9607.tmp\OverWolf.Client.CommonUtils.dll

Filesize
655KB

MD5
9562911e11231c09a4d420378c286f64

SHA1
a093e50dfb3cd7b71265d20c78c6182857ea518f

SHA256
c44259feeeae0f009deeffe5b83ed7e72727b8c409c7b62ef6ecb7b24b78b12a

SHA512
6cc6baeb2ca726856c7ba4cfe5a9bf247584a28470dd0de3794274883693d6a0efe922af492e487beae21b53198413e61596ad0e70d448c92acdb06dd9143e5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg9607.tmp\SharpRaven.dll

Filesize
82KB

MD5
f2f1cd4e9b1f772b7b7955c3310a126a

SHA1
6ea2b5ee4461053ad353d4826ba61388f98c28fc

SHA256
a8cd61fc4478da0464967f5c74b6ecc6a880e879f49ba552f7c3056d3d0d562a

SHA512
587aec3e0b2c913eb40259928dee536ffdb4f51c693682bf926351c86e1ace020bfff3fd9f279a48ecb0d2a46a460aa5d8adeddb3e268c7a5e5dae220100b66d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg9607.tmp\System.dll

Filesize
21KB

MD5
51bd16a2ea23ae1e7a92cedc6785c82e

SHA1
a9fbaeb9a695b9f2ba8a3ed8f0d95d2bf6a3d36c

SHA256
4dbc79d2b1c7987cc64bb5d014db81bb5108bdd6d8bf3a5f820fac1ded62be33

SHA512
66ffc18b2daf6c4cba01aef0e4af2f006a51aa218eab0f21dc66e47eea0389d2b1748ef0e30d2ec9f0123fd7f38ed3aee964dd6bde5779aaee19ebf55369af79

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg9607.tmp\UserInfo.dll

Filesize
14KB

MD5
1dd4ca0f4a94155f8d46ec95a20ada4a

SHA1
5869f0d89e5422c5c4ad411e0a6a8d5b2321ff81

SHA256
a27dc3069793535cb64123c27dca8748983d133c8fa5aaddee8cdbc83f16986d

SHA512
f4914edc0357af44ed2855d5807c99c8168b305e6b7904dc865771ad0ee90756038612fe69c67b459c468396d1d39875395b1c8ec69e6da559fb92859204763e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg9607.tmp\app\images\icon.ico

Filesize
14KB

MD5
9a03fbfd56d8e501797359aac3d72ed1

SHA1
b31e87a87486c00f9266559707e2cae4831f9d44

SHA256
81c69b545c347e1708603fb912511d8eddf755cb27f37fdc6a6fd959c6cfb94e

SHA512
29eb96fe4bdded257f3330672b1f9f2086c28e1e863a093a6fb750b6e59210b47b5ed481e3828442f38c5c6d63ef37709716af1e3913afdf37bf8e574f976fb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg9607.tmp\app\index.html

Filesize
20KB

MD5
6d8c9edde0ce101ce0abd73be45c684a

SHA1
ce6d94d2d1a7f4761438781affd3aa991018e4f5

SHA256
f15c54f4ac4f55bcfa281b668220eb144e63b9de2292e970095a4dc566209682

SHA512
06f35ece48e4e19174da18ecc5dcac3a7e4d7ffbb102c4859221c7c569027ca72e40c9ed945872bf4396bc02ced7ae46655c88e3ec40d0a2f2e3bd0fcec80203

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg9607.tmp\app\js\block_inputs.js

Filesize
789B

MD5
b5b52c92b90f4283a761cb8a40860c75

SHA1
7212e7e566795017e179e7b9c9bf223b0cdb9ec2

SHA256
f8dbd6793b35f7a26806f4dabad157aaafdf6d66fad094b50c77d60f223fd544

SHA512
16ad53ede5424ca1384e3caea25225589e9eec9e80e2d845948802db90fad222f709a7b651cd7601a34ba67a0627433f25764638fd542cbd4612871308e7b353

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg9607.tmp\app\js\libs\cmp.bundle.js

Filesize
347KB

MD5
deb60b40df89edecd35ea3d1410ef7a6

SHA1
9899f48d1b29c6a51e4b80ce0579ec4f51b72c74

SHA256
2eed337a035bfcba83bdf00686f236319bfdcdc5c5b4d57541cf855bfe4fd67a

SHA512
484daa9e6423c4aa90b310f7c957f850109afd4ef30ff0dc57e05d7ea30f9ae12dbed862197ac9f1ee99b26a7204ba14d1a95d8a8a6f5064a825e5d861fb8705

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg9607.tmp\app\js\libs\jquery-1.10.2.min.js

Filesize
90KB

MD5
44e3f0db3e4ab6fedc5758c05cf27591

SHA1
2d408aa1d35661019c95adcc60b78c0727ed25b4

SHA256
bc44d3631ffef1df7960e359f02002d3ada45ee05205c2cf1edd85da2f518144

SHA512
4d4844e53e686fc59a52e86588f328dca3ed6fdad7195c58942a98c51755a24981b903ee7c7b27785375eaad5a7d9501cf74b999674b79f214e66103bad9efdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg9607.tmp\app\js\models\notifications.js

Filesize
5KB

MD5
911451f65b2503d23bc27c6a6aa6af72

SHA1
01d3654b23ef7f5adeb4097bd851e8c100a7b2ab

SHA256
c32495d55eed52f47dc7268eeccb90fb6bdc5686135ed089416c6bb8f703a578

SHA512
06edaebb0bb2980a7b6d6baa31a9c0894a9bb5f14a91468ffb8f182d98f04bb811df2a4c37f0b56d612603528aa21f390eaa7cf885874ae770a24dce2f9b249c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg9607.tmp\app\js\utils\analytics.js

Filesize
4KB

MD5
525281e9959af4c1c0d11b9243c798a1

SHA1
237a84c5b57bd132f48446d718b20640cb28c263

SHA256
c37f0699cf8ba7d9e3e0f73f1b2af65f4bdc2a31f44594ffc8c73e98b6c2fd1d

SHA512
fe5bafda7773e69c65dd63270e0306abcd39cb2d886b675ab8c714ae0833efde963b69623d468551a1ab37f1db1a1d457f1568f7a29d9cf0bb23bb0edcab5fc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg9607.tmp\app\js\utils\commands.js

Filesize
13KB

MD5
186f2a801c3d12b8b53e4b8f0510bd35

SHA1
567932df79e60d27d62752b1a1d72d6bf386c6b0

SHA256
bd6e86d0e6b33a44a1617458f0adff34a5cb0fc52568e03e5d74b8c72b5f379e

SHA512
eb87666e8fb40f81d9f14f61a6cffdba57edce1ab9b62c1df3ea3ffb0f96747f90465b2bee956c096f3762d25e90f5f130537046d8deba388d183cee1cc473c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg9607.tmp\app\js\utils\cookies.js

Filesize
1KB

MD5
6c60e675f8c8c68c0174b644d3a63a2a

SHA1
3635a3fe07ccc4a6f33a986ddb690522d0611abb

SHA256
9d3cb3822e20d6f5157faa02dc69bdaef44576c3fb5523e00aa152107ce30287

SHA512
1dc9ec7b139bcf37107ecd673c01e4fcc606332ea1645a4a1b4e5d95f817d4c99d5964cd3d941a6a526689341d9623b17b4efc002cdf4c73404299d52b1be452

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg9607.tmp\app\js\utils\modal-events-delegate.js

Filesize
1KB

MD5
117e4fdbdb0ecf211c8bd909efd337d1

SHA1
9f8684d856b7c95bdffb139217dfd89f41373187

SHA256
267661f932a2ea78d8c7a98cc03d1b18d7cb8132deb84636772ecd1fcfbe4857

SHA512
f474ee20b59d3d0c11f9f6aee6b6e2b66f7025beaec9841f88455e60533dc96cb4e27910be0dae92b0028c5578932b7f459fdb91d594ad010f72a3b3af6addb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg9607.tmp\app\js\utils\strings-loader.js

Filesize
5KB

MD5
9c94eb933d8a43dd3825e67a7e30c980

SHA1
7ec7b16af6f399219209ba5967d377040486a11b

SHA256
96445709fde2613af50f4b8908296d4bfccdccb2d9db9febc34a9bf4dcc70ecf

SHA512
a662a299e31633f71a9b9675970359430fdac06dcc284fd7ce92919f244c7f921639f97a42356e993a95865e6c9f198dcba82c126f82065bf2009a31ec9b02f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg9607.tmp\app\js\utils\utils.js

Filesize
118B

MD5
a0952ebeab701c05c75710c33d725e7e

SHA1
1da8a2e889f1213d481ae3cd5571670c01e64adc

SHA256
b4f0c48cbfeaf8141fd44b12031e3f0410cb0cdc313888ffdb14fdf1d2341246

SHA512
5e5ae616d3fded7d2bf47a326242c4477ca3119fb52897bfb41de0be230ccbd6c3da2c00268b3973e9bf7b4f2886aba64fd9719b448662e4130ee66d87913389

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg9607.tmp\app\js\windows\cri\cri-controller.js

Filesize
3KB

MD5
4e4b4a9e2d86ae3c108105078db6d730

SHA1
826946be793c999316af6c1db10523950b18ea2c

SHA256
cee7fc5a36a01a439125be031923d7e7415ec56194255048098169a0108034b7

SHA512
1420065cd000ce9b9c39d27b5dc5f4055f67146e06573a03184649851c9745f0c0af2b5e35b41b5923703dd74e32f9ed95fc59a43db25f854584e319950beffe

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg9607.tmp\app\js\windows\cri\template.js

Filesize
1KB

MD5
76c1ef0cb437db144c2bed53a5a8a5d7

SHA1
aaab8fff649f8e46d1e9510018118ee9abe01498

SHA256
505d3c4de7d9cf8f0155b5b1a3c8792bc0ca2eda6781b441bd85455f144be22e

SHA512
822bf9feda91c89539d263c6c9053163e8dfa3c511195bc61a9b608b4687fb4048733323f03dd30a7ab661a4be4acf6c8d8ae7bb6723771122540a9551899c3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg9607.tmp\app\js\windows\modal\modal-controller.js

Filesize
2KB

MD5
b04bdfd1c7d09bdbdb94a2455fdd677b

SHA1
f000ba4866ff16d75bfd6cf446763498e19b12b1

SHA256
4565ee81ffe222b31982088b1c18850076e3acf59198ebce08118e12cbd87ea1

SHA512
3cb6ef0a16309046e7f407e7321eb12212b0eec09ec1a04b1d813f6c7a04546714865c3b398a93985041f598156ed905ebd23a64260801281b29ada9bc19ec5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg9607.tmp\app\manifest.json

Filesize
691B

MD5
b22a7aee785fd57c82dd5f7f76a0b300

SHA1
97528822fed8e42faa0de1f4d4c3de61cc6ce1e3

SHA256
53faf2f62e7aa22b60bc926803461213ce4230e114fce86acfe5cfd720f1dfb4

SHA512
4c66855ae30762b53f6f31bcfd3a24183614f8be716dc08180d5df2c71729ff0f1957ab04fc43b70e73c7e95511143e42dfde8150d2feb758804fecb12dd877d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg9607.tmp\log4net.dll

Filesize
270KB

MD5
f15c8a9e2876568b3910189b2d493706

SHA1
32634db97e7c1705286cb1ac5ce20bc4e0ec17af

SHA256
ae9c8073c3357c490f5d1c64101362918357c568f6b9380a60b09a4a4c1ff309

SHA512
805cd0a70aba2f1cf66e557d51ad30d42b32fbafcfbc6685ec204bc69847619479f653f4f33a4e466055707880d982eb1574ddab8edfa3c641e51cda950e2a0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg9607.tmp\uac.dll

Filesize
24KB

MD5
861f7e800bb28f68927e65719869409c

SHA1
a12bfcd2b9950e758ead281a9afbf1895bf10539

SHA256
10a0e8cf46038ab3b2c3cf5dce407b9a043a631cbde9a5c8bcf0a54b2566c010

SHA512
f2bf24a0da69bbe4b4a0f0b1bfc5af175a66b8bcc4f5cc379ed0b89166fa9ffe1e16206b41fca7260ac7f8b86f8695b76f016bb371d7642aa71e61e29a3976eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg9607.tmp\utils.dll

Filesize
58KB

MD5
c6b46a5fcdccbf3aeff930b1e5b383d4

SHA1
6d5a8e08de862b283610bad2f6ce44936f439821

SHA256
251ab3e2690562dcfcd510642607f206e6dcf626d06d94b74e1fa8297b1050a0

SHA512
97616475ef425421959489b650810b185488fcb02a1e90406b3014e948e66e5101df583815fd2be26d9c4d293a46b02ba4025426f743e682ed15d228f027f55c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsm9849.tmp\DotNetZip.dll

Filesize
467KB

MD5
190e712f2e3b065ba3d5f63cb9b7725e

SHA1
75c1c8dd93c7c8a4b3719bb77c6e1d1a1620ae12

SHA256
6c512d9943a225d686b26fc832589e4c8bef7c4dd0a8bdfd557d5d27fe5bba0f

SHA512
2b4898d2d6982917612d04442807bd58c37739b2e4b302c94f41e03e685e24b9183b12de2057b3b303483698ad95e3a37795e6eb6d2d3b71e332b59deeca7d02

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsm9849.tmp\Microsoft.Win32.TaskScheduler.dll

Filesize
126KB

MD5
85f06c0b15781744fcf55c4e9bcca80d

SHA1
2e0cb9a364d7cfe1371a5917b2af6aee58145ef3

SHA256
42cde788e9d0f85ed71b4d1adaa313dc054ac2af58415d6d508507a661c8c70c

SHA512
408618f635b9a800ebd3d019f5037c418f38e06891ba9404bf39f88ebe6363d34c7ab49ca2bf448c86f9ee67881c018b0f18d028c2bae6d0351c04478abd2bcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsm9849.tmp\Newtonsoft.Json.dll

Filesize
692KB

MD5
98cbb64f074dc600b23a2ee1a0f46448

SHA1
c5e5ec666eeb51ec15d69d27685fe50148893e34

SHA256
7b44639cbfbc8ddac8c7a3de8ffa97a7460bebb0d54e9ff2e1ccdc3a742c2b13

SHA512
eb9eabee5494f5eb1062a33cc605b66d051da6c6990860fe4fd20e5b137458277a636cf27c4f133012d7e0efaa5feb6f48f1e2f342008482c951a6d61feec147

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsm9849.tmp\nsis7z64.dll

Filesize
514KB

MD5
284c46af1fd2ec3a60ee0c28f276f2a4

SHA1
4d4d41c0af12d928e4e553ab6b80e6b4ab8007bc

SHA256
2368be6d8b21e0047146d3f61f90966a71d0737eed0146bc692b59f3cac97793

SHA512
ca9e4ef79c9c7c5f2282ddeee34ec39a51cddf26dcad4e9f2e42230499b0b898ac2dfd33f25438aa995741d23037fa01a0269823c283b234ecec0f155d3c05ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsm9849.tmp\websocket-sharp.dll

Filesize
270KB

MD5
bd907f40168a3bc1590ee1f22be99014

SHA1
bd3324408817dcfef89595fa2a78acc5497a3f3f

SHA256
0c55480ef4020fddb567cf4487c5a44077a966ec6079b19faecd3e69dd991ad4

SHA512
af669cabcdaf405dde0aa42e04c7ff2234121ff87112b3b30479d24e1f77e120be72e257c1e4d1b436882879cd8c4657634f6f155548f4aa48bdc8fb51ee0065

Download Submit
C:\Users\Admin\AppData\Local\Temp\ow-electron\InstallerTrace_2024-12-19_21-30_2288.log

Filesize
1KB

MD5
cb246f2d3520c3ed4b3404bfd0853c02

SHA1
bbce9557d056817296d359ca1d3fbf883ebab0d0

SHA256
e74ced6e74a1943c12370dc691191c7e920a2530adb81b3ea8c9c7e3bf7a1425

SHA512
2d9470e92a5c42b845589199d2a450fd9d773185c300b6dd2ed124ebc8cd3fd19716816923bbc047d1bcd4080016a222b623672004453e6494c3123d0b58847c

Download Submit
memory/1644-776-0x00007FFCDB270000-0x00007FFCDB280000-memory.dmp

Filesize
64KB

Download
memory/1644-782-0x00007FFCD9210000-0x00007FFCD9220000-memory.dmp

Filesize
64KB

Download
memory/1644-781-0x00007FFCD9210000-0x00007FFCD9220000-memory.dmp

Filesize
64KB

Download
memory/1644-780-0x00007FFCDB270000-0x00007FFCDB280000-memory.dmp

Filesize
64KB

Download
memory/1644-779-0x00007FFCDB270000-0x00007FFCDB280000-memory.dmp

Filesize
64KB

Download
memory/1644-778-0x00007FFCDB270000-0x00007FFCDB280000-memory.dmp

Filesize
64KB

Download
memory/1644-777-0x00007FFCDB270000-0x00007FFCDB280000-memory.dmp

Filesize
64KB

Download
memory/2288-463-0x00000290CB4D0000-0x00000290CB516000-memory.dmp

Filesize
280KB

Download
memory/2288-489-0x00000290CB8F0000-0x00000290CB9A0000-memory.dmp

Filesize
704KB

Download
memory/2288-373-0x00000290CB420000-0x00000290CB4C6000-memory.dmp

Filesize
664KB

Download
memory/2288-467-0x00000290CB540000-0x00000290CB558000-memory.dmp

Filesize
96KB

Download
memory/2288-367-0x00000290B0FD0000-0x00000290B101E000-memory.dmp

Filesize
312KB

Download
memory/2288-418-0x00000290B2B90000-0x00000290B2BA4000-memory.dmp

Filesize
80KB

Download
memory/2288-461-0x00000290CBAD0000-0x00000290CBFF8000-memory.dmp

Filesize
5.2MB

Download
memory/2288-510-0x00000290CB840000-0x00000290CB862000-memory.dmp

Filesize
136KB

Download
memory/2580-559-0x0000022B436D0000-0x0000022B43E76000-memory.dmp

Filesize
7.6MB

Download
memory/2684-171-0x00000000009A0000-0x00000000009A1000-memory.dmp

Filesize
4KB

Download
memory/2684-828-0x00000000009A0000-0x00000000009A1000-memory.dmp

Filesize
4KB

Download
memory/2684-827-0x0000000000400000-0x00000000006D9000-memory.dmp

Filesize
2.8MB

Download
memory/2684-832-0x0000000000400000-0x00000000006D9000-memory.dmp

Filesize
2.8MB

Download
memory/2684-857-0x0000000000400000-0x00000000006D9000-memory.dmp

Filesize
2.8MB

Download
memory/3484-0-0x0000000002470000-0x0000000002471000-memory.dmp

Filesize
4KB

Download
memory/3484-157-0x0000000000400000-0x00000000006D9000-memory.dmp

Filesize
2.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads