xred | 5de180ff35a8a0835dc704f4b8551fb1bb196837358c2020f84849c4f517fad8

Analysis

max time kernel
148s
max time network
151s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
07-12-2024 22:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Discord Account Generator v2/RDXService/Jint.exe
Size

959KB
MD5

68a9f00a8e353b412f6f874c319aa5f1
SHA1

53a0e6f2ee1405c98871c5f5eb1fd2bf4b8d8d7d
SHA256

4de87cf5d3b6e29a4f5a870d2f267eb9628ca158ef9504508dec6e06503406cd
SHA512

f00123c27153f0bb540237f80e3526d0d36d7cf873d061a4db3d68de6b10827d6dec5fe2aca43d30365416f6caa7537686ca8c9a78de18aad333d90e188a357b
SSDEEP

12288:3MSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9CltSGCFuJ9lTDd6S7sQoh:3nsJ39LyjbJkQFMhmC+6GD9mtSa7s1h

Score

10^/10

xred backdoor discovery persistence

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Executes dropped EXE 4 IoCs

pid	Process
2368	._cache_Jint.exe
2348	Synaptics.exe
2844	Runtime Broker.exe
1732	._cache_Synaptics.exe

Loads dropped DLL 64 IoCs

pid	Process
2408	Jint.exe
2408	Jint.exe
2408	Jint.exe
2368	._cache_Jint.exe
2368	._cache_Jint.exe
2348	Synaptics.exe
2348	Synaptics.exe
2324	AlphaFS.lib
2324	AlphaFS.lib
2324	AlphaFS.lib
2324	AlphaFS.lib
2324	AlphaFS.lib
2324	AlphaFS.lib
2324	AlphaFS.lib
2324	AlphaFS.lib
2324	AlphaFS.lib
2324	AlphaFS.lib
2324	AlphaFS.lib
2324	AlphaFS.lib
2324	AlphaFS.lib
2324	AlphaFS.lib
2324	AlphaFS.lib
2324	AlphaFS.lib
2324	AlphaFS.lib
2324	AlphaFS.lib
2324	AlphaFS.lib
2324	AlphaFS.lib
2324	AlphaFS.lib
2324	AlphaFS.lib
2324	AlphaFS.lib
2488	AlphaFS.lib
2488	AlphaFS.lib
2324	AlphaFS.lib
2488	AlphaFS.lib
2324	AlphaFS.lib
2488	AlphaFS.lib
2324	AlphaFS.lib
2488	AlphaFS.lib
2324	AlphaFS.lib
2488	AlphaFS.lib
2488	AlphaFS.lib
2488	AlphaFS.lib
2488	AlphaFS.lib
2488	AlphaFS.lib
2488	AlphaFS.lib
2488	AlphaFS.lib
2488	AlphaFS.lib
2488	AlphaFS.lib
2488	AlphaFS.lib
2488	AlphaFS.lib
2488	AlphaFS.lib
2488	AlphaFS.lib
2324	AlphaFS.lib
2488	AlphaFS.lib
2488	AlphaFS.lib
2324	AlphaFS.lib
2324	AlphaFS.lib
2324	AlphaFS.lib
2488	AlphaFS.lib
2488	AlphaFS.lib
2488	AlphaFS.lib
2324	AlphaFS.lib
2488	AlphaFS.lib
2488	AlphaFS.lib

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	Jint.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jint.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Jint.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Runtime Broker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
2844	Runtime Broker.exe
2584	EXCEL.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 35	2324	AlphaFS.lib
Token: 35	2488	AlphaFS.lib

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2584	EXCEL.EXE

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 2408 wrote to memory of 2368	2408	Jint.exe	30
PID 2408 wrote to memory of 2368	2408	Jint.exe	30
PID 2408 wrote to memory of 2368	2408	Jint.exe	30
PID 2408 wrote to memory of 2368	2408	Jint.exe	30
PID 2408 wrote to memory of 2348	2408	Jint.exe	32
PID 2408 wrote to memory of 2348	2408	Jint.exe	32
PID 2408 wrote to memory of 2348	2408	Jint.exe	32
PID 2408 wrote to memory of 2348	2408	Jint.exe	32
PID 2368 wrote to memory of 2844	2368	._cache_Jint.exe	33
PID 2368 wrote to memory of 2844	2368	._cache_Jint.exe	33
PID 2368 wrote to memory of 2844	2368	._cache_Jint.exe	33
PID 2368 wrote to memory of 2844	2368	._cache_Jint.exe	33
PID 2368 wrote to memory of 2744	2368	._cache_Jint.exe	34
PID 2368 wrote to memory of 2744	2368	._cache_Jint.exe	34
PID 2368 wrote to memory of 2744	2368	._cache_Jint.exe	34
PID 2368 wrote to memory of 2744	2368	._cache_Jint.exe	34
PID 2348 wrote to memory of 1732	2348	Synaptics.exe	35
PID 2348 wrote to memory of 1732	2348	Synaptics.exe	35
PID 2348 wrote to memory of 1732	2348	Synaptics.exe	35
PID 2348 wrote to memory of 1732	2348	Synaptics.exe	35
PID 1732 wrote to memory of 1640	1732	._cache_Synaptics.exe	37
PID 1732 wrote to memory of 1640	1732	._cache_Synaptics.exe	37
PID 1732 wrote to memory of 1640	1732	._cache_Synaptics.exe	37
PID 1732 wrote to memory of 1640	1732	._cache_Synaptics.exe	37
PID 2744 wrote to memory of 2324	2744	AlphaFS.lib	38
PID 2744 wrote to memory of 2324	2744	AlphaFS.lib	38
PID 2744 wrote to memory of 2324	2744	AlphaFS.lib	38
PID 1640 wrote to memory of 2488	1640	AlphaFS.lib	40
PID 1640 wrote to memory of 2488	1640	AlphaFS.lib	40
PID 1640 wrote to memory of 2488	1640	AlphaFS.lib	40
PID 2324 wrote to memory of 2556	2324	AlphaFS.lib	41
PID 2324 wrote to memory of 2556	2324	AlphaFS.lib	41
PID 2324 wrote to memory of 2556	2324	AlphaFS.lib	41
PID 2488 wrote to memory of 2188	2488	AlphaFS.lib	42
PID 2488 wrote to memory of 2188	2488	AlphaFS.lib	42
PID 2488 wrote to memory of 2188	2488	AlphaFS.lib	42
PID 2324 wrote to memory of 2448	2324	AlphaFS.lib	43
PID 2324 wrote to memory of 2448	2324	AlphaFS.lib	43
PID 2324 wrote to memory of 2448	2324	AlphaFS.lib	43
PID 2488 wrote to memory of 2076	2488	AlphaFS.lib	44
PID 2488 wrote to memory of 2076	2488	AlphaFS.lib	44
PID 2488 wrote to memory of 2076	2488	AlphaFS.lib	44

C:\Users\Admin\AppData\Local\Temp\Discord Account Generator v2\RDXService\Jint.exe
"C:\Users\Admin\AppData\Local\Temp\Discord Account Generator v2\RDXService\Jint.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2408
- C:\Users\Admin\AppData\Local\Temp\Discord Account Generator v2\RDXService\._cache_Jint.exe
  "C:\Users\Admin\AppData\Local\Temp\Discord Account Generator v2\RDXService\._cache_Jint.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2368
- - C:\ProgramData\Windows Portable Clipboard\Runtime Broker.exe
    "C:\\ProgramData\\Windows Portable Clipboard\\Runtime Broker.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: AddClipboardFormatListener
    PID:2844
- - C:\Users\Admin\AppData\Local\Temp\Discord Account Generator v2\RDXService\AlphaFS.lib
    "AlphaFS.lib"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2744
  - - C:\Users\Admin\AppData\Local\Temp\Discord Account Generator v2\RDXService\AlphaFS.lib
      "AlphaFS.lib"
      4⤵
      Loads dropped DLL
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2324
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cls
        5⤵
        
        PID:2556
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c title Discord Generator ^| coded by Nightfall#2512
        5⤵
        
        PID:2448
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2348
- - C:\Users\Admin\AppData\Local\Temp\Discord Account Generator v2\RDXService\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\Discord Account Generator v2\RDXService\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1732
  - - C:\Users\Admin\AppData\Local\Temp\Discord Account Generator v2\RDXService\AlphaFS.lib
      "AlphaFS.lib"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1640
    - - C:\Users\Admin\AppData\Local\Temp\Discord Account Generator v2\RDXService\AlphaFS.lib
        
        "AlphaFS.lib"
        5⤵
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2488
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cls
        6⤵
        
        PID:2188
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c title Discord Generator ^| coded by Nightfall#2512
        6⤵
        
        PID:2076

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
959KB

MD5
68a9f00a8e353b412f6f874c319aa5f1

SHA1
53a0e6f2ee1405c98871c5f5eb1fd2bf4b8d8d7d

SHA256
4de87cf5d3b6e29a4f5a870d2f267eb9628ca158ef9504508dec6e06503406cd

SHA512
f00123c27153f0bb540237f80e3526d0d36d7cf873d061a4db3d68de6b10827d6dec5fe2aca43d30365416f6caa7537686ca8c9a78de18aad333d90e188a357b

Download Submit
C:\Users\Admin\AppData\Local\Temp\F7AEzZVr.xlsm

Filesize
24KB

MD5
3a2c29bdbf47a7038670f1d46baa444f

SHA1
f12bfa3c6c75999228126c26ffdf75158f8eb5c4

SHA256
9d12598eb50d8c2ce90a567ebcc19617eba19e7dfb2608b9c66e4e895d05c089

SHA512
8d059870817ab1d7d7067d8a54d41802a55158ca0b81ce404f9d52b5d9206c287b54c633a72d48c43eb7a0ea5126ca4104ffec4f1d4f18536e6aba39458bd5fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\F7AEzZVr.xlsm

Filesize
31KB

MD5
185596d9bb4749d70d2e2a6b04c2c0da

SHA1
3cd75a294b7542e10ece3db67146e4504bdad8b5

SHA256
0a1682b0880856aa194cc8504ff9c32d6fdfaa22cdef869d26bb692bd4d9ea58

SHA512
2d93dae324d7ce3aca6f3351e7a7fb1837d407694e971944b2898b4a307d22b1cb765d98ecc7ffb0619fa4e67ea651ce17f0bcd90fae0bb306555bdcb9d8a72c

Download Submit
C:\Users\Admin\AppData\Local\Temp\F7AEzZVr.xlsm

Filesize
26KB

MD5
5a37ab121ce7fa6fb1dc3a6a44819573

SHA1
996c192e89a3a68bef42f20db2d15a52026dbf2d

SHA256
c065ba5edcd34bff82856a1a893cf25617c1263f71e1748088353aef0dfc18a2

SHA512
b299149370272bc8a046749facf7144fd01c84ae8e7507a247d2b47cf7140652ffcf2d89d2377a72b9a4084f9386b870807741e28cb675633720527635314c4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\F7AEzZVr.xlsm

Filesize
26KB

MD5
e82c0e8a891c6f0e25d0c3325a51ce44

SHA1
0024391ee75c96ec6135098e93567c19c1b41ef4

SHA256
526cea8576aa126a0adfedd411f62e91b42751d39c023c42f9d694951864e7fc

SHA512
9f925751bc0d38c63806d0bd646b8f23adda4a2c57967a9a23dc2904f6dd9954569e9c6bb03a81f8f5e43bdf3368283490e0c2d2e60041f5a6277f728db5c28a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27442\VCRUNTIME140.dll

Filesize
87KB

MD5
0e675d4a7a5b7ccd69013386793f68eb

SHA1
6e5821ddd8fea6681bda4448816f39984a33596b

SHA256
bf5ff4603557c9959acec995653d052d9054ad4826df967974efd2f377c723d1

SHA512
cae69a90f92936febde67dacd6ce77647cb3b3ed82bb66463cd9047e90723f633aa2fc365489de09fecdc510be15808c183b12e6236b0893af19633f6a670e66

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27442\_ssl.pyd

Filesize
121KB

MD5
0e970f3353e65094165edcdfcaf1c299

SHA1
e86d2c4723ae09890f69ab1a6f4a1a935dc0a0e7

SHA256
4fed9f05da139d66e0582b47c20ee91c91be44d379c225f89b22462bedc989d3

SHA512
4621d1add268f9aadf0119055d6cce23739eec969ab031fc0a510c40cf4cce60230a89735fd85c38f28c22ed9dc829ff294ef48590fc56191464e1fec1fa4595

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27442\api-ms-win-crt-environment-l1-1-0.dll

Filesize
11KB

MD5
5cce7a5ed4c2ebaf9243b324f6618c0e

SHA1
fdb5954ee91583a5a4cbb0054fb8b3bf6235eed3

SHA256
aa3e3e99964d7f9b89f288dbe30ff18cbc960ee5add533ec1b8326fe63787aa3

SHA512
fc85a3be23621145b8dc067290bd66416b6b1566001a799975bf99f0f526935e41a2c8861625e7cfb8539ca0621ed9f46343c04b6c41db812f58412be9c8a0de

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27442\api-ms-win-crt-filesystem-l1-1-0.dll

Filesize
13KB

MD5
41fbbb054af69f0141e8fc7480d7f122

SHA1
3613a572b462845d6478a92a94769885da0843af

SHA256
974af1f1a38c02869073b4e7ec4b2a47a6ce8339fa62c549da6b20668de6798c

SHA512
97fb0a19227887d55905c2d622fbf5451921567f145be7855f72909eb3027f48a57d8c4d76e98305121b1b0cc1f5f2667ef6109c59a83ea1b3e266934b2eb33c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27442\api-ms-win-crt-locale-l1-1-0.dll

Filesize
11KB

MD5
242829c7be4190564becee51c7a43a7e

SHA1
663154c1437acf66480518068fbc756f5cabb72f

SHA256
edc1699e9995f98826df06d2c45beb9e02aa7817bae3e61373096ae7f6fa06e0

SHA512
3529fde428affc3663c5c69baee60367a083841b49583080f0c4c7e72eaa63cabbf8b9da8ccfc473b3c552a0453405a4a68fcd7888d143529d53e5eec9a91a34

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27442\api-ms-win-crt-stdio-l1-1-0.dll

Filesize
17KB

MD5
29680d7b1105171116a137450c8bb452

SHA1
492bb8c231aae9d5f5af565abb208a706fb2b130

SHA256
6f6f6e857b347f70ecc669b4df73c32e42199b834fe009641d7b41a0b1c210af

SHA512
87dcf131e21041b06ed84c3a510fe360048de46f1975155b4b12e4bbf120f2dd0cb74ccd2e8691a39eee0da7f82ad39bc65c81f530fc0572a726f0a6661524f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27442\base_library.zip

Filesize
768KB

MD5
eb723b4c1b48d3e8969ff3f4d897b79e

SHA1
a03479e7a916d0ee5e3647322307aceb0b1c30b9

SHA256
ed6356556e3a86b92f9995bce5b1c3182d5df8976a2ca2e400ebf4eaed592ef5

SHA512
4c9902b5698e4e3d8837d594e337a6696ce03d9f6d0d3fc7f5f144c53c2fb7494ac10d303ea597c25c159076f74a7b7c59eb2d29db068878ab6f4bbb510fd13f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27442\libcrypto-1_1.dll

Filesize
3.2MB

MD5
bf83f8ad60cb9db462ce62c73208a30d

SHA1
f1bc7dbc1e5b00426a51878719196d78981674c4

SHA256
012866b68f458ec204b9bce067af8f4a488860774e7e17973c49e583b52b828d

SHA512
ae1bdda1c174ddf4205ab19a25737fe523dca6a9a339030cd8a95674c243d0011121067c007be56def4eaeffc40cbdadfdcbd1e61df3404d6a3921d196dcd81e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27442\python37.dll

Filesize
3.6MB

MD5
86af9b888a72bdceb8fd8ed54975edd5

SHA1
c9d67c9243f818c0a8cc279267cca44d9995f0cf

SHA256
e11aa3893597d7c408349ebb11f47a24e388fd702c4d38b5d6f363f7ad6e8e5f

SHA512
5d8fd9040f466e23af7f17772e3769ad83c5f55f8c70dcc3cfb1f827e105f0f4e6133f0e183fabc67dd44799495c47f931bf92546342b30b9c4a5c2b4aeee7c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27442\ucrtbase.dll

Filesize
987KB

MD5
61eb0ad4c285b60732353a0cb5c9b2ab

SHA1
21a1bea01f6ca7e9828a522c696853706d0a457b

SHA256
10521fe73fe05f2ba95d40757d9f676f2091e2ed578da9d5cdef352f986f3bcd

SHA512
44cd871f48b5193abb3b9664dbea8cdad19e72c47b6967c685cf1cc803bc9abb48a8a93009c972ef4936e7f78e3c92110828790aa0a9d26b80e6a523bbcd830d

Download Submit
C:\Users\Admin\AppData\Local\Temp\~$F7AEzZVr.xlsm

Filesize
165B

MD5
ff09371174f7c701e75f357a187c06e8

SHA1
57f9a638fd652922d7eb23236c80055a91724503

SHA256
e4ba04959837c27019a2349015543802439e152ddc4baf4e8c7b9d2b483362a8

SHA512
e4d01e5908e9f80b7732473ec6807bb7faa5425e3154d5642350f44d7220af3cffd277e0b67bcf03f1433ac26a26edb3ddd3707715b61d054b979fbb4b453882

Download Submit
\ProgramData\Windows Portable Clipboard\Runtime Broker.exe

Filesize
255KB

MD5
8629c65903ca26e7ffada84c69ae0972

SHA1
015673ba0498ae35bd4da1c3ba45bab5fbfa18ce

SHA256
adc6887d772f9f47ab67406cc9ea7dd0177b94d84f98124fc712b9e66208dd0d

SHA512
6a3b8717daeaed8dde18cedcb1c6fc31932f01234a63b80f37c6960f7212255cd32d1c3135d84da773e7b94ad1f326cc965463b9fc68f35b8b5449ff70d79af7

Download Submit
\Users\Admin\AppData\Local\Temp\Discord Account Generator v2\RDXService\._cache_Jint.exe

Filesize
206KB

MD5
01954f322fc670b93d59b9bdf710d3f5

SHA1
7c9e9af5da35de32c41d9a883c61d6a773905059

SHA256
43a1c5f3292787add7507c3aa57179682b69dc499965039c1179560bd2b567fd

SHA512
c160714b91ee7f86edb3462d7b88b8121ef369aa24499708e2e05c41cf31f4677d4e8da56b0b495cc60eae98768b7110722790f316da88eb51c3a9100f7baa05

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI27442\_ctypes.pyd

Filesize
131KB

MD5
9a69561e94859bc3411c6499bc46c4bd

SHA1
3fa5bc2d4ffc23c4c383252c51098d6211949b99

SHA256
6bbde732c5bcb89455f43f370a444bb6bca321825de56f9a1f2e947b0a006f1c

SHA512
31d9e3844f1b8e72ec80acd1e224a94d11039c130e69c498a668e07e0d8bba8d1ed1ebe0b7a16376ca597d0e2b74a0d5e3bf53d1cbadf5bf099d3bf78db659a4

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI27442\api-ms-win-core-file-l1-2-0.dll

Filesize
11KB

MD5
35bc1f1c6fbccec7eb8819178ef67664

SHA1
bbcad0148ff008e984a75937aaddf1ef6fda5e0c

SHA256
7a3c5167731238cf262f749aa46ab3bfb2ae1b22191b76e28e1d7499d28c24b7

SHA512
9ab9b5b12215e57af5b3c588ed5003d978071dc591ed18c78c4563381a132edb7b2c508a8b75b4f1ed8823118d23c88eda453cd4b42b9020463416f8f6832a3d

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI27442\api-ms-win-core-file-l2-1-0.dll

Filesize
11KB

MD5
3bf4406de02aa148f460e5d709f4f67d

SHA1
89b28107c39bb216da00507ffd8adb7838d883f6

SHA256
349a79fa1572e3538dfbb942610d8c47d03e8a41b98897bc02ec7e897d05237e

SHA512
5ff6e8ad602d9e31ac88e06a6fbb54303c57d011c388f46d957aee8cd3b7d7cced8b6bfa821ff347ade62f7359acb1fba9ee181527f349c03d295bdb74efbace

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI27442\api-ms-win-core-localization-l1-2-0.dll

Filesize
13KB

MD5
8acb83d102dabd9a5017a94239a2b0c6

SHA1
9b43a40a7b498e02f96107e1524fe2f4112d36ae

SHA256
059cb23fdcf4d80b92e3da29e9ef4c322edf6fba9a1837978fd983e9bdfc7413

SHA512
b7ecf60e20098ea509b76b1cc308a954a6ede8d836bf709790ce7d4bd1b85b84cf5f3aedf55af225d2d21fbd3065d01aa201dae6c131b8e1e3aa80ed6fc910a4

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI27442\api-ms-win-core-processthreads-l1-1-1.dll

Filesize
11KB

MD5
9c9b50b204fcb84265810ef1f3c5d70a

SHA1
0913ab720bd692abcdb18a2609df6a7f85d96db3

SHA256
25a99bdf8bf4d16077dc30dd9ffef7bb5a2ceaf9afcee7cf52ad408355239d40

SHA512
ea2d22234e587ad9fa255d9f57907cc14327ead917fdede8b0a38516e7c7a08c4172349c8a7479ec55d1976a37e520628006f5c362f6a3ec76ec87978c4469cd

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI27442\api-ms-win-core-timezone-l1-1-0.dll

Filesize
11KB

MD5
43e1ae2e432eb99aa4427bb68f8826bb

SHA1
eee1747b3ade5a9b985467512215caf7e0d4cb9b

SHA256
3d798b9c345a507e142e8dacd7fb6c17528cc1453abfef2ffa9710d2fa9e032c

SHA512
40ec0482f668bde71aeb4520a0709d3e84f093062bfbd05285e2cc09b19b7492cb96cdd6056281c213ab0560f87bd485ee4d2aeefa0b285d2d005634c1f3af0b

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI27442\api-ms-win-crt-conio-l1-1-0.dll

Filesize
12KB

MD5
031dc390780ac08f498e82a5604ef1eb

SHA1
cf23d59674286d3dc7a3b10cd8689490f583f15f

SHA256
b119adad588ebca7f9c88628010d47d68bf6e7dc6050b7e4b787559f131f5ede

SHA512
1468ad9e313e184b5c88ffd79a17c7d458d5603722620b500dba06e5b831037cd1dd198c8ce2721c3260ab376582f5791958763910e77aa718449b6622d023c7

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI27442\api-ms-win-crt-convert-l1-1-0.dll

Filesize
15KB

MD5
285dcd72d73559678cfd3ed39f81ddad

SHA1
df22928e43ea6a9a41c1b2b5bfcab5ba58d2a83a

SHA256
6c008be766c44bf968c9e91cddc5b472110beffee3106a99532e68c605c78d44

SHA512
84ef0a843798fd6bd6246e1d40924be42550d3ef239dab6db4d423b142fa8f691c6f0603687901f1c52898554bf4f48d18d3aebd47de935560cde4906798c39a

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI27442\api-ms-win-crt-heap-l1-1-0.dll

Filesize
12KB

MD5
212d58cefb2347bd694b214a27828c83

SHA1
f0e98e2d594054e8a836bd9c6f68c3fe5048f870

SHA256
8166321f14d5804ce76f172f290a6f39ce81373257887d9897a6cf3925d47989

SHA512
637c215ed3e781f824ae93a0e04a7b6c0a6b1694d489e9058203630dcfc0b8152f2eb452177ea9fd2872a8a1f29c539f85a2f2824cf50b1d7496fa3febe27dfe

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI27442\api-ms-win-crt-math-l1-1-0.dll

Filesize
20KB

MD5
fb79420ec05aa715fe76d9b89111f3e2

SHA1
15c6d65837c9979af7ec143e034923884c3b0dbd

SHA256
f6a93fe6b57a54aac46229f2ed14a0a979bf60416adb2b2cfc672386ccb2b42e

SHA512
c40884c80f7921addced37b1bf282bb5cb47608e53d4f4127ef1c6ce7e6bb9a4adc7401389bc8504bf24751c402342693b11cef8d06862677a63159a04da544e

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI27442\api-ms-win-crt-process-l1-1-0.dll

Filesize
12KB

MD5
dd899c6ffecce1dca3e1c3b9ba2c8da2

SHA1
2914b84226f5996161eb3646e62973b1e6c9e596

SHA256
191f53988c7f02dd888c4fbf7c1d3351570f3b641146fae6d60acdae544771ae

SHA512
2db47faa025c797d8b9b82de4254ee80e499203de8c6738bd17ddf6a77149020857f95d0b145128681a3084b95c7d14eb678c0a607c58b76137403c80fe8f856

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI27442\api-ms-win-crt-runtime-l1-1-0.dll

Filesize
15KB

MD5
883120f9c25633b6c688577d024efd12

SHA1
e4fa6254623a2b4cdea61712cdfa9c91aa905f18

SHA256
4390c389bbbf9ec7215d12d22723efd77beb4cd83311c75ffe215725ecfd55dc

SHA512
f17d3b667cc8002f4b6e6b96b630913fa1cb4083d855db5b7269518f6ff6eebf835544fa3b737f4fc0eb46ccb368778c4ae8b11ebcf9274ce1e5a0ba331a0e2f

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI27442\api-ms-win-crt-string-l1-1-0.dll

Filesize
17KB

MD5
f816666e3fc087cd24828943cb15f260

SHA1
eae814c9c41e3d333f43890ed7dafa3575e4c50e

SHA256
45e0835b1d3b446fe2c347bd87922c53cfb6dd826499e19a1d977bf4c11b0e4a

SHA512
6860abe8ab5220efb88f68b80e6c6e95fe35b4029f46b59bc467e3850fe671bda1c7c1c7b035b287bdfed5daeac879ee481d35330b153ea7ef2532970f62c581

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI27442\api-ms-win-crt-time-l1-1-0.dll

Filesize
13KB

MD5
143a735134cd8c889ec7d7b85298705b

SHA1
906ac1f3a933dd57798ae826bbefa3096c20d424

SHA256
b48310b0837027f756d62c37ea91af988baa403cbcbd01cb26b6fdae21ea96a2

SHA512
c9abe209508afae2d1776391f73b658c9a25628876724344023e0fc8a790ecb7dbce75fddae267158d08a8237f83336b1d2bd5b5ce0a8eed7dd41cbe0c031d48

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI27442\pywintypes37.dll

Filesize
136KB

MD5
77b6875977e77c4619bbb471d5eaf790

SHA1
f08c3bc5e918c0a197fbfd1b15e7c0491bd5fade

SHA256
780a72ba3215ff413d5a9e98861d8bb87c15c43a75bb81dc985034ae7dcf5ef6

SHA512
783939fc97b2445dfe7e21eb6b71711aba6d85e275e489eddcc4f20c2ed018678d8d14c9e1856f66e3876f318312d69c22cee77f9105a72e56a1be4f3e8a7c2e

Download Submit
memory/2348-301-0x0000000000400000-0x00000000004F6000-memory.dmp

Filesize
984KB

Download
memory/2348-374-0x0000000000400000-0x00000000004F6000-memory.dmp

Filesize
984KB

Download
memory/2348-375-0x0000000000400000-0x00000000004F6000-memory.dmp

Filesize
984KB

Download
memory/2348-407-0x0000000000400000-0x00000000004F6000-memory.dmp

Filesize
984KB

Download
memory/2408-0-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2408-26-0x0000000000400000-0x00000000004F6000-memory.dmp

Filesize
984KB

Download
memory/2584-302-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2584-373-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads