xred | 29a4b28a5bf962b4199486b9ae16431f4b338b7ea1c752b407be6e27579570bf

Analysis

max time kernel
111s
max time network
118s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
01-01-2025 14:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

29a4b28a5bf962b4199486b9ae16431f4b338b7ea1c752b407be6e27579570bfN.exe
Size

2.4MB
MD5

3b4645f991532abe60ba20d5f4733aa0
SHA1

b2c88769c1dd5f4c4e55ab50fe6112e277d3a4fd
SHA256

29a4b28a5bf962b4199486b9ae16431f4b338b7ea1c752b407be6e27579570bf
SHA512

dcb3fafdc053f180cba418a75974398073d2cdb3861686827a0317f77d3d308760432c8fcee40cdf012846b72ff5004d103ab01f0ca8c32555359b41546febab
SSDEEP

49152:nnsHyjtk2MYC5GD/14+yZbWBgo3RFH54jcwcJOi7Wz4xwI+M/ae4:nnsmtk2aA1fyZbWBgo3PH541cJrWz4xq

Score

10^/10

xred backdoor discovery persistence

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	29a4b28a5bf962b4199486b9ae16431f4b338b7ea1c752b407be6e27579570bfN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Synaptics.exe

Executes dropped EXE 3 IoCs

pid	Process
2316	._cache_29a4b28a5bf962b4199486b9ae16431f4b338b7ea1c752b407be6e27579570bfN.exe
4128	Synaptics.exe
4572	._cache_Synaptics.exe

Loads dropped DLL 6 IoCs

pid	Process
2316	._cache_29a4b28a5bf962b4199486b9ae16431f4b338b7ea1c752b407be6e27579570bfN.exe
4572	._cache_Synaptics.exe
4572	._cache_Synaptics.exe
2316	._cache_29a4b28a5bf962b4199486b9ae16431f4b338b7ea1c752b407be6e27579570bfN.exe
2316	._cache_29a4b28a5bf962b4199486b9ae16431f4b338b7ea1c752b407be6e27579570bfN.exe
4572	._cache_Synaptics.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	29a4b28a5bf962b4199486b9ae16431f4b338b7ea1c752b407be6e27579570bfN.exe

Drops file in Program Files directory 26 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\VAGDashCOM\LoginDetectorVAG\DLL\vagau2.dll	._cache_29a4b28a5bf962b4199486b9ae16431f4b338b7ea1c752b407be6e27579570bfN.exe
File created	C:\Program Files (x86)\VAGDashCOM\LoginDetectorVAG\DICT\me_de.hlp	._cache_29a4b28a5bf962b4199486b9ae16431f4b338b7ea1c752b407be6e27579570bfN.exe
File opened for modification	C:\Program Files (x86)\VAGDashCOM\LoginDetectorVAG\LoginDetectorVAG.exe	._cache_Synaptics.exe
File opened for modification	C:\Program Files (x86)\VAGDashCOM\LoginDetectorVAG\DLL\vagau.dll	._cache_Synaptics.exe
File opened for modification	C:\Program Files (x86)\VAGDashCOM\LoginDetectorVAG\DICT\me_de.hlp	._cache_Synaptics.exe
File opened for modification	C:\Program Files (x86)\VAGDashCOM\LoginDetectorVAG\DICT\me_en.hlp	._cache_Synaptics.exe
File created	C:\Program Files (x86)\VAGDashCOM\LoginDetectorVAG\DLL\vagvd.dll	._cache_29a4b28a5bf962b4199486b9ae16431f4b338b7ea1c752b407be6e27579570bfN.exe
File created	C:\Program Files (x86)\VAGDashCOM\LoginDetectorVAG\DLL\vagmm.dll	._cache_29a4b28a5bf962b4199486b9ae16431f4b338b7ea1c752b407be6e27579570bfN.exe
File created	C:\Program Files (x86)\VAGDashCOM\LoginDetectorVAG\DLL\vagmm2.dll	._cache_29a4b28a5bf962b4199486b9ae16431f4b338b7ea1c752b407be6e27579570bfN.exe
File opened for modification	C:\Program Files (x86)\VAGDashCOM\LoginDetectorVAG\DLL\vagau2.dll	._cache_Synaptics.exe
File opened for modification	C:\Program Files (x86)\VAGDashCOM\LoginDetectorVAG\DLL\vagvd2.dll	._cache_Synaptics.exe
File created	C:\Program Files (x86)\VAGDashCOM\LoginDetectorVAG\Uninstall.exe	._cache_29a4b28a5bf962b4199486b9ae16431f4b338b7ea1c752b407be6e27579570bfN.exe
File opened for modification	C:\Program Files (x86)\VAGDashCOM\LoginDetectorVAG\Uninstall.exe	._cache_Synaptics.exe
File opened for modification	C:\Program Files (x86)\VAGDashCOM\LoginDetectorVAG\DLL\vagmm2.dll	._cache_Synaptics.exe
File opened for modification	C:\Program Files (x86)\VAGDashCOM\LoginDetectorVAG\DICT\edc_de.hlp	._cache_Synaptics.exe
File created	C:\Program Files (x86)\VAGDashCOM\LoginDetectorVAG\DICT\me_en.hlp	._cache_29a4b28a5bf962b4199486b9ae16431f4b338b7ea1c752b407be6e27579570bfN.exe
File created	C:\Program Files (x86)\VAGDashCOM\LoginDetectorVAG\dat.dat	._cache_29a4b28a5bf962b4199486b9ae16431f4b338b7ea1c752b407be6e27579570bfN.exe
File created	C:\Program Files (x86)\VAGDashCOM\LoginDetectorVAG\DLL\vagau.dll	._cache_29a4b28a5bf962b4199486b9ae16431f4b338b7ea1c752b407be6e27579570bfN.exe
File created	C:\Program Files (x86)\VAGDashCOM\LoginDetectorVAG\DLL\vagvd2.dll	._cache_29a4b28a5bf962b4199486b9ae16431f4b338b7ea1c752b407be6e27579570bfN.exe
File created	C:\Program Files (x86)\VAGDashCOM\LoginDetectorVAG\USB\VAGdashCOM.inf	._cache_29a4b28a5bf962b4199486b9ae16431f4b338b7ea1c752b407be6e27579570bfN.exe
File created	C:\Program Files (x86)\VAGDashCOM\LoginDetectorVAG\DICT\edc_de.hlp	._cache_29a4b28a5bf962b4199486b9ae16431f4b338b7ea1c752b407be6e27579570bfN.exe
File opened for modification	C:\Program Files (x86)\VAGDashCOM\LoginDetectorVAG\dat.dat	._cache_Synaptics.exe
File opened for modification	C:\Program Files (x86)\VAGDashCOM\LoginDetectorVAG\DLL\vagmm.dll	._cache_Synaptics.exe
File created	C:\Program Files (x86)\VAGDashCOM\LoginDetectorVAG\LoginDetectorVAG.exe	._cache_29a4b28a5bf962b4199486b9ae16431f4b338b7ea1c752b407be6e27579570bfN.exe
File opened for modification	C:\Program Files (x86)\VAGDashCOM\LoginDetectorVAG\USB\VAGdashCOM.inf	._cache_Synaptics.exe
File opened for modification	C:\Program Files (x86)\VAGDashCOM\LoginDetectorVAG\DLL\vagvd.dll	._cache_Synaptics.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	29a4b28a5bf962b4199486b9ae16431f4b338b7ea1c752b407be6e27579570bfN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_29a4b28a5bf962b4199486b9ae16431f4b338b7ea1c752b407be6e27579570bfN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe

NSIS installer 5 IoCs

installer

resource	yara_rule
behavioral2/files/0x000a000000023c66-5.dat	nsis_installer_1
behavioral2/files/0x000a000000023c66-5.dat	nsis_installer_2
behavioral2/files/0x0007000000023ccb-66.dat	nsis_installer_2
behavioral2/files/0x0007000000023cff-383.dat	nsis_installer_1
behavioral2/files/0x0007000000023cff-383.dat	nsis_installer_2

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	29a4b28a5bf962b4199486b9ae16431f4b338b7ea1c752b407be6e27579570bfN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3916	EXCEL.EXE

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
3916	EXCEL.EXE
3916	EXCEL.EXE
3916	EXCEL.EXE
3916	EXCEL.EXE

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4332 wrote to memory of 2316	4332	29a4b28a5bf962b4199486b9ae16431f4b338b7ea1c752b407be6e27579570bfN.exe	82
PID 4332 wrote to memory of 2316	4332	29a4b28a5bf962b4199486b9ae16431f4b338b7ea1c752b407be6e27579570bfN.exe	82
PID 4332 wrote to memory of 2316	4332	29a4b28a5bf962b4199486b9ae16431f4b338b7ea1c752b407be6e27579570bfN.exe	82
PID 4332 wrote to memory of 4128	4332	29a4b28a5bf962b4199486b9ae16431f4b338b7ea1c752b407be6e27579570bfN.exe	83
PID 4332 wrote to memory of 4128	4332	29a4b28a5bf962b4199486b9ae16431f4b338b7ea1c752b407be6e27579570bfN.exe	83
PID 4332 wrote to memory of 4128	4332	29a4b28a5bf962b4199486b9ae16431f4b338b7ea1c752b407be6e27579570bfN.exe	83
PID 4128 wrote to memory of 4572	4128	Synaptics.exe	84
PID 4128 wrote to memory of 4572	4128	Synaptics.exe	84
PID 4128 wrote to memory of 4572	4128	Synaptics.exe	84

C:\Users\Admin\AppData\Local\Temp\29a4b28a5bf962b4199486b9ae16431f4b338b7ea1c752b407be6e27579570bfN.exe
"C:\Users\Admin\AppData\Local\Temp\29a4b28a5bf962b4199486b9ae16431f4b338b7ea1c752b407be6e27579570bfN.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4332
- C:\Users\Admin\AppData\Local\Temp\._cache_29a4b28a5bf962b4199486b9ae16431f4b338b7ea1c752b407be6e27579570bfN.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_29a4b28a5bf962b4199486b9ae16431f4b338b7ea1c752b407be6e27579570bfN.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  PID:2316
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4128
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    PID:4572

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\VAGDashCOM\LoginDetectorVAG\LoginDetectorVAG.exe

Filesize
3.3MB

MD5
bfc7075df4dedc8d27a448fa049c1ae9

SHA1
ceaf35afd0e73d0b575380792612265d9e0ae7a3

SHA256
8da6c9c9e7093d873bfcb32d90103ff400b3d9bd74111ec7a38cdb7841feffaf

SHA512
895f645bbe541530b53527fe4dfefc678896dfba717f195a5d9b2632760468c704e06f64ac4d00c840e9814adadc568c2afed57da43235503b4a1194ca0eb93a

Download Submit
C:\Program Files (x86)\VAGDashCOM\LoginDetectorVAG\Uninstall.exe

Filesize
63KB

MD5
7f1c07732b1044b9c6dcf5c13770dd01

SHA1
b284a42ad97f2f1150f04f11198e257850b8d520

SHA256
d01841c85b3e05931ad98e32903f0f43d8632c8bfb30e2dbaa4abb1fec07f456

SHA512
1b4646ea7c5dea9d4b0f295de44884b30a333b6862b4c173a155c09afea521f19c90debc309fb75d9d2f744921bc58ee92a196175d3d582904f743ad01b31280

Download Submit
C:\ProgramData\Synaptics\Synaptics.exe

Filesize
2.4MB

MD5
3b4645f991532abe60ba20d5f4733aa0

SHA1
b2c88769c1dd5f4c4e55ab50fe6112e277d3a4fd

SHA256
29a4b28a5bf962b4199486b9ae16431f4b338b7ea1c752b407be6e27579570bf

SHA512
dcb3fafdc053f180cba418a75974398073d2cdb3861686827a0317f77d3d308760432c8fcee40cdf012846b72ff5004d103ab01f0ca8c32555359b41546febab

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_29a4b28a5bf962b4199486b9ae16431f4b338b7ea1c752b407be6e27579570bfN.exe

Filesize
1.7MB

MD5
c768f7fb0bcc48b31aea0d739ee4d072

SHA1
54e7330e3ba39704524bde99578acdad479b7896

SHA256
c82d6599b7b900469d0f9ff02fe3e3badc488703f877d23b31e71a3bf8604d2c

SHA512
cd5c8ca0af02375538cabc79daa3f7bdde430383fe1f1a540814acc1b86941ac21f463c54ff0e0f2fa5209d21f32e48d25031dff62e9d8fbbc74b5b893035d7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskC4A9.tmp\LangDLL.dll

Filesize
5KB

MD5
c9ac0758ce8c10793d39655064c653cb

SHA1
8ba1f9dfcc671b5102f5940da67570c28252bc71

SHA256
161d69c50e5c50d853fda129b6f6f6bc241214b87d13a33bf93543e7e6886119

SHA512
54a8c2ded9a42de867c8a89a11701bcdb5d51aea168c4f3ffe8991859cf26f15d478b6111c85732c1059edbfd9408e42ca830706347a8ac87c5064e47d823349

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskC4A9.tmp\StartMenu.dll

Filesize
7KB

MD5
3d8f82aa21fd7861890594027f39879f

SHA1
5fecbecabc15f639c7b3fb57400f6ca6e192a73e

SHA256
4bc38ffc6d1b09108be0031874bbebb3bd892eac86498c76a60a33c1e3c80d9e

SHA512
28ebf820047a27e3a7f0f2fa593af5492e27dddf62ea0c2ca633840fa68fb8b893b1c194f8456869d175eaf5a34f6146fb01f95898007ce19ed29438a1fee65e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskC4A9.tmp\ioSpecial.ini

Filesize
700B

MD5
1d7cacdaade98de0eff6dd56e74857c2

SHA1
3eb494d2979ec81b1e413763cc6daf86bf46cdc2

SHA256
1325ef094debd705cb5c0104c19ad7bf2ad8a3864319dae35ec8a20526b955f7

SHA512
4dc165a3162f1445503a9fc84ae4483a7349f23c9f8f3895bd762570939324fa7610b9a8293896660e81443ca3f4451ab808989e27327a31be1d0410f4883f1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmC9D9.tmp\InstallOptions.dll

Filesize
14KB

MD5
f62d03fcb1473110e920a9bb2c701006

SHA1
c48444ef2daa60dcdf91f1645cd4ecd8e66545f7

SHA256
17e2f205af12d5a86638dc83c95fc69199c41af2fa6daeb1e91ec330f68c5372

SHA512
701d531d405d08054d53298141d5bbd56e74df7b22bcea5f9f0e5c4407421ea0ca9617aa84e740dc1dc44e6d14e58852c1ca2087213cc2319f2da44eaed0bc05

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmC9D9.tmp\ioSpecial.ini

Filesize
700B

MD5
3260aaf7ab72f591a18b2916ddb79936

SHA1
0a96716d24d1fff4078e5316e4a645e378843ae7

SHA256
5fba016ebc40cdfc7365e60ffe29704bc05bb48df704ccff8f731ce47e47cd44

SHA512
69a3dbf364479ba2e419acaca9d550eeeafaa2d926b8e95967c5e8e3c1e760eff48c0532ee120689c8d070f5737e12f2a8177c9c07355c6141f12484d8596070

Download Submit
C:\Users\Admin\AppData\Local\Temp\wItWW3aH.xlsm

Filesize
17KB

MD5
af4d37aad8b34471da588360a43e768a

SHA1
83ed64667d4e68ea531b8bcf58aab3ed4a5ca998

SHA256
e7550c3453156531308fda255a198c3710aa4bc7412819c180b103c11e85cef1

SHA512
74f5000038c47b7c909c4ee5740e0e87cac12c9c96fff8b1c7ec749541ee3d4b7efd80f9ac02cd39809dca3f2707d0063fa852a3a541342d93a9d03de08823da

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\LoginDetectorVAG\LoginDetectorVAG.lnk

Filesize
2KB

MD5
90ee8ac4f054db6c2dcdab0c4b9a8d1b

SHA1
5bf3a32801aa9d3b586a1c396349f2ee25d5773d

SHA256
fe62ee59c0b9b999bd0d7fb4eecc4f9a51ffa96a614cda958bdd0404cf5425b9

SHA512
47ee562d6df1a39a58538e8216553bc32f0d52cb23dbd312a0dbf9533f2936ec5d0f34f7bdef26df4de649ee2ecb93739b3356de1638411e514d81817758929d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\LoginDetectorVAG\Uninstall.lnk

Filesize
1KB

MD5
b3afc4a9bad9cbc2b133a75e870adb8c

SHA1
51f3a8857c9b1a6e03017dc5309dc0938faaaa2b

SHA256
5279a803a162c294b093340dc4682e7861bd9c20a972d35578e47b1480cbc3ec

SHA512
a30e5dc075704e3f80900377bb54e553bb17f53598f095ef676917e67cf8feb92a6447f6fa8d105664934e66f14ecb52248140f5cfb0b7594b9ed30005ac5113

Download Submit
memory/3916-179-0x00007FFD434F0000-0x00007FFD43500000-memory.dmp

Filesize
64KB

Download
memory/3916-170-0x00007FFD45D50000-0x00007FFD45D60000-memory.dmp

Filesize
64KB

Download
memory/3916-178-0x00007FFD434F0000-0x00007FFD43500000-memory.dmp

Filesize
64KB

Download
memory/3916-177-0x00007FFD45D50000-0x00007FFD45D60000-memory.dmp

Filesize
64KB

Download
memory/3916-175-0x00007FFD45D50000-0x00007FFD45D60000-memory.dmp

Filesize
64KB

Download
memory/3916-174-0x00007FFD45D50000-0x00007FFD45D60000-memory.dmp

Filesize
64KB

Download
memory/3916-176-0x00007FFD45D50000-0x00007FFD45D60000-memory.dmp

Filesize
64KB

Download
memory/4128-346-0x0000000000820000-0x0000000000821000-memory.dmp

Filesize
4KB

Download
memory/4128-345-0x0000000000400000-0x0000000000677000-memory.dmp

Filesize
2.5MB

Download
memory/4128-107-0x0000000000820000-0x0000000000821000-memory.dmp

Filesize
4KB

Download
memory/4128-414-0x0000000000400000-0x0000000000677000-memory.dmp

Filesize
2.5MB

Download
memory/4128-445-0x0000000000400000-0x0000000000677000-memory.dmp

Filesize
2.5MB

Download
memory/4332-0-0x0000000002520000-0x0000000002521000-memory.dmp

Filesize
4KB

Download
memory/4332-106-0x0000000000400000-0x0000000000677000-memory.dmp

Filesize
2.5MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads