xred | bc24fa45f522637e923c1e64346be2a9b0d02f64a1beeed3a0e70170ddea0206

Analysis

max time kernel
143s
max time network
146s
platform
windows7_x64
resource
win7-20250207-en
resource tags

arch:x64arch:x86image:win7-20250207-enlocale:en-usos:windows7-x64system
submitted
21-02-2025 06:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bc24fa45f522637e923c1e64346be2a9b0d02f64a1beeed3a0e70170ddea0206.exe
Size

1.1MB
MD5

2168efe511da4705864cc5ddef26edd1
SHA1

d934033eb8f74c47e69063d13574bf571a19ee2e
SHA256

bc24fa45f522637e923c1e64346be2a9b0d02f64a1beeed3a0e70170ddea0206
SHA512

a3d23b94a8f0620c1ed0d1ed3529794ad2ae6909de5f0b9c79eb33af47a47d3f562d107e7e70dc7cef7ba4a8b27b76669e1679fefec3d12f1cc4db4cfa66ac2d
SSDEEP

24576:iap2f3ptaCOa6hw+6GD9kuu1OUjezCk4o5BSj17Qd:ufaC76hw5GDauukUjez+PpQd

Score

10^/10

xred backdoor discovery persistence

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Executes dropped EXE 6 IoCs

pid	Process
2756	svchost.exe
2896	bc24fa45f522637e923c1e64346be2a9b0d02f64a1beeed3a0e70170ddea0206.exe
2448	svchost.exe
2504	._cache_bc24fa45f522637e923c1e64346be2a9b0d02f64a1beeed3a0e70170ddea0206.exe
2808	Synaptics.exe
1620	._cache_Synaptics.exe

Loads dropped DLL 23 IoCs

pid	Process
2756	svchost.exe
2756	svchost.exe
2896	bc24fa45f522637e923c1e64346be2a9b0d02f64a1beeed3a0e70170ddea0206.exe
2896	bc24fa45f522637e923c1e64346be2a9b0d02f64a1beeed3a0e70170ddea0206.exe
2504	._cache_bc24fa45f522637e923c1e64346be2a9b0d02f64a1beeed3a0e70170ddea0206.exe
2896	bc24fa45f522637e923c1e64346be2a9b0d02f64a1beeed3a0e70170ddea0206.exe
2896	bc24fa45f522637e923c1e64346be2a9b0d02f64a1beeed3a0e70170ddea0206.exe
2504	._cache_bc24fa45f522637e923c1e64346be2a9b0d02f64a1beeed3a0e70170ddea0206.exe
2808	Synaptics.exe
2808	Synaptics.exe
1620	._cache_Synaptics.exe
1620	._cache_Synaptics.exe
1620	._cache_Synaptics.exe
1620	._cache_Synaptics.exe
1620	._cache_Synaptics.exe
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
2504	._cache_bc24fa45f522637e923c1e64346be2a9b0d02f64a1beeed3a0e70170ddea0206.exe
2504	._cache_bc24fa45f522637e923c1e64346be2a9b0d02f64a1beeed3a0e70170ddea0206.exe
2504	._cache_bc24fa45f522637e923c1e64346be2a9b0d02f64a1beeed3a0e70170ddea0206.exe
1244	Process not Found

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	bc24fa45f522637e923c1e64346be2a9b0d02f64a1beeed3a0e70170ddea0206.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 19 IoCs

description	ioc	Process
File created	C:\Program Files\Mem Reduct\Readme.txt	._cache_Synaptics.exe
File opened for modification	C:\Program Files\Mem Reduct\memreduct.sig	._cache_bc24fa45f522637e923c1e64346be2a9b0d02f64a1beeed3a0e70170ddea0206.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	svchost.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE	svchost.exe
File created	C:\Program Files\Mem Reduct\memreduct.lng	._cache_Synaptics.exe
File opened for modification	C:\Program Files\Mem Reduct\History.txt	._cache_bc24fa45f522637e923c1e64346be2a9b0d02f64a1beeed3a0e70170ddea0206.exe
File opened for modification	C:\Program Files\Mem Reduct\uninstall.exe	._cache_bc24fa45f522637e923c1e64346be2a9b0d02f64a1beeed3a0e70170ddea0206.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	svchost.exe
File created	C:\Program Files\Mem Reduct\memreduct.exe	._cache_Synaptics.exe
File opened for modification	C:\Program Files\Mem Reduct\memreduct.exe	._cache_bc24fa45f522637e923c1e64346be2a9b0d02f64a1beeed3a0e70170ddea0206.exe
File opened for modification	C:\Program Files\Mem Reduct\License.txt	._cache_bc24fa45f522637e923c1e64346be2a9b0d02f64a1beeed3a0e70170ddea0206.exe
File opened for modification	C:\Program Files\Mem Reduct\Readme.txt	._cache_bc24fa45f522637e923c1e64346be2a9b0d02f64a1beeed3a0e70170ddea0206.exe
File created	C:\Program Files\Mem Reduct\memreduct.sig	._cache_Synaptics.exe
File created	C:\Program Files\Mem Reduct\uninstall.exe	._cache_Synaptics.exe
File opened for modification	C:\Program Files\Mem Reduct\memreduct.lng	._cache_bc24fa45f522637e923c1e64346be2a9b0d02f64a1beeed3a0e70170ddea0206.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	svchost.exe
File created	C:\Program Files\Mem Reduct\History.txt	._cache_Synaptics.exe
File created	C:\Program Files\Mem Reduct\License.txt	._cache_Synaptics.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\svchost.exe	bc24fa45f522637e923c1e64346be2a9b0d02f64a1beeed3a0e70170ddea0206.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bc24fa45f522637e923c1e64346be2a9b0d02f64a1beeed3a0e70170ddea0206.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bc24fa45f522637e923c1e64346be2a9b0d02f64a1beeed3a0e70170ddea0206.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_bc24fa45f522637e923c1e64346be2a9b0d02f64a1beeed3a0e70170ddea0206.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1656	EXCEL.EXE

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
1620	._cache_Synaptics.exe
2504	._cache_bc24fa45f522637e923c1e64346be2a9b0d02f64a1beeed3a0e70170ddea0206.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1656	EXCEL.EXE

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2872 wrote to memory of 2756	2872	bc24fa45f522637e923c1e64346be2a9b0d02f64a1beeed3a0e70170ddea0206.exe	31
PID 2872 wrote to memory of 2756	2872	bc24fa45f522637e923c1e64346be2a9b0d02f64a1beeed3a0e70170ddea0206.exe	31
PID 2872 wrote to memory of 2756	2872	bc24fa45f522637e923c1e64346be2a9b0d02f64a1beeed3a0e70170ddea0206.exe	31
PID 2872 wrote to memory of 2756	2872	bc24fa45f522637e923c1e64346be2a9b0d02f64a1beeed3a0e70170ddea0206.exe	31
PID 2756 wrote to memory of 2896	2756	svchost.exe	32
PID 2756 wrote to memory of 2896	2756	svchost.exe	32
PID 2756 wrote to memory of 2896	2756	svchost.exe	32
PID 2756 wrote to memory of 2896	2756	svchost.exe	32
PID 2896 wrote to memory of 2504	2896	bc24fa45f522637e923c1e64346be2a9b0d02f64a1beeed3a0e70170ddea0206.exe	34
PID 2896 wrote to memory of 2504	2896	bc24fa45f522637e923c1e64346be2a9b0d02f64a1beeed3a0e70170ddea0206.exe	34
PID 2896 wrote to memory of 2504	2896	bc24fa45f522637e923c1e64346be2a9b0d02f64a1beeed3a0e70170ddea0206.exe	34
PID 2896 wrote to memory of 2504	2896	bc24fa45f522637e923c1e64346be2a9b0d02f64a1beeed3a0e70170ddea0206.exe	34
PID 2896 wrote to memory of 2808	2896	bc24fa45f522637e923c1e64346be2a9b0d02f64a1beeed3a0e70170ddea0206.exe	35
PID 2896 wrote to memory of 2808	2896	bc24fa45f522637e923c1e64346be2a9b0d02f64a1beeed3a0e70170ddea0206.exe	35
PID 2896 wrote to memory of 2808	2896	bc24fa45f522637e923c1e64346be2a9b0d02f64a1beeed3a0e70170ddea0206.exe	35
PID 2896 wrote to memory of 2808	2896	bc24fa45f522637e923c1e64346be2a9b0d02f64a1beeed3a0e70170ddea0206.exe	35
PID 2808 wrote to memory of 1620	2808	Synaptics.exe	36
PID 2808 wrote to memory of 1620	2808	Synaptics.exe	36
PID 2808 wrote to memory of 1620	2808	Synaptics.exe	36
PID 2808 wrote to memory of 1620	2808	Synaptics.exe	36

C:\Users\Admin\AppData\Local\Temp\bc24fa45f522637e923c1e64346be2a9b0d02f64a1beeed3a0e70170ddea0206.exe
"C:\Users\Admin\AppData\Local\Temp\bc24fa45f522637e923c1e64346be2a9b0d02f64a1beeed3a0e70170ddea0206.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2872
- C:\Windows\svchost.exe
  "C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\bc24fa45f522637e923c1e64346be2a9b0d02f64a1beeed3a0e70170ddea0206.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2756
- - C:\Users\Admin\AppData\Local\Temp\bc24fa45f522637e923c1e64346be2a9b0d02f64a1beeed3a0e70170ddea0206.exe
    "C:\Users\Admin\AppData\Local\Temp\bc24fa45f522637e923c1e64346be2a9b0d02f64a1beeed3a0e70170ddea0206.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2896
  - - C:\Users\Admin\AppData\Local\Temp\._cache_bc24fa45f522637e923c1e64346be2a9b0d02f64a1beeed3a0e70170ddea0206.exe
      "C:\Users\Admin\AppData\Local\Temp\._cache_bc24fa45f522637e923c1e64346be2a9b0d02f64a1beeed3a0e70170ddea0206.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: GetForegroundWindowSpam
      PID:2504
  - - C:\ProgramData\Synaptics\Synaptics.exe
      "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2808
    - - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: GetForegroundWindowSpam
        
        PID:1620

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2448

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bc24fa45f522637e923c1e64346be2a9b0d02f64a1beeed3a0e70170ddea0206.exe

Filesize
1.1MB

MD5
46fe00b3d1eadceba58ded687916b27f

SHA1
f08fb994e842a4cfc62e7bd942a0879b27a94774

SHA256
d3bf3fae35f44dcd791049693ebb9985dc97400cd882a12ec06cfbbe50b88ee3

SHA512
a12458c6ab2a9a45d21133491574a9c027bb7745261c1ea670ff07736ded618c9ee9f68da066cedfd104cbb108301b43fe24848de17c37e62d268006b8ea8b8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstDE21.tmp\modern-wizard.bmp

Filesize
150KB

MD5
52ff52eee3b944b862c11c268a02c196

SHA1
8d041966e6fba10aa5e10ce5dc1dc5175f11b2fe

SHA256
2079f7a3eba60e0d9ee827a7208aa052a71b384873b641de5e299aeb8e733109

SHA512
2861ae5a06f8413810947c08994f4c0da54a1acee8c4df72cd8b03a9503b26e5512809f8d70fd584239b04a651e7329a701bf7ddcee2dec2c2e14d05ae74f220

Download Submit
C:\Users\Admin\AppData\Local\Temp\vUaYhogt.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\vUaYhogt.xlsm

Filesize
20KB

MD5
674fcffa53745c95a4e2f3df570c916b

SHA1
7d2331cbad5e081346e57fdf0a8d7c5903a5ae64

SHA256
62fe7ac2a5fd4a8c629707682ed2c1e40e453580e99ffe91990e21a079d61d6f

SHA512
6959890a2657dccfae409c3831865fb6dd8fc54b1d924d9edb9d9b964a98fe25878660d211b2e20f1a93772ab488cf27fb706dbef65034f5ad3346d95157bb04

Download Submit
C:\Users\Admin\AppData\Local\Temp\vUaYhogt.xlsm

Filesize
24KB

MD5
27567b135557252de91fef59f3382f8f

SHA1
b9324a2caeaed776d00e0ba201fdc1a3a4740c50

SHA256
2174cc3ef2be143f80737f72744649c4ed87e26a4e58c6c9088f3d7990a17e5a

SHA512
52de2a38314a240280bee4a349c5cfd1f70cd15966c83c56d9d45019d40f0662854b754b2025c28da211c5721067b47646eb7260e5b0af3d4ea05304b48e8be9

Download Submit
C:\Users\Admin\AppData\Local\Temp\vUaYhogt.xlsm

Filesize
23KB

MD5
e431cea92900359f8566c4ab1130dc58

SHA1
7408f5842b4d48af7d62f22c803bf6e1d0fc500b

SHA256
564c713c6b652c240b6e49e26a2ccb001171ef37c64b0a6b144877ddf577fcf0

SHA512
a7662eed60620e92b1a9708173f82d8be1b0d977ff8d64a9a6988cfe4c57fc451c738e1e8df81761dc0108ced1b03a94699b093ee32b0de3787c3e769ef69c16

Download Submit
C:\Users\Admin\AppData\Local\Temp\vUaYhogt.xlsm

Filesize
28KB

MD5
808052c10cc66bad6f8633e289fc8ccc

SHA1
b0d74a1a5764b50288b0252e2f919a454a7116bb

SHA256
39a64172287bb9969d7acd94bcacc066ca5ce7f0f638196050cac02010907687

SHA512
5448566fdb39b027c6e8b418b39ab3629106cb613d0d019c650a96af8801597341bd34d7bc1ed58641eb51e97a8946af7a986b74e16fe81cef2d920390bbc6c7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Mem Reduct\History.lnk

Filesize
862B

MD5
b8ca769f7f11aa31bf349032976e0197

SHA1
a6607e4fe7f678f57dcfd9d5bb5c8f4fee0730ba

SHA256
94281226e894d69ee864ff25e87e589cf533e0f25a4d5af5b4e28a2ea6b4a0c9

SHA512
1321c2e060cee20bd454d80e0c4c1fc033a8258ffce10160359ada457160e3b11addad7e4da5481aa8bed8bdd08b31d383c7f9f19323ba64fe95e3280bee68c8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Mem Reduct\License.lnk

Filesize
862B

MD5
2038f3204d5e99077b74d905701f65db

SHA1
da5a7c25f3ba729b2c48b12ccb660d029e35cb89

SHA256
eb451fcf3b1b99eccb0cc15f2430b3b3c2714a5e100fe2e1adb7c336155470bb

SHA512
df50a00f5f54127812d6e99830aeaa8c0b407349c6540ce4588990f80cc3850a95283c08dc7cf664030a6fada0e9c596eb46bf6a7f0c315aee5e1b4baf3f5b57

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Mem Reduct\Mem Reduct.lnk

Filesize
874B

MD5
0783c3f87bfe80962ecb08667dd505e1

SHA1
fb85f46df5cf7066c089702d89afaef89de23a51

SHA256
a9e0c9193c8279d6c28f96143ed3d80788f0f893703ad32b4a3a364ce9d2a5b7

SHA512
4453858e60695efbc5e9362a731ddbead0f19dd3120726a75f828c11439b6b3881fb385af6ef87c402f7aa79f3c2db5c5ac68946b7493948dd52422e1e042038

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Mem Reduct\Readme.lnk

Filesize
857B

MD5
8f5925f4a5fbf15f8b1d8a4f48b10250

SHA1
100ea6af217ad90bfd7fddf078e535d472eccb8f

SHA256
fbd4948c20a4a3738cc3a52ddd566babb9031f861cbab2f3d4abd3e79526f396

SHA512
cf2a71682806aa0c26e2c7a19666f3ef30007ea5c181f25d2bed8e8ea43bad309fdfd7d327c535c0780dbec04bf93db30eb8d42a9726e69e39ccc1887a0df08d

Download Submit
C:\Users\Admin\Desktop\Mem Reduct.lnk

Filesize
838B

MD5
e4ee8e123b01af845dd1616d94c4cc0e

SHA1
19998eaef5d47f54999f07b353a8c7680f093ba1

SHA256
6141dfcd752a07fae3cdcd752584263c737f3cb726957b775bd6baf384cd8b7e

SHA512
a3d9863b332e92cc2e71c3ec32bbf1bb61c4a5248fbb716f9514029ee3137ef2858d7170ef40ba5015191f526cd8c04ba474b9cebe9036b945a90e27f299602f

Download Submit
C:\Users\Admin\Documents\~$UsePush.xlsx

Filesize
165B

MD5
ff09371174f7c701e75f357a187c06e8

SHA1
57f9a638fd652922d7eb23236c80055a91724503

SHA256
e4ba04959837c27019a2349015543802439e152ddc4baf4e8c7b9d2b483362a8

SHA512
e4d01e5908e9f80b7732473ec6807bb7faa5425e3154d5642350f44d7220af3cffd277e0b67bcf03f1433ac26a26edb3ddd3707715b61d054b979fbb4b453882

Download Submit
C:\Windows\svchost.exe

Filesize
35KB

MD5
9e3c13b6556d5636b745d3e466d47467

SHA1
2ac1c19e268c49bc508f83fe3d20f495deb3e538

SHA256
20af03add533a6870d524a7c4753b42bfceb56cddd46016c051e23581ba743f8

SHA512
5a07ba8a7fcb15f64b129fada2621252b8bc37eb34d4f614c075c064f8ac0d367301eba0c32c5e28b8aa633f6ab604f0dfcc363b34734ce0207ef0d4e8817c4b

Download Submit
\Program Files\Mem Reduct\memreduct.exe

Filesize
302KB

MD5
fe8eb129610e454ad17b9d6ccbf1df8b

SHA1
28cfddbc7faf2e66aee0eec673c7eb7beab25510

SHA256
8cea4adf5febfa9528d01259bf9b70afdb814ce8b41605b8c619a9738a9c9414

SHA512
4aa488a5844eb65fe0f72d1ab325ba07a40fa0cae658bba38f59260c1467d5c902ae8bcd6d8e2f15a5c81139147155948f99a0e303ecca001f24a58d5c5de399

Download Submit
\Program Files\Mem Reduct\uninstall.exe

Filesize
86KB

MD5
6d97f86c3bfdd7932c664992c719b7ac

SHA1
0ebe79050d7d22ad7031d1a6b68907f7452e00ea

SHA256
b6fd255bf6f0bd9ac665c7f2e930e5779f98059dbdbfa9656466b9bd484faacd

SHA512
64fcf3dc8f8b08472b7b334872ada5269b993ed62829356b11912d81a7d655ca3fc56879a5915923d8552b4b96a9322e36ffedb254ddeccb015fb381fbbdf744

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_bc24fa45f522637e923c1e64346be2a9b0d02f64a1beeed3a0e70170ddea0206.exe

Filesize
357KB

MD5
25db35058f16b6fe4b1425b0986ba716

SHA1
17b4f5bca2480079e68ea41a52651f34c3cd6a37

SHA256
3555b6148f8bf9415c1b0db8b03c649b530670c7775631d6f26fda5eee547f24

SHA512
735b58bcafb9382c5d9846756ffa079bc4aac0fd4ff039883382cc0251fdf77bb660e51b9b133dc2fcdc2bfa93c75b6148e0c2cc71ea949c8694407a29fac679

Download Submit
\Users\Admin\AppData\Local\Temp\nstDBFF.tmp\System.dll

Filesize
11KB

MD5
75ed96254fbf894e42058062b4b4f0d1

SHA1
996503f1383b49021eb3427bc28d13b5bbd11977

SHA256
a632d74332b3f08f834c732a103dafeb09a540823a2217ca7f49159755e8f1d7

SHA512
58174896db81d481947b8745dafe3a02c150f3938bb4543256e8cce1145154e016d481df9fe68dac6d48407c62cbe20753320ebd5fe5e84806d07ce78e0eb0c4

Download Submit
\Users\Admin\AppData\Local\Temp\nstDBFF.tmp\nsDialogs.dll

Filesize
9KB

MD5
ca95c9da8cef7062813b989ab9486201

SHA1
c555af25df3de51aa18d487d47408d5245dba2d1

SHA256
feb6364375d0ab081e9cdf11271c40cb966af295c600903383b0730f0821c0be

SHA512
a30d94910204d1419c803dc12d90a9d22f63117e4709b1a131d8c4d5ead7e4121150e2c8b004a546b33c40c294df0a74567013001f55f37147d86bb847d7bbc9

Download Submit
memory/1656-79-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2448-168-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2448-293-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2756-19-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2808-171-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/2808-169-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/2808-241-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/2808-284-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/2872-6-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2896-65-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/2896-18-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads