blackshades | cda884256a956e327bde7ea969e1b665adc842e0c5c136492b523ee41d3847a3

Analysis

max time kernel
119s
max time network
108s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
05/02/2025, 03:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cda884256a956e327bde7ea969e1b665adc842e0c5c136492b523ee41d3847a3.exe
Size

1.5MB
MD5

e46e8605c7dd4927f00173e2a587726d
SHA1

37dd89538130146fdbde3f9ef7790ee9b5cee32e
SHA256

cda884256a956e327bde7ea969e1b665adc842e0c5c136492b523ee41d3847a3
SHA512

ed32a8efad799a0ad17faa13aa885e52a05b36c844425e7aece0007c1e3bc6ed22f90cc17dc32759ad97007e3ec8460ae082c51dad8f9911a72bd698c5a684da
SSDEEP

12288:z+Qf9NxkERr1JzrDTzz7wHxhW88KH6Yn77TCNp8jToZGrhR0Zr:Dx0j8KaYnfTYp8/oZMGZr

Score

10^/10

blackshades defense_evasion discovery persistence rat upx

Malware Config

Signatures

Blackshades
Blackshades is a remote access trojan with various capabilities.
rat blackshades
Blackshades family
blackshades

Blackshades payload 9 IoCs

resource	yara_rule
behavioral2/memory/4824-35-0x0000000000400000-0x000000000045D000-memory.dmp	family_blackshades
behavioral2/memory/4824-40-0x0000000000400000-0x000000000045D000-memory.dmp	family_blackshades
behavioral2/memory/4824-39-0x0000000000400000-0x000000000045D000-memory.dmp	family_blackshades
behavioral2/memory/4824-51-0x0000000000400000-0x000000000045D000-memory.dmp	family_blackshades
behavioral2/memory/4824-52-0x0000000000400000-0x000000000045D000-memory.dmp	family_blackshades
behavioral2/memory/4824-54-0x0000000000400000-0x000000000045D000-memory.dmp	family_blackshades
behavioral2/memory/4824-57-0x0000000000400000-0x000000000045D000-memory.dmp	family_blackshades
behavioral2/memory/4824-59-0x0000000000400000-0x000000000045D000-memory.dmp	family_blackshades
behavioral2/memory/4824-75-0x0000000000400000-0x000000000045D000-memory.dmp	family_blackshades

Modifies firewall policy service 3 TTPs 10 IoCs

defense_evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\winlogon.exe = "C:\\Users\\Admin\\AppData\\Roaming\\winlogon.exe:*:Enabled:Windows Messanger"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\darkeye-nosttingspersistent2.exe = "C:\\Users\\Admin\\AppData\\Roaming\\darkeye-nosttingspersistent2.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	cda884256a956e327bde7ea969e1b665adc842e0c5c136492b523ee41d3847a3.exe

Executes dropped EXE 3 IoCs

pid	Process
4316	winlogon.exe
4824	winlogon.exe
4448	winlogon.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Winlogon = "C:\\Users\\Admin\\AppData\\Roaming\\winlogon.exe"	reg.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4316 set thread context of 4824	4316	winlogon.exe	87
PID 4316 set thread context of 4448	4316	winlogon.exe	88

UPX packed file 15 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4824-34-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral2/memory/4824-35-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral2/memory/4448-41-0x0000000000400000-0x0000000000409000-memory.dmp	upx
behavioral2/memory/4448-50-0x0000000000400000-0x0000000000409000-memory.dmp	upx
behavioral2/memory/4448-46-0x0000000000400000-0x0000000000409000-memory.dmp	upx
behavioral2/memory/4448-47-0x0000000000400000-0x0000000000409000-memory.dmp	upx
behavioral2/memory/4824-40-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral2/memory/4824-39-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral2/memory/4824-31-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral2/memory/4824-51-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral2/memory/4824-52-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral2/memory/4824-54-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral2/memory/4824-57-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral2/memory/4824-59-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral2/memory/4824-75-0x0000000000400000-0x000000000045D000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cda884256a956e327bde7ea969e1b665adc842e0c5c136492b523ee41d3847a3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
2004	reg.exe
4984	reg.exe
3220	reg.exe
1036	reg.exe

Suspicious use of AdjustPrivilegeToken 36 IoCs

description	pid	Process
Token: 1	4824	winlogon.exe
Token: SeCreateTokenPrivilege	4824	winlogon.exe
Token: SeAssignPrimaryTokenPrivilege	4824	winlogon.exe
Token: SeLockMemoryPrivilege	4824	winlogon.exe
Token: SeIncreaseQuotaPrivilege	4824	winlogon.exe
Token: SeMachineAccountPrivilege	4824	winlogon.exe
Token: SeTcbPrivilege	4824	winlogon.exe
Token: SeSecurityPrivilege	4824	winlogon.exe
Token: SeTakeOwnershipPrivilege	4824	winlogon.exe
Token: SeLoadDriverPrivilege	4824	winlogon.exe
Token: SeSystemProfilePrivilege	4824	winlogon.exe
Token: SeSystemtimePrivilege	4824	winlogon.exe
Token: SeProfSingleProcessPrivilege	4824	winlogon.exe
Token: SeIncBasePriorityPrivilege	4824	winlogon.exe
Token: SeCreatePagefilePrivilege	4824	winlogon.exe
Token: SeCreatePermanentPrivilege	4824	winlogon.exe
Token: SeBackupPrivilege	4824	winlogon.exe
Token: SeRestorePrivilege	4824	winlogon.exe
Token: SeShutdownPrivilege	4824	winlogon.exe
Token: SeDebugPrivilege	4824	winlogon.exe
Token: SeAuditPrivilege	4824	winlogon.exe
Token: SeSystemEnvironmentPrivilege	4824	winlogon.exe
Token: SeChangeNotifyPrivilege	4824	winlogon.exe
Token: SeRemoteShutdownPrivilege	4824	winlogon.exe
Token: SeUndockPrivilege	4824	winlogon.exe
Token: SeSyncAgentPrivilege	4824	winlogon.exe
Token: SeEnableDelegationPrivilege	4824	winlogon.exe
Token: SeManageVolumePrivilege	4824	winlogon.exe
Token: SeImpersonatePrivilege	4824	winlogon.exe
Token: SeCreateGlobalPrivilege	4824	winlogon.exe
Token: 31	4824	winlogon.exe
Token: 32	4824	winlogon.exe
Token: 33	4824	winlogon.exe
Token: 34	4824	winlogon.exe
Token: 35	4824	winlogon.exe
Token: SeDebugPrivilege	4448	winlogon.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
3948	cda884256a956e327bde7ea969e1b665adc842e0c5c136492b523ee41d3847a3.exe
4316	winlogon.exe
4824	winlogon.exe
4824	winlogon.exe
4448	winlogon.exe
4824	winlogon.exe

Suspicious use of WriteProcessMemory 49 IoCs

description	pid	Process	procid_target
PID 3948 wrote to memory of 3808	3948	cda884256a956e327bde7ea969e1b665adc842e0c5c136492b523ee41d3847a3.exe	82
PID 3948 wrote to memory of 3808	3948	cda884256a956e327bde7ea969e1b665adc842e0c5c136492b523ee41d3847a3.exe	82
PID 3948 wrote to memory of 3808	3948	cda884256a956e327bde7ea969e1b665adc842e0c5c136492b523ee41d3847a3.exe	82
PID 3808 wrote to memory of 2080	3808	cmd.exe	85
PID 3808 wrote to memory of 2080	3808	cmd.exe	85
PID 3808 wrote to memory of 2080	3808	cmd.exe	85
PID 3948 wrote to memory of 4316	3948	cda884256a956e327bde7ea969e1b665adc842e0c5c136492b523ee41d3847a3.exe	86
PID 3948 wrote to memory of 4316	3948	cda884256a956e327bde7ea969e1b665adc842e0c5c136492b523ee41d3847a3.exe	86
PID 3948 wrote to memory of 4316	3948	cda884256a956e327bde7ea969e1b665adc842e0c5c136492b523ee41d3847a3.exe	86
PID 4316 wrote to memory of 4824	4316	winlogon.exe	87
PID 4316 wrote to memory of 4824	4316	winlogon.exe	87
PID 4316 wrote to memory of 4824	4316	winlogon.exe	87
PID 4316 wrote to memory of 4824	4316	winlogon.exe	87
PID 4316 wrote to memory of 4824	4316	winlogon.exe	87
PID 4316 wrote to memory of 4824	4316	winlogon.exe	87
PID 4316 wrote to memory of 4824	4316	winlogon.exe	87
PID 4316 wrote to memory of 4824	4316	winlogon.exe	87
PID 4316 wrote to memory of 4448	4316	winlogon.exe	88
PID 4316 wrote to memory of 4448	4316	winlogon.exe	88
PID 4316 wrote to memory of 4448	4316	winlogon.exe	88
PID 4824 wrote to memory of 4288	4824	winlogon.exe	89
PID 4824 wrote to memory of 4288	4824	winlogon.exe	89
PID 4824 wrote to memory of 4288	4824	winlogon.exe	89
PID 4316 wrote to memory of 4448	4316	winlogon.exe	88
PID 4316 wrote to memory of 4448	4316	winlogon.exe	88
PID 4316 wrote to memory of 4448	4316	winlogon.exe	88
PID 4316 wrote to memory of 4448	4316	winlogon.exe	88
PID 4316 wrote to memory of 4448	4316	winlogon.exe	88
PID 4824 wrote to memory of 3124	4824	winlogon.exe	90
PID 4824 wrote to memory of 3124	4824	winlogon.exe	90
PID 4824 wrote to memory of 3124	4824	winlogon.exe	90
PID 4824 wrote to memory of 3932	4824	winlogon.exe	91
PID 4824 wrote to memory of 3932	4824	winlogon.exe	91
PID 4824 wrote to memory of 3932	4824	winlogon.exe	91
PID 4824 wrote to memory of 896	4824	winlogon.exe	92
PID 4824 wrote to memory of 896	4824	winlogon.exe	92
PID 4824 wrote to memory of 896	4824	winlogon.exe	92
PID 3124 wrote to memory of 2004	3124	cmd.exe	97
PID 3124 wrote to memory of 2004	3124	cmd.exe	97
PID 3124 wrote to memory of 2004	3124	cmd.exe	97
PID 4288 wrote to memory of 4984	4288	cmd.exe	98
PID 4288 wrote to memory of 4984	4288	cmd.exe	98
PID 4288 wrote to memory of 4984	4288	cmd.exe	98
PID 3932 wrote to memory of 3220	3932	cmd.exe	99
PID 3932 wrote to memory of 3220	3932	cmd.exe	99
PID 3932 wrote to memory of 3220	3932	cmd.exe	99
PID 896 wrote to memory of 1036	896	cmd.exe	100
PID 896 wrote to memory of 1036	896	cmd.exe	100
PID 896 wrote to memory of 1036	896	cmd.exe	100

C:\Users\Admin\AppData\Local\Temp\cda884256a956e327bde7ea969e1b665adc842e0c5c136492b523ee41d3847a3.exe
"C:\Users\Admin\AppData\Local\Temp\cda884256a956e327bde7ea969e1b665adc842e0c5c136492b523ee41d3847a3.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3948
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nreXV.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3808
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Winlogon" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\winlogon.exe" /f
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:2080
- C:\Users\Admin\AppData\Roaming\winlogon.exe
  "C:\Users\Admin\AppData\Roaming\winlogon.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4316
- - C:\Users\Admin\AppData\Roaming\winlogon.exe
    C:\Users\Admin\AppData\Roaming\winlogon.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4824
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4288
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        5⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:4984
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\winlogon.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\winlogon.exe:*:Enabled:Windows Messanger" /f
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3124
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\winlogon.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\winlogon.exe:*:Enabled:Windows Messanger" /f
        5⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2004
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3932
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        5⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:3220
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\darkeye-nosttingspersistent2.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\darkeye-nosttingspersistent2.exe:*:Enabled:Windows Messanger" /f
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:896
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\darkeye-nosttingspersistent2.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\darkeye-nosttingspersistent2.exe:*:Enabled:Windows Messanger" /f
        5⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1036
- - C:\Users\Admin\AppData\Roaming\winlogon.exe
    C:\Users\Admin\AppData\Roaming\winlogon.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:4448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nreXV.txt

Filesize
138B

MD5
4da6717f2c70f4bd32ad33a227a2ff47

SHA1
3d7f7159e1f695bd469287d1ad4ffa0841b407a8

SHA256
a12bb2e5d2fb0b3c400ce311fae72995a00b57a97d23e4b9effec47cff189d07

SHA512
6765314054ad9bf2164058248f3d3a17775176925abbe4376aec030dca3a5e59be8b9e96139941fec2b2e1a9bff38f87abdb29ea09a299d8ab7e23ecec4083df

Download Submit
C:\Users\Admin\AppData\Roaming\winlogon.txt

Filesize
1.5MB

MD5
33566ed958b31e87d83f2e02c8f15128

SHA1
31c3ace47d1d48213b88408450b34c92dcfd42bb

SHA256
094397f192ab0e9554388b61101805d54ee849d7b20605482820cf397c8dca5e

SHA512
df265f65d05ad9b023823de00ad843f738348f759cf8c31e9e942fa7d855e9a6aa6f0e15b298f33c9c32fe389e319274b6c00f438d40de516072a8f09732e635

Download Submit
memory/3948-0-0x0000000000400000-0x000000000058A000-memory.dmp

Filesize
1.5MB

Download
memory/4448-46-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4448-47-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4448-41-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4448-50-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4824-35-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/4824-34-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/4824-40-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/4824-39-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/4824-31-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/4824-51-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/4824-52-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/4824-54-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/4824-57-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/4824-59-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/4824-75-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads