xred | 1f19676ca26d854e3637e2029f82aa661e6d20cafa60887a8a5dffc568e0df3d

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
03-12-2024 20:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1f19676ca26d854e3637e2029f82aa661e6d20cafa60887a8a5dffc568e0df3dN.exe
Size

1.6MB
MD5

92be3014969075531b699422ca5b5960
SHA1

6c40aae12ca8564930bd7357edab202fe79eba81
SHA256

1f19676ca26d854e3637e2029f82aa661e6d20cafa60887a8a5dffc568e0df3d
SHA512

0dbc56cf53b34dfe28612c43347cf1714fa6f24be86a0394d62a11adf98c608f84561137b4ac26de08a4869d8900ac58238388d980f547fe9911747bfcf3b1e7
SSDEEP

49152:EnsHyjtk2MYC5GD2HZxOe4+T+4sOj8yJ4LJ+Y:Ensmtk2af4R4xj8UOp

Score

10^/10

xred backdoor discovery macro persistence

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Suspicious Office macro 1 IoCs

Office document equipped with macros.

macro

resource
behavioral1/files/0x000600000001c86e-212.dat

Executes dropped EXE 6 IoCs

pid	Process
2188	._cache_1f19676ca26d854e3637e2029f82aa661e6d20cafa60887a8a5dffc568e0df3dN.exe
2808	Synaptics.exe
2744	._cache_Synaptics.exe
1312	Setup.exe
2940	_INS5576._MP
2004	_ISDEL.EXE

Loads dropped DLL 26 IoCs

pid	Process
2308	1f19676ca26d854e3637e2029f82aa661e6d20cafa60887a8a5dffc568e0df3dN.exe
2308	1f19676ca26d854e3637e2029f82aa661e6d20cafa60887a8a5dffc568e0df3dN.exe
2188	._cache_1f19676ca26d854e3637e2029f82aa661e6d20cafa60887a8a5dffc568e0df3dN.exe
2188	._cache_1f19676ca26d854e3637e2029f82aa661e6d20cafa60887a8a5dffc568e0df3dN.exe
2188	._cache_1f19676ca26d854e3637e2029f82aa661e6d20cafa60887a8a5dffc568e0df3dN.exe
2308	1f19676ca26d854e3637e2029f82aa661e6d20cafa60887a8a5dffc568e0df3dN.exe
2308	1f19676ca26d854e3637e2029f82aa661e6d20cafa60887a8a5dffc568e0df3dN.exe
2808	Synaptics.exe
2808	Synaptics.exe
2808	Synaptics.exe
2744	._cache_Synaptics.exe
2744	._cache_Synaptics.exe
2744	._cache_Synaptics.exe
2744	._cache_Synaptics.exe
1312	Setup.exe
1312	Setup.exe
1312	Setup.exe
1312	Setup.exe
1312	Setup.exe
1312	Setup.exe
2940	_INS5576._MP
2940	_INS5576._MP
2940	_INS5576._MP
2940	_INS5576._MP
2940	_INS5576._MP
2940	_INS5576._MP

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	1f19676ca26d854e3637e2029f82aa661e6d20cafa60887a8a5dffc568e0df3dN.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\GM\TIFF Viewer Plugin\Uninst.isu	_INS5576._MP
File opened for modification	C:\Program Files (x86)\GM\TIFF Viewer Plugin\NPIMGVIE.dll	_INS5576._MP

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\_iserr31.ini	Setup.exe
File created	C:\Windows\_isenv31.ini	Setup.exe
File opened for modification	C:\Windows\_delis32.ini	Setup.exe
File opened for modification	C:\Windows\IsUninst.exe	_INS5576._MP
File created	C:\Windows\_INS33IS._MP	_ISDEL.EXE
File opened for modification	C:\Windows\_delis32.ini	_ISDEL.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_1f19676ca26d854e3637e2029f82aa661e6d20cafa60887a8a5dffc568e0df3dN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	_INS5576._MP
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	_ISDEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1f19676ca26d854e3637e2029f82aa661e6d20cafa60887a8a5dffc568e0df3dN.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1D0E4EDB-3E73-11D3-A295-00E0290E822E}\ProxyStubClsid32	_INS5576._MP
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\NPIMGVIE.TIFFHotSpotCtrl\ = "TIFFHotSpotCtrl Class"	_INS5576._MP
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-TIFF-HotSpot\CLSID = "{1D0E4EDA-3E73-11D3-A295-00E0290E822E}"	_INS5576._MP
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1D0E4EDA-3E73-11D3-A295-00E0290E822E}\Programmable	_INS5576._MP
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1D0E4EDA-3E73-11D3-A295-00E0290E822E}\InprocServer32	_INS5576._MP
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1D0E4EDA-3E73-11D3-A295-00E0290E822E}\MiscStatus\1\ = "131473"	_INS5576._MP
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1D0E4ECD-3E73-11D3-A295-00E0290E822E}\1.0\0	_INS5576._MP
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1D0E4EDB-3E73-11D3-A295-00E0290E822E}\TypeLib\ = "{1D0E4ECD-3E73-11D3-A295-00E0290E822E}"	_INS5576._MP
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1D0E4ED9-3E73-11D3-A295-00E0290E822E}	_INS5576._MP
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\NPIMGVIE.TIFFHotSpotCtrl\CLSID\ = "{1D0E4EDA-3E73-11D3-A295-00E0290E822E}"	_INS5576._MP
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1D0E4EDA-3E73-11D3-A295-00E0290E822E}\VersionIndependentProgID	_INS5576._MP
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1D0E4EDA-3E73-11D3-A295-00E0290E822E}\ProgID	_INS5576._MP
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1D0E4EDA-3E73-11D3-A295-00E0290E822E}\EnableFullPage	_INS5576._MP
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1D0E4EDB-3E73-11D3-A295-00E0290E822E}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	_INS5576._MP
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1D0E4ED9-3E73-11D3-A295-00E0290E822E}\TypeLib\ = "{1D0E4ECD-3E73-11D3-A295-00E0290E822E}"	_INS5576._MP
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1D0E4ED9-3E73-11D3-A295-00E0290E822E}\TypeLib\ = "{1D0E4ECD-3E73-11D3-A295-00E0290E822E}"	_INS5576._MP
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1D0E4EDA-3E73-11D3-A295-00E0290E822E}\ProgID\ = "NPIMGVIE.TIFFHotSpotCtrl.1"	_INS5576._MP
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1D0E4EDA-3E73-11D3-A295-00E0290E822E}\Insertable	_INS5576._MP
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1D0E4EDA-3E73-11D3-A295-00E0290E822E}\Control	_INS5576._MP
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-TIFF-GM	_INS5576._MP
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1D0E4ECD-3E73-11D3-A295-00E0290E822E}\1.0\0\win32	_INS5576._MP
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\NPIMGVIE.TIFFHotSpotCtrl.1	_INS5576._MP
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1D0E4EDA-3E73-11D3-A295-00E0290E822E}\ = "TIFFHotSpotCtrl Class"	_INS5576._MP
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1D0E4EDA-3E73-11D3-A295-00E0290E822E}\MiscStatus\1	_INS5576._MP
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1D0E4EDA-3E73-11D3-A295-00E0290E822E}\EnableFullPage\.htf	_INS5576._MP
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-TIFF-HotSpot\Extension = ".htf"	_INS5576._MP
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1D0E4ECD-3E73-11D3-A295-00E0290E822E}\1.0	_INS5576._MP
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1D0E4EDB-3E73-11D3-A295-00E0290E822E}\ = "_ITIFFHotSpotCtrlEvents"	_INS5576._MP
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1D0E4EDB-3E73-11D3-A295-00E0290E822E}\TypeLib\Version = "1.0"	_INS5576._MP
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\NPIMGVIE.TIFFHotSpotCtrl.1\CLSID\ = "{1D0E4EDA-3E73-11D3-A295-00E0290E822E}"	_INS5576._MP
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1D0E4EDA-3E73-11D3-A295-00E0290E822E}\ToolboxBitmap32	_INS5576._MP
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1D0E4EDB-3E73-11D3-A295-00E0290E822E}	_INS5576._MP
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1D0E4EDA-3E73-11D3-A295-00E0290E822E}\Version	_INS5576._MP
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1D0E4ED9-3E73-11D3-A295-00E0290E822E}\ProxyStubClsid32	_INS5576._MP
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1D0E4EDA-3E73-11D3-A295-00E0290E822E}\TypeLib\ = "{1D0E4ECD-3E73-11D3-A295-00E0290E822E}"	_INS5576._MP
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htf	_INS5576._MP
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1D0E4ECD-3E73-11D3-A295-00E0290E822E}\1.0\0\win32\ = "C:\\Program Files (x86)\\GM\\TIFF Viewer Plugin\\NPIMGVIE.dll"	_INS5576._MP
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1D0E4EDB-3E73-11D3-A295-00E0290E822E}	_INS5576._MP
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1D0E4EDB-3E73-11D3-A295-00E0290E822E}\TypeLib\Version = "1.0"	_INS5576._MP
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1D0E4EDA-3E73-11D3-A295-00E0290E822E}\InprocServer32\ThreadingModel = "Apartment"	_INS5576._MP
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-TIFF-GM\CLSID = "{1D0E4EDA-3E73-11D3-A295-00E0290E822E}"	_INS5576._MP
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1D0E4EDA-3E73-11D3-A295-00E0290E822E}\VersionIndependentProgID\ = "NPIMGVIE.TIFFHotSpotCtrl"	_INS5576._MP
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1D0E4EDA-3E73-11D3-A295-00E0290E822E}\EnableFullPage\.itf	_INS5576._MP
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-TIFF-GM\Extension = ".itf"	_INS5576._MP
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.itf	_INS5576._MP
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1D0E4ED9-3E73-11D3-A295-00E0290E822E}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	_INS5576._MP
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1D0E4ED9-3E73-11D3-A295-00E0290E822E}\TypeLib	_INS5576._MP
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\NPIMGVIE.TIFFHotSpotCtrl\CLSID	_INS5576._MP
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1D0E4EDA-3E73-11D3-A295-00E0290E822E}	_INS5576._MP
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1D0E4EDA-3E73-11D3-A295-00E0290E822E}\ToolboxBitmap32\ = "C:\\PROGRA~2\\GM\\TIFFVI~1\\NPIMGVIE.dll, 101"	_INS5576._MP
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1D0E4EDA-3E73-11D3-A295-00E0290E822E}\MiscStatus\ = "0"	_INS5576._MP
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1D0E4EDA-3E73-11D3-A295-00E0290E822E}\TypeLib	_INS5576._MP
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1D0E4ECD-3E73-11D3-A295-00E0290E822E}	_INS5576._MP
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1D0E4ECD-3E73-11D3-A295-00E0290E822E}\1.0\HELPDIR	_INS5576._MP
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1D0E4EDB-3E73-11D3-A295-00E0290E822E}\TypeLib	_INS5576._MP
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\NPIMGVIE.TIFFHotSpotCtrl.1\ = "TIFFHotSpotCtrl Class"	_INS5576._MP
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\NPIMGVIE.TIFFHotSpotCtrl\CurVer\ = "NPIMGVIE.TIFFHotSpotCtrl.1"	_INS5576._MP
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1D0E4ED9-3E73-11D3-A295-00E0290E822E}\ProxyStubClsid32	_INS5576._MP
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1D0E4EDB-3E73-11D3-A295-00E0290E822E}\TypeLib\ = "{1D0E4ECD-3E73-11D3-A295-00E0290E822E}"	_INS5576._MP
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1D0E4EDB-3E73-11D3-A295-00E0290E822E}\TypeLib	_INS5576._MP
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1D0E4EDA-3E73-11D3-A295-00E0290E822E}\InprocServer32\ = "C:\\PROGRA~2\\GM\\TIFFVI~1\\NPIMGVIE.dll"	_INS5576._MP
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1D0E4EDB-3E73-11D3-A295-00E0290E822E}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	_INS5576._MP
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htf\Content Type = "application/x-TIFF-HotSpot"	_INS5576._MP
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1D0E4EDB-3E73-11D3-A295-00E0290E822E}\ = "_ITIFFHotSpotCtrlEvents"	_INS5576._MP

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3032	EXCEL.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3032	EXCEL.EXE

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 2308 wrote to memory of 2188	2308	1f19676ca26d854e3637e2029f82aa661e6d20cafa60887a8a5dffc568e0df3dN.exe	30
PID 2308 wrote to memory of 2188	2308	1f19676ca26d854e3637e2029f82aa661e6d20cafa60887a8a5dffc568e0df3dN.exe	30
PID 2308 wrote to memory of 2188	2308	1f19676ca26d854e3637e2029f82aa661e6d20cafa60887a8a5dffc568e0df3dN.exe	30
PID 2308 wrote to memory of 2188	2308	1f19676ca26d854e3637e2029f82aa661e6d20cafa60887a8a5dffc568e0df3dN.exe	30
PID 2308 wrote to memory of 2188	2308	1f19676ca26d854e3637e2029f82aa661e6d20cafa60887a8a5dffc568e0df3dN.exe	30
PID 2308 wrote to memory of 2188	2308	1f19676ca26d854e3637e2029f82aa661e6d20cafa60887a8a5dffc568e0df3dN.exe	30
PID 2308 wrote to memory of 2188	2308	1f19676ca26d854e3637e2029f82aa661e6d20cafa60887a8a5dffc568e0df3dN.exe	30
PID 2308 wrote to memory of 2808	2308	1f19676ca26d854e3637e2029f82aa661e6d20cafa60887a8a5dffc568e0df3dN.exe	31
PID 2308 wrote to memory of 2808	2308	1f19676ca26d854e3637e2029f82aa661e6d20cafa60887a8a5dffc568e0df3dN.exe	31
PID 2308 wrote to memory of 2808	2308	1f19676ca26d854e3637e2029f82aa661e6d20cafa60887a8a5dffc568e0df3dN.exe	31
PID 2308 wrote to memory of 2808	2308	1f19676ca26d854e3637e2029f82aa661e6d20cafa60887a8a5dffc568e0df3dN.exe	31
PID 2808 wrote to memory of 2744	2808	Synaptics.exe	32
PID 2808 wrote to memory of 2744	2808	Synaptics.exe	32
PID 2808 wrote to memory of 2744	2808	Synaptics.exe	32
PID 2808 wrote to memory of 2744	2808	Synaptics.exe	32
PID 2808 wrote to memory of 2744	2808	Synaptics.exe	32
PID 2808 wrote to memory of 2744	2808	Synaptics.exe	32
PID 2808 wrote to memory of 2744	2808	Synaptics.exe	32
PID 2744 wrote to memory of 1312	2744	._cache_Synaptics.exe	33
PID 2744 wrote to memory of 1312	2744	._cache_Synaptics.exe	33
PID 2744 wrote to memory of 1312	2744	._cache_Synaptics.exe	33
PID 2744 wrote to memory of 1312	2744	._cache_Synaptics.exe	33
PID 2744 wrote to memory of 1312	2744	._cache_Synaptics.exe	33
PID 2744 wrote to memory of 1312	2744	._cache_Synaptics.exe	33
PID 2744 wrote to memory of 1312	2744	._cache_Synaptics.exe	33
PID 1312 wrote to memory of 2940	1312	Setup.exe	35
PID 1312 wrote to memory of 2940	1312	Setup.exe	35
PID 1312 wrote to memory of 2940	1312	Setup.exe	35
PID 1312 wrote to memory of 2940	1312	Setup.exe	35
PID 1312 wrote to memory of 2940	1312	Setup.exe	35
PID 1312 wrote to memory of 2940	1312	Setup.exe	35
PID 1312 wrote to memory of 2940	1312	Setup.exe	35
PID 1312 wrote to memory of 2004	1312	Setup.exe	36
PID 1312 wrote to memory of 2004	1312	Setup.exe	36
PID 1312 wrote to memory of 2004	1312	Setup.exe	36
PID 1312 wrote to memory of 2004	1312	Setup.exe	36
PID 1312 wrote to memory of 2004	1312	Setup.exe	36
PID 1312 wrote to memory of 2004	1312	Setup.exe	36
PID 1312 wrote to memory of 2004	1312	Setup.exe	36

C:\Users\Admin\AppData\Local\Temp\1f19676ca26d854e3637e2029f82aa661e6d20cafa60887a8a5dffc568e0df3dN.exe
"C:\Users\Admin\AppData\Local\Temp\1f19676ca26d854e3637e2029f82aa661e6d20cafa60887a8a5dffc568e0df3dN.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2308
- C:\Users\Admin\AppData\Local\Temp\._cache_1f19676ca26d854e3637e2029f82aa661e6d20cafa60887a8a5dffc568e0df3dN.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_1f19676ca26d854e3637e2029f82aa661e6d20cafa60887a8a5dffc568e0df3dN.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2188
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2808
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2744
  - - C:\Users\Admin\AppData\Local\Temp\pftC439~tmp\Setup.exe
      "C:\Users\Admin\AppData\Local\Temp\pftC439~tmp\Setup.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1312
    - - C:\Users\Admin\AppData\Local\Temp\_ISTMP1.DIR\_INS5576._MP
        
        C:\Users\Admin\AppData\Local\Temp\_ISTMP1.DIR\_INS5576._MP
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2940
    - - C:\Users\Admin\AppData\Local\Temp\pftC439~tmp\_ISDEL.EXE
        
        C:\Users\Admin\AppData\Local\Temp\pftC439~tmp\_ISDEL.EXE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2004

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~2\GM\TIFFVI~1\NPIMGVIE.dll

Filesize
620KB

MD5
13ab2d02bbff6b6bb7a699f97f03d03c

SHA1
0fa848dfb2b85d50bd38e14b2b15083198057a79

SHA256
cd8608c00b79b2bdc515a517839ff77369a80fe4d6f877f9ba2dd27a9161c26d

SHA512
d5c74ba0e37b623a7ffb0338e2c6393d6eebd4b87c12f4d1c0f43846b27332d1a2aaa28fea681d259f971c1378a8e3db2537d50a46337139ea29bd29f2a7be11

Download Submit
C:\ProgramData\Synaptics\Synaptics.exe

Filesize
1.6MB

MD5
92be3014969075531b699422ca5b5960

SHA1
6c40aae12ca8564930bd7357edab202fe79eba81

SHA256
1f19676ca26d854e3637e2029f82aa661e6d20cafa60887a8a5dffc568e0df3d

SHA512
0dbc56cf53b34dfe28612c43347cf1714fa6f24be86a0394d62a11adf98c608f84561137b4ac26de08a4869d8900ac58238388d980f547fe9911747bfcf3b1e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\X9Y1DXIN.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\X9Y1DXIN.xlsm

Filesize
22KB

MD5
3fb859d0a21d417854ab507cfe765083

SHA1
a5ce12daae23cfe934592eb46c7d2bb48e9f86b3

SHA256
614e38efd7c978caa5dc5a7a359c5c370e0eb3e4e681d3baa6a219fd5cbe4f31

SHA512
07df2ee53de1b071f7ae8f53d3d22b2685971fb9f8227788953cea72b943863bc0594a6085e7cc40f030beaff642f1931053150b1adcdbd38714e3136f05e76a

Download Submit
C:\Users\Admin\AppData\Local\Temp\X9Y1DXIN.xlsm

Filesize
28KB

MD5
151458d2cffcfdf805b195ef215ac62c

SHA1
e19d3716b0c547663a3159dc577bcbcaab4d36dc

SHA256
ea8b54602e1171aa0555c8bc985ff0e43b761e87b2bc9652e65c0f83dd4ffa08

SHA512
898de56bf4f86d887630400c0f0c1d511e952cc73006eeff67e21e44ce49ee42ed34ed2ff4ec9d5cbf2c1f094d84893b50fe6d24d173b920f9c42de60b8b785e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ISTMP1.DIR\ZDATAI51.DLL

Filesize
52KB

MD5
2a9a390018a50f1af0df0b7118696f6e

SHA1
f9a4cf357e49cf1f032ca4f8d46def52c6935e33

SHA256
1d9321dd5e1790dff91cbd475a023760f3b6b6b26e849b70b171b841070378f2

SHA512
813be48cf11a14b618fbfa358794b1e6cef727f305470f27c82bbfccc0921ef2141d740a71c47890db1e705f10bc3d0c67e3d9f651710fdd88f19b9e7e30bc38

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ISTMP1.DIR\_INS0432.INI

Filesize
178B

MD5
f7086c9f881e3bbcab5f3c5a2d9218d6

SHA1
ef68bf1992644f2dff34492f00864b946a7cd9fe

SHA256
24eee0d2fa9fd64111ec9dc5ebd51767d527904a051c1c60c1b270a59d06395f

SHA512
a61e05bcbe5766edcefe4ded388bb0a3b62864170c6f9a965f27adaf0f9bc45e15086a52c3057c4f93e86d0866116555b084eca645666c6e109877b0af5cd810

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ISTMP1.DIR\_WUTL951.DLL

Filesize
45KB

MD5
9567a2dac1b8efbd7b0c6dce2a2251c3

SHA1
db72683ff3a3000771394d5eed7e2de922dcadbf

SHA256
67d309a88d68c449c2d0a76c0f2d2c9b2b764a469a6daea67df0279dd49c9296

SHA512
51806383e05cbc67754fc746c16ddf8364610bb22260b8638f586b02dbeb0813cee6acc9962b2b928205d445a82f2cc2022b6d1162f8da644ac902c0f3a327a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\pftC439~tmp\LAYOUT.BIN

Filesize
590B

MD5
34a1ec00b2470bd90d0a9c6480aa9054

SHA1
9d8d13b9df708a6ffdc7cf4f29e6783bb7ba3a8c

SHA256
b48cf9b1279830032c9c9d3229004658a55d5e34ced2eed0c4f79e4ca94e3d04

SHA512
27ea2cbe231c88434e225b6437013e8152a9b1121b2216f0331cb6cecc8a4e3eb17613ed4ddb4635639e5e1f06a12e9588608b23c615a8e5a48318dca0dba334

Download Submit
C:\Users\Admin\AppData\Local\Temp\pftC439~tmp\SETUP.INS

Filesize
55KB

MD5
fa14cba392925f26f53a5c16ccc863fe

SHA1
4baa27eccb6b0facd6728533775bc5ec1a3e5e61

SHA256
6066a60ef19d52bf10b42632e46a49b88bb63020eca448255aa71cfb81055e69

SHA512
a280259e0e4cb9edeb2450ee70db35b6fad14ece1055832bd86286ce952a7865ab700a45f6cca438c664268883f2fdb87872691cac025f858e4b391a52228c50

Download Submit
C:\Users\Admin\AppData\Local\Temp\pftC439~tmp\SETUP.LID

Filesize
49B

MD5
1b79748e93a541cc1590505b6c72828a

SHA1
1ddefee04dc9e9b2576dc34eebcfa3de4aa82af9

SHA256
708d29c649525882937031b3d73cc851b7b1bc30772eb4e0e2a71523908f2eb5

SHA512
e85c1f04d3841cd1e5aa5d7ba37bb3aff557d67b1aceb2d9435f07862593eb4e139162c71d9b017c82aade2e1c535c79d1a18d26dffb95282e10bc64bda04bfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\pftC439~tmp\_INST32I.EX_

Filesize
289KB

MD5
6229a86a1d291c311da49a7d69a49a1f

SHA1
586254e13d8ffdd956f1fb4e6ce858b91a390864

SHA256
b2ff4e8402a5160c491b1ac7eba0073fbbe2220dce107441461b250544eff35a

SHA512
d2e21662258593d17b8debbd74f92e2b37ee3f5f3fdb0cbe8a4c9a16a6dbee6911b92c4afff86f4fa2afa311343e43029dec9c0e08a728309f2ccbf1ded7e896

Download Submit
C:\Users\Admin\AppData\Local\Temp\pftC439~tmp\_ISDEL.EXE

Filesize
27KB

MD5
51161bf79f25ff278912005078ad93d5

SHA1
13cb580aa1d2823ca0f748b1fc262b7db1689f19

SHA256
b5dc0feb738a91ce3cfa982647fe2779787335c6c2c598d5b49818565d7c3e84

SHA512
c91eac5a01ec7bfb4d3c9df7f90a1c6c6211464ecfede54f7ce2f0c8a79561e4425a56eb41b48bcd89a80bd45228b2ce0c649ed92d24019a15916306d9131d8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\pftC439~tmp\_SETUP.DLL

Filesize
34KB

MD5
ecacc9ab09d7e8898799fe5c4ebbbdd2

SHA1
be255fe9b6c9d638a40a5c1e88f2d5f4e37654e6

SHA256
1ad637e80a25f6f885604589056814d16ccad55699be14920e2b99f2d74c1019

SHA512
16412756b147a9e6c1e8ce503f374abde87919a5ae1de576963ed748a2934eff9f95d5b33cacefebe1c6cdfe64d9b595986c60bdbce8aebf0a4bcc83b6f25779

Download Submit
C:\Users\Admin\AppData\Local\Temp\pftC439~tmp\_sys1.cab

Filesize
171KB

MD5
969ac09a8e439ae814e0855fd9473e1e

SHA1
2fc2f4fafc98f91504e03f85246ef09dc8b9be8d

SHA256
d97bd0e8ba728e1a1ce5147a9fb60008e7b6d1ff1529f7b1ee646112ebf79e10

SHA512
ea497b2c2cc66bd9255d38bb2a938c65a87ec94db66bf9f0ba93864ad87396920f19555a9ce88a65492226fdbf9958173ecd2eca5602afcc0e2bab89db3a22a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\pftC439~tmp\_sys1.hdr

Filesize
3KB

MD5
0687fb7d9e9ca7a053ca8a02817aaf01

SHA1
26333ccc22aa7d19c6cd292ba5db90dc7d9ea067

SHA256
87525135e6cb44a607eaad61028e84f0b2e6a4689fe48ad923f4c4f7d1829d6a

SHA512
49569b88c9f4e6580e02719341e0a40f73bdbdf8e0247edacc0a14a185b7d46bb776b0e2e306eea50888a75c6694bfbc8350cd67a659ca4491e24902df0297fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\pftC439~tmp\_user1.cab

Filesize
928B

MD5
c0b06f789609706d89256a74f151f2e8

SHA1
d1ea04d9ed2b01bed60d20a7bfde7a0e80583e26

SHA256
71ea51273b233026cf0803e0351610ecf4cb1b6a704daca1b63f7f09b1d278d2

SHA512
f79920215ae18366bf6095270597305cbcf979b6c5a49b97e2fe840146ab16b96e229db6be6dc82fdcef3c44672a7a2a0bed173f50d30a5020ea0d4d7f3b1c7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\pftC439~tmp\_user1.hdr

Filesize
4KB

MD5
002c98334ca2fa21fe75d35611889ba8

SHA1
713f4a78b7b2c56dd1b6c052e1f7542c5fbdadda

SHA256
5d696e38520fad0a321f47ef03d901e5a635803478bf107ce534c895ba8e1bfe

SHA512
fd122c6f62776dbf2fc78d523df6895ae499e84f5c66e29d23f8b752283a4a97af283ffadd1b1bb28c67f31babc42bf859e95746a7ea4788b4c6b7959e5218ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\pftC439~tmp\data1.cab

Filesize
268KB

MD5
65c536448bfb096978956636c5797986

SHA1
302b8d307dae7af6146785d39c25a598c676fc41

SHA256
d6b0b85ef45b10efc73800d142d27130a60f60f76a8983d29a5b43400ee2feca

SHA512
128f861febe8401db65d30f22d93c15fccaecac17d73318095f39fa5af7b6f031790ea9fa4a96023c56df14336b3a67b79717bece9c29b96c99a8f243435c78c

Download Submit
C:\Users\Admin\AppData\Local\Temp\pftC439~tmp\data1.hdr

Filesize
2KB

MD5
941c58b4485190409bb29c50dba48bbb

SHA1
afc0573818f05acf2f858bafc47773fa44f0fefe

SHA256
be67cb3ac80c8637d19fae775c967f0ebf96ebf823fe24480877944a68db8d64

SHA512
c19830405c41e135161dea6aab2c6e4cfcd94ed35d62bfccdf7ebff2dec41b4f2610e6f9bd065ae29393a85b39f1d6e13880523d0b9fccc111e36adab00d811d

Download Submit
C:\Users\Admin\AppData\Local\Temp\pftC439~tmp\os.dat

Filesize
450B

MD5
478f65a0b922b6ba0a6ce99e1d15c336

SHA1
577bb092378b8e4522eff40335ff7a50040170b7

SHA256
be2292517342de82d50cefbacb185e36558fcdfbf686692e7df08a80331f9bee

SHA512
747589cae4514cff7d5ea9b51b483c0fe6cb9242b0f31503268a73881acddf25541a7ae56f8826b4f15235dd2ab8c98c94674666e47c36ea913bcfb539143c9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\pftC439~tmp\pftw1.pkg

Filesize
806KB

MD5
1b41aaf5f449dfcce9bff89a7fcbbcf3

SHA1
87eeee167c02442af9d60e0da654476bbd7a6652

SHA256
e2d9292406eb9bf1a49ab95b8a1a43503d34216aa778d2ff017ba4f8fbad7d19

SHA512
2aea9bb85951d101a66a622e855c592867d194c0e117a9662ca0877d169fccf599960901962c26ecdbd548e05fa030017fd87afd1ddb16dcb12c8c20984c7c27

Download Submit
C:\Users\Admin\AppData\Local\Temp\pftC439~tmp\setup.ini

Filesize
106B

MD5
6c823e4fc1e4bd3e0359db1e2c14cdfb

SHA1
a65396bdd98b7f05f41887da536d65f84292f626

SHA256
f55d480fb1869fbaf39ed96d846c6216d82b027d4a3ef2efbe3a8e05b1cb25ba

SHA512
d5de6fd8d7adbab7570fcb82e347ab4d04652455bfec439543b210f85c87479dec5362d9d530c93d6cad433dfa654e5dc489a2d69d8e192355366d83e23403d7

Download Submit
C:\Windows\_delis32.ini

Filesize
268B

MD5
88c6ea9ed6cd04c7cae5d96a623d1973

SHA1
50e875bc6a3ce09b8e2e31a738747bcbb26d78b2

SHA256
290b98b00f660ca6317dc2b64ec399b15373a9b7a0574c45b7b4b5888a0b257d

SHA512
dce8c79b04d4319f9b43cd585877c382b0d5b1778ee1e85614e78a87366526167c658512c245ad1ebf96d465f4cb33f2c959fbc8189ccff53d888cd154e500b8

Download Submit
C:\Windows\_isenv31.ini

Filesize
1KB

MD5
ca4ea5bad3141a78440b66d85ed7aedb

SHA1
226910113b67aa9d8ea399d41fc38bf6181cad4b

SHA256
64e6ccab96a315cc0511ae6019b4990c75f4c89ec486a2b4b61b5eb81e7619f0

SHA512
2b73d5a7584993fff3264b6537e4a3ca793eeaa71a23e3784d993b226a09999de8b43501d12f600fbac5217dce83c7f1c79f1e5b003becec566908587511e6c2

Download Submit
C:\Windows\_iserr31.ini

Filesize
521B

MD5
b99921c1ce27e631044ad7ad03e27faa

SHA1
13fa80578e7a9f5ece1cfd7913eec6e3e5b12250

SHA256
bd6efc8e0f5b775ae357f3b647d74b7ddbc5fb8fc827e659d77ac2ef9888f16f

SHA512
79ff7699ad240f4b62c5b336fb6ebb684e675b2d74cf541997f1d42716c1e05bcc35d92443c0641a6f0e60a26d3add03f6316390aacb22701b718f652e5472ab

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_1f19676ca26d854e3637e2029f82aa661e6d20cafa60887a8a5dffc568e0df3dN.exe

Filesize
935KB

MD5
5efa0e6fcb7452aee89ae7ae3fb8a0b1

SHA1
8c0010c61b7921cfc795d7e07cc19070765206c2

SHA256
08b733416d9dbe1261f206dd524a4903f0c852b62c74450aafcb3bc44e1c2bd5

SHA512
94d86bd670c949473f5c076b8c1232fd42282fda2d14d4448e613cda0161a431e1c787901f08221a39c47fef0f48c784d84b96bc5103c85c0e6b371f22373655

Download Submit
\Users\Admin\AppData\Local\Temp\_ISTMP1.DIR\_INS5576._MP

Filesize
544KB

MD5
d28cb295e2395b3593293470e7784512

SHA1
8a734689b76929beaeb6110c45c41948d4d4c12f

SHA256
a8657371f03e2e66db951c3dcd3aeb42c576894908ca2eb1b3806aa0404cb083

SHA512
c526b986e47a8cb2f9cb6fd0bf1f48d9fbbcbfaa6dcee0bce6670095df586b179eef0fa6fc7ee56995d3f100df5ed359eff6858d646b68268bd9d3c68dd816f5

Download Submit
\Users\Admin\AppData\Local\Temp\_ISTMP1.DIR\_ISTMP0.DIR\ISUninst.exe

Filesize
299KB

MD5
515e4684008e955de0c81e6a7aea1c2a

SHA1
ebe026f9c551f372ad82186ff6b9c2ca26dd684c

SHA256
6d631e94acce1f2808a6b1125a6617d1b0ba7e50d93c1d656aa2620bcd0bb965

SHA512
c889a733c61687aa9be0b67cc2e4ecf2a500386054dffa072780a4f46b29373e0dad79c35f375fdeb6572dbc11b24436b88cee3ba431a37965cf0e884ab636b8

Download Submit
\Users\Admin\AppData\Local\Temp\_ISTMP1.DIR\_ISTMP0.DIR\f7810e2.DLL

Filesize
126KB

MD5
18556ed6ea953c31f1c4953d2f210c78

SHA1
7ec5618bae6bbfb45a02c933de7bce8d0fdeb22c

SHA256
f8fa0c3350ed8675c95a9532a0ee057bd0d1c0e79d90bf5e91f75b3f7f25d969

SHA512
0523df4e8062f8dca1a3096f17eaf359c4cd84a00aaadf734e0431a07ded2fa7fe6549bb5a387d839cffe60a9705c3e4f376679006d3eea4e95dcac21766e79f

Download Submit
\Users\Admin\AppData\Local\Temp\pftC439~tmp\Setup.exe

Filesize
72KB

MD5
71e6dd8a9de4a9baf89fca951768059a

SHA1
aac779471a2f9ae3d3e0e39047ef1744feda77b1

SHA256
5656e87da0641c9dcfcd0ee8949ce72b3fa6a7d0e8b1fd985a16f6bd6c34ce52

SHA512
d15bb31ce595767dd366ea2130121a7a2a311c4e639f8b464ceac880d00735c11d950fc16725a3da9459d22a122dd3c33bc0631be90556b4078df9509b0048de

Download Submit
memory/2004-259-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2308-32-0x0000000000400000-0x00000000005AC000-memory.dmp

Filesize
1.7MB

Download
memory/2308-0-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2808-117-0x0000000000400000-0x00000000005AC000-memory.dmp

Filesize
1.7MB

Download
memory/2808-246-0x0000000000400000-0x00000000005AC000-memory.dmp

Filesize
1.7MB

Download
memory/2808-114-0x0000000000400000-0x00000000005AC000-memory.dmp

Filesize
1.7MB

Download
memory/2808-293-0x0000000000400000-0x00000000005AC000-memory.dmp

Filesize
1.7MB

Download
memory/2808-328-0x0000000000400000-0x00000000005AC000-memory.dmp

Filesize
1.7MB

Download
memory/2940-242-0x0000000000260000-0x0000000000270000-memory.dmp

Filesize
64KB

Download
memory/2940-251-0x00000000032C0000-0x000000000335D000-memory.dmp

Filesize
628KB

Download
memory/3032-126-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads