xred | f642d048f822c9b363135f29b649077f9d5371460644add8a38cd1211aa76e4b

Analysis

max time kernel
41s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
10/04/2025, 21:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-04-10_946803c996f7c32f754b4e864a1e4ac5_amadey_darkgate_elex_magniber_poet-rat_rhadamanthys_smoke-loader.exe
Size

28.7MB
MD5

946803c996f7c32f754b4e864a1e4ac5
SHA1

c982b2e7dd6844327f4a77e9a8365067345670ae
SHA256

f642d048f822c9b363135f29b649077f9d5371460644add8a38cd1211aa76e4b
SHA512

b57e51b90fb25701cdb1bda2717d6a836643bee8d8b1f7729b0c1d8a9b5cbcce1eba35b028f21cfef851de446c6ef4ed23feaf8849820ba8b385572b018fb251
SSDEEP

393216:Bn1a552kjgDWzYQqD/Jf59RqWEOax8eX+bLJItmNiL5yTG1M16PExfe9zMHl:J1aljQWz0xRqbGeO8m4ll8f1Hl

Score

10^/10

xred backdoor discovery persistence

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	2025-04-10_946803c996f7c32f754b4e864a1e4ac5_amadey_darkgate_elex_magniber_poet-rat_rhadamanthys_smoke-loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	Synaptics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	Synaptics.exe

Executes dropped EXE 7 IoCs

pid	Process
3832	._cache_2025-04-10_946803c996f7c32f754b4e864a1e4ac5_amadey_darkgate_elex_magniber_poet-rat_rhadamanthys_smoke-loader.exe
1972	Synaptics.exe
776	Synaptics.exe
4008	._cache_Synaptics.exe
736	._cache_Synaptics.exe
1756	._cache_Synaptics.exe
3204	._cache_Synaptics.exe

Loads dropped DLL 10 IoCs

pid	Process
4008	._cache_Synaptics.exe
4008	._cache_Synaptics.exe
4008	._cache_Synaptics.exe
4008	._cache_Synaptics.exe
736	._cache_Synaptics.exe
1756	._cache_Synaptics.exe
1756	._cache_Synaptics.exe
1756	._cache_Synaptics.exe
1756	._cache_Synaptics.exe
3204	._cache_Synaptics.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	2025-04-10_946803c996f7c32f754b4e864a1e4ac5_amadey_darkgate_elex_magniber_poet-rat_rhadamanthys_smoke-loader.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\._cache_Synaptics.exe	Synaptics.exe
File opened for modification	C:\Windows\SysWOW64\._cache_Synaptics.exe	Synaptics.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4008 set thread context of 736	4008	._cache_Synaptics.exe	101
PID 1756 set thread context of 3204	1756	._cache_Synaptics.exe	105

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2352	3832	WerFault.exe	89

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-10_946803c996f7c32f754b4e864a1e4ac5_amadey_darkgate_elex_magniber_poet-rat_rhadamanthys_smoke-loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_2025-04-10_946803c996f7c32f754b4e864a1e4ac5_amadey_darkgate_elex_magniber_poet-rat_rhadamanthys_smoke-loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language	._cache_Synaptics.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	2025-04-10_946803c996f7c32f754b4e864a1e4ac5_amadey_darkgate_elex_magniber_poet-rat_rhadamanthys_smoke-loader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
5416	EXCEL.EXE

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
4008	._cache_Synaptics.exe
1756	._cache_Synaptics.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
5416	EXCEL.EXE
5416	EXCEL.EXE
5416	EXCEL.EXE
5416	EXCEL.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 212 wrote to memory of 3832	212	2025-04-10_946803c996f7c32f754b4e864a1e4ac5_amadey_darkgate_elex_magniber_poet-rat_rhadamanthys_smoke-loader.exe	89
PID 212 wrote to memory of 3832	212	2025-04-10_946803c996f7c32f754b4e864a1e4ac5_amadey_darkgate_elex_magniber_poet-rat_rhadamanthys_smoke-loader.exe	89
PID 212 wrote to memory of 3832	212	2025-04-10_946803c996f7c32f754b4e864a1e4ac5_amadey_darkgate_elex_magniber_poet-rat_rhadamanthys_smoke-loader.exe	89
PID 4848 wrote to memory of 1972	4848	cmd.exe	95
PID 4848 wrote to memory of 1972	4848	cmd.exe	95
PID 4848 wrote to memory of 1972	4848	cmd.exe	95
PID 212 wrote to memory of 776	212	2025-04-10_946803c996f7c32f754b4e864a1e4ac5_amadey_darkgate_elex_magniber_poet-rat_rhadamanthys_smoke-loader.exe	96
PID 212 wrote to memory of 776	212	2025-04-10_946803c996f7c32f754b4e864a1e4ac5_amadey_darkgate_elex_magniber_poet-rat_rhadamanthys_smoke-loader.exe	96
PID 212 wrote to memory of 776	212	2025-04-10_946803c996f7c32f754b4e864a1e4ac5_amadey_darkgate_elex_magniber_poet-rat_rhadamanthys_smoke-loader.exe	96
PID 1972 wrote to memory of 4008	1972	Synaptics.exe	99
PID 1972 wrote to memory of 4008	1972	Synaptics.exe	99
PID 1972 wrote to memory of 4008	1972	Synaptics.exe	99
PID 4008 wrote to memory of 736	4008	._cache_Synaptics.exe	101
PID 4008 wrote to memory of 736	4008	._cache_Synaptics.exe	101
PID 4008 wrote to memory of 736	4008	._cache_Synaptics.exe	101
PID 4008 wrote to memory of 736	4008	._cache_Synaptics.exe	101
PID 4008 wrote to memory of 736	4008	._cache_Synaptics.exe	101
PID 4008 wrote to memory of 736	4008	._cache_Synaptics.exe	101
PID 4008 wrote to memory of 736	4008	._cache_Synaptics.exe	101
PID 4008 wrote to memory of 736	4008	._cache_Synaptics.exe	101
PID 4008 wrote to memory of 736	4008	._cache_Synaptics.exe	101
PID 4008 wrote to memory of 736	4008	._cache_Synaptics.exe	101
PID 4008 wrote to memory of 736	4008	._cache_Synaptics.exe	101
PID 4008 wrote to memory of 736	4008	._cache_Synaptics.exe	101
PID 4008 wrote to memory of 736	4008	._cache_Synaptics.exe	101
PID 4008 wrote to memory of 736	4008	._cache_Synaptics.exe	101
PID 4008 wrote to memory of 736	4008	._cache_Synaptics.exe	101
PID 4008 wrote to memory of 736	4008	._cache_Synaptics.exe	101
PID 4008 wrote to memory of 736	4008	._cache_Synaptics.exe	101
PID 4008 wrote to memory of 736	4008	._cache_Synaptics.exe	101
PID 4008 wrote to memory of 736	4008	._cache_Synaptics.exe	101
PID 4008 wrote to memory of 736	4008	._cache_Synaptics.exe	101
PID 4008 wrote to memory of 736	4008	._cache_Synaptics.exe	101
PID 4008 wrote to memory of 736	4008	._cache_Synaptics.exe	101
PID 4008 wrote to memory of 736	4008	._cache_Synaptics.exe	101
PID 4008 wrote to memory of 736	4008	._cache_Synaptics.exe	101
PID 4008 wrote to memory of 736	4008	._cache_Synaptics.exe	101
PID 4008 wrote to memory of 736	4008	._cache_Synaptics.exe	101
PID 4008 wrote to memory of 736	4008	._cache_Synaptics.exe	101
PID 4008 wrote to memory of 736	4008	._cache_Synaptics.exe	101
PID 4008 wrote to memory of 736	4008	._cache_Synaptics.exe	101
PID 4008 wrote to memory of 736	4008	._cache_Synaptics.exe	101
PID 4008 wrote to memory of 736	4008	._cache_Synaptics.exe	101
PID 4008 wrote to memory of 736	4008	._cache_Synaptics.exe	101
PID 4008 wrote to memory of 736	4008	._cache_Synaptics.exe	101
PID 4008 wrote to memory of 736	4008	._cache_Synaptics.exe	101
PID 4008 wrote to memory of 736	4008	._cache_Synaptics.exe	101
PID 4008 wrote to memory of 736	4008	._cache_Synaptics.exe	101
PID 4008 wrote to memory of 736	4008	._cache_Synaptics.exe	101
PID 4008 wrote to memory of 736	4008	._cache_Synaptics.exe	101
PID 4008 wrote to memory of 736	4008	._cache_Synaptics.exe	101
PID 4008 wrote to memory of 736	4008	._cache_Synaptics.exe	101
PID 4008 wrote to memory of 736	4008	._cache_Synaptics.exe	101
PID 4008 wrote to memory of 736	4008	._cache_Synaptics.exe	101
PID 4008 wrote to memory of 736	4008	._cache_Synaptics.exe	101
PID 4008 wrote to memory of 736	4008	._cache_Synaptics.exe	101
PID 4008 wrote to memory of 736	4008	._cache_Synaptics.exe	101
PID 4008 wrote to memory of 736	4008	._cache_Synaptics.exe	101
PID 4008 wrote to memory of 736	4008	._cache_Synaptics.exe	101
PID 4008 wrote to memory of 736	4008	._cache_Synaptics.exe	101
PID 4008 wrote to memory of 736	4008	._cache_Synaptics.exe	101
PID 4008 wrote to memory of 736	4008	._cache_Synaptics.exe	101
PID 4008 wrote to memory of 736	4008	._cache_Synaptics.exe	101
PID 4008 wrote to memory of 736	4008	._cache_Synaptics.exe	101

C:\Users\Admin\AppData\Local\Temp\2025-04-10_946803c996f7c32f754b4e864a1e4ac5_amadey_darkgate_elex_magniber_poet-rat_rhadamanthys_smoke-loader.exe
"C:\Users\Admin\AppData\Local\Temp\2025-04-10_946803c996f7c32f754b4e864a1e4ac5_amadey_darkgate_elex_magniber_poet-rat_rhadamanthys_smoke-loader.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:212
- C:\Users\Admin\AppData\Local\Temp\._cache_2025-04-10_946803c996f7c32f754b4e864a1e4ac5_amadey_darkgate_elex_magniber_poet-rat_rhadamanthys_smoke-loader.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_2025-04-10_946803c996f7c32f754b4e864a1e4ac5_amadey_darkgate_elex_magniber_poet-rat_rhadamanthys_smoke-loader.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3832
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3832 -s 284
    3⤵
    - Program crash
    PID:2352
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:776
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: MapViewOfSection
    PID:1756
  - - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
      "D:\WoW!Keygen.exe" InjUpdate
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3832 -ip 3832
1⤵
PID:2860

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\Synaptics\Synaptics.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4848
- C:\ProgramData\Synaptics\Synaptics.exe
  C:\ProgramData\Synaptics\Synaptics.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1972
- - C:\Windows\SysWOW64\._cache_Synaptics.exe
    "C:\Windows\system32\._cache_Synaptics.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:4008
  - - C:\Windows\SysWOW64\._cache_Synaptics.exe
      "D:\WoW!Keygen.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:736

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:5416

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
28.7MB

MD5
946803c996f7c32f754b4e864a1e4ac5

SHA1
c982b2e7dd6844327f4a77e9a8365067345670ae

SHA256
f642d048f822c9b363135f29b649077f9d5371460644add8a38cd1211aa76e4b

SHA512
b57e51b90fb25701cdb1bda2717d6a836643bee8d8b1f7729b0c1d8a9b5cbcce1eba35b028f21cfef851de446c6ef4ed23feaf8849820ba8b385572b018fb251

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_2025-04-10_946803c996f7c32f754b4e864a1e4ac5_amadey_darkgate_elex_magniber_poet-rat_rhadamanthys_smoke-loader.exe

Filesize
28.0MB

MD5
3a94cd236f942e64bafef16d5a7cdd95

SHA1
92b9cf9c10f9082b21cdb26c3efa588059c2116a

SHA256
6c5e292be08b81a735649eb4b0d3a27a7d06fb88dac80281861a6e91dbcd253d

SHA512
2951d9893ed701f6525dca0a6aff1dcc12fc9474decf4a8da71a8615c978a09342d11e2603afd1f31dfdac39552278d03f5550df3cef6c18392a0789fb2c4e44

Download Submit
C:\Users\Admin\AppData\Local\Temp\iiXehRrq.xlsm

Filesize
17KB

MD5
af4d37aad8b34471da588360a43e768a

SHA1
83ed64667d4e68ea531b8bcf58aab3ed4a5ca998

SHA256
e7550c3453156531308fda255a198c3710aa4bc7412819c180b103c11e85cef1

SHA512
74f5000038c47b7c909c4ee5740e0e87cac12c9c96fff8b1c7ec749541ee3d4b7efd80f9ac02cd39809dca3f2707d0063fa852a3a541342d93a9d03de08823da

Download Submit
C:\Users\Admin\AppData\Roaming\Thinstall\WoW!Keygen\Registry.rw.tvr

Filesize
4KB

MD5
0d247d007b73a1d7ac3c8a65ed69ddb3

SHA1
0415281197f211b3b222481bfe5a6b00cd6344a4

SHA256
6dfb85b1dc4627df329aab77b27fd9e341b2dc5d13f741c48156c1b0949837b3

SHA512
01e094e1a5b511ca1dabd0c064007845329854d7fa87651516c68057bab14f1c538492c912d82f63e9bc20976ca1ba13fd70f268d70a1acf359a7fa16d0ba929

Download Submit
C:\Users\Admin\AppData\Roaming\Thinstall\WoW!Keygen\Registry.rw.tvr.lck

Filesize
60B

MD5
7add0384dc9ba7cedb04e4929ee70a6d

SHA1
6871b4e01fc3e5bce57ecdca23fcdd433d0936e1

SHA256
ddbffb98655360dde06962003f02ffd951501dd902b40974e198e187b3f2a8d3

SHA512
cab3945eb36dc52277439a699e9258a5c506d4ca5d915cf3c1f1d81b3436255c68738d32f591babdf938f0330af69c41515c958987b4865665ef4263b250d774

Download Submit
C:\Users\Admin\AppData\Roaming\Thinstall\WoW!Keygen\Registry.rw.tvr.transact

Filesize
4KB

MD5
cfc6a35b4b5f151d01ded8af9ac6a4ee

SHA1
f94c02db7c94eeb85fa97437559416a82b99dceb

SHA256
02706f4c4212def65afc1194c9d8bff6e63b13b660f9ee8a2b4bde0bf9662f3c

SHA512
cfd26257090d7ab439445fd01739709f714d7f47996df6b22f3361441d7798b3374a8ebc8e42d029b42a19028577281d9ce67075c62c149af8e09c2766623180

Download Submit
C:\Users\Admin\AppData\Roaming\Thinstall\WoW!Keygen\SKEL\53e20fd995c151aff7e7fdd8fce6acce1d8ca25d.SharedTA

Filesize
5.9MB

MD5
308277f44bc23c338fada09d1efcaf1c

SHA1
53e20fd995c151aff7e7fdd8fce6acce1d8ca25d

SHA256
75f863c499b3a1ca16af80705c2a42558082b544ec809a87fd06746f7e0d10e9

SHA512
1149ce07864c473cce56981e8ffd77c7bfe6e3a6e005846345b362d6efc6fb6c217b72255938b79d3714c531b9fc9eec0141de75ab3bda750db8b714574db77e

Download Submit
C:\Users\Admin\AppData\Roaming\Thinstall\WoW!Keygen\SKEL\5600-1.manifest

Filesize
1KB

MD5
25c689fdb02074ecfa5d2a35897cfa57

SHA1
e29805eae83fbf6d279c5de8cad8b388f199cd23

SHA256
a718db4d5c37a2d4c752b7ad989484bbc9d9a282db31f30fa39b923b9b65e6da

SHA512
b4d13f89330ed6e3bea377c477670df57e62d42996974251f8aa28ddd13d3720f033c0e93d0f909fd225fd85f446bcf2de0bfd52a4e24db911895a3f27911730

Download Submit
memory/212-107-0x0000000000400000-0x00000000020C2000-memory.dmp

Filesize
28.8MB

Download
memory/212-0-0x00000000023B0000-0x00000000023B1000-memory.dmp

Filesize
4KB

Download
memory/736-297-0x0000000000400000-0x0000000001CBB000-memory.dmp

Filesize
24.7MB

Download
memory/736-562-0x0000000000400000-0x0000000001CBB000-memory.dmp

Filesize
24.7MB

Download
memory/1756-397-0x00000000022E0000-0x00000000022E1000-memory.dmp

Filesize
4KB

Download
memory/1756-421-0x00000000027B0000-0x000000000406B000-memory.dmp

Filesize
24.7MB

Download
memory/3204-577-0x0000000000400000-0x0000000001CBB000-memory.dmp

Filesize
24.7MB

Download
memory/3832-61-0x000000007FFA0000-0x000000007FFDC000-memory.dmp

Filesize
240KB

Download
memory/3832-62-0x000000007FFA0000-0x000000007FFDC000-memory.dmp

Filesize
240KB

Download
memory/3832-64-0x000000007FFA0000-0x000000007FFDC000-memory.dmp

Filesize
240KB

Download
memory/3832-65-0x0000000079BF0000-0x0000000079BF6000-memory.dmp

Filesize
24KB

Download
memory/4008-244-0x000000007FDF0000-0x000000007FF9E000-memory.dmp

Filesize
1.7MB

Download
memory/4008-235-0x000000007FFA0000-0x000000007FFDC000-memory.dmp

Filesize
240KB

Download
memory/4008-272-0x000000007FDF0000-0x000000007FF9E000-memory.dmp

Filesize
1.7MB

Download
memory/4008-268-0x000000007FDF0000-0x000000007FF9E000-memory.dmp

Filesize
1.7MB

Download
memory/4008-266-0x000000007FDF0000-0x000000007FF9E000-memory.dmp

Filesize
1.7MB

Download
memory/4008-257-0x000000007FDF0000-0x000000007FF9E000-memory.dmp

Filesize
1.7MB

Download
memory/4008-256-0x000000007FDF0000-0x000000007FF9E000-memory.dmp

Filesize
1.7MB

Download
memory/4008-255-0x000000007FDF0000-0x000000007FF9E000-memory.dmp

Filesize
1.7MB

Download
memory/4008-254-0x0000000002220000-0x000000000222C000-memory.dmp

Filesize
48KB

Download
memory/4008-253-0x000000007FDF0000-0x000000007FF9E000-memory.dmp

Filesize
1.7MB

Download
memory/4008-252-0x000000007FDF0000-0x000000007FF9E000-memory.dmp

Filesize
1.7MB

Download
memory/4008-249-0x000000007FDF0000-0x000000007FF9E000-memory.dmp

Filesize
1.7MB

Download
memory/4008-247-0x000000007FDF0000-0x000000007FF9E000-memory.dmp

Filesize
1.7MB

Download
memory/4008-246-0x000000007FDF0000-0x000000007FF9E000-memory.dmp

Filesize
1.7MB

Download
memory/4008-245-0x000000007FDF0000-0x000000007FF9E000-memory.dmp

Filesize
1.7MB

Download
memory/4008-243-0x000000007FDF0000-0x000000007FF9E000-memory.dmp

Filesize
1.7MB

Download
memory/4008-242-0x000000007FFA0000-0x000000007FFDC000-memory.dmp

Filesize
240KB

Download
memory/4008-241-0x000000007FFA0000-0x000000007FFDC000-memory.dmp

Filesize
240KB

Download
memory/4008-240-0x000000007FFA0000-0x000000007FFDC000-memory.dmp

Filesize
240KB

Download
memory/4008-239-0x000000007FFA0000-0x000000007FFDC000-memory.dmp

Filesize
240KB

Download
memory/4008-238-0x000000007FFA0000-0x000000007FFDC000-memory.dmp

Filesize
240KB

Download
memory/4008-237-0x000000007FFA0000-0x000000007FFDC000-memory.dmp

Filesize
240KB

Download
memory/4008-236-0x000000007FFA0000-0x000000007FFDC000-memory.dmp

Filesize
240KB

Download
memory/4008-248-0x000000007FDF0000-0x000000007FF9E000-memory.dmp

Filesize
1.7MB

Download
memory/4008-234-0x000000007FFA0000-0x000000007FFDC000-memory.dmp

Filesize
240KB

Download
memory/4008-233-0x000000007FFA0000-0x000000007FFDC000-memory.dmp

Filesize
240KB

Download
memory/4008-232-0x000000007FFA0000-0x000000007FFDC000-memory.dmp

Filesize
240KB

Download
memory/4008-231-0x000000007FFA0000-0x000000007FFDC000-memory.dmp

Filesize
240KB

Download
memory/4008-230-0x000000007FFA0000-0x000000007FFDC000-memory.dmp

Filesize
240KB

Download
memory/4008-229-0x000000007FFA0000-0x000000007FFDC000-memory.dmp

Filesize
240KB

Download
memory/4008-228-0x000000007FFA0000-0x000000007FFDC000-memory.dmp

Filesize
240KB

Download
memory/4008-226-0x000000007FFA0000-0x000000007FFDC000-memory.dmp

Filesize
240KB

Download
memory/4008-225-0x000000007FFA0000-0x000000007FFDC000-memory.dmp

Filesize
240KB

Download
memory/4008-224-0x000000007FFA0000-0x000000007FFDC000-memory.dmp

Filesize
240KB

Download
memory/4008-223-0x000000007FFA0000-0x000000007FFDC000-memory.dmp

Filesize
240KB

Download
memory/4008-222-0x000000007FFA0000-0x000000007FFDC000-memory.dmp

Filesize
240KB

Download
memory/4008-221-0x000000007FFA0000-0x000000007FFDC000-memory.dmp

Filesize
240KB

Download
memory/4008-227-0x000000007FFA0000-0x000000007FFDC000-memory.dmp

Filesize
240KB

Download
memory/4008-300-0x00000000027B0000-0x000000000406B000-memory.dmp

Filesize
24.7MB

Download
memory/4008-294-0x0000000002230000-0x0000000002231000-memory.dmp

Filesize
4KB

Download
memory/4008-295-0x00000000022E0000-0x00000000022E1000-memory.dmp

Filesize
4KB

Download
memory/4008-251-0x000000007FDF0000-0x000000007FF9E000-memory.dmp

Filesize
1.7MB

Download
memory/4008-250-0x000000007FDF0000-0x000000007FF9E000-memory.dmp

Filesize
1.7MB

Download
memory/5416-273-0x00007FFC248D0000-0x00007FFC248E0000-memory.dmp

Filesize
64KB

Download
memory/5416-279-0x00007FFC248D0000-0x00007FFC248E0000-memory.dmp

Filesize
64KB

Download
memory/5416-277-0x00007FFC248D0000-0x00007FFC248E0000-memory.dmp

Filesize
64KB

Download
memory/5416-278-0x00007FFC248D0000-0x00007FFC248E0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v16

Replay Monitor

Loading Replay Monitor...

Downloads