xred | f642d048f822c9b363135f29b649077f9d5371460644add8a38cd1211aa76e4b

Analysis

max time kernel
143s
max time network
133s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
10/04/2025, 21:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-04-10_946803c996f7c32f754b4e864a1e4ac5_amadey_darkgate_elex_magniber_poet-rat_rhadamanthys_smoke-loader.exe
Size

28.7MB
MD5

946803c996f7c32f754b4e864a1e4ac5
SHA1

c982b2e7dd6844327f4a77e9a8365067345670ae
SHA256

f642d048f822c9b363135f29b649077f9d5371460644add8a38cd1211aa76e4b
SHA512

b57e51b90fb25701cdb1bda2717d6a836643bee8d8b1f7729b0c1d8a9b5cbcce1eba35b028f21cfef851de446c6ef4ed23feaf8849820ba8b385572b018fb251
SSDEEP

393216:Bn1a552kjgDWzYQqD/Jf59RqWEOax8eX+bLJItmNiL5yTG1M16PExfe9zMHl:J1aljQWz0xRqbGeO8m4ll8f1Hl

Score

10^/10

xred backdoor discovery persistence

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	Synaptics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	Synaptics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	2025-04-10_946803c996f7c32f754b4e864a1e4ac5_amadey_darkgate_elex_magniber_poet-rat_rhadamanthys_smoke-loader.exe

Executes dropped EXE 7 IoCs

pid	Process
4864	._cache_2025-04-10_946803c996f7c32f754b4e864a1e4ac5_amadey_darkgate_elex_magniber_poet-rat_rhadamanthys_smoke-loader.exe
5068	Synaptics.exe
5092	Synaptics.exe
4116	._cache_Synaptics.exe
4728	._cache_Synaptics.exe
2844	._cache_Synaptics.exe
3200	._cache_Synaptics.exe

Loads dropped DLL 10 IoCs

pid	Process
4116	._cache_Synaptics.exe
4116	._cache_Synaptics.exe
4116	._cache_Synaptics.exe
4116	._cache_Synaptics.exe
4728	._cache_Synaptics.exe
4728	._cache_Synaptics.exe
4728	._cache_Synaptics.exe
4728	._cache_Synaptics.exe
2844	._cache_Synaptics.exe
3200	._cache_Synaptics.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	2025-04-10_946803c996f7c32f754b4e864a1e4ac5_amadey_darkgate_elex_magniber_poet-rat_rhadamanthys_smoke-loader.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\._cache_Synaptics.exe	Synaptics.exe
File opened for modification	C:\Windows\SysWOW64\._cache_Synaptics.exe	Synaptics.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4116 set thread context of 2844	4116	._cache_Synaptics.exe	101
PID 4728 set thread context of 3200	4728	._cache_Synaptics.exe	102

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1524	4864	WerFault.exe	89

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_2025-04-10_946803c996f7c32f754b4e864a1e4ac5_amadey_darkgate_elex_magniber_poet-rat_rhadamanthys_smoke-loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-10_946803c996f7c32f754b4e864a1e4ac5_amadey_darkgate_elex_magniber_poet-rat_rhadamanthys_smoke-loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language	._cache_Synaptics.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	2025-04-10_946803c996f7c32f754b4e864a1e4ac5_amadey_darkgate_elex_magniber_poet-rat_rhadamanthys_smoke-loader.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
4104	EXCEL.EXE

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
4116	._cache_Synaptics.exe
4728	._cache_Synaptics.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4104	EXCEL.EXE
4104	EXCEL.EXE
4104	EXCEL.EXE
4104	EXCEL.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3016 wrote to memory of 4864	3016	2025-04-10_946803c996f7c32f754b4e864a1e4ac5_amadey_darkgate_elex_magniber_poet-rat_rhadamanthys_smoke-loader.exe	89
PID 3016 wrote to memory of 4864	3016	2025-04-10_946803c996f7c32f754b4e864a1e4ac5_amadey_darkgate_elex_magniber_poet-rat_rhadamanthys_smoke-loader.exe	89
PID 3016 wrote to memory of 4864	3016	2025-04-10_946803c996f7c32f754b4e864a1e4ac5_amadey_darkgate_elex_magniber_poet-rat_rhadamanthys_smoke-loader.exe	89
PID 3016 wrote to memory of 5068	3016	2025-04-10_946803c996f7c32f754b4e864a1e4ac5_amadey_darkgate_elex_magniber_poet-rat_rhadamanthys_smoke-loader.exe	95
PID 3016 wrote to memory of 5068	3016	2025-04-10_946803c996f7c32f754b4e864a1e4ac5_amadey_darkgate_elex_magniber_poet-rat_rhadamanthys_smoke-loader.exe	95
PID 3016 wrote to memory of 5068	3016	2025-04-10_946803c996f7c32f754b4e864a1e4ac5_amadey_darkgate_elex_magniber_poet-rat_rhadamanthys_smoke-loader.exe	95
PID 744 wrote to memory of 5092	744	cmd.exe	96
PID 744 wrote to memory of 5092	744	cmd.exe	96
PID 744 wrote to memory of 5092	744	cmd.exe	96
PID 5068 wrote to memory of 4116	5068	Synaptics.exe	99
PID 5068 wrote to memory of 4116	5068	Synaptics.exe	99
PID 5068 wrote to memory of 4116	5068	Synaptics.exe	99
PID 5092 wrote to memory of 4728	5092	Synaptics.exe	100
PID 5092 wrote to memory of 4728	5092	Synaptics.exe	100
PID 5092 wrote to memory of 4728	5092	Synaptics.exe	100
PID 4116 wrote to memory of 2844	4116	._cache_Synaptics.exe	101
PID 4728 wrote to memory of 3200	4728	._cache_Synaptics.exe	102
PID 4116 wrote to memory of 2844	4116	._cache_Synaptics.exe	101
PID 4116 wrote to memory of 2844	4116	._cache_Synaptics.exe	101
PID 4116 wrote to memory of 2844	4116	._cache_Synaptics.exe	101
PID 4116 wrote to memory of 2844	4116	._cache_Synaptics.exe	101
PID 4116 wrote to memory of 2844	4116	._cache_Synaptics.exe	101
PID 4116 wrote to memory of 2844	4116	._cache_Synaptics.exe	101
PID 4116 wrote to memory of 2844	4116	._cache_Synaptics.exe	101
PID 4116 wrote to memory of 2844	4116	._cache_Synaptics.exe	101
PID 4728 wrote to memory of 3200	4728	._cache_Synaptics.exe	102
PID 4728 wrote to memory of 3200	4728	._cache_Synaptics.exe	102
PID 4116 wrote to memory of 2844	4116	._cache_Synaptics.exe	101
PID 4116 wrote to memory of 2844	4116	._cache_Synaptics.exe	101
PID 4116 wrote to memory of 2844	4116	._cache_Synaptics.exe	101
PID 4116 wrote to memory of 2844	4116	._cache_Synaptics.exe	101
PID 4116 wrote to memory of 2844	4116	._cache_Synaptics.exe	101
PID 4116 wrote to memory of 2844	4116	._cache_Synaptics.exe	101
PID 4116 wrote to memory of 2844	4116	._cache_Synaptics.exe	101
PID 4116 wrote to memory of 2844	4116	._cache_Synaptics.exe	101
PID 4116 wrote to memory of 2844	4116	._cache_Synaptics.exe	101
PID 4116 wrote to memory of 2844	4116	._cache_Synaptics.exe	101
PID 4116 wrote to memory of 2844	4116	._cache_Synaptics.exe	101
PID 4116 wrote to memory of 2844	4116	._cache_Synaptics.exe	101
PID 4116 wrote to memory of 2844	4116	._cache_Synaptics.exe	101
PID 4116 wrote to memory of 2844	4116	._cache_Synaptics.exe	101
PID 4116 wrote to memory of 2844	4116	._cache_Synaptics.exe	101
PID 4116 wrote to memory of 2844	4116	._cache_Synaptics.exe	101
PID 4116 wrote to memory of 2844	4116	._cache_Synaptics.exe	101
PID 4116 wrote to memory of 2844	4116	._cache_Synaptics.exe	101
PID 4116 wrote to memory of 2844	4116	._cache_Synaptics.exe	101
PID 4116 wrote to memory of 2844	4116	._cache_Synaptics.exe	101
PID 4116 wrote to memory of 2844	4116	._cache_Synaptics.exe	101
PID 4116 wrote to memory of 2844	4116	._cache_Synaptics.exe	101
PID 4116 wrote to memory of 2844	4116	._cache_Synaptics.exe	101
PID 4116 wrote to memory of 2844	4116	._cache_Synaptics.exe	101
PID 4116 wrote to memory of 2844	4116	._cache_Synaptics.exe	101
PID 4116 wrote to memory of 2844	4116	._cache_Synaptics.exe	101
PID 4116 wrote to memory of 2844	4116	._cache_Synaptics.exe	101
PID 4116 wrote to memory of 2844	4116	._cache_Synaptics.exe	101
PID 4116 wrote to memory of 2844	4116	._cache_Synaptics.exe	101
PID 4116 wrote to memory of 2844	4116	._cache_Synaptics.exe	101
PID 4116 wrote to memory of 2844	4116	._cache_Synaptics.exe	101
PID 4116 wrote to memory of 2844	4116	._cache_Synaptics.exe	101
PID 4116 wrote to memory of 2844	4116	._cache_Synaptics.exe	101
PID 4116 wrote to memory of 2844	4116	._cache_Synaptics.exe	101
PID 4116 wrote to memory of 2844	4116	._cache_Synaptics.exe	101
PID 4116 wrote to memory of 2844	4116	._cache_Synaptics.exe	101
PID 4116 wrote to memory of 2844	4116	._cache_Synaptics.exe	101

C:\Users\Admin\AppData\Local\Temp\2025-04-10_946803c996f7c32f754b4e864a1e4ac5_amadey_darkgate_elex_magniber_poet-rat_rhadamanthys_smoke-loader.exe
"C:\Users\Admin\AppData\Local\Temp\2025-04-10_946803c996f7c32f754b4e864a1e4ac5_amadey_darkgate_elex_magniber_poet-rat_rhadamanthys_smoke-loader.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3016
- C:\Users\Admin\AppData\Local\Temp\._cache_2025-04-10_946803c996f7c32f754b4e864a1e4ac5_amadey_darkgate_elex_magniber_poet-rat_rhadamanthys_smoke-loader.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_2025-04-10_946803c996f7c32f754b4e864a1e4ac5_amadey_darkgate_elex_magniber_poet-rat_rhadamanthys_smoke-loader.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4864
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4864 -s 288
    3⤵
    - Program crash
    PID:1524
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:5068
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:4116
  - - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
      "D:\WoW!Keygen.exe" InjUpdate
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:2844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\Synaptics\Synaptics.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:744
- C:\ProgramData\Synaptics\Synaptics.exe
  C:\ProgramData\Synaptics\Synaptics.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:5092
- - C:\Windows\SysWOW64\._cache_Synaptics.exe
    "C:\Windows\system32\._cache_Synaptics.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:4728
  - - C:\Windows\SysWOW64\._cache_Synaptics.exe
      "D:\WoW!Keygen.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:3200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4864 -ip 4864
1⤵
PID:4920

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4104

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
28.7MB

MD5
946803c996f7c32f754b4e864a1e4ac5

SHA1
c982b2e7dd6844327f4a77e9a8365067345670ae

SHA256
f642d048f822c9b363135f29b649077f9d5371460644add8a38cd1211aa76e4b

SHA512
b57e51b90fb25701cdb1bda2717d6a836643bee8d8b1f7729b0c1d8a9b5cbcce1eba35b028f21cfef851de446c6ef4ed23feaf8849820ba8b385572b018fb251

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_2025-04-10_946803c996f7c32f754b4e864a1e4ac5_amadey_darkgate_elex_magniber_poet-rat_rhadamanthys_smoke-loader.exe

Filesize
28.0MB

MD5
3a94cd236f942e64bafef16d5a7cdd95

SHA1
92b9cf9c10f9082b21cdb26c3efa588059c2116a

SHA256
6c5e292be08b81a735649eb4b0d3a27a7d06fb88dac80281861a6e91dbcd253d

SHA512
2951d9893ed701f6525dca0a6aff1dcc12fc9474decf4a8da71a8615c978a09342d11e2603afd1f31dfdac39552278d03f5550df3cef6c18392a0789fb2c4e44

Download Submit
C:\Users\Admin\AppData\Local\Temp\cc3PLnwI.xlsm

Filesize
17KB

MD5
af4d37aad8b34471da588360a43e768a

SHA1
83ed64667d4e68ea531b8bcf58aab3ed4a5ca998

SHA256
e7550c3453156531308fda255a198c3710aa4bc7412819c180b103c11e85cef1

SHA512
74f5000038c47b7c909c4ee5740e0e87cac12c9c96fff8b1c7ec749541ee3d4b7efd80f9ac02cd39809dca3f2707d0063fa852a3a541342d93a9d03de08823da

Download Submit
C:\Users\Admin\AppData\Roaming\Thinstall\WoW!Keygen\Registry.rw.tvr

Filesize
4KB

MD5
805b9b383b37e8fd96d91ae89167060d

SHA1
9e4fe940881b46bfae999c7ab3d6db3cf0be41c2

SHA256
6bc1bd7e5ea7995ce8cd331b93aec9a1df306b99db077c263d460749876c68c4

SHA512
2b2d48988a869e46e6ea78cc6142ece6d007c4017fc51f60fb80a93c3235116f057a072cd977ce4542f07c852aa0d2974b5e1fff305b545a92c7b88c10cc827c

Download Submit
C:\Users\Admin\AppData\Roaming\Thinstall\WoW!Keygen\Registry.rw.tvr.lck

Filesize
60B

MD5
4f0c9adcee6f8fa7029569c588168ad2

SHA1
668746fb9ff9b5df193ea08f13c6bc9bcd9ad03a

SHA256
91f5ef1b41a01ea33a1f31c1ab5a8fbbcb83cb03428f56c89f2ceed2cc50ccb5

SHA512
73e03039d168701aff68834c31f194c69bd0ae60c799f072ae0271201b4fb3b7511e1a703f7bbb7473d75cdfb1406c39021fd177d95ca9d1408bffa8e9b45e54

Download Submit
C:\Users\Admin\AppData\Roaming\Thinstall\WoW!Keygen\Registry.rw.tvr.transact

Filesize
4KB

MD5
490d5b3dea1c8565ef8625efde5b514d

SHA1
88310fb0daa1e50015fac4b4d3d3d2148ba447fe

SHA256
46c5242dcc98271949a17dafff7f0965a45aa4ecdf83393520ced33e680f6f70

SHA512
6a26bc6db1abc05200c913254472112c59b50a277ed1aec0287c6d668c6258c7fad8ed26d18c7e3ab0a9b8821243337b2b1648c6da12615d9a543057ca8ee9ff

Download Submit
C:\Users\Admin\AppData\Roaming\Thinstall\WoW!Keygen\SKEL\4772-1.manifest

Filesize
1KB

MD5
25c689fdb02074ecfa5d2a35897cfa57

SHA1
e29805eae83fbf6d279c5de8cad8b388f199cd23

SHA256
a718db4d5c37a2d4c752b7ad989484bbc9d9a282db31f30fa39b923b9b65e6da

SHA512
b4d13f89330ed6e3bea377c477670df57e62d42996974251f8aa28ddd13d3720f033c0e93d0f909fd225fd85f446bcf2de0bfd52a4e24db911895a3f27911730

Download Submit
C:\Users\Admin\AppData\Roaming\Thinstall\WoW!Keygen\SKEL\53e20fd995c151aff7e7fdd8fce6acce1d8ca25d.SharedTA

Filesize
5.9MB

MD5
308277f44bc23c338fada09d1efcaf1c

SHA1
53e20fd995c151aff7e7fdd8fce6acce1d8ca25d

SHA256
75f863c499b3a1ca16af80705c2a42558082b544ec809a87fd06746f7e0d10e9

SHA512
1149ce07864c473cce56981e8ffd77c7bfe6e3a6e005846345b362d6efc6fb6c217b72255938b79d3714c531b9fc9eec0141de75ab3bda750db8b714574db77e

Download Submit
memory/2844-571-0x0000000000400000-0x0000000001CBB000-memory.dmp

Filesize
24.7MB

Download
memory/2844-367-0x0000000000400000-0x0000000001CBB000-memory.dmp

Filesize
24.7MB

Download
memory/3016-0-0x0000000003E10000-0x0000000003E11000-memory.dmp

Filesize
4KB

Download
memory/3016-109-0x0000000000400000-0x00000000020C2000-memory.dmp

Filesize
28.8MB

Download
memory/3200-390-0x0000000000400000-0x0000000001CBB000-memory.dmp

Filesize
24.7MB

Download
memory/3200-555-0x0000000000400000-0x0000000001CBB000-memory.dmp

Filesize
24.7MB

Download
memory/4116-241-0x000000007FFA0000-0x000000007FFDC000-memory.dmp

Filesize
240KB

Download
memory/4116-238-0x000000007FFA0000-0x000000007FFDC000-memory.dmp

Filesize
240KB

Download
memory/4116-360-0x0000000002310000-0x0000000002311000-memory.dmp

Filesize
4KB

Download
memory/4116-359-0x0000000002250000-0x0000000002251000-memory.dmp

Filesize
4KB

Download
memory/4116-236-0x000000007FFA0000-0x000000007FFDC000-memory.dmp

Filesize
240KB

Download
memory/4116-253-0x000000007FDF0000-0x000000007FF9E000-memory.dmp

Filesize
1.7MB

Download
memory/4116-259-0x000000007FDF0000-0x000000007FF9E000-memory.dmp

Filesize
1.7MB

Download
memory/4116-255-0x000000007FDF0000-0x000000007FF9E000-memory.dmp

Filesize
1.7MB

Download
memory/4116-256-0x000000007FDF0000-0x000000007FF9E000-memory.dmp

Filesize
1.7MB

Download
memory/4116-229-0x000000007FFA0000-0x000000007FFDC000-memory.dmp

Filesize
240KB

Download
memory/4116-230-0x000000007FFA0000-0x000000007FFDC000-memory.dmp

Filesize
240KB

Download
memory/4116-231-0x000000007FFA0000-0x000000007FFDC000-memory.dmp

Filesize
240KB

Download
memory/4116-232-0x000000007FFA0000-0x000000007FFDC000-memory.dmp

Filesize
240KB

Download
memory/4116-233-0x000000007FFA0000-0x000000007FFDC000-memory.dmp

Filesize
240KB

Download
memory/4116-234-0x000000007FFA0000-0x000000007FFDC000-memory.dmp

Filesize
240KB

Download
memory/4116-235-0x000000007FFA0000-0x000000007FFDC000-memory.dmp

Filesize
240KB

Download
memory/4116-237-0x000000007FFA0000-0x000000007FFDC000-memory.dmp

Filesize
240KB

Download
memory/4116-372-0x0000000002680000-0x0000000003F3B000-memory.dmp

Filesize
24.7MB

Download
memory/4116-239-0x000000007FFA0000-0x000000007FFDC000-memory.dmp

Filesize
240KB

Download
memory/4116-240-0x000000007FFA0000-0x000000007FFDC000-memory.dmp

Filesize
240KB

Download
memory/4116-242-0x000000007FFA0000-0x000000007FFDC000-memory.dmp

Filesize
240KB

Download
memory/4116-243-0x000000007FFA0000-0x000000007FFDC000-memory.dmp

Filesize
240KB

Download
memory/4116-244-0x000000007FFA0000-0x000000007FFDC000-memory.dmp

Filesize
240KB

Download
memory/4116-245-0x000000007FFA0000-0x000000007FFDC000-memory.dmp

Filesize
240KB

Download
memory/4116-246-0x000000007FFA0000-0x000000007FFDC000-memory.dmp

Filesize
240KB

Download
memory/4116-247-0x000000007FFA0000-0x000000007FFDC000-memory.dmp

Filesize
240KB

Download
memory/4116-258-0x000000007FDF0000-0x000000007FF9E000-memory.dmp

Filesize
1.7MB

Download
memory/4116-248-0x000000007FFA0000-0x000000007FFDC000-memory.dmp

Filesize
240KB

Download
memory/4116-257-0x000000007FDF0000-0x000000007FF9E000-memory.dmp

Filesize
1.7MB

Download
memory/4116-254-0x000000007FDF0000-0x000000007FF9E000-memory.dmp

Filesize
1.7MB

Download
memory/4116-252-0x000000007FDF0000-0x000000007FF9E000-memory.dmp

Filesize
1.7MB

Download
memory/4116-251-0x000000007FDF0000-0x000000007FF9E000-memory.dmp

Filesize
1.7MB

Download
memory/4116-250-0x000000007FFA0000-0x000000007FFDC000-memory.dmp

Filesize
240KB

Download
memory/4116-249-0x000000007FFA0000-0x000000007FFDC000-memory.dmp

Filesize
240KB

Download
memory/4728-276-0x000000007FFA0000-0x000000007FFDC000-memory.dmp

Filesize
240KB

Download
memory/4728-282-0x000000007FFA0000-0x000000007FFDC000-memory.dmp

Filesize
240KB

Download
memory/4728-391-0x00000000028C0000-0x000000000417B000-memory.dmp

Filesize
24.7MB

Download
memory/4728-267-0x000000007FFA0000-0x000000007FFDC000-memory.dmp

Filesize
240KB

Download
memory/4728-268-0x000000007FFA0000-0x000000007FFDC000-memory.dmp

Filesize
240KB

Download
memory/4728-269-0x000000007FFA0000-0x000000007FFDC000-memory.dmp

Filesize
240KB

Download
memory/4728-373-0x00000000022D0000-0x00000000022D1000-memory.dmp

Filesize
4KB

Download
memory/4728-270-0x000000007FFA0000-0x000000007FFDC000-memory.dmp

Filesize
240KB

Download
memory/4728-271-0x000000007FFA0000-0x000000007FFDC000-memory.dmp

Filesize
240KB

Download
memory/4728-287-0x000000007FFA0000-0x000000007FFDC000-memory.dmp

Filesize
240KB

Download
memory/4728-272-0x000000007FFA0000-0x000000007FFDC000-memory.dmp

Filesize
240KB

Download
memory/4728-273-0x000000007FFA0000-0x000000007FFDC000-memory.dmp

Filesize
240KB

Download
memory/4728-274-0x000000007FFA0000-0x000000007FFDC000-memory.dmp

Filesize
240KB

Download
memory/4728-275-0x000000007FFA0000-0x000000007FFDC000-memory.dmp

Filesize
240KB

Download
memory/4728-283-0x000000007FFA0000-0x000000007FFDC000-memory.dmp

Filesize
240KB

Download
memory/4728-278-0x000000007FFA0000-0x000000007FFDC000-memory.dmp

Filesize
240KB

Download
memory/4728-279-0x000000007FFA0000-0x000000007FFDC000-memory.dmp

Filesize
240KB

Download
memory/4728-280-0x000000007FFA0000-0x000000007FFDC000-memory.dmp

Filesize
240KB

Download
memory/4728-281-0x000000007FFA0000-0x000000007FFDC000-memory.dmp

Filesize
240KB

Download
memory/4728-277-0x000000007FFA0000-0x000000007FFDC000-memory.dmp

Filesize
240KB

Download
memory/4728-284-0x000000007FFA0000-0x000000007FFDC000-memory.dmp

Filesize
240KB

Download
memory/4728-285-0x000000007FFA0000-0x000000007FFDC000-memory.dmp

Filesize
240KB

Download
memory/4728-286-0x000000007FFA0000-0x000000007FFDC000-memory.dmp

Filesize
240KB

Download
memory/4728-288-0x000000007FFA0000-0x000000007FFDC000-memory.dmp

Filesize
240KB

Download
memory/4864-113-0x0000000079BF0000-0x0000000079BF6000-memory.dmp

Filesize
24KB

Download
memory/4864-61-0x0000000079BF0000-0x0000000079BF6000-memory.dmp

Filesize
24KB

Download
memory/4864-62-0x000000007FFA0000-0x000000007FFDC000-memory.dmp

Filesize
240KB

Download
memory/4864-63-0x000000007FFA0000-0x000000007FFDC000-memory.dmp

Filesize
240KB

Download
memory/4864-65-0x000000007FFA0000-0x000000007FFDC000-memory.dmp

Filesize
240KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v16

Replay Monitor

Loading Replay Monitor...

Downloads