Analysis
-
max time kernel
150s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
20-01-2025 07:08
General
-
Target
95ac1cb5a12aa976d60eb2b2e0639c61311a8430f4b4656aebc56b85ec2abff4.exe
-
Size
3.6MB
-
MD5
575b18de3bde4f0bac81569918c71040
-
SHA1
fedcaebb7ac62e2cc2f792a6efd7b5feadfd387c
-
SHA256
95ac1cb5a12aa976d60eb2b2e0639c61311a8430f4b4656aebc56b85ec2abff4
-
SHA512
c131d03c17da866ffbb97c56c1fd0798f12ed60c17253f6fdabbb77eadd3650b18d20ad6e16e938219e54899b32c412006d0a2ff2a5aecf4cf572df00d0df6fb
-
SSDEEP
49152:/YZnsHyjtk2MYC5GD/YKnsHyjtk2MYC5GDsYS1Q+09xqoWh5GisYxMGyN0F:QZnsmtk2a/Knsmtk2aGS6bRWTGZYaG8Q
Malware Config
Extracted
xred
xred.mooo.com
-
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1
http://xred.site50.net/syn/SUpdate.ini
https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download
https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1
http://xred.site50.net/syn/Synaptics.rar
https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download
https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1
http://xred.site50.net/syn/SSLLibrary.dll
Signatures
-
Modifies WinLogon for persistence 2 TTPs 2 IoCs
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
-
Xred
Xred is backdoor written in Delphi.
-
Xred family
-
Boot or Logon Autostart Execution: Active Setup 2 TTPs 8 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Checks computer location settings 2 TTPs 21 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 57 IoCs
-
Loads dropped DLL 36 IoCs
-
Adds Run key to start application 2 TTPs 15 IoCs
-
Drops file in Windows directory 6 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 61 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks processor information in registry 2 TTPs 33 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 33 IoCs
-
Modifies registry class 21 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of SetWindowsHookEx 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\95ac1cb5a12aa976d60eb2b2e0639c61311a8430f4b4656aebc56b85ec2abff4.exe"C:\Users\Admin\AppData\Local\Temp\95ac1cb5a12aa976d60eb2b2e0639c61311a8430f4b4656aebc56b85ec2abff4.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\users\admin\appdata\local\temp\95ac1cb5a12aa976d60eb2b2e0639c61311a8430f4b4656aebc56b85ec2abff4.exec:\users\admin\appdata\local\temp\95ac1cb5a12aa976d60eb2b2e0639c61311a8430f4b4656aebc56b85ec2abff4.exe2⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\ProgramData\Synaptics\Synaptics.exe"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate3⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\users\admin\appdata\local\temp\._cache_synaptics.exec:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate5⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\ProgramData\Synaptics\Synaptics.exe"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate6⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\users\admin\appdata\local\temp\._cache_synaptics.exec:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate8⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\ProgramData\Synaptics\Synaptics.exe"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate9⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate10⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\users\admin\appdata\local\temp\._cache_synaptics.exec:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate11⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
-
C:\ProgramData\Synaptics\Synaptics.exe"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate12⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
-
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate13⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
\??\c:\users\admin\appdata\local\temp\._cache_synaptics.exec:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate14⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
-
C:\ProgramData\Synaptics\Synaptics.exe"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate15⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
-
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate16⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
\??\c:\users\admin\appdata\local\temp\._cache_synaptics.exec:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate17⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
-
C:\ProgramData\Synaptics\Synaptics.exe"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate18⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
-
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate19⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
\??\c:\users\admin\appdata\local\temp\._cache_synaptics.exec:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate20⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
-
C:\ProgramData\Synaptics\Synaptics.exe"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate21⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
-
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate22⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
\??\c:\users\admin\appdata\local\temp\._cache_synaptics.exec:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate23⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
-
C:\ProgramData\Synaptics\Synaptics.exe"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate24⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
-
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate25⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\users\admin\appdata\local\temp\._cache_synaptics.exec:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate26⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
-
C:\ProgramData\Synaptics\Synaptics.exe"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate27⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
-
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate28⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\users\admin\appdata\local\temp\._cache_synaptics.exec:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate29⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
-
C:\ProgramData\Synaptics\Synaptics.exe"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate30⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
-
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate31⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\users\admin\appdata\local\temp\._cache_synaptics.exec:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate32⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
-
C:\ProgramData\Synaptics\Synaptics.exe"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate33⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
-
C:\Users\Admin\AppData\Local\icsys.icn.exeC:\Users\Admin\AppData\Local\icsys.icn.exe32⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe33⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\icsys.icn.exeC:\Users\Admin\AppData\Local\icsys.icn.exe29⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe30⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\icsys.icn.exeC:\Users\Admin\AppData\Local\icsys.icn.exe26⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe27⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\icsys.icn.exeC:\Users\Admin\AppData\Local\icsys.icn.exe23⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe24⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\icsys.icn.exeC:\Users\Admin\AppData\Local\icsys.icn.exe20⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe21⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\icsys.icn.exeC:\Users\Admin\AppData\Local\icsys.icn.exe17⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe18⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\icsys.icn.exeC:\Users\Admin\AppData\Local\icsys.icn.exe14⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe15⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\icsys.icn.exeC:\Users\Admin\AppData\Local\icsys.icn.exe11⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe12⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\icsys.icn.exeC:\Users\Admin\AppData\Local\icsys.icn.exe8⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe9⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\icsys.icn.exeC:\Users\Admin\AppData\Local\icsys.icn.exe5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\icsys.icn.exeC:\Users\Admin\AppData\Local\icsys.icn.exe2⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe3⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE4⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\system\svchost.exec:\windows\system\svchost.exe5⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe PR6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\at.exeat 07:10 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe6⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\at.exeat 07:11 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe6⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\at.exeat 07:12 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe6⤵
- System Location Discovery: System Language Discovery
-
-
-
-
-
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding1⤵
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding1⤵
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding1⤵
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding1⤵
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding1⤵
- Checks processor information in registry
- Enumerates system info in registry
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
3Active Setup
1Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
3Active Setup
1Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Defense Evasion
Hide Artifacts
1Hidden Files and Directories
1Modify Registry
4Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
753KB
MD5ceab064b6d1d8ba57444371889936da1
SHA1ed748ba18c6dadf05e9a6aa008443d055375e71e
SHA2566e0d8597ac91fcebce2757d5ccdff21f256c857b7a3ab06d7da3113ac24c6b3b
SHA512c65afe84060cdf24a8ebca454eca6aa0eb73cb5898c6106dec490f2c37cbac6173d3ea5302812787ff137fea219b4d7506b68f193b4709aff03a46157fc82b24
-
Filesize
177KB
MD51ca4cf0ad26460131c6445075cc77c08
SHA1da3673bb6d7057ec921c37c7f390982f38ae4b0c
SHA2561cfd301ff83225ebcc3ac928511cf318a030c582aa7ba19e4c92060d28b325b6
SHA512495ff279ef6b942739f5f7d19f712d016156d1e22ec4b33ca93b76178621154d155635ff524e71f12ab6fe9cf88f97ff427ebf75f30922713b5650093a1b121a
-
Filesize
2KB
MD5c815be5fe8580055324f8238891f9fd6
SHA11592590568929fc56c9e7103983d273815eaf404
SHA25604aa08fd5eb7eebe02bc5a7cfd4535e51b6d41641bfeda553984fefdbd33bd09
SHA512e636f9e95ea8680f4538c4beeae3eee5edf240545fbeafebfa5ab160a36ca3704928ca3b68bda3aa5464bf103c1244c61c1841030a5d3ef22b35fb81c135609c
-
Filesize
2KB
MD54103d09a6f9d4417457a876be9b219fa
SHA199c7b7f71dcd53543c6a28084ccd977a8e070058
SHA2560d9941f08846a9cc3aae009e31fd2c3dd62c30126719f8f95fa30e52bc0ef4f6
SHA5125380699103c242597fd550fce4aa8c451147a85d5236322ac70372cc45189f7f6a79b05c026925166d11a541fdeb60dd62d8942f9a4e534abdc2d3e8d16dcb27
-
Filesize
1.7MB
MD5bc95b2206dd7637fe20a16798c406745
SHA1e77612a366109cd0359917b9a177aa114ba7ca83
SHA25609b41d9c265effd7b2bc78cbaee81c3e977c718ddcedcb506f69ffa178eb5a74
SHA5121d081aea628f10327649404114fa571cc87b053ae195a90ff5d4d59c21c8a932d716a32ea252aac324fa0c39bdab8c46bcc9fe85dccc7dc7312d1d22fb4f6540
-
Filesize
2.6MB
MD5ffa2e235448687e2b7e37bb8a99f38c9
SHA1153b873d572fb6bc8794f7aeec9c208d50182489
SHA256e6edb39132b26125704af6d10cd43f9153cadafa9e8692b809749ef0bb973161
SHA51232d3829bb1d0e0ac21b7cc3d3d3f0e71a5944ebccbdbe7837b0f8608a91859865cad7b26469ff230a2c7720d2f19784ae51cc62cc27c86553d01451cb72d792b
-
Filesize
21KB
MD507a43275aa8fb10c70140453ba0d31d9
SHA1547972113c519433ea8cbb6a3b4bc10ae1862bf7
SHA256215653fce998dcacec92c677e132dcfd283a894bb39c4a8e67c77c3346d019ae
SHA5125f4eff5bceb8e312cd53b82e8c3ba202cc11867d6f4d364b766ffc38c843ad2a9a68bc8664117594b41da62d0c006da4a829a4be39f3448da0954b68ee81bb7f
-
Filesize
3.4MB
MD5b7de67b0a46cb2b9323b251d34d34708
SHA1993564e1f3bde5422da5b8e74711868725e2c9df
SHA2564c3a7ee11791b181152ba80fc0c29eef05f6a6617aff56ef0edbb4919fde9581
SHA512b407a869cc5b5e86afff7bbfb24ee4c060cd4600d2fc5ef88de3c804299edcf63a0376209a6f2a9175da659608c12ddf0cea5225106646b83dbda10103fdf25f
-
Filesize
206KB
MD5bd7b5016453c5b3414a4eb30747f0f5e
SHA1f143f1bdaaafe645607024424dc8d8178ca89868
SHA256a3a6970b431c34714ee58bccf9668115194262a7e39f19a58fd8d94249568aae
SHA51282af27b4408c84bca5bad2737da410cb64f691131a603aad4aa4029d8b76194077118bd5147208d8a952248e0077de8db6c74aba247abefc6a1eadb2f0fbd139
-
Filesize
206KB
MD53343be9774d2c669a6cd6f1296ebeae8
SHA1cf675b229c99320d12201e2a1a3d7d32d26c8485
SHA256efc65b4655e6adef136bf0413e6fe45f70fe990528887fac719f9a03e945a0e2
SHA512f9048d3b02ed7ee56d48c9aa21e5ef2e7bfe1ae6a7517741238fc765568024de65fe82ac94e19e7ef8ac17666407462ed664be059db6b5f5c734f6f8780c14b1
-
Filesize
206KB
MD5b1e3711b0559d42857dad402f7adb23d
SHA1102fad7a7946e0072df27f1940cd2604531c940e
SHA2561a6e0211dfc6d2a421e5ebbd517bf1f782d437b5352849876837eadacdabfc74
SHA5123998de50da5c1b1c999cd80b7081f65e12969462c93f6a432d7688b2252a4c3b360b4de81cf55fbfddb64cb68576473fb67592e2969c05e67574b709e300ef86
-
Filesize
206KB
MD583e8fd6bdf93fa73b1b4f3ad6e3e9159
SHA16625d3999496440496179c6af2f9804d1fad5e35
SHA25652297f704f544f546f6e7a5d52639c9852c04e11482263ec69db754f0a029d43
SHA512aef53f8064462deed938d16307b12ca1239f8d0a470d8cf3130cf0fc707b9b6fbbe54d147c043a3ebed35addd94d2852293a92bfd13c5a62baf8a18c7902c90d
-
Filesize
206KB
MD57435c43373f5df94417b1d88a0c37069
SHA152e53eae786a0456e84986ffb22dfdc7dbc0de8b
SHA256e8f511114a718774d9ba8f494c2edc9856a73f677dca3e92236a0a98d87348c3
SHA512572fb8dba47ab61d7faad63c0d53733f4d8b9bbab48d914b3ff5282d5d4ebe0a92700f1d21da48a525316296293c0f1ea669149764b3d912d6dc82f611549d9a
-
Filesize
206KB
MD5f52ba1a6e034eafcc79d65165180e319
SHA13d0a8c7ba85ea645200cefac549d157a3ae639ea
SHA256e1413266beaafb7c3262cf9af09f43094956d3c7294a938c8cd51cf2ffad95bc
SHA512bf1c64e075099f65d1fe86639fb77c0bdd27dfbd912b1d6a00445ba412cd0667aa6aebf29a5ecdd76cedfbf652c4a8dc5bd679d03d614a28dfec5c0e21cd6a8d
-
Filesize
2.4MB
MD56aea658a809df0b4e0f2b52204fa1e31
SHA1a1819c28ce05dd8521d74dae1375ad9699791dc0
SHA256ea4087068126db22d789769a45831897cdd3060ea0d7f6368f515b479dde1208
SHA5129ed22b45fdbb4d17fce304d578b3387bfdf1fdca353c2011249987f25d264f443a3b6d1099449fb558f9821c634c2c0a4b5b16dda2c7a1b25076acb4d93c20d3
-
Filesize
260KB
-
Filesize
260KB
-
Filesize
260KB
-
Filesize
260KB
-
Filesize
260KB
-
Filesize
260KB
-
Filesize
2.5MB
-
Filesize
260KB
-
Filesize
260KB
-
Filesize
260KB
-
Filesize
260KB
-
Filesize
2.5MB
-
Filesize
260KB
-
Filesize
260KB
-
Filesize
260KB
-
Filesize
260KB
-
Filesize
260KB
-
Filesize
3.4MB
-
Filesize
4KB
-
Filesize
260KB
-
Filesize
260KB
-
Filesize
2.5MB
-
Filesize
260KB
-
Filesize
260KB
-
Filesize
260KB
-
Filesize
260KB
-
Filesize
260KB
-
Filesize
260KB
-
Filesize
2.5MB
-
Filesize
260KB
-
Filesize
260KB
-
Filesize
260KB
-
Filesize
260KB
-
Filesize
260KB
-
Filesize
260KB
-
Filesize
260KB
-
Filesize
2.5MB
-
Filesize
260KB
-
Filesize
260KB
-
Filesize
2.5MB
-
Filesize
260KB
-
Filesize
260KB
-
Filesize
2.5MB
-
Filesize
260KB
-
Filesize
260KB
-
Filesize
260KB
-
Filesize
260KB
-
Filesize
2.5MB
-
Filesize
260KB
-
Filesize
260KB
-
Filesize
260KB
-
Filesize
3.4MB
-
Filesize
260KB
-
Filesize
260KB
-
Filesize
260KB
-
Filesize
260KB
-
Filesize
260KB
-
Filesize
260KB
-
Filesize
2.5MB
-
Filesize
260KB
-
Filesize
2.5MB
-
Filesize
260KB
-
Filesize
260KB
-
Filesize
2.5MB
-
Filesize
260KB
-
Filesize
260KB
-
Filesize
260KB
-
Filesize
260KB
-
Filesize
260KB
-
Filesize
260KB
-
Filesize
260KB
-
Filesize
260KB
-
Filesize
260KB
-
Filesize
2.5MB
-
Filesize
260KB
-
Filesize
260KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
260KB
-
Filesize
2.5MB
-
Filesize
260KB
-
Filesize
260KB
-
Filesize
260KB
-
Filesize
260KB
-
Filesize
260KB
-
Filesize
260KB