xred | db0e411a92e50a355454661f59b72cba859f17069a246895e3f4f0c3e62cf137

Analysis

max time kernel
149s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
08-01-2025 17:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-01-08_06de160b924d40d3e9fa1ec4a7a126bb_avoslocker_hijackloader_luca-stealer.exe
Size

3.1MB
MD5

06de160b924d40d3e9fa1ec4a7a126bb
SHA1

c7e29826c3f4107d3c2494e6bb2a36a7b3a044aa
SHA256

db0e411a92e50a355454661f59b72cba859f17069a246895e3f4f0c3e62cf137
SHA512

87e3a3fba9834253678f69e842b1185ff5510941e91ac4c1a1702e000aa1e5d694e1605f6b3404a97a65f397578fd32da4f8a7987ad9cbb88065ea7ef41fb875
SSDEEP

49152:5dGnsHyjtk2MYC5GDoOU/zXNUfEeXAxhF2rl/IuOryOvKODjj3POMjUfkptVxp/0:TGnsmtk2apOU/jIEeQfoR/IuOFVjUu5W

Score

10^/10

xred backdoor discovery persistence

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	.Synaptics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	2025-01-08_06de160b924d40d3e9fa1ec4a7a126bb_avoslocker_hijackloader_luca-stealer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	zgokr00.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	.2025-01-08_06de160b924d40d3e9fa1ec4a7a126bb_avoslocker_hijackloader_luca-stealer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Synaptics.exe

Executes dropped EXE 10 IoCs

pid	Process
2348	zgokr00.exe
4856	.2025-01-08_06de160b924d40d3e9fa1ec4a7a126bb_avoslocker_hijackloader_luca-stealer.exe
4816	vshost32.exe
3248	._cache_.2025-01-08_06de160b924d40d3e9fa1ec4a7a126bb_avoslocker_hijackloader_luca-stealer.exe
4360	._cache_.2025-01-08_06de160b924d40d3e9fa1ec4a7a126bb_avoslocker_hijackloader_luca-stealer.exe
1200	Synaptics.exe
3984	zgokr00.exe
2412	.Synaptics.exe
2836	._cache_.Synaptics.exe
1596	._cache_.Synaptics.exe

Loads dropped DLL 2 IoCs

pid	Process
4816	vshost32.exe
4816	vshost32.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	.2025-01-08_06de160b924d40d3e9fa1ec4a7a126bb_avoslocker_hijackloader_luca-stealer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ScdBcd = "C:\\Users\\Admin\\AppData\\Roaming\\Dibifu_9\\vshost32.exe"	vshost32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zgokr00.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vshost32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_.2025-01-08_06de160b924d40d3e9fa1ec4a7a126bb_avoslocker_hijackloader_luca-stealer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zgokr00.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	.Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-01-08_06de160b924d40d3e9fa1ec4a7a126bb_avoslocker_hijackloader_luca-stealer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_.2025-01-08_06de160b924d40d3e9fa1ec4a7a126bb_avoslocker_hijackloader_luca-stealer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_.Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_.Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	.2025-01-08_06de160b924d40d3e9fa1ec4a7a126bb_avoslocker_hijackloader_luca-stealer.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	.2025-01-08_06de160b924d40d3e9fa1ec4a7a126bb_avoslocker_hijackloader_luca-stealer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	.Synaptics.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
4660	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 49 IoCs

pid	Process
4552	2025-01-08_06de160b924d40d3e9fa1ec4a7a126bb_avoslocker_hijackloader_luca-stealer.exe
1200	Synaptics.exe
1200	Synaptics.exe
1200	Synaptics.exe
1200	Synaptics.exe
1200	Synaptics.exe
1200	Synaptics.exe
1200	Synaptics.exe
1200	Synaptics.exe
1200	Synaptics.exe
1200	Synaptics.exe
1200	Synaptics.exe
1200	Synaptics.exe
1200	Synaptics.exe
1200	Synaptics.exe
1200	Synaptics.exe
1200	Synaptics.exe
1200	Synaptics.exe
1200	Synaptics.exe
1200	Synaptics.exe
1200	Synaptics.exe
1200	Synaptics.exe
1200	Synaptics.exe
1200	Synaptics.exe
1200	Synaptics.exe
1200	Synaptics.exe
1200	Synaptics.exe
1200	Synaptics.exe
1200	Synaptics.exe
1200	Synaptics.exe
1200	Synaptics.exe
1200	Synaptics.exe
1200	Synaptics.exe
1200	Synaptics.exe
1200	Synaptics.exe
1200	Synaptics.exe
1200	Synaptics.exe
1200	Synaptics.exe
1200	Synaptics.exe
1200	Synaptics.exe
1200	Synaptics.exe
1200	Synaptics.exe
1200	Synaptics.exe
1200	Synaptics.exe
1200	Synaptics.exe
1200	Synaptics.exe
1200	Synaptics.exe
1200	Synaptics.exe
1200	Synaptics.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4552	2025-01-08_06de160b924d40d3e9fa1ec4a7a126bb_avoslocker_hijackloader_luca-stealer.exe
Token: SeDebugPrivilege	1200	Synaptics.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
4660	EXCEL.EXE
4660	EXCEL.EXE
4660	EXCEL.EXE
4660	EXCEL.EXE
4660	EXCEL.EXE
4660	EXCEL.EXE
4660	EXCEL.EXE
4660	EXCEL.EXE
4360	._cache_.2025-01-08_06de160b924d40d3e9fa1ec4a7a126bb_avoslocker_hijackloader_luca-stealer.exe
4360	._cache_.2025-01-08_06de160b924d40d3e9fa1ec4a7a126bb_avoslocker_hijackloader_luca-stealer.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 4552 wrote to memory of 2348	4552	2025-01-08_06de160b924d40d3e9fa1ec4a7a126bb_avoslocker_hijackloader_luca-stealer.exe	82
PID 4552 wrote to memory of 2348	4552	2025-01-08_06de160b924d40d3e9fa1ec4a7a126bb_avoslocker_hijackloader_luca-stealer.exe	82
PID 4552 wrote to memory of 2348	4552	2025-01-08_06de160b924d40d3e9fa1ec4a7a126bb_avoslocker_hijackloader_luca-stealer.exe	82
PID 4552 wrote to memory of 4856	4552	2025-01-08_06de160b924d40d3e9fa1ec4a7a126bb_avoslocker_hijackloader_luca-stealer.exe	83
PID 4552 wrote to memory of 4856	4552	2025-01-08_06de160b924d40d3e9fa1ec4a7a126bb_avoslocker_hijackloader_luca-stealer.exe	83
PID 4552 wrote to memory of 4856	4552	2025-01-08_06de160b924d40d3e9fa1ec4a7a126bb_avoslocker_hijackloader_luca-stealer.exe	83
PID 2348 wrote to memory of 4816	2348	zgokr00.exe	84
PID 2348 wrote to memory of 4816	2348	zgokr00.exe	84
PID 2348 wrote to memory of 4816	2348	zgokr00.exe	84
PID 2348 wrote to memory of 2472	2348	zgokr00.exe	85
PID 2348 wrote to memory of 2472	2348	zgokr00.exe	85
PID 2348 wrote to memory of 2472	2348	zgokr00.exe	85
PID 2472 wrote to memory of 3556	2472	cmd.exe	87
PID 2472 wrote to memory of 3556	2472	cmd.exe	87
PID 2472 wrote to memory of 3556	2472	cmd.exe	87
PID 4856 wrote to memory of 3248	4856	.2025-01-08_06de160b924d40d3e9fa1ec4a7a126bb_avoslocker_hijackloader_luca-stealer.exe	88
PID 4856 wrote to memory of 3248	4856	.2025-01-08_06de160b924d40d3e9fa1ec4a7a126bb_avoslocker_hijackloader_luca-stealer.exe	88
PID 4856 wrote to memory of 3248	4856	.2025-01-08_06de160b924d40d3e9fa1ec4a7a126bb_avoslocker_hijackloader_luca-stealer.exe	88
PID 3248 wrote to memory of 4360	3248	._cache_.2025-01-08_06de160b924d40d3e9fa1ec4a7a126bb_avoslocker_hijackloader_luca-stealer.exe	89
PID 3248 wrote to memory of 4360	3248	._cache_.2025-01-08_06de160b924d40d3e9fa1ec4a7a126bb_avoslocker_hijackloader_luca-stealer.exe	89
PID 3248 wrote to memory of 4360	3248	._cache_.2025-01-08_06de160b924d40d3e9fa1ec4a7a126bb_avoslocker_hijackloader_luca-stealer.exe	89
PID 4856 wrote to memory of 1200	4856	.2025-01-08_06de160b924d40d3e9fa1ec4a7a126bb_avoslocker_hijackloader_luca-stealer.exe	90
PID 4856 wrote to memory of 1200	4856	.2025-01-08_06de160b924d40d3e9fa1ec4a7a126bb_avoslocker_hijackloader_luca-stealer.exe	90
PID 4856 wrote to memory of 1200	4856	.2025-01-08_06de160b924d40d3e9fa1ec4a7a126bb_avoslocker_hijackloader_luca-stealer.exe	90
PID 1200 wrote to memory of 3984	1200	Synaptics.exe	91
PID 1200 wrote to memory of 3984	1200	Synaptics.exe	91
PID 1200 wrote to memory of 3984	1200	Synaptics.exe	91
PID 1200 wrote to memory of 2412	1200	Synaptics.exe	92
PID 1200 wrote to memory of 2412	1200	Synaptics.exe	92
PID 1200 wrote to memory of 2412	1200	Synaptics.exe	92
PID 2412 wrote to memory of 2836	2412	.Synaptics.exe	93
PID 2412 wrote to memory of 2836	2412	.Synaptics.exe	93
PID 2412 wrote to memory of 2836	2412	.Synaptics.exe	93
PID 2836 wrote to memory of 1596	2836	._cache_.Synaptics.exe	95
PID 2836 wrote to memory of 1596	2836	._cache_.Synaptics.exe	95
PID 2836 wrote to memory of 1596	2836	._cache_.Synaptics.exe	95

C:\Users\Admin\AppData\Local\Temp\2025-01-08_06de160b924d40d3e9fa1ec4a7a126bb_avoslocker_hijackloader_luca-stealer.exe
"C:\Users\Admin\AppData\Local\Temp\2025-01-08_06de160b924d40d3e9fa1ec4a7a126bb_avoslocker_hijackloader_luca-stealer.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4552
- C:\Users\Admin\AppData\Local\Temp\zgokr00.exe
  "C:\Users\Admin\AppData\Local\Temp\zgokr00.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2348
- - C:\Users\Admin\AppData\Roaming\Dibifu_9\vshost32.exe
    "C:\Users\Admin\AppData\Roaming\Dibifu_9\vshost32.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:4816
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del C:\Users\Admin\AppData\Local\Temp\zgokr00.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2472
  - - C:\Windows\SysWOW64\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      System Location Discovery: System Language Discovery
      PID:3556
- C:\Users\Admin\AppData\Local\Temp\.2025-01-08_06de160b924d40d3e9fa1ec4a7a126bb_avoslocker_hijackloader_luca-stealer.exe
  "C:\Users\Admin\AppData\Local\Temp\.2025-01-08_06de160b924d40d3e9fa1ec4a7a126bb_avoslocker_hijackloader_luca-stealer.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4856
- - C:\Users\Admin\AppData\Local\Temp\._cache_.2025-01-08_06de160b924d40d3e9fa1ec4a7a126bb_avoslocker_hijackloader_luca-stealer.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_.2025-01-08_06de160b924d40d3e9fa1ec4a7a126bb_avoslocker_hijackloader_luca-stealer.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3248
  - - C:\Users\Admin\AppData\Local\Temp\jds240636359.tmp\._cache_.2025-01-08_06de160b924d40d3e9fa1ec4a7a126bb_avoslocker_hijackloader_luca-stealer.exe
      "C:\Users\Admin\AppData\Local\Temp\jds240636359.tmp\._cache_.2025-01-08_06de160b924d40d3e9fa1ec4a7a126bb_avoslocker_hijackloader_luca-stealer.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:4360
- - C:\ProgramData\Synaptics\Synaptics.exe
    "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1200
  - - C:\Users\Admin\AppData\Local\Temp\zgokr00.exe
      "C:\Users\Admin\AppData\Local\Temp\zgokr00.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3984
  - - C:\ProgramData\Synaptics\.Synaptics.exe
      "C:\ProgramData\Synaptics\.Synaptics.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2412
    - - C:\Users\Admin\AppData\Local\Temp\._cache_.Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_.Synaptics.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2836
      - C:\Users\Admin\AppData\Local\Temp\jds240639500.tmp\._cache_.Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\jds240639500.tmp\._cache_.Synaptics.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1596

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
3.1MB

MD5
a42708c7d793a3b61ba3c28ddb76565e

SHA1
d6e1ac1372518c6816ad3d1ab7361f8447df2c6e

SHA256
2b34214a8c803520745b29485e34a20d0c12ce81c7356aa11d0e980835e6ef8e

SHA512
658061445bf01f4f06c1e57e373c171061d65efadff36238ec083c6a05ae1a22103414b45dc182a639ed6f9f8d096aea7d6671bdcef20d543bd2b3f21fa7822f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\zgokr00.exe.log

Filesize
1KB

MD5
7ebe314bf617dc3e48b995a6c352740c

SHA1
538f643b7b30f9231a3035c448607f767527a870

SHA256
48178f884b8a4dd96e330b210b0530667d9473a7629fc6b4ad12b614bf438ee8

SHA512
0ba9d8f4244c15285e254d27b4bff7c49344ff845c48bc0bf0d8563072fab4d6f7a6abe6b6742e8375a08e9a3b3e5d5dc4937ab428dbe2dd8e62892fda04507e

Download Submit
C:\Users\Admin\AppData\Local\Temp\.2025-01-08_06de160b924d40d3e9fa1ec4a7a126bb_avoslocker_hijackloader_luca-stealer.exe

Filesize
3.0MB

MD5
864aaf86f3c22e6370742fab8821f738

SHA1
21dc4ce7892765671668d7c2b784b14ef7f7bdd1

SHA256
952ec7fec4cfdf64142995052776e8346f082b105cf26c5d0a94995f03582923

SHA512
62c32126de48fe890c5aef5152c7146e07c48aaaa01ae6cfe4d122f23f06b1d6756e52efc6ddea01a0936932669d5863acd7688dab3fef89b188c0bc65ec3b73

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_.2025-01-08_06de160b924d40d3e9fa1ec4a7a126bb_avoslocker_hijackloader_luca-stealer.exe

Filesize
2.2MB

MD5
d6d7f90978a6aa6a4bb1eaa53154881d

SHA1
9a2e8a8464bf5b28229faea669f2ae6d6a0973d2

SHA256
5cb03fddbe1e55a14282171eb4768a8cffa1d12a7123a63caba364c8f5495a54

SHA512
ff8190d9fdc1cee5838c31808bf347af089624c9fe971c10fe8cecfd39a6cafde13dfc82694184e854e9e734d66ae1f0a961fcef4afd8b2740eb2c6afbf51e06

Download Submit
C:\Users\Admin\AppData\Local\Temp\56E75E00

Filesize
21KB

MD5
64a6a3e54814128eb7bad220b5b23466

SHA1
cd36f3adfd3771a36292ce351cd3a4008663d140

SHA256
a75646354f2ba45a52892a2a45e16912ae4c6286900149b249a6c3c9ea5decd5

SHA512
113ff12146ad2a239d4bc68559e9294b742cf715ecce58a9aeeec33a08aef4ed9881340a0bc39b8920f5f18fc2ac292396f33e2065553c61f2700cccbc73a99c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Fyb7ISdr.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\RCXD254.tmp

Filesize
182KB

MD5
a72fdeb367d01313d3bb84d705928ae3

SHA1
5d18508c8e09808c3be38c6ecad0f75198eec5c3

SHA256
dc50f43227259376b18c450471ac19a426a21d6ebe5f5bc8b821b053ab0431e6

SHA512
46ef2f75d0762dd64e6d102398a506d1c58848dd23e58dc5e28a2dca2992a32f180c86803f8400cbe62ecafe62b059b291871c8c33b16a32003ec67ac99a95b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\jds240636359.tmp\._cache_.2025-01-08_06de160b924d40d3e9fa1ec4a7a126bb_avoslocker_hijackloader_luca-stealer.exe

Filesize
1.9MB

MD5
a05dbfbe3a88017f1ec5b2abf96ed0ad

SHA1
7ee98080fe870e6be5828ab4d82982367532ddb3

SHA256
8b73184c395fac04d2dcb40244430a9b9d4e3094a06d8a4d129435e00f147171

SHA512
5a600c2984c761b34e1aacaa73c8e6848bdc488a9582c8f30076f883644a93455fc9f57a9bb142ae8607df2e2ef02522e797712ab35a957238865820a115457a

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log

Filesize
166KB

MD5
428e83b57defcde7bb85649df5ad6288

SHA1
2d016660876596a409c52b40653277264e6d1eae

SHA256
5d07575b8ca77b2b8b79e9e33871f3520b3bd5dda2ac6c7bf17abaecbfce7d71

SHA512
2ef75a37a9bee89f5401c1aa811bde2d0ad552009ffe3ce16461139cbb36f221c423959161e2a3f03a178c859d322b3b26fe59425d3934f2e6113bd952e90492

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log

Filesize
192KB

MD5
3a184b5e809fbbf5b25bfbb87f539761

SHA1
f0263c02a0197dd9cc1f82d489e706b1e6af06b4

SHA256
894f7581bcba44d8f28e79f2ec05eb7b4ffc6b8c496340ff2f188320c40bbf6a

SHA512
cd28098a2402a766352295bb92f5a322102385d3d701286e559d9afe6d07f8b3cc02fd454c94dcb5da96fa22bef5c02a45cacb7b18d80654cfb9e526c327b044

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log

Filesize
194KB

MD5
e1f0026148421e244dbcb95fdba7cf0e

SHA1
9a71e6985c246ad8fd43784902c154242947ca11

SHA256
2b193e95425e59c466700833c235be75b2830495b75f3787d29587111d6a1d58

SHA512
b0899fdb404b00ea0acee5f77f76f615eb6352f1a405d6cf3fc5c819c08115704491ff80b261663cb5587eb31ac0ebaff9dc73845a97debbf6247dff2a46e348

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log

Filesize
210KB

MD5
670f72f29d278c418b62b8f4cd86bb0b

SHA1
0f106b668dc16f523f0661547e3c58ee3c869d6d

SHA256
ee1df1825d43a8fe0c748ef6f5cc979eeb30cba722622b785ea62bfb661a2c69

SHA512
41612bdac4f7b162d0e541d7eab65ccd6e995200528636bb28958bf18a72d6252032e493d717f07a256bd6ffe84212cc1b872c34f614ac4d4de05eab5b0e8e64

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log

Filesize
211KB

MD5
afd0062c520cf2819162dda67fc13bfb

SHA1
84dcea78560773a77c05cde2fd0d106169bc28c1

SHA256
3f75712617e1d559e6093920642f1d93fbc4d32989e038fa254924891fc4f8b6

SHA512
f500c4c3ed12d0a064bb29db9b9c37ec1bc41e3d4324c7ad2bb9f966615e6a3d72114fa3ce93f8a25328296b714720a84cebdf54d22b0ae036324101900d8442

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log

Filesize
211KB

MD5
3ec38388bfa20b14349b831a3f3d04f9

SHA1
d3b39b20004333b76676eb9be25c6cc62b0c843d

SHA256
c4d508cebe95447952b979d158656aff86d118c730661476fa18a9e4c0973b36

SHA512
25d64079ea0e50c60cc5c4790190b3290cda724cb084e208a906d12b669b48b2f49bbebd0d172493a61a4e4b7a6154d60f209504f6843be154b83da0c294308c

Download Submit
C:\Users\Admin\AppData\Local\Temp\zgokr00.exe

Filesize
182KB

MD5
12025f53654932a1447f834c8244da33

SHA1
b1c8ac3e2321b0b877259e86f5c1e6185981039e

SHA256
5511656dc76471aff945a98bb037fee4e97a33a2e21d52960d41651cb178ae87

SHA512
4e5852e3222b24813025cdec77994df22d08941e15ef4f408b82f71ae9966e4fb823dc269c9916dd33bff84e14ee35bf0e1e0fc722cfd53f604d42b48b246299

Download Submit
C:\Users\Admin\AppData\Roaming\Dibifu_9\IconExtractor.dll

Filesize
10KB

MD5
a21a157e7f27cb80cdd82cdb02dc2da6

SHA1
90a8a42d7356f06b1c144e657071461ddb224752

SHA256
35ba8730dd874fca3c0348bb38f972c099dbc7ba0f1c9b748dcfebdde1b0004e

SHA512
c4c68a9fa6f130526a0a0ec010d92dae38b81aebcf0fa3256b561987aa7b26e98b69bbc2acad4bafdc29ee2e6f714d81583baac2e28a8a25f62045ad84dba2a5

Download Submit
memory/2348-25-0x0000000074A80000-0x0000000075230000-memory.dmp

Filesize
7.7MB

Download
memory/2348-23-0x0000000074A80000-0x0000000075230000-memory.dmp

Filesize
7.7MB

Download
memory/2348-51-0x0000000074A80000-0x0000000075230000-memory.dmp

Filesize
7.7MB

Download
memory/2348-24-0x0000000000E60000-0x0000000000E94000-memory.dmp

Filesize
208KB

Download
memory/2412-492-0x0000000000400000-0x00000000006FB000-memory.dmp

Filesize
3.0MB

Download
memory/2412-473-0x0000000000400000-0x00000000006FB000-memory.dmp

Filesize
3.0MB

Download
memory/2412-400-0x0000000000400000-0x00000000006FB000-memory.dmp

Filesize
3.0MB

Download
memory/4552-4-0x00000000053E0000-0x00000000053EA000-memory.dmp

Filesize
40KB

Download
memory/4552-3-0x0000000005450000-0x00000000054E2000-memory.dmp

Filesize
584KB

Download
memory/4552-0-0x0000000074A8E000-0x0000000074A8F000-memory.dmp

Filesize
4KB

Download
memory/4552-1-0x0000000000AE0000-0x0000000000B14000-memory.dmp

Filesize
208KB

Download
memory/4552-5-0x0000000074A80000-0x0000000075230000-memory.dmp

Filesize
7.7MB

Download
memory/4552-258-0x0000000074A80000-0x0000000075230000-memory.dmp

Filesize
7.7MB

Download
memory/4552-2-0x0000000005960000-0x0000000005F04000-memory.dmp

Filesize
5.6MB

Download
memory/4660-349-0x00007FF843590000-0x00007FF8435A0000-memory.dmp

Filesize
64KB

Download
memory/4660-355-0x00007FF841130000-0x00007FF841140000-memory.dmp

Filesize
64KB

Download
memory/4660-354-0x00007FF841130000-0x00007FF841140000-memory.dmp

Filesize
64KB

Download
memory/4660-353-0x00007FF843590000-0x00007FF8435A0000-memory.dmp

Filesize
64KB

Download
memory/4660-352-0x00007FF843590000-0x00007FF8435A0000-memory.dmp

Filesize
64KB

Download
memory/4660-350-0x00007FF843590000-0x00007FF8435A0000-memory.dmp

Filesize
64KB

Download
memory/4660-351-0x00007FF843590000-0x00007FF8435A0000-memory.dmp

Filesize
64KB

Download
memory/4816-133-0x0000000005C10000-0x0000000005C18000-memory.dmp

Filesize
32KB

Download
memory/4856-247-0x0000000000400000-0x00000000006FB000-memory.dmp

Filesize
3.0MB

Download