xred | 5de180ff35a8a0835dc704f4b8551fb1bb196837358c2020f84849c4f517fad8

Analysis

max time kernel
150s
max time network
154s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
07-12-2024 22:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Discord Account Generator v2/DiscordGenerator.exe
Size

226KB
MD5

768baf6ab6a559b6f01db21660baea67
SHA1

e3ac1aa045def382517ee8ad34f17b73083df128
SHA256

5f87f1ab9a87bd981a4a2c6173989948086ed8681763fec48cdc4fb1ae854237
SHA512

96404cd3a7c42bd6ad98e17f8a790dca48d5287dfb7169bc696870a07a139b16eb1cd3f8c46a281e4e2d93bde06e6c2d6e48be4a6c767c5add7742743471cf5d
SSDEEP

3072:84lRaB+zSSfIF18Gpt+hEjU+dTKye0VNE4+jjjjcjjjjN7uoF:86RakJq+hSE0VNsjjjjcjjjjE

Score

10^/10

xred backdoor discovery execution persistence

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1500	powershell.exe
5904	powershell.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000\Control Panel\International\Geo\Nation	Runtime Explorer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000\Control Panel\International\Geo\Nation	DiscordGenerator.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000\Control Panel\International\Geo\Nation	Windows Services.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Startup.lnk	Launcher.exe

Executes dropped EXE 6 IoCs

pid	Process
772	._cache_Jint.exe
3532	Synaptics.exe
5376	Runtime Broker.exe
1420	Windows Services.exe
1488	Secure System Shell.exe
6124	Runtime Explorer.exe

Loads dropped DLL 19 IoCs

pid	Process
1496	AlphaFS.lib
1496	AlphaFS.lib
1496	AlphaFS.lib
1496	AlphaFS.lib
1496	AlphaFS.lib
1496	AlphaFS.lib
1496	AlphaFS.lib
1496	AlphaFS.lib
1496	AlphaFS.lib
1496	AlphaFS.lib
1496	AlphaFS.lib
1496	AlphaFS.lib
1496	AlphaFS.lib
1496	AlphaFS.lib
1496	AlphaFS.lib
1496	AlphaFS.lib
1496	AlphaFS.lib
1496	AlphaFS.lib
1496	AlphaFS.lib

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	Jint.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Runtime Explorer = "C:\\Windows\\IMF\\\\Windows Services.exe"	Launcher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Runtime Explorer = "\"C:\\Users\\Admin\\AppData\\Roaming\\Runtime Explorer.exe\""	Runtime Explorer.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\IMF\Runtime Explorer.exe	Launcher.exe
File created	C:\Windows\IMF\Windows Services.exe.tmp	Launcher.exe
File opened for modification	C:\Windows\IMF\Windows Services.exe	Launcher.exe
File created	C:\Windows\IMF\Secure System Shell.exe.tmp	Launcher.exe
File opened for modification	C:\Windows\IMF\Secure System Shell.exe	Launcher.exe
File created	C:\Windows\IMF\LICENCE.zip	Launcher.exe
File created	C:\Windows\IMF\LICENCE.dat	Launcher.exe
File created	C:\Windows\IMF\Runtime Explorer.exe.tmp	Launcher.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DiscordGenerator.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Launcher.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jint.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Runtime Broker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Windows Services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Jint.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Secure System Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Runtime Explorer.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Jint.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
5376	Runtime Broker.exe
3596	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
4312	Launcher.exe
1500	powershell.exe
1500	powershell.exe
1420	Windows Services.exe
1420	Windows Services.exe
1420	Windows Services.exe
1420	Windows Services.exe
1488	Secure System Shell.exe
5904	powershell.exe
5904	powershell.exe

Suspicious use of AdjustPrivilegeToken 48 IoCs

description	pid	Process
Token: SeDebugPrivilege	4312	Launcher.exe
Token: SeDebugPrivilege	1500	powershell.exe
Token: 35	1496	AlphaFS.lib
Token: SeIncreaseQuotaPrivilege	1500	powershell.exe
Token: SeSecurityPrivilege	1500	powershell.exe
Token: SeTakeOwnershipPrivilege	1500	powershell.exe
Token: SeLoadDriverPrivilege	1500	powershell.exe
Token: SeSystemProfilePrivilege	1500	powershell.exe
Token: SeSystemtimePrivilege	1500	powershell.exe
Token: SeProfSingleProcessPrivilege	1500	powershell.exe
Token: SeIncBasePriorityPrivilege	1500	powershell.exe
Token: SeCreatePagefilePrivilege	1500	powershell.exe
Token: SeBackupPrivilege	1500	powershell.exe
Token: SeRestorePrivilege	1500	powershell.exe
Token: SeShutdownPrivilege	1500	powershell.exe
Token: SeDebugPrivilege	1500	powershell.exe
Token: SeSystemEnvironmentPrivilege	1500	powershell.exe
Token: SeRemoteShutdownPrivilege	1500	powershell.exe
Token: SeUndockPrivilege	1500	powershell.exe
Token: SeManageVolumePrivilege	1500	powershell.exe
Token: 33	1500	powershell.exe
Token: 34	1500	powershell.exe
Token: 35	1500	powershell.exe
Token: 36	1500	powershell.exe
Token: SeDebugPrivilege	1420	Windows Services.exe
Token: SeDebugPrivilege	1488	Secure System Shell.exe
Token: SeDebugPrivilege	5904	powershell.exe
Token: SeIncreaseQuotaPrivilege	5904	powershell.exe
Token: SeSecurityPrivilege	5904	powershell.exe
Token: SeTakeOwnershipPrivilege	5904	powershell.exe
Token: SeLoadDriverPrivilege	5904	powershell.exe
Token: SeSystemProfilePrivilege	5904	powershell.exe
Token: SeSystemtimePrivilege	5904	powershell.exe
Token: SeProfSingleProcessPrivilege	5904	powershell.exe
Token: SeIncBasePriorityPrivilege	5904	powershell.exe
Token: SeCreatePagefilePrivilege	5904	powershell.exe
Token: SeBackupPrivilege	5904	powershell.exe
Token: SeRestorePrivilege	5904	powershell.exe
Token: SeShutdownPrivilege	5904	powershell.exe
Token: SeDebugPrivilege	5904	powershell.exe
Token: SeSystemEnvironmentPrivilege	5904	powershell.exe
Token: SeRemoteShutdownPrivilege	5904	powershell.exe
Token: SeUndockPrivilege	5904	powershell.exe
Token: SeManageVolumePrivilege	5904	powershell.exe
Token: 33	5904	powershell.exe
Token: 34	5904	powershell.exe
Token: 35	5904	powershell.exe
Token: 36	5904	powershell.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
3596	EXCEL.EXE
3596	EXCEL.EXE
3596	EXCEL.EXE
3596	EXCEL.EXE
3596	EXCEL.EXE
3596	EXCEL.EXE
6124	Runtime Explorer.exe
3596	EXCEL.EXE
3596	EXCEL.EXE

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 3132 wrote to memory of 4312	3132	DiscordGenerator.exe	81
PID 3132 wrote to memory of 4312	3132	DiscordGenerator.exe	81
PID 3132 wrote to memory of 4312	3132	DiscordGenerator.exe	81
PID 3132 wrote to memory of 4404	3132	DiscordGenerator.exe	82
PID 3132 wrote to memory of 4404	3132	DiscordGenerator.exe	82
PID 3132 wrote to memory of 4404	3132	DiscordGenerator.exe	82
PID 4312 wrote to memory of 1500	4312	Launcher.exe	83
PID 4312 wrote to memory of 1500	4312	Launcher.exe	83
PID 4312 wrote to memory of 1500	4312	Launcher.exe	83
PID 4404 wrote to memory of 772	4404	Jint.exe	85
PID 4404 wrote to memory of 772	4404	Jint.exe	85
PID 4404 wrote to memory of 772	4404	Jint.exe	85
PID 4404 wrote to memory of 3532	4404	Jint.exe	87
PID 4404 wrote to memory of 3532	4404	Jint.exe	87
PID 4404 wrote to memory of 3532	4404	Jint.exe	87
PID 772 wrote to memory of 5376	772	._cache_Jint.exe	88
PID 772 wrote to memory of 5376	772	._cache_Jint.exe	88
PID 772 wrote to memory of 5376	772	._cache_Jint.exe	88
PID 772 wrote to memory of 5128	772	._cache_Jint.exe	89
PID 772 wrote to memory of 5128	772	._cache_Jint.exe	89
PID 5128 wrote to memory of 1496	5128	AlphaFS.lib	91
PID 5128 wrote to memory of 1496	5128	AlphaFS.lib	91
PID 4312 wrote to memory of 1420	4312	Launcher.exe	93
PID 4312 wrote to memory of 1420	4312	Launcher.exe	93
PID 4312 wrote to memory of 1420	4312	Launcher.exe	93
PID 1496 wrote to memory of 5184	1496	AlphaFS.lib	94
PID 1496 wrote to memory of 5184	1496	AlphaFS.lib	94
PID 1420 wrote to memory of 1488	1420	Windows Services.exe	96
PID 1420 wrote to memory of 1488	1420	Windows Services.exe	96
PID 1420 wrote to memory of 1488	1420	Windows Services.exe	96
PID 1420 wrote to memory of 6124	1420	Windows Services.exe	97
PID 1420 wrote to memory of 6124	1420	Windows Services.exe	97
PID 1420 wrote to memory of 6124	1420	Windows Services.exe	97
PID 1496 wrote to memory of 2016	1496	AlphaFS.lib	98
PID 1496 wrote to memory of 2016	1496	AlphaFS.lib	98
PID 6124 wrote to memory of 5904	6124	Runtime Explorer.exe	99
PID 6124 wrote to memory of 5904	6124	Runtime Explorer.exe	99
PID 6124 wrote to memory of 5904	6124	Runtime Explorer.exe	99

C:\Users\Admin\AppData\Local\Temp\Discord Account Generator v2\DiscordGenerator.exe
"C:\Users\Admin\AppData\Local\Temp\Discord Account Generator v2\DiscordGenerator.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3132
- C:\Users\Admin\AppData\Local\Temp\Discord Account Generator v2\RDXService\Launcher.exe
  "C:\Users\Admin\AppData\Local\Temp\Discord Account Generator v2\RDXService\Launcher.exe"
  2⤵
  - Drops startup file
  - Adds Run key to start application
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4312
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" add-mppreference -exclusionpath C:\Windows\IMF\
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1500
- - C:\Windows\IMF\Windows Services.exe
    "C:\Windows\IMF\Windows Services.exe" {Arguments If Needed}
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1420
  - - C:\Windows\IMF\Secure System Shell.exe
      "C:\Windows\IMF\Secure System Shell.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1488
  - - C:\Windows\IMF\Runtime Explorer.exe
      "C:\Windows\IMF\Runtime Explorer.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:6124
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" add-mppreference -exclusionpath C:\Users\Admin\AppData\Roaming\
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5904
- C:\Users\Admin\AppData\Local\Temp\Discord Account Generator v2\RDXService\Jint.exe
  "C:\Users\Admin\AppData\Local\Temp\Discord Account Generator v2\RDXService\Jint.exe"
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4404
- - C:\Users\Admin\AppData\Local\Temp\Discord Account Generator v2\._cache_Jint.exe
    "C:\Users\Admin\AppData\Local\Temp\Discord Account Generator v2\._cache_Jint.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:772
  - - C:\ProgramData\Windows Portable Clipboard\Runtime Broker.exe
      "C:\\ProgramData\\Windows Portable Clipboard\\Runtime Broker.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: AddClipboardFormatListener
      PID:5376
  - - C:\Users\Admin\AppData\Local\Temp\Discord Account Generator v2\AlphaFS.lib
      "AlphaFS.lib"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:5128
    - - C:\Users\Admin\AppData\Local\Temp\Discord Account Generator v2\AlphaFS.lib
        
        "AlphaFS.lib"
        5⤵
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1496
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cls
        6⤵
        
        PID:5184
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c title Discord Generator ^| coded by Nightfall#2512
        6⤵
        
        PID:2016
- - C:\ProgramData\Synaptics\Synaptics.exe
    "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3532

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
753KB

MD5
85c4062ca855443ba02c2b83503ddc14

SHA1
5fa7451b7808c19a3d28dbbd4f662d0a584b6c77

SHA256
9770a6476b607f28077320caa244bbdde08611769338485faa64ad3bee4616cf

SHA512
851b48968e44604db4d02ec29744e6e2ca006e20bfb8883152860984dd4a648684e20b97b83a0b76afd21a922b3ac1afa9b2d54d9e3125b2e9b6958a8a7f5c7e

Download Submit
C:\ProgramData\Windows Portable Clipboard\Runtime Broker.exe

Filesize
255KB

MD5
8629c65903ca26e7ffada84c69ae0972

SHA1
015673ba0498ae35bd4da1c3ba45bab5fbfa18ce

SHA256
adc6887d772f9f47ab67406cc9ea7dd0177b94d84f98124fc712b9e66208dd0d

SHA512
6a3b8717daeaed8dde18cedcb1c6fc31932f01234a63b80f37c6960f7212255cd32d1c3135d84da773e7b94ad1f326cc965463b9fc68f35b8b5449ff70d79af7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
f811272c20ff6decbbd16ff364334427

SHA1
cb31be66c972daa61d45920fa2fa824c1dfb194d

SHA256
730aff8c9e430a9f9e5e44f1c376e57f42fa5adc744824df2f69855009473592

SHA512
5c68bf3a41c3607cad5abe94f2bb3816f3e69426fa7d43bf7c9787c4e9ce6660b1843a2e505a22a93d7008b76fc564078513fe9ef47051e5b6fc344ab9d0a528

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
21KB

MD5
d2431daa9132e73d5a911228518b35d9

SHA1
32b3d140e1656aaedf3b51c405c761cd65eec619

SHA256
15b0fab2cee8590caa48d4ec6379b1610a60dbfbecf293c3ad268c5d54c6d7bb

SHA512
dde440046631e9af407ebc5b27e371d87b18c2575a6a9785dadc76e4341c240cfd9e37660f438af94abc6b8e4c351e697269142d3cd4890b32e5f74a37efdd7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\45085E00

Filesize
21KB

MD5
5efa4989af50cceec99492f757dad25b

SHA1
e422cef0cbbefb657f980676db2ac1b5e1350806

SHA256
9b0064e30ccb2f45594eb4fe4e1d42c728e4f00006adbc3821e249b877290a5f

SHA512
71dbbeb97d27a6af0c9678a74e0285f5be8456848b9d7afc2e618992ae7ff90dad9916896163bb97e72800d020f1f2136d3e52525e5e141eae2662696950ea85

Download Submit
C:\Users\Admin\AppData\Local\Temp\Discord Account Generator v2\._cache_Jint.exe

Filesize
206KB

MD5
01954f322fc670b93d59b9bdf710d3f5

SHA1
7c9e9af5da35de32c41d9a883c61d6a773905059

SHA256
43a1c5f3292787add7507c3aa57179682b69dc499965039c1179560bd2b567fd

SHA512
c160714b91ee7f86edb3462d7b88b8121ef369aa24499708e2e05c41cf31f4677d4e8da56b0b495cc60eae98768b7110722790f316da88eb51c3a9100f7baa05

Download Submit
C:\Users\Admin\AppData\Local\Temp\T3oS2iLw.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI51282\VCRUNTIME140.dll

Filesize
87KB

MD5
0e675d4a7a5b7ccd69013386793f68eb

SHA1
6e5821ddd8fea6681bda4448816f39984a33596b

SHA256
bf5ff4603557c9959acec995653d052d9054ad4826df967974efd2f377c723d1

SHA512
cae69a90f92936febde67dacd6ce77647cb3b3ed82bb66463cd9047e90723f633aa2fc365489de09fecdc510be15808c183b12e6236b0893af19633f6a670e66

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI51282\_bz2.pyd

Filesize
87KB

MD5
8b40a68ae537c0aab25a8b30b10ab098

SHA1
1c8ac1f7f5c3697c457dd98f05296c2354ff7f55

SHA256
0b86ef4810d53e79f1d934b427fdbacf3792eebb37ed241bc89148238af763fa

SHA512
620ad61ff05c73adee4ac8f4b88a3880c11893eaac77ccca4e88edb29b492366a5bcf813d18628f005730f7e45ce373af9275776ea768b67b8d0e3bc62949229

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI51282\_ctypes.pyd

Filesize
131KB

MD5
9a69561e94859bc3411c6499bc46c4bd

SHA1
3fa5bc2d4ffc23c4c383252c51098d6211949b99

SHA256
6bbde732c5bcb89455f43f370a444bb6bca321825de56f9a1f2e947b0a006f1c

SHA512
31d9e3844f1b8e72ec80acd1e224a94d11039c130e69c498a668e07e0d8bba8d1ed1ebe0b7a16376ca597d0e2b74a0d5e3bf53d1cbadf5bf099d3bf78db659a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI51282\_elementtree.pyd

Filesize
203KB

MD5
80788d9c36aa4f950d1a71518abfa5fc

SHA1
3bcf2f8df698160d01c74f934ab4c06555ae1f8c

SHA256
75b93ebab7de27022d1d9f468c5051be5ac64b436b6a10928d75b3de19dbcb6b

SHA512
f26187e364c80c5ff423699fbcf62a8035969592a6da339c80fa862185f1f2e674c44325321c6643cb6cb7e2034623e04603a9491d1e8f06a4063efbf85ef48e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI51282\_hashlib.pyd

Filesize
38KB

MD5
1f77f7a5f36c48e7c596e7031c80e4ff

SHA1
79f86e31203b60b3388047e39a2a26275da411f5

SHA256
30dfbd97883b1545513ca5bb857a9aad6e9bf4b8b4272569818346eaf25033f7

SHA512
b647e820ae4854921839a6cc92610fd63ef79623d442fd17503a39ca145dfd6cde3719c50473c0c74fe487f980b12e90bd3d3beb5729fa5498a357d44f81809c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI51282\_lzma.pyd

Filesize
251KB

MD5
16fb5a2363ce8dd12a65a9823a517b59

SHA1
59979d9195259f48c678cdaa36b5efee13472ff5

SHA256
bb78ca0dd1478027e2e9f06f56fc7c3cc6f157b4151562d58a7f6646e463fcc2

SHA512
d9801cdd8cc9809781b79882a226ee7a56d93eac0181295c80cb1f088f0fbf46e3eb35c7d8ff208dbd5a3e93a190a04c48fd254c9971a3740b020547973683e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI51282\_queue.pyd

Filesize
27KB

MD5
94b57996008875822a0b13fa089ae513

SHA1
340ab82c3653c7e664f28d2dffb6863f1df20709

SHA256
28136612834be0dd236f085f46c1d9b8a1830b9c073557464e22bc006d81e494

SHA512
aa9db065609dbae700a5c04266afa99ef838a9f5dc58acdca1c9b95c5d845195cfce895b81d718e761e69b5cfaeb71e9e8450fb76c590f991850e67f65b32abe

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI51282\_socket.pyd

Filesize
74KB

MD5
0ea1df6137ee3369546a806a175aecf4

SHA1
95fd1ad45892cb9e655bfa62ca1be80a0b9b2d43

SHA256
6fcc31573ae6b380db1d4e23731755465fd2cee0856e7a6c0e396759bcbf73b5

SHA512
6497fdb86ac69f6551a7794c090ca695bf22eb647b7a503fa23d7944ad375f061429f17e2ea043c809460e7cb9fc3df77c7bfe0b64f00ddd65de1aa744d3adcb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI51282\_ssl.pyd

Filesize
121KB

MD5
0e970f3353e65094165edcdfcaf1c299

SHA1
e86d2c4723ae09890f69ab1a6f4a1a935dc0a0e7

SHA256
4fed9f05da139d66e0582b47c20ee91c91be44d379c225f89b22462bedc989d3

SHA512
4621d1add268f9aadf0119055d6cce23739eec969ab031fc0a510c40cf4cce60230a89735fd85c38f28c22ed9dc829ff294ef48590fc56191464e1fec1fa4595

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI51282\base_library.zip

Filesize
768KB

MD5
eb723b4c1b48d3e8969ff3f4d897b79e

SHA1
a03479e7a916d0ee5e3647322307aceb0b1c30b9

SHA256
ed6356556e3a86b92f9995bce5b1c3182d5df8976a2ca2e400ebf4eaed592ef5

SHA512
4c9902b5698e4e3d8837d594e337a6696ce03d9f6d0d3fc7f5f144c53c2fb7494ac10d303ea597c25c159076f74a7b7c59eb2d29db068878ab6f4bbb510fd13f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI51282\certifi\cacert.pem

Filesize
257KB

MD5
1ba3b44f73a6b25711063ea5232f4883

SHA1
1b1a84804f896b7085924f8bf0431721f3b5bdbe

SHA256
bb77f13d3fbec9e98bbf28ac95046b44196c7d8f55ab7720061e99991a829197

SHA512
0dd2a14331308b1de757d56fab43678431e0ad6f5f5b12c32fa515d142bd955f8be690b724e07f41951dd03c9fee00e604f4e0b9309da3ea438c8e9b56ca581b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI51282\libcrypto-1_1.dll

Filesize
3.2MB

MD5
bf83f8ad60cb9db462ce62c73208a30d

SHA1
f1bc7dbc1e5b00426a51878719196d78981674c4

SHA256
012866b68f458ec204b9bce067af8f4a488860774e7e17973c49e583b52b828d

SHA512
ae1bdda1c174ddf4205ab19a25737fe523dca6a9a339030cd8a95674c243d0011121067c007be56def4eaeffc40cbdadfdcbd1e61df3404d6a3921d196dcd81e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI51282\libssl-1_1.dll

Filesize
670KB

MD5
fe1f3632af98e7b7a2799e3973ba03cf

SHA1
353c7382e2de3ccdd2a4911e9e158e7c78648496

SHA256
1ce7ba99e817c1c2d71bc88a1bdd6fcad82aa5c3e519b91ebd56c96f22e3543b

SHA512
a0123dfe324d3ebf68a44afafca7c6f33d918716f29b063c72c4a8bd2006b81faea6848f4f2423778d57296d7bf4f99a3638fc87b37520f0dcbeefa3a2343de0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI51282\lxml\_elementpath.cp37-win_amd64.pyd

Filesize
141KB

MD5
3702f8ff3e1af9be72126683fca3a1ce

SHA1
82e6be08797fcd9558cb3e7759c0e3de2ffcea88

SHA256
28fd0337a5251d409d8d8d27383f682ba63b3d52bd0691a22a90b208e23b4f93

SHA512
d18ffd06d6580b52d07749bd6f2927bc1bc445c3a7c8267288b9e4f00de321ad897959519e1aed199e36ff7008be26cc7af486bab0b2c7433a9c72c349a24713

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI51282\lxml\etree.cp37-win_amd64.pyd

Filesize
3.7MB

MD5
e685bf02d3b11fa4715a94107a7292be

SHA1
b5822fda8f6ae3b7c5117c524584a490c6e95c91

SHA256
04db5dfd6b41b3245b86d4f97e96664d0199ae2af755b71e011a4e0e92124633

SHA512
c6118cf72c6cadb68b33e37197ac64cf5151f3266e8059619e2a30fc7a12bc9176e2b2a2a8257a7b0a68c96665b566c606ab294e8798d578a62957fe34cf65f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI51282\pyexpat.pyd

Filesize
194KB

MD5
ebf42794afd81d3a158f1d4eb4096483

SHA1
9c49d840a600d126b1d0b3a294218f82c2292c8d

SHA256
0cb9ae2dfd64c291de65aee89a524a0bbfe7755c34c8215e8b47a4f409ef3743

SHA512
28db296525d48e970c40bf267523dfdcd823fbd471e606b97cd61af373af9d42bb72765f846df4bf33457124fd1a039e7e06b5e6e863503a26a3efc9b15078f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI51282\python37.dll

Filesize
3.6MB

MD5
86af9b888a72bdceb8fd8ed54975edd5

SHA1
c9d67c9243f818c0a8cc279267cca44d9995f0cf

SHA256
e11aa3893597d7c408349ebb11f47a24e388fd702c4d38b5d6f363f7ad6e8e5f

SHA512
5d8fd9040f466e23af7f17772e3769ad83c5f55f8c70dcc3cfb1f827e105f0f4e6133f0e183fabc67dd44799495c47f931bf92546342b30b9c4a5c2b4aeee7c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI51282\pywintypes37.dll

Filesize
136KB

MD5
77b6875977e77c4619bbb471d5eaf790

SHA1
f08c3bc5e918c0a197fbfd1b15e7c0491bd5fade

SHA256
780a72ba3215ff413d5a9e98861d8bb87c15c43a75bb81dc985034ae7dcf5ef6

SHA512
783939fc97b2445dfe7e21eb6b71711aba6d85e275e489eddcc4f20c2ed018678d8d14c9e1856f66e3876f318312d69c22cee77f9105a72e56a1be4f3e8a7c2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI51282\select.pyd

Filesize
26KB

MD5
e1d0d18a0dd8e82f9b677a86d32e3124

SHA1
96a00541d86d03529b55c1ac5ff1c6cfb5e91d1e

SHA256
4595675949851bd0ff65521e936647fcc5c8d2f32f0ac2641a262fb6323896dd

SHA512
38e3b6b23ebcbdc60eeeed0bf3dddc69004a1ccd4a2486f3a9f8c0d4624b690e2e5704e3fe05bf1bf2c900bf4f5bc9439f45f3c02fd4c67783056b3da15e0f56

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI51282\selenium\webdriver\remote\getAttribute.js

Filesize
6KB

MD5
e6b3169414f3b9c47a9b826bb71a0337

SHA1
d22278a492d03863ce51569482dcfb30a0b006e9

SHA256
1198a9999dde24dd2da0d9877cc2e8f8dd70bfdaeee0b5012b24e5474b50e88c

SHA512
bf9e48caf03e19274b5020d5eae6a3d6d75b611676f307346cf28117da71410e6022a72da0f82a8f2c6ca06a2c503c8e6528c6a164c4fb488c5195d6aa3e3819

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI51282\selenium\webdriver\remote\isDisplayed.js

Filesize
42KB

MD5
313589fe40cbb546415aec5377da0e7d

SHA1
bc2b6e547b1da94682e379af1ea11579e26de65b

SHA256
c1a04024e5414fca8c1deedb452be77a8b9d13bb3cf67ff4230d5983537a3096

SHA512
bbdfa98ecd07a27f20966b5eb0cdcc0fac6085bebd6868a061563d210262f61d630b823e6eabd3217175b7f01516cda9c162adbfe063130d6510e0a3f4be2f7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI51282\ucrtbase.dll

Filesize
987KB

MD5
61eb0ad4c285b60732353a0cb5c9b2ab

SHA1
21a1bea01f6ca7e9828a522c696853706d0a457b

SHA256
10521fe73fe05f2ba95d40757d9f676f2091e2ed578da9d5cdef352f986f3bcd

SHA512
44cd871f48b5193abb3b9664dbea8cdad19e72c47b6967c685cf1cc803bc9abb48a8a93009c972ef4936e7f78e3c92110828790aa0a9d26b80e6a523bbcd830d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI51282\unicodedata.pyd

Filesize
1.0MB

MD5
23bba751c8a182262856eeba20db3341

SHA1
0120468629aa035d92ebdf97f9f32a02085fbccf

SHA256
96eafcb208518f6df0674ef6f1a48f4687eb73f785c87b11cb4a52dcf1ce5c66

SHA512
482fdb6f542be27d6bf3b41bc7aa7d7fda3077cd763f32bb25e0c50cf8ae11ebd8173d18cb0a52126b2150fc737109d384971298e8e2cf8a199ad1f1956d9326

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mvy5wjho.kal.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\IMF\Runtime Explorer.exe

Filesize
152KB

MD5
03f5e0141f4519f0c5ac26ce0b036a0f

SHA1
4f7a2a230e7a194a898cc9f2d563ac8777fe99c0

SHA256
78a408c628e33e3332645f480ee7ce01b5dc24fc96cf16ffa0868d43f3d421ef

SHA512
86a68f040654006e06b51c5714e0d7168d0d1bef7f3c39843632068104f773f771d21be4bc251d712f3e915cd1058f89ad31d9e3f3d9e7cf6da6785cbf22d8d7

Download Submit
C:\Windows\IMF\Secure System Shell.exe

Filesize
45KB

MD5
7d0c7359e5b2daa5665d01afdc98cc00

SHA1
c3cc830c8ffd0f53f28d89dcd9f3426be87085cb

SHA256
f1abd5ab03189e82971513e6ca04bd372fcf234d670079888f01cf4addd49809

SHA512
a8f82b11b045d8dd744506f4f56f3382b33a03684a6aebc91a02ea901c101b91cb43b7d0213f72f39cbb22f616ecd5de8b9e6c99fb5669f26a3ea6bcb63c8407

Download Submit
C:\Windows\IMF\Windows Services.exe

Filesize
46KB

MD5
ad0ce1302147fbdfecaec58480eb9cf9

SHA1
874efbc76e5f91bc1425a43ea19400340f98d42b

SHA256
2c339b52b82e73b4698a0110cdfe310c00c5c69078e9e1bd6fa1308652bf82a3

SHA512
adccd5520e01b673c2fc5c451305fe31b1a3e74891aece558f75fefc50218adf1fb81bb8c7f19969929d3fecb0fdb2cb5b564400d51e0a5a1ad8d5bc2d4eed53

Download Submit
memory/1420-326-0x0000000000340000-0x0000000000352000-memory.dmp

Filesize
72KB

Download
memory/1488-369-0x0000000000C70000-0x0000000000C82000-memory.dmp

Filesize
72KB

Download
memory/1500-44-0x0000000005BB0000-0x0000000005C16000-memory.dmp

Filesize
408KB

Download
memory/1500-43-0x0000000005430000-0x0000000005452000-memory.dmp

Filesize
136KB

Download
memory/1500-332-0x0000000007950000-0x00000000079E6000-memory.dmp

Filesize
600KB

Download
memory/1500-330-0x0000000007740000-0x000000000774A000-memory.dmp

Filesize
40KB

Download
memory/1500-327-0x0000000007DB0000-0x000000000842A000-memory.dmp

Filesize
6.5MB

Download
memory/1500-328-0x00000000074D0000-0x00000000074EA000-memory.dmp

Filesize
104KB

Download
memory/1500-325-0x0000000007380000-0x0000000007423000-memory.dmp

Filesize
652KB

Download
memory/1500-129-0x00000000066E0000-0x000000000672C000-memory.dmp

Filesize
304KB

Download
memory/1500-313-0x00000000703A0000-0x00000000703EC000-memory.dmp

Filesize
304KB

Download
memory/1500-323-0x00000000069B0000-0x00000000069CE000-memory.dmp

Filesize
120KB

Download
memory/1500-127-0x0000000006380000-0x000000000639E000-memory.dmp

Filesize
120KB

Download
memory/1500-41-0x0000000004D60000-0x0000000004D96000-memory.dmp

Filesize
216KB

Download
memory/1500-52-0x0000000005DA0000-0x00000000060F7000-memory.dmp

Filesize
3.3MB

Download
memory/1500-42-0x0000000005470000-0x0000000005B3A000-memory.dmp

Filesize
6.8MB

Download
memory/1500-45-0x0000000005CA0000-0x0000000005D06000-memory.dmp

Filesize
408KB

Download
memory/1500-310-0x0000000006950000-0x0000000006982000-memory.dmp

Filesize
200KB

Download
memory/3132-7-0x0000000074A20000-0x00000000751D1000-memory.dmp

Filesize
7.7MB

Download
memory/3132-6-0x0000000005480000-0x00000000054D6000-memory.dmp

Filesize
344KB

Download
memory/3132-0-0x0000000074A2E000-0x0000000074A2F000-memory.dmp

Filesize
4KB

Download
memory/3132-14-0x0000000074A20000-0x00000000751D1000-memory.dmp

Filesize
7.7MB

Download
memory/3132-1-0x00000000008B0000-0x00000000008EE000-memory.dmp

Filesize
248KB

Download
memory/3132-2-0x0000000005120000-0x00000000051BC000-memory.dmp

Filesize
624KB

Download
memory/3132-3-0x0000000005830000-0x0000000005DD6000-memory.dmp

Filesize
5.6MB

Download
memory/3132-4-0x0000000005280000-0x0000000005312000-memory.dmp

Filesize
584KB

Download
memory/3132-5-0x0000000005230000-0x000000000523A000-memory.dmp

Filesize
40KB

Download
memory/3532-446-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/3532-425-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/3532-415-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/3596-191-0x00007FFB0A990000-0x00007FFB0A9A0000-memory.dmp

Filesize
64KB

Download
memory/3596-188-0x00007FFB0A990000-0x00007FFB0A9A0000-memory.dmp

Filesize
64KB

Download
memory/3596-247-0x00007FFB08120000-0x00007FFB08130000-memory.dmp

Filesize
64KB

Download
memory/3596-189-0x00007FFB0A990000-0x00007FFB0A9A0000-memory.dmp

Filesize
64KB

Download
memory/3596-199-0x00007FFB0A990000-0x00007FFB0A9A0000-memory.dmp

Filesize
64KB

Download
memory/3596-190-0x00007FFB0A990000-0x00007FFB0A9A0000-memory.dmp

Filesize
64KB

Download
memory/3596-239-0x00007FFB08120000-0x00007FFB08130000-memory.dmp

Filesize
64KB

Download
memory/4312-9-0x0000000074A20000-0x00000000751D1000-memory.dmp

Filesize
7.7MB

Download
memory/4312-10-0x0000000074A20000-0x00000000751D1000-memory.dmp

Filesize
7.7MB

Download
memory/4312-324-0x0000000074A20000-0x00000000751D1000-memory.dmp

Filesize
7.7MB

Download
memory/4312-293-0x00000000065F0000-0x0000000006666000-memory.dmp

Filesize
472KB

Download
memory/4312-11-0x0000000006940000-0x00000000069BE000-memory.dmp

Filesize
504KB

Download
memory/4312-8-0x0000000000120000-0x0000000000134000-memory.dmp

Filesize
80KB

Download
memory/4312-12-0x0000000074A20000-0x00000000751D1000-memory.dmp

Filesize
7.7MB

Download
memory/4312-294-0x00000000065D0000-0x00000000065EE000-memory.dmp

Filesize
120KB

Download
memory/4404-132-0x0000000000400000-0x00000000004F6000-memory.dmp

Filesize
984KB

Download
memory/5904-395-0x00000000703A0000-0x00000000703EC000-memory.dmp

Filesize
304KB

Download