xred | aec08458d6c65f48f62b1cbf2d06d8b8fa613cc11eb65bee6987046559f35ed8

Analysis

max time kernel
142s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
12/01/2025, 07:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-01-12_d3598f91b2ac9b50fc4ab79d984c289b_darkgate_magniber.exe
Size

6.1MB
MD5

d3598f91b2ac9b50fc4ab79d984c289b
SHA1

b11ce902780e0b06f080b147f1ea6abea7728881
SHA256

aec08458d6c65f48f62b1cbf2d06d8b8fa613cc11eb65bee6987046559f35ed8
SHA512

c5bec3a8afe3414fbc2f7ea3939b165cf5ab3b768ed068988896b3b2be74cb8f6909932061796edc17e9f5dc07a71f5e667691b564e7804c5559601a0522f980
SSDEEP

196608:pLkjkq5tgtRceR9dWcvKgS8ccUjkq5tgtRcA:pp9WcigS/Q

Score

10^/10

xred backdoor discovery persistence

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	2025-01-12_d3598f91b2ac9b50fc4ab79d984c289b_darkgate_magniber.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	Synaptics.exe

Executes dropped EXE 11 IoCs

pid	Process
2408	._cache_2025-01-12_d3598f91b2ac9b50fc4ab79d984c289b_darkgate_magniber.exe
1444	setup.exe
1848	Synaptics.exe
5040	._cache_Synaptics.exe
4144	ISBEW64.exe
3444	setup.exe
2132	ISBEW64.exe
4332	ISBEW64.exe
3000	ISBEW64.exe
1344	ISBEW64.exe
4576	ISBEW64.exe

Loads dropped DLL 7 IoCs

pid	Process
1444	setup.exe
1444	setup.exe
1444	setup.exe
1444	setup.exe
1444	setup.exe
1444	setup.exe
1444	setup.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	2025-01-12_d3598f91b2ac9b50fc4ab79d984c289b_darkgate_magniber.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-01-12_d3598f91b2ac9b50fc4ab79d984c289b_darkgate_magniber.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_2025-01-12_d3598f91b2ac9b50fc4ab79d984c289b_darkgate_magniber.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	2025-01-12_d3598f91b2ac9b50fc4ab79d984c289b_darkgate_magniber.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2360	EXCEL.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2360	EXCEL.EXE
2360	EXCEL.EXE
2360	EXCEL.EXE
2360	EXCEL.EXE
2360	EXCEL.EXE
2360	EXCEL.EXE

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 1216 wrote to memory of 2408	1216	2025-01-12_d3598f91b2ac9b50fc4ab79d984c289b_darkgate_magniber.exe	83
PID 1216 wrote to memory of 2408	1216	2025-01-12_d3598f91b2ac9b50fc4ab79d984c289b_darkgate_magniber.exe	83
PID 1216 wrote to memory of 2408	1216	2025-01-12_d3598f91b2ac9b50fc4ab79d984c289b_darkgate_magniber.exe	83
PID 2408 wrote to memory of 1444	2408	._cache_2025-01-12_d3598f91b2ac9b50fc4ab79d984c289b_darkgate_magniber.exe	84
PID 2408 wrote to memory of 1444	2408	._cache_2025-01-12_d3598f91b2ac9b50fc4ab79d984c289b_darkgate_magniber.exe	84
PID 2408 wrote to memory of 1444	2408	._cache_2025-01-12_d3598f91b2ac9b50fc4ab79d984c289b_darkgate_magniber.exe	84
PID 1216 wrote to memory of 1848	1216	2025-01-12_d3598f91b2ac9b50fc4ab79d984c289b_darkgate_magniber.exe	85
PID 1216 wrote to memory of 1848	1216	2025-01-12_d3598f91b2ac9b50fc4ab79d984c289b_darkgate_magniber.exe	85
PID 1216 wrote to memory of 1848	1216	2025-01-12_d3598f91b2ac9b50fc4ab79d984c289b_darkgate_magniber.exe	85
PID 1848 wrote to memory of 5040	1848	Synaptics.exe	86
PID 1848 wrote to memory of 5040	1848	Synaptics.exe	86
PID 1848 wrote to memory of 5040	1848	Synaptics.exe	86
PID 1444 wrote to memory of 4144	1444	setup.exe	87
PID 1444 wrote to memory of 4144	1444	setup.exe	87
PID 5040 wrote to memory of 3444	5040	._cache_Synaptics.exe	88
PID 5040 wrote to memory of 3444	5040	._cache_Synaptics.exe	88
PID 5040 wrote to memory of 3444	5040	._cache_Synaptics.exe	88
PID 1444 wrote to memory of 2132	1444	setup.exe	89
PID 1444 wrote to memory of 2132	1444	setup.exe	89
PID 1444 wrote to memory of 4332	1444	setup.exe	90
PID 1444 wrote to memory of 4332	1444	setup.exe	90
PID 1444 wrote to memory of 3000	1444	setup.exe	91
PID 1444 wrote to memory of 3000	1444	setup.exe	91
PID 1444 wrote to memory of 1344	1444	setup.exe	92
PID 1444 wrote to memory of 1344	1444	setup.exe	92
PID 1444 wrote to memory of 4576	1444	setup.exe	94
PID 1444 wrote to memory of 4576	1444	setup.exe	94

C:\Users\Admin\AppData\Local\Temp\2025-01-12_d3598f91b2ac9b50fc4ab79d984c289b_darkgate_magniber.exe
"C:\Users\Admin\AppData\Local\Temp\2025-01-12_d3598f91b2ac9b50fc4ab79d984c289b_darkgate_magniber.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1216
- C:\Users\Admin\AppData\Local\Temp\._cache_2025-01-12_d3598f91b2ac9b50fc4ab79d984c289b_darkgate_magniber.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_2025-01-12_d3598f91b2ac9b50fc4ab79d984c289b_darkgate_magniber.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2408
- - C:\Users\Admin\AppData\Local\Temp\{D8890414-5EE6-4068-92CE-B262ADDFC6E0}\setup.exe
    C:\Users\Admin\AppData\Local\Temp\{D8890414-5EE6-4068-92CE-B262ADDFC6E0}\setup.exe -package:"C:\Users\Admin\AppData\Local\Temp\._cache_2025-01-12_d3598f91b2ac9b50fc4ab79d984c289b_darkgate_magniber.exe" -no_selfdeleter -IS_temp -media_path:"C:\Users\Admin\AppData\Local\Temp\{D8890414-5EE6-4068-92CE-B262ADDFC6E0}\Disk1\" -tempdisk1folder:"C:\Users\Admin\AppData\Local\Temp\{D8890414-5EE6-4068-92CE-B262ADDFC6E0}\" -IS_OriginalLauncher:"C:\Users\Admin\AppData\Local\Temp\{D8890414-5EE6-4068-92CE-B262ADDFC6E0}\Disk1\setup.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1444
  - - C:\Users\Admin\AppData\Local\Temp\{9DB071A1-B323-493B-A8B1-3CB82D0FCBDA}\ISBEW64.exe
      C:\Users\Admin\AppData\Local\Temp\{9DB071A1-B323-493B-A8B1-3CB82D0FCBDA}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{F264F75C-1C3F-40C0-8D1E-64D6AD3EEFF6}
      4⤵
      Executes dropped EXE
      PID:4144
  - - C:\Users\Admin\AppData\Local\Temp\{9DB071A1-B323-493B-A8B1-3CB82D0FCBDA}\ISBEW64.exe
      C:\Users\Admin\AppData\Local\Temp\{9DB071A1-B323-493B-A8B1-3CB82D0FCBDA}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{0E15B152-521F-40B1-81F1-A7C57B5B9D21}
      4⤵
      Executes dropped EXE
      PID:2132
  - - C:\Users\Admin\AppData\Local\Temp\{9DB071A1-B323-493B-A8B1-3CB82D0FCBDA}\ISBEW64.exe
      C:\Users\Admin\AppData\Local\Temp\{9DB071A1-B323-493B-A8B1-3CB82D0FCBDA}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{04E11B66-B023-415B-836F-5F0644C4EABF}
      4⤵
      Executes dropped EXE
      PID:4332
  - - C:\Users\Admin\AppData\Local\Temp\{9DB071A1-B323-493B-A8B1-3CB82D0FCBDA}\ISBEW64.exe
      C:\Users\Admin\AppData\Local\Temp\{9DB071A1-B323-493B-A8B1-3CB82D0FCBDA}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{B50ADECA-293F-43CD-985B-5E12118C7D59}
      4⤵
      Executes dropped EXE
      PID:3000
  - - C:\Users\Admin\AppData\Local\Temp\{9DB071A1-B323-493B-A8B1-3CB82D0FCBDA}\ISBEW64.exe
      C:\Users\Admin\AppData\Local\Temp\{9DB071A1-B323-493B-A8B1-3CB82D0FCBDA}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{7B480A3C-C7BE-4FF0-8862-4336A0F9A0D8}
      4⤵
      Executes dropped EXE
      PID:1344
  - - C:\Users\Admin\AppData\Local\Temp\{9DB071A1-B323-493B-A8B1-3CB82D0FCBDA}\ISBEW64.exe
      C:\Users\Admin\AppData\Local\Temp\{9DB071A1-B323-493B-A8B1-3CB82D0FCBDA}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{46B24514-71BA-48C5-A97B-2BDD586E2705}
      4⤵
      Executes dropped EXE
      PID:4576
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1848
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:5040
  - - C:\Users\Admin\AppData\Local\Temp\{111A8E47-0AB2-4B69-9F3B-40C7AEEEEBBF}\setup.exe
      C:\Users\Admin\AppData\Local\Temp\{111A8E47-0AB2-4B69-9F3B-40C7AEEEEBBF}\setup.exe InjUpdate -package:"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" -no_selfdeleter -IS_temp -media_path:"C:\Users\Admin\AppData\Local\Temp\{111A8E47-0AB2-4B69-9F3B-40C7AEEEEBBF}\Disk1\" -tempdisk1folder:"C:\Users\Admin\AppData\Local\Temp\{111A8E47-0AB2-4B69-9F3B-40C7AEEEEBBF}\" -IS_OriginalLauncher:"C:\Users\Admin\AppData\Local\Temp\{111A8E47-0AB2-4B69-9F3B-40C7AEEEEBBF}\Disk1\setup.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3444

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2360

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
6.1MB

MD5
d3598f91b2ac9b50fc4ab79d984c289b

SHA1
b11ce902780e0b06f080b147f1ea6abea7728881

SHA256
aec08458d6c65f48f62b1cbf2d06d8b8fa613cc11eb65bee6987046559f35ed8

SHA512
c5bec3a8afe3414fbc2f7ea3939b165cf5ab3b768ed068988896b3b2be74cb8f6909932061796edc17e9f5dc07a71f5e667691b564e7804c5559601a0522f980

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_2025-01-12_d3598f91b2ac9b50fc4ab79d984c289b_darkgate_magniber.exe

Filesize
5.3MB

MD5
7e90f1980f7ad185b3e672ca4daedeb0

SHA1
80e2516963e6bccde1722ce1b7ca225d58f04f66

SHA256
720375b8d6ce0a58fc4e64398af8acdc4c5e611171fbd60a1b3f0475ae91510f

SHA512
c937879c27ebac8dbad2c7663ea82de275e4a0ef62b83fcc2dca35d4fdef47b638ecc8e70513588a51861ef6c2ddcd600df497d7d56f3391cc5be90cba5b061b

Download Submit
C:\Users\Admin\AppData\Local\Temp\9CD75E00

Filesize
22KB

MD5
bc1732963d327b8db5d4ac99212753b7

SHA1
e06ff3983c2286a4767cff3621b561111820cc42

SHA256
c7ba55db4eda8f1bce1206706c11e72e537d355e7fa638fb3c4d44c264c729ee

SHA512
0852d4aef7b913d2822f0023c84115003b29f67c9d345edb716d3457b9cea5667b199125c2f1ad29345888e59a901b5c78eb35b9244a2a86693b4beafdc524ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\I1KXU6rJ.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\{9DB071A1-B323-493B-A8B1-3CB82D0FCBDA}\ISBEW64.exe

Filesize
177KB

MD5
8a1e5a6b1c4e0c7d706eb2b36fa6c8ea

SHA1
49199a62de0eda485b5287bad469f92ad8ebd407

SHA256
4104fde5404bfb3c5347b8ecdaec89a2e746b1162dc75186bc79738805818c0a

SHA512
1393bd6c06c30df7414494e5b06242445eb8afdf5467c6a5e875f2c63506b0b581322b6444c6d8f06b39aa5b04d1c55a631ccf932dc6d5043296dd3ed3cd9fc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\{9DB071A1-B323-493B-A8B1-3CB82D0FCBDA}\{42F05E9E-71D2-418A-9FA9-DBBE3C134E65}\DIFxData.ini

Filesize
84B

MD5
1eb6253dee328c2063ca12cf657be560

SHA1
46e01bcbb287873cf59c57b616189505d2bb1607

SHA256
6bc8b890884278599e4c0ca4095cefdf0f5394c5796012d169cc0933e03267a1

SHA512
7c573896abc86d899afbce720690454c06dbfafa97b69bc49b8e0ddec5590ce16f3cc1a30408314db7c4206aa95f5c684a6587ea2da033aecc4f70720fc6189e

Download Submit
C:\Users\Admin\AppData\Local\Temp\{9DB071A1-B323-493B-A8B1-3CB82D0FCBDA}\{42F05E9E-71D2-418A-9FA9-DBBE3C134E65}\FontData.ini

Filesize
37B

MD5
8ce28395a49eb4ada962f828eca2f130

SHA1
270730e2969b8b03db2a08ba93dfe60cbfb36c5f

SHA256
a7e91b042ce33490353c00244c0420c383a837e73e6006837a60d3c174102932

SHA512
bb712043cddbe62b5bfdd79796299b0c4de0883a39f79cd006d3b04a1a2bed74b477df985f7a89b653e20cb719b94fa255fdaa0819a8c6180c338c01f39b8382

Download Submit
C:\Users\Admin\AppData\Local\Temp\{9DB071A1-B323-493B-A8B1-3CB82D0FCBDA}\{42F05E9E-71D2-418A-9FA9-DBBE3C134E65}\_isres_0x0409.dll

Filesize
1.8MB

MD5
a05838872c391e729b414d2b15083983

SHA1
027038259b7c4bfe0066b6f5635e416efbd84157

SHA256
a7c7db8ce84441df150ee880e5bde9c17bc7c85dc87a61b1760738eceb61ad52

SHA512
0b13d56945a381dcfd453e9d21d62b030007d24b89fa6f7eaf75d62ca80f7c7fe1842a44d9deb25e286ac8fb1fe7c3567666c1e116c96dfd641b56e99262125a

Download Submit
C:\Users\Admin\AppData\Local\Temp\{9DB071A1-B323-493B-A8B1-3CB82D0FCBDA}\{42F05E9E-71D2-418A-9FA9-DBBE3C134E65}\_isuser_0x0409.dll

Filesize
968KB

MD5
42e6c4a0d3fc291bf3f01b666bf587db

SHA1
6be7b99dae48fafd25bb929ae26dfafbffee096b

SHA256
b9a2a3e9061a7c6e8ab5811cb93abb0358e3df2c882530be98b824b71ce17f6d

SHA512
27b151d3b9637e9d8402ab406a3fb21e9dfb4d6c8aff429ef2059ea16cb3eb314f510660cad45eae4dff7ec76d9be16594c19514ac52bf445e000926d70fef2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\{9DB071A1-B323-493B-A8B1-3CB82D0FCBDA}\{42F05E9E-71D2-418A-9FA9-DBBE3C134E65}\isrt.dll

Filesize
422KB

MD5
67b3328f3cc34596ec941dda8574f606

SHA1
219a67104a18f71c0ccb7b9d73f435d76e44f584

SHA256
cb80bfdd8263bb9aff04bdc7d6be71ad09800895b616223d8f97048aa0a506f7

SHA512
5e81fac5a4e48353bdd0a60e8882b4b51a79298124d9fe8235940643bf2e4bfb13a881841a69dc479e1658cd42c6772c76a761cc2be8342122e53460357c5091

Download Submit
C:\Users\Admin\AppData\Local\Temp\{D8890414-5EE6-4068-92CE-B262ADDFC6E0}\0x0409.ini

Filesize
21KB

MD5
8586214463bd73e1c2716113e5bd3e13

SHA1
f02e3a76fd177964a846d4aa0a23f738178db2be

SHA256
089d3068e42958dd2c0aec668e5b7e57b7584aca5c77132b1bcbe3a1da33ef54

SHA512
309200f38d0e29c9aaa99bb6d95f4347f8a8c320eb65742e7c539246ad9b759608bd5151d1c5d1d05888979daa38f2b6c3bf492588b212b583b8adbe81fa161b

Download Submit
C:\Users\Admin\AppData\Local\Temp\{D8890414-5EE6-4068-92CE-B262ADDFC6E0}\Disk1\ISSetup.dll

Filesize
788KB

MD5
1c14194bd13d114f8507cc6fa28eb1d1

SHA1
baf3d92a549ec7a419ddc697dafea8282b577960

SHA256
ea231c7a836a666d57752fcb0d50128a9292f7162433ed13a64a0a733c7b46f7

SHA512
b5e4e4b7075ec52a083903b0e96ba6e9901b7f0080eb93f9b2cad0d268c3302c437fd63ee49085fa0819bbd323b872f2b55116f3bd8cf9bb8ff19bcff99b4220

Download Submit
C:\Users\Admin\AppData\Local\Temp\{D8890414-5EE6-4068-92CE-B262ADDFC6E0}\Disk1\data1.cab

Filesize
2.0MB

MD5
3f6c14ddde377b537eb7db19670fb3a9

SHA1
4e1aa09b1460644a97f6e35b13abe41c56c4fa9d

SHA256
7e37cb453c1dc21b36309459c818a447e10d01ae486353726ee85d3ef53c49b4

SHA512
b01e268ebc2f708b51cea635fe9e8b4bc2e7c7f8fcfc7e44648e9bdffa2c0efcb5e9e4bbad4587645ba1d4caf078b83366cb9d0891516b8e6b47891774d6b2a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\{D8890414-5EE6-4068-92CE-B262ADDFC6E0}\Disk1\data1.hdr

Filesize
12KB

MD5
b2dc83da67807e9eeeebc37f1dda488f

SHA1
536460cba50fd5bb718354911b0941ac9d1d78b7

SHA256
88923f58734b4aa924f586e48ceb3f0792290ebf986ba4322732a38be422abec

SHA512
bcfc43df3b23d0d2d4c15e7be061012bc7812cf63e98db566d719d73041dba20b82171f01365c96426201c186cea6ebebce572363bf4a954de46083d162fa9da

Download Submit
C:\Users\Admin\AppData\Local\Temp\{D8890414-5EE6-4068-92CE-B262ADDFC6E0}\Disk1\layout.bin

Filesize
550B

MD5
01afef378eeb930d1f5f486ca40f3b66

SHA1
4a5b7bd54a58e920e95fbbe80ff2c316c4cdbc06

SHA256
2a1c8858a63ae79995fef03a0abe7fdbcf368a53d81e0a41e276c7b9ea949a02

SHA512
f066fcc024407eb96fc4ea8ddfb85c2c4448c9e723863108e588526b3bdba9792c1c24b59fac244ecf18fe739f0bd27f3843f30cd4de1ccbcd397f5ae5b6b246

Download Submit
C:\Users\Admin\AppData\Local\Temp\{D8890414-5EE6-4068-92CE-B262ADDFC6E0}\Disk1\setup.inx

Filesize
229KB

MD5
4990595c81aeaf50f32c5681fbfe4608

SHA1
18c6bb6dc5913e7fcbaf1e2612ecdb59db2b93ac

SHA256
531ade9f6105d5ef1ca0add9cad64fb1025180a6767bb6e30bcdcaddc99b07b8

SHA512
c0ff23670388ca9eed4224368d8eb4c1b2f688fb1cdb25a7ced5dae584088ca5933f181d548c1c876c590c8f0e81d4dcd7c7133bfa84b7bc781ef4b01c11cb95

Download Submit
C:\Users\Admin\AppData\Local\Temp\{D8890414-5EE6-4068-92CE-B262ADDFC6E0}\setup.exe

Filesize
1.2MB

MD5
2c0b1c504d9f05c8423259649681e886

SHA1
d80584711d9c048ca4f0b8680363977fd80022d2

SHA256
365466c2d0e39c68cca25dea949e52cb4cf32ff1658763f22cd807b64a8ed7b0

SHA512
daab508ab804123d8dc09fa69be9b05848590b58a31ebb99a63011051eab476ef09a50902afccf6d312875e1ec9b796e02d012cebab15e0202a5bc364c32830c

Download Submit
C:\Users\Admin\AppData\Local\Temp\{D8890414-5EE6-4068-92CE-B262ADDFC6E0}\setup.ini

Filesize
2KB

MD5
d15600b0ad28b582c04bda4b5ea78a28

SHA1
460f5f77b80b0aa1b996f1e99e433796732a630e

SHA256
578cca02a20d215086110b7c16bcae3e94186a3267506603aed2398e18eb20ad

SHA512
755b0080e378a48ae02d406688f51f5c6ce4ccb530ae0d8a8367806e140040d82b4827fb2d0175f63bbc3a43aa23a5e9b7125c93867bbba8be779722296b4c60

Download Submit
memory/1216-146-0x0000000000400000-0x0000000000A13000-memory.dmp

Filesize
6.1MB

Download
memory/1216-0-0x00000000028B0000-0x00000000028B1000-memory.dmp

Filesize
4KB

Download
memory/1444-281-0x0000000004D10000-0x0000000004E22000-memory.dmp

Filesize
1.1MB

Download
memory/1444-162-0x0000000010000000-0x000000001025B000-memory.dmp

Filesize
2.4MB

Download
memory/1444-352-0x0000000010000000-0x000000001025B000-memory.dmp

Filesize
2.4MB

Download
memory/1444-353-0x0000000004D10000-0x0000000004E22000-memory.dmp

Filesize
1.1MB

Download
memory/1444-294-0x00000000050B0000-0x0000000005277000-memory.dmp

Filesize
1.8MB

Download
memory/1444-280-0x0000000004D10000-0x0000000004E22000-memory.dmp

Filesize
1.1MB

Download
memory/1848-354-0x0000000000400000-0x0000000000A13000-memory.dmp

Filesize
6.1MB

Download
memory/1848-465-0x0000000000400000-0x0000000000A13000-memory.dmp

Filesize
6.1MB

Download
memory/1848-437-0x0000000000400000-0x0000000000A13000-memory.dmp

Filesize
6.1MB

Download
memory/1848-432-0x0000000000400000-0x0000000000A13000-memory.dmp

Filesize
6.1MB

Download
memory/2360-379-0x00007FF96A9D0000-0x00007FF96A9E0000-memory.dmp

Filesize
64KB

Download
memory/2360-385-0x00007FF968070000-0x00007FF968080000-memory.dmp

Filesize
64KB

Download
memory/2360-384-0x00007FF968070000-0x00007FF968080000-memory.dmp

Filesize
64KB

Download
memory/2360-383-0x00007FF96A9D0000-0x00007FF96A9E0000-memory.dmp

Filesize
64KB

Download
memory/2360-382-0x00007FF96A9D0000-0x00007FF96A9E0000-memory.dmp

Filesize
64KB

Download
memory/2360-381-0x00007FF96A9D0000-0x00007FF96A9E0000-memory.dmp

Filesize
64KB

Download
memory/2360-380-0x00007FF96A9D0000-0x00007FF96A9E0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads