xred | db69f19879e131fd35e882606148335c6dcb26cbea650d394ba519d76c57bb85

Analysis

max time kernel
9s
max time network
10s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
03-01-2025 04:38

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

db69f19879e131fd35e882606148335c6dcb26cbea650d394ba519d76c57bb85.exe
Size

6KB
MD5

06303600a3a44eb2fbce248eb0fe9fc1
SHA1

ccfb720a50808469da5d67eea306d08f51e11538
SHA256

db69f19879e131fd35e882606148335c6dcb26cbea650d394ba519d76c57bb85
SHA512

b135f23760aba312cb0c0cab697d2ec4f735f5cad9011d3b11310eb9cc59f65c4ffdc757e4f39bdcf6c8abb3badb6865301ffd5ed817c1251b6ecabe21f17df9
SSDEEP

192:DfaOBqbo/qmA2LEnrtDINynT+vCgcJXB:OOY8tLqltJXB

Score

10^/10

xred backdoor discovery persistence upx

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred
Downloads MZ/PE file

Drops startup file 9 IoCs

description	ioc	Process
File opened for modification	C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\clxa.exe	4.exe
File created	C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\__tmp_rar_sfx_access_check_259426948	4.exe
File created	C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bykcxw.exe	4.exe
File created	C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cghqi.exe	4.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\cbas.lnk	wic.exe
File created	C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cbas.lnk	wic.exe
File opened for modification	C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bykcxw.exe	4.exe
File opened for modification	C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cghqi.exe	4.exe
File created	C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\clxa.exe	4.exe

Executes dropped EXE 9 IoCs

pid	Process
3044	1.exe
2704	._cache_1.exe
2616	Synaptics.exe
2452	._cache_Synaptics.exe
372	2.exe
1752	._cache_2.exe
328	3.exe
1780	4.exe
2320	wic.exe

Loads dropped DLL 17 IoCs

pid	Process
2784	db69f19879e131fd35e882606148335c6dcb26cbea650d394ba519d76c57bb85.exe
2784	db69f19879e131fd35e882606148335c6dcb26cbea650d394ba519d76c57bb85.exe
3044	1.exe
3044	1.exe
3044	1.exe
3044	1.exe
3044	1.exe
2616	Synaptics.exe
2616	Synaptics.exe
2616	Synaptics.exe
2784	db69f19879e131fd35e882606148335c6dcb26cbea650d394ba519d76c57bb85.exe
2784	db69f19879e131fd35e882606148335c6dcb26cbea650d394ba519d76c57bb85.exe
372	2.exe
372	2.exe
2784	db69f19879e131fd35e882606148335c6dcb26cbea650d394ba519d76c57bb85.exe
2784	db69f19879e131fd35e882606148335c6dcb26cbea650d394ba519d76c57bb85.exe
2784	db69f19879e131fd35e882606148335c6dcb26cbea650d394ba519d76c57bb85.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	1.exe

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2784-0-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/files/0x0007000000016d33-31.dat	upx
behavioral1/memory/2704-38-0x0000000000400000-0x00000000004A4000-memory.dmp	upx
behavioral1/memory/2452-62-0x0000000000400000-0x00000000004A4000-memory.dmp	upx
behavioral1/memory/328-144-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/files/0x0005000000019501-143.dat	upx
behavioral1/memory/2784-142-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2784-177-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2704-192-0x0000000000400000-0x00000000004A4000-memory.dmp	upx
behavioral1/memory/2452-189-0x0000000000400000-0x00000000004A4000-memory.dmp	upx
behavioral1/memory/328-187-0x0000000000400000-0x000000000040C000-memory.dmp	upx

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\1.exe	db69f19879e131fd35e882606148335c6dcb26cbea650d394ba519d76c57bb85.exe
File created	C:\Program Files (x86)\2.exe	db69f19879e131fd35e882606148335c6dcb26cbea650d394ba519d76c57bb85.exe
File created	C:\Program Files (x86)\3.exe	db69f19879e131fd35e882606148335c6dcb26cbea650d394ba519d76c57bb85.exe
File created	C:\Program Files (x86)\4.exe	db69f19879e131fd35e882606148335c6dcb26cbea650d394ba519d76c57bb85.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\wic.exe	db69f19879e131fd35e882606148335c6dcb26cbea650d394ba519d76c57bb85.exe
File created	C:\Windows\cbas.exe	wic.exe
File created	C:\Windows\msslac.dll	wic.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	db69f19879e131fd35e882606148335c6dcb26cbea650d394ba519d76c57bb85.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	shutdown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	._cache_2.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2996	EXCEL.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeShutdownPrivilege	832	shutdown.exe
Token: SeRemoteShutdownPrivilege	832	shutdown.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
2784	db69f19879e131fd35e882606148335c6dcb26cbea650d394ba519d76c57bb85.exe
2996	EXCEL.EXE
1752	._cache_2.exe
1752	._cache_2.exe
2320	wic.exe
2320	wic.exe
2996	EXCEL.EXE
2996	EXCEL.EXE

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 2784 wrote to memory of 3044	2784	db69f19879e131fd35e882606148335c6dcb26cbea650d394ba519d76c57bb85.exe	30
PID 2784 wrote to memory of 3044	2784	db69f19879e131fd35e882606148335c6dcb26cbea650d394ba519d76c57bb85.exe	30
PID 2784 wrote to memory of 3044	2784	db69f19879e131fd35e882606148335c6dcb26cbea650d394ba519d76c57bb85.exe	30
PID 2784 wrote to memory of 3044	2784	db69f19879e131fd35e882606148335c6dcb26cbea650d394ba519d76c57bb85.exe	30
PID 3044 wrote to memory of 2704	3044	1.exe	31
PID 3044 wrote to memory of 2704	3044	1.exe	31
PID 3044 wrote to memory of 2704	3044	1.exe	31
PID 3044 wrote to memory of 2704	3044	1.exe	31
PID 3044 wrote to memory of 2616	3044	1.exe	32
PID 3044 wrote to memory of 2616	3044	1.exe	32
PID 3044 wrote to memory of 2616	3044	1.exe	32
PID 3044 wrote to memory of 2616	3044	1.exe	32
PID 2616 wrote to memory of 2452	2616	Synaptics.exe	34
PID 2616 wrote to memory of 2452	2616	Synaptics.exe	34
PID 2616 wrote to memory of 2452	2616	Synaptics.exe	34
PID 2616 wrote to memory of 2452	2616	Synaptics.exe	34
PID 2784 wrote to memory of 372	2784	db69f19879e131fd35e882606148335c6dcb26cbea650d394ba519d76c57bb85.exe	36
PID 2784 wrote to memory of 372	2784	db69f19879e131fd35e882606148335c6dcb26cbea650d394ba519d76c57bb85.exe	36
PID 2784 wrote to memory of 372	2784	db69f19879e131fd35e882606148335c6dcb26cbea650d394ba519d76c57bb85.exe	36
PID 2784 wrote to memory of 372	2784	db69f19879e131fd35e882606148335c6dcb26cbea650d394ba519d76c57bb85.exe	36
PID 372 wrote to memory of 1752	372	2.exe	37
PID 372 wrote to memory of 1752	372	2.exe	37
PID 372 wrote to memory of 1752	372	2.exe	37
PID 372 wrote to memory of 1752	372	2.exe	37
PID 2784 wrote to memory of 328	2784	db69f19879e131fd35e882606148335c6dcb26cbea650d394ba519d76c57bb85.exe	38
PID 2784 wrote to memory of 328	2784	db69f19879e131fd35e882606148335c6dcb26cbea650d394ba519d76c57bb85.exe	38
PID 2784 wrote to memory of 328	2784	db69f19879e131fd35e882606148335c6dcb26cbea650d394ba519d76c57bb85.exe	38
PID 2784 wrote to memory of 328	2784	db69f19879e131fd35e882606148335c6dcb26cbea650d394ba519d76c57bb85.exe	38
PID 2784 wrote to memory of 1780	2784	db69f19879e131fd35e882606148335c6dcb26cbea650d394ba519d76c57bb85.exe	39
PID 2784 wrote to memory of 1780	2784	db69f19879e131fd35e882606148335c6dcb26cbea650d394ba519d76c57bb85.exe	39
PID 2784 wrote to memory of 1780	2784	db69f19879e131fd35e882606148335c6dcb26cbea650d394ba519d76c57bb85.exe	39
PID 2784 wrote to memory of 1780	2784	db69f19879e131fd35e882606148335c6dcb26cbea650d394ba519d76c57bb85.exe	39
PID 2784 wrote to memory of 2320	2784	db69f19879e131fd35e882606148335c6dcb26cbea650d394ba519d76c57bb85.exe	40
PID 2784 wrote to memory of 2320	2784	db69f19879e131fd35e882606148335c6dcb26cbea650d394ba519d76c57bb85.exe	40
PID 2784 wrote to memory of 2320	2784	db69f19879e131fd35e882606148335c6dcb26cbea650d394ba519d76c57bb85.exe	40
PID 2784 wrote to memory of 2320	2784	db69f19879e131fd35e882606148335c6dcb26cbea650d394ba519d76c57bb85.exe	40
PID 2320 wrote to memory of 1572	2320	wic.exe	41
PID 2320 wrote to memory of 1572	2320	wic.exe	41
PID 2320 wrote to memory of 1572	2320	wic.exe	41
PID 2320 wrote to memory of 1572	2320	wic.exe	41
PID 1572 wrote to memory of 832	1572	cmd.exe	43
PID 1572 wrote to memory of 832	1572	cmd.exe	43
PID 1572 wrote to memory of 832	1572	cmd.exe	43
PID 1572 wrote to memory of 832	1572	cmd.exe	43

C:\Users\Admin\AppData\Local\Temp\db69f19879e131fd35e882606148335c6dcb26cbea650d394ba519d76c57bb85.exe
"C:\Users\Admin\AppData\Local\Temp\db69f19879e131fd35e882606148335c6dcb26cbea650d394ba519d76c57bb85.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2784
- C:\Program Files (x86)\1.exe
  "C:\Program Files (x86)\1.exe" 0
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3044
- - C:\Users\Admin\AppData\Local\Temp\._cache_1.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_1.exe" 0
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2704
- - C:\ProgramData\Synaptics\Synaptics.exe
    "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2616
  - - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
      "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2452
- C:\Program Files (x86)\2.exe
  "C:\Program Files (x86)\2.exe" 0
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:372
- - C:\Users\Admin\AppData\Local\Temp\._cache_2.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_2.exe" 0
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:1752
- C:\Program Files (x86)\3.exe
  "C:\Program Files (x86)\3.exe" 0
  2⤵
  - Executes dropped EXE
  PID:328
- C:\Program Files (x86)\4.exe
  "C:\Program Files (x86)\4.exe" 0
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1780
- C:\Windows\wic.exe
  "C:\Windows\wic.exe" 0
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2320
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "shutdown /r /t 0"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1572
  - - C:\Windows\SysWOW64\shutdown.exe
      shutdown /r /t 0
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:832

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2996

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:3040

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:2776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\1.exe

Filesize
811KB

MD5
d026cfe00b08da14b0a8b7f8860887d7

SHA1
08ef96351067f151c19b9cc21605ea018fb43a18

SHA256
e261d309f30de33a1ba0aa43604db15f3326c6c8c5b291bdd52f18ea361fe3dd

SHA512
4ef560ff8c6a9a143b9365884c0c999a1fbf5ee638f170ad96add2b8b56933038d573cb31f45724a7f1a7b6a35cd2557344bd55c746fc9e9da38ecd3bdd6361d

Download Submit
C:\Program Files (x86)\2.exe

Filesize
4.4MB

MD5
85a57509db3e9dfa7b4e451b8243220d

SHA1
ee21f93372218959f8b3dcefaa2c680d857e9e52

SHA256
fcd8d4592cf92fb9f9235a2774cdc8aff4265d4015269fb7aa995182f8ce26e1

SHA512
104615f2366e06cbba58a87f2e01d6806c1871c29af8277e06fcdb385f4ae6beb37c3bafd861c320a01303a287a68ae9b5d8640f29a39c21fe38ad9803ebe00d

Download Submit
C:\Program Files (x86)\3.exe

Filesize
9KB

MD5
1edb88f9ee745eaaee2cbd8219318eb0

SHA1
6561c12d51090972b6f866f38f8ed281c5c83313

SHA256
0ac1125284e2600d3714c0226f800f4d8d9aa291fa299bb1d33b7d8984b5e1c0

SHA512
a2a20a70c9e1db729f716706796027a5c9002ad000e75c0dced3ece6f26d76ee0803acc31d3a116266e711ec6a16d33c0668412238dfe0f128f3a841232ff4c5

Download Submit
C:\Program Files (x86)\4.exe

Filesize
338KB

MD5
39e7be73c7531ac895f75834fdc1bcd6

SHA1
646b88b488cf673c38b56fe7748c70b31bb29fc3

SHA256
a176e32335d81e69906f1c062e62247e97b8863f2c6148a36713e5bed5d16195

SHA512
e5c34ef2d309ef2071495a359999b9f8dbeb6d7db1daa67e82494d71b0f1e888d0958b5a503cb3b0e505b70f26cfefe362d6301599143bedb40a19fdb60ef072

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_1.exe

Filesize
58KB

MD5
aed710082d6986c6dceed09d3a5edcc6

SHA1
02456d21cef29be4cb63004aea6aa225a90fd882

SHA256
5cbe5888cd034b95b14f4ad7c63f84f9c9bc605558c5cc484e26c13f1978399e

SHA512
4bccab62e816e296becd7318ff76d8fefa1f1cd25bdfcfb092c4424f3cc37e9edb46c90dae78d364c4406c954eaf75a6e18b7499d51b164d1ddf0136e4f52050

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_2.exe

Filesize
3.7MB

MD5
b7176450aebb9572b34e875984456ac1

SHA1
5d9d1824c5c235dcfc82e6e3af48b63d70016393

SHA256
f78dcb1b389c99240befde490f8c74d9c9487f54e1f523397aa056072003a4c2

SHA512
4c9aba9b92972312c87d2b875246b22dafcb49a0f519291fba823ce57dd9282e25489a7cddf7dfb432caa921602db6266b0e625aae780845824f91cf48d8f85d

Download Submit
C:\Users\Admin\AppData\Local\Temp\mePIPkR7.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\mePIPkR7.xlsm

Filesize
22KB

MD5
ac586fec0f75e58cad5868d4fbe7194c

SHA1
b315d91889aa2d0016979199d9d91aedba61f7a5

SHA256
7e5ca61cc0f2c6543e2de3bdff606f7a7cae86a57402e2f1abd26b4e5e5250dc

SHA512
7f82029392bf58d801a03ec16d7915ec159c8403988b60809ab713bb05a4692d1c5b12079b752518fe2a708daed6dfd228876b17ba92d83e6c9b0df1eb17114b

Download Submit
C:\Windows\wic.exe

Filesize
3.3MB

MD5
6ad65b03e75bc5509ba3104510178ee6

SHA1
dba73f97938d2dab4bf8fb8076b363db82ad3a16

SHA256
4d74eb72321c5137ed364541deef19ddc30593fff62abab2a3d17a0bad7bd5c6

SHA512
976c7aba50e17271f6aea4ab80e7bc89e68727164d98d99566e0752b4989d716a849b0cc53f0321a53dce6086ef4cab1604aae8456ce76bfeacf185137aa8ba8

Download Submit
memory/328-187-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/328-144-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/372-128-0x0000000000400000-0x0000000000874000-memory.dmp

Filesize
4.5MB

Download
memory/2452-62-0x0000000000400000-0x00000000004A4000-memory.dmp

Filesize
656KB

Download
memory/2452-189-0x0000000000400000-0x00000000004A4000-memory.dmp

Filesize
656KB

Download
memory/2616-60-0x0000000004080000-0x0000000004124000-memory.dmp

Filesize
656KB

Download
memory/2616-61-0x0000000004080000-0x0000000004124000-memory.dmp

Filesize
656KB

Download
memory/2616-190-0x0000000000400000-0x00000000004D1000-memory.dmp

Filesize
836KB

Download
memory/2704-38-0x0000000000400000-0x00000000004A4000-memory.dmp

Filesize
656KB

Download
memory/2704-192-0x0000000000400000-0x00000000004A4000-memory.dmp

Filesize
656KB

Download
memory/2784-0-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2784-137-0x00000000034D0000-0x00000000034DC000-memory.dmp

Filesize
48KB

Download
memory/2784-177-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2784-142-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2996-63-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/3044-15-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/3044-37-0x0000000004050000-0x00000000040F4000-memory.dmp

Filesize
656KB

Download
memory/3044-47-0x0000000000400000-0x00000000004D1000-memory.dmp

Filesize
836KB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads