xred | 8a10fffbd68d759b73ccacaa2f2ef25f37b380ef4e5d3ec7d4d7fe9b1384a387

General

Target

8a10fffbd68d759b73ccacaa2f2ef25f37b380ef4e5d3ec7d4d7fe9b1384a387N.exe
Size

7.2MB
MD5

ba953b5381694ed49ebe449ce9bed3f0
SHA1

0269af2a058fe1286ad0847e5a7de7bdb08f597f
SHA256

8a10fffbd68d759b73ccacaa2f2ef25f37b380ef4e5d3ec7d4d7fe9b1384a387
SHA512

27ee40ce2516422193bf5302a43820b9fa812ed0f87663f3ebdf2e52f05facdca1ef4677e5bd1db69ee8e33c3dc154c9161109f45cc6a392f37d9bda8c7e9041
SSDEEP

196608:qLJ1103T3hrxZULtIta6oOcScwWhBNDWD:qV03FrrU5Ita6oOc7NCD

Score

10^/10

xred backdoor discovery persistence

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Executes dropped EXE 5 IoCs

Processes:

._cache_8a10fffbd68d759b73ccacaa2f2ef25f37b380ef4e5d3ec7d4d7fe9b1384a387N.exe._cache_8a10fffbd68d759b73ccacaa2f2ef25f37b380ef4e5d3ec7d4d7fe9b1384a387N.exeSynaptics.exe._cache_Synaptics.exe._cache_Synaptics.exe

pid	process
2264	._cache_8a10fffbd68d759b73ccacaa2f2ef25f37b380ef4e5d3ec7d4d7fe9b1384a387N.exe
2772	._cache_8a10fffbd68d759b73ccacaa2f2ef25f37b380ef4e5d3ec7d4d7fe9b1384a387N.exe
2928	Synaptics.exe
2192	._cache_Synaptics.exe
2516	._cache_Synaptics.exe

Loads dropped DLL 19 IoCs

Processes:

8a10fffbd68d759b73ccacaa2f2ef25f37b380ef4e5d3ec7d4d7fe9b1384a387N.exe._cache_8a10fffbd68d759b73ccacaa2f2ef25f37b380ef4e5d3ec7d4d7fe9b1384a387N.exe._cache_8a10fffbd68d759b73ccacaa2f2ef25f37b380ef4e5d3ec7d4d7fe9b1384a387N.exeSynaptics.exe._cache_Synaptics.exe._cache_Synaptics.exe

pid	process
2112	8a10fffbd68d759b73ccacaa2f2ef25f37b380ef4e5d3ec7d4d7fe9b1384a387N.exe
2112	8a10fffbd68d759b73ccacaa2f2ef25f37b380ef4e5d3ec7d4d7fe9b1384a387N.exe
2264	._cache_8a10fffbd68d759b73ccacaa2f2ef25f37b380ef4e5d3ec7d4d7fe9b1384a387N.exe
2112	8a10fffbd68d759b73ccacaa2f2ef25f37b380ef4e5d3ec7d4d7fe9b1384a387N.exe
2112	8a10fffbd68d759b73ccacaa2f2ef25f37b380ef4e5d3ec7d4d7fe9b1384a387N.exe
2772	._cache_8a10fffbd68d759b73ccacaa2f2ef25f37b380ef4e5d3ec7d4d7fe9b1384a387N.exe
2772	._cache_8a10fffbd68d759b73ccacaa2f2ef25f37b380ef4e5d3ec7d4d7fe9b1384a387N.exe
2772	._cache_8a10fffbd68d759b73ccacaa2f2ef25f37b380ef4e5d3ec7d4d7fe9b1384a387N.exe
2772	._cache_8a10fffbd68d759b73ccacaa2f2ef25f37b380ef4e5d3ec7d4d7fe9b1384a387N.exe
2772	._cache_8a10fffbd68d759b73ccacaa2f2ef25f37b380ef4e5d3ec7d4d7fe9b1384a387N.exe
2928	Synaptics.exe
2928	Synaptics.exe
2928	Synaptics.exe
2192	._cache_Synaptics.exe
2516	._cache_Synaptics.exe
2516	._cache_Synaptics.exe
2516	._cache_Synaptics.exe
2516	._cache_Synaptics.exe
2516	._cache_Synaptics.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

8a10fffbd68d759b73ccacaa2f2ef25f37b380ef4e5d3ec7d4d7fe9b1384a387N.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	8a10fffbd68d759b73ccacaa2f2ef25f37b380ef4e5d3ec7d4d7fe9b1384a387N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

8a10fffbd68d759b73ccacaa2f2ef25f37b380ef4e5d3ec7d4d7fe9b1384a387N.exe._cache_8a10fffbd68d759b73ccacaa2f2ef25f37b380ef4e5d3ec7d4d7fe9b1384a387N.execmd.exeEXCEL.EXEcmd.exe._cache_8a10fffbd68d759b73ccacaa2f2ef25f37b380ef4e5d3ec7d4d7fe9b1384a387N.exeSynaptics.exe._cache_Synaptics.exe._cache_Synaptics.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8a10fffbd68d759b73ccacaa2f2ef25f37b380ef4e5d3ec7d4d7fe9b1384a387N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_8a10fffbd68d759b73ccacaa2f2ef25f37b380ef4e5d3ec7d4d7fe9b1384a387N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_8a10fffbd68d759b73ccacaa2f2ef25f37b380ef4e5d3ec7d4d7fe9b1384a387N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

1340 EXCEL.EXE
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

EXCEL.EXE

pid process

1340 EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

pid	process
1340	EXCEL.EXE

pid	process
1340	EXCEL.EXE

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

8a10fffbd68d759b73ccacaa2f2ef25f37b380ef4e5d3ec7d4d7fe9b1384a387N.exe._cache_8a10fffbd68d759b73ccacaa2f2ef25f37b380ef4e5d3ec7d4d7fe9b1384a387N.exe._cache_8a10fffbd68d759b73ccacaa2f2ef25f37b380ef4e5d3ec7d4d7fe9b1384a387N.exeSynaptics.exe._cache_Synaptics.exe._cache_Synaptics.exe

description	pid	process	target process
PID 2112 wrote to memory of 2264	2112	8a10fffbd68d759b73ccacaa2f2ef25f37b380ef4e5d3ec7d4d7fe9b1384a387N.exe	._cache_8a10fffbd68d759b73ccacaa2f2ef25f37b380ef4e5d3ec7d4d7fe9b1384a387N.exe
PID 2112 wrote to memory of 2264	2112	8a10fffbd68d759b73ccacaa2f2ef25f37b380ef4e5d3ec7d4d7fe9b1384a387N.exe	._cache_8a10fffbd68d759b73ccacaa2f2ef25f37b380ef4e5d3ec7d4d7fe9b1384a387N.exe
PID 2112 wrote to memory of 2264	2112	8a10fffbd68d759b73ccacaa2f2ef25f37b380ef4e5d3ec7d4d7fe9b1384a387N.exe	._cache_8a10fffbd68d759b73ccacaa2f2ef25f37b380ef4e5d3ec7d4d7fe9b1384a387N.exe
PID 2112 wrote to memory of 2264	2112	8a10fffbd68d759b73ccacaa2f2ef25f37b380ef4e5d3ec7d4d7fe9b1384a387N.exe	._cache_8a10fffbd68d759b73ccacaa2f2ef25f37b380ef4e5d3ec7d4d7fe9b1384a387N.exe
PID 2264 wrote to memory of 2772	2264	._cache_8a10fffbd68d759b73ccacaa2f2ef25f37b380ef4e5d3ec7d4d7fe9b1384a387N.exe	._cache_8a10fffbd68d759b73ccacaa2f2ef25f37b380ef4e5d3ec7d4d7fe9b1384a387N.exe
PID 2264 wrote to memory of 2772	2264	._cache_8a10fffbd68d759b73ccacaa2f2ef25f37b380ef4e5d3ec7d4d7fe9b1384a387N.exe	._cache_8a10fffbd68d759b73ccacaa2f2ef25f37b380ef4e5d3ec7d4d7fe9b1384a387N.exe
PID 2264 wrote to memory of 2772	2264	._cache_8a10fffbd68d759b73ccacaa2f2ef25f37b380ef4e5d3ec7d4d7fe9b1384a387N.exe	._cache_8a10fffbd68d759b73ccacaa2f2ef25f37b380ef4e5d3ec7d4d7fe9b1384a387N.exe
PID 2264 wrote to memory of 2772	2264	._cache_8a10fffbd68d759b73ccacaa2f2ef25f37b380ef4e5d3ec7d4d7fe9b1384a387N.exe	._cache_8a10fffbd68d759b73ccacaa2f2ef25f37b380ef4e5d3ec7d4d7fe9b1384a387N.exe
PID 2112 wrote to memory of 2928	2112	8a10fffbd68d759b73ccacaa2f2ef25f37b380ef4e5d3ec7d4d7fe9b1384a387N.exe	Synaptics.exe
PID 2112 wrote to memory of 2928	2112	8a10fffbd68d759b73ccacaa2f2ef25f37b380ef4e5d3ec7d4d7fe9b1384a387N.exe	Synaptics.exe
PID 2112 wrote to memory of 2928	2112	8a10fffbd68d759b73ccacaa2f2ef25f37b380ef4e5d3ec7d4d7fe9b1384a387N.exe	Synaptics.exe
PID 2112 wrote to memory of 2928	2112	8a10fffbd68d759b73ccacaa2f2ef25f37b380ef4e5d3ec7d4d7fe9b1384a387N.exe	Synaptics.exe
PID 2772 wrote to memory of 2676	2772	._cache_8a10fffbd68d759b73ccacaa2f2ef25f37b380ef4e5d3ec7d4d7fe9b1384a387N.exe	cmd.exe
PID 2772 wrote to memory of 2676	2772	._cache_8a10fffbd68d759b73ccacaa2f2ef25f37b380ef4e5d3ec7d4d7fe9b1384a387N.exe	cmd.exe
PID 2772 wrote to memory of 2676	2772	._cache_8a10fffbd68d759b73ccacaa2f2ef25f37b380ef4e5d3ec7d4d7fe9b1384a387N.exe	cmd.exe
PID 2772 wrote to memory of 2676	2772	._cache_8a10fffbd68d759b73ccacaa2f2ef25f37b380ef4e5d3ec7d4d7fe9b1384a387N.exe	cmd.exe
PID 2928 wrote to memory of 2192	2928	Synaptics.exe	._cache_Synaptics.exe
PID 2928 wrote to memory of 2192	2928	Synaptics.exe	._cache_Synaptics.exe
PID 2928 wrote to memory of 2192	2928	Synaptics.exe	._cache_Synaptics.exe
PID 2928 wrote to memory of 2192	2928	Synaptics.exe	._cache_Synaptics.exe
PID 2192 wrote to memory of 2516	2192	._cache_Synaptics.exe	._cache_Synaptics.exe
PID 2192 wrote to memory of 2516	2192	._cache_Synaptics.exe	._cache_Synaptics.exe
PID 2192 wrote to memory of 2516	2192	._cache_Synaptics.exe	._cache_Synaptics.exe
PID 2192 wrote to memory of 2516	2192	._cache_Synaptics.exe	._cache_Synaptics.exe
PID 2516 wrote to memory of 1752	2516	._cache_Synaptics.exe	cmd.exe
PID 2516 wrote to memory of 1752	2516	._cache_Synaptics.exe	cmd.exe
PID 2516 wrote to memory of 1752	2516	._cache_Synaptics.exe	cmd.exe
PID 2516 wrote to memory of 1752	2516	._cache_Synaptics.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\8a10fffbd68d759b73ccacaa2f2ef25f37b380ef4e5d3ec7d4d7fe9b1384a387N.exe
"C:\Users\Admin\AppData\Local\Temp\8a10fffbd68d759b73ccacaa2f2ef25f37b380ef4e5d3ec7d4d7fe9b1384a387N.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2112
- C:\Users\Admin\AppData\Local\Temp\._cache_8a10fffbd68d759b73ccacaa2f2ef25f37b380ef4e5d3ec7d4d7fe9b1384a387N.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_8a10fffbd68d759b73ccacaa2f2ef25f37b380ef4e5d3ec7d4d7fe9b1384a387N.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2264
- - C:\Users\Admin\AppData\Local\Temp\._cache_8a10fffbd68d759b73ccacaa2f2ef25f37b380ef4e5d3ec7d4d7fe9b1384a387N.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_8a10fffbd68d759b73ccacaa2f2ef25f37b380ef4e5d3ec7d4d7fe9b1384a387N.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2772
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      System Location Discovery: System Language Discovery
      PID:2676
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2928
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2192
  - - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
      "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2516
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cls
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1752

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1340

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
7.2MB

MD5
ba953b5381694ed49ebe449ce9bed3f0

SHA1
0269af2a058fe1286ad0847e5a7de7bdb08f597f

SHA256
8a10fffbd68d759b73ccacaa2f2ef25f37b380ef4e5d3ec7d4d7fe9b1384a387

SHA512
27ee40ce2516422193bf5302a43820b9fa812ed0f87663f3ebdf2e52f05facdca1ef4677e5bd1db69ee8e33c3dc154c9161109f45cc6a392f37d9bda8c7e9041

Download Submit
C:\Users\Admin\AppData\Local\Temp\4mSnB9c9.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22642\_hashlib.pyd

Filesize
278KB

MD5
cf239a4ea58056f6b32e2928f64738c4

SHA1
a4d2bdf399c2cc56ed1c11e3a48c7bdbcad721e8

SHA256
052fee1823ad2986f7e4bab33f2fba136dcf87ec3d6acca37af72525aa1a6821

SHA512
2c23652ba5e397bedc88eb1a13d4c2dce06ed5c5857d790a5205ab31f9bc5506da5e55e1f139924dad9f446cdf5ea0eae5b2eacc733e6fbdb9eec2e113581adc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22642\_ssl.pyd

Filesize
705KB

MD5
e98a9104ee53322918e22b4d5900f695

SHA1
37565ff8a2ac41f97d3eea6db0b51f1d8b59c38a

SHA256
e1f095371953942643b1d4d199b7b090529afeb20ab1bc26c90454716ea96ab2

SHA512
5612dd1388a68e96bd30493d6ceaaecd32df4ceb7db64ae704aba52d041e1f49ad95f94bcab615c76430e250c81a68fee8bc937a43bb80ddc5493c87a7ebdaec

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22642\lxml.etree.pyd

Filesize
2.8MB

MD5
490a41d1696f913cce54a3492f9230cc

SHA1
1783db8852345aee155c62080bdd0c44788bf45c

SHA256
baf2f7c11a41c9a5ee6437174fdaf1753f9a1d592d0f79fc8e5d09ccac164032

SHA512
df14b6eb474965ea6941315250a6cb9d22420d41123640e6d29b1a4563482db2ff89e83a47ac7c777ec85e953093b9c3ed82820770ae7a0466124e169a886252

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_8a10fffbd68d759b73ccacaa2f2ef25f37b380ef4e5d3ec7d4d7fe9b1384a387N.exe

Filesize
6.4MB

MD5
08f9dfe54351fbe840a1064057534b3c

SHA1
778243c235a8cd0184c1d96f9066e332d26e4096

SHA256
18eac1745817cc2f0fad48e37799596980321b11e16429d642d5089b59948f7d

SHA512
aeb4ff6eb9601d7d7451710b3657608283048062fdaa6e9d4dbbc05324efb799a325a0ab9db9b07d461856faf10c36e5e5935f115a6eb5e5e76bc7eec655be0d

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI22642\_socket.pyd

Filesize
40KB

MD5
e7e577c117bb5aa1011f841d1a10a218

SHA1
16558097bef92fcb61def76248823fe2d49f83c4

SHA256
74ac52c9497d696c8d8eaa120899752c964573ee90e6b04dc3e6ba72ae06e0a0

SHA512
82dc4594c4c6ad2cff76c54cc2caeb6751068c91f23b61deca6a1f9dba640acc4f0556df70d3812b8592c247c3259a74f5f1abd2b81fd0dfec2f194df62e1a34

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI22642\python27.dll

Filesize
2.2MB

MD5
c5a254155bd7a9548a7b81ae37b46ee4

SHA1
594a143cbdba14743b6d2a702ab0543fe28eba29

SHA256
d46fa7be982ae654c92d5799ddfcbf91d071529f87258646a98a637fe6b650e0

SHA512
b2aa525a7c88df2514e5c542ae04bd05c951ec0142580f57b2819cefb49be7d5e70b708ccf8e154e6be3541811dd7af781a72bfd47611b9a3e87e62c13d0985f

Download Submit
memory/1340-115-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2112-0-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2112-50-0x0000000000400000-0x0000000000B2D000-memory.dmp

Filesize
7.2MB

Download
memory/2516-113-0x0000000000680000-0x0000000000736000-memory.dmp

Filesize
728KB

Download
memory/2516-106-0x0000000000270000-0x00000000002B9000-memory.dmp

Filesize
292KB

Download
memory/2772-63-0x00000000002C0000-0x00000000002CC000-memory.dmp

Filesize
48KB

Download
memory/2772-66-0x0000000000460000-0x0000000000516000-memory.dmp

Filesize
728KB

Download
memory/2772-59-0x0000000000350000-0x0000000000399000-memory.dmp

Filesize
292KB

Download
memory/2928-135-0x0000000000400000-0x0000000000B2D000-memory.dmp

Filesize
7.2MB

Download
memory/2928-136-0x0000000000400000-0x0000000000B2D000-memory.dmp

Filesize
7.2MB

Download
memory/2928-168-0x0000000000400000-0x0000000000B2D000-memory.dmp

Filesize
7.2MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads