blacknet | 97ac2f7c9ff8e79aa217a8bac22bc9575cecb39bc87bcd753d428c56ea4899c9

General

Target

c77e5db3244e658843f06ae2e61ad95f.exe
Size

133KB
MD5

c77e5db3244e658843f06ae2e61ad95f
SHA1

5bcf4c83cd1218db713c1be89369e368c6c0f115
SHA256

97ac2f7c9ff8e79aa217a8bac22bc9575cecb39bc87bcd753d428c56ea4899c9
SHA512

0d62eaaf493e840d4fe0c96cde1d8d1c76377789c1e99817426e39d16573a4a8de722d3c337a100e2a3c74bea7f1d89e5e494b0587b4c6114eb33b8b0c31d339
SSDEEP

3072:BI7KpEaKA2L22xYWVVz8pWzWpBZ7ubozFyTO1wbCl9fGJu:u7kKAhI8pWzWpB0boQMZGJ

Score

10^/10

blacknet ec evasion persistence trojan

Malware Config

Extracted

Family

blacknet

Botnet

ec

C2

NriE0EakUiK+22Ai4N6Othh0De1s55kV0+sFoXChkQhcVCI2dUu3XGlBV5pu/x/cmJ/BByQIf9PqFghM2sWKP07Iz1Om2nFj+5Ad12ZaY4I9PtWNNix+MC57LiawhMvDUqvUZ0D9AMzT8Ml3Nn9NF/VG4jr2jwHli/295QeYGFGuN7RO/IqZPFblPfaRqq3BNeE7xgdHFMHJVcwvHA4s0oso3I6avTLaxL57NqpSPVJhEZ1yPk4qQWERPXxXoS+1Wp4lQUuVgRpkdjgjhF3IjONn1RIO+3lwJvDoUCLTzG1IxQGrYB+xHSLQ6jCzByfdvDqCc0Jpf0uylVa3q6zmPQ==

Mutex

BN[UfwxTUeC-7463479]

Attributes

antivm
false
elevate_uac
true
install_name
WindowsUpdate.exe
splitter
|BN|
start_name
cde2f914e4cce7f13b2c1cec7b6da970
startup
false
usb_spread
true

Signatures

BlackNET
BlackNET is an open source remote access tool written in VB.NET.
trojan blacknet

BlackNET payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\WindowsUpdate.exe	family_blacknet
C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\WindowsUpdate.exe	family_blacknet

Contains code to disable Windows Defender 2 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\WindowsUpdate.exe	disable_win_def
C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\WindowsUpdate.exe	disable_win_def

Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

c77e5db3244e658843f06ae2e61ad95f.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	c77e5db3244e658843f06ae2e61ad95f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	c77e5db3244e658843f06ae2e61ad95f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	c77e5db3244e658843f06ae2e61ad95f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	c77e5db3244e658843f06ae2e61ad95f.exe

Executes dropped EXE 2 IoCs

Processes:

WindowsUpdate.exesvchosts.exe

pid process

1684 WindowsUpdate.exe
1692 svchosts.exe

pid	process
1684	WindowsUpdate.exe
1692	svchosts.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

c77e5db3244e658843f06ae2e61ad95f.exeWindowsUpdate.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features	c77e5db3244e658843f06ae2e61ad95f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features	WindowsUpdate.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

c77e5db3244e658843f06ae2e61ad95f.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\cde2f914e4cce7f13b2c1cec7b6da970 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\MyClient\\WindowsUpdate.exe"	c77e5db3244e658843f06ae2e61ad95f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1252 schtasks.exe

pid	process
1252	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

c77e5db3244e658843f06ae2e61ad95f.exe

pid	process
1784	c77e5db3244e658843f06ae2e61ad95f.exe
1784	c77e5db3244e658843f06ae2e61ad95f.exe
1784	c77e5db3244e658843f06ae2e61ad95f.exe
1784	c77e5db3244e658843f06ae2e61ad95f.exe
1784	c77e5db3244e658843f06ae2e61ad95f.exe
1784	c77e5db3244e658843f06ae2e61ad95f.exe
1784	c77e5db3244e658843f06ae2e61ad95f.exe
1784	c77e5db3244e658843f06ae2e61ad95f.exe
1784	c77e5db3244e658843f06ae2e61ad95f.exe
1784	c77e5db3244e658843f06ae2e61ad95f.exe
1784	c77e5db3244e658843f06ae2e61ad95f.exe
1784	c77e5db3244e658843f06ae2e61ad95f.exe
1784	c77e5db3244e658843f06ae2e61ad95f.exe
1784	c77e5db3244e658843f06ae2e61ad95f.exe
1784	c77e5db3244e658843f06ae2e61ad95f.exe
1784	c77e5db3244e658843f06ae2e61ad95f.exe
1784	c77e5db3244e658843f06ae2e61ad95f.exe
1784	c77e5db3244e658843f06ae2e61ad95f.exe
1784	c77e5db3244e658843f06ae2e61ad95f.exe
1784	c77e5db3244e658843f06ae2e61ad95f.exe
1784	c77e5db3244e658843f06ae2e61ad95f.exe
1784	c77e5db3244e658843f06ae2e61ad95f.exe
1784	c77e5db3244e658843f06ae2e61ad95f.exe
1784	c77e5db3244e658843f06ae2e61ad95f.exe
1784	c77e5db3244e658843f06ae2e61ad95f.exe
1784	c77e5db3244e658843f06ae2e61ad95f.exe
1784	c77e5db3244e658843f06ae2e61ad95f.exe
1784	c77e5db3244e658843f06ae2e61ad95f.exe
1784	c77e5db3244e658843f06ae2e61ad95f.exe
1784	c77e5db3244e658843f06ae2e61ad95f.exe
1784	c77e5db3244e658843f06ae2e61ad95f.exe
1784	c77e5db3244e658843f06ae2e61ad95f.exe
1784	c77e5db3244e658843f06ae2e61ad95f.exe
1784	c77e5db3244e658843f06ae2e61ad95f.exe
1784	c77e5db3244e658843f06ae2e61ad95f.exe
1784	c77e5db3244e658843f06ae2e61ad95f.exe
1784	c77e5db3244e658843f06ae2e61ad95f.exe
1784	c77e5db3244e658843f06ae2e61ad95f.exe
1784	c77e5db3244e658843f06ae2e61ad95f.exe
1784	c77e5db3244e658843f06ae2e61ad95f.exe
1784	c77e5db3244e658843f06ae2e61ad95f.exe
1784	c77e5db3244e658843f06ae2e61ad95f.exe
1784	c77e5db3244e658843f06ae2e61ad95f.exe
1784	c77e5db3244e658843f06ae2e61ad95f.exe
1784	c77e5db3244e658843f06ae2e61ad95f.exe
1784	c77e5db3244e658843f06ae2e61ad95f.exe
1784	c77e5db3244e658843f06ae2e61ad95f.exe
1784	c77e5db3244e658843f06ae2e61ad95f.exe
1784	c77e5db3244e658843f06ae2e61ad95f.exe
1784	c77e5db3244e658843f06ae2e61ad95f.exe
1784	c77e5db3244e658843f06ae2e61ad95f.exe
1784	c77e5db3244e658843f06ae2e61ad95f.exe
1784	c77e5db3244e658843f06ae2e61ad95f.exe
1784	c77e5db3244e658843f06ae2e61ad95f.exe
1784	c77e5db3244e658843f06ae2e61ad95f.exe
1784	c77e5db3244e658843f06ae2e61ad95f.exe
1784	c77e5db3244e658843f06ae2e61ad95f.exe
1784	c77e5db3244e658843f06ae2e61ad95f.exe
1784	c77e5db3244e658843f06ae2e61ad95f.exe
1784	c77e5db3244e658843f06ae2e61ad95f.exe
1784	c77e5db3244e658843f06ae2e61ad95f.exe
1784	c77e5db3244e658843f06ae2e61ad95f.exe
1784	c77e5db3244e658843f06ae2e61ad95f.exe
1784	c77e5db3244e658843f06ae2e61ad95f.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

c77e5db3244e658843f06ae2e61ad95f.exepowershell.exeWindowsUpdate.exepowershell.exesvchosts.exe

description	pid	process
Token: SeDebugPrivilege	1784	c77e5db3244e658843f06ae2e61ad95f.exe
Token: SeDebugPrivilege	1900	powershell.exe
Token: SeDebugPrivilege	1684	WindowsUpdate.exe
Token: SeDebugPrivilege	1936	powershell.exe
Token: SeDebugPrivilege	1692	svchosts.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

c77e5db3244e658843f06ae2e61ad95f.exeWindowsUpdate.exe

description	pid	process	target process
PID 1784 wrote to memory of 1900	1784	c77e5db3244e658843f06ae2e61ad95f.exe	powershell.exe
PID 1784 wrote to memory of 1900	1784	c77e5db3244e658843f06ae2e61ad95f.exe	powershell.exe
PID 1784 wrote to memory of 1900	1784	c77e5db3244e658843f06ae2e61ad95f.exe	powershell.exe
PID 1784 wrote to memory of 1684	1784	c77e5db3244e658843f06ae2e61ad95f.exe	WindowsUpdate.exe
PID 1784 wrote to memory of 1684	1784	c77e5db3244e658843f06ae2e61ad95f.exe	WindowsUpdate.exe
PID 1784 wrote to memory of 1684	1784	c77e5db3244e658843f06ae2e61ad95f.exe	WindowsUpdate.exe
PID 1684 wrote to memory of 1936	1684	WindowsUpdate.exe	powershell.exe
PID 1684 wrote to memory of 1936	1684	WindowsUpdate.exe	powershell.exe
PID 1684 wrote to memory of 1936	1684	WindowsUpdate.exe	powershell.exe
PID 1684 wrote to memory of 1252	1684	WindowsUpdate.exe	schtasks.exe
PID 1684 wrote to memory of 1252	1684	WindowsUpdate.exe	schtasks.exe
PID 1684 wrote to memory of 1252	1684	WindowsUpdate.exe	schtasks.exe
PID 1684 wrote to memory of 1692	1684	WindowsUpdate.exe	svchosts.exe
PID 1684 wrote to memory of 1692	1684	WindowsUpdate.exe	svchosts.exe
PID 1684 wrote to memory of 1692	1684	WindowsUpdate.exe	svchosts.exe

C:\Users\Admin\AppData\Local\Temp\c77e5db3244e658843f06ae2e61ad95f.exe
"C:\Users\Admin\AppData\Local\Temp\c77e5db3244e658843f06ae2e61ad95f.exe"
1⤵
- Modifies Windows Defender Real-time Protection settings
- Windows security modification
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1784

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" Get-MpPreference -verbose
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1900

C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\WindowsUpdate.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\WindowsUpdate.exe"
2⤵
- Executes dropped EXE
- Windows security modification
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1684

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" Get-MpPreference -verbose
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1936

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /sc ONSTART /RL HIGHEST /tn "'WindowsUpdate"' /tr "'C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe"'
3⤵
- Creates scheduled task(s)
PID:1252

C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\svchosts.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\svchosts.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1692

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

3

T1112

Disabling Security Tools

2

T1089

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\WindowsUpdate.exe
Filesize
133KB

MD5
c77e5db3244e658843f06ae2e61ad95f

SHA1
5bcf4c83cd1218db713c1be89369e368c6c0f115

SHA256
97ac2f7c9ff8e79aa217a8bac22bc9575cecb39bc87bcd753d428c56ea4899c9

SHA512
0d62eaaf493e840d4fe0c96cde1d8d1c76377789c1e99817426e39d16573a4a8de722d3c337a100e2a3c74bea7f1d89e5e494b0587b4c6114eb33b8b0c31d339

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\WindowsUpdate.exe
Filesize
133KB

MD5
c77e5db3244e658843f06ae2e61ad95f

SHA1
5bcf4c83cd1218db713c1be89369e368c6c0f115

SHA256
97ac2f7c9ff8e79aa217a8bac22bc9575cecb39bc87bcd753d428c56ea4899c9

SHA512
0d62eaaf493e840d4fe0c96cde1d8d1c76377789c1e99817426e39d16573a4a8de722d3c337a100e2a3c74bea7f1d89e5e494b0587b4c6114eb33b8b0c31d339

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\svchosts.exe
Filesize
18KB

MD5
d133d370c3858c9811e70f95d554d2c6

SHA1
bb09b1253ce571a49b76951283883a3499588295

SHA256
87a1711030512dd414bcbab0659a2b51c0c16505bd8a068a282a1cc2c9fdf93b

SHA512
db4d41fca43e496b2b0d8d47d936a9ce204e3b6c4c669a8a9810362776a977b5337359b843fcd1d20004455d2c91f9790b3accb5352f4e55ec53c7e5d359d778

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\svchosts.exe
Filesize
18KB

MD5
d133d370c3858c9811e70f95d554d2c6

SHA1
bb09b1253ce571a49b76951283883a3499588295

SHA256
87a1711030512dd414bcbab0659a2b51c0c16505bd8a068a282a1cc2c9fdf93b

SHA512
db4d41fca43e496b2b0d8d47d936a9ce204e3b6c4c669a8a9810362776a977b5337359b843fcd1d20004455d2c91f9790b3accb5352f4e55ec53c7e5d359d778

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
1378e490c0b7f5dc9b4fd534087d0ec5

SHA1
9788733cf9cdc02a3769f01beead8b796bcf36fa

SHA256
23c9f5fbef6181200f2b3f9ead32efc9fa2aae211b881d89dba047c12641b2b8

SHA512
ab62063146a9c09ff9ebfcc79fbda8797d2d0454cd38e229920706fe9c142b1f704b0c4253c9974f98836389ffcb60e41d56785282ee1f6beb7f1c0a71c72a07

Download Submit
memory/1252-81-0x0000000000000000-mapping.dmp

Download
memory/1684-108-0x0000000001FE6000-0x0000000001FE9000-memory.dmp

Filesize
12KB

Download
memory/1684-112-0x0000000001FB6000-0x0000000001FD5000-memory.dmp

Filesize
124KB

Download
memory/1684-62-0x000007FEF40A0000-0x000007FEF4AC3000-memory.dmp

Filesize
10.1MB

Download
memory/1684-116-0x0000000001FFB000-0x0000000001FFF000-memory.dmp

Filesize
16KB

Download
memory/1684-123-0x000000001D319000-0x000000001D321000-memory.dmp

Filesize
32KB

Download
memory/1684-93-0x0000000002003000-0x0000000002007000-memory.dmp

Filesize
16KB

Download
memory/1684-121-0x0000000002027000-0x0000000002030000-memory.dmp

Filesize
36KB

Download
memory/1684-120-0x000000000201F000-0x0000000002027000-memory.dmp

Filesize
32KB

Download
memory/1684-119-0x0000000002017000-0x000000000201F000-memory.dmp

Filesize
32KB

Download
memory/1684-118-0x0000000002013000-0x0000000002017000-memory.dmp

Filesize
16KB

Download
memory/1684-72-0x0000000001FB6000-0x0000000001FD5000-memory.dmp

Filesize
124KB

Download
memory/1684-117-0x0000000001FFF000-0x0000000002003000-memory.dmp

Filesize
16KB

Download
memory/1684-115-0x0000000001FF7000-0x0000000001FFB000-memory.dmp

Filesize
16KB

Download
memory/1684-94-0x0000000002007000-0x000000000200B000-memory.dmp

Filesize
16KB

Download
memory/1684-65-0x000007FEF3000000-0x000007FEF4096000-memory.dmp

Filesize
16.6MB

Download
memory/1684-114-0x0000000002007000-0x000000000200B000-memory.dmp

Filesize
16KB

Download
memory/1684-113-0x0000000002003000-0x0000000002007000-memory.dmp

Filesize
16KB

Download
memory/1684-97-0x000000000200F000-0x0000000002013000-memory.dmp

Filesize
16KB

Download
memory/1684-109-0x0000000001FD6000-0x0000000001FD9000-memory.dmp

Filesize
12KB

Download
memory/1684-58-0x0000000000000000-mapping.dmp

Download
memory/1684-106-0x000000001D339000-0x000000001D349000-memory.dmp

Filesize
64KB

Download
memory/1684-105-0x000000001D331000-0x000000001D339000-memory.dmp

Filesize
32KB

Download
memory/1684-104-0x000000001D329000-0x000000001D331000-memory.dmp

Filesize
32KB

Download
memory/1684-103-0x000000001D321000-0x000000001D329000-memory.dmp

Filesize
32KB

Download
memory/1684-102-0x000000001D319000-0x000000001D321000-memory.dmp

Filesize
32KB

Download
memory/1684-101-0x000000001D310000-0x000000001D319000-memory.dmp

Filesize
36KB

Download
memory/1684-100-0x0000000002027000-0x0000000002030000-memory.dmp

Filesize
36KB

Download
memory/1684-88-0x0000000001FF7000-0x0000000001FFB000-memory.dmp

Filesize
16KB

Download
memory/1684-90-0x0000000001FFB000-0x0000000001FFF000-memory.dmp

Filesize
16KB

Download
memory/1684-99-0x000000000201F000-0x0000000002027000-memory.dmp

Filesize
32KB

Download
memory/1684-92-0x0000000001FFF000-0x0000000002003000-memory.dmp

Filesize
16KB

Download
memory/1684-122-0x000000001D310000-0x000000001D319000-memory.dmp

Filesize
36KB

Download
memory/1684-98-0x0000000002017000-0x000000000201F000-memory.dmp

Filesize
32KB

Download
memory/1684-96-0x000000000200B000-0x000000000200F000-memory.dmp

Filesize
16KB

Download
memory/1692-107-0x0000000000B46000-0x0000000000B65000-memory.dmp

Filesize
124KB

Download
memory/1692-87-0x000007FEF40A0000-0x000007FEF4AC3000-memory.dmp

Filesize
10.1MB

Download
memory/1692-84-0x0000000000000000-mapping.dmp

Download
memory/1692-91-0x000007FEF3000000-0x000007FEF4096000-memory.dmp

Filesize
16.6MB

Download
memory/1784-75-0x0000000000A2F000-0x0000000000A33000-memory.dmp

Filesize
16KB

Download
memory/1784-74-0x0000000000A2B000-0x0000000000A2F000-memory.dmp

Filesize
16KB

Download
memory/1784-56-0x00000000009C6000-0x00000000009E5000-memory.dmp

Filesize
124KB

Download
memory/1784-68-0x0000000000A1B000-0x0000000000A1F000-memory.dmp

Filesize
16KB

Download
memory/1784-64-0x00000000009C6000-0x00000000009E5000-memory.dmp

Filesize
124KB

Download
memory/1784-55-0x000007FEF3000000-0x000007FEF4096000-memory.dmp

Filesize
16.6MB

Download
memory/1784-71-0x0000000000A23000-0x0000000000A27000-memory.dmp

Filesize
16KB

Download
memory/1784-69-0x0000000000A1F000-0x0000000000A23000-memory.dmp

Filesize
16KB

Download
memory/1784-54-0x000007FEF40A0000-0x000007FEF4AC3000-memory.dmp

Filesize
10.1MB

Download
memory/1784-66-0x0000000000A17000-0x0000000000A1B000-memory.dmp

Filesize
16KB

Download
memory/1784-73-0x0000000000A27000-0x0000000000A2B000-memory.dmp

Filesize
16KB

Download
memory/1900-63-0x000007FEF40A0000-0x000007FEF4AC3000-memory.dmp

Filesize
10.1MB

Download
memory/1900-70-0x00000000025E4000-0x00000000025E7000-memory.dmp

Filesize
12KB

Download
memory/1900-77-0x00000000025EB000-0x000000000260A000-memory.dmp

Filesize
124KB

Download
memory/1900-76-0x00000000025E4000-0x00000000025E7000-memory.dmp

Filesize
12KB

Download
memory/1900-67-0x000007FEEEDB0000-0x000007FEEF90D000-memory.dmp

Filesize
11.4MB

Download
memory/1900-59-0x000007FEFC421000-0x000007FEFC423000-memory.dmp

Filesize
8KB

Download
memory/1900-57-0x0000000000000000-mapping.dmp

Download
memory/1936-83-0x000007FEEE250000-0x000007FEEEDAD000-memory.dmp

Filesize
11.4MB

Download
memory/1936-111-0x000000000248B000-0x00000000024AA000-memory.dmp

Filesize
124KB

Download
memory/1936-110-0x0000000002484000-0x0000000002487000-memory.dmp

Filesize
12KB

Download
memory/1936-89-0x000000001B730000-0x000000001BA2F000-memory.dmp

Filesize
3.0MB

Download
memory/1936-78-0x0000000000000000-mapping.dmp

Download
memory/1936-82-0x000007FEF40A0000-0x000007FEF4AC3000-memory.dmp

Filesize
10.1MB

Download
memory/1936-95-0x0000000002484000-0x0000000002487000-memory.dmp

Filesize
12KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads