xred | ce63ae9069832ff3b0f2eb76b384c40cd8b70987280d4cc07559493a2b5c04ff

Analysis

max time kernel
124s
max time network
151s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 06:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4d8cd82fa6662df02eb5af2abbf815d5.exe
Size

14.3MB
MD5

4d8cd82fa6662df02eb5af2abbf815d5
SHA1

9a204dbafb47d5b1e40908011bac6201c4699abc
SHA256

1c96153b02b612f06efaea43f046bc0e3e8d9f2248faf8e4d19026d87a0ce8ba
SHA512

dbd290b3e39f1ab3f8d99241e4d0cdb9645762ca7ca6436f5fc2ebea6db9caff1de5a6788ec0f83ad75e2b4d9af25f72048550b2e1da9b24ea21c7c90aa19fb5
SSDEEP

393216:SGg4a7Gg4anGg4aDGg4aDGg4anGg4aOGg4aS:AbXzzXMS

Score

10^/10

xred backdoor collection discovery execution macro persistence spyware stealer

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2984	powershell.exe
2940	powershell.exe
1640	powershell.exe
2260	powershell.exe

Suspicious Office macro 5 IoCs

Office document equipped with macros.

macro

resource
behavioral21/files/0x0005000000019627-139.dat
behavioral21/files/0x0007000000019627-163.dat
behavioral21/files/0x0008000000019629-174.dat
behavioral21/files/0x000600000001962b-187.dat
behavioral21/files/0x000a000000019629-198.dat

Executes dropped EXE 4 IoCs

pid	Process
2364	._cache_4d8cd82fa6662df02eb5af2abbf815d5.exe
1704	Synaptics.exe
984	Synaptics.exe
1556	._cache_Synaptics.exe

Loads dropped DLL 4 IoCs

pid	Process
2696	4d8cd82fa6662df02eb5af2abbf815d5.exe
2696	4d8cd82fa6662df02eb5af2abbf815d5.exe
984	Synaptics.exe
984	Synaptics.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook profiles 1 TTPs 6 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	._cache_4d8cd82fa6662df02eb5af2abbf815d5.exe
Key opened	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	._cache_4d8cd82fa6662df02eb5af2abbf815d5.exe
Key opened	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	._cache_4d8cd82fa6662df02eb5af2abbf815d5.exe
Key opened	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	._cache_Synaptics.exe
Key opened	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	._cache_Synaptics.exe
Key opened	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	._cache_Synaptics.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	4d8cd82fa6662df02eb5af2abbf815d5.exe

Looks up external IP address via web service 4 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
9	reallyfreegeoip.org
18	reallyfreegeoip.org
4	checkip.dyndns.org
8	reallyfreegeoip.org

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2604 set thread context of 2696	2604	4d8cd82fa6662df02eb5af2abbf815d5.exe	37
PID 1704 set thread context of 984	1704	Synaptics.exe	46

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4d8cd82fa6662df02eb5af2abbf815d5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4d8cd82fa6662df02eb5af2abbf815d5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_4d8cd82fa6662df02eb5af2abbf815d5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2252	schtasks.exe
1448	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
848	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
2604	4d8cd82fa6662df02eb5af2abbf815d5.exe
2604	4d8cd82fa6662df02eb5af2abbf815d5.exe
2604	4d8cd82fa6662df02eb5af2abbf815d5.exe
2604	4d8cd82fa6662df02eb5af2abbf815d5.exe
2604	4d8cd82fa6662df02eb5af2abbf815d5.exe
2604	4d8cd82fa6662df02eb5af2abbf815d5.exe
2604	4d8cd82fa6662df02eb5af2abbf815d5.exe
2604	4d8cd82fa6662df02eb5af2abbf815d5.exe
2604	4d8cd82fa6662df02eb5af2abbf815d5.exe
2940	powershell.exe
2984	powershell.exe
2364	._cache_4d8cd82fa6662df02eb5af2abbf815d5.exe
1704	Synaptics.exe
1704	Synaptics.exe
1704	Synaptics.exe
1704	Synaptics.exe
1704	Synaptics.exe
1704	Synaptics.exe
1704	Synaptics.exe
1704	Synaptics.exe
2260	powershell.exe
1640	powershell.exe
1704	Synaptics.exe
1556	._cache_Synaptics.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	2604	4d8cd82fa6662df02eb5af2abbf815d5.exe
Token: SeDebugPrivilege	2940	powershell.exe
Token: SeDebugPrivilege	2984	powershell.exe
Token: SeDebugPrivilege	2364	._cache_4d8cd82fa6662df02eb5af2abbf815d5.exe
Token: SeDebugPrivilege	1704	Synaptics.exe
Token: SeDebugPrivilege	2260	powershell.exe
Token: SeDebugPrivilege	1640	powershell.exe
Token: SeDebugPrivilege	1556	._cache_Synaptics.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
848	EXCEL.EXE

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 2604 wrote to memory of 2940	2604	4d8cd82fa6662df02eb5af2abbf815d5.exe	31
PID 2604 wrote to memory of 2940	2604	4d8cd82fa6662df02eb5af2abbf815d5.exe	31
PID 2604 wrote to memory of 2940	2604	4d8cd82fa6662df02eb5af2abbf815d5.exe	31
PID 2604 wrote to memory of 2940	2604	4d8cd82fa6662df02eb5af2abbf815d5.exe	31
PID 2604 wrote to memory of 2984	2604	4d8cd82fa6662df02eb5af2abbf815d5.exe	33
PID 2604 wrote to memory of 2984	2604	4d8cd82fa6662df02eb5af2abbf815d5.exe	33
PID 2604 wrote to memory of 2984	2604	4d8cd82fa6662df02eb5af2abbf815d5.exe	33
PID 2604 wrote to memory of 2984	2604	4d8cd82fa6662df02eb5af2abbf815d5.exe	33
PID 2604 wrote to memory of 2252	2604	4d8cd82fa6662df02eb5af2abbf815d5.exe	35
PID 2604 wrote to memory of 2252	2604	4d8cd82fa6662df02eb5af2abbf815d5.exe	35
PID 2604 wrote to memory of 2252	2604	4d8cd82fa6662df02eb5af2abbf815d5.exe	35
PID 2604 wrote to memory of 2252	2604	4d8cd82fa6662df02eb5af2abbf815d5.exe	35
PID 2604 wrote to memory of 2696	2604	4d8cd82fa6662df02eb5af2abbf815d5.exe	37
PID 2604 wrote to memory of 2696	2604	4d8cd82fa6662df02eb5af2abbf815d5.exe	37
PID 2604 wrote to memory of 2696	2604	4d8cd82fa6662df02eb5af2abbf815d5.exe	37
PID 2604 wrote to memory of 2696	2604	4d8cd82fa6662df02eb5af2abbf815d5.exe	37
PID 2604 wrote to memory of 2696	2604	4d8cd82fa6662df02eb5af2abbf815d5.exe	37
PID 2604 wrote to memory of 2696	2604	4d8cd82fa6662df02eb5af2abbf815d5.exe	37
PID 2604 wrote to memory of 2696	2604	4d8cd82fa6662df02eb5af2abbf815d5.exe	37
PID 2604 wrote to memory of 2696	2604	4d8cd82fa6662df02eb5af2abbf815d5.exe	37
PID 2604 wrote to memory of 2696	2604	4d8cd82fa6662df02eb5af2abbf815d5.exe	37
PID 2604 wrote to memory of 2696	2604	4d8cd82fa6662df02eb5af2abbf815d5.exe	37
PID 2604 wrote to memory of 2696	2604	4d8cd82fa6662df02eb5af2abbf815d5.exe	37
PID 2604 wrote to memory of 2696	2604	4d8cd82fa6662df02eb5af2abbf815d5.exe	37
PID 2696 wrote to memory of 2364	2696	4d8cd82fa6662df02eb5af2abbf815d5.exe	38
PID 2696 wrote to memory of 2364	2696	4d8cd82fa6662df02eb5af2abbf815d5.exe	38
PID 2696 wrote to memory of 2364	2696	4d8cd82fa6662df02eb5af2abbf815d5.exe	38
PID 2696 wrote to memory of 2364	2696	4d8cd82fa6662df02eb5af2abbf815d5.exe	38
PID 2696 wrote to memory of 1704	2696	4d8cd82fa6662df02eb5af2abbf815d5.exe	39
PID 2696 wrote to memory of 1704	2696	4d8cd82fa6662df02eb5af2abbf815d5.exe	39
PID 2696 wrote to memory of 1704	2696	4d8cd82fa6662df02eb5af2abbf815d5.exe	39
PID 2696 wrote to memory of 1704	2696	4d8cd82fa6662df02eb5af2abbf815d5.exe	39
PID 1704 wrote to memory of 2260	1704	Synaptics.exe	40
PID 1704 wrote to memory of 2260	1704	Synaptics.exe	40
PID 1704 wrote to memory of 2260	1704	Synaptics.exe	40
PID 1704 wrote to memory of 2260	1704	Synaptics.exe	40
PID 1704 wrote to memory of 1640	1704	Synaptics.exe	42
PID 1704 wrote to memory of 1640	1704	Synaptics.exe	42
PID 1704 wrote to memory of 1640	1704	Synaptics.exe	42
PID 1704 wrote to memory of 1640	1704	Synaptics.exe	42
PID 1704 wrote to memory of 1448	1704	Synaptics.exe	44
PID 1704 wrote to memory of 1448	1704	Synaptics.exe	44
PID 1704 wrote to memory of 1448	1704	Synaptics.exe	44
PID 1704 wrote to memory of 1448	1704	Synaptics.exe	44
PID 1704 wrote to memory of 984	1704	Synaptics.exe	46
PID 1704 wrote to memory of 984	1704	Synaptics.exe	46
PID 1704 wrote to memory of 984	1704	Synaptics.exe	46
PID 1704 wrote to memory of 984	1704	Synaptics.exe	46
PID 1704 wrote to memory of 984	1704	Synaptics.exe	46
PID 1704 wrote to memory of 984	1704	Synaptics.exe	46
PID 1704 wrote to memory of 984	1704	Synaptics.exe	46
PID 1704 wrote to memory of 984	1704	Synaptics.exe	46
PID 1704 wrote to memory of 984	1704	Synaptics.exe	46
PID 1704 wrote to memory of 984	1704	Synaptics.exe	46
PID 1704 wrote to memory of 984	1704	Synaptics.exe	46
PID 1704 wrote to memory of 984	1704	Synaptics.exe	46
PID 984 wrote to memory of 1556	984	Synaptics.exe	47
PID 984 wrote to memory of 1556	984	Synaptics.exe	47
PID 984 wrote to memory of 1556	984	Synaptics.exe	47
PID 984 wrote to memory of 1556	984	Synaptics.exe	47

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	._cache_Synaptics.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	._cache_Synaptics.exe

C:\Users\Admin\AppData\Local\Temp\4d8cd82fa6662df02eb5af2abbf815d5.exe
"C:\Users\Admin\AppData\Local\Temp\4d8cd82fa6662df02eb5af2abbf815d5.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2604
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\4d8cd82fa6662df02eb5af2abbf815d5.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2940
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\sXLAWJKdeDZVj.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2984
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\sXLAWJKdeDZVj" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1E1B.tmp"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2252
- C:\Users\Admin\AppData\Local\Temp\4d8cd82fa6662df02eb5af2abbf815d5.exe
  "C:\Users\Admin\AppData\Local\Temp\4d8cd82fa6662df02eb5af2abbf815d5.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2696
- - C:\Users\Admin\AppData\Local\Temp\._cache_4d8cd82fa6662df02eb5af2abbf815d5.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_4d8cd82fa6662df02eb5af2abbf815d5.exe"
    3⤵
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2364
- - C:\ProgramData\Synaptics\Synaptics.exe
    "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1704
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\ProgramData\Synaptics\Synaptics.exe"
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2260
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\sXLAWJKdeDZVj.exe"
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1640
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\sXLAWJKdeDZVj" /XML "C:\Users\Admin\AppData\Local\Temp\tmp97BD.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:1448
  - - C:\ProgramData\Synaptics\Synaptics.exe
      "C:\ProgramData\Synaptics\Synaptics.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:984
    - - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe"
        5⤵
        Executes dropped EXE
        Accesses Microsoft Outlook profiles
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        outlook_office_path
        outlook_win_path
        
        PID:1556

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
14.3MB

MD5
4d8cd82fa6662df02eb5af2abbf815d5

SHA1
9a204dbafb47d5b1e40908011bac6201c4699abc

SHA256
1c96153b02b612f06efaea43f046bc0e3e8d9f2248faf8e4d19026d87a0ce8ba

SHA512
dbd290b3e39f1ab3f8d99241e4d0cdb9645762ca7ca6436f5fc2ebea6db9caff1de5a6788ec0f83ad75e2b4d9af25f72048550b2e1da9b24ea21c7c90aa19fb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_4d8cd82fa6662df02eb5af2abbf815d5.exe

Filesize
91KB

MD5
b45e3c4c10da3da0c69e2f90dc3dfb10

SHA1
61a36473ced38978793a9af1aea1fc528eebe457

SHA256
b6fe518ed8ca7ee32f79bb5dd52ab8250cc595d1aa8daec123cef383c6b0bdb6

SHA512
44d0c2e0904702dd22c92004415ef3c821bf63de0fb0cc6d7cca41eab36f32531530dd5fdb48017fc5405c7554ae6387514ef3f4e74eea4b36a14d587742e15b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nbdSjk9d.xlsm

Filesize
21KB

MD5
22f4907b583c2771aeb79ac5dd475dfd

SHA1
ff3858bea918d2c7ae95568a946e35266a7e0247

SHA256
1be6d333f7743909914b8c9ebcf360ae379b2a0fedcb08a332fe00ad3543f9f6

SHA512
c827a4a266fd7cd819bccbaa61f0a12aa0b11313dbf50289f500394227df90ba5a9068c98b0a94ba65d67e45a79036d7bba7a65b2349b73ebc0bd17b419fb9fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\nbdSjk9d.xlsm

Filesize
22KB

MD5
eb3ee18db21f684f0720dbebbf4d3860

SHA1
defce84e2475d16d631fe995254fe4d33b4a1c90

SHA256
74fd6592ee2ddbb1473a9ea0e08e2cdd6a96a8f11275a23b7c76e111cce2ed85

SHA512
b628021ac899cbefcbc2156a544f79733e6017a38320d209cb4b38c37f89afa8abbadefa0c1df23d38ec84de6ea99e987ecc71673ab5277cb928ace11b92b573

Download Submit
C:\Users\Admin\AppData\Local\Temp\nbdSjk9d.xlsm

Filesize
22KB

MD5
2348fc086762d3e930299cc05b225129

SHA1
f86d381b3a8852cf6e15b46f96e2611cab7e4bd5

SHA256
91a6ccc1532ef5451bd40afc972f5ce2adee49ce2dbfba02cc8a2591af409e05

SHA512
b029717885b029c3ab06ff15e996be8bd66343cb16903aeb1cd097b7db152948232d10b82811f07cea7d32e353314d9c8955197af9ba0c6a3752ea2c7b7f4328

Download Submit
C:\Users\Admin\AppData\Local\Temp\nbdSjk9d.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\nbdSjk9d.xlsm

Filesize
23KB

MD5
c2911f0cf087d8d17ff985d8c503a0a2

SHA1
0a97e011901c3f02d9bbb30b43e3552104148f18

SHA256
eb4a9e31394eee37a7c5ba83730ff200b031a0ad81f747bbb17afad9652d8508

SHA512
0712d740b025629640d916964b50de4b4d60505f287c163c126179e22088febcab76c66e32aa3a06d997417a053d71e83527d2b516e11486cc85e12deca9c8e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nbdSjk9d.xlsm

Filesize
24KB

MD5
b465f1d11b2b5ac74cfd0c2ae4342a28

SHA1
aef51047528d093aa1427ec9183160eafdd3ee94

SHA256
3c05dd21bcd379ef18c2414b3ba27dd85af5a9af344ddd18c55f5bf7c9d7697e

SHA512
29eb67c56308bc1ef3378194fc54d070c6b20256b4b38e0a1f47e9e5ad31b8cc08d94b3ad1a9e98bf704ac94e4ade8a1dbd4b0b5f6ede1d988e3580e04112fe5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nbdSjk9d.xlsm

Filesize
25KB

MD5
9a7697effaf89f768f71d5d6f1533649

SHA1
e00630164ef2baa99e30c9ab40cf9ba8b902b52e

SHA256
5ec1be913847017c6ef156fbc189454451fe17851eb08be57c4316d88eb92508

SHA512
0b1ef8174b07b168f8a32722c1bbe5bbdda0da846c6109a4bed15c7ea35bedfd710f8a1603c24eb5d6515255310fbbb234a0f391cf8447149e50a29fd6eaccf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1E1B.tmp

Filesize
1KB

MD5
291fd49b659a743a35a07ecd6cc41339

SHA1
93e38e28ac3a0e7f0ed33ccebeee46c001d58633

SHA256
b7cd96f0e91293f82c301c50f4c2b4178251b9bdd9379eb65619720504924705

SHA512
0a9f8928c9092404cdf639724510183b3023c78b9880832c82dac26a3991e6d613c1f0ca15dc835c2a8d0f81d43446263abf53d6d7a576c6de33841f992f3b9e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\1R4ECGTXBUWLQ5WAT21O.temp

Filesize
7KB

MD5
c8843efa93b59bb18509f0b0707699f3

SHA1
90f2f42a44b70c8d879b0eb6bcf1f1225f0bf93b

SHA256
4ff1af889e636cad74dcd78baa66c7b0cfe5fc8a3b2dd454320fdc222ac0d18c

SHA512
71ad725f16455899831f7684b8328bb4904c82d858fcacd3cfb0559b66e4d0a0c1fb65dda27a02aba6a77b073ed0a27760be849e2542e6567df4b2b676c68f81

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\85C84F6J8G6BX2B35A0C.temp

Filesize
7KB

MD5
fd2551c0f17f0dff4bd51406e3152bde

SHA1
489179d67e2ba8db87f4286a0b51574fe0716da2

SHA256
a1af113c814ae0e69ffd5fa437291317ad887fa6fa96d4abc658b3d0d1a95c45

SHA512
05a6252d26e7f49e868fb6601b406e17e30b4b79f5cf6e10a4f59c1fd17fc8d598391d32e7ad1621ad9eca62e0ce0388c4b388a69db27c61d947664357460fbf

Download Submit
C:\Users\Admin\Desktop\~$LimitTrace.xlsx

Filesize
165B

MD5
ff09371174f7c701e75f357a187c06e8

SHA1
57f9a638fd652922d7eb23236c80055a91724503

SHA256
e4ba04959837c27019a2349015543802439e152ddc4baf4e8c7b9d2b483362a8

SHA512
e4d01e5908e9f80b7732473ec6807bb7faa5425e3154d5642350f44d7220af3cffd277e0b67bcf03f1433ac26a26edb3ddd3707715b61d054b979fbb4b453882

Download Submit
memory/848-104-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/848-204-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/984-93-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/984-205-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/984-202-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/984-203-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/984-233-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/984-90-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1556-103-0x0000000000A00000-0x0000000000A1E000-memory.dmp

Filesize
120KB

Download
memory/1704-62-0x00000000009B0000-0x0000000001802000-memory.dmp

Filesize
14.3MB

Download
memory/2364-50-0x00000000000E0000-0x00000000000FE000-memory.dmp

Filesize
120KB

Download
memory/2604-5-0x00000000741FE000-0x00000000741FF000-memory.dmp

Filesize
4KB

Download
memory/2604-4-0x0000000000A40000-0x0000000000A5E000-memory.dmp

Filesize
120KB

Download
memory/2604-6-0x00000000741F0000-0x00000000748DE000-memory.dmp

Filesize
6.9MB

Download
memory/2604-7-0x0000000006780000-0x000000000689E000-memory.dmp

Filesize
1.1MB

Download
memory/2604-39-0x00000000741F0000-0x00000000748DE000-memory.dmp

Filesize
6.9MB

Download
memory/2604-3-0x0000000005E60000-0x0000000005FBC000-memory.dmp

Filesize
1.4MB

Download
memory/2604-0-0x00000000741FE000-0x00000000741FF000-memory.dmp

Filesize
4KB

Download
memory/2604-2-0x00000000741F0000-0x00000000748DE000-memory.dmp

Filesize
6.9MB

Download
memory/2604-1-0x0000000000BD0000-0x0000000001A22000-memory.dmp

Filesize
14.3MB

Download
memory/2696-35-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/2696-20-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/2696-22-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/2696-26-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/2696-29-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/2696-36-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/2696-30-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/2696-32-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/2696-34-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2696-24-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download