xred | adcb154a472177f99055a2c7cc2b203737a9a63807782de66154d85d2921cd43

Analysis

max time kernel
141s
max time network
146s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
15-02-2025 00:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

grannycc.exe
Size

3.1MB
MD5

93bba25a98254755eaf3afdb7826bd31
SHA1

d9a2cc89eb523886710e485b5be703d9c7c1e53d
SHA256

adcb154a472177f99055a2c7cc2b203737a9a63807782de66154d85d2921cd43
SHA512

9e2142bf39d3b90ff3e170876b00e591c7473dd9462428932bb26ecfb213a5435a332ac8ce601367c8ef8872aaf66100f6523803593e541f48d5a027e41ef264
SSDEEP

49152:5nsHyjtk2MYC5GDSKOR8wgkLCEUMi1M8PPQg8N6ToOTCTDey7/t7+dxwYSQH:5nsmtk2aRtuwncM8UNla0T0SQ

Score

10^/10

xred xworm backdoor discovery persistence rat trojan

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Extracted

Family

xworm

Version

5.0

noipedd.ddns.net:1193

Mutex

8V29vmvrMp98QQ8X

Attributes

Install_directory
%AppData%
install_file
qqwgjfggjd.exe

aes.plain

Signatures

Detect Xworm Payload 4 IoCs

resource	yara_rule
behavioral1/files/0x0008000000016eb4-112.dat	family_xworm
behavioral1/memory/1688-104-0x0000000000400000-0x00000000004DF000-memory.dmp	family_xworm
behavioral1/memory/1356-107-0x0000000000400000-0x00000000004DF000-memory.dmp	family_xworm
behavioral1/memory/2324-117-0x0000000000E80000-0x0000000000E90000-memory.dmp	family_xworm

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

.NET Reactor proctector 5 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

resource	yara_rule
behavioral1/files/0x0007000000016dd9-50.dat	net_reactor
behavioral1/files/0x0007000000016de0-61.dat	net_reactor
behavioral1/memory/1084-65-0x0000000000400000-0x000000000074D000-memory.dmp	net_reactor
behavioral1/memory/3004-71-0x0000000000400000-0x000000000074D000-memory.dmp	net_reactor
behavioral1/memory/2952-67-0x0000000000E50000-0x00000000010CE000-memory.dmp	net_reactor

Drops startup file 4 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\%startupname%.lnk	._cache_persistence.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\%startupname%.lnk	._cache_persistence.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qqwgjfggjd.lnk	._cache_MSBuild.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qqwgjfggjd.lnk	._cache_MSBuild.exe

Executes dropped EXE 12 IoCs

pid	Process
2740	._cache_grannycc.exe
2748	Synaptics.exe
2624	._cache_Synaptics.exe
2672	GrannyEscapeTogether.exe
1100	Process not Found
1084	persistence.exe
2872	GrannyEscapeTogether.exe
2952	._cache_persistence.exe
3004	persistence.exe
684	._cache_persistence.exe
2324	._cache_MSBuild.exe
1132	._cache_MSBuild.exe

Loads dropped DLL 16 IoCs

pid	Process
2876	grannycc.exe
2876	grannycc.exe
2876	grannycc.exe
2748	Synaptics.exe
2748	Synaptics.exe
2740	._cache_grannycc.exe
1100	Process not Found
2624	._cache_Synaptics.exe
1084	persistence.exe
1084	persistence.exe
3004	persistence.exe
3004	persistence.exe
3004	persistence.exe
1356	MSBuild.exe
1688	MSBuild.exe
1356	MSBuild.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	grannycc.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2952 set thread context of 1688	2952	._cache_persistence.exe	40
PID 684 set thread context of 1356	684	._cache_persistence.exe	39

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_persistence.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_persistence.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	grannycc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	persistence.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	persistence.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
1240	timeout.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
620	EXCEL.EXE

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1132	._cache_MSBuild.exe
Token: SeDebugPrivilege	2324	._cache_MSBuild.exe
Token: SeDebugPrivilege	1132	._cache_MSBuild.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2872	GrannyEscapeTogether.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
620	EXCEL.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2876 wrote to memory of 2740	2876	grannycc.exe	30
PID 2876 wrote to memory of 2740	2876	grannycc.exe	30
PID 2876 wrote to memory of 2740	2876	grannycc.exe	30
PID 2876 wrote to memory of 2740	2876	grannycc.exe	30
PID 2876 wrote to memory of 2748	2876	grannycc.exe	31
PID 2876 wrote to memory of 2748	2876	grannycc.exe	31
PID 2876 wrote to memory of 2748	2876	grannycc.exe	31
PID 2876 wrote to memory of 2748	2876	grannycc.exe	31
PID 2748 wrote to memory of 2624	2748	Synaptics.exe	32
PID 2748 wrote to memory of 2624	2748	Synaptics.exe	32
PID 2748 wrote to memory of 2624	2748	Synaptics.exe	32
PID 2748 wrote to memory of 2624	2748	Synaptics.exe	32
PID 2740 wrote to memory of 2672	2740	._cache_grannycc.exe	33
PID 2740 wrote to memory of 2672	2740	._cache_grannycc.exe	33
PID 2740 wrote to memory of 2672	2740	._cache_grannycc.exe	33
PID 2740 wrote to memory of 1084	2740	._cache_grannycc.exe	34
PID 2740 wrote to memory of 1084	2740	._cache_grannycc.exe	34
PID 2740 wrote to memory of 1084	2740	._cache_grannycc.exe	34
PID 2740 wrote to memory of 1084	2740	._cache_grannycc.exe	34
PID 2624 wrote to memory of 2872	2624	._cache_Synaptics.exe	35
PID 2624 wrote to memory of 2872	2624	._cache_Synaptics.exe	35
PID 2624 wrote to memory of 2872	2624	._cache_Synaptics.exe	35
PID 1084 wrote to memory of 2952	1084	persistence.exe	36
PID 1084 wrote to memory of 2952	1084	persistence.exe	36
PID 1084 wrote to memory of 2952	1084	persistence.exe	36
PID 1084 wrote to memory of 2952	1084	persistence.exe	36
PID 2624 wrote to memory of 3004	2624	._cache_Synaptics.exe	37
PID 2624 wrote to memory of 3004	2624	._cache_Synaptics.exe	37
PID 2624 wrote to memory of 3004	2624	._cache_Synaptics.exe	37
PID 2624 wrote to memory of 3004	2624	._cache_Synaptics.exe	37
PID 3004 wrote to memory of 684	3004	persistence.exe	38
PID 3004 wrote to memory of 684	3004	persistence.exe	38
PID 3004 wrote to memory of 684	3004	persistence.exe	38
PID 3004 wrote to memory of 684	3004	persistence.exe	38
PID 2952 wrote to memory of 1688	2952	._cache_persistence.exe	40
PID 2952 wrote to memory of 1688	2952	._cache_persistence.exe	40
PID 2952 wrote to memory of 1688	2952	._cache_persistence.exe	40
PID 2952 wrote to memory of 1688	2952	._cache_persistence.exe	40
PID 684 wrote to memory of 1356	684	._cache_persistence.exe	39
PID 684 wrote to memory of 1356	684	._cache_persistence.exe	39
PID 684 wrote to memory of 1356	684	._cache_persistence.exe	39
PID 684 wrote to memory of 1356	684	._cache_persistence.exe	39
PID 2952 wrote to memory of 1688	2952	._cache_persistence.exe	40
PID 684 wrote to memory of 1356	684	._cache_persistence.exe	39
PID 684 wrote to memory of 1356	684	._cache_persistence.exe	39
PID 2952 wrote to memory of 1688	2952	._cache_persistence.exe	40
PID 684 wrote to memory of 1356	684	._cache_persistence.exe	39
PID 2952 wrote to memory of 1688	2952	._cache_persistence.exe	40
PID 2952 wrote to memory of 1688	2952	._cache_persistence.exe	40
PID 684 wrote to memory of 1356	684	._cache_persistence.exe	39
PID 2952 wrote to memory of 1688	2952	._cache_persistence.exe	40
PID 684 wrote to memory of 1356	684	._cache_persistence.exe	39
PID 2952 wrote to memory of 1688	2952	._cache_persistence.exe	40
PID 684 wrote to memory of 1356	684	._cache_persistence.exe	39
PID 2952 wrote to memory of 1688	2952	._cache_persistence.exe	40
PID 2952 wrote to memory of 1688	2952	._cache_persistence.exe	40
PID 684 wrote to memory of 1356	684	._cache_persistence.exe	39
PID 684 wrote to memory of 1356	684	._cache_persistence.exe	39
PID 1688 wrote to memory of 2324	1688	MSBuild.exe	41
PID 1688 wrote to memory of 2324	1688	MSBuild.exe	41
PID 1688 wrote to memory of 2324	1688	MSBuild.exe	41
PID 1688 wrote to memory of 2324	1688	MSBuild.exe	41
PID 1356 wrote to memory of 1132	1356	MSBuild.exe	42
PID 1356 wrote to memory of 1132	1356	MSBuild.exe	42

C:\Users\Admin\AppData\Local\Temp\grannycc.exe
"C:\Users\Admin\AppData\Local\Temp\grannycc.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2876
- C:\Users\Admin\AppData\Local\Temp\._cache_grannycc.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_grannycc.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2740
- - C:\Users\Admin\AppData\Local\Temp\GrannyEscapeTogether.exe
    "C:\Users\Admin\AppData\Local\Temp\GrannyEscapeTogether.exe"
    3⤵
    - Executes dropped EXE
    PID:2672
- - C:\Users\Admin\AppData\Local\Temp\persistence.exe
    "C:\Users\Admin\AppData\Local\Temp\persistence.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1084
  - - C:\Users\Admin\AppData\Local\Temp\._cache_persistence.exe
      "C:\Users\Admin\AppData\Local\Temp\._cache_persistence.exe"
      4⤵
      Drops startup file
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2952
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        5⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1688
      - C:\Users\Admin\AppData\Local\Temp\._cache_MSBuild.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_MSBuild.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2324
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2748
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2624
  - - C:\Users\Admin\AppData\Local\Temp\GrannyEscapeTogether.exe
      "C:\Users\Admin\AppData\Local\Temp\GrannyEscapeTogether.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of FindShellTrayWindow
      PID:2872
  - - C:\Users\Admin\AppData\Local\Temp\persistence.exe
      "C:\Users\Admin\AppData\Local\Temp\persistence.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3004
    - - C:\Users\Admin\AppData\Local\Temp\._cache_persistence.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_persistence.exe"
        5⤵
        Drops startup file
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:684
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        6⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1356
        
        C:\Users\Admin\AppData\Local\Temp\._cache_MSBuild.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_MSBuild.exe"
        7⤵
        Drops startup file
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1132
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpF853.tmp.bat""
        8⤵
        
        PID:624
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        9⤵
        Delays execution with timeout.exe
        
        PID:1240

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
3.1MB

MD5
93bba25a98254755eaf3afdb7826bd31

SHA1
d9a2cc89eb523886710e485b5be703d9c7c1e53d

SHA256
adcb154a472177f99055a2c7cc2b203737a9a63807782de66154d85d2921cd43

SHA512
9e2142bf39d3b90ff3e170876b00e591c7473dd9462428932bb26ecfb213a5435a332ac8ce601367c8ef8872aaf66100f6523803593e541f48d5a027e41ef264

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_persistence.exe

Filesize
2.5MB

MD5
ae3d97bf016cebe68109d6c58ad59642

SHA1
1cb02cf2837af1e499c4306988344b12eb192312

SHA256
4fc1eeb5bfa1e22dbbe049cf40ebfae1b986593413f657e50d5956c500e8ef80

SHA512
656ed8de685d7525d76d0dbb47fa3326773f5233141106f66955b7459372cc0c442a6d7319afe5e2dee33043a589b2b0f5f55a287306301e0eea177d34d4e30e

Download Submit
C:\Users\Admin\AppData\Local\Temp\persistence.exe

Filesize
3.3MB

MD5
0cd8e614a8cfc0f571fd20db5b5913fe

SHA1
4fc13da917124435dd6b9413fbf553e9357023e8

SHA256
8d181ee22219a3ccc077679d2651ee64cf10f8fc315b5f0a42418d114f37b94e

SHA512
244968545242abb2d1cadaf8d56bb321a39040402dacbefaebaccb5f647103d2d77288fa3785cb6ec69f6c1760b8034a63a480caee8db66527385a8592c4db85

Download Submit
C:\Users\Admin\AppData\Local\Temp\rdf6jty7.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\rdf6jty7.xlsm

Filesize
20KB

MD5
e1d28bb59ddaf9332afa35ed2f7d0f39

SHA1
a29468169062e5a132998b44d8895566debf5c54

SHA256
3fa319a0208ad93f71377b38c4b1e99bda86ac4658dce2441997304dcf942657

SHA512
cb3cd74a5423859ea2a6aba2c49a921d23d1416eeab3aa840a5d2c1589dabaf7e9319654f5f479a4a4963b4af789c9d8adaef163b21ff1770a0c45830c6cab18

Download Submit
C:\Users\Admin\AppData\Local\Temp\rdf6jty7.xlsm

Filesize
22KB

MD5
e6fe2892f3f9af9aaaca01196be59ff6

SHA1
81d14808530b6ec423c0b5a6973ab7a83cea26e2

SHA256
91accc263fadafa9a13044259971339b7d9910d122f33fdee4b6235701a1eb80

SHA512
1bc56ba7a12c795a40aac9b8e218d4291af2eb88980b10688b13ba6689294b3021702004ddac48945fefeabd25cc6cda0811fb9ec2ba25e7651f9169e0f85857

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF853.tmp.bat

Filesize
167B

MD5
bf4bec40a86bd16dedb65ffc771a0964

SHA1
22fad916876a794d5244f42f0ecb233951fb0470

SHA256
95ce960bec748e340957bcf65f7e894ee79fa10a0124651782234f9f700997a6

SHA512
49c6037e8a89a54d2f4595f4d1cc2f96284cdaedaade08e8884f105fa8d4c9e22b9f59a84599035777990856ff83ed39cf7719ed878ab23e427a5fd4d0e48ac6

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_MSBuild.exe

Filesize
35KB

MD5
023819bcc9e82d78de2da9cf54f6ed47

SHA1
706b6eda1e781904a153e8c4adc763ea7584b542

SHA256
c3b5245831f0d76db25b7497eefcc29ff59903ddc401524b3b8c49af982d2691

SHA512
857ec3b461b08c603288f90a18ba0b6b9b13069c4b4533b787edd5b3021a2e967c85e9d4001d7c263b69b7134aff68ab8b77d9cd2f1d06c36d686ea370f9254d

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_grannycc.exe

Filesize
2.3MB

MD5
92d66ee187b0065843621d7c5062ab9c

SHA1
9e5172b7584a6a227c44202f65a78059bee69cf5

SHA256
fa6629cf86bd23eaaf918dd1d527aff025cfb805be31456c644520c7f164486e

SHA512
96bb8769536fd3713e646238a31b96c9a2147cd5f818d115fd84fc0fb2a603fb39bbf62a4deef3406d3328db154306996b2e0702a5d3119420dea92ef9588cee

Download Submit
\Users\Admin\AppData\Local\Temp\GrannyEscapeTogether.exe

Filesize
255KB

MD5
ab9ec0a0554187a55c49912026cf5b03

SHA1
f13fdcd81621a189917ce30fee700d95988a73a6

SHA256
676a4cbbdcd5327cc004ae2ae1b45aa4dace193968a579532646a92ad3874a64

SHA512
65637dc804c3d9f050df0ad764280332ed9fc55084aea985e954bdb8450070ac5342bd30e222553d67524a40d508da1fb7fb112ada9479dc14899edd9a71372e

Download Submit
memory/620-123-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/684-74-0x0000000000D90000-0x0000000000E46000-memory.dmp

Filesize
728KB

Download
memory/1084-65-0x0000000000400000-0x000000000074D000-memory.dmp

Filesize
3.3MB

Download
memory/1132-178-0x00000000004D0000-0x00000000004DC000-memory.dmp

Filesize
48KB

Download
memory/1356-81-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/1356-85-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/1356-107-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/1356-80-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/1356-105-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/1688-91-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/1688-104-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/1688-99-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/1688-103-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/1688-75-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/1688-95-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2324-117-0x0000000000E80000-0x0000000000E90000-memory.dmp

Filesize
64KB

Download
memory/2624-36-0x0000000000840000-0x0000000000A8A000-memory.dmp

Filesize
2.3MB

Download
memory/2740-20-0x0000000000350000-0x000000000059A000-memory.dmp

Filesize
2.3MB

Download
memory/2748-225-0x0000000000400000-0x000000000071B000-memory.dmp

Filesize
3.1MB

Download
memory/2748-177-0x0000000000400000-0x000000000071B000-memory.dmp

Filesize
3.1MB

Download
memory/2748-179-0x0000000000400000-0x000000000071B000-memory.dmp

Filesize
3.1MB

Download
memory/2748-199-0x0000000000400000-0x000000000071B000-memory.dmp

Filesize
3.1MB

Download
memory/2748-122-0x0000000000400000-0x000000000071B000-memory.dmp

Filesize
3.1MB

Download
memory/2876-0-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2876-26-0x0000000000400000-0x000000000071B000-memory.dmp

Filesize
3.1MB

Download
memory/2952-67-0x0000000000E50000-0x00000000010CE000-memory.dmp

Filesize
2.5MB

Download
memory/3004-71-0x0000000000400000-0x000000000074D000-memory.dmp

Filesize
3.3MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads