xred | a3ffc389764e9755c427197f1b90872e3763810cdef05c969359d32cba8688dd

Analysis

max time kernel
32s
max time network
41s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
09-11-2024 21:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SECURE BYTE GUI.exe
Size

3.0MB
MD5

dae063c97ed04c76f5829f04923b6ee0
SHA1

8ceeeab03ba48e72ac7c06494b478ab523feb185
SHA256

a3ffc389764e9755c427197f1b90872e3763810cdef05c969359d32cba8688dd
SHA512

52a26e6614eecb0df6ea0ea50d048c6d2521f84f1691deead159c84f5ecbb2d9b4153a53f10127ebd4a66db78f3263ab592569baa4ce0b858afbf96886e339e1
SSDEEP

24576:ansJ39LyjbJkQFMhmC+6GD9cI/mLGoYsYfGK:ansHyjtk2MYC5GD6GovuX

Score

10^/10

xred backdoor discovery persistence

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred
Executes dropped EXE 3 IoCs

Processes:

._cache_SECURE BYTE GUI.exeSynaptics.exe._cache_Synaptics.exe

pid process

2280 ._cache_SECURE BYTE GUI.exe
2836 Synaptics.exe
2568 ._cache_Synaptics.exe

pid	process
2280	._cache_SECURE BYTE GUI.exe
2836	Synaptics.exe
2568	._cache_Synaptics.exe

Loads dropped DLL 15 IoCs

Processes:

SECURE BYTE GUI.exeSynaptics.exeWerFault.exeWerFault.exe

pid	process
1996	SECURE BYTE GUI.exe
1996	SECURE BYTE GUI.exe
1996	SECURE BYTE GUI.exe
2836	Synaptics.exe
2836	Synaptics.exe
2588	WerFault.exe
2588	WerFault.exe
2588	WerFault.exe
2588	WerFault.exe
2696	WerFault.exe
2696	WerFault.exe
2696	WerFault.exe
2696	WerFault.exe
2696	WerFault.exe
2588	WerFault.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

SECURE BYTE GUI.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	SECURE BYTE GUI.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

2696 2568 WerFault.exe ._cache_Synaptics.exe
2588 2280 WerFault.exe ._cache_SECURE BYTE GUI.exe

pid	pid_target	process	target process
2696	2568	WerFault.exe	._cache_Synaptics.exe
2588	2280	WerFault.exe	._cache_SECURE BYTE GUI.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

._cache_Synaptics.exeEXCEL.EXESECURE BYTE GUI.exe._cache_SECURE BYTE GUI.exeSynaptics.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SECURE BYTE GUI.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_SECURE BYTE GUI.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXEchrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

2432 EXCEL.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

chrome.exe

pid process

2224 chrome.exe
2224 chrome.exe

pid	process
2432	EXCEL.EXE

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	2224	chrome.exe
Token: SeShutdownPrivilege	2224	chrome.exe
Token: SeShutdownPrivilege	2224	chrome.exe
Token: SeShutdownPrivilege	2224	chrome.exe

Suspicious use of FindShellTrayWindow 34 IoCs

Processes:

chrome.exe

pid	process
2224	chrome.exe
2224	chrome.exe
2224	chrome.exe
2224	chrome.exe
2224	chrome.exe
2224	chrome.exe
2224	chrome.exe
2224	chrome.exe
2224	chrome.exe
2224	chrome.exe
2224	chrome.exe
2224	chrome.exe
2224	chrome.exe
2224	chrome.exe
2224	chrome.exe
2224	chrome.exe
2224	chrome.exe
2224	chrome.exe
2224	chrome.exe
2224	chrome.exe
2224	chrome.exe
2224	chrome.exe
2224	chrome.exe
2224	chrome.exe
2224	chrome.exe
2224	chrome.exe
2224	chrome.exe
2224	chrome.exe
2224	chrome.exe
2224	chrome.exe
2224	chrome.exe
2224	chrome.exe
2224	chrome.exe
2224	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

Processes:

chrome.exe

pid	process
2224	chrome.exe
2224	chrome.exe
2224	chrome.exe
2224	chrome.exe
2224	chrome.exe
2224	chrome.exe
2224	chrome.exe
2224	chrome.exe
2224	chrome.exe
2224	chrome.exe
2224	chrome.exe
2224	chrome.exe
2224	chrome.exe
2224	chrome.exe
2224	chrome.exe
2224	chrome.exe
2224	chrome.exe
2224	chrome.exe
2224	chrome.exe
2224	chrome.exe
2224	chrome.exe
2224	chrome.exe
2224	chrome.exe
2224	chrome.exe
2224	chrome.exe
2224	chrome.exe
2224	chrome.exe
2224	chrome.exe
2224	chrome.exe
2224	chrome.exe
2224	chrome.exe
2224	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

EXCEL.EXE

pid process

2432 EXCEL.EXE

pid	process
2432	EXCEL.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

SECURE BYTE GUI.exeSynaptics.exe._cache_Synaptics.exe._cache_SECURE BYTE GUI.exechrome.exe

description	pid	process	target process
PID 1996 wrote to memory of 2280	1996	SECURE BYTE GUI.exe	._cache_SECURE BYTE GUI.exe
PID 1996 wrote to memory of 2280	1996	SECURE BYTE GUI.exe	._cache_SECURE BYTE GUI.exe
PID 1996 wrote to memory of 2280	1996	SECURE BYTE GUI.exe	._cache_SECURE BYTE GUI.exe
PID 1996 wrote to memory of 2280	1996	SECURE BYTE GUI.exe	._cache_SECURE BYTE GUI.exe
PID 1996 wrote to memory of 2836	1996	SECURE BYTE GUI.exe	Synaptics.exe
PID 1996 wrote to memory of 2836	1996	SECURE BYTE GUI.exe	Synaptics.exe
PID 1996 wrote to memory of 2836	1996	SECURE BYTE GUI.exe	Synaptics.exe
PID 1996 wrote to memory of 2836	1996	SECURE BYTE GUI.exe	Synaptics.exe
PID 2836 wrote to memory of 2568	2836	Synaptics.exe	._cache_Synaptics.exe
PID 2836 wrote to memory of 2568	2836	Synaptics.exe	._cache_Synaptics.exe
PID 2836 wrote to memory of 2568	2836	Synaptics.exe	._cache_Synaptics.exe
PID 2836 wrote to memory of 2568	2836	Synaptics.exe	._cache_Synaptics.exe
PID 2568 wrote to memory of 2696	2568	._cache_Synaptics.exe	WerFault.exe
PID 2568 wrote to memory of 2696	2568	._cache_Synaptics.exe	WerFault.exe
PID 2568 wrote to memory of 2696	2568	._cache_Synaptics.exe	WerFault.exe
PID 2568 wrote to memory of 2696	2568	._cache_Synaptics.exe	WerFault.exe
PID 2280 wrote to memory of 2588	2280	._cache_SECURE BYTE GUI.exe	WerFault.exe
PID 2280 wrote to memory of 2588	2280	._cache_SECURE BYTE GUI.exe	WerFault.exe
PID 2280 wrote to memory of 2588	2280	._cache_SECURE BYTE GUI.exe	WerFault.exe
PID 2280 wrote to memory of 2588	2280	._cache_SECURE BYTE GUI.exe	WerFault.exe
PID 2224 wrote to memory of 2220	2224	chrome.exe	chrome.exe
PID 2224 wrote to memory of 2220	2224	chrome.exe	chrome.exe
PID 2224 wrote to memory of 2220	2224	chrome.exe	chrome.exe
PID 2224 wrote to memory of 584	2224	chrome.exe	chrome.exe
PID 2224 wrote to memory of 584	2224	chrome.exe	chrome.exe
PID 2224 wrote to memory of 584	2224	chrome.exe	chrome.exe
PID 2224 wrote to memory of 584	2224	chrome.exe	chrome.exe
PID 2224 wrote to memory of 584	2224	chrome.exe	chrome.exe
PID 2224 wrote to memory of 584	2224	chrome.exe	chrome.exe
PID 2224 wrote to memory of 584	2224	chrome.exe	chrome.exe
PID 2224 wrote to memory of 584	2224	chrome.exe	chrome.exe
PID 2224 wrote to memory of 584	2224	chrome.exe	chrome.exe
PID 2224 wrote to memory of 584	2224	chrome.exe	chrome.exe
PID 2224 wrote to memory of 584	2224	chrome.exe	chrome.exe
PID 2224 wrote to memory of 584	2224	chrome.exe	chrome.exe
PID 2224 wrote to memory of 584	2224	chrome.exe	chrome.exe
PID 2224 wrote to memory of 584	2224	chrome.exe	chrome.exe
PID 2224 wrote to memory of 584	2224	chrome.exe	chrome.exe
PID 2224 wrote to memory of 584	2224	chrome.exe	chrome.exe
PID 2224 wrote to memory of 584	2224	chrome.exe	chrome.exe
PID 2224 wrote to memory of 584	2224	chrome.exe	chrome.exe
PID 2224 wrote to memory of 584	2224	chrome.exe	chrome.exe
PID 2224 wrote to memory of 584	2224	chrome.exe	chrome.exe
PID 2224 wrote to memory of 584	2224	chrome.exe	chrome.exe
PID 2224 wrote to memory of 584	2224	chrome.exe	chrome.exe
PID 2224 wrote to memory of 584	2224	chrome.exe	chrome.exe
PID 2224 wrote to memory of 584	2224	chrome.exe	chrome.exe
PID 2224 wrote to memory of 584	2224	chrome.exe	chrome.exe
PID 2224 wrote to memory of 584	2224	chrome.exe	chrome.exe
PID 2224 wrote to memory of 584	2224	chrome.exe	chrome.exe
PID 2224 wrote to memory of 584	2224	chrome.exe	chrome.exe
PID 2224 wrote to memory of 584	2224	chrome.exe	chrome.exe
PID 2224 wrote to memory of 584	2224	chrome.exe	chrome.exe
PID 2224 wrote to memory of 584	2224	chrome.exe	chrome.exe
PID 2224 wrote to memory of 584	2224	chrome.exe	chrome.exe
PID 2224 wrote to memory of 584	2224	chrome.exe	chrome.exe
PID 2224 wrote to memory of 584	2224	chrome.exe	chrome.exe
PID 2224 wrote to memory of 584	2224	chrome.exe	chrome.exe
PID 2224 wrote to memory of 584	2224	chrome.exe	chrome.exe
PID 2224 wrote to memory of 584	2224	chrome.exe	chrome.exe
PID 2224 wrote to memory of 584	2224	chrome.exe	chrome.exe
PID 2224 wrote to memory of 584	2224	chrome.exe	chrome.exe
PID 2224 wrote to memory of 2172	2224	chrome.exe	chrome.exe
PID 2224 wrote to memory of 2172	2224	chrome.exe	chrome.exe

C:\Users\Admin\AppData\Local\Temp\SECURE BYTE GUI.exe
"C:\Users\Admin\AppData\Local\Temp\SECURE BYTE GUI.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1996
- C:\Users\Admin\AppData\Local\Temp\._cache_SECURE BYTE GUI.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_SECURE BYTE GUI.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2280
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2280 -s 624
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2588
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2836
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2568
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2568 -s 624
      4⤵
      Loads dropped DLL
      Program crash
      PID:2696

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2432

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2224
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef7529758,0x7fef7529768,0x7fef7529778
  2⤵
  PID:2220
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1164 --field-trial-handle=1220,i,5678284568260851881,18275038102438416572,131072 /prefetch:2
  2⤵
  PID:584
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1504 --field-trial-handle=1220,i,5678284568260851881,18275038102438416572,131072 /prefetch:8
  2⤵
  PID:2172
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1596 --field-trial-handle=1220,i,5678284568260851881,18275038102438416572,131072 /prefetch:8
  2⤵
  PID:1328
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2276 --field-trial-handle=1220,i,5678284568260851881,18275038102438416572,131072 /prefetch:1
  2⤵
  PID:1520
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2288 --field-trial-handle=1220,i,5678284568260851881,18275038102438416572,131072 /prefetch:1
  2⤵
  PID:1796
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1476 --field-trial-handle=1220,i,5678284568260851881,18275038102438416572,131072 /prefetch:2
  2⤵
  PID:2820
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1436 --field-trial-handle=1220,i,5678284568260851881,18275038102438416572,131072 /prefetch:1
  2⤵
  PID:3028
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3456 --field-trial-handle=1220,i,5678284568260851881,18275038102438416572,131072 /prefetch:8
  2⤵
  PID:1088
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3424 --field-trial-handle=1220,i,5678284568260851881,18275038102438416572,131072 /prefetch:8
  2⤵
  PID:1392
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3492 --field-trial-handle=1220,i,5678284568260851881,18275038102438416572,131072 /prefetch:8
  2⤵
  PID:1212

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
3.0MB

MD5
dae063c97ed04c76f5829f04923b6ee0

SHA1
8ceeeab03ba48e72ac7c06494b478ab523feb185

SHA256
a3ffc389764e9755c427197f1b90872e3763810cdef05c969359d32cba8688dd

SHA512
52a26e6614eecb0df6ea0ea50d048c6d2521f84f1691deead159c84f5ecbb2d9b4153a53f10127ebd4a66db78f3263ab592569baa4ce0b858afbf96886e339e1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\WW2STkpx.xlsm

Filesize
28KB

MD5
9f0f3020ad0042ccda4bb1f55d8e21b8

SHA1
08e5de163151826bf73dcc33195f7eaf9caa0e93

SHA256
0fdf85e33d7eb83a205631683576ac249678bd5d7ced012c8d363ce417b0bbc6

SHA512
f087c444f581ea5f5f7a869851a8fda70f0d0e418f655ea1019e9182958b5e3270d4450ed05a72b0dd7f6b25a8c7fe6296d017433a9f6d22ec1928b4b88e4391

Download Submit
C:\Users\Admin\AppData\Local\Temp\WW2STkpx.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\WW2STkpx.xlsm

Filesize
25KB

MD5
ace1cf0b9f1db69231bb8f13c678a9ff

SHA1
aa7e233dbf73f789c1596420b4d7e07204aeb177

SHA256
a77681e1cf3e0b8fe604a43c92eeac50844a6929b7570ef419ebc405283f7da8

SHA512
b4ec403ce8404eebea8d920bd1f8f9d373ae009f32df5fceeffeaaaaaeca18a22d454bb6c900cf6b197af040c9fe1ba5b080549af5c30c7bf287c9cad7fdb2d3

Download Submit
\??\pipe\crashpad_2224_TIXLCVCBGSUONLKY

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_SECURE BYTE GUI.exe

Filesize
2.2MB

MD5
d1a24e598eacccd848723c1b2565ebd3

SHA1
d104ce64e66da49ce9f207329e2673217954997d

SHA256
062d410dde708417695a89459d9fec9abbe4c3ccc84f9cebd9d7669da41c7d34

SHA512
bee1c20be1b1b7e54e5dbb6ba22028d465aea034d8d32c82c3f16b18e58bd5e862456210feedd5fee7e14b7a2c40be58fd5c42ea0d4c639ca5a92f6b7cd2278b

Download Submit
memory/1996-0-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1996-26-0x0000000000400000-0x0000000000702000-memory.dmp

Filesize
3.0MB

Download
memory/2280-29-0x00000000001D0000-0x0000000000416000-memory.dmp

Filesize
2.3MB

Download
memory/2432-47-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2568-38-0x00000000000D0000-0x0000000000316000-memory.dmp

Filesize
2.3MB

Download
memory/2836-103-0x0000000000400000-0x0000000000702000-memory.dmp

Filesize
3.0MB

Download
memory/2836-104-0x0000000000400000-0x0000000000702000-memory.dmp

Filesize
3.0MB

Download