xred | 2fbd716ca1f19737591463a9f5776de57105fd800118375012d08fb000d2e39e

Analysis

max time kernel
5s
max time network
18s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
15-12-2024 23:00

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

000.exe
Size

7.4MB
MD5

06c9504a38c6996916dbd515559c9564
SHA1

33e92f8c6dd8b3eab4b06ca0bb428e48b4504dac
SHA256

2fbd716ca1f19737591463a9f5776de57105fd800118375012d08fb000d2e39e
SHA512

e9259b0ebcf970db693af90a8811e706ef10187c33d662409c678034abdf5282a1bd63e1a6445c25f35a0c7714863109a17289e1919d9ad268ba72fc4f6f792f
SSDEEP

12288:cMSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9Jt1I2rVvWHuuuvj:cnsJ39LyjbJkQFMhmC+6GD9j1dUuuu7

Score

10^/10

xred backdoor discovery evasion persistence ransomware

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred
Disables Task Manager via registry modification
evasion

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	Synaptics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	000.exe

Executes dropped EXE 2 IoCs

pid	Process
2792	._cache_000.exe
2704	Synaptics.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	000.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\I:	._cache_000.exe
File opened (read-only)	\??\J:	._cache_000.exe
File opened (read-only)	\??\K:	._cache_000.exe
File opened (read-only)	\??\X:	._cache_000.exe
File opened (read-only)	\??\Y:	._cache_000.exe
File opened (read-only)	\??\H:	._cache_000.exe
File opened (read-only)	\??\M:	._cache_000.exe
File opened (read-only)	\??\N:	._cache_000.exe
File opened (read-only)	\??\O:	._cache_000.exe
File opened (read-only)	\??\Q:	._cache_000.exe
File opened (read-only)	\??\A:	._cache_000.exe
File opened (read-only)	\??\E:	._cache_000.exe
File opened (read-only)	\??\L:	._cache_000.exe
File opened (read-only)	\??\U:	._cache_000.exe
File opened (read-only)	\??\Z:	._cache_000.exe
File opened (read-only)	\??\T:	._cache_000.exe
File opened (read-only)	\??\V:	._cache_000.exe
File opened (read-only)	\??\W:	._cache_000.exe
File opened (read-only)	\??\B:	._cache_000.exe
File opened (read-only)	\??\G:	._cache_000.exe
File opened (read-only)	\??\P:	._cache_000.exe
File opened (read-only)	\??\R:	._cache_000.exe
File opened (read-only)	\??\S:	._cache_000.exe

Modifies WinLogon 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoRestartShell = "0"	._cache_000.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\Desktop\Wallpaper	._cache_000.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	000.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_000.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe

Kills process with taskkill 4 IoCs

evasion

pid	Process
3052	taskkill.exe
1836	taskkill.exe
3944	taskkill.exe
3140	taskkill.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	000.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\icon.ico"	._cache_000.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3350944739-639801879-157714471-1000\{A9C4CF81-EAE3-4FC2-B9A9-2EED388FFA72}	._cache_000.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3052	taskkill.exe
Token: SeShutdownPrivilege	2792	._cache_000.exe
Token: SeCreatePagefilePrivilege	2792	._cache_000.exe
Token: SeDebugPrivilege	1836	taskkill.exe
Token: SeIncreaseQuotaPrivilege	2244	WMIC.exe
Token: SeSecurityPrivilege	2244	WMIC.exe
Token: SeTakeOwnershipPrivilege	2244	WMIC.exe
Token: SeLoadDriverPrivilege	2244	WMIC.exe
Token: SeSystemProfilePrivilege	2244	WMIC.exe
Token: SeSystemtimePrivilege	2244	WMIC.exe
Token: SeProfSingleProcessPrivilege	2244	WMIC.exe
Token: SeIncBasePriorityPrivilege	2244	WMIC.exe
Token: SeCreatePagefilePrivilege	2244	WMIC.exe
Token: SeBackupPrivilege	2244	WMIC.exe
Token: SeRestorePrivilege	2244	WMIC.exe
Token: SeShutdownPrivilege	2244	WMIC.exe
Token: SeDebugPrivilege	2244	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2244	WMIC.exe
Token: SeRemoteShutdownPrivilege	2244	WMIC.exe
Token: SeUndockPrivilege	2244	WMIC.exe
Token: SeManageVolumePrivilege	2244	WMIC.exe
Token: 33	2244	WMIC.exe
Token: 34	2244	WMIC.exe
Token: 35	2244	WMIC.exe
Token: 36	2244	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2244	WMIC.exe
Token: SeSecurityPrivilege	2244	WMIC.exe
Token: SeTakeOwnershipPrivilege	2244	WMIC.exe
Token: SeLoadDriverPrivilege	2244	WMIC.exe
Token: SeSystemProfilePrivilege	2244	WMIC.exe
Token: SeSystemtimePrivilege	2244	WMIC.exe
Token: SeProfSingleProcessPrivilege	2244	WMIC.exe
Token: SeIncBasePriorityPrivilege	2244	WMIC.exe
Token: SeCreatePagefilePrivilege	2244	WMIC.exe
Token: SeBackupPrivilege	2244	WMIC.exe
Token: SeRestorePrivilege	2244	WMIC.exe
Token: SeShutdownPrivilege	2244	WMIC.exe
Token: SeDebugPrivilege	2244	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2244	WMIC.exe
Token: SeRemoteShutdownPrivilege	2244	WMIC.exe
Token: SeUndockPrivilege	2244	WMIC.exe
Token: SeManageVolumePrivilege	2244	WMIC.exe
Token: 33	2244	WMIC.exe
Token: 34	2244	WMIC.exe
Token: 35	2244	WMIC.exe
Token: 36	2244	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4992	WMIC.exe
Token: SeSecurityPrivilege	4992	WMIC.exe
Token: SeTakeOwnershipPrivilege	4992	WMIC.exe
Token: SeLoadDriverPrivilege	4992	WMIC.exe
Token: SeSystemProfilePrivilege	4992	WMIC.exe
Token: SeSystemtimePrivilege	4992	WMIC.exe
Token: SeProfSingleProcessPrivilege	4992	WMIC.exe
Token: SeIncBasePriorityPrivilege	4992	WMIC.exe
Token: SeCreatePagefilePrivilege	4992	WMIC.exe
Token: SeBackupPrivilege	4992	WMIC.exe
Token: SeRestorePrivilege	4992	WMIC.exe
Token: SeShutdownPrivilege	4992	WMIC.exe
Token: SeDebugPrivilege	4992	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4992	WMIC.exe
Token: SeRemoteShutdownPrivilege	4992	WMIC.exe
Token: SeUndockPrivilege	4992	WMIC.exe
Token: SeManageVolumePrivilege	4992	WMIC.exe
Token: 33	4992	WMIC.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2792	._cache_000.exe
2792	._cache_000.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 4928 wrote to memory of 2792	4928	000.exe	83
PID 4928 wrote to memory of 2792	4928	000.exe	83
PID 4928 wrote to memory of 2792	4928	000.exe	83
PID 4928 wrote to memory of 2704	4928	000.exe	84
PID 4928 wrote to memory of 2704	4928	000.exe	84
PID 4928 wrote to memory of 2704	4928	000.exe	84
PID 2792 wrote to memory of 2300	2792	._cache_000.exe	85
PID 2792 wrote to memory of 2300	2792	._cache_000.exe	85
PID 2792 wrote to memory of 2300	2792	._cache_000.exe	85
PID 2300 wrote to memory of 3052	2300	cmd.exe	87
PID 2300 wrote to memory of 3052	2300	cmd.exe	87
PID 2300 wrote to memory of 3052	2300	cmd.exe	87
PID 2300 wrote to memory of 1836	2300	cmd.exe	89
PID 2300 wrote to memory of 1836	2300	cmd.exe	89
PID 2300 wrote to memory of 1836	2300	cmd.exe	89
PID 2300 wrote to memory of 2244	2300	cmd.exe	90
PID 2300 wrote to memory of 2244	2300	cmd.exe	90
PID 2300 wrote to memory of 2244	2300	cmd.exe	90
PID 2300 wrote to memory of 4992	2300	cmd.exe	91
PID 2300 wrote to memory of 4992	2300	cmd.exe	91
PID 2300 wrote to memory of 4992	2300	cmd.exe	91

C:\Users\Admin\AppData\Local\Temp\000.exe
"C:\Users\Admin\AppData\Local\Temp\000.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4928
- C:\Users\Admin\AppData\Local\Temp\._cache_000.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_000.exe"
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Modifies WinLogon
  - Sets desktop wallpaper using registry
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2792
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\windl.bat""
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2300
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im explorer.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3052
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1836
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic useraccount where name='Admin' set FullName='UR NEXT'
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2244
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic useraccount where name='Admin' rename 'UR NEXT'
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:4992
  - - C:\Windows\SysWOW64\shutdown.exe
      shutdown /f /r /t 0
      4⤵
      PID:3596
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:2704
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    PID:3008
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\windl.bat""
      4⤵
      PID:672
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im explorer.exe
        5⤵
        Kills process with taskkill
        
        PID:3944
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im taskmgr.exe
        5⤵
        Kills process with taskkill
        
        PID:3140
    - - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic useraccount where name='Admin' set FullName='UR NEXT'
        5⤵
        
        PID:4196
    - - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic useraccount where name='Admin' rename 'UR NEXT'
        5⤵
        
        PID:1924

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
PID:4132

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa391a855 /state1:0x41c64e6d
1⤵
PID:2104

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
7.4MB

MD5
06c9504a38c6996916dbd515559c9564

SHA1
33e92f8c6dd8b3eab4b06ca0bb428e48b4504dac

SHA256
2fbd716ca1f19737591463a9f5776de57105fd800118375012d08fb000d2e39e

SHA512
e9259b0ebcf970db693af90a8811e706ef10187c33d662409c678034abdf5282a1bd63e1a6445c25f35a0c7714863109a17289e1919d9ad268ba72fc4f6f792f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
640KB

MD5
487728b6ee62cb123a9b293934af7dda

SHA1
079ac1fc5f5ea86fbdd2255ee5f8fc9e4de434eb

SHA256
5f6a0325d7efb96d26a8bf59bafd307f74537a38b1643d411e8fe58ad916f3d4

SHA512
98347889147325d86ff1a87de89d664ab91569432529a852714fa9ee322b51353e0bf32d55ac7d894f4c4bf99dec4625453f89f764dd8c885385943e8ddf3b3c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_000.exe

Filesize
6.7MB

MD5
d5671758956b39e048680b6a8275e96a

SHA1
33c341130bf9c93311001a6284692c86fec200ef

SHA256
4a900b344ef765a66f98cf39ac06273d565ca0f5d19f7ea4ca183786155d4a47

SHA512
972e89ed8b7b4d75df0a05c53e71fb5c29edaa173d7289656676b9d2a1ed439be1687beddc6fb1fbf068868c3da9c3d2deb03b55e5ab5e7968858b5efc49fbe7

Download Submit
C:\Users\Admin\AppData\Local\Temp\icon.ico

Filesize
361KB

MD5
a4b9662cf3b6ea6626f6081c0d8c13f3

SHA1
946501d358e5e3b10223431e474607e0eb248796

SHA256
84a1c2713642090523f05d9fb015c537fd210d3200cadaf442bb67cf1834b356

SHA512
4e94dcf9200bfd6d685f93acaa0bd93d49bb0fe2229f3105e22b8893e0d530ad15e8dce5be6db1c1db393fcc169defc43f12e35308be30b054631487d16cbf33

Download Submit
C:\Users\Admin\AppData\Local\Temp\one.rtf

Filesize
403B

MD5
6fbd6ce25307749d6e0a66ebbc0264e7

SHA1
faee71e2eac4c03b96aabecde91336a6510fff60

SHA256
e152b106733d9263d3cf175f0b6197880d70acb753f8bde8035a3e4865b31690

SHA512
35a0d6d91178ec10619cf4d2fd44d3e57aa0266e1779e15b1eef6e9c359c77c384e0ffe4edb2cde980a6847e53f47733e6eacb72d46762066b3541dee3d29064

Download Submit
C:\Users\Admin\AppData\Local\Temp\rniw.exe

Filesize
76KB

MD5
9232120b6ff11d48a90069b25aa30abc

SHA1
97bb45f4076083fca037eee15d001fd284e53e47

SHA256
70faa0e1498461731f873d3594f20cbf2beaa6f123a06b66f9df59a9cdf862be

SHA512
b06688a9fc0b853d2895f11e812c48d5871f2793183fda5e9638ded22fc5dc1e813f174baedc980a1f0b6a7b0a65cd61f29bb16acc6dd45da62988eb012d6877

Download Submit
C:\Users\Admin\AppData\Local\Temp\windl.bat

Filesize
771B

MD5
a9401e260d9856d1134692759d636e92

SHA1
4141d3c60173741e14f36dfe41588bb2716d2867

SHA256
b551fba71dfd526d4916ae277d8686d83fff36d22fcf6f18457924a070b30ef7

SHA512
5cbe38cdab0283b87d9a9875f7ba6fa4e8a7673d933ca05deddddbcf6cf793bd1bf34ac0add798b4ed59ab483e49f433ce4012f571a658bc0add28dd987a57b6

Download Submit
C:\Users\Admin\Desktop\UR NEXT UR NEXT UR NEXT UR NEXT UR NEXT UR NEXT UR NEXT UR N1XT.txt

Filesize
396B

MD5
9037ebf0a18a1c17537832bc73739109

SHA1
1d951dedfa4c172a1aa1aae096cfb576c1fb1d60

SHA256
38c889b5d7bdcb79bbcb55554c520a9ce74b5bfc29c19d1e4cb1419176c99f48

SHA512
4fb5c06089524c6dcd48b6d165cedb488e9efe2d27613289ef8834dbb6c010632d2bd5e3ac75f83b1d8024477ebdf05b9e0809602bbe1780528947c36e4de32f

Download Submit
memory/2704-1919-0x0000000000400000-0x0000000000B6B000-memory.dmp

Filesize
7.4MB

Download
memory/2704-1836-0x0000000000400000-0x0000000000B6B000-memory.dmp

Filesize
7.4MB

Download
memory/2792-213-0x000000000BDE0000-0x000000000BDF0000-memory.dmp

Filesize
64KB

Download
memory/2792-212-0x000000000BDB0000-0x000000000BDC0000-memory.dmp

Filesize
64KB

Download
memory/2792-207-0x000000000BDE0000-0x000000000BDF0000-memory.dmp

Filesize
64KB

Download
memory/2792-208-0x000000000BDE0000-0x000000000BDF0000-memory.dmp

Filesize
64KB

Download
memory/2792-209-0x000000000BDE0000-0x000000000BDF0000-memory.dmp

Filesize
64KB

Download
memory/2792-210-0x000000000BDE0000-0x000000000BDF0000-memory.dmp

Filesize
64KB

Download
memory/2792-211-0x000000000BDB0000-0x000000000BDC0000-memory.dmp

Filesize
64KB

Download
memory/2792-1920-0x00000000724E0000-0x0000000072C90000-memory.dmp

Filesize
7.7MB

Download
memory/2792-214-0x000000000BDE0000-0x000000000BDF0000-memory.dmp

Filesize
64KB

Download
memory/2792-201-0x000000000BC60000-0x000000000BC6E000-memory.dmp

Filesize
56KB

Download
memory/2792-215-0x000000000BDB0000-0x000000000BDC0000-memory.dmp

Filesize
64KB

Download
memory/2792-200-0x000000000BC90000-0x000000000BCC8000-memory.dmp

Filesize
224KB

Download
memory/2792-132-0x00000000062E0000-0x0000000006884000-memory.dmp

Filesize
5.6MB

Download
memory/2792-131-0x00000000724E0000-0x0000000072C90000-memory.dmp

Filesize
7.7MB

Download
memory/2792-65-0x00000000724EE000-0x00000000724EF000-memory.dmp

Filesize
4KB

Download
memory/2792-1918-0x00000000724E0000-0x0000000072C90000-memory.dmp

Filesize
7.7MB

Download
memory/2792-72-0x0000000000B80000-0x000000000122E000-memory.dmp

Filesize
6.7MB

Download
memory/2792-1837-0x00000000724EE000-0x00000000724EF000-memory.dmp

Filesize
4KB

Download
memory/4132-1056-0x00007FF957CB0000-0x00007FF957CC0000-memory.dmp

Filesize
64KB

Download
memory/4132-1045-0x00007FF95A230000-0x00007FF95A240000-memory.dmp

Filesize
64KB

Download
memory/4132-1044-0x00007FF95A230000-0x00007FF95A240000-memory.dmp

Filesize
64KB

Download
memory/4132-1058-0x00007FF957CB0000-0x00007FF957CC0000-memory.dmp

Filesize
64KB

Download
memory/4132-1046-0x00007FF95A230000-0x00007FF95A240000-memory.dmp

Filesize
64KB

Download
memory/4132-1053-0x00007FF95A230000-0x00007FF95A240000-memory.dmp

Filesize
64KB

Download
memory/4132-1054-0x00007FF95A230000-0x00007FF95A240000-memory.dmp

Filesize
64KB

Download
memory/4928-130-0x0000000000400000-0x0000000000B6B000-memory.dmp

Filesize
7.4MB

Download
memory/4928-0-0x0000000000E70000-0x0000000000E71000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads