xred | 2133ac409362b4b0c40c025196029ec2424c916f79c6265fcef6e450db8184e9

Analysis

max time kernel
295s
max time network
302s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
10-01-2025 09:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Cracking Tools.rar
Size

106.6MB
MD5

c585ea080095642f32e6a684146cbe86
SHA1

3312d31d90b86fe4a8f9a4c79d50e37811110491
SHA256

2133ac409362b4b0c40c025196029ec2424c916f79c6265fcef6e450db8184e9
SHA512

32b5fd63f1397fa6b6fabd0a3f533f4f3bbb1e77193cfcb6380262fb88b0138e97fc8a3e38f89e882d7013cf958d26bc2e766c28fe1ca9cf3c7db3ca06d1caaa
SSDEEP

3145728:ownRC8LPyiedFSAU34D1fEC9PcF0z3ao5hGYZ:FLyiOFSAU34D17VcGz3aShZ

Score

10^/10

xred backdoor discovery persistence pyinstaller

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	UD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Synaptics.exe

Executes dropped EXE 4 IoCs

pid	Process
3452	UD.exe
2388	._cache_UD.exe
1396	Synaptics.exe
1288	._cache_Synaptics.exe

Loads dropped DLL 16 IoCs

pid	Process
1396	Synaptics.exe
1396	Synaptics.exe
1396	Synaptics.exe
1396	Synaptics.exe
1396	Synaptics.exe
1396	Synaptics.exe
1396	Synaptics.exe
1396	Synaptics.exe
1396	Synaptics.exe
1396	Synaptics.exe
1396	Synaptics.exe
1396	Synaptics.exe
1396	Synaptics.exe
1396	Synaptics.exe
1396	Synaptics.exe
1396	Synaptics.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	UD.exe

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x0007000000024054-2056.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	UD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_UD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Modifies registry class 41 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	._cache_UD.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0	._cache_UD.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\MRUListEx = 00000000ffffffff	._cache_UD.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	._cache_UD.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg	._cache_UD.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	._cache_UD.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	._cache_UD.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0 = 14002e803accbfb42cdb4c42b0297fe99a87c6410000	._cache_UD.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell	._cache_UD.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	._cache_UD.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	._cache_UD.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 00000000ffffffff	._cache_UD.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0 = 66003100000000007d59740e1000435241434b497e3100004e0009000400efbe2d5ae88e2d5ae98e2e0000009d3b020000000a000000000000000000000000000000edde390043007200610063006b0069006e006700200054006f006f006c007300000018000000	._cache_UD.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	._cache_UD.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7	._cache_UD.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	._cache_UD.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	UD.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	._cache_UD.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0	._cache_UD.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\MRUListEx = 00000000ffffffff	._cache_UD.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	._cache_UD.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	._cache_UD.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	._cache_UD.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202020202	._cache_UD.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	._cache_UD.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	._cache_UD.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	._cache_UD.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	._cache_UD.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0 = 48003100000000002d5a008f100055440000360009000400efbe2d5ae88e2d5a008f2e000000e13e020000000700000000000000000000000000000002342a0155004400000012000000	._cache_UD.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0	._cache_UD.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\MRUListEx = ffffffff	._cache_UD.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	._cache_UD.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	._cache_UD.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	._cache_UD.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	._cache_UD.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	._cache_UD.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202020202	._cache_UD.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\NodeSlot = "7"	._cache_UD.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell\SniffedFolderType = "Generic"	._cache_UD.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	._cache_UD.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
5084	EXCEL.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1832	7zFM.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeRestorePrivilege	1832	7zFM.exe
Token: 35	1832	7zFM.exe
Token: SeSecurityPrivilege	1832	7zFM.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
1832	7zFM.exe
1832	7zFM.exe
1832	7zFM.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
2388	._cache_UD.exe
5084	EXCEL.EXE
5084	EXCEL.EXE
5084	EXCEL.EXE
5084	EXCEL.EXE
5084	EXCEL.EXE
5084	EXCEL.EXE
2388	._cache_UD.exe
2388	._cache_UD.exe
5084	EXCEL.EXE
5084	EXCEL.EXE
2388	._cache_UD.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3452 wrote to memory of 2388	3452	UD.exe	107
PID 3452 wrote to memory of 2388	3452	UD.exe	107
PID 3452 wrote to memory of 2388	3452	UD.exe	107
PID 3452 wrote to memory of 1396	3452	UD.exe	108
PID 3452 wrote to memory of 1396	3452	UD.exe	108
PID 3452 wrote to memory of 1396	3452	UD.exe	108
PID 1396 wrote to memory of 1288	1396	Synaptics.exe	109
PID 1396 wrote to memory of 1288	1396	Synaptics.exe	109
PID 1396 wrote to memory of 1288	1396	Synaptics.exe	109

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Cracking Tools.rar"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1832

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3660

C:\Users\Admin\Desktop\Cracking Tools\UD\UD.exe
"C:\Users\Admin\Desktop\Cracking Tools\UD\UD.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3452
- C:\Users\Admin\Desktop\Cracking Tools\UD\._cache_UD.exe
  "C:\Users\Admin\Desktop\Cracking Tools\UD\._cache_UD.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:2388
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1396
- - C:\Users\Admin\Desktop\Cracking Tools\UD\._cache_Synaptics.exe
    "C:\Users\Admin\Desktop\Cracking Tools\UD\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1288

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:5084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\01E85E00

Filesize
23KB

MD5
07f94c4c4307876415279e2c6d4bafc1

SHA1
fa6b2ee5b2ee2b84b5840af8b986433165c1a429

SHA256
c0abc59720317a66c48cac1353279e4cec66ed27dc008052e2f8cfdd9f371b22

SHA512
611743b4df686d9b25450495aa6e14f38232faa97455bdfc82a460dbf931edd56607a19da14c83116754224784553fd6dd3c69927395a0d407b4a71ba4d79cc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7FufnO5J.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zE8274AB18\Cracking Tools\Filegrab\New folder (2)\tWWirfQzHUpgWSeHyp

Filesize
33KB

MD5
1898ceda3247213c084f43637ef163b3

SHA1
d04e5db5b6c848a29732bfd52029001f23c3da75

SHA256
4429f32db1cc70567919d7d47b844a91cf1329a6cd116f582305f3b7b60cd60b

SHA512
84c3ccc657f83725b24a20f83b87577603f580993920cc42d6da58648c6888d950fd19fbb8b404ce51a3eab674066c5cefe275763fbdb32e1ae1ba98097ab377

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zE8274AB18\Cracking Tools\Filegrab\nmew\BrowserMetrics-65ACF2AC-2910.pma

Filesize
4.0MB

MD5
6f64ca90f4dde19acccc01c1a5f75978

SHA1
f7d358f39d48f34000c78b43063678fa9a7128af

SHA256
1da0b24c2b5c335c210ab28521770205a219d9f736ed1f5f76eacccceef6fd2b

SHA512
cc216f54d6e429045a8e5ac977fed9190a59d6503b112d198c3bb1a39d2452e60a266eddd207c26a0cd4d2b93af7fde3fa4ed93623159c44daac8e929f597878

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zE8274AB18\Cracking Tools\Filegrab\nmew\f_00004b

Filesize
1.2MB

MD5
3ad1246ad83b3da15cb79566f692e912

SHA1
731b4fe9a0cad4259de8287bb03055abeb3028f7

SHA256
da3b2870e87608fa40c9cdbe8a340b4e2d36979c5318eb06f33eee7c45de6893

SHA512
a96361db6369c6e0c0f6cbe70e4e11b9fd60d8043eae7d747fec71659b6525f9baa0412a05055a7f9b90f8114ec07a2a43cef128332e5d147643e551b87c1c88

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zE8274AB18\Cracking Tools\Filegrab\nmew\transH07OIXKR.gif

Filesize
43B

MD5
325472601571f31e1bf00674c368d335

SHA1
2daeaa8b5f19f0bc209d976c02bd6acb51b00b0a

SHA256
b1442e85b03bdcaf66dc58c7abb98745dd2687d86350be9a298a1d9382ac849b

SHA512
717ea0ff7f3f624c268eccb244e24ec1305ab21557abb3d6f1a7e183ff68a2d28f13d1d2af926c9ef6d1fb16dd8cbe34cd98cacf79091dddc7874dcee21ecfdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zE8274AB18\Cracking Tools\UD Proccess Hacker\Process Hacker\plugins\DUP.exe

Filesize
2.3MB

MD5
04522c0d75b3a49d1a1f2295d7baa498

SHA1
f04f4908b3c7fa9af0f01177564cbf6070f031e4

SHA256
a956b4c5f7add385e7b68752185746d5ecbe933fde77eae2eb44432685296a06

SHA512
3b0bfe0a9f48f7a8d98c8569119148936b46e3253f549cf5d4565bec792123ae7de85be925de8501a9e3b3840c1bce4f198e9a0d38209ed57a32192c9f68f7b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zE8274AB18\Cracking Tools\UD\x64\Reverse x64.ini

Filesize
47KB

MD5
97f48bb67a20a16f0a06788c5cd0c7cd

SHA1
a68643027106314c5f6a5492e60755693af3f257

SHA256
6a091ad252b3b946a12e1f8eb55648a8c019b40ada187b85fd589f4f1ae1bafc

SHA512
47d7d795d09977adf04d9bb5b2806c647925747fde3dc2f6e5a4d644936e094003bb10ee3b8f30e9b0acf96b5b203c90956d8b0069dbcb00bac6ab71763c8aec

Download Submit
C:\Users\Admin\Desktop\Cracking Tools\Filegrab\FileGrab.exe

Filesize
802KB

MD5
f4d902e70524666a52182720fe208ab1

SHA1
33774655d0fc10bccd652e95b18fb428dcd80a38

SHA256
6eb643eb56e8fbff11276d23354b6b473bc252464d3ef7b98ec8cbbd57792f8e

SHA512
5bf37506097654f384f12f2d90fc9888f0bb5eaa548033a616ed16cbc90fd7a6483aa1b74f7423925e11f7f826e42d5373ac1c88ab7b049e63e23288ac656d65

Download Submit
C:\Users\Admin\Desktop\Cracking Tools\HxD.exe

Filesize
6.6MB

MD5
14fca45f383b3de689d38f45c283f71f

SHA1
5cb16e51c3bb3c63613ffd6d77505db7c5aa4ed6

SHA256
9d460040a454deeb3fe69300fe6b9017350e1efcb1f52f7f14a4702d96cb45ca

SHA512
0014192bd5f0eb8b2cd80042937ccc0228ff19123b10ee938e3b72a080e3f8d3d215f62b68810d4e06b5fad8322d0327dcd17d0a29fd0db570c0cd7da825634c

Download Submit
C:\Users\Admin\Desktop\Cracking Tools\UD\._cache_Synaptics.ini

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\Desktop\Cracking Tools\UD\._cache_UD.exe

Filesize
157KB

MD5
31502fc36fffb750d7bcc60646f772b9

SHA1
b65dad8556dce1f1454d1e0b3a45a79d7865282f

SHA256
61c8c9313fc94b64aac1d2fc2cdc6abb9a30d02f021bb84e8833ee8b7c27b180

SHA512
be9e17e5677540f444868ebb802b27f07173b1c0c904d7a831d61a47ba2c0e3ca4fe6af8a471e462f704532221f9c5934025e40e96e09d5e310fbfb59b5ab49b

Download Submit
C:\Users\Admin\Desktop\Cracking Tools\UD\UD.exe

Filesize
911KB

MD5
9b8a85412b584aaf306fedbd5535a448

SHA1
b73bf826823c05cc541dae55b0120251a270445a

SHA256
9a9275528a074d22b28becbb3f3bb3dd4f011dfe91aa4d5d44cf53d40e9c5951

SHA512
f13bd18aa7b5818cdc627dabc75f287e13470bebf119276f8b02fc2f8064174a764bcb2a97454d735afee84b79b6c9fbfd31bd8acaf78803e0e3e26207eeb020

Download Submit
C:\Users\Admin\Desktop\Cracking Tools\UD\x32\UD 32.exe

Filesize
811KB

MD5
4b6f55c500e4b6b570f1f4e07f47ce8e

SHA1
429f6ed94f3bbbd6a503eea8cc3ce03e4589db78

SHA256
e16b0144a06a5273124da42568407bb42c26a22dead666aea53b70f529b0bedd

SHA512
01fb987bbd39b45066387a0fd71084f2e3464bb8374e84c3b15936f99ea4274dbf4fd1bcc5cd64535f3cbbb50c1858462f9eede98bf82dc6518dc5d1b95c0cb8

Download Submit
C:\Users\Admin\Desktop\Cracking Tools\UD\x32\loaddll.exe

Filesize
830KB

MD5
dff05ad84ad8f58cb33ee5fe6da105f7

SHA1
4bb3f77fc8ea8139099f0bf9d25692d5e06c5978

SHA256
f37ef219df619386ec20e1bff2c4d99e0f78f63a40c69cf302f3219fd966d36f

SHA512
a3d09341d87868444b048c359d569c47d5f88bb2cabc113156c3d105c734b7b01c9c6b825c52ac1f26717ec2ed07f2c0ece7c82343ba8cca9794abb7b6ee329e

Download Submit
C:\Users\Admin\Desktop\Cracking Tools\UD\x64\loaddll.exe

Filesize
88KB

MD5
7f1b49379c8a8ecec559911340d94465

SHA1
3bb7f136bdef6904f185422f73629ec760d955df

SHA256
63d0732dcb7b6babd53de59cec01cbba6da148a610dea65d3e758b6fced138b3

SHA512
a49846250ddc752bd164eff73459b72d6566c72105492d20d11fe3ab9549601424a2013cd4d8acda8adf3addd5ffa8d97e0382a4477b074be3595a4d79d8d581

Download Submit
C:\Users\Admin\Desktop\Cracking Tools\UD\x64\wompwomp.exe

Filesize
59KB

MD5
11c2355ae66099dcf09baa4ab5ea6586

SHA1
bdd160dd3b5a241563cff7b4285e7f902442e58e

SHA256
55f61e00db69e9a866ddbdd7d5fd8dc3c52799d0db790481e04e3426468091de

SHA512
23242677b674810945a070d3ff851570ffba09ec753a842888d3aaba9a253c2699861f66a4bcdec478ac6295e84b78025a101f3ed78d5dc6eb6abca82f792754

Download Submit
C:\Users\Admin\Desktop\Cracking Tools\Unlicense\unlicense.exe

Filesize
47.2MB

MD5
69e2318d24da523c4d6623385a81f201

SHA1
62f8fbf59fabad8052dc215fc6f7527d7fd4e33f

SHA256
33c27d4deaaf54f832849d71ce65ce568eb2ca2bb1f24c21f9cf9f0dde7af955

SHA512
ccdad88cef3469e87d6952779f76b326246dc6e00b22028667924e44fcfa1a19140d73e591014a05e6148169622ea0f7b19c695e096acf44348daa774ce47632

Download Submit
C:\Users\Admin\Desktop\Cracking Tools\die\die.exe

Filesize
11.5MB

MD5
962f6f5f863d09ed484d9d50ca71feda

SHA1
57587d009f67f3987d1e7fda6a0115e579cb79f6

SHA256
5b45b70dcd897e9b89a28bcbbbda50fa777e539b59fa95bc3e8dc48afb520931

SHA512
7304f64be9fb26a60b53c34d04da4c19752b01315a5426f37025fd64712278d4496daa8f6daa84665d2c2ca9d07be85e05b48e4545304e1ea4cd6e1abed15527

Download Submit
memory/1396-2146-0x0000000000400000-0x00000000004EA000-memory.dmp

Filesize
936KB

Download
memory/1396-2136-0x0000000000400000-0x00000000004EA000-memory.dmp

Filesize
936KB

Download
memory/1396-2117-0x0000000000400000-0x00000000004EA000-memory.dmp

Filesize
936KB

Download
memory/1396-2113-0x0000000000400000-0x00000000004EA000-memory.dmp

Filesize
936KB

Download
memory/3452-1969-0x0000000000400000-0x00000000004EA000-memory.dmp

Filesize
936KB

Download
memory/3452-1838-0x00000000006C0000-0x00000000006C1000-memory.dmp

Filesize
4KB

Download
memory/5084-2064-0x00007FF9E2050000-0x00007FF9E2060000-memory.dmp

Filesize
64KB

Download
memory/5084-2066-0x00007FF9DFFC0000-0x00007FF9DFFD0000-memory.dmp

Filesize
64KB

Download
memory/5084-2063-0x00007FF9E2050000-0x00007FF9E2060000-memory.dmp

Filesize
64KB

Download
memory/5084-2062-0x00007FF9E2050000-0x00007FF9E2060000-memory.dmp

Filesize
64KB

Download
memory/5084-2060-0x00007FF9E2050000-0x00007FF9E2060000-memory.dmp

Filesize
64KB

Download
memory/5084-2065-0x00007FF9DFFC0000-0x00007FF9DFFD0000-memory.dmp

Filesize
64KB

Download
memory/5084-2061-0x00007FF9E2050000-0x00007FF9E2060000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads