xred | ff7d92aafde3ad32b05ded333782660acfc2e6fa53f4269965cdc58c8e936c76

Analysis

max time kernel
111s
max time network
119s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
03-12-2024 17:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ff7d92aafde3ad32b05ded333782660acfc2e6fa53f4269965cdc58c8e936c76.exe
Size

898KB
MD5

0b2b2940a699e2562878ca7a8ad04d06
SHA1

1fae35e478f84c92261e9e041c19cae2074b17eb
SHA256

ff7d92aafde3ad32b05ded333782660acfc2e6fa53f4269965cdc58c8e936c76
SHA512

b371f871b69781c072f1c2d6d5eef1da8a93084663e01baa36dfb78e790d1dd2efa709bf9e51f60f9a7a47095e56dd309982865459430d165edb8714bd05e560
SSDEEP

12288:AMSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9IKnPdjDupjIa61UD:AnsJ39LyjbJkQFMhmC+6GD9PPdjCj44

Score

10^/10

xred backdoor discovery macro persistence

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Suspicious Office macro 2 IoCs

Office document equipped with macros.

macro

resource
behavioral1/files/0x000500000001a46f-92.dat
behavioral1/files/0x000500000001a48d-105.dat

Executes dropped EXE 5 IoCs

pid	Process
2244	._cache_ff7d92aafde3ad32b05ded333782660acfc2e6fa53f4269965cdc58c8e936c76.exe
2848	Un.exe
2728	Synaptics.exe
1616	._cache_Synaptics.exe
2676	Un.exe

Loads dropped DLL 9 IoCs

pid	Process
2548	ff7d92aafde3ad32b05ded333782660acfc2e6fa53f4269965cdc58c8e936c76.exe
2244	._cache_ff7d92aafde3ad32b05ded333782660acfc2e6fa53f4269965cdc58c8e936c76.exe
2548	ff7d92aafde3ad32b05ded333782660acfc2e6fa53f4269965cdc58c8e936c76.exe
2548	ff7d92aafde3ad32b05ded333782660acfc2e6fa53f4269965cdc58c8e936c76.exe
2728	Synaptics.exe
2728	Synaptics.exe
1616	._cache_Synaptics.exe
2676	Un.exe
2848	Un.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	ff7d92aafde3ad32b05ded333782660acfc2e6fa53f4269965cdc58c8e936c76.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_ff7d92aafde3ad32b05ded333782660acfc2e6fa53f4269965cdc58c8e936c76.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Un.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ff7d92aafde3ad32b05ded333782660acfc2e6fa53f4269965cdc58c8e936c76.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Un.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2616	EXCEL.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2616	EXCEL.EXE

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 2548 wrote to memory of 2244	2548	ff7d92aafde3ad32b05ded333782660acfc2e6fa53f4269965cdc58c8e936c76.exe	29
PID 2548 wrote to memory of 2244	2548	ff7d92aafde3ad32b05ded333782660acfc2e6fa53f4269965cdc58c8e936c76.exe	29
PID 2548 wrote to memory of 2244	2548	ff7d92aafde3ad32b05ded333782660acfc2e6fa53f4269965cdc58c8e936c76.exe	29
PID 2548 wrote to memory of 2244	2548	ff7d92aafde3ad32b05ded333782660acfc2e6fa53f4269965cdc58c8e936c76.exe	29
PID 2548 wrote to memory of 2244	2548	ff7d92aafde3ad32b05ded333782660acfc2e6fa53f4269965cdc58c8e936c76.exe	29
PID 2548 wrote to memory of 2244	2548	ff7d92aafde3ad32b05ded333782660acfc2e6fa53f4269965cdc58c8e936c76.exe	29
PID 2548 wrote to memory of 2244	2548	ff7d92aafde3ad32b05ded333782660acfc2e6fa53f4269965cdc58c8e936c76.exe	29
PID 2244 wrote to memory of 2848	2244	._cache_ff7d92aafde3ad32b05ded333782660acfc2e6fa53f4269965cdc58c8e936c76.exe	30
PID 2244 wrote to memory of 2848	2244	._cache_ff7d92aafde3ad32b05ded333782660acfc2e6fa53f4269965cdc58c8e936c76.exe	30
PID 2244 wrote to memory of 2848	2244	._cache_ff7d92aafde3ad32b05ded333782660acfc2e6fa53f4269965cdc58c8e936c76.exe	30
PID 2244 wrote to memory of 2848	2244	._cache_ff7d92aafde3ad32b05ded333782660acfc2e6fa53f4269965cdc58c8e936c76.exe	30
PID 2244 wrote to memory of 2848	2244	._cache_ff7d92aafde3ad32b05ded333782660acfc2e6fa53f4269965cdc58c8e936c76.exe	30
PID 2244 wrote to memory of 2848	2244	._cache_ff7d92aafde3ad32b05ded333782660acfc2e6fa53f4269965cdc58c8e936c76.exe	30
PID 2244 wrote to memory of 2848	2244	._cache_ff7d92aafde3ad32b05ded333782660acfc2e6fa53f4269965cdc58c8e936c76.exe	30
PID 2548 wrote to memory of 2728	2548	ff7d92aafde3ad32b05ded333782660acfc2e6fa53f4269965cdc58c8e936c76.exe	31
PID 2548 wrote to memory of 2728	2548	ff7d92aafde3ad32b05ded333782660acfc2e6fa53f4269965cdc58c8e936c76.exe	31
PID 2548 wrote to memory of 2728	2548	ff7d92aafde3ad32b05ded333782660acfc2e6fa53f4269965cdc58c8e936c76.exe	31
PID 2548 wrote to memory of 2728	2548	ff7d92aafde3ad32b05ded333782660acfc2e6fa53f4269965cdc58c8e936c76.exe	31
PID 2728 wrote to memory of 1616	2728	Synaptics.exe	32
PID 2728 wrote to memory of 1616	2728	Synaptics.exe	32
PID 2728 wrote to memory of 1616	2728	Synaptics.exe	32
PID 2728 wrote to memory of 1616	2728	Synaptics.exe	32
PID 2728 wrote to memory of 1616	2728	Synaptics.exe	32
PID 2728 wrote to memory of 1616	2728	Synaptics.exe	32
PID 2728 wrote to memory of 1616	2728	Synaptics.exe	32
PID 1616 wrote to memory of 2676	1616	._cache_Synaptics.exe	34
PID 1616 wrote to memory of 2676	1616	._cache_Synaptics.exe	34
PID 1616 wrote to memory of 2676	1616	._cache_Synaptics.exe	34
PID 1616 wrote to memory of 2676	1616	._cache_Synaptics.exe	34
PID 1616 wrote to memory of 2676	1616	._cache_Synaptics.exe	34
PID 1616 wrote to memory of 2676	1616	._cache_Synaptics.exe	34
PID 1616 wrote to memory of 2676	1616	._cache_Synaptics.exe	34
PID 2676 wrote to memory of 2276	2676	Un.exe	37
PID 2676 wrote to memory of 2276	2676	Un.exe	37
PID 2676 wrote to memory of 2276	2676	Un.exe	37
PID 2676 wrote to memory of 2276	2676	Un.exe	37
PID 2676 wrote to memory of 2276	2676	Un.exe	37
PID 2676 wrote to memory of 2276	2676	Un.exe	37
PID 2676 wrote to memory of 2276	2676	Un.exe	37
PID 2848 wrote to memory of 2504	2848	Un.exe	36
PID 2848 wrote to memory of 2504	2848	Un.exe	36
PID 2848 wrote to memory of 2504	2848	Un.exe	36
PID 2848 wrote to memory of 2504	2848	Un.exe	36
PID 2848 wrote to memory of 2504	2848	Un.exe	36
PID 2848 wrote to memory of 2504	2848	Un.exe	36
PID 2848 wrote to memory of 2504	2848	Un.exe	36
PID 2676 wrote to memory of 1980	2676	Un.exe	38
PID 2676 wrote to memory of 1980	2676	Un.exe	38
PID 2676 wrote to memory of 1980	2676	Un.exe	38
PID 2676 wrote to memory of 1980	2676	Un.exe	38
PID 2676 wrote to memory of 1980	2676	Un.exe	38
PID 2676 wrote to memory of 1980	2676	Un.exe	38
PID 2676 wrote to memory of 1980	2676	Un.exe	38
PID 2848 wrote to memory of 1200	2848	Un.exe	39
PID 2848 wrote to memory of 1200	2848	Un.exe	39
PID 2848 wrote to memory of 1200	2848	Un.exe	39
PID 2848 wrote to memory of 1200	2848	Un.exe	39
PID 2848 wrote to memory of 1200	2848	Un.exe	39
PID 2848 wrote to memory of 1200	2848	Un.exe	39
PID 2848 wrote to memory of 1200	2848	Un.exe	39

C:\Users\Admin\AppData\Local\Temp\ff7d92aafde3ad32b05ded333782660acfc2e6fa53f4269965cdc58c8e936c76.exe
"C:\Users\Admin\AppData\Local\Temp\ff7d92aafde3ad32b05ded333782660acfc2e6fa53f4269965cdc58c8e936c76.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2548
- C:\Users\Admin\AppData\Local\Temp\._cache_ff7d92aafde3ad32b05ded333782660acfc2e6fa53f4269965cdc58c8e936c76.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_ff7d92aafde3ad32b05ded333782660acfc2e6fa53f4269965cdc58c8e936c76.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2244
- - C:\Users\Admin\AppData\Local\Temp\~nsu1.tmp\Un.exe
    "C:\Users\Admin\AppData\Local\Temp\~nsu1.tmp\Un.exe" _?=C:\Users\Admin\AppData\Local\Temp\
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2848
  - - C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\system32\regsvr32.exe" /u /s "C:\Users\Admin\AppData\Local\Temp\data\obs-plugins\win-dshow\obs-virtualcam-module32.dll"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2504
  - - C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\system32\regsvr32.exe" /u /s "C:\Users\Admin\AppData\Local\Temp\data\obs-plugins\win-dshow\obs-virtualcam-module64.dll"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1200
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2728
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1616
  - - C:\Users\Admin\AppData\Local\Temp\~nsu2.tmp\Un.exe
      "C:\Users\Admin\AppData\Local\Temp\~nsu2.tmp\Un.exe" InjUpdate _?=C:\Users\Admin\AppData\Local\Temp\
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2676
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        "C:\Windows\system32\regsvr32.exe" /u /s "C:\Users\Admin\AppData\Local\Temp\data\obs-plugins\win-dshow\obs-virtualcam-module32.dll"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2276
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        "C:\Windows\system32\regsvr32.exe" /u /s "C:\Users\Admin\AppData\Local\Temp\data\obs-plugins\win-dshow\obs-virtualcam-module64.dll"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1980

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
898KB

MD5
0b2b2940a699e2562878ca7a8ad04d06

SHA1
1fae35e478f84c92261e9e041c19cae2074b17eb

SHA256
ff7d92aafde3ad32b05ded333782660acfc2e6fa53f4269965cdc58c8e936c76

SHA512
b371f871b69781c072f1c2d6d5eef1da8a93084663e01baa36dfb78e790d1dd2efa709bf9e51f60f9a7a47095e56dd309982865459430d165edb8714bd05e560

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseE3CC.tmp\modern-header.bmp

Filesize
33KB

MD5
f007ed32620609ef99928c078564b2a0

SHA1
324371a33b4e1aa557ab1b863fae6b9d623d3bed

SHA256
9c7a53caac4a9ce099278ad1b2364296a3170d893bfb21dda35eb1ffc5b30fce

SHA512
88e62c77391776429eba180281a2b9df7430ac8873578a3cf9e7ebbf708d50997282eeefc2fd0f7016a9837d03a677b38534bc695958f12ac214a5736bb11272

Download Submit
C:\Users\Admin\AppData\Local\Temp\xY2sPXr3.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\xY2sPXr3.xlsm

Filesize
22KB

MD5
b99998386b7c95952d644989c0bb2f97

SHA1
9d417437779d6b86a024db7b759849beab04796e

SHA256
a11c8d0c3b9c7676c774cea49494db0c8774c7b53379904f56fed517973d021f

SHA512
0c6c8c9629586327fe82eb17b614e29ea42a6883173bc594e4e8876fa09cd2c7ef8ce92b3add47c61e4500a173b05f1f993ace82c8a45832f37d1aee19e8a0c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\xY2sPXr3.xlsm

Filesize
31KB

MD5
27767af995edefd639c410ac3df22350

SHA1
990f2307752a5c6c4e7436f591d8c8147bb8f4a0

SHA256
bbf2bdd695364320ae38b982cdfd30d5df02082b8522f66b179a58a13d5b71ad

SHA512
b589ac1a48d3abbbba668fffe1383c25c51ec8acc4a441a108c156ff0c435fddd0f2c143fc43a0739153cb824780dffc61d1b9a97f338107383e4156223a36f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\xY2sPXr3.xlsm

Filesize
23KB

MD5
6934b9f4396710ac7194b38cb5ea1014

SHA1
f5223f4b02434a496e192e86ae6d4648985c03b0

SHA256
50fff023d6fad1f862d8da4836b87d4ec20721ac1bd3cf3851a37476a83055a4

SHA512
eb77a1328dbc1c3574a5ff7d84d88539ec5ab56c86b70d5c6b7ad3a6230c4b4ea8f0f1892afa68e4db66e2bb6d5846aeb90f1e80dac0d97ff166f5f00df11c89

Download Submit
C:\Users\Admin\AppData\Local\Temp\xY2sPXr3.xlsm

Filesize
28KB

MD5
66294b36df269e6ff557e8df8df22faf

SHA1
a1084c775d43981f05bbbb12803099c91d585274

SHA256
231ca459e3b68472e692928ffac1af1d66e7fa02521711dc48d05539f9dca0a6

SHA512
569abb89fa7ec5d5e37aa61bd6224491556689582047af810eb9c992aad72e4b9650ddd2918b3f73be07675b9f2c688f6c310c36898f0a9fd5ffbee3a08d4153

Download Submit
C:\Users\Admin\AppData\Local\Temp\~$xY2sPXr3.xlsm

Filesize
165B

MD5
ff09371174f7c701e75f357a187c06e8

SHA1
57f9a638fd652922d7eb23236c80055a91724503

SHA256
e4ba04959837c27019a2349015543802439e152ddc4baf4e8c7b9d2b483362a8

SHA512
e4d01e5908e9f80b7732473ec6807bb7faa5425e3154d5642350f44d7220af3cffd277e0b67bcf03f1433ac26a26edb3ddd3707715b61d054b979fbb4b453882

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_ff7d92aafde3ad32b05ded333782660acfc2e6fa53f4269965cdc58c8e936c76.exe

Filesize
144KB

MD5
4ccbe25e360023421c703a858f4a377c

SHA1
ec3e91ed7ced0dc9319d7a59e25ad7384f336842

SHA256
8a5d67ad13db5cf105b99a0c90b1954fca96388fba1d7df329bcd689c79420ff

SHA512
a6ca98bee85319989f456c85db3040c8cc4b8310d60aa408ba0390d79b3adf44c4c490a36c87ec63d5780d188b4aa5a0d7f728b57b8b3f5a4851f88f5b202f6b

Download Submit
\Users\Admin\AppData\Local\Temp\nseE3CC.tmp\System.dll

Filesize
12KB

MD5
4add245d4ba34b04f213409bfe504c07

SHA1
ef756d6581d70e87d58cc4982e3f4d18e0ea5b09

SHA256
9111099efe9d5c9b391dc132b2faf0a3851a760d4106d5368e30ac744eb42706

SHA512
1bd260cabe5ea3cefbbc675162f30092ab157893510f45a1b571489e03ebb2903c55f64f89812754d3fe03c8f10012b8078d1261a7e73ac1f87c82f714bce03d

Download Submit
memory/2548-36-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/2548-0-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2616-68-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/2616-76-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/2616-64-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/2616-63-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/2616-62-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/2616-61-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/2616-83-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/2616-82-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/2616-81-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/2616-80-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/2616-79-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/2616-78-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/2616-77-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/2616-65-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/2616-75-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/2616-66-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/2616-67-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/2616-74-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/2616-70-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/2616-73-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/2616-72-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/2616-71-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/2616-69-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/2616-133-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2616-60-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/2616-54-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2728-144-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/2728-189-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads