xred | 9eb4b11792b3467349e163d207066fc65e911d77d317456bf58f96cc1913e4f2

Analysis

max time kernel
117s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
20-01-2025 02:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9eb4b11792b3467349e163d207066fc65e911d77d317456bf58f96cc1913e4f2N.exe
Size

2.0MB
MD5

6f57023af56c6fc3c083bbec7fffa520
SHA1

a19799c5604932b425fa221bad31051f32896cc6
SHA256

9eb4b11792b3467349e163d207066fc65e911d77d317456bf58f96cc1913e4f2
SHA512

0bf3ea3f9b77de66c3dfa5a1417fc7e74c3b91a2b827101b02d034945b7e85ed62e37cec8cf7706b0ff8c6cabae40f58b9f937876c991efab15b4d345a2ac381
SSDEEP

49152:qnsHyjtk2MYC5GDczMmPITYbNbNWo4kSH3OqtwIzt:qnsmtk2aFzFPIT4bNJFY3OqtPt

Score

10^/10

xred backdoor discovery persistence

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Executes dropped EXE 3 IoCs

pid	Process
2516	._cache_9eb4b11792b3467349e163d207066fc65e911d77d317456bf58f96cc1913e4f2N.exe
2972	Synaptics.exe
2468	._cache_Synaptics.exe

Loads dropped DLL 5 IoCs

pid	Process
2932	9eb4b11792b3467349e163d207066fc65e911d77d317456bf58f96cc1913e4f2N.exe
2932	9eb4b11792b3467349e163d207066fc65e911d77d317456bf58f96cc1913e4f2N.exe
2932	9eb4b11792b3467349e163d207066fc65e911d77d317456bf58f96cc1913e4f2N.exe
2972	Synaptics.exe
2972	Synaptics.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	9eb4b11792b3467349e163d207066fc65e911d77d317456bf58f96cc1913e4f2N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9eb4b11792b3467349e163d207066fc65e911d77d317456bf58f96cc1913e4f2N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_9eb4b11792b3467349e163d207066fc65e911d77d317456bf58f96cc1913e4f2N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Enumerates system info in registry 2 TTPs 7 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	._cache_9eb4b11792b3467349e163d207066fc65e911d77d317456bf58f96cc1913e4f2N.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	._cache_9eb4b11792b3467349e163d207066fc65e911d77d317456bf58f96cc1913e4f2N.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	._cache_9eb4b11792b3467349e163d207066fc65e911d77d317456bf58f96cc1913e4f2N.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	._cache_Synaptics.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	._cache_Synaptics.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d3d5575fb3826545aedceabe0efff8c00000000002000000000010660000000100002000000071126566b444925a5558a14b96d3a9254e8486871ebd8604ce7b2c6824e1d345000000000e800000000200002000000050b103e8b71fba7141a297e23bb8f1141602f8bf716e4f86fcb856f647750e2890000000cd1451929ddcdd1c60d013dc64f8dfb33b72deaa12915c0a74954b6882709bb3f6d1214b3745065591d78f2e9cd7b4cc382c2a5e25884c8a8bebebe91710608e1fbf255c10635758db1820400e6a18cd6ca21ee4050cec94ffc406fcf20dab0b56e5a18a93840281a69b744addb763b192f3ce81b4ab0ab57a75c8f78aaf628817103c3354cac0b52a5c7d4371a1110340000000c3b14f5215aad579d0f6af6913dfad241357d972cd7b2477cabc24a5b8fd43480be440b3761192465322b1a6e7be0029678ece3f32312260cfe2dc2f494cf030	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{19B38A11-D6DA-11EF-86F5-E699F793024F} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff5600000000000000dc04000065020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "443503636"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{19B825C1-D6DA-11EF-86F5-E699F793024F} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2408	EXCEL.EXE

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
1444	iexplore.exe
812	iexplore.exe
1320	iexplore.exe
2372	iexplore.exe

Suspicious use of SetWindowsHookEx 17 IoCs

pid	Process
2408	EXCEL.EXE
1444	iexplore.exe
1444	iexplore.exe
2372	iexplore.exe
2372	iexplore.exe
812	iexplore.exe
812	iexplore.exe
1320	iexplore.exe
1320	iexplore.exe
3036	IEXPLORE.EXE
3036	IEXPLORE.EXE
1520	IEXPLORE.EXE
1520	IEXPLORE.EXE
1088	IEXPLORE.EXE
1088	IEXPLORE.EXE
1380	IEXPLORE.EXE
1380	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 2932 wrote to memory of 2516	2932	9eb4b11792b3467349e163d207066fc65e911d77d317456bf58f96cc1913e4f2N.exe	29
PID 2932 wrote to memory of 2516	2932	9eb4b11792b3467349e163d207066fc65e911d77d317456bf58f96cc1913e4f2N.exe	29
PID 2932 wrote to memory of 2516	2932	9eb4b11792b3467349e163d207066fc65e911d77d317456bf58f96cc1913e4f2N.exe	29
PID 2932 wrote to memory of 2516	2932	9eb4b11792b3467349e163d207066fc65e911d77d317456bf58f96cc1913e4f2N.exe	29
PID 2932 wrote to memory of 2972	2932	9eb4b11792b3467349e163d207066fc65e911d77d317456bf58f96cc1913e4f2N.exe	30
PID 2932 wrote to memory of 2972	2932	9eb4b11792b3467349e163d207066fc65e911d77d317456bf58f96cc1913e4f2N.exe	30
PID 2932 wrote to memory of 2972	2932	9eb4b11792b3467349e163d207066fc65e911d77d317456bf58f96cc1913e4f2N.exe	30
PID 2932 wrote to memory of 2972	2932	9eb4b11792b3467349e163d207066fc65e911d77d317456bf58f96cc1913e4f2N.exe	30
PID 2972 wrote to memory of 2468	2972	Synaptics.exe	31
PID 2972 wrote to memory of 2468	2972	Synaptics.exe	31
PID 2972 wrote to memory of 2468	2972	Synaptics.exe	31
PID 2972 wrote to memory of 2468	2972	Synaptics.exe	31
PID 2468 wrote to memory of 1444	2468	._cache_Synaptics.exe	33
PID 2468 wrote to memory of 1444	2468	._cache_Synaptics.exe	33
PID 2468 wrote to memory of 1444	2468	._cache_Synaptics.exe	33
PID 2468 wrote to memory of 1444	2468	._cache_Synaptics.exe	33
PID 2516 wrote to memory of 812	2516	._cache_9eb4b11792b3467349e163d207066fc65e911d77d317456bf58f96cc1913e4f2N.exe	34
PID 2516 wrote to memory of 812	2516	._cache_9eb4b11792b3467349e163d207066fc65e911d77d317456bf58f96cc1913e4f2N.exe	34
PID 2516 wrote to memory of 812	2516	._cache_9eb4b11792b3467349e163d207066fc65e911d77d317456bf58f96cc1913e4f2N.exe	34
PID 2516 wrote to memory of 812	2516	._cache_9eb4b11792b3467349e163d207066fc65e911d77d317456bf58f96cc1913e4f2N.exe	34
PID 2468 wrote to memory of 2372	2468	._cache_Synaptics.exe	35
PID 2468 wrote to memory of 2372	2468	._cache_Synaptics.exe	35
PID 2468 wrote to memory of 2372	2468	._cache_Synaptics.exe	35
PID 2468 wrote to memory of 2372	2468	._cache_Synaptics.exe	35
PID 2516 wrote to memory of 1320	2516	._cache_9eb4b11792b3467349e163d207066fc65e911d77d317456bf58f96cc1913e4f2N.exe	36
PID 2516 wrote to memory of 1320	2516	._cache_9eb4b11792b3467349e163d207066fc65e911d77d317456bf58f96cc1913e4f2N.exe	36
PID 2516 wrote to memory of 1320	2516	._cache_9eb4b11792b3467349e163d207066fc65e911d77d317456bf58f96cc1913e4f2N.exe	36
PID 2516 wrote to memory of 1320	2516	._cache_9eb4b11792b3467349e163d207066fc65e911d77d317456bf58f96cc1913e4f2N.exe	36
PID 1444 wrote to memory of 3036	1444	iexplore.exe	37
PID 1444 wrote to memory of 3036	1444	iexplore.exe	37
PID 1444 wrote to memory of 3036	1444	iexplore.exe	37
PID 1444 wrote to memory of 3036	1444	iexplore.exe	37
PID 2372 wrote to memory of 1520	2372	iexplore.exe	38
PID 2372 wrote to memory of 1520	2372	iexplore.exe	38
PID 2372 wrote to memory of 1520	2372	iexplore.exe	38
PID 2372 wrote to memory of 1520	2372	iexplore.exe	38
PID 812 wrote to memory of 1088	812	iexplore.exe	39
PID 812 wrote to memory of 1088	812	iexplore.exe	39
PID 812 wrote to memory of 1088	812	iexplore.exe	39
PID 812 wrote to memory of 1088	812	iexplore.exe	39
PID 1320 wrote to memory of 1380	1320	iexplore.exe	40
PID 1320 wrote to memory of 1380	1320	iexplore.exe	40
PID 1320 wrote to memory of 1380	1320	iexplore.exe	40
PID 1320 wrote to memory of 1380	1320	iexplore.exe	40

C:\Users\Admin\AppData\Local\Temp\9eb4b11792b3467349e163d207066fc65e911d77d317456bf58f96cc1913e4f2N.exe
"C:\Users\Admin\AppData\Local\Temp\9eb4b11792b3467349e163d207066fc65e911d77d317456bf58f96cc1913e4f2N.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2932
- C:\Users\Admin\AppData\Local\Temp\._cache_9eb4b11792b3467349e163d207066fc65e911d77d317456bf58f96cc1913e4f2N.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_9eb4b11792b3467349e163d207066fc65e911d77d317456bf58f96cc1913e4f2N.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Enumerates system info in registry
  - Suspicious use of WriteProcessMemory
  PID:2516
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" https://youtube.com/watch?v=RfDTdiBq4_o
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:812
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:812 CREDAT:275457 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1088
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" https://keyauth.cc/app/
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1320
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1320 CREDAT:275457 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:1380
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2972
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Enumerates system info in registry
    - Suspicious use of WriteProcessMemory
    PID:2468
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" https://youtube.com/watch?v=RfDTdiBq4_o
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1444
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1444 CREDAT:275457 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:3036
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" https://keyauth.cc/app/
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2372
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2372 CREDAT:275457 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:1520

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
2.0MB

MD5
6f57023af56c6fc3c083bbec7fffa520

SHA1
a19799c5604932b425fa221bad31051f32896cc6

SHA256
9eb4b11792b3467349e163d207066fc65e911d77d317456bf58f96cc1913e4f2

SHA512
0bf3ea3f9b77de66c3dfa5a1417fc7e74c3b91a2b827101b02d034945b7e85ed62e37cec8cf7706b0ff8c6cabae40f58b9f937876c991efab15b4d345a2ac381

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\05DDC6AA91765AACACDB0A5F96DF8199

Filesize
854B

MD5
e935bc5762068caf3e24a2683b1b8a88

SHA1
82b70eb774c0756837fe8d7acbfeec05ecbf5463

SHA256
a8accfcfeb51bd73df23b91f4d89ff1a9eb7438ef5b12e8afda1a6ff1769e89d

SHA512
bed4f6f5357b37662623f1f8afed1a3ebf3810630b2206a0292052a2e754af9dcfe34ee15c289e3d797a8f33330e47c14cbefbc702f74028557ace29bf855f9e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
844719183559264c7861950b2e09b725

SHA1
177b06ef6251228109f9902a6d85e8e12a4a7f14

SHA256
942d74e677e8955ad9e7b667e9f6f101ca67d6392fcba4252a5439ed2dc20b01

SHA512
0627bb9f84ed7fc1530c92cf18ed44bc9c601d644377cd8ee852a539dbd818b74d664b58ce2e931e4de1631f3ac04d404da341f027f10f9b679b26317c9a5e73

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\4FA45AE1010E09657982D8D28B3BD38E_E4543EAB994D579360C32C5CC59A22C6

Filesize
472B

MD5
9017a86404a971a5217381a042725c50

SHA1
6c95543ae7245caf2749ab8f47f3a7a61cb881e6

SHA256
4526ede12072e25cabbf70dc73d31c27cd172831891e6aa5ac26cef171a46562

SHA512
e7ff2f6a82ee6059eb4f860608e910b16c3b175bd55a3162f73076a5617ee8805d0dba66df14bfb76736ee6341e8f330d1035c76f56a74c94de1c4bab7c7fd6f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
1KB

MD5
c9be626e9715952e9b70f92f912b9787

SHA1
aa2e946d9ad9027172d0d321917942b7562d6abe

SHA256
c13e8d22800c200915f87f71c31185053e4e60ca25de2e41e160e09cd2d815d4

SHA512
7581b7c593785380e9db3ae760af85c1a889f607a3cd2aa5a2695a0e5a0fe8ee751578e88f7d8c997faeda804e2fc2655d859bee2832eace526ed4379edaa3f5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8

Filesize
436B

MD5
971c514f84bba0785f80aa1c23edfd79

SHA1
732acea710a87530c6b08ecdf32a110d254a54c8

SHA256
f157ed17fcaf8837fa82f8b69973848c9b10a02636848f995698212a08f31895

SHA512
43dc1425d80e170c645a3e3bb56da8c3acd31bd637329e9e37094ac346ac85434df4edcdbefc05ae00aea33a80a88e2af695997a495611217fe6706075a63c58

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C02877841121CC45139CB51404116B25_252B35A0C9E78A87AECDDBB68FF7B1F0

Filesize
472B

MD5
770e5b0746fd70f6d9623baf8ea0694f

SHA1
6777ed59c628969dc003a564028d6d2eb7b360f9

SHA256
438c76085747f65bed5b33f3372a0928984c2563bb7a27b21352ede3ea79271d

SHA512
580f5d03ef69d728d8dff9c3070c3fc7e1ccf93a1c81749f3f4dd5d532146353f7626e8c016fe93fdc480821dcbfcb695e5016d8ef23352c644268c35b90bb4c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C02877841121CC45139CB51404116B25_55209007C2DA2D56C1F9D41F7B3BBB66

Filesize
472B

MD5
68b8aadc1180184cc0a169dd6a927412

SHA1
f237a0012341737791c58832c9b56cdff5519375

SHA256
dff3c37502b3dcf470f1c03d726043442c0ba8c95279b868c443a9175c313a6e

SHA512
b098097f38928c80b7554bd9384ddeb7c904f86a10e775bf83d29e32678d6a3db17e96f72138826f0bb0c0b7df2bf63e0891d1f56649e8f9551a5d7009a05a64

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\05DDC6AA91765AACACDB0A5F96DF8199

Filesize
170B

MD5
bf718df1310c0628d5e82d12a26f5494

SHA1
32dd21e95cd1c6c142bedc25fb3727b44e301ae4

SHA256
a24af03a3ddf94dbee644fbe9aa0c412069b80eee2e68bc6c9bd3dec6bbc56f7

SHA512
9ba2def9d942b3b88d2feffdafac3df88ef36c94d5ba29f1ba449a99a0bad477f30b47e0d6fecc44de5be168678b4865cd6a1a028619442453cbbba2f7506217

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\05DDC6AA91765AACACDB0A5F96DF8199

Filesize
170B

MD5
39b9ea7cf29c472c6f138cb5013bffc4

SHA1
2714a550da072ddb1c6a6ad134801b7c44c82b80

SHA256
d5723daed7f191e675f0ebde2468f8c7fd2e46e3c7513fd67cedbe6751961aed

SHA512
d452c9bb80c24a3e24e3179e47e8de5b77b57bbc0cc0c7b215bfc0a4e6b2b4e7b22355212877c1af3d8868df8ef1e861d6acea9afee61470a158b4162b8e20c7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
b04e5b82883e0d245db3369a45b879a7

SHA1
90d3d17fdd5408a629a9be42450c2568f589d675

SHA256
9279d72a1d52b61bf9943e026e7147d899ad29d6b94f1ca9c5a01588e3b3794a

SHA512
9ab39c59b108572fc6763293ab2cc476f01f1d36b1af990ec370739a9f71922d2d18c3705f15f0a5e37234bad7a116371330e91c947b784290dbcfcb9d808eed

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
c104891233892c750d534930e212d1cd

SHA1
716f63d49654099e01e1533447a6298cf54f00d1

SHA256
5777ab43d6772b1c33d91a4c18422d96a2c3d5d5590862dc00f3fe3f6adf235d

SHA512
84c8835aacc797763c3fb806927a7933b5dbaa1c69588a8597ad6813a918860a10b4cfe6ad1d24ebe31bdfab93abef6caab7864f114449514e375b24c46ecf8d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\4FA45AE1010E09657982D8D28B3BD38E_E4543EAB994D579360C32C5CC59A22C6

Filesize
398B

MD5
2dc7cf83d7f5e4f2a5a71175eae1351f

SHA1
1b534124484185da3ccfc498e248fbeeb003e508

SHA256
3576e83c4ab2503e7ea50b5db1b2a8b2e53f9545dead8ce4832b29721ad23bab

SHA512
f4fec0bc32db813a4aa5d98f634430f93aeb69fb35835e26a07ef87670706ad918cc9d4edab04c3824bf4010649a8255400c0bcaf420e8e92e3c5161574d2592

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\4FA45AE1010E09657982D8D28B3BD38E_E4543EAB994D579360C32C5CC59A22C6

Filesize
398B

MD5
869ba353270959168c142c3b5c7df9b7

SHA1
e7f2c0c23c6bb844a269e28b50a1d04a85a91e34

SHA256
9d2d9fc9b4ed3c441697ca0c70f127a3255ee52030123d3bc91696cb501179bb

SHA512
ddd950ccfaa48c1f0fe8a70c757eda3f5c211cd19c8cb5d2e1e760578215b288a1176b70b4a061994516e29029882311718347e8a7bb8f4e8f707828793a3391

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\4FA45AE1010E09657982D8D28B3BD38E_E4543EAB994D579360C32C5CC59A22C6

Filesize
398B

MD5
05f4a304e2023bd6573b34b1cb236cbf

SHA1
ed85baa5a0c0a1ac6c6e67fe6a9ad5aef48dc13c

SHA256
d7e37cf5114ce5e4b7d64596ebc9fa9d1548ef5d5d20c6909078644d579c5ee0

SHA512
f4e2e8de255c36c678716a63ca5ea8fbd67061770542566b20f7184086d6539699cf695b4a1f3b29666cc95645e0d7120a6b37253d3ec45c800fe9f9fcd52d04

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
174B

MD5
ec2f9d3a895ad66b2ba2cae945353dac

SHA1
f8b0d5fe57c92dd907368840251e0475238dd85f

SHA256
f08460e6e3e3e6e74ebf1aced3b2f163672329c74313501e54b4ec0e42a85090

SHA512
69ec3558000d89813f306590688ca8af208600d4ffb8de4c3b36f2e4635fb366ee4bcad440ebb73908b09ad48c21879181ae73f55dac21b96a4104777ed22772

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2d56509881340b366e8b36c4e5863df7

SHA1
5b41d2a0160e73e84501e3a2c746fae4bac448de

SHA256
22e235d44472e5593cf13d12eb5d6e49420099e564401bda1c26bac4b437600d

SHA512
dd685f90c09179566906f3541a28813310edb30f0306d704bf83d2559666c7a954563ac25bc7f1837921bb747e457e8a85a14512421a3c577764c17a3fa1252f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c4254e1a99be1828a9d29696550faf8d

SHA1
4cb5d55a2590960e7af2a234500b8cb362e8ef2a

SHA256
77a0f46d20e28bb472e71d07398f2cf86baa04e20026958b2632daac317d0976

SHA512
47ed710d39624ab885f3be8c304cc591263144718ffe67073f200e66f17114dd9718c41f49b615540409c85b006194dbd8b776f3f0d47ea87349588bf2b568ae

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
37f002020aacc03a6d29b1c686b14d7f

SHA1
a85109b98b8bbfc2db1d3825a4c70d7f4b17edf3

SHA256
13eac0eda5d1e47b90e88df3283cbc66f0258e8f2c7e9cb66ce1ab38d396309a

SHA512
01a127c3d6f9e46f64f8d113e3a6d0f4c37118298c64d2d8176b0d6ecfb089725cff7ab71d90e998d6b43913c82b277d87388477493ac8c11a7ca6fad5a71722

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a765b4064f22560fb53be5031ec69252

SHA1
3a8452a9ba82f6367d45e9ccda1b1e21580c0e15

SHA256
aa6282c286ec4f1de67df37ab865c3a06fa45feec0eb10912fc2f242512e11c0

SHA512
cc7fd9a1a267a5a5e1fc01523ddaa98a0475c5d36cbfc59c3d97d2c9f153e1b9badf9c7ae5006d1fa603eb85289c4e1ecc37b519a41f54ba71351212098e3e7a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1b1d1aa63272a1e89e15f68efd8cabf6

SHA1
9f29a8c5d747fd555d3eaedafbc13f38cde25fde

SHA256
a97bd8d9b1ab9f84b2f425ba98be97fd4c74d617357bb795f3c41f2c4ff6462b

SHA512
d2785a21eeb1828ab1181310333b488e560f38facb5b335ae5472bd609a1b7bb19b47b906744098d0c5b5bd56e889e91b1a24cec5dfc6b89f75f6db8f3b2abef

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fdbd2b3b127270b6cf08415383d4ab24

SHA1
106a25066a28bf9b6d3fa000657c764b755160f5

SHA256
699d899c9874672b48ce5606c270d11252389a77d05c9296e6a9b558d2608fcd

SHA512
567a6dc935df5113c3352b9ad33d3141d74ab258b3d29683270133cf898c7b19e7b1686ddbcbf6fb78220e40c943b3da5664b8c9a67b86420d5212739b3888fa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1894fd0b812d03792f0ea8e192298969

SHA1
2109b868da4c6e19ff2992f6f6fe27a383bdd1b2

SHA256
aed1c88aa1afd4a15d50e2b3d488ba6fcc515e4e393614c51bb610b9ec38fc5c

SHA512
7fb0ba1a5e0051dc25e77ee8a6152ab04e44799c4df4ca8e022cce5e138abdd06e95411040bb24075c6cd37f00493302f7a48e5ac9921aa3296afee91d358e80

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
074258daee4f609c065929cd930b08bb

SHA1
f77f461787e173bd0a0360178ca8c732f73b05a0

SHA256
2788fea073d10ff4aa76d72c79fd873c402f570cd6c7966029d87ef41eba5656

SHA512
a85d51469c864c6a821173ed17eac255a93298250bf7ca1727cf9f962c5240663414f295d2fed1161837479c487e2384ddd205ed278eda6b3a09fea96120e9bb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
53a7c3fbf5fb79605c543a6e77bbcd99

SHA1
2b25d0bdb303ea6ec09979b57c90646b2e723e77

SHA256
3719ffa2b2a38552f3473e25367b6853ca37534e5b425f64aaa73185c1c22d88

SHA512
3f536323243fec0a72203a338093e9b2b4ae30c160b0d60390929dcdf8bbb68a9107859a47c99d5ca89da3a92f9a4b794cdeb8ece0ad75da1ee70c4da88dc2d3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
06ebc45300d75e2e0d96f751144e0849

SHA1
99a969139c70ce4f64bcf68a0af79010d6965387

SHA256
abca7fc07fdee3cda305c18310efbf835b0be834b7eaaad9ebaed4cb99a043df

SHA512
64033a595461a9217ab4d51556c5f9629cfac702857b93b5df18fbed545c46d58e1a2763aaa01db4173551ed1dad81c4d2daeec4ffaecface172592d8ba33126

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
305f0ff0d81c73632aa6d84bafa9307f

SHA1
fec9fa388d2c1c9258acaf53c22ddc4a681c35e8

SHA256
39cd22eada01ac6b686d848a045175320aaf9ccd7231c55a7c13c205ccc535ac

SHA512
220aeff73a936319d2db19b1e086f47c72b8edf4fc31a87f0c8246065131256b5c306876911f18940e1b66b533b6ea60524b233ec9132257406ee587afcc6997

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
989a79261299614778c08448e648c322

SHA1
eb677dcd340b7be7e1497e18370a90adfd1aec6a

SHA256
b81c905957a3a016198b23155ed5dfdc1c21c8f00c438fce50537eab4df69f4e

SHA512
392763e36e5bee33aa9debdbd3b0cab46b0a96a5af95625253305ee8c323e1a6dbc80ba9b15ddb61def1c22ac25e80e5bfb9eb36ac7d8269f569b6c6480d099f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ea685eab91599978940c96452468b780

SHA1
98c8cfd41e7f6d928db382f0b5ca4339265d1349

SHA256
509123659d59c7a9a5c4d0ec65b4e6b146c6c51cccf82110594d7bbaccec1a64

SHA512
6345b144d9b9f43874ddd975c525b8366b0b3a0dd8011cb6833c6e6a76d105beea9cb858f409abaa6580170f3ba7468b032d41218aa1202e04d7964d2c755983

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
99e73ff75ceef64fd8e0a29cd1912dfe

SHA1
c77ca74d3b8125510444d807c5a54109d14637d8

SHA256
9696aeb5558229f252f55970a0bc62a895214abd9624f0e469a43c72b50b9038

SHA512
1c7d22b623e916729d15e83778aa203df24be6369f37648e429bfa7244958e9d1b1950b251a50d18f44249610e849fc6513fe8e3f1c58b629785a30b73e74fb7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e7050505b97ab53fb330a32506329e87

SHA1
97e2557b8ebd1d288a339d74d5fb05e27ca5beda

SHA256
880b04fecc5d26ba9b884cefa8f46776d1fd9955e41bdc7c2cbc70574955d4dc

SHA512
9b5d2a2bf995901a9a7ef7df0733cd8c2a12e253a61b0a312d50f09da5863946462081ed2b8f4ec96d0ef11e8de377d0b1e3c7232fb98662664dc75fc324376c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cdfbbdf4b5c0e1ab30c99ee45965e6dc

SHA1
9509fc8445c6a7f233b57db62eb420ca7c900698

SHA256
5959dc132ddc3eaf438dc329859aaa1b5fe70d0e06ddb23e8a347a6f1511dd2c

SHA512
6c2461b515558bf150c50f82113cd54cbca047bbcba4db36062d241852c5ca4a2460fa9aa4cc456ca94f054a0000101d223fead9dff8b3b479d0314af7fcdf5e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b381f90f6a5d5fba4c6196891b73b172

SHA1
b9d85b5f8e0fcbe1406089d0ded30a706a7dd2ec

SHA256
1333ae420b4dd9b3140c961cecc449e77d33c36559269ddf7bf5118d40b49ab6

SHA512
2acb662c1eaaf0c1cb79685d75531d983b2860c200d388b06d084779186a44cb7fdd0e89dc6bcc15e42b2b834a2a5c7a2e9d4cb1d8328af68a9247df5db882c7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7b56890b5fa2ad038d527e7cd5de330e

SHA1
48eb7322d828d9e12d06f69c40ae1695e0d07d63

SHA256
58f612da02cf3a531d1e435f125e8cdd8c322e46196a37c5a55ffb0b57272fcc

SHA512
2294fd596636029d6e585612c75d4d9c69a11b943f858276cdbdb38630bb33cc0a4dd8f8e1bb5bd4c1a87be4be07cfa556112c574c5660483189a688666c5842

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
95e3ef12f9f6a5d90e2e03be15ac4a10

SHA1
3a924f705c4a3270895448254208f4a17434e728

SHA256
d6167e25a1e1a7ddd06144d98fc3efa7a7626d372de67ebc337e18a74a80d7c3

SHA512
9ecb037d168cafd35cbddbc066b63453360a94621e073ca1c37b303a1fba16a6a374b302e3579738f7cf720f37e18e905b94174c08b2a0d3e81a6251e6290472

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ecc637835a322de92544d2681e626e06

SHA1
f62e30fcce2e631156fc6e37d8f9b576c49f66bb

SHA256
466293ba438fc9829cec11252d4eaa00cb73f9b73ef8df4aefb144e43e77b2d2

SHA512
52c4c7da77e155a3099ef8ac75cffcd7f3c43ff045c7d559ed40430d841543674dd0723711838374ad19b6658c6f6ae8ce52c8a7a3883a09d33a7a21be573792

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6bec09edb8c9b4bbacb9b385b939f36b

SHA1
f8223d361d0b28bec98e817137de0cbd493229c7

SHA256
cfe6833136ecfc5557e9d4351de8d9a1c7d3d5c412b74d9d6614ae63f5d12577

SHA512
1948b2f8cca3ed54d82c3b19d698f3f8dff93e30bb34ee132420b69186f319c7fdff75c9cd1271e1f9ce3aa001570a21edffc585886d1f817fa5d86097e5af08

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6d10ae8a1ad7275db918efbd69490442

SHA1
e3ff232443232c953089660691b9df450cc78687

SHA256
c046ab9ee6effc46810d72dfd49d2bd0085010dc55c7d4b7e2e37d2934c727fd

SHA512
520f40e65760d99d03a24fae5a627731de8239b08b7b0e05e21c0612b352deb81c8e09194c41eecc68c145453c3bb7e336642ca3ffd98d3c95ba3cfdafc7c551

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d2652637a3aeaf741b16ea92281319b1

SHA1
79a6eefc54989222b6c273d2c76d0cf9f82e2cd5

SHA256
b0ca8bbbcc4a63c742f909d04763df65615f410e2c49f40082d96dcd22fc9119

SHA512
db7d6e7ee50bb601380bb1db1c99a24b8d39ae05cdf9263e5f0ce9b20b8af136a31d64edb98967e2cb59fa5ecf560c5420f1a585619297701a8616048abeeee9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8

Filesize
170B

MD5
04934b45c397d600a62fbd48ee21d421

SHA1
96ca3865d70d972f75f0e43e212dc0deb6d45605

SHA256
21e53ba01daee900306cd480138cd44b69e8af4c24e3c848e256c80b74398cd7

SHA512
e432591aa8f9c52b85625e672af881e802b9f5f0655fe4eaceef9b38978120be2c67d342581f0aed78ae234097495b0cf2edce6fa1cb5c5e6d895fa50b3f2202

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C02877841121CC45139CB51404116B25_252B35A0C9E78A87AECDDBB68FF7B1F0

Filesize
398B

MD5
481c4ee6a35e0d531d2450319c21dc46

SHA1
98f10123220a3a43df75065a300b13d37033ce5b

SHA256
227e1c3cb22dd6ae98a9cf7bfd0be714a46a9541e542f8d2404c3352c40a1b62

SHA512
927b6e33987ed0914914478497e0d83267944ebe07797af943cd1a8e97c7631fe2c98e2de4bf02d2302618899f3223d035cb5056c4261a65f9684efb6b775d85

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C02877841121CC45139CB51404116B25_252B35A0C9E78A87AECDDBB68FF7B1F0

Filesize
398B

MD5
7b667ac525d4e9594db010d5338e9a83

SHA1
8cb08f76b290f681338942a6447bb95abc108623

SHA256
b3a7218697c813cb06e2e08d3bc78844fd40a4b53db274acf11013452559caa8

SHA512
8865f28fcf0232b7f7d82109449f031c4e08f4e2730e95d0f1b929bc1fef7e4c5634a143f44683bbcc3ef0def5af1b8a9396db79f9d96712a920e1b155172ead

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C02877841121CC45139CB51404116B25_252B35A0C9E78A87AECDDBB68FF7B1F0

Filesize
398B

MD5
2cdd30e2c753d8f2dec0d5395b348abf

SHA1
5663ae8e99ccfdcc1c881618352a55b4a0aab053

SHA256
14440c5cb0b181df30b2ce981fd42e6e940aeb26684a766ba39e02db12aa1289

SHA512
d265de061498b711d7ccc287d14856aa4c90d4734f03156a515efbc83231ca791e1fe44b5149c353c5e3e0675a5fc374681624bd7ff2100cdba9a64bf394441e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C02877841121CC45139CB51404116B25_55209007C2DA2D56C1F9D41F7B3BBB66

Filesize
406B

MD5
7b77ce67509eb32697d4f4245f9ded0c

SHA1
099fd6ca573374f1ff6a15a798fc065000abdf41

SHA256
3ef232eca58d168a32774230a70e8f05fa140e1b0a7b7ef1b6c9091a582a3ae8

SHA512
6eabfc47ae0cc3e3c04bb128571c00cfc36c18f29ce408b8645d6e11af0a1f399343f9981ece3df8bf3032cdac01c6cb86aaac7dc69516c482048406877867b4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
5381d243131e4449a25e0c440d6eec24

SHA1
8f3520e3bca0ced09dc25a4ab2766363f1a04276

SHA256
5fb5f9f99aed19701b2bb8f3f620e8b135354a5ab4cb6b497754765f77b6dfa1

SHA512
72ef219e823e7f77e7f2839a49b2192d9a99700fddd5997fb55c72d583a6c099b78e9de34cc646986ca502e7125525d8403413440fbb628c6657b3cfd848d06d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{19B36301-D6DA-11EF-86F5-E699F793024F}.dat

Filesize
5KB

MD5
b34c51393e462c3487fd7307a20b6fbe

SHA1
4b8155a832ed22b95100b4cbcdc0358f2aa2873d

SHA256
c0dbbebd40dda9e9153dad1a6adf55aaf7adab9872cd8a7283f9df25087261d5

SHA512
5a063c42f4c56944764b38312fe91daf67fa453c8c24504e2dee11b5a3d5789bc61c818b6a9666c80ad595cb8a3fbd61c19f15f209a05d124461b0c25d9ec55a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{19B5C461-D6DA-11EF-86F5-E699F793024F}.dat

Filesize
4KB

MD5
c5f6175fdac4159ed385f164e85e54f2

SHA1
e0cb83781c7a5b81bae508d90073c3dbb5639f17

SHA256
d44e0b6e8a4ab77bf628f3b0d8c1f88c0b8e4017b86016b6b7bccaff57a74c96

SHA512
d1eea4d86b101ef1a4597d0f91b500fb7947f07bb88eb6c1d7764ee148d1826f1d6010813ae0e7351c613ebfedab7ff77167e71a8fe61af3f4718d2fdcff6417

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{19B5C461-D6DA-11EF-86F5-E699F793024F}.dat

Filesize
3KB

MD5
e6901f4b018e9e86cd747bd1f4ddf4e2

SHA1
a9248fbf37c92a70b684ce431562175e1f988a45

SHA256
3a7edefc16c30ce985273afcf4175f8406163738592fab687b4f54700ae79d86

SHA512
0e3fbcb1925beb511fe051abbea4aa9141caa969a5c40259cb092bc371532c7c12e2fbadadcd2e9cd7f8e12377b1acedb2f0e13b57b9d01bf252b810ac361332

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{19B825C1-D6DA-11EF-86F5-E699F793024F}.dat

Filesize
5KB

MD5
d01c60fa28289ed95ca6076c2ff42520

SHA1
541529cc3cba1533fac7b161798b031b16c686b0

SHA256
0698065c8d3dcac6d08af7a010d7eaf3b8c90898226b5574947457426ac6c06c

SHA512
043c69aea6f43336f1c015326f563fba1de05425f0a027d42f13847b6db48f2122f57ccf4c20b79199d9bbccb9074e4932ea4f8773909aa20bfa2f1cc154f7a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\gsz3hkd\imagestore.dat

Filesize
1KB

MD5
8c02b3c7a42111686df19885449ce534

SHA1
d99508203cb2d1fdba6913887e00e14c3e2de297

SHA256
e0918217a8c03441a6af9f11943046bb02c51953d85f1dc0e801e9d9a99a5761

SHA512
39cce5ab9a904e315ef49739c00be6e41e2108b742c9ea530198bba99f2641e3be7fbbc77d82829ff24f430c4e9151e27c399b3ed5a1f67e08bf3f217cb26e59

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\gsz3hkd\imagestore.dat

Filesize
2KB

MD5
9df578d66dffa497a3b2b6400e166395

SHA1
2861efbe78aacac42060c225498c9388243bcc6a

SHA256
41eb6c2eb654bd708a059a8d527393c79ad317a89fcc522fadb39227b3df59ed

SHA512
65f2a32d83eb6326a550fbb03df84d73288aa0d042e187dfaf314e113fd61ce2efa4a491534e8a358e56c3785d74a597464d9799dd1dde170735e4941c309d51

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8452S9S3\favicon[1].ico

Filesize
1KB

MD5
f2a495d85735b9a0ac65deb19c129985

SHA1
f2e22853e5da3e1017d5e1e319eeefe4f622e8c8

SHA256
8bb1d0fa43a17436d59dd546f6f74c76dc44735def7522c22d8031166db8911d

SHA512
6ca6a89de3fa98ca1efcf0b19b8a80420e023f38ed00f4496dc0f821cea23d24fb0992cee58c6d089f093fdefca42b60bb3a0a0b16c97b9862d75b269ae8463b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\IAE3FJ0M\vcd15cbe7772f49c399c6a5babf22c1241717689176015[2].js

Filesize
19KB

MD5
ec18af6d41f6f278b6aed3bdabffa7bc

SHA1
62c9e2cab76b888829f3c5335e91c320b22329ae

SHA256
8a18d13015336bc184819a5a768447462202ef3105ec511bf42ed8304a7ed94f

SHA512
669b0e9a545057acbdd3b4c8d1d2811eaf4c776f679da1083e591ff38ae7684467abacef5af3d4aabd9fb7c335692dbca0def63ddac2cd28d8e14e95680c3511

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab1F4.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Jp3qM9KH.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\Jp3qM9KH.xlsm

Filesize
27KB

MD5
9902d2997815a2375feaac6737469eba

SHA1
2fd304ac4c26a4970e295f9daf3e4c7499641cb9

SHA256
600926e362b8616d2cbfe38500d859cd252f4cde7202e351ea3f28d3d7d3403c

SHA512
2dc9dec6c1b317257f7adfa1c8dd886855702ce9630fb0a3af5a5c6cf0ba82708aa72a083e9d5d65243def57f61ab15095df5038cad5226d89473fb4d2d0c07f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar205.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_9eb4b11792b3467349e163d207066fc65e911d77d317456bf58f96cc1913e4f2N.exe

Filesize
1.3MB

MD5
b9773451b024cd03b844bc09cd17a3f4

SHA1
c3b11a40d7e141b1712e89ec6f4d0a7a273f7e6f

SHA256
8a1cda86fda420345e59cf46954aa2ac713a4549d2d2a2f36f27c0f5f01a1a82

SHA512
44923981b897fa080684960375eb5dcf562e86b1de012126ccad8bcd147e0b78eded1dec00faacef8a273355d553829f6e7c1ac101c6ccde8d976426b952312b

Download Submit
memory/2408-40-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2468-39-0x0000000000970000-0x0000000000ABE000-memory.dmp

Filesize
1.3MB

Download
memory/2516-18-0x00000000739CE000-0x00000000739CF000-memory.dmp

Filesize
4KB

Download
memory/2516-731-0x00000000739CE000-0x00000000739CF000-memory.dmp

Filesize
4KB

Download
memory/2516-41-0x0000000005060000-0x0000000005274000-memory.dmp

Filesize
2.1MB

Download
memory/2516-28-0x0000000001300000-0x000000000144E000-memory.dmp

Filesize
1.3MB

Download
memory/2932-0-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/2932-27-0x0000000000400000-0x000000000060A000-memory.dmp

Filesize
2.0MB

Download
memory/2972-730-0x0000000000400000-0x000000000060A000-memory.dmp

Filesize
2.0MB

Download
memory/2972-1211-0x0000000000400000-0x000000000060A000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads