blackshades | 82f7b78f2714e2a4f501415969796881b108e0d2b3cd6d70810ef3b713377e74

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
26-01-2025 16:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_37438f7c4ade8f683b35933ff40026f4.exe
Size

503KB
MD5

37438f7c4ade8f683b35933ff40026f4
SHA1

90bb942f3a7205f853b70884aabe98bb413f2e29
SHA256

82f7b78f2714e2a4f501415969796881b108e0d2b3cd6d70810ef3b713377e74
SHA512

baeff0f6e943d98afdc9c1dbc36ae5a21d24bc1f72fadf1ab385ef08fc841f5ec25e914b0a74c0c2336ee84635917fa42fdcd3a984cab51c434aace6cd4368c7
SSDEEP

12288:9HmM3RwBc7MdnpEugZvoM66w/voZphlqdxBKt61MpRj878qhQl:9Gu65dnSh38oZTl4Qqmq7lm

Score

10^/10

blackshades defense_evasion discovery rat trojan upx

Malware Config

Signatures

Blackshades
Blackshades is a remote access trojan with various capabilities.
rat blackshades
Blackshades family
blackshades

Blackshades payload 2 IoCs

resource	yara_rule
behavioral2/memory/1460-14-0x0000000000400000-0x0000000000474000-memory.dmp	family_blackshades
behavioral2/memory/1460-21-0x0000000000400000-0x0000000000474000-memory.dmp	family_blackshades

Modifies firewall policy service 3 TTPs 8 IoCs

defense_evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_37438f7c4ade8f683b35933ff40026f4.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JaffaCakes118_37438f7c4ade8f683b35933ff40026f4.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	JaffaCakes118_37438f7c4ade8f683b35933ff40026f4.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4240 set thread context of 2612	4240	JaffaCakes118_37438f7c4ade8f683b35933ff40026f4.exe	82
PID 2612 set thread context of 1460	2612	JaffaCakes118_37438f7c4ade8f683b35933ff40026f4.exe	83

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2612-3-0x0000000000400000-0x000000000049A000-memory.dmp	upx
behavioral2/memory/2612-6-0x0000000000400000-0x000000000049A000-memory.dmp	upx
behavioral2/memory/2612-7-0x0000000000400000-0x000000000049A000-memory.dmp	upx
behavioral2/memory/2612-8-0x0000000000400000-0x000000000049A000-memory.dmp	upx
behavioral2/memory/1460-10-0x0000000000400000-0x0000000000474000-memory.dmp	upx
behavioral2/memory/1460-12-0x0000000000400000-0x0000000000474000-memory.dmp	upx
behavioral2/memory/2612-13-0x0000000000400000-0x000000000049A000-memory.dmp	upx
behavioral2/memory/1460-14-0x0000000000400000-0x0000000000474000-memory.dmp	upx
behavioral2/memory/1460-21-0x0000000000400000-0x0000000000474000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_37438f7c4ade8f683b35933ff40026f4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_37438f7c4ade8f683b35933ff40026f4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_37438f7c4ade8f683b35933ff40026f4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
2476	reg.exe
760	reg.exe
4160	reg.exe
4280	reg.exe

Suspicious use of AdjustPrivilegeToken 37 IoCs

description	pid	Process
Token: SeDebugPrivilege	4240	JaffaCakes118_37438f7c4ade8f683b35933ff40026f4.exe
Token: 1	1460	JaffaCakes118_37438f7c4ade8f683b35933ff40026f4.exe
Token: SeCreateTokenPrivilege	1460	JaffaCakes118_37438f7c4ade8f683b35933ff40026f4.exe
Token: SeAssignPrimaryTokenPrivilege	1460	JaffaCakes118_37438f7c4ade8f683b35933ff40026f4.exe
Token: SeLockMemoryPrivilege	1460	JaffaCakes118_37438f7c4ade8f683b35933ff40026f4.exe
Token: SeIncreaseQuotaPrivilege	1460	JaffaCakes118_37438f7c4ade8f683b35933ff40026f4.exe
Token: SeMachineAccountPrivilege	1460	JaffaCakes118_37438f7c4ade8f683b35933ff40026f4.exe
Token: SeTcbPrivilege	1460	JaffaCakes118_37438f7c4ade8f683b35933ff40026f4.exe
Token: SeSecurityPrivilege	1460	JaffaCakes118_37438f7c4ade8f683b35933ff40026f4.exe
Token: SeTakeOwnershipPrivilege	1460	JaffaCakes118_37438f7c4ade8f683b35933ff40026f4.exe
Token: SeLoadDriverPrivilege	1460	JaffaCakes118_37438f7c4ade8f683b35933ff40026f4.exe
Token: SeSystemProfilePrivilege	1460	JaffaCakes118_37438f7c4ade8f683b35933ff40026f4.exe
Token: SeSystemtimePrivilege	1460	JaffaCakes118_37438f7c4ade8f683b35933ff40026f4.exe
Token: SeProfSingleProcessPrivilege	1460	JaffaCakes118_37438f7c4ade8f683b35933ff40026f4.exe
Token: SeIncBasePriorityPrivilege	1460	JaffaCakes118_37438f7c4ade8f683b35933ff40026f4.exe
Token: SeCreatePagefilePrivilege	1460	JaffaCakes118_37438f7c4ade8f683b35933ff40026f4.exe
Token: SeCreatePermanentPrivilege	1460	JaffaCakes118_37438f7c4ade8f683b35933ff40026f4.exe
Token: SeBackupPrivilege	1460	JaffaCakes118_37438f7c4ade8f683b35933ff40026f4.exe
Token: SeRestorePrivilege	1460	JaffaCakes118_37438f7c4ade8f683b35933ff40026f4.exe
Token: SeShutdownPrivilege	1460	JaffaCakes118_37438f7c4ade8f683b35933ff40026f4.exe
Token: SeDebugPrivilege	1460	JaffaCakes118_37438f7c4ade8f683b35933ff40026f4.exe
Token: SeAuditPrivilege	1460	JaffaCakes118_37438f7c4ade8f683b35933ff40026f4.exe
Token: SeSystemEnvironmentPrivilege	1460	JaffaCakes118_37438f7c4ade8f683b35933ff40026f4.exe
Token: SeChangeNotifyPrivilege	1460	JaffaCakes118_37438f7c4ade8f683b35933ff40026f4.exe
Token: SeRemoteShutdownPrivilege	1460	JaffaCakes118_37438f7c4ade8f683b35933ff40026f4.exe
Token: SeUndockPrivilege	1460	JaffaCakes118_37438f7c4ade8f683b35933ff40026f4.exe
Token: SeSyncAgentPrivilege	1460	JaffaCakes118_37438f7c4ade8f683b35933ff40026f4.exe
Token: SeEnableDelegationPrivilege	1460	JaffaCakes118_37438f7c4ade8f683b35933ff40026f4.exe
Token: SeManageVolumePrivilege	1460	JaffaCakes118_37438f7c4ade8f683b35933ff40026f4.exe
Token: SeImpersonatePrivilege	1460	JaffaCakes118_37438f7c4ade8f683b35933ff40026f4.exe
Token: SeCreateGlobalPrivilege	1460	JaffaCakes118_37438f7c4ade8f683b35933ff40026f4.exe
Token: 31	1460	JaffaCakes118_37438f7c4ade8f683b35933ff40026f4.exe
Token: 32	1460	JaffaCakes118_37438f7c4ade8f683b35933ff40026f4.exe
Token: 33	1460	JaffaCakes118_37438f7c4ade8f683b35933ff40026f4.exe
Token: 34	1460	JaffaCakes118_37438f7c4ade8f683b35933ff40026f4.exe
Token: 35	1460	JaffaCakes118_37438f7c4ade8f683b35933ff40026f4.exe
Token: SeDebugPrivilege	1460	JaffaCakes118_37438f7c4ade8f683b35933ff40026f4.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1460	JaffaCakes118_37438f7c4ade8f683b35933ff40026f4.exe
1460	JaffaCakes118_37438f7c4ade8f683b35933ff40026f4.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 4240 wrote to memory of 2612	4240	JaffaCakes118_37438f7c4ade8f683b35933ff40026f4.exe	82
PID 4240 wrote to memory of 2612	4240	JaffaCakes118_37438f7c4ade8f683b35933ff40026f4.exe	82
PID 4240 wrote to memory of 2612	4240	JaffaCakes118_37438f7c4ade8f683b35933ff40026f4.exe	82
PID 4240 wrote to memory of 2612	4240	JaffaCakes118_37438f7c4ade8f683b35933ff40026f4.exe	82
PID 4240 wrote to memory of 2612	4240	JaffaCakes118_37438f7c4ade8f683b35933ff40026f4.exe	82
PID 4240 wrote to memory of 2612	4240	JaffaCakes118_37438f7c4ade8f683b35933ff40026f4.exe	82
PID 4240 wrote to memory of 2612	4240	JaffaCakes118_37438f7c4ade8f683b35933ff40026f4.exe	82
PID 4240 wrote to memory of 2612	4240	JaffaCakes118_37438f7c4ade8f683b35933ff40026f4.exe	82
PID 2612 wrote to memory of 1460	2612	JaffaCakes118_37438f7c4ade8f683b35933ff40026f4.exe	83
PID 2612 wrote to memory of 1460	2612	JaffaCakes118_37438f7c4ade8f683b35933ff40026f4.exe	83
PID 2612 wrote to memory of 1460	2612	JaffaCakes118_37438f7c4ade8f683b35933ff40026f4.exe	83
PID 2612 wrote to memory of 1460	2612	JaffaCakes118_37438f7c4ade8f683b35933ff40026f4.exe	83
PID 2612 wrote to memory of 1460	2612	JaffaCakes118_37438f7c4ade8f683b35933ff40026f4.exe	83
PID 2612 wrote to memory of 1460	2612	JaffaCakes118_37438f7c4ade8f683b35933ff40026f4.exe	83
PID 2612 wrote to memory of 1460	2612	JaffaCakes118_37438f7c4ade8f683b35933ff40026f4.exe	83
PID 2612 wrote to memory of 1460	2612	JaffaCakes118_37438f7c4ade8f683b35933ff40026f4.exe	83
PID 2612 wrote to memory of 1460	2612	JaffaCakes118_37438f7c4ade8f683b35933ff40026f4.exe	83
PID 2612 wrote to memory of 1460	2612	JaffaCakes118_37438f7c4ade8f683b35933ff40026f4.exe	83
PID 1460 wrote to memory of 4344	1460	JaffaCakes118_37438f7c4ade8f683b35933ff40026f4.exe	84
PID 1460 wrote to memory of 4344	1460	JaffaCakes118_37438f7c4ade8f683b35933ff40026f4.exe	84
PID 1460 wrote to memory of 4344	1460	JaffaCakes118_37438f7c4ade8f683b35933ff40026f4.exe	84
PID 1460 wrote to memory of 4856	1460	JaffaCakes118_37438f7c4ade8f683b35933ff40026f4.exe	85
PID 1460 wrote to memory of 4856	1460	JaffaCakes118_37438f7c4ade8f683b35933ff40026f4.exe	85
PID 1460 wrote to memory of 4856	1460	JaffaCakes118_37438f7c4ade8f683b35933ff40026f4.exe	85
PID 1460 wrote to memory of 1984	1460	JaffaCakes118_37438f7c4ade8f683b35933ff40026f4.exe	86
PID 1460 wrote to memory of 1984	1460	JaffaCakes118_37438f7c4ade8f683b35933ff40026f4.exe	86
PID 1460 wrote to memory of 1984	1460	JaffaCakes118_37438f7c4ade8f683b35933ff40026f4.exe	86
PID 1460 wrote to memory of 2484	1460	JaffaCakes118_37438f7c4ade8f683b35933ff40026f4.exe	87
PID 1460 wrote to memory of 2484	1460	JaffaCakes118_37438f7c4ade8f683b35933ff40026f4.exe	87
PID 1460 wrote to memory of 2484	1460	JaffaCakes118_37438f7c4ade8f683b35933ff40026f4.exe	87
PID 4856 wrote to memory of 4160	4856	cmd.exe	92
PID 4856 wrote to memory of 4160	4856	cmd.exe	92
PID 4856 wrote to memory of 4160	4856	cmd.exe	92
PID 1984 wrote to memory of 4280	1984	cmd.exe	94
PID 1984 wrote to memory of 4280	1984	cmd.exe	94
PID 1984 wrote to memory of 4280	1984	cmd.exe	94
PID 4344 wrote to memory of 2476	4344	cmd.exe	93
PID 4344 wrote to memory of 2476	4344	cmd.exe	93
PID 4344 wrote to memory of 2476	4344	cmd.exe	93
PID 2484 wrote to memory of 760	2484	cmd.exe	95
PID 2484 wrote to memory of 760	2484	cmd.exe	95
PID 2484 wrote to memory of 760	2484	cmd.exe	95

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_37438f7c4ade8f683b35933ff40026f4.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_37438f7c4ade8f683b35933ff40026f4.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4240
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_37438f7c4ade8f683b35933ff40026f4.exe
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_37438f7c4ade8f683b35933ff40026f4.exe"
  2⤵
  - Checks whether UAC is enabled
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2612
- - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_37438f7c4ade8f683b35933ff40026f4.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_37438f7c4ade8f683b35933ff40026f4.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1460
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4344
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        5⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2476
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_37438f7c4ade8f683b35933ff40026f4.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_37438f7c4ade8f683b35933ff40026f4.exe:*:Enabled:Windows Messanger" /f
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4856
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_37438f7c4ade8f683b35933ff40026f4.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_37438f7c4ade8f683b35933ff40026f4.exe:*:Enabled:Windows Messanger" /f
        5⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:4160
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1984
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        5⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:4280
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\:*:Enabled:Windows Messanger" /f
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2484
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\:*:Enabled:Windows Messanger" /f
        5⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\data.dat

Filesize
33B

MD5
9ffd07e8518e5ec773e578939236b868

SHA1
e67a85886586d49ea50b244f7cbd96d5c57589ec

SHA256
5c0b28022b6b9a76829c948ca75210b7af64566ac79407622014ad2b370c848a

SHA512
561faf34a70e18db78b5ad9273e8dff83e6cc67f254c68253d1d6789c8665d3681a57dd42d4e7e3d7051df3b176a5a7bdfe17a59f51cbcd05170bdb90c28d49d

Download Submit
memory/1460-18-0x0000000077431000-0x0000000077432000-memory.dmp

Filesize
4KB

Download
memory/1460-19-0x0000000077410000-0x0000000077500000-memory.dmp

Filesize
960KB

Download
memory/1460-12-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/1460-14-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/1460-25-0x0000000077410000-0x0000000077500000-memory.dmp

Filesize
960KB

Download
memory/1460-22-0x0000000077410000-0x0000000077500000-memory.dmp

Filesize
960KB

Download
memory/1460-21-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/1460-10-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/1460-20-0x0000000077410000-0x0000000077500000-memory.dmp

Filesize
960KB

Download
memory/2612-8-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/2612-6-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/2612-3-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/2612-7-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/2612-13-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/4240-0-0x0000000074CF2000-0x0000000074CF3000-memory.dmp

Filesize
4KB

Download
memory/4240-1-0x0000000074CF0000-0x00000000752A1000-memory.dmp

Filesize
5.7MB

Download
memory/4240-9-0x0000000074CF0000-0x00000000752A1000-memory.dmp

Filesize
5.7MB

Download
memory/4240-2-0x0000000074CF0000-0x00000000752A1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads