xred | 6701a7622b891288246ed09789f30ee54f6046a75b3ad7f1de3b31ab00a2d63f

Analysis

max time kernel
20s
max time network
21s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
04-01-2025 01:00

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

db69f19879e131fd35e882606148335c6dcb26cbea650d394ba519d76c57bb85.exe
Size

6KB
MD5

06303600a3a44eb2fbce248eb0fe9fc1
SHA1

ccfb720a50808469da5d67eea306d08f51e11538
SHA256

db69f19879e131fd35e882606148335c6dcb26cbea650d394ba519d76c57bb85
SHA512

b135f23760aba312cb0c0cab697d2ec4f735f5cad9011d3b11310eb9cc59f65c4ffdc757e4f39bdcf6c8abb3badb6865301ffd5ed817c1251b6ecabe21f17df9
SSDEEP

192:DfaOBqbo/qmA2LEnrtDINynT+vCgcJXB:OOY8tLqltJXB

Score

10^/10

xred backdoor discovery persistence upx

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred
Downloads MZ/PE file

Drops startup file 9 IoCs

description	ioc	Process
File created	C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\__tmp_rar_sfx_access_check_259455590	4.exe
File opened for modification	C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bykcxw.exe	4.exe
File created	C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cghqi.exe	4.exe
File opened for modification	C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cghqi.exe	4.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\cbas.lnk	wic.exe
File created	C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cbas.lnk	wic.exe
File created	C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bykcxw.exe	4.exe
File created	C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\clxa.exe	4.exe
File opened for modification	C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\clxa.exe	4.exe

Executes dropped EXE 9 IoCs

pid	Process
1156	1.exe
2784	._cache_1.exe
2724	Synaptics.exe
3012	._cache_Synaptics.exe
1048	2.exe
2520	3.exe
1252	._cache_2.exe
2656	4.exe
2900	wic.exe

Loads dropped DLL 17 IoCs

pid	Process
320	db69f19879e131fd35e882606148335c6dcb26cbea650d394ba519d76c57bb85.exe
320	db69f19879e131fd35e882606148335c6dcb26cbea650d394ba519d76c57bb85.exe
1156	1.exe
1156	1.exe
1156	1.exe
1156	1.exe
1156	1.exe
2724	Synaptics.exe
2724	Synaptics.exe
2724	Synaptics.exe
320	db69f19879e131fd35e882606148335c6dcb26cbea650d394ba519d76c57bb85.exe
320	db69f19879e131fd35e882606148335c6dcb26cbea650d394ba519d76c57bb85.exe
320	db69f19879e131fd35e882606148335c6dcb26cbea650d394ba519d76c57bb85.exe
320	db69f19879e131fd35e882606148335c6dcb26cbea650d394ba519d76c57bb85.exe
1048	2.exe
1048	2.exe
320	db69f19879e131fd35e882606148335c6dcb26cbea650d394ba519d76c57bb85.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	1.exe

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/320-0-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/files/0x0008000000016da7-21.dat	upx
behavioral1/memory/2784-39-0x0000000000400000-0x00000000004A4000-memory.dmp	upx
behavioral1/memory/3012-64-0x0000000000400000-0x00000000004A4000-memory.dmp	upx
behavioral1/memory/320-63-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/files/0x00060000000190e1-83.dat	upx
behavioral1/memory/2520-93-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/3012-103-0x0000000000400000-0x00000000004A4000-memory.dmp	upx
behavioral1/memory/2784-105-0x0000000000400000-0x00000000004A4000-memory.dmp	upx
behavioral1/memory/320-139-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2520-150-0x0000000000400000-0x000000000040C000-memory.dmp	upx

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\3.exe	db69f19879e131fd35e882606148335c6dcb26cbea650d394ba519d76c57bb85.exe
File created	C:\Program Files (x86)\4.exe	db69f19879e131fd35e882606148335c6dcb26cbea650d394ba519d76c57bb85.exe
File created	C:\Program Files (x86)\1.exe	db69f19879e131fd35e882606148335c6dcb26cbea650d394ba519d76c57bb85.exe
File created	C:\Program Files (x86)\2.exe	db69f19879e131fd35e882606148335c6dcb26cbea650d394ba519d76c57bb85.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\msslac.dll	wic.exe
File created	C:\Windows\wic.exe	db69f19879e131fd35e882606148335c6dcb26cbea650d394ba519d76c57bb85.exe
File created	C:\Windows\cbas.exe	wic.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	shutdown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	db69f19879e131fd35e882606148335c6dcb26cbea650d394ba519d76c57bb85.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_2.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main	._cache_2.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2856	shutdown.exe
Token: SeRemoteShutdownPrivilege	2856	shutdown.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
320	db69f19879e131fd35e882606148335c6dcb26cbea650d394ba519d76c57bb85.exe
1252	._cache_2.exe
1252	._cache_2.exe
2900	wic.exe
2900	wic.exe

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 320 wrote to memory of 1156	320	db69f19879e131fd35e882606148335c6dcb26cbea650d394ba519d76c57bb85.exe	32
PID 320 wrote to memory of 1156	320	db69f19879e131fd35e882606148335c6dcb26cbea650d394ba519d76c57bb85.exe	32
PID 320 wrote to memory of 1156	320	db69f19879e131fd35e882606148335c6dcb26cbea650d394ba519d76c57bb85.exe	32
PID 320 wrote to memory of 1156	320	db69f19879e131fd35e882606148335c6dcb26cbea650d394ba519d76c57bb85.exe	32
PID 1156 wrote to memory of 2784	1156	1.exe	33
PID 1156 wrote to memory of 2784	1156	1.exe	33
PID 1156 wrote to memory of 2784	1156	1.exe	33
PID 1156 wrote to memory of 2784	1156	1.exe	33
PID 1156 wrote to memory of 2724	1156	1.exe	34
PID 1156 wrote to memory of 2724	1156	1.exe	34
PID 1156 wrote to memory of 2724	1156	1.exe	34
PID 1156 wrote to memory of 2724	1156	1.exe	34
PID 2724 wrote to memory of 3012	2724	Synaptics.exe	35
PID 2724 wrote to memory of 3012	2724	Synaptics.exe	35
PID 2724 wrote to memory of 3012	2724	Synaptics.exe	35
PID 2724 wrote to memory of 3012	2724	Synaptics.exe	35
PID 320 wrote to memory of 1048	320	db69f19879e131fd35e882606148335c6dcb26cbea650d394ba519d76c57bb85.exe	36
PID 320 wrote to memory of 1048	320	db69f19879e131fd35e882606148335c6dcb26cbea650d394ba519d76c57bb85.exe	36
PID 320 wrote to memory of 1048	320	db69f19879e131fd35e882606148335c6dcb26cbea650d394ba519d76c57bb85.exe	36
PID 320 wrote to memory of 1048	320	db69f19879e131fd35e882606148335c6dcb26cbea650d394ba519d76c57bb85.exe	36
PID 320 wrote to memory of 2520	320	db69f19879e131fd35e882606148335c6dcb26cbea650d394ba519d76c57bb85.exe	37
PID 320 wrote to memory of 2520	320	db69f19879e131fd35e882606148335c6dcb26cbea650d394ba519d76c57bb85.exe	37
PID 320 wrote to memory of 2520	320	db69f19879e131fd35e882606148335c6dcb26cbea650d394ba519d76c57bb85.exe	37
PID 320 wrote to memory of 2520	320	db69f19879e131fd35e882606148335c6dcb26cbea650d394ba519d76c57bb85.exe	37
PID 1048 wrote to memory of 1252	1048	2.exe	38
PID 1048 wrote to memory of 1252	1048	2.exe	38
PID 1048 wrote to memory of 1252	1048	2.exe	38
PID 1048 wrote to memory of 1252	1048	2.exe	38
PID 320 wrote to memory of 2656	320	db69f19879e131fd35e882606148335c6dcb26cbea650d394ba519d76c57bb85.exe	39
PID 320 wrote to memory of 2656	320	db69f19879e131fd35e882606148335c6dcb26cbea650d394ba519d76c57bb85.exe	39
PID 320 wrote to memory of 2656	320	db69f19879e131fd35e882606148335c6dcb26cbea650d394ba519d76c57bb85.exe	39
PID 320 wrote to memory of 2656	320	db69f19879e131fd35e882606148335c6dcb26cbea650d394ba519d76c57bb85.exe	39
PID 320 wrote to memory of 2900	320	db69f19879e131fd35e882606148335c6dcb26cbea650d394ba519d76c57bb85.exe	40
PID 320 wrote to memory of 2900	320	db69f19879e131fd35e882606148335c6dcb26cbea650d394ba519d76c57bb85.exe	40
PID 320 wrote to memory of 2900	320	db69f19879e131fd35e882606148335c6dcb26cbea650d394ba519d76c57bb85.exe	40
PID 320 wrote to memory of 2900	320	db69f19879e131fd35e882606148335c6dcb26cbea650d394ba519d76c57bb85.exe	40
PID 2900 wrote to memory of 1700	2900	wic.exe	41
PID 2900 wrote to memory of 1700	2900	wic.exe	41
PID 2900 wrote to memory of 1700	2900	wic.exe	41
PID 2900 wrote to memory of 1700	2900	wic.exe	41
PID 1700 wrote to memory of 2856	1700	cmd.exe	43
PID 1700 wrote to memory of 2856	1700	cmd.exe	43
PID 1700 wrote to memory of 2856	1700	cmd.exe	43
PID 1700 wrote to memory of 2856	1700	cmd.exe	43

C:\Users\Admin\AppData\Local\Temp\db69f19879e131fd35e882606148335c6dcb26cbea650d394ba519d76c57bb85.exe
"C:\Users\Admin\AppData\Local\Temp\db69f19879e131fd35e882606148335c6dcb26cbea650d394ba519d76c57bb85.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:320
- C:\Program Files (x86)\1.exe
  "C:\Program Files (x86)\1.exe" 0
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1156
- - C:\Users\Admin\AppData\Local\Temp\._cache_1.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_1.exe" 0
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2784
- - C:\ProgramData\Synaptics\Synaptics.exe
    "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2724
  - - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
      "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3012
- C:\Program Files (x86)\2.exe
  "C:\Program Files (x86)\2.exe" 0
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1048
- - C:\Users\Admin\AppData\Local\Temp\._cache_2.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_2.exe" 0
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:1252
- C:\Program Files (x86)\3.exe
  "C:\Program Files (x86)\3.exe" 0
  2⤵
  - Executes dropped EXE
  PID:2520
- C:\Program Files (x86)\4.exe
  "C:\Program Files (x86)\4.exe" 0
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2656
- C:\Windows\wic.exe
  "C:\Windows\wic.exe" 0
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2900
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "shutdown /r /t 0"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1700
  - - C:\Windows\SysWOW64\shutdown.exe
      shutdown /r /t 0
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2856

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:928

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
PID:2924

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:2936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\1.exe

Filesize
811KB

MD5
d026cfe00b08da14b0a8b7f8860887d7

SHA1
08ef96351067f151c19b9cc21605ea018fb43a18

SHA256
e261d309f30de33a1ba0aa43604db15f3326c6c8c5b291bdd52f18ea361fe3dd

SHA512
4ef560ff8c6a9a143b9365884c0c999a1fbf5ee638f170ad96add2b8b56933038d573cb31f45724a7f1a7b6a35cd2557344bd55c746fc9e9da38ecd3bdd6361d

Download Submit
C:\Program Files (x86)\2.exe

Filesize
4.4MB

MD5
85a57509db3e9dfa7b4e451b8243220d

SHA1
ee21f93372218959f8b3dcefaa2c680d857e9e52

SHA256
fcd8d4592cf92fb9f9235a2774cdc8aff4265d4015269fb7aa995182f8ce26e1

SHA512
104615f2366e06cbba58a87f2e01d6806c1871c29af8277e06fcdb385f4ae6beb37c3bafd861c320a01303a287a68ae9b5d8640f29a39c21fe38ad9803ebe00d

Download Submit
C:\Program Files (x86)\3.exe

Filesize
9KB

MD5
1edb88f9ee745eaaee2cbd8219318eb0

SHA1
6561c12d51090972b6f866f38f8ed281c5c83313

SHA256
0ac1125284e2600d3714c0226f800f4d8d9aa291fa299bb1d33b7d8984b5e1c0

SHA512
a2a20a70c9e1db729f716706796027a5c9002ad000e75c0dced3ece6f26d76ee0803acc31d3a116266e711ec6a16d33c0668412238dfe0f128f3a841232ff4c5

Download Submit
C:\Program Files (x86)\4.exe

Filesize
338KB

MD5
39e7be73c7531ac895f75834fdc1bcd6

SHA1
646b88b488cf673c38b56fe7748c70b31bb29fc3

SHA256
a176e32335d81e69906f1c062e62247e97b8863f2c6148a36713e5bed5d16195

SHA512
e5c34ef2d309ef2071495a359999b9f8dbeb6d7db1daa67e82494d71b0f1e888d0958b5a503cb3b0e505b70f26cfefe362d6301599143bedb40a19fdb60ef072

Download Submit
C:\Windows\wic.exe

Filesize
3.3MB

MD5
6ad65b03e75bc5509ba3104510178ee6

SHA1
dba73f97938d2dab4bf8fb8076b363db82ad3a16

SHA256
4d74eb72321c5137ed364541deef19ddc30593fff62abab2a3d17a0bad7bd5c6

SHA512
976c7aba50e17271f6aea4ab80e7bc89e68727164d98d99566e0752b4989d716a849b0cc53f0321a53dce6086ef4cab1604aae8456ce76bfeacf185137aa8ba8

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_1.exe

Filesize
58KB

MD5
aed710082d6986c6dceed09d3a5edcc6

SHA1
02456d21cef29be4cb63004aea6aa225a90fd882

SHA256
5cbe5888cd034b95b14f4ad7c63f84f9c9bc605558c5cc484e26c13f1978399e

SHA512
4bccab62e816e296becd7318ff76d8fefa1f1cd25bdfcfb092c4424f3cc37e9edb46c90dae78d364c4406c954eaf75a6e18b7499d51b164d1ddf0136e4f52050

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_2.exe

Filesize
3.7MB

MD5
b7176450aebb9572b34e875984456ac1

SHA1
5d9d1824c5c235dcfc82e6e3af48b63d70016393

SHA256
f78dcb1b389c99240befde490f8c74d9c9487f54e1f523397aa056072003a4c2

SHA512
4c9aba9b92972312c87d2b875246b22dafcb49a0f519291fba823ce57dd9282e25489a7cddf7dfb432caa921602db6266b0e625aae780845824f91cf48d8f85d

Download Submit
memory/320-63-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/320-0-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/320-90-0x0000000001E40000-0x0000000001E4C000-memory.dmp

Filesize
48KB

Download
memory/320-91-0x0000000001E40000-0x0000000001E4C000-memory.dmp

Filesize
48KB

Download
memory/320-139-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1048-108-0x0000000000400000-0x0000000000874000-memory.dmp

Filesize
4.5MB

Download
memory/1156-48-0x0000000000400000-0x00000000004D1000-memory.dmp

Filesize
836KB

Download
memory/1156-15-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1156-28-0x0000000004290000-0x0000000004334000-memory.dmp

Filesize
656KB

Download
memory/1156-27-0x0000000004290000-0x0000000004334000-memory.dmp

Filesize
656KB

Download
memory/2520-93-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2520-150-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2724-61-0x0000000004090000-0x0000000004134000-memory.dmp

Filesize
656KB

Download
memory/2724-60-0x0000000004090000-0x0000000004134000-memory.dmp

Filesize
656KB

Download
memory/2724-144-0x0000000004090000-0x0000000004134000-memory.dmp

Filesize
656KB

Download
memory/2724-151-0x0000000000400000-0x00000000004D1000-memory.dmp

Filesize
836KB

Download
memory/2724-152-0x0000000000400000-0x00000000004D1000-memory.dmp

Filesize
836KB

Download
memory/2784-105-0x0000000000400000-0x00000000004A4000-memory.dmp

Filesize
656KB

Download
memory/2784-39-0x0000000000400000-0x00000000004A4000-memory.dmp

Filesize
656KB

Download
memory/3012-64-0x0000000000400000-0x00000000004A4000-memory.dmp

Filesize
656KB

Download
memory/3012-103-0x0000000000400000-0x00000000004A4000-memory.dmp

Filesize
656KB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads