xred | 5de180ff35a8a0835dc704f4b8551fb1bb196837358c2020f84849c4f517fad8

Analysis

max time kernel
141s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
07/12/2024, 22:53

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Discord Account Generator v2/RDXService/Jint.exe
Size

959KB
MD5

68a9f00a8e353b412f6f874c319aa5f1
SHA1

53a0e6f2ee1405c98871c5f5eb1fd2bf4b8d8d7d
SHA256

4de87cf5d3b6e29a4f5a870d2f267eb9628ca158ef9504508dec6e06503406cd
SHA512

f00123c27153f0bb540237f80e3526d0d36d7cf873d061a4db3d68de6b10827d6dec5fe2aca43d30365416f6caa7537686ca8c9a78de18aad333d90e188a357b
SSDEEP

12288:3MSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9CltSGCFuJ9lTDd6S7sQoh:3nsJ39LyjbJkQFMhmC+6GD9mtSa7s1h

Score

10^/10

xred backdoor discovery persistence

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	Jint.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	Synaptics.exe

Executes dropped EXE 4 IoCs

pid	Process
216	._cache_Jint.exe
1064	Synaptics.exe
3612	Runtime Broker.exe
944	._cache_Synaptics.exe

Loads dropped DLL 35 IoCs

pid	Process
1932	AlphaFS.lib
1932	AlphaFS.lib
1932	AlphaFS.lib
1932	AlphaFS.lib
1932	AlphaFS.lib
1932	AlphaFS.lib
1932	AlphaFS.lib
1932	AlphaFS.lib
1932	AlphaFS.lib
1932	AlphaFS.lib
1932	AlphaFS.lib
1932	AlphaFS.lib
1932	AlphaFS.lib
1932	AlphaFS.lib
1932	AlphaFS.lib
1456	AlphaFS.lib
1456	AlphaFS.lib
1456	AlphaFS.lib
1456	AlphaFS.lib
1456	AlphaFS.lib
1456	AlphaFS.lib
1456	AlphaFS.lib
1456	AlphaFS.lib
1456	AlphaFS.lib
1456	AlphaFS.lib
1456	AlphaFS.lib
1456	AlphaFS.lib
1456	AlphaFS.lib
1456	AlphaFS.lib
1456	AlphaFS.lib
1456	AlphaFS.lib
1456	AlphaFS.lib
1456	AlphaFS.lib
1456	AlphaFS.lib
1456	AlphaFS.lib

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	Jint.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jint.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Jint.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Runtime Broker.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Jint.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
3612	Runtime Broker.exe
868	EXCEL.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 35	1932	AlphaFS.lib
Token: 35	1456	AlphaFS.lib

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
868	EXCEL.EXE
868	EXCEL.EXE
868	EXCEL.EXE
868	EXCEL.EXE
868	EXCEL.EXE
868	EXCEL.EXE
868	EXCEL.EXE
868	EXCEL.EXE

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1516 wrote to memory of 216	1516	Jint.exe	83
PID 1516 wrote to memory of 216	1516	Jint.exe	83
PID 1516 wrote to memory of 216	1516	Jint.exe	83
PID 1516 wrote to memory of 1064	1516	Jint.exe	85
PID 1516 wrote to memory of 1064	1516	Jint.exe	85
PID 1516 wrote to memory of 1064	1516	Jint.exe	85
PID 216 wrote to memory of 3612	216	._cache_Jint.exe	86
PID 216 wrote to memory of 3612	216	._cache_Jint.exe	86
PID 216 wrote to memory of 3612	216	._cache_Jint.exe	86
PID 216 wrote to memory of 2552	216	._cache_Jint.exe	87
PID 216 wrote to memory of 2552	216	._cache_Jint.exe	87
PID 1064 wrote to memory of 944	1064	Synaptics.exe	88
PID 1064 wrote to memory of 944	1064	Synaptics.exe	88
PID 1064 wrote to memory of 944	1064	Synaptics.exe	88
PID 2552 wrote to memory of 1932	2552	AlphaFS.lib	91
PID 2552 wrote to memory of 1932	2552	AlphaFS.lib	91
PID 944 wrote to memory of 2484	944	._cache_Synaptics.exe	92
PID 944 wrote to memory of 2484	944	._cache_Synaptics.exe	92
PID 2484 wrote to memory of 1456	2484	AlphaFS.lib	93
PID 2484 wrote to memory of 1456	2484	AlphaFS.lib	93
PID 1456 wrote to memory of 228	1456	AlphaFS.lib	99
PID 1456 wrote to memory of 228	1456	AlphaFS.lib	99
PID 1456 wrote to memory of 2152	1456	AlphaFS.lib	100
PID 1456 wrote to memory of 2152	1456	AlphaFS.lib	100

C:\Users\Admin\AppData\Local\Temp\Discord Account Generator v2\RDXService\Jint.exe
"C:\Users\Admin\AppData\Local\Temp\Discord Account Generator v2\RDXService\Jint.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1516
- C:\Users\Admin\AppData\Local\Temp\Discord Account Generator v2\RDXService\._cache_Jint.exe
  "C:\Users\Admin\AppData\Local\Temp\Discord Account Generator v2\RDXService\._cache_Jint.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:216
- - C:\ProgramData\Windows Portable Clipboard\Runtime Broker.exe
    "C:\\ProgramData\\Windows Portable Clipboard\\Runtime Broker.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: AddClipboardFormatListener
    PID:3612
- - C:\Users\Admin\AppData\Local\Temp\Discord Account Generator v2\RDXService\AlphaFS.lib
    "AlphaFS.lib"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2552
  - - C:\Users\Admin\AppData\Local\Temp\Discord Account Generator v2\RDXService\AlphaFS.lib
      "AlphaFS.lib"
      4⤵
      Loads dropped DLL
      Suspicious use of AdjustPrivilegeToken
      PID:1932
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1064
- - C:\Users\Admin\AppData\Local\Temp\Discord Account Generator v2\RDXService\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\Discord Account Generator v2\RDXService\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:944
  - - C:\Users\Admin\AppData\Local\Temp\Discord Account Generator v2\RDXService\AlphaFS.lib
      "AlphaFS.lib"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2484
    - - C:\Users\Admin\AppData\Local\Temp\Discord Account Generator v2\RDXService\AlphaFS.lib
        
        "AlphaFS.lib"
        5⤵
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1456
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cls
        6⤵
        
        PID:228
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c title Discord Generator ^| coded by Nightfall#2512
        6⤵
        
        PID:2152

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
959KB

MD5
68a9f00a8e353b412f6f874c319aa5f1

SHA1
53a0e6f2ee1405c98871c5f5eb1fd2bf4b8d8d7d

SHA256
4de87cf5d3b6e29a4f5a870d2f267eb9628ca158ef9504508dec6e06503406cd

SHA512
f00123c27153f0bb540237f80e3526d0d36d7cf873d061a4db3d68de6b10827d6dec5fe2aca43d30365416f6caa7537686ca8c9a78de18aad333d90e188a357b

Download Submit
C:\ProgramData\Windows Portable Clipboard\Runtime Broker.exe

Filesize
255KB

MD5
8629c65903ca26e7ffada84c69ae0972

SHA1
015673ba0498ae35bd4da1c3ba45bab5fbfa18ce

SHA256
adc6887d772f9f47ab67406cc9ea7dd0177b94d84f98124fc712b9e66208dd0d

SHA512
6a3b8717daeaed8dde18cedcb1c6fc31932f01234a63b80f37c6960f7212255cd32d1c3135d84da773e7b94ad1f326cc965463b9fc68f35b8b5449ff70d79af7

Download Submit
C:\Users\Admin\AppData\Local\Temp\1CiDTqjw.xlsm

Filesize
21KB

MD5
20d746bbba62ad7910f263e4fd0200ec

SHA1
ad91fe2d35ba5fed535c79e9ff9c124d0a58952c

SHA256
3bae3b150c8936a1955401ebfec89d40507493fbe0b000da99f9557b106360b3

SHA512
9de14050e64b2fd20dfba9f6f781bb290c01d5af3841915d2ffccd8a78077715a3f8eddde9c824534dc3c15cd4155b2c00493b340265cc8fd06c7583f1b75b43

Download Submit
C:\Users\Admin\AppData\Local\Temp\Discord Account Generator v2\RDXService\._cache_Jint.exe

Filesize
206KB

MD5
01954f322fc670b93d59b9bdf710d3f5

SHA1
7c9e9af5da35de32c41d9a883c61d6a773905059

SHA256
43a1c5f3292787add7507c3aa57179682b69dc499965039c1179560bd2b567fd

SHA512
c160714b91ee7f86edb3462d7b88b8121ef369aa24499708e2e05c41cf31f4677d4e8da56b0b495cc60eae98768b7110722790f316da88eb51c3a9100f7baa05

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24842\VCRUNTIME140.dll

Filesize
87KB

MD5
0e675d4a7a5b7ccd69013386793f68eb

SHA1
6e5821ddd8fea6681bda4448816f39984a33596b

SHA256
bf5ff4603557c9959acec995653d052d9054ad4826df967974efd2f377c723d1

SHA512
cae69a90f92936febde67dacd6ce77647cb3b3ed82bb66463cd9047e90723f633aa2fc365489de09fecdc510be15808c183b12e6236b0893af19633f6a670e66

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24842\_ctypes.pyd

Filesize
131KB

MD5
9a69561e94859bc3411c6499bc46c4bd

SHA1
3fa5bc2d4ffc23c4c383252c51098d6211949b99

SHA256
6bbde732c5bcb89455f43f370a444bb6bca321825de56f9a1f2e947b0a006f1c

SHA512
31d9e3844f1b8e72ec80acd1e224a94d11039c130e69c498a668e07e0d8bba8d1ed1ebe0b7a16376ca597d0e2b74a0d5e3bf53d1cbadf5bf099d3bf78db659a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24842\_socket.pyd

Filesize
74KB

MD5
0ea1df6137ee3369546a806a175aecf4

SHA1
95fd1ad45892cb9e655bfa62ca1be80a0b9b2d43

SHA256
6fcc31573ae6b380db1d4e23731755465fd2cee0856e7a6c0e396759bcbf73b5

SHA512
6497fdb86ac69f6551a7794c090ca695bf22eb647b7a503fa23d7944ad375f061429f17e2ea043c809460e7cb9fc3df77c7bfe0b64f00ddd65de1aa744d3adcb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24842\_ssl.pyd

Filesize
121KB

MD5
0e970f3353e65094165edcdfcaf1c299

SHA1
e86d2c4723ae09890f69ab1a6f4a1a935dc0a0e7

SHA256
4fed9f05da139d66e0582b47c20ee91c91be44d379c225f89b22462bedc989d3

SHA512
4621d1add268f9aadf0119055d6cce23739eec969ab031fc0a510c40cf4cce60230a89735fd85c38f28c22ed9dc829ff294ef48590fc56191464e1fec1fa4595

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24842\libcrypto-1_1.dll

Filesize
3.2MB

MD5
bf83f8ad60cb9db462ce62c73208a30d

SHA1
f1bc7dbc1e5b00426a51878719196d78981674c4

SHA256
012866b68f458ec204b9bce067af8f4a488860774e7e17973c49e583b52b828d

SHA512
ae1bdda1c174ddf4205ab19a25737fe523dca6a9a339030cd8a95674c243d0011121067c007be56def4eaeffc40cbdadfdcbd1e61df3404d6a3921d196dcd81e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24842\libssl-1_1.dll

Filesize
670KB

MD5
fe1f3632af98e7b7a2799e3973ba03cf

SHA1
353c7382e2de3ccdd2a4911e9e158e7c78648496

SHA256
1ce7ba99e817c1c2d71bc88a1bdd6fcad82aa5c3e519b91ebd56c96f22e3543b

SHA512
a0123dfe324d3ebf68a44afafca7c6f33d918716f29b063c72c4a8bd2006b81faea6848f4f2423778d57296d7bf4f99a3638fc87b37520f0dcbeefa3a2343de0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25522\_bz2.pyd

Filesize
87KB

MD5
8b40a68ae537c0aab25a8b30b10ab098

SHA1
1c8ac1f7f5c3697c457dd98f05296c2354ff7f55

SHA256
0b86ef4810d53e79f1d934b427fdbacf3792eebb37ed241bc89148238af763fa

SHA512
620ad61ff05c73adee4ac8f4b88a3880c11893eaac77ccca4e88edb29b492366a5bcf813d18628f005730f7e45ce373af9275776ea768b67b8d0e3bc62949229

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25522\_hashlib.pyd

Filesize
38KB

MD5
1f77f7a5f36c48e7c596e7031c80e4ff

SHA1
79f86e31203b60b3388047e39a2a26275da411f5

SHA256
30dfbd97883b1545513ca5bb857a9aad6e9bf4b8b4272569818346eaf25033f7

SHA512
b647e820ae4854921839a6cc92610fd63ef79623d442fd17503a39ca145dfd6cde3719c50473c0c74fe487f980b12e90bd3d3beb5729fa5498a357d44f81809c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25522\_lzma.pyd

Filesize
251KB

MD5
16fb5a2363ce8dd12a65a9823a517b59

SHA1
59979d9195259f48c678cdaa36b5efee13472ff5

SHA256
bb78ca0dd1478027e2e9f06f56fc7c3cc6f157b4151562d58a7f6646e463fcc2

SHA512
d9801cdd8cc9809781b79882a226ee7a56d93eac0181295c80cb1f088f0fbf46e3eb35c7d8ff208dbd5a3e93a190a04c48fd254c9971a3740b020547973683e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25522\_queue.pyd

Filesize
27KB

MD5
94b57996008875822a0b13fa089ae513

SHA1
340ab82c3653c7e664f28d2dffb6863f1df20709

SHA256
28136612834be0dd236f085f46c1d9b8a1830b9c073557464e22bc006d81e494

SHA512
aa9db065609dbae700a5c04266afa99ef838a9f5dc58acdca1c9b95c5d845195cfce895b81d718e761e69b5cfaeb71e9e8450fb76c590f991850e67f65b32abe

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25522\base_library.zip

Filesize
768KB

MD5
eb723b4c1b48d3e8969ff3f4d897b79e

SHA1
a03479e7a916d0ee5e3647322307aceb0b1c30b9

SHA256
ed6356556e3a86b92f9995bce5b1c3182d5df8976a2ca2e400ebf4eaed592ef5

SHA512
4c9902b5698e4e3d8837d594e337a6696ce03d9f6d0d3fc7f5f144c53c2fb7494ac10d303ea597c25c159076f74a7b7c59eb2d29db068878ab6f4bbb510fd13f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25522\certifi\cacert.pem

Filesize
257KB

MD5
1ba3b44f73a6b25711063ea5232f4883

SHA1
1b1a84804f896b7085924f8bf0431721f3b5bdbe

SHA256
bb77f13d3fbec9e98bbf28ac95046b44196c7d8f55ab7720061e99991a829197

SHA512
0dd2a14331308b1de757d56fab43678431e0ad6f5f5b12c32fa515d142bd955f8be690b724e07f41951dd03c9fee00e604f4e0b9309da3ea438c8e9b56ca581b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25522\python37.dll

Filesize
3.6MB

MD5
86af9b888a72bdceb8fd8ed54975edd5

SHA1
c9d67c9243f818c0a8cc279267cca44d9995f0cf

SHA256
e11aa3893597d7c408349ebb11f47a24e388fd702c4d38b5d6f363f7ad6e8e5f

SHA512
5d8fd9040f466e23af7f17772e3769ad83c5f55f8c70dcc3cfb1f827e105f0f4e6133f0e183fabc67dd44799495c47f931bf92546342b30b9c4a5c2b4aeee7c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25522\pywintypes37.dll

Filesize
136KB

MD5
77b6875977e77c4619bbb471d5eaf790

SHA1
f08c3bc5e918c0a197fbfd1b15e7c0491bd5fade

SHA256
780a72ba3215ff413d5a9e98861d8bb87c15c43a75bb81dc985034ae7dcf5ef6

SHA512
783939fc97b2445dfe7e21eb6b71711aba6d85e275e489eddcc4f20c2ed018678d8d14c9e1856f66e3876f318312d69c22cee77f9105a72e56a1be4f3e8a7c2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25522\select.pyd

Filesize
26KB

MD5
e1d0d18a0dd8e82f9b677a86d32e3124

SHA1
96a00541d86d03529b55c1ac5ff1c6cfb5e91d1e

SHA256
4595675949851bd0ff65521e936647fcc5c8d2f32f0ac2641a262fb6323896dd

SHA512
38e3b6b23ebcbdc60eeeed0bf3dddc69004a1ccd4a2486f3a9f8c0d4624b690e2e5704e3fe05bf1bf2c900bf4f5bc9439f45f3c02fd4c67783056b3da15e0f56

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25522\selenium\webdriver\remote\getAttribute.js

Filesize
6KB

MD5
e6b3169414f3b9c47a9b826bb71a0337

SHA1
d22278a492d03863ce51569482dcfb30a0b006e9

SHA256
1198a9999dde24dd2da0d9877cc2e8f8dd70bfdaeee0b5012b24e5474b50e88c

SHA512
bf9e48caf03e19274b5020d5eae6a3d6d75b611676f307346cf28117da71410e6022a72da0f82a8f2c6ca06a2c503c8e6528c6a164c4fb488c5195d6aa3e3819

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25522\selenium\webdriver\remote\isDisplayed.js

Filesize
42KB

MD5
313589fe40cbb546415aec5377da0e7d

SHA1
bc2b6e547b1da94682e379af1ea11579e26de65b

SHA256
c1a04024e5414fca8c1deedb452be77a8b9d13bb3cf67ff4230d5983537a3096

SHA512
bbdfa98ecd07a27f20966b5eb0cdcc0fac6085bebd6868a061563d210262f61d630b823e6eabd3217175b7f01516cda9c162adbfe063130d6510e0a3f4be2f7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25522\ucrtbase.dll

Filesize
987KB

MD5
61eb0ad4c285b60732353a0cb5c9b2ab

SHA1
21a1bea01f6ca7e9828a522c696853706d0a457b

SHA256
10521fe73fe05f2ba95d40757d9f676f2091e2ed578da9d5cdef352f986f3bcd

SHA512
44cd871f48b5193abb3b9664dbea8cdad19e72c47b6967c685cf1cc803bc9abb48a8a93009c972ef4936e7f78e3c92110828790aa0a9d26b80e6a523bbcd830d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25522\unicodedata.pyd

Filesize
1.0MB

MD5
23bba751c8a182262856eeba20db3341

SHA1
0120468629aa035d92ebdf97f9f32a02085fbccf

SHA256
96eafcb208518f6df0674ef6f1a48f4687eb73f785c87b11cb4a52dcf1ce5c66

SHA512
482fdb6f542be27d6bf3b41bc7aa7d7fda3077cd763f32bb25e0c50cf8ae11ebd8173d18cb0a52126b2150fc737109d384971298e8e2cf8a199ad1f1956d9326

Download Submit
memory/868-307-0x00007FFAB6020000-0x00007FFAB6030000-memory.dmp

Filesize
64KB

Download
memory/868-262-0x00007FFAB8190000-0x00007FFAB81A0000-memory.dmp

Filesize
64KB

Download
memory/868-341-0x00007FFAB6020000-0x00007FFAB6030000-memory.dmp

Filesize
64KB

Download
memory/868-263-0x00007FFAB8190000-0x00007FFAB81A0000-memory.dmp

Filesize
64KB

Download
memory/868-257-0x00007FFAB8190000-0x00007FFAB81A0000-memory.dmp

Filesize
64KB

Download
memory/868-256-0x00007FFAB8190000-0x00007FFAB81A0000-memory.dmp

Filesize
64KB

Download
memory/868-252-0x00007FFAB8190000-0x00007FFAB81A0000-memory.dmp

Filesize
64KB

Download
memory/1064-103-0x0000000000690000-0x0000000000691000-memory.dmp

Filesize
4KB

Download
memory/1064-538-0x0000000000690000-0x0000000000691000-memory.dmp

Filesize
4KB

Download
memory/1064-537-0x0000000000400000-0x00000000004F6000-memory.dmp

Filesize
984KB

Download
memory/1064-569-0x0000000000400000-0x00000000004F6000-memory.dmp

Filesize
984KB

Download
memory/1516-0-0x00000000023A0000-0x00000000023A1000-memory.dmp

Filesize
4KB

Download
memory/1516-102-0x0000000000400000-0x00000000004F6000-memory.dmp

Filesize
984KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads