xred | dc3191c2db33b0d07d84df6ac9cbe42b8fad690baf1cb18d9362eeaa902e4d45

Analysis

max time kernel
149s
max time network
142s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
29-01-2025 23:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-01-29_f19be4307d4e92b4c63c10769de4fc2b_mafia.exe
Size

6.6MB
MD5

f19be4307d4e92b4c63c10769de4fc2b
SHA1

fdda128bf119fd694a8f2a27bb106918b4331f57
SHA256

dc3191c2db33b0d07d84df6ac9cbe42b8fad690baf1cb18d9362eeaa902e4d45
SHA512

11411c200d24282aa8e39e7e365763b1f09706133894544f6d7ce9114c4796946a659bd89c5c14f9d7b1e76b61aaf0cd76fbe26a729dc6b1dfeb256556cdcaf3
SSDEEP

196608:jcvooVgSF3zajKNSPyTcvooVgSF3zajKNSPyqcvooVgSF3zajKNSPy0OrFV:iVHF3PSVHF3P7VHF3PBrFV

Score

10^/10

xred backdoor discovery persistence

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Executes dropped EXE 6 IoCs

pid	Process
2816	._cache_2025-01-29_f19be4307d4e92b4c63c10769de4fc2b_mafia.exe
2084	zmtrwm.exe
1256	Synaptics.exe
824	Synaptics.exe
684	._cache_Synaptics.exe
2392	kkmiuy.exe

Loads dropped DLL 11 IoCs

pid	Process
2964	2025-01-29_f19be4307d4e92b4c63c10769de4fc2b_mafia.exe
2964	2025-01-29_f19be4307d4e92b4c63c10769de4fc2b_mafia.exe
2816	._cache_2025-01-29_f19be4307d4e92b4c63c10769de4fc2b_mafia.exe
2816	._cache_2025-01-29_f19be4307d4e92b4c63c10769de4fc2b_mafia.exe
2964	2025-01-29_f19be4307d4e92b4c63c10769de4fc2b_mafia.exe
2964	2025-01-29_f19be4307d4e92b4c63c10769de4fc2b_mafia.exe
824	Synaptics.exe
824	Synaptics.exe
824	Synaptics.exe
684	._cache_Synaptics.exe
684	._cache_Synaptics.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	2025-01-29_f19be4307d4e92b4c63c10769de4fc2b_mafia.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\My App = "C:\\Users\\Admin\\AppData\\Roaming\\zmtrwm.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\My App = "C:\\Users\\Admin\\AppData\\Roaming\\kkmiuy.exe"	reg.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3068 set thread context of 2964	3068	2025-01-29_f19be4307d4e92b4c63c10769de4fc2b_mafia.exe	30
PID 1256 set thread context of 824	1256	Synaptics.exe	37

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-01-29_f19be4307d4e92b4c63c10769de4fc2b_mafia.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_2025-01-29_f19be4307d4e92b4c63c10769de4fc2b_mafia.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zmtrwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-01-29_f19be4307d4e92b4c63c10769de4fc2b_mafia.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kkmiuy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	zmtrwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	zmtrwm.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1036	EXCEL.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1036	EXCEL.EXE

Suspicious use of WriteProcessMemory 52 IoCs

description	pid	Process	procid_target
PID 3068 wrote to memory of 2964	3068	2025-01-29_f19be4307d4e92b4c63c10769de4fc2b_mafia.exe	30
PID 3068 wrote to memory of 2964	3068	2025-01-29_f19be4307d4e92b4c63c10769de4fc2b_mafia.exe	30
PID 3068 wrote to memory of 2964	3068	2025-01-29_f19be4307d4e92b4c63c10769de4fc2b_mafia.exe	30
PID 3068 wrote to memory of 2964	3068	2025-01-29_f19be4307d4e92b4c63c10769de4fc2b_mafia.exe	30
PID 3068 wrote to memory of 2964	3068	2025-01-29_f19be4307d4e92b4c63c10769de4fc2b_mafia.exe	30
PID 3068 wrote to memory of 2964	3068	2025-01-29_f19be4307d4e92b4c63c10769de4fc2b_mafia.exe	30
PID 3068 wrote to memory of 2964	3068	2025-01-29_f19be4307d4e92b4c63c10769de4fc2b_mafia.exe	30
PID 3068 wrote to memory of 2964	3068	2025-01-29_f19be4307d4e92b4c63c10769de4fc2b_mafia.exe	30
PID 3068 wrote to memory of 2964	3068	2025-01-29_f19be4307d4e92b4c63c10769de4fc2b_mafia.exe	30
PID 3068 wrote to memory of 2964	3068	2025-01-29_f19be4307d4e92b4c63c10769de4fc2b_mafia.exe	30
PID 3068 wrote to memory of 2964	3068	2025-01-29_f19be4307d4e92b4c63c10769de4fc2b_mafia.exe	30
PID 3068 wrote to memory of 2964	3068	2025-01-29_f19be4307d4e92b4c63c10769de4fc2b_mafia.exe	30
PID 2964 wrote to memory of 2816	2964	2025-01-29_f19be4307d4e92b4c63c10769de4fc2b_mafia.exe	31
PID 2964 wrote to memory of 2816	2964	2025-01-29_f19be4307d4e92b4c63c10769de4fc2b_mafia.exe	31
PID 2964 wrote to memory of 2816	2964	2025-01-29_f19be4307d4e92b4c63c10769de4fc2b_mafia.exe	31
PID 2964 wrote to memory of 2816	2964	2025-01-29_f19be4307d4e92b4c63c10769de4fc2b_mafia.exe	31
PID 2816 wrote to memory of 2356	2816	._cache_2025-01-29_f19be4307d4e92b4c63c10769de4fc2b_mafia.exe	32
PID 2816 wrote to memory of 2356	2816	._cache_2025-01-29_f19be4307d4e92b4c63c10769de4fc2b_mafia.exe	32
PID 2816 wrote to memory of 2356	2816	._cache_2025-01-29_f19be4307d4e92b4c63c10769de4fc2b_mafia.exe	32
PID 2816 wrote to memory of 2356	2816	._cache_2025-01-29_f19be4307d4e92b4c63c10769de4fc2b_mafia.exe	32
PID 2816 wrote to memory of 2084	2816	._cache_2025-01-29_f19be4307d4e92b4c63c10769de4fc2b_mafia.exe	34
PID 2816 wrote to memory of 2084	2816	._cache_2025-01-29_f19be4307d4e92b4c63c10769de4fc2b_mafia.exe	34
PID 2816 wrote to memory of 2084	2816	._cache_2025-01-29_f19be4307d4e92b4c63c10769de4fc2b_mafia.exe	34
PID 2816 wrote to memory of 2084	2816	._cache_2025-01-29_f19be4307d4e92b4c63c10769de4fc2b_mafia.exe	34
PID 2964 wrote to memory of 1256	2964	2025-01-29_f19be4307d4e92b4c63c10769de4fc2b_mafia.exe	36
PID 2964 wrote to memory of 1256	2964	2025-01-29_f19be4307d4e92b4c63c10769de4fc2b_mafia.exe	36
PID 2964 wrote to memory of 1256	2964	2025-01-29_f19be4307d4e92b4c63c10769de4fc2b_mafia.exe	36
PID 2964 wrote to memory of 1256	2964	2025-01-29_f19be4307d4e92b4c63c10769de4fc2b_mafia.exe	36
PID 1256 wrote to memory of 824	1256	Synaptics.exe	37
PID 1256 wrote to memory of 824	1256	Synaptics.exe	37
PID 1256 wrote to memory of 824	1256	Synaptics.exe	37
PID 1256 wrote to memory of 824	1256	Synaptics.exe	37
PID 1256 wrote to memory of 824	1256	Synaptics.exe	37
PID 1256 wrote to memory of 824	1256	Synaptics.exe	37
PID 1256 wrote to memory of 824	1256	Synaptics.exe	37
PID 1256 wrote to memory of 824	1256	Synaptics.exe	37
PID 1256 wrote to memory of 824	1256	Synaptics.exe	37
PID 1256 wrote to memory of 824	1256	Synaptics.exe	37
PID 1256 wrote to memory of 824	1256	Synaptics.exe	37
PID 1256 wrote to memory of 824	1256	Synaptics.exe	37
PID 824 wrote to memory of 684	824	Synaptics.exe	38
PID 824 wrote to memory of 684	824	Synaptics.exe	38
PID 824 wrote to memory of 684	824	Synaptics.exe	38
PID 824 wrote to memory of 684	824	Synaptics.exe	38
PID 684 wrote to memory of 924	684	._cache_Synaptics.exe	40
PID 684 wrote to memory of 924	684	._cache_Synaptics.exe	40
PID 684 wrote to memory of 924	684	._cache_Synaptics.exe	40
PID 684 wrote to memory of 924	684	._cache_Synaptics.exe	40
PID 684 wrote to memory of 2392	684	._cache_Synaptics.exe	42
PID 684 wrote to memory of 2392	684	._cache_Synaptics.exe	42
PID 684 wrote to memory of 2392	684	._cache_Synaptics.exe	42
PID 684 wrote to memory of 2392	684	._cache_Synaptics.exe	42

C:\Users\Admin\AppData\Local\Temp\2025-01-29_f19be4307d4e92b4c63c10769de4fc2b_mafia.exe
"C:\Users\Admin\AppData\Local\Temp\2025-01-29_f19be4307d4e92b4c63c10769de4fc2b_mafia.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3068
- C:\Users\Admin\AppData\Local\Temp\2025-01-29_f19be4307d4e92b4c63c10769de4fc2b_mafia.exe
  "C:\Users\Admin\AppData\Local\Temp\2025-01-29_f19be4307d4e92b4c63c10769de4fc2b_mafia.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2964
- - C:\Users\Admin\AppData\Local\Temp\._cache_2025-01-29_f19be4307d4e92b4c63c10769de4fc2b_mafia.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_2025-01-29_f19be4307d4e92b4c63c10769de4fc2b_mafia.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2816
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "My App" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\zmtrwm.exe"
      4⤵
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      PID:2356
  - - C:\Users\Admin\AppData\Roaming\zmtrwm.exe
      "C:\Users\Admin\AppData\Roaming\zmtrwm.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Checks processor information in registry
      PID:2084
- - C:\ProgramData\Synaptics\Synaptics.exe
    "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1256
  - - C:\ProgramData\Synaptics\Synaptics.exe
      "C:\ProgramData\Synaptics\Synaptics.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:824
    - - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:684
      - C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "My App" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\kkmiuy.exe"
        6⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:924
      - C:\Users\Admin\AppData\Roaming\kkmiuy.exe
        
        "C:\Users\Admin\AppData\Roaming\kkmiuy.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2392

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
6.6MB

MD5
f19be4307d4e92b4c63c10769de4fc2b

SHA1
fdda128bf119fd694a8f2a27bb106918b4331f57

SHA256
dc3191c2db33b0d07d84df6ac9cbe42b8fad690baf1cb18d9362eeaa902e4d45

SHA512
11411c200d24282aa8e39e7e365763b1f09706133894544f6d7ce9114c4796946a659bd89c5c14f9d7b1e76b61aaf0cd76fbe26a729dc6b1dfeb256556cdcaf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_2025-01-29_f19be4307d4e92b4c63c10769de4fc2b_mafia.exe

Filesize
371KB

MD5
ec47e9ac1304201739f03f7cef8ea1bd

SHA1
fb138d78af34a373a849a0f5955479bba35704e0

SHA256
a859fd7e1221e91bd0e1bdee2b9f07f947fd5d679086faf36edcc2e0075de539

SHA512
c12900a403e448bcda9aee54a224d0a7c53e438bbe6fd7ea683bb46746c6f63758054bb50be22ea926addea821b9390a0a1e1f47e44b32a5dba4c6b84d6f6634

Download Submit
C:\Users\Admin\AppData\Local\Temp\HHSQZ326.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
memory/2964-57-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/2964-58-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/2964-59-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/2964-71-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/2964-110-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/2964-60-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/2964-61-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/2964-62-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/2964-63-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/2964-64-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2964-66-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/2964-70-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/3068-42-0x0000000007540000-0x000000000768D000-memory.dmp

Filesize
1.3MB

Download
memory/3068-3-0x0000000007540000-0x000000000768D000-memory.dmp

Filesize
1.3MB

Download
memory/3068-68-0x0000000074D40000-0x00000000752EB000-memory.dmp

Filesize
5.7MB

Download
memory/3068-34-0x0000000007540000-0x000000000768D000-memory.dmp

Filesize
1.3MB

Download
memory/3068-36-0x0000000007540000-0x000000000768D000-memory.dmp

Filesize
1.3MB

Download
memory/3068-38-0x0000000007540000-0x000000000768D000-memory.dmp

Filesize
1.3MB

Download
memory/3068-40-0x0000000007540000-0x000000000768D000-memory.dmp

Filesize
1.3MB

Download
memory/3068-0-0x0000000074D41000-0x0000000074D42000-memory.dmp

Filesize
4KB

Download
memory/3068-44-0x0000000007540000-0x000000000768D000-memory.dmp

Filesize
1.3MB

Download
memory/3068-46-0x0000000007540000-0x000000000768D000-memory.dmp

Filesize
1.3MB

Download
memory/3068-48-0x0000000007540000-0x000000000768D000-memory.dmp

Filesize
1.3MB

Download
memory/3068-50-0x0000000007540000-0x000000000768D000-memory.dmp

Filesize
1.3MB

Download
memory/3068-52-0x0000000007540000-0x000000000768D000-memory.dmp

Filesize
1.3MB

Download
memory/3068-56-0x0000000007540000-0x000000000768D000-memory.dmp

Filesize
1.3MB

Download
memory/3068-30-0x0000000007540000-0x000000000768D000-memory.dmp

Filesize
1.3MB

Download
memory/3068-32-0x0000000007540000-0x000000000768D000-memory.dmp

Filesize
1.3MB

Download
memory/3068-28-0x0000000007540000-0x000000000768D000-memory.dmp

Filesize
1.3MB

Download
memory/3068-26-0x0000000007540000-0x000000000768D000-memory.dmp

Filesize
1.3MB

Download
memory/3068-24-0x0000000007540000-0x000000000768D000-memory.dmp

Filesize
1.3MB

Download
memory/3068-22-0x0000000007540000-0x000000000768D000-memory.dmp

Filesize
1.3MB

Download
memory/3068-20-0x0000000007540000-0x000000000768D000-memory.dmp

Filesize
1.3MB

Download
memory/3068-18-0x0000000007540000-0x000000000768D000-memory.dmp

Filesize
1.3MB

Download
memory/3068-16-0x0000000007540000-0x000000000768D000-memory.dmp

Filesize
1.3MB

Download
memory/3068-14-0x0000000007540000-0x000000000768D000-memory.dmp

Filesize
1.3MB

Download
memory/3068-12-0x0000000007540000-0x000000000768D000-memory.dmp

Filesize
1.3MB

Download
memory/3068-10-0x0000000007540000-0x000000000768D000-memory.dmp

Filesize
1.3MB

Download
memory/3068-8-0x0000000007540000-0x000000000768D000-memory.dmp

Filesize
1.3MB

Download
memory/3068-6-0x0000000007540000-0x000000000768D000-memory.dmp

Filesize
1.3MB

Download
memory/3068-4-0x0000000007540000-0x000000000768D000-memory.dmp

Filesize
1.3MB

Download
memory/3068-54-0x0000000007540000-0x000000000768D000-memory.dmp

Filesize
1.3MB

Download
memory/3068-2-0x0000000074D40000-0x00000000752EB000-memory.dmp

Filesize
5.7MB

Download
memory/3068-1-0x0000000074D40000-0x00000000752EB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads