xred | 0606279933789b017a32a8b929f24524647249029e68c51b0b05386bb7c86590

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21-01-2025 03:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0606279933789b017a32a8b929f24524647249029e68c51b0b05386bb7c86590.exe
Size

2.0MB
MD5

a163c7bc85bb9c2a1e55cf1bdbc6a334
SHA1

871c64f2c6297038ebbac6616bc535d09db38673
SHA256

0606279933789b017a32a8b929f24524647249029e68c51b0b05386bb7c86590
SHA512

dec52080226cf1f16107750b5cccc500033ecd050d5ae022f640761d3f5f29cb6ba1c86d845c04ed4321319572a8924a9d72ce2c6bf7897c71744c99f9f55d23
SSDEEP

49152:qnsHyjtk2MYC5GDczMmPITYbNbNWo4kSH3OqtwIz3:qnsmtk2aFzFPIT4bNJFY3OqtP3

Score

10^/10

xred backdoor discovery persistence

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Executes dropped EXE 3 IoCs

pid	Process
2728	._cache_0606279933789b017a32a8b929f24524647249029e68c51b0b05386bb7c86590.exe
1012	Synaptics.exe
3012	._cache_Synaptics.exe

Loads dropped DLL 5 IoCs

pid	Process
2684	0606279933789b017a32a8b929f24524647249029e68c51b0b05386bb7c86590.exe
2684	0606279933789b017a32a8b929f24524647249029e68c51b0b05386bb7c86590.exe
2684	0606279933789b017a32a8b929f24524647249029e68c51b0b05386bb7c86590.exe
1012	Synaptics.exe
1012	Synaptics.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	0606279933789b017a32a8b929f24524647249029e68c51b0b05386bb7c86590.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0606279933789b017a32a8b929f24524647249029e68c51b0b05386bb7c86590.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_0606279933789b017a32a8b929f24524647249029e68c51b0b05386bb7c86590.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	._cache_Synaptics.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	._cache_Synaptics.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	._cache_0606279933789b017a32a8b929f24524647249029e68c51b0b05386bb7c86590.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	._cache_0606279933789b017a32a8b929f24524647249029e68c51b0b05386bb7c86590.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	._cache_0606279933789b017a32a8b929f24524647249029e68c51b0b05386bb7c86590.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{F0065551-D7A4-11EF-9917-D686196AC2C0} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "443590754"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff5600000000000000dc04000065020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{F003F3F1-D7A4-11EF-9917-D686196AC2C0} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{F008DDC1-D7A4-11EF-9917-D686196AC2C0} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff5600000000000000dc04000065020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 90ee6bc5b16bdb01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
2612	iexplore.exe
2460	iexplore.exe
2540	iexplore.exe
2204	iexplore.exe

Suspicious use of SetWindowsHookEx 16 IoCs

pid	Process
2612	iexplore.exe
2612	iexplore.exe
2204	iexplore.exe
2204	iexplore.exe
2460	iexplore.exe
2460	iexplore.exe
2540	iexplore.exe
2540	iexplore.exe
2876	IEXPLORE.EXE
2876	IEXPLORE.EXE
1756	IEXPLORE.EXE
1756	IEXPLORE.EXE
2472	IEXPLORE.EXE
2472	IEXPLORE.EXE
2992	IEXPLORE.EXE
2992	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 2684 wrote to memory of 2728	2684	0606279933789b017a32a8b929f24524647249029e68c51b0b05386bb7c86590.exe	30
PID 2684 wrote to memory of 2728	2684	0606279933789b017a32a8b929f24524647249029e68c51b0b05386bb7c86590.exe	30
PID 2684 wrote to memory of 2728	2684	0606279933789b017a32a8b929f24524647249029e68c51b0b05386bb7c86590.exe	30
PID 2684 wrote to memory of 2728	2684	0606279933789b017a32a8b929f24524647249029e68c51b0b05386bb7c86590.exe	30
PID 2684 wrote to memory of 1012	2684	0606279933789b017a32a8b929f24524647249029e68c51b0b05386bb7c86590.exe	31
PID 2684 wrote to memory of 1012	2684	0606279933789b017a32a8b929f24524647249029e68c51b0b05386bb7c86590.exe	31
PID 2684 wrote to memory of 1012	2684	0606279933789b017a32a8b929f24524647249029e68c51b0b05386bb7c86590.exe	31
PID 2684 wrote to memory of 1012	2684	0606279933789b017a32a8b929f24524647249029e68c51b0b05386bb7c86590.exe	31
PID 1012 wrote to memory of 3012	1012	Synaptics.exe	32
PID 1012 wrote to memory of 3012	1012	Synaptics.exe	32
PID 1012 wrote to memory of 3012	1012	Synaptics.exe	32
PID 1012 wrote to memory of 3012	1012	Synaptics.exe	32
PID 3012 wrote to memory of 2612	3012	._cache_Synaptics.exe	33
PID 3012 wrote to memory of 2612	3012	._cache_Synaptics.exe	33
PID 3012 wrote to memory of 2612	3012	._cache_Synaptics.exe	33
PID 3012 wrote to memory of 2612	3012	._cache_Synaptics.exe	33
PID 2728 wrote to memory of 2460	2728	._cache_0606279933789b017a32a8b929f24524647249029e68c51b0b05386bb7c86590.exe	34
PID 2728 wrote to memory of 2460	2728	._cache_0606279933789b017a32a8b929f24524647249029e68c51b0b05386bb7c86590.exe	34
PID 2728 wrote to memory of 2460	2728	._cache_0606279933789b017a32a8b929f24524647249029e68c51b0b05386bb7c86590.exe	34
PID 2728 wrote to memory of 2460	2728	._cache_0606279933789b017a32a8b929f24524647249029e68c51b0b05386bb7c86590.exe	34
PID 3012 wrote to memory of 2204	3012	._cache_Synaptics.exe	35
PID 3012 wrote to memory of 2204	3012	._cache_Synaptics.exe	35
PID 3012 wrote to memory of 2204	3012	._cache_Synaptics.exe	35
PID 3012 wrote to memory of 2204	3012	._cache_Synaptics.exe	35
PID 2728 wrote to memory of 2540	2728	._cache_0606279933789b017a32a8b929f24524647249029e68c51b0b05386bb7c86590.exe	36
PID 2728 wrote to memory of 2540	2728	._cache_0606279933789b017a32a8b929f24524647249029e68c51b0b05386bb7c86590.exe	36
PID 2728 wrote to memory of 2540	2728	._cache_0606279933789b017a32a8b929f24524647249029e68c51b0b05386bb7c86590.exe	36
PID 2728 wrote to memory of 2540	2728	._cache_0606279933789b017a32a8b929f24524647249029e68c51b0b05386bb7c86590.exe	36
PID 2612 wrote to memory of 2876	2612	iexplore.exe	37
PID 2612 wrote to memory of 2876	2612	iexplore.exe	37
PID 2612 wrote to memory of 2876	2612	iexplore.exe	37
PID 2612 wrote to memory of 2876	2612	iexplore.exe	37
PID 2204 wrote to memory of 2992	2204	iexplore.exe	38
PID 2204 wrote to memory of 2992	2204	iexplore.exe	38
PID 2204 wrote to memory of 2992	2204	iexplore.exe	38
PID 2204 wrote to memory of 2992	2204	iexplore.exe	38
PID 2460 wrote to memory of 1756	2460	iexplore.exe	39
PID 2460 wrote to memory of 1756	2460	iexplore.exe	39
PID 2460 wrote to memory of 1756	2460	iexplore.exe	39
PID 2460 wrote to memory of 1756	2460	iexplore.exe	39
PID 2540 wrote to memory of 2472	2540	iexplore.exe	40
PID 2540 wrote to memory of 2472	2540	iexplore.exe	40
PID 2540 wrote to memory of 2472	2540	iexplore.exe	40
PID 2540 wrote to memory of 2472	2540	iexplore.exe	40

C:\Users\Admin\AppData\Local\Temp\0606279933789b017a32a8b929f24524647249029e68c51b0b05386bb7c86590.exe
"C:\Users\Admin\AppData\Local\Temp\0606279933789b017a32a8b929f24524647249029e68c51b0b05386bb7c86590.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2684
- C:\Users\Admin\AppData\Local\Temp\._cache_0606279933789b017a32a8b929f24524647249029e68c51b0b05386bb7c86590.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_0606279933789b017a32a8b929f24524647249029e68c51b0b05386bb7c86590.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Enumerates system info in registry
  - Suspicious use of WriteProcessMemory
  PID:2728
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" https://youtube.com/watch?v=RfDTdiBq4_o
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2460
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2460 CREDAT:275457 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1756
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" https://keyauth.cc/app/
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2540
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2540 CREDAT:275457 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2472
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1012
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Enumerates system info in registry
    - Suspicious use of WriteProcessMemory
    PID:3012
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" https://youtube.com/watch?v=RfDTdiBq4_o
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2612
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2612 CREDAT:275457 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2876
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" https://keyauth.cc/app/
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2204
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2204 CREDAT:275457 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
2.0MB

MD5
a163c7bc85bb9c2a1e55cf1bdbc6a334

SHA1
871c64f2c6297038ebbac6616bc535d09db38673

SHA256
0606279933789b017a32a8b929f24524647249029e68c51b0b05386bb7c86590

SHA512
dec52080226cf1f16107750b5cccc500033ecd050d5ae022f640761d3f5f29cb6ba1c86d845c04ed4321319572a8924a9d72ce2c6bf7897c71744c99f9f55d23

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\05DDC6AA91765AACACDB0A5F96DF8199

Filesize
854B

MD5
e935bc5762068caf3e24a2683b1b8a88

SHA1
82b70eb774c0756837fe8d7acbfeec05ecbf5463

SHA256
a8accfcfeb51bd73df23b91f4d89ff1a9eb7438ef5b12e8afda1a6ff1769e89d

SHA512
bed4f6f5357b37662623f1f8afed1a3ebf3810630b2206a0292052a2e754af9dcfe34ee15c289e3d797a8f33330e47c14cbefbc702f74028557ace29bf855f9e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
e916bf18056025baa8a6b8f0e24ed0f0

SHA1
6672ef5df4a2dc7c53c4268756b8ff1c1af7b9d7

SHA256
e0829662f7529ffb3440bb8e4fe23e86635ee65295860eda134c3a681e9243c1

SHA512
5007d0380c4a87542d129a6e30a7cf56ff4c2258534633b14d8fd9409c5016e2ae6d95d33fc0fe85840fd280c0eae87cf0b1e96cd47cf00a2cde308d4dc252c2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\4FA45AE1010E09657982D8D28B3BD38E_E4543EAB994D579360C32C5CC59A22C6

Filesize
472B

MD5
fb20eee716630f1110db217dbfed9550

SHA1
50ae857eacbc3ab32b531abcb31326d5e3304e3c

SHA256
2ccb9757c4ea4b573061ebcac876f4b1a8630316754d887769110238644d6520

SHA512
f56c1fef43c4e85aeb305789093da45ab723c92c69e6ddab05c3d25b87e8a24e60f1e12129c626e9922267ca2f6ef5eee750e3f3d46fe860afafab7f8f431b64

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
1KB

MD5
c9be626e9715952e9b70f92f912b9787

SHA1
aa2e946d9ad9027172d0d321917942b7562d6abe

SHA256
c13e8d22800c200915f87f71c31185053e4e60ca25de2e41e160e09cd2d815d4

SHA512
7581b7c593785380e9db3ae760af85c1a889f607a3cd2aa5a2695a0e5a0fe8ee751578e88f7d8c997faeda804e2fc2655d859bee2832eace526ed4379edaa3f5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8

Filesize
436B

MD5
971c514f84bba0785f80aa1c23edfd79

SHA1
732acea710a87530c6b08ecdf32a110d254a54c8

SHA256
f157ed17fcaf8837fa82f8b69973848c9b10a02636848f995698212a08f31895

SHA512
43dc1425d80e170c645a3e3bb56da8c3acd31bd637329e9e37094ac346ac85434df4edcdbefc05ae00aea33a80a88e2af695997a495611217fe6706075a63c58

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C02877841121CC45139CB51404116B25_252B35A0C9E78A87AECDDBB68FF7B1F0

Filesize
472B

MD5
b5331b3e8b9fb7f8440acd5a33d2bf1e

SHA1
18f1e18dab6e669775792838d094325bf13e1f3b

SHA256
4758014e5f265ad20d8cc6eae3b7d89701341a4aa8ff6984dfc43ac8c02f3a5c

SHA512
89ecd97dc3d942e26c7b5c0b58505c460c3be26d2e156e17da3670642c504eeba885cad5ddea862551fec15b5aa573989cbd1b29c7c3f6844cec77bb0c9c5920

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C02877841121CC45139CB51404116B25_55209007C2DA2D56C1F9D41F7B3BBB66

Filesize
472B

MD5
3e578de0066965b8fa685a77b7e8a86f

SHA1
31f76aaf077f0f77acbf24840d531b65e1e7aa60

SHA256
79c3df904c07bb3417ea70dafe63fae6175cb68c1ce1400d4c535830a31f3060

SHA512
4dd2c1fac37c324258f8039c376ee1ceb69d3fbcdbea206bb95084a606f77f71319ebf5003bedf912ef87a9ffee9fc60109b4bac3610f6bd66d34bbd8a095d93

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\05DDC6AA91765AACACDB0A5F96DF8199

Filesize
170B

MD5
b18e4133d82283f64f9bfa030dd7105c

SHA1
351831926bb4edad73eaa4270cabe8c11595cb5a

SHA256
7d21149a2fd55165c313bb2f9a8f3dc951bcd5130d292952dfd4e6dc6b23bb89

SHA512
f21fa292007d9129d8e23b06d126b5c658a8fc3ee75e1940049ae29c65b76f79ac0c640ea0a7e070fa8caf1b3e438b9048734fd99016990fa6379ab1db1d41d3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
c80b5ba634dc22c859ce12cd59eca948

SHA1
0de6ecfb4e5fbfe7ebb9202af07e60e05e8bfaa8

SHA256
7a08b742b9a2778a6294cfdf7cf498cff89b42e76492be1e3d7219555447d038

SHA512
4d3d389d9210da4b122d21789de429c83e47fd672539738ea6310ecb40fb9be516032332159026f69ab54a75e40d2f60fb1dc294fee85dc8ab491f86bed8f4a3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
7bf3270ef4c1d15b77c1a0337c94603e

SHA1
6977d63af89faf999458c21cbf9ea4428a951d2b

SHA256
69ad46efcd59b22d76e2e7658ef744c6be57092367b4c13c7b749f9b5f470515

SHA512
3c4ff5ec46ec1f9e9283e2016d1692ee7bdaa257c822521340aa5c26d437eb7b71cd567ad566140efc264ddeb420f9d05fdf142af4b2251ee1bf39ba52017054

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\4FA45AE1010E09657982D8D28B3BD38E_E4543EAB994D579360C32C5CC59A22C6

Filesize
398B

MD5
f8d947108fb5327dfa9e6017d6bfee5c

SHA1
98dfc3ee7b396359bb28b250b77c8e6450eb8691

SHA256
0160fe8399c398989e20e827315c4e962ef8a0295d894b04d20c03ff3ba50d05

SHA512
0210a4a13e9b4213ba80c5a4a15e8bcf199105dda0c5c2d3e40db7637979a717d9078cffc12076e98d84255c1477565fb50ef84437f62ca003c22e2e218b1d32

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
174B

MD5
ea2fd626bc3daa56ab4ff87157e93e9a

SHA1
5e5e4a3e8cc300d32a8ec851677237b1c000b6fd

SHA256
23b4efe0e2c8780bd187af52dbcc4531d819a28d7bfd20ef2959c92c4c99820f

SHA512
6cdd88483e6a5f397f289b0cdbb0d8a2cad8ffa84305c03cc28f3fb546c24b03c771d1ca03c7f9beeac3fea7ae626b2615ea6edeae08ca5c0db30624bab0d9aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e99bd01f994a6659931ecacfdac4809a

SHA1
88de8e381f938a1ddf18025fb749b09a7604b235

SHA256
805d7fd5c2383d12ce515e66d108b73ecf5276acea1c36fe8d6e094ac4c2ad9c

SHA512
39a8dbdccd45c9219b4b67ef31fd883aa758496a417fd736a3f22c1bbdd99e0384a92ab7bd55c6d294476196697e5be682f9283f6155a80705a3f4176d734a28

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3abf0d1ccb7c6e010576f1d3c5dbee27

SHA1
684ba658ae5474f1cec74a5854e13d1a8fa4b72f

SHA256
1d67610c1a5e4024423f96821f9afb02d475b0133377805751a6d721c5f8eded

SHA512
c9e2a8c13270ead4d6e3cdb8a5b3500e0c0663fa3968944eefb17754f771f4bb51dc0126b7a0ba214f26a0a825edd4e5813df70ee0758058d87f0e3a13bacce1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
262f582f7a700f4cf226fdd3207bdef8

SHA1
3ae7e7d670ea50cf8c9aaafe7dc8264b4d1222ce

SHA256
574391c06a0473dcfc088889d9972126cb8341b7c67e4d509cf7839070a680ee

SHA512
65facb0af1b5caac50f29800e22f3bee011509a08a8ac458597227221842ee0ac64f2887103df69c84b33b0515e6c601131b9ca8e25b70ad181c249c5c79236d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e050fcc4cf1ce299dce97c3993915638

SHA1
7ab1ba6e1cd25695a682285e08b074950fc05f14

SHA256
26aa29aa8175702167b89091c2c9d8fc3ee40ab958295dbe316a9e1d46e5f595

SHA512
a713ffc319d8aa502a5ff0aaa949ace3583b9210ff48d87f57bd843533bef157648fb77dff27c2801772d2f9fc022e894c14de88bc0e3d8e18d26007121f1684

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d238c7769db5844224dc24e2406cd04a

SHA1
89a7d56fa94f2d9f82af562ebf0f3efdefb857ed

SHA256
fd2235ed6714007c1ed820a6c622162981b05d1cf3fd6ea1cdeba6a99a8ef4b4

SHA512
b5709933cf88670df5c5d882f81b1f8c4e4dff1c51ec5dd8d835a389864db783cf3ab78f010172ca9bae191e684b0995ee350fc35a237fc5c19d7daddfd22880

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
315fa90c7288baab57b83e91a4948bd4

SHA1
b84f950a4d04271ca57df450ecd0801f5a4c3112

SHA256
fa0b84c4938e425e39b16968b68a261cf04bf44bc999145751b08635d9e827cd

SHA512
546b212c560609fa308fa1745c45e58c0c4a61e5f8e7f169a8fd6b49dd51f17de099e86000da240d792d7600f1402808290f66dc2ec99be42fceb4fbe71be64c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
429c84e880f8cc12d53a3549f72b1621

SHA1
4384d0359e3bda3146afc2cf814d1d3e164e4527

SHA256
3e26243dbdd4f8565fe4e19a0c77e32635bb8e092e03fedd6ef4b259f5b6c602

SHA512
47ed25b6fc53693e183c0ff1a0f1134329755f84e94893db8e471f115fb8b94a9f3ae87bebe7e046ee041887066fe4c2f48c9f80c96953df0a7ccda359dbe081

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0aa1880994aac9dfd7d869f2e2db36ae

SHA1
1b985e1b699bd32a03ddf2add750786fe9d5c9d7

SHA256
8f2f8f81a8fe639741f316eb97d672ef38f26979e89c2674de9d44a6c6513a10

SHA512
7984a26b8ce8bb5329b5135a4f023c7e8dfa68a6b58f5aad66d150777df537ed5bda45578f3e19fafa57889cab5964bbfa22376c4665f30382bbf4d92a30dc4e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5c244d56f557f9b658ad432d57e5a440

SHA1
38fa19090918b558e069f91df42f78de8a69438d

SHA256
999c1a42bd2b611d3903e7adb36870038037f74626616ab004b95d6efadd4657

SHA512
e4806ed4725a52de0fc9e9ed3107834e7e1de3af89779865f179402c645360f431d5ed077752a8682697a6fc53a7a7cabb1fbc55492779975513d7fb5486312c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
47ade7005eda0726deba65bb32d1ce26

SHA1
cda3bb66eff79c54c04d72ed4a57aa216635d1cc

SHA256
ae98c7cfb792719e3b11a8f50f1bb249ab29e33abe5fd4db30aa3441147b04b1

SHA512
918f5eabf71ffc8d24270c6b8f50baa0fee3e4aad99ba4756d966d4401d3fd23395a5579cf9fbc0747874c56ae21d7ae2d68c2094ebf305b36e1e31b563bd75f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0e58a63eca4587f6f671f8a5792c9988

SHA1
8ebfdf11f7399d4552d0d6a535011292c6dd7693

SHA256
3528f6c81fc99dc7fe8d599ff5c0f827ca3922117434053f2a7c8045cf8963f9

SHA512
4801a3e259a40c2a26078e10ea0c3910bfef8f557f8933d4848410987df5c5ca08a1526dea02261bdc211a261fa47a1351fb119131be1acb46276136e53c5cb7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3035ba931787b837f53cd541c18634ff

SHA1
9ffa726b784dc44e4b3bb727681fb73da0f61682

SHA256
ed72f49f1391a428e81a84b586b216e31c9fd6f9289fcf7bb0bb90ec83310305

SHA512
b531fc4b5a34795a053b8c2da35941b13bc7099e024373263e086a5c84139961349812d3ea113a7d8dee7afc04e92e4be1e6204a9a9aab4585566065bdb8097b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0a4322ade393202f73b796233844f28f

SHA1
1a9a52624d490427bcdb190f2d01f155176dbef9

SHA256
7f49b7653b5bbfcadb6058ee24af0fef5dbd195fa2054dbe24a43fa3c86eefff

SHA512
c08ce239508f23efa0905f5821ed73dc7b2354e2a7a29685b742a82762f61113c7ad8e35a789d6165fdf29e96cc2d73bb7abc4dd84ea82fe0c779aa04c8ecf63

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fdb4ba9080ab0087c940367ca98b7848

SHA1
119e48abc6fa486327c3a7b0a59c5688ce2ea7d4

SHA256
6228018e8c21b08d8db12e9fb20af68e1b86c8883d756992a97942ec951ce159

SHA512
d932c100e13b2dc7f887dc7cdc55f064239cdc90fb5e473de92e8fa3cae08d62c5d9397b000b0279b9cd8f367ad05ca39509043f30beb5985f02a7805adb6174

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0231cebae8d8e6bad6152c7357141551

SHA1
ccfe8765bdc0c91b5432a82f90e36a5566b2fcd3

SHA256
0498bbfcfa9a579bd9eaa64d323c0cf4971edb747ca244844b47bebfb8bbe9e5

SHA512
7db5093b3d3f65c2e5693a66d868e101c1f9eb1814e2628a9d5d0fd413acaa6dbee74b4b399d724f6317a34847eed86a39e8897fa1122ef249075c52a2f6f4ec

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7d59ee2b5e6f3e6f7b57a26c53e1325a

SHA1
ef5152bb0e81b0e9ed810a09787281def740f414

SHA256
ee7d53c0a771653fe6237dfb91545fcda337a8b39f1412bb182dff10464abb07

SHA512
f318f76951f4a477575d7183a4306c643ad465432282fe6d019a8d23b330d88f232eee84561f56e12f1be567bce91f6f31739a0de3c16cf3048ced40be7ef74a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8

Filesize
170B

MD5
921c267470b31a88348d0901a4c9c0a8

SHA1
e08247216ed3eedacb1713eafb326c9771ba1143

SHA256
34e6d68beaad1c6aaf298a8a47ff8be36bb66477ef8b1afe82a630f69a99e7c7

SHA512
ee4557a56f7a58dcf905bc07b3484b2b1a1d634728218cb57906b5a89cbd4298dd17ebed02a71e3e3f6b34c6d472e6c7b021f8c1f6234b8fdb354c361b9b3f5e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C02877841121CC45139CB51404116B25_252B35A0C9E78A87AECDDBB68FF7B1F0

Filesize
398B

MD5
b7a11a0ad35a3f33118fc280e004559d

SHA1
9bd9e9cda320a93537e7d359d68c7179685441cd

SHA256
a18d7cd0fecb87dcce991ad05c3fb97dd9453be542ea1b0c371aead6de8952a7

SHA512
584ac4d8a19c5e8eed91bb829f1cd212eba51a9adba80e0999b3c366ffa377d553d21b0f3a0215a39354e2f0c8b6bde45529b8c0ee4786c237cd89bc91fc7241

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C02877841121CC45139CB51404116B25_55209007C2DA2D56C1F9D41F7B3BBB66

Filesize
406B

MD5
34669208fe0dc7573edf0fa4de3252f5

SHA1
2189e9adaff8cfcf6c3ad1aaa5cecb48a9e8c008

SHA256
23821cee4d2f0b47902655362ba74b74c4b5d0728a4f9593a52eaacfb4b9418c

SHA512
8400b7b9931841470edb80e9d7cf2d3db6ae05bba90e0ae50458aaae124eb836c17b577d872de8d52487c4045ed6d0ebe9690d4210902b9add437874310d622f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
a4789e8d2d41cc211a98007985b9eb8b

SHA1
acf24fb004c23d30e59313923226f31e6e8eb542

SHA256
0b38b4ca6e162ea492b4512a9f9b975d5409cfa366fafd1bbf2a4a470f5624b2

SHA512
a6fa2643da536ee0f98ee636b316da1c30e52222f0af938b24a1920e9a029476f4010cdc2b7b27d18d9ed30ba3ffdbe289bcd6c968ac4782732cb8c1f1da0bc0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{F0065551-D7A4-11EF-9917-D686196AC2C0}.dat

Filesize
5KB

MD5
8beb350a493389430fec2f0300f00454

SHA1
872de524fec15ad338ba75e344ab6ba5ef2925fc

SHA256
c2a2414d724f8c09fc8bc4ec3f5c04b4a71b78ac014d552c781269d6d8da153f

SHA512
9d2483ea6234217050ca55749c65ff64576546860572186568fbe45186015f72b65a3d374c610afbeeed9708f9c35df0556b32b85c82074f25299257f3c62082

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{F008B6B1-D7A4-11EF-9917-D686196AC2C0}.dat

Filesize
3KB

MD5
d1b9eaf9a8bcf5d91a8ed7c5da6253d5

SHA1
1426ebed7901055fb44079cf8650ca6a20499cd2

SHA256
632052818b9daa85e6b84023f966052db4adaa0780dfd33db454976548958184

SHA512
bd31a97962bf475c367988d09448ee56b5d9974e0341e005af6186b8b5e805182c9383adab954e5c7cc22a20a6cd7b43fc9773476f4d349893397568d822942f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{F008DDC1-D7A4-11EF-9917-D686196AC2C0}.dat

Filesize
4KB

MD5
c98a1041201121c6c7507be6e898b060

SHA1
ab3163b60d1076dc2118b2c581bbe54590b4e7a2

SHA256
90bc43f882c24a59aaea0071a53a8510aaeba789d4db97247146e9b3a2240d63

SHA512
2a27656087f31f69c550c8a31139d61cc689bc697a8414bc0cf056d4eb591630af2aa61c8f42688bbfbf33635aca288d6d506c38436a6c1f5b9bb60959e099f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{F008DDC1-D7A4-11EF-9917-D686196AC2C0}.dat

Filesize
3KB

MD5
89617aa29016501c6f1cfe37a5a67da9

SHA1
f093723e69d3b2886eb40ef2c8b8ae9ef06ef3a7

SHA256
186727f46ad499ede18739809dae7fa60cfa57eb17c799889c45a6dadc69b028

SHA512
240db203d7b0f9817db9a1460d38fe3db4384e4e7e1cded15a43298c877fd654ab0b4c1721b7af6abcff578c8fc03684ebf15cdb9f5871fa34df2808ca47c73e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\gsz3hkd\imagestore.dat

Filesize
1KB

MD5
2f00dcebd6b18bf83e5de1c381b44d69

SHA1
0a762e957e1bdd4921fc1ed8ae088dbf87d8bb50

SHA256
158c00836264099e7352403e05affdaae72711250c7574e2b12f43804f3cc183

SHA512
ce225cab9a2a0e271528fc53197f5e2324b493f39a71f60768a2847a265fd0465940d990f0ca53ae14fa81a2da84e60117ef04ff98ca65bbb7f01c8e6f1b5851

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1LNUKNV0\favicon[1].ico

Filesize
1KB

MD5
f2a495d85735b9a0ac65deb19c129985

SHA1
f2e22853e5da3e1017d5e1e319eeefe4f622e8c8

SHA256
8bb1d0fa43a17436d59dd546f6f74c76dc44735def7522c22d8031166db8911d

SHA512
6ca6a89de3fa98ca1efcf0b19b8a80420e023f38ed00f4496dc0f821cea23d24fb0992cee58c6d089f093fdefca42b60bb3a0a0b16c97b9862d75b269ae8463b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1LNUKNV0\firefox[1].png

Filesize
9KB

MD5
7f980569ce347d0d4b8c669944946846

SHA1
80a8187549645547b407f81e468d4db0b6635266

SHA256
39f9942adc112194b8ae13ba1088794b6cb6e83bd05a4ed8ce87b53155d0e2f7

SHA512
17993496f11678c9680978c969accfa33b6ae650ba2b2c3327c45435d187b74e736e1489f625adf7255441baa61b65af2b5640417b38eefd541abff598b793c9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1LNUKNV0\opera[1].png

Filesize
2KB

MD5
5cb98952519cb0dd822d622dbecaef70

SHA1
2849670ba8c4e2130d906a94875b3f99c57d78e1

SHA256
02f95fbdb68f232bffd4f2c0fdd033d6c83b829c610cddccc0b1d43e2274e6a7

SHA512
5f29b7459fbd01e16dbd196e4bcddf109af017cccf31337abe1cec6cc5a84711fc2cd34ad7a35d9432a9d7e42ca23d7f6c9d4315396429d7b8e48b9491696afc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8452S9S3\edgium[1].png

Filesize
6KB

MD5
01010c21bdf1fc1d7f859071c4227529

SHA1
cd297bf459f24e417a7bf07800d6cf0e41dd36bc

SHA256
6fb31acdaf443a97183562571d52ce47dd44c1a8dcb4087338d77ea2617b286e

SHA512
8418d5ac3987ee8b6a7491167b0f90d0742e09f12fceb1e305923e60c78628d494fcd0fee64f8a6b5f6884796360e1e3ec1459dc754bbfb874504f9db5b56135

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\IAE3FJ0M\chrome[1].png

Filesize
6KB

MD5
ac10b50494982bc75d03bd2d94e382f6

SHA1
6c10df97f511816243ba82265c1e345fe40b95e6

SHA256
846a9b551e74f824fd7ace3439a319b0c0803449e8caec9f16e2666e38a80efd

SHA512
b6666b540aef6c9c221fe6da29f3e0d897929f7b6612c27630be4a33ae2f5d593bc7c1ee44166ce9f08c72e8608f57d66dd5763b17fec7c1fb92fc4d5c6dd278

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\IAE3FJ0M\dinosaur[1].png

Filesize
57KB

MD5
bdda3ffd41c3527ad053e4afb8cd9e1e

SHA1
0ad1bb7ce8d8a4dc8ac2a28e1c5155980edfab9b

SHA256
1a9251dc3b3c064cfc5e2b90b6c7dc3c225f7017066db2b77e49dae90a94a399

SHA512
4dc21ef447b54d0e17ccd88db5597171047112ce1f3f228527e6df079ce2a43a463a3a1e4255828b12f802d70a68dbe40b791852134be71c74de97718b2f1d5f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\IAE3FJ0M\vcd15cbe7772f49c399c6a5babf22c1241717689176015[1].js

Filesize
19KB

MD5
ec18af6d41f6f278b6aed3bdabffa7bc

SHA1
62c9e2cab76b888829f3c5335e91c320b22329ae

SHA256
8a18d13015336bc184819a5a768447462202ef3105ec511bf42ed8304a7ed94f

SHA512
669b0e9a545057acbdd3b4c8d1d2811eaf4c776f679da1083e591ff38ae7684467abacef5af3d4aabd9fb7c335692dbca0def63ddac2cd28d8e14e95680c3511

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\K3VL8XEP\yt_logo_rgb_light[1].png

Filesize
8KB

MD5
d654f892f287a28026cd4d4df56c29c8

SHA1
98779a55fe32a66ebec8338c838395d265e45013

SHA256
fc6f5d8f32f13d5855840234dc1bff5c91c35318ee2192d99b13eb3572f0bca8

SHA512
3668902aeaf792ad73ba51e0a4caaa520ebc38177791dfac9a9b28026c3bde99e721bf54d626f266a19cfd045a6d2dc8c8e70e53a2c5ee524c6f2736bb0ce409

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab8102.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar8105.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_0606279933789b017a32a8b929f24524647249029e68c51b0b05386bb7c86590.exe

Filesize
1.3MB

MD5
b9773451b024cd03b844bc09cd17a3f4

SHA1
c3b11a40d7e141b1712e89ec6f4d0a7a273f7e6f

SHA256
8a1cda86fda420345e59cf46954aa2ac713a4549d2d2a2f36f27c0f5f01a1a82

SHA512
44923981b897fa080684960375eb5dcf562e86b1de012126ccad8bcd147e0b78eded1dec00faacef8a273355d553829f6e7c1ac101c6ccde8d976426b952312b

Download Submit
memory/1012-1099-0x0000000000400000-0x000000000060A000-memory.dmp

Filesize
2.0MB

Download
memory/1012-629-0x0000000000400000-0x000000000060A000-memory.dmp

Filesize
2.0MB

Download
memory/1012-624-0x0000000000400000-0x000000000060A000-memory.dmp

Filesize
2.0MB

Download
memory/1012-523-0x0000000000400000-0x000000000060A000-memory.dmp

Filesize
2.0MB

Download
memory/2684-0-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2684-28-0x0000000000400000-0x000000000060A000-memory.dmp

Filesize
2.0MB

Download
memory/2728-31-0x0000000005050000-0x0000000005264000-memory.dmp

Filesize
2.1MB

Download
memory/2728-19-0x0000000000DB0000-0x0000000000EFE000-memory.dmp

Filesize
1.3MB

Download
memory/2728-18-0x000000007370E000-0x000000007370F000-memory.dmp

Filesize
4KB

Download
memory/2728-524-0x000000007370E000-0x000000007370F000-memory.dmp

Filesize
4KB

Download
memory/3012-40-0x00000000012A0000-0x00000000013EE000-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads