xred | f61460da72d458c5d509ef5d410bc4c2fd9ec68385cf50be3e72adac979733fe

Analysis

max time kernel
143s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
01-02-2025 18:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

iexplore.exe
Size

41.0MB
MD5

e3772f3278710d82185f99ad32da83aa
SHA1

cb639994fb13a6abe0b719f86b6b8e56e18fe44f
SHA256

f61460da72d458c5d509ef5d410bc4c2fd9ec68385cf50be3e72adac979733fe
SHA512

10e087c2e61af27cd0e8d0b49ca6d87c210a2661097b2aa8a5ff15bb2c16fe9bedbbb0f7d1abaa8f43fd812c00dda65e04017f44046c4b9c2bcf4db918eae885
SSDEEP

786432:C4D6+v+Py3QQp2Qp5WmECxFUR2JmyiS+hzrZWa41xs6b64G71DaosUe3b:Cu6+WPyQZQpAmeKarZWa41xFb6V71pby

Score

10^/10

xred backdoor defense_evasion discovery persistence pyinstaller trojan

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Executes dropped EXE 5 IoCs

pid	Process
2884	._cache_iexplore.exe
1776	Synaptics.exe
2700	._cache_Synaptics.exe
832	._cache_iexplore.exe
876	._cache_Synaptics.exe

Loads dropped DLL 64 IoCs

pid	Process
2484	iexplore.exe
2484	iexplore.exe
2484	iexplore.exe
1776	Synaptics.exe
1776	Synaptics.exe
2884	._cache_iexplore.exe
832	._cache_iexplore.exe
832	._cache_iexplore.exe
832	._cache_iexplore.exe
832	._cache_iexplore.exe
832	._cache_iexplore.exe
832	._cache_iexplore.exe
832	._cache_iexplore.exe
832	._cache_iexplore.exe
832	._cache_iexplore.exe
832	._cache_iexplore.exe
832	._cache_iexplore.exe
832	._cache_iexplore.exe
832	._cache_iexplore.exe
832	._cache_iexplore.exe
832	._cache_iexplore.exe
832	._cache_iexplore.exe
832	._cache_iexplore.exe
832	._cache_iexplore.exe
832	._cache_iexplore.exe
832	._cache_iexplore.exe
832	._cache_iexplore.exe
832	._cache_iexplore.exe
832	._cache_iexplore.exe
832	._cache_iexplore.exe
832	._cache_iexplore.exe
2700	._cache_Synaptics.exe
876	._cache_Synaptics.exe
876	._cache_Synaptics.exe
876	._cache_Synaptics.exe
876	._cache_Synaptics.exe
876	._cache_Synaptics.exe
876	._cache_Synaptics.exe
876	._cache_Synaptics.exe
876	._cache_Synaptics.exe
876	._cache_Synaptics.exe
876	._cache_Synaptics.exe
876	._cache_Synaptics.exe
876	._cache_Synaptics.exe
876	._cache_Synaptics.exe
876	._cache_Synaptics.exe
876	._cache_Synaptics.exe
876	._cache_Synaptics.exe
876	._cache_Synaptics.exe
876	._cache_Synaptics.exe
876	._cache_Synaptics.exe
876	._cache_Synaptics.exe
876	._cache_Synaptics.exe
876	._cache_Synaptics.exe
876	._cache_Synaptics.exe
876	._cache_Synaptics.exe
876	._cache_Synaptics.exe
876	._cache_Synaptics.exe
876	._cache_Synaptics.exe
876	._cache_Synaptics.exe
876	._cache_Synaptics.exe
876	._cache_Synaptics.exe
876	._cache_Synaptics.exe
876	._cache_Synaptics.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	iexplore.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	iexplore.exe

Detects Pyinstaller 2 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x00080000000120ff-5.dat	pyinstaller
behavioral1/files/0x00070000000170b5-14.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_iexplore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_iexplore.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3000	EXCEL.EXE

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: 35	832	._cache_iexplore.exe
Token: 35	876	._cache_Synaptics.exe
Token: SeDebugPrivilege	876	._cache_Synaptics.exe
Token: SeDebugPrivilege	832	._cache_iexplore.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3000	EXCEL.EXE

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2484 wrote to memory of 2884	2484	iexplore.exe	30
PID 2484 wrote to memory of 2884	2484	iexplore.exe	30
PID 2484 wrote to memory of 2884	2484	iexplore.exe	30
PID 2484 wrote to memory of 2884	2484	iexplore.exe	30
PID 2484 wrote to memory of 1776	2484	iexplore.exe	32
PID 2484 wrote to memory of 1776	2484	iexplore.exe	32
PID 2484 wrote to memory of 1776	2484	iexplore.exe	32
PID 2484 wrote to memory of 1776	2484	iexplore.exe	32
PID 1776 wrote to memory of 2700	1776	Synaptics.exe	33
PID 1776 wrote to memory of 2700	1776	Synaptics.exe	33
PID 1776 wrote to memory of 2700	1776	Synaptics.exe	33
PID 1776 wrote to memory of 2700	1776	Synaptics.exe	33
PID 2884 wrote to memory of 832	2884	._cache_iexplore.exe	36
PID 2884 wrote to memory of 832	2884	._cache_iexplore.exe	36
PID 2884 wrote to memory of 832	2884	._cache_iexplore.exe	36
PID 2884 wrote to memory of 832	2884	._cache_iexplore.exe	36
PID 2700 wrote to memory of 876	2700	._cache_Synaptics.exe	37
PID 2700 wrote to memory of 876	2700	._cache_Synaptics.exe	37
PID 2700 wrote to memory of 876	2700	._cache_Synaptics.exe	37
PID 2700 wrote to memory of 876	2700	._cache_Synaptics.exe	37

C:\Users\Admin\AppData\Local\Temp\iexplore.exe
"C:\Users\Admin\AppData\Local\Temp\iexplore.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2484
- C:\Users\Admin\AppData\Local\Temp\._cache_iexplore.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_iexplore.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2884
- - C:\Users\Admin\AppData\Local\Temp\._cache_iexplore.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_iexplore.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:832
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1776
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2700
  - - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
      "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:876

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
41.0MB

MD5
e3772f3278710d82185f99ad32da83aa

SHA1
cb639994fb13a6abe0b719f86b6b8e56e18fe44f

SHA256
f61460da72d458c5d509ef5d410bc4c2fd9ec68385cf50be3e72adac979733fe

SHA512
10e087c2e61af27cd0e8d0b49ca6d87c210a2661097b2aa8a5ff15bb2c16fe9bedbbb0f7d1abaa8f43fd812c00dda65e04017f44046c4b9c2bcf4db918eae885

Download Submit
C:\Users\Admin\AppData\Local\Temp\RQxFH527.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28842\_bz2.pyd

Filesize
76KB

MD5
1c52ba084a3723940c0778ab5186893a

SHA1
5150a800f217562490e25dd74d9eead992e10b2d

SHA256
cb008e0a6c65ddb5f20ab96e65285dee874468df203faeafca5e9b4a9f2918dc

SHA512
b397508607a1c7ccef88c6a941398f78ba4f97cf8a32f40764673db34c20eea61364148260d87014348613eb07e959a043b505702437e33927249899bf4522b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28842\api-ms-win-core-file-l1-2-0.dll

Filesize
10KB

MD5
5576fdd1f244be3f29072f3d0ef710e1

SHA1
653a08eee34c6391ce6bc3786875505578058a29

SHA256
26c712d65bd2d3621dbd75ec9cd9c25b5a43035137171c64c101c66f6943daa0

SHA512
d9e08ef90645037fbb06e7e6c98a5d66837de1c1f51381a4ec0473ef2dc3085838d90ed69d9f0902cb2c6e41b603c7061637eb79655c1131d33c2a7c67a2f9c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28842\api-ms-win-core-file-l2-1-0.dll

Filesize
10KB

MD5
718b88fc6f158a62309419cdc7c511ed

SHA1
294701dfa10801bf6bf8e8d6e3ec471ea81255d4

SHA256
8cd67dbc62070c1288e83d5789f41664951fb0c120070ab5334ac7719a5c8ac9

SHA512
8d41158b776fe31f9b2e785c9e1c90f86d69fe85ec777c171fd5063b73faf20a7473cb3ff4afae9666c6e4473210b94a837b847a0d2455fec2516e7ca6304c56

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28842\api-ms-win-core-localization-l1-2-0.dll

Filesize
13KB

MD5
a28c593b3efad3870be8c59957a65ca5

SHA1
fe90b4dff833d2a488e36c02d8cd0da1e9eb4bdd

SHA256
7ff7b17ecc55f978dab562a5bd26826085d9f80131ed415cee7c3b95c95b246a

SHA512
b34230e6ae04335975ee9bb8759767a8e74bbd1e220fa17568d95c755b3f959291a45a45cd27f845d38b940b2062145c21fabadd1985ec92b49e4761942bd90c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28842\api-ms-win-core-processthreads-l1-1-1.dll

Filesize
11KB

MD5
eba234a05bd7fa9650ef9184d67554f2

SHA1
ca1d5a8e1cbbf741baced4040aa4b57131f2737b

SHA256
c51565cc52ea3e372acca10ffad2cd2ae43eaa8bca18742b045c7e99919b775f

SHA512
0f3bb6bbc8d865d2c5261509ee4480953c6d89526ceca67b36eb96d0430f56e9d4b8dbd236588ac150a1219c36e412a3916dbf0719f75e984aa65fbda1821dea

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28842\api-ms-win-core-timezone-l1-1-0.dll

Filesize
10KB

MD5
f605bbc701e9a9ac82d5fe9533d46ebd

SHA1
e3231c03659dcd4edaf1869849e1b5060c8a9481

SHA256
b4d6282b721ec240ccf03c396e0aa589d113e6e5d49942ac7e1d9bedc50561e4

SHA512
c158db8a931fad6261673142cafec366d1c70bd962788dde99b7895b2057b29aa26fc07e2ee7bfc2a8204ea07d1faf03cd313bc4836cdbb642226babd9bf4f2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28842\api-ms-win-crt-conio-l1-1-0.dll

Filesize
11KB

MD5
4be787d220b988d8936584b1c534b9a4

SHA1
e06f728abcb6ee4892d6ce4075a72d6567560c26

SHA256
b0fc7123806fbc54b32584cda425ab8c7553ca6d1fe382c8c137bbdd5872c5f1

SHA512
32204579e3f27b31d5043b08e7d014d00774f4008331b53134012be194eb8c696dfd3690d09b4ec6685c99b6b7801be1ec9dc234fee1088e961022344dfd902c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28842\base_library.zip

Filesize
1000KB

MD5
8386cf8add72bab03573064b6e1d89d2

SHA1
c451d2f3eed6b944543f19c5bd15ae7e8832bbd4

SHA256
2eea4b6202a6a6f61cb4d75c78be5ec2e1052897f54973797885f2c3b24d202c

SHA512
2bb61f7fac7ecc7d5654756ae8286d5fd9e2730e6ac42f3e7516f598e00fd8b9b6d3e77373994bb31d89831278e6833d379f306d52033fa5c48a786ac67da2b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28842\cv2\__init__.py

Filesize
6KB

MD5
eab99b31f1fd18e46e6e081ba3b5c06e

SHA1
9ca76b1097d58ef9c652aebfbeff32bfec17b25b

SHA256
b05b8000c71987cd4df824c1ed134b7fcd34617665e437b1aaec128f93d7f1c3

SHA512
7c4ea4a28f7876249b503155187bd59bcd9cf18a80264c8892e59e9fd7f3d461c91afc4c3c177dba48e1dfdd0feb5705b54b504f7daa886a2a0b72fddd1e80fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28842\python37.dll

Filesize
3.3MB

MD5
465089eaced8159ec533e4a37033e227

SHA1
074596adae6f53f33b8297f02e21f6a6f7ac6ff1

SHA256
2b29ae140cb9f08af872acf9e17f785ef99398ef3367549b55242bc064d6ae40

SHA512
55eca0922074162c22fff2b4f97bd2972540fa893b9b02b7d9bfa26345186dbbdaf1fbc37a9eba6366743d0d42fb5bb88e708877dfd57cb02ca4d3a6953cfb81

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28842\ucrtbase.dll

Filesize
893KB

MD5
a924b24d71829da17e8908e05a5321e4

SHA1
fa5c69798b997c34c87a8b32130f664cdef8c124

SHA256
f32a61d91264aff96efd719915bed80785a8db4c8d881d6da28909b620fe466f

SHA512
9223ec0e6e0f70b92473e897e4fd4635a19e9ca3aff2fe7c5c065764b58e86460442991787525ed53e425ecd36f2881a6df34c35d2a0e21b7ac4bc61bf1cbeab

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_iexplore.exe

Filesize
40.3MB

MD5
c77ffc9c855d5440ac568667f5d90cf6

SHA1
9c463ed23a7afbe230be95b68c32c9f314bfb36f

SHA256
fbffe7319f68181c7a158df7e160c0d6bb6231444048fef70a8b768f0c1f1ddb

SHA512
624fe25a589cee43317d2ef62b8df2bc2d639516a170376377b0ff2219d6d1cd8407dc62540b312905a969adeb34cad96e309f0131ad298da8b39602fb9da708

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI28842\VCRUNTIME140.dll

Filesize
81KB

MD5
aeab74db6bc6c914997f1a8a9ff013ec

SHA1
6b717f23227d158d6aa566498c438b8f305a29b5

SHA256
18ccb2dd8af853f4e6221bb5513e3154ef67ae61cee6ec319a8a97615987dc4b

SHA512
a2832b7720599361e2537f79a2597acb1a2d5633fdfe20a0d1075e9457683fdb1d5676d121c0bf1a825ff99512dcd924254f1151b50aae922acc0cc10f461036

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI28842\_ctypes.pyd

Filesize
102KB

MD5
10861d3fa19d7dc3b41eb6f837340782

SHA1
b258d223b444ab994ec2fec95acaa9f82dc3938c

SHA256
6255bab0b7f3e2209a9c8b89a3e1ec1bbc7a29849a18e70c0cf582a63c90bed1

SHA512
ec83134c9bce9cedeee8ebdb8e382fb7f944a7bc9d3bb47c7e3144ef2ef95114a36ac1cc8c0d52f434ee4c359d938a2d7c035e699c4407df728e200de7da4af9

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI28842\_lzma.pyd

Filesize
143KB

MD5
f91a9f1f2efee2f5dbae42ea5d5d7153

SHA1
2575cc77b51cb080fceed9810a9f4b2903ae1384

SHA256
1f82bb06c79b6b392c92cad87ffa736377fa25cd6d10da8d61441d42c0d0101e

SHA512
df1dfb8c8cee3496a60eeeb6f0d3fe48e1de8af5d04667f9a3124b769e8edd886cc46e6e4d4b277ee5d30f9f70f6f8c755097ddd996573a6817a5bb335de919f

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI28842\api-ms-win-crt-convert-l1-1-0.dll

Filesize
14KB

MD5
c4a790e9b5371d5179bff78b3577edcc

SHA1
60d4c670643ca8e0bb6f482b7133efd3c59037df

SHA256
f3334fd8cde800152651200258dc4719271010677e1a55218c5f24bc6e7c7ff5

SHA512
b32df7ab4f4ab53c2357ef1e872740736f34f74a72a1ab07ba889a77f09ff2f7918c572c8255f70365729a1bd3f0ade23c09b08d4c0a44dc4e45318f4515fed8

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI28842\api-ms-win-crt-environment-l1-1-0.dll

Filesize
11KB

MD5
6f1a2d17995baff500d9a2e2ea4bf493

SHA1
18de93491e362de93f9e61c00f1c94aef2d880c5

SHA256
2ed73364a84581e67b5ce98ee8f69ddc03f49a202a94f367e9855b50eb8ae9a4

SHA512
d56bf9a90f05ba17119886a82218e60b1a2c31dd05396ab4894523658c6299a353aada786b6272ce1fe88886d17ac43f0d71dbef569ddbcc71d1621ff27fe5d7

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI28842\api-ms-win-crt-filesystem-l1-1-0.dll

Filesize
12KB

MD5
34664ea68d4dc7b94015a90869b55604

SHA1
5bd6abb07694159e4bb9b979669bd674747892ea

SHA256
c45fd7fe182b3edd287f5ae36e8e77198885be931607ca207af7dc8489b60bad

SHA512
4ac1b9caa40988e313e6075445906c372e8f0d6fd3e3092d2358e9584bb0f0c51586c8579ea8c4031d314a6d5ece31bfa8f4025225800f33ef9b290edb8d7dc3

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI28842\api-ms-win-crt-heap-l1-1-0.dll

Filesize
11KB

MD5
fd5925326354d9186891eb6da64da666

SHA1
3786f18ffd4b8f2e053f1568529c6b2c4a3d1b69

SHA256
05e695d316b0ab969cc221a99bf6f2581cbe5dadd2b966e811d151dfc9dbaeb4

SHA512
aad816e7c124ab0cbb3d1f5b472ed5e74f568df7b2da14d802d3e25a86fb3bda3c4d1f60ccd89aa07a941d48befabd0506403e4f3a10b770947649c1e234032e

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI28842\api-ms-win-crt-locale-l1-1-0.dll

Filesize
11KB

MD5
9a69eb348d7bc3c58e2e30fb2b8dd62b

SHA1
f18b5d1efed27de795207b413f19cf2643d9cadd

SHA256
70e06ed73bec7ac66c43ebaa03a020a2b976eb480ded429db74d31d47933fe78

SHA512
f3a74a7b311884179cefeeb07551c09385f6f5d76a378a4f5be66d5a155c3a8820e256b5a312f5f9ff24a5d87b7ee65db503c7c721149c50e62263b0fc9adf5e

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI28842\api-ms-win-crt-math-l1-1-0.dll

Filesize
21KB

MD5
5559d8f37665f327c295b4cd1638a3f2

SHA1
36d1a51b7d1741b0c3659be51fcb5d0c997752f1

SHA256
0c257ab2ba4553470b14c159fea39673fd7cfd02cedc2aa1294ab75618e19f7f

SHA512
aad4b0fe7172c1472deefa1dcd10072af73c14c50cb8e0b6e1b189dc9ce3bb043cf8dbb8306045bf36d0f46c9272d87664ed11670ebccdd16528ef2a35d59510

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI28842\api-ms-win-crt-process-l1-1-0.dll

Filesize
11KB

MD5
0691f7dbc96e4f42908e337fc20ffe9f

SHA1
4828f5a36e20e72e7679f0a70061a3c091c4f41f

SHA256
73747a60a92703f2eb0d83826093203357538a72ca321cfadc2e60427a6ed053

SHA512
cb6f40517be63ddca0bdb9649d5da50c11856c53c3200830eb2939e08ace338678455adf346df84ea1f81fd6d0e91e4bfbe58aa5933ce87bc5337442af1bffc3

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI28842\api-ms-win-crt-runtime-l1-1-0.dll

Filesize
15KB

MD5
9eceedbc48924ad17950e0ef64bfc78d

SHA1
8bad15420dceb3e250dc88fe6ec8c5c5fd0953cb

SHA256
9b5dfbb6027d28c1a41cab008148e4a98bcd3d6a6d43269cd08dd8bbc366aa0f

SHA512
f986673bcfd71cbed8ede8e8063d3911d499c9600017781f38ab2014db0e24467b0ebf398400d949219e84c13596248530fb9de297af83f98967f7faee55fcd3

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI28842\api-ms-win-crt-stdio-l1-1-0.dll

Filesize
16KB

MD5
6cc5e2392b5617175da2406b7187c6c8

SHA1
055cd8fd422de7630a256774bd90e70b1346a8a7

SHA256
15d2aac51ef02eb8242e7c121d4f405237da415e4a05f41a16b8e3640dc27298

SHA512
6b99ca77f45063ba4ecdaea214f42e8ee3431ce03e54f5119c284385408f438273ba3c881bb71bcf4059f8ae5ce6f05a1cf36fc84a65d9bfa9ce595a0a0be295

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI28842\api-ms-win-crt-string-l1-1-0.dll

Filesize
16KB

MD5
8db568b36f13feeefd150da0b63adcbe

SHA1
03bb29284802db358609c2cd10398d8a5077e417

SHA256
8597f9f239b350b86350f3cdb326bdca49cb23022703fe049f838998a8a32cd5

SHA512
8d57fa2975e45c2df82634135e57f29579778a118e033f036bb093e654a9a9d6a0b450c45b24d68fac2232d3255dbe9c88368ea8f6d697a86d035417b9ce61e6

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI28842\api-ms-win-crt-time-l1-1-0.dll

Filesize
13KB

MD5
8f5eca7b9be54bede759b2ba2f018bb2

SHA1
f7fb27990f9629332074fe4a3703dd3cdacf78b9

SHA256
9e5d937c72c6d5709b907130cf4c2bd12e3427e44d217a2047d461940c281c1f

SHA512
45de9e9b66303554487016d448c11cc38e6ead5b48b8660cc311c182a7b3cc20a83063eef0f4071ca126341b8083f4a55523445b13e060e5b745527e3b6b44d4

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI28842\python3.dll

Filesize
57KB

MD5
167ebefcf1a2cb0ce7f4118fe826f58b

SHA1
5d532467d78dcc2b63848452c4f600513b4136cf

SHA256
112c98099e5e6156a8844c6c39b2136f3146e1f2221c37b9064ab7af6fdfabb7

SHA512
bcd67bf4f7e5adbd8e06a28fe3f805f79323369fbe3f37d32a513aa0336f6ffd4e1c7d978fa0480742ba1ae5d91ceb2e255e9d7033d00670e738335387f92e22

Download Submit
memory/832-283-0x000000006C900000-0x000000006DFDC000-memory.dmp

Filesize
22.9MB

Download
memory/876-284-0x000000006C900000-0x000000006DFDC000-memory.dmp

Filesize
22.9MB

Download
memory/1776-282-0x0000000000400000-0x0000000002D0C000-memory.dmp

Filesize
41.0MB

Download
memory/1776-285-0x0000000000400000-0x0000000002D0C000-memory.dmp

Filesize
41.0MB

Download
memory/1776-329-0x0000000000400000-0x0000000002D0C000-memory.dmp

Filesize
41.0MB

Download
memory/2484-1-0x0000000002B30000-0x0000000002B31000-memory.dmp

Filesize
4KB

Download
memory/2484-73-0x0000000000010000-0x000000000291C000-memory.dmp

Filesize
41.0MB

Download
memory/2484-0-0x0000000000010000-0x000000000291C000-memory.dmp

Filesize
41.0MB

Download
memory/3000-152-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads