xred | dc3191c2db33b0d07d84df6ac9cbe42b8fad690baf1cb18d9362eeaa902e4d45

Analysis

max time kernel
148s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
29/01/2025, 23:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-01-29_f19be4307d4e92b4c63c10769de4fc2b_mafia.exe
Size

6.6MB
MD5

f19be4307d4e92b4c63c10769de4fc2b
SHA1

fdda128bf119fd694a8f2a27bb106918b4331f57
SHA256

dc3191c2db33b0d07d84df6ac9cbe42b8fad690baf1cb18d9362eeaa902e4d45
SHA512

11411c200d24282aa8e39e7e365763b1f09706133894544f6d7ce9114c4796946a659bd89c5c14f9d7b1e76b61aaf0cd76fbe26a729dc6b1dfeb256556cdcaf3
SSDEEP

196608:jcvooVgSF3zajKNSPyTcvooVgSF3zajKNSPyqcvooVgSF3zajKNSPy0OrFV:iVHF3PSVHF3P7VHF3PBrFV

Score

10^/10

xred backdoor discovery persistence

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	2025-01-29_f19be4307d4e92b4c63c10769de4fc2b_mafia.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	._cache_2025-01-29_f19be4307d4e92b4c63c10769de4fc2b_mafia.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	Synaptics.exe

Executes dropped EXE 5 IoCs

pid	Process
1668	._cache_2025-01-29_f19be4307d4e92b4c63c10769de4fc2b_mafia.exe
4016	Synaptics.exe
3748	tyttue.exe
2124	Synaptics.exe
5064	joxnkm.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	2025-01-29_f19be4307d4e92b4c63c10769de4fc2b_mafia.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\My App = "C:\\Users\\Admin\\AppData\\Roaming\\tyttue.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\My App = "C:\\Users\\Admin\\AppData\\Roaming\\joxnkm.exe"	reg.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2324 set thread context of 3136	2324	2025-01-29_f19be4307d4e92b4c63c10769de4fc2b_mafia.exe	82
PID 4016 set thread context of 2124	4016	Synaptics.exe	88

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_2025-01-29_f19be4307d4e92b4c63c10769de4fc2b_mafia.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tyttue.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	joxnkm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-01-29_f19be4307d4e92b4c63c10769de4fc2b_mafia.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-01-29_f19be4307d4e92b4c63c10769de4fc2b_mafia.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	tyttue.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	tyttue.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	._cache_Synaptics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	2025-01-29_f19be4307d4e92b4c63c10769de4fc2b_mafia.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	._cache_2025-01-29_f19be4307d4e92b4c63c10769de4fc2b_mafia.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
4324	EXCEL.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
4324	EXCEL.EXE
4324	EXCEL.EXE
4324	EXCEL.EXE
4324	EXCEL.EXE
4324	EXCEL.EXE
4324	EXCEL.EXE

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 2324 wrote to memory of 3136	2324	2025-01-29_f19be4307d4e92b4c63c10769de4fc2b_mafia.exe	82
PID 2324 wrote to memory of 3136	2324	2025-01-29_f19be4307d4e92b4c63c10769de4fc2b_mafia.exe	82
PID 2324 wrote to memory of 3136	2324	2025-01-29_f19be4307d4e92b4c63c10769de4fc2b_mafia.exe	82
PID 2324 wrote to memory of 3136	2324	2025-01-29_f19be4307d4e92b4c63c10769de4fc2b_mafia.exe	82
PID 2324 wrote to memory of 3136	2324	2025-01-29_f19be4307d4e92b4c63c10769de4fc2b_mafia.exe	82
PID 2324 wrote to memory of 3136	2324	2025-01-29_f19be4307d4e92b4c63c10769de4fc2b_mafia.exe	82
PID 2324 wrote to memory of 3136	2324	2025-01-29_f19be4307d4e92b4c63c10769de4fc2b_mafia.exe	82
PID 2324 wrote to memory of 3136	2324	2025-01-29_f19be4307d4e92b4c63c10769de4fc2b_mafia.exe	82
PID 2324 wrote to memory of 3136	2324	2025-01-29_f19be4307d4e92b4c63c10769de4fc2b_mafia.exe	82
PID 2324 wrote to memory of 3136	2324	2025-01-29_f19be4307d4e92b4c63c10769de4fc2b_mafia.exe	82
PID 2324 wrote to memory of 3136	2324	2025-01-29_f19be4307d4e92b4c63c10769de4fc2b_mafia.exe	82
PID 3136 wrote to memory of 1668	3136	2025-01-29_f19be4307d4e92b4c63c10769de4fc2b_mafia.exe	83
PID 3136 wrote to memory of 1668	3136	2025-01-29_f19be4307d4e92b4c63c10769de4fc2b_mafia.exe	83
PID 3136 wrote to memory of 1668	3136	2025-01-29_f19be4307d4e92b4c63c10769de4fc2b_mafia.exe	83
PID 1668 wrote to memory of 3404	1668	._cache_2025-01-29_f19be4307d4e92b4c63c10769de4fc2b_mafia.exe	84
PID 1668 wrote to memory of 3404	1668	._cache_2025-01-29_f19be4307d4e92b4c63c10769de4fc2b_mafia.exe	84
PID 1668 wrote to memory of 3404	1668	._cache_2025-01-29_f19be4307d4e92b4c63c10769de4fc2b_mafia.exe	84
PID 3136 wrote to memory of 4016	3136	2025-01-29_f19be4307d4e92b4c63c10769de4fc2b_mafia.exe	86
PID 3136 wrote to memory of 4016	3136	2025-01-29_f19be4307d4e92b4c63c10769de4fc2b_mafia.exe	86
PID 3136 wrote to memory of 4016	3136	2025-01-29_f19be4307d4e92b4c63c10769de4fc2b_mafia.exe	86
PID 1668 wrote to memory of 3748	1668	._cache_2025-01-29_f19be4307d4e92b4c63c10769de4fc2b_mafia.exe	87
PID 1668 wrote to memory of 3748	1668	._cache_2025-01-29_f19be4307d4e92b4c63c10769de4fc2b_mafia.exe	87
PID 1668 wrote to memory of 3748	1668	._cache_2025-01-29_f19be4307d4e92b4c63c10769de4fc2b_mafia.exe	87
PID 4016 wrote to memory of 2124	4016	Synaptics.exe	88
PID 4016 wrote to memory of 2124	4016	Synaptics.exe	88
PID 4016 wrote to memory of 2124	4016	Synaptics.exe	88
PID 4016 wrote to memory of 2124	4016	Synaptics.exe	88
PID 4016 wrote to memory of 2124	4016	Synaptics.exe	88
PID 4016 wrote to memory of 2124	4016	Synaptics.exe	88
PID 4016 wrote to memory of 2124	4016	Synaptics.exe	88
PID 4016 wrote to memory of 2124	4016	Synaptics.exe	88
PID 4016 wrote to memory of 2124	4016	Synaptics.exe	88
PID 4016 wrote to memory of 2124	4016	Synaptics.exe	88
PID 4016 wrote to memory of 2124	4016	Synaptics.exe	88
PID 4680 wrote to memory of 4888	4680	._cache_Synaptics.exe	91
PID 4680 wrote to memory of 4888	4680	._cache_Synaptics.exe	91
PID 4680 wrote to memory of 4888	4680	._cache_Synaptics.exe	91
PID 4680 wrote to memory of 5064	4680	._cache_Synaptics.exe	94
PID 4680 wrote to memory of 5064	4680	._cache_Synaptics.exe	94
PID 4680 wrote to memory of 5064	4680	._cache_Synaptics.exe	94

C:\Users\Admin\AppData\Local\Temp\2025-01-29_f19be4307d4e92b4c63c10769de4fc2b_mafia.exe
"C:\Users\Admin\AppData\Local\Temp\2025-01-29_f19be4307d4e92b4c63c10769de4fc2b_mafia.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2324
- C:\Users\Admin\AppData\Local\Temp\2025-01-29_f19be4307d4e92b4c63c10769de4fc2b_mafia.exe
  "C:\Users\Admin\AppData\Local\Temp\2025-01-29_f19be4307d4e92b4c63c10769de4fc2b_mafia.exe"
  2⤵
  - Checks computer location settings
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3136
- - C:\Users\Admin\AppData\Local\Temp\._cache_2025-01-29_f19be4307d4e92b4c63c10769de4fc2b_mafia.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_2025-01-29_f19be4307d4e92b4c63c10769de4fc2b_mafia.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1668
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "My App" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\tyttue.exe"
      4⤵
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      PID:3404
  - - C:\Users\Admin\AppData\Roaming\tyttue.exe
      "C:\Users\Admin\AppData\Roaming\tyttue.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Checks processor information in registry
      PID:3748
- - C:\ProgramData\Synaptics\Synaptics.exe
    "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4016
  - - C:\ProgramData\Synaptics\Synaptics.exe
      "C:\ProgramData\Synaptics\Synaptics.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies registry class
      PID:2124
    - - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe"
        5⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4680
      - C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "My App" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\joxnkm.exe"
        6⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4888
      - C:\Users\Admin\AppData\Roaming\joxnkm.exe
        
        "C:\Users\Admin\AppData\Roaming\joxnkm.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5064

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4324

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
6.6MB

MD5
f19be4307d4e92b4c63c10769de4fc2b

SHA1
fdda128bf119fd694a8f2a27bb106918b4331f57

SHA256
dc3191c2db33b0d07d84df6ac9cbe42b8fad690baf1cb18d9362eeaa902e4d45

SHA512
11411c200d24282aa8e39e7e365763b1f09706133894544f6d7ce9114c4796946a659bd89c5c14f9d7b1e76b61aaf0cd76fbe26a729dc6b1dfeb256556cdcaf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_2025-01-29_f19be4307d4e92b4c63c10769de4fc2b_mafia.exe

Filesize
371KB

MD5
ec47e9ac1304201739f03f7cef8ea1bd

SHA1
fb138d78af34a373a849a0f5955479bba35704e0

SHA256
a859fd7e1221e91bd0e1bdee2b9f07f947fd5d679086faf36edcc2e0075de539

SHA512
c12900a403e448bcda9aee54a224d0a7c53e438bbe6fd7ea683bb46746c6f63758054bb50be22ea926addea821b9390a0a1e1f47e44b32a5dba4c6b84d6f6634

Download Submit
C:\Users\Admin\AppData\Local\Temp\F6875E00

Filesize
23KB

MD5
e7d7591c0123703af0735309e90db0a7

SHA1
f18b05ebac7e89f0eb03e37cdd25278df0f726a9

SHA256
3e137f03fe73c4f2889722e99cf18c1abbcda49620a88547177acc40cbc2cbbe

SHA512
1614c2cd787e07891051a8a0301200180e5bcc3df1c89da969c1410d0a8198a96c60f0ea7c52988b09cee336610a7994c0d28e7dd74427aaa0c9131dd4345c51

Download Submit
memory/2324-20-0x0000000007BC0000-0x0000000007D0D000-memory.dmp

Filesize
1.3MB

Download
memory/2324-18-0x0000000007BC0000-0x0000000007D0D000-memory.dmp

Filesize
1.3MB

Download
memory/2324-46-0x0000000007BC0000-0x0000000007D0D000-memory.dmp

Filesize
1.3MB

Download
memory/2324-56-0x0000000007BC0000-0x0000000007D0D000-memory.dmp

Filesize
1.3MB

Download
memory/2324-54-0x0000000007BC0000-0x0000000007D0D000-memory.dmp

Filesize
1.3MB

Download
memory/2324-52-0x0000000007BC0000-0x0000000007D0D000-memory.dmp

Filesize
1.3MB

Download
memory/2324-1-0x0000000075330000-0x00000000758E1000-memory.dmp

Filesize
5.7MB

Download
memory/2324-3-0x0000000007BC0000-0x0000000007D0D000-memory.dmp

Filesize
1.3MB

Download
memory/2324-63-0x0000000075330000-0x00000000758E1000-memory.dmp

Filesize
5.7MB

Download
memory/2324-30-0x0000000007BC0000-0x0000000007D0D000-memory.dmp

Filesize
1.3MB

Download
memory/2324-4-0x0000000007BC0000-0x0000000007D0D000-memory.dmp

Filesize
1.3MB

Download
memory/2324-8-0x0000000007BC0000-0x0000000007D0D000-memory.dmp

Filesize
1.3MB

Download
memory/2324-50-0x0000000007BC0000-0x0000000007D0D000-memory.dmp

Filesize
1.3MB

Download
memory/2324-48-0x0000000007BC0000-0x0000000007D0D000-memory.dmp

Filesize
1.3MB

Download
memory/2324-44-0x0000000007BC0000-0x0000000007D0D000-memory.dmp

Filesize
1.3MB

Download
memory/2324-42-0x0000000007BC0000-0x0000000007D0D000-memory.dmp

Filesize
1.3MB

Download
memory/2324-40-0x0000000007BC0000-0x0000000007D0D000-memory.dmp

Filesize
1.3MB

Download
memory/2324-34-0x0000000007BC0000-0x0000000007D0D000-memory.dmp

Filesize
1.3MB

Download
memory/2324-13-0x0000000007BC0000-0x0000000007D0D000-memory.dmp

Filesize
1.3MB

Download
memory/2324-32-0x0000000007BC0000-0x0000000007D0D000-memory.dmp

Filesize
1.3MB

Download
memory/2324-10-0x0000000007BC0000-0x0000000007D0D000-memory.dmp

Filesize
1.3MB

Download
memory/2324-28-0x0000000007BC0000-0x0000000007D0D000-memory.dmp

Filesize
1.3MB

Download
memory/2324-26-0x0000000007BC0000-0x0000000007D0D000-memory.dmp

Filesize
1.3MB

Download
memory/2324-24-0x0000000007BC0000-0x0000000007D0D000-memory.dmp

Filesize
1.3MB

Download
memory/2324-22-0x0000000007BC0000-0x0000000007D0D000-memory.dmp

Filesize
1.3MB

Download
memory/2324-2-0x0000000075330000-0x00000000758E1000-memory.dmp

Filesize
5.7MB

Download
memory/2324-14-0x0000000007BC0000-0x0000000007D0D000-memory.dmp

Filesize
1.3MB

Download
memory/2324-0-0x0000000075332000-0x0000000075333000-memory.dmp

Filesize
4KB

Download
memory/2324-6-0x0000000007BC0000-0x0000000007D0D000-memory.dmp

Filesize
1.3MB

Download
memory/2324-16-0x0000000007BC0000-0x0000000007D0D000-memory.dmp

Filesize
1.3MB

Download
memory/2324-38-0x0000000007BC0000-0x0000000007D0D000-memory.dmp

Filesize
1.3MB

Download
memory/2324-36-0x0000000007BC0000-0x0000000007D0D000-memory.dmp

Filesize
1.3MB

Download
memory/3136-240-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/3136-61-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/3136-58-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/3136-60-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/3136-62-0x00000000035D0000-0x00000000035D1000-memory.dmp

Filesize
4KB

Download
memory/3136-57-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads