blackshades | 6581e844b0f7815000ae606d4bddbb3fdc76a2f3e3d241a5ec26af51acf451b3

Analysis

max time kernel
148s
max time network
147s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
04-02-2025 08:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_91e0a030c52a77bd0a98fbb99c1fc442.exe
Size

599KB
MD5

91e0a030c52a77bd0a98fbb99c1fc442
SHA1

04876d7e31747d7656ef1a7b1e6d1149dd124a7f
SHA256

6581e844b0f7815000ae606d4bddbb3fdc76a2f3e3d241a5ec26af51acf451b3
SHA512

191726d4f0bd9092f02f11ed2c6cc4a66eb8286ba06e605cdb740b54271dfd45571aa7844398e988f245bed6598f65e2d888ad1d987b77c9c182c85a46bdda64
SSDEEP

12288:m7XHz04jEPWJJijIuLjXFMQ9Gy8Kc/jfkfZGQQbD4w3y:m73KPWJJAIYXGQwT/jfkfoQQfF

Score

10^/10

blackshades defense_evasion discovery persistence rat

Malware Config

Signatures

Blackshades
Blackshades is a remote access trojan with various capabilities.
rat blackshades
Blackshades family
blackshades

Blackshades payload 11 IoCs

resource	yara_rule
behavioral1/memory/2372-31-0x0000000000400000-0x0000000000478000-memory.dmp	family_blackshades
behavioral1/memory/2372-28-0x0000000000400000-0x0000000000478000-memory.dmp	family_blackshades
behavioral1/memory/2372-43-0x0000000000400000-0x0000000000478000-memory.dmp	family_blackshades
behavioral1/memory/2372-44-0x0000000000400000-0x0000000000478000-memory.dmp	family_blackshades
behavioral1/memory/2372-46-0x0000000000400000-0x0000000000478000-memory.dmp	family_blackshades
behavioral1/memory/2372-47-0x0000000000400000-0x0000000000478000-memory.dmp	family_blackshades
behavioral1/memory/2372-48-0x0000000000400000-0x0000000000478000-memory.dmp	family_blackshades
behavioral1/memory/2372-51-0x0000000000400000-0x0000000000478000-memory.dmp	family_blackshades
behavioral1/memory/2372-52-0x0000000000400000-0x0000000000478000-memory.dmp	family_blackshades
behavioral1/memory/2372-55-0x0000000000400000-0x0000000000478000-memory.dmp	family_blackshades
behavioral1/memory/2372-59-0x0000000000400000-0x0000000000478000-memory.dmp	family_blackshades

Modifies firewall policy service 3 TTPs 8 IoCs

defense_evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\smss.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\smss.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\bot.exe = "C:\\Users\\Admin\\AppData\\Roaming\\bot.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe

Executes dropped EXE 2 IoCs

pid	Process
2676	ռƈƍӂƋ.exe
2372	smss.exe

Loads dropped DLL 3 IoCs

pid	Process
1696	JaffaCakes118_91e0a030c52a77bd0a98fbb99c1fc442.exe
1696	JaffaCakes118_91e0a030c52a77bd0a98fbb99c1fc442.exe
1696	JaffaCakes118_91e0a030c52a77bd0a98fbb99c1fc442.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wsctfy.exe"	ռƈƍӂƋ.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1696 set thread context of 2372	1696	JaffaCakes118_91e0a030c52a77bd0a98fbb99c1fc442.exe	35

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_91e0a030c52a77bd0a98fbb99c1fc442.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ռƈƍӂƋ.exe

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
2548	reg.exe
2504	reg.exe
3044	reg.exe
3000	reg.exe

Suspicious use of AdjustPrivilegeToken 36 IoCs

description	pid	Process
Token: SeDebugPrivilege	1696	JaffaCakes118_91e0a030c52a77bd0a98fbb99c1fc442.exe
Token: 1	2372	smss.exe
Token: SeCreateTokenPrivilege	2372	smss.exe
Token: SeAssignPrimaryTokenPrivilege	2372	smss.exe
Token: SeLockMemoryPrivilege	2372	smss.exe
Token: SeIncreaseQuotaPrivilege	2372	smss.exe
Token: SeMachineAccountPrivilege	2372	smss.exe
Token: SeTcbPrivilege	2372	smss.exe
Token: SeSecurityPrivilege	2372	smss.exe
Token: SeTakeOwnershipPrivilege	2372	smss.exe
Token: SeLoadDriverPrivilege	2372	smss.exe
Token: SeSystemProfilePrivilege	2372	smss.exe
Token: SeSystemtimePrivilege	2372	smss.exe
Token: SeProfSingleProcessPrivilege	2372	smss.exe
Token: SeIncBasePriorityPrivilege	2372	smss.exe
Token: SeCreatePagefilePrivilege	2372	smss.exe
Token: SeCreatePermanentPrivilege	2372	smss.exe
Token: SeBackupPrivilege	2372	smss.exe
Token: SeRestorePrivilege	2372	smss.exe
Token: SeShutdownPrivilege	2372	smss.exe
Token: SeDebugPrivilege	2372	smss.exe
Token: SeAuditPrivilege	2372	smss.exe
Token: SeSystemEnvironmentPrivilege	2372	smss.exe
Token: SeChangeNotifyPrivilege	2372	smss.exe
Token: SeRemoteShutdownPrivilege	2372	smss.exe
Token: SeUndockPrivilege	2372	smss.exe
Token: SeSyncAgentPrivilege	2372	smss.exe
Token: SeEnableDelegationPrivilege	2372	smss.exe
Token: SeManageVolumePrivilege	2372	smss.exe
Token: SeImpersonatePrivilege	2372	smss.exe
Token: SeCreateGlobalPrivilege	2372	smss.exe
Token: 31	2372	smss.exe
Token: 32	2372	smss.exe
Token: 33	2372	smss.exe
Token: 34	2372	smss.exe
Token: 35	2372	smss.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2372	smss.exe
2372	smss.exe
2372	smss.exe
2372	smss.exe

Suspicious use of WriteProcessMemory 52 IoCs

description	pid	Process	procid_target
PID 1696 wrote to memory of 2088	1696	JaffaCakes118_91e0a030c52a77bd0a98fbb99c1fc442.exe	31
PID 1696 wrote to memory of 2088	1696	JaffaCakes118_91e0a030c52a77bd0a98fbb99c1fc442.exe	31
PID 1696 wrote to memory of 2088	1696	JaffaCakes118_91e0a030c52a77bd0a98fbb99c1fc442.exe	31
PID 1696 wrote to memory of 2088	1696	JaffaCakes118_91e0a030c52a77bd0a98fbb99c1fc442.exe	31
PID 2088 wrote to memory of 1164	2088	csc.exe	33
PID 2088 wrote to memory of 1164	2088	csc.exe	33
PID 2088 wrote to memory of 1164	2088	csc.exe	33
PID 2088 wrote to memory of 1164	2088	csc.exe	33
PID 1696 wrote to memory of 2676	1696	JaffaCakes118_91e0a030c52a77bd0a98fbb99c1fc442.exe	34
PID 1696 wrote to memory of 2676	1696	JaffaCakes118_91e0a030c52a77bd0a98fbb99c1fc442.exe	34
PID 1696 wrote to memory of 2676	1696	JaffaCakes118_91e0a030c52a77bd0a98fbb99c1fc442.exe	34
PID 1696 wrote to memory of 2676	1696	JaffaCakes118_91e0a030c52a77bd0a98fbb99c1fc442.exe	34
PID 1696 wrote to memory of 2372	1696	JaffaCakes118_91e0a030c52a77bd0a98fbb99c1fc442.exe	35
PID 1696 wrote to memory of 2372	1696	JaffaCakes118_91e0a030c52a77bd0a98fbb99c1fc442.exe	35
PID 1696 wrote to memory of 2372	1696	JaffaCakes118_91e0a030c52a77bd0a98fbb99c1fc442.exe	35
PID 1696 wrote to memory of 2372	1696	JaffaCakes118_91e0a030c52a77bd0a98fbb99c1fc442.exe	35
PID 1696 wrote to memory of 2372	1696	JaffaCakes118_91e0a030c52a77bd0a98fbb99c1fc442.exe	35
PID 1696 wrote to memory of 2372	1696	JaffaCakes118_91e0a030c52a77bd0a98fbb99c1fc442.exe	35
PID 1696 wrote to memory of 2372	1696	JaffaCakes118_91e0a030c52a77bd0a98fbb99c1fc442.exe	35
PID 1696 wrote to memory of 2372	1696	JaffaCakes118_91e0a030c52a77bd0a98fbb99c1fc442.exe	35
PID 2372 wrote to memory of 2768	2372	smss.exe	36
PID 2372 wrote to memory of 2768	2372	smss.exe	36
PID 2372 wrote to memory of 2768	2372	smss.exe	36
PID 2372 wrote to memory of 2768	2372	smss.exe	36
PID 2372 wrote to memory of 2868	2372	smss.exe	37
PID 2372 wrote to memory of 2868	2372	smss.exe	37
PID 2372 wrote to memory of 2868	2372	smss.exe	37
PID 2372 wrote to memory of 2868	2372	smss.exe	37
PID 2372 wrote to memory of 864	2372	smss.exe	40
PID 2372 wrote to memory of 864	2372	smss.exe	40
PID 2372 wrote to memory of 864	2372	smss.exe	40
PID 2372 wrote to memory of 864	2372	smss.exe	40
PID 2372 wrote to memory of 2584	2372	smss.exe	41
PID 2372 wrote to memory of 2584	2372	smss.exe	41
PID 2372 wrote to memory of 2584	2372	smss.exe	41
PID 2372 wrote to memory of 2584	2372	smss.exe	41
PID 2768 wrote to memory of 2548	2768	cmd.exe	43
PID 2768 wrote to memory of 2548	2768	cmd.exe	43
PID 2768 wrote to memory of 2548	2768	cmd.exe	43
PID 2768 wrote to memory of 2548	2768	cmd.exe	43
PID 864 wrote to memory of 2504	864	cmd.exe	45
PID 864 wrote to memory of 2504	864	cmd.exe	45
PID 864 wrote to memory of 2504	864	cmd.exe	45
PID 864 wrote to memory of 2504	864	cmd.exe	45
PID 2584 wrote to memory of 3000	2584	cmd.exe	46
PID 2584 wrote to memory of 3000	2584	cmd.exe	46
PID 2584 wrote to memory of 3000	2584	cmd.exe	46
PID 2584 wrote to memory of 3000	2584	cmd.exe	46
PID 2868 wrote to memory of 3044	2868	cmd.exe	47
PID 2868 wrote to memory of 3044	2868	cmd.exe	47
PID 2868 wrote to memory of 3044	2868	cmd.exe	47
PID 2868 wrote to memory of 3044	2868	cmd.exe	47

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_91e0a030c52a77bd0a98fbb99c1fc442.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_91e0a030c52a77bd0a98fbb99c1fc442.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1696
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\g9wnhxoh.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2088
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDE30.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCDE2F.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1164
- C:\Users\Admin\AppData\Local\Temp\ռƈƍӂƋ.exe
  "C:\Users\Admin\AppData\Local\Temp\ռƈƍӂƋ.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:2676
- C:\Users\Admin\AppData\Local\Temp\smss.exe
  C:\Users\Admin\AppData\Local\Temp\smss.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2372
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2768
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      4⤵
      Modifies firewall policy service
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:2548
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\smss.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\smss.exe:*:Enabled:Windows Messanger" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2868
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\smss.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\smss.exe:*:Enabled:Windows Messanger" /f
      4⤵
      Modifies firewall policy service
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:3044
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:864
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      4⤵
      Modifies firewall policy service
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:2504
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\bot.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\bot.exe:*:Enabled:Windows Messanger" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2584
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\bot.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\bot.exe:*:Enabled:Windows Messanger" /f
      4⤵
      Modifies firewall policy service
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:3000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESDE30.tmp

Filesize
1KB

MD5
cec46f9f7259e2930fb5ed60c0dc602f

SHA1
6cc2f00df8833a4e51d9561f977f5ec07975d5ab

SHA256
03494da1fd9de921058ebdd6fa050256474e23887b066749de236caf5877599b

SHA512
631bc57dfef705bc4fbb7be1f7a8200304a3ec26ebb7d161426842f1b792c2c8d6f331f7920e744640ac0318f814f37d374000175293c69fbba47925be227113

Download Submit
C:\Users\Admin\AppData\Local\Temp\ռƈƍӂƋ.exe

Filesize
4KB

MD5
f57619e0e26d52d7dea47ffa3f9660f8

SHA1
1a18f579054f7ae00ce91040042208bf74e80047

SHA256
55d889fee1747258e14306055347a793d8098dcb67c0d559a01fe44a097a8563

SHA512
35e98290f86ca83180c2f37f031cbc78d10351cc19954735e0e113c1091b82b070f44e5c6507b7ebcaaa5bd33ef78325ce0af4919fbd7860170d105cb15927ae

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCDE2F.tmp

Filesize
636B

MD5
4b89aba9a5ca28c1f14379edf525f8b1

SHA1
95a5d8110b18238dee3b91db524703ea67febc8c

SHA256
dc19cd538d40592c076bd2e4fea637992d08fa124f6b45d78d33152222530db1

SHA512
0974a462c9488ddefdc901ecd2cc6f36d83e233adde1841c36daaaee3d9fb9920b245b24368c29419b542054ef0cdb28399e8acf31e11c195fc1f3de07295308

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\g9wnhxoh.0.cs

Filesize
1KB

MD5
e6d189b282a26b1d0301ec0a8775b485

SHA1
9ff4f0fc126f7fb5e22e368710a47dd51de4c310

SHA256
6bf1991fb09c2e57f2b61ae0d774de6efc2544d600928b0028de9b6fda8cd038

SHA512
6a8ce26bd6d3fe10873dd49443a5212368adfbe15f3b213c03677634e7f8c8666ce2a903327c8d581d04b0e8daedd6dd29a0f98b19df96810b613517d6cc51fd

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\g9wnhxoh.cmdline

Filesize
263B

MD5
e9a0da2e0f44ad2e40103f15a9af31f0

SHA1
eddd4d6cdf07b7e4d664d949017626f5a010d75d

SHA256
8b07b621eca8548723630e9d26fd8608a1b400b8778c21e940bfc8a82780b93a

SHA512
c2656d9fd793a9ed326f720b42b84b97a75d29644b1df154d3e2a6a3c72bb55820aec4547867b828f6ff471e31b44b94a3ce3463fccdff95fec06982cf60a3ac

Download Submit
\Users\Admin\AppData\Local\Temp\smss.exe

Filesize
31KB

MD5
ed797d8dc2c92401985d162e42ffa450

SHA1
0f02fc517c7facc4baefde4fe9467fb6488ebabe

SHA256
b746362010a101cb5931bc066f0f4d3fc740c02a68c1f37fc3c8e6c87fd7cb1e

SHA512
e831a6ff987f3ef29982da16afad06938b68eddd43c234ba88d1c96a1b5547f2284baf35cbb3a5bfd75e7f0445d14daa014e0ba00b4db72c67f83f0a314c80c2

Download Submit
memory/1696-35-0x00000000746E0000-0x0000000074C8B000-memory.dmp

Filesize
5.7MB

Download
memory/1696-1-0x00000000746E0000-0x0000000074C8B000-memory.dmp

Filesize
5.7MB

Download
memory/1696-0-0x00000000746E1000-0x00000000746E2000-memory.dmp

Filesize
4KB

Download
memory/2088-7-0x00000000746E0000-0x0000000074C8B000-memory.dmp

Filesize
5.7MB

Download
memory/2088-14-0x00000000746E0000-0x0000000074C8B000-memory.dmp

Filesize
5.7MB

Download
memory/2372-31-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2372-46-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2372-30-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2372-28-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2372-26-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2372-43-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2372-44-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2372-24-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2372-47-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2372-48-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2372-51-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2372-52-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2372-55-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2372-59-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads