blackshades | c447e74c79ae7ce446ae23384c26a316df1d91b1d26c515f8051abb64e09c424

Analysis

max time kernel
148s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
05-02-2025 09:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_9e123b366349174b9fe9fc0fe29f1bb0.exe
Size

456KB
MD5

9e123b366349174b9fe9fc0fe29f1bb0
SHA1

398db87d242d33a3a3cc32f697fa6b2e03c729cc
SHA256

c447e74c79ae7ce446ae23384c26a316df1d91b1d26c515f8051abb64e09c424
SHA512

9a20e590fa4296dd1dcaf7bff2f63f36c38f37d625742b169dbf99fa12fe1750091dc1fc69b97a689cbb247ef5f3d8bf11cc6512515814ebddc4e2a1e89bd3ae
SSDEEP

12288:vxo++0inYc+d5GJWt/Tel5h0bCgNlmOoxC:IYc+GJWtO/0WgNlmOox

Score

10^/10

blackshades defense_evasion discovery persistence rat

Malware Config

Signatures

Blackshades
Blackshades is a remote access trojan with various capabilities.
rat blackshades
Blackshades family
blackshades

Blackshades payload 13 IoCs

resource	yara_rule
behavioral2/memory/4936-19-0x0000000000400000-0x000000000045A000-memory.dmp	family_blackshades
behavioral2/memory/4936-22-0x0000000000400000-0x000000000045A000-memory.dmp	family_blackshades
behavioral2/memory/4936-29-0x0000000000400000-0x000000000045A000-memory.dmp	family_blackshades
behavioral2/memory/4936-30-0x0000000000400000-0x000000000045A000-memory.dmp	family_blackshades
behavioral2/memory/4936-32-0x0000000000400000-0x000000000045A000-memory.dmp	family_blackshades
behavioral2/memory/4936-33-0x0000000000400000-0x000000000045A000-memory.dmp	family_blackshades
behavioral2/memory/4936-35-0x0000000000400000-0x000000000045A000-memory.dmp	family_blackshades
behavioral2/memory/4936-36-0x0000000000400000-0x000000000045A000-memory.dmp	family_blackshades
behavioral2/memory/4936-38-0x0000000000400000-0x000000000045A000-memory.dmp	family_blackshades
behavioral2/memory/4936-39-0x0000000000400000-0x000000000045A000-memory.dmp	family_blackshades
behavioral2/memory/4936-40-0x0000000000400000-0x000000000045A000-memory.dmp	family_blackshades
behavioral2/memory/4936-41-0x0000000000400000-0x000000000045A000-memory.dmp	family_blackshades
behavioral2/memory/4936-42-0x0000000000400000-0x000000000045A000-memory.dmp	family_blackshades

Modifies firewall policy service 3 TTPs 10 IoCs

defense_evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\explorer.exe = "C:\\Users\\Admin\\AppData\\Roaming\\explorer.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe = "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\vbc.exe:*:Enabled:Windows Messanger"	reg.exe

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run	vbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\update = "C:\\Users\\Admin\\AppData\\Roaming\\explorer.exe"	vbc.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EAAECBAE-BE29-C7DA-A5CC-C63E8FA27AB3}	vbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EAAECBAE-BE29-C7DA-A5CC-C63E8FA27AB3}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\explorer.exe"	vbc.exe
Key created	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{EAAECBAE-BE29-C7DA-A5CC-C63E8FA27AB3}	vbc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{EAAECBAE-BE29-C7DA-A5CC-C63E8FA27AB3}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\explorer.exe"	vbc.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000\Control Panel\International\Geo\Nation	JaffaCakes118_9e123b366349174b9fe9fc0fe29f1bb0.exe

Executes dropped EXE 1 IoCs

pid	Process
2504	CCleaner.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\update = "C:\\Users\\Admin\\AppData\\Roaming\\explorer.exe"	vbc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\update = "C:\\Users\\Admin\\AppData\\Roaming\\explorer.exe"	vbc.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2504 set thread context of 4936	2504	CCleaner.exe	87

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_9e123b366349174b9fe9fc0fe29f1bb0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CCleaner.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
3308	reg.exe
2960	reg.exe
1724	reg.exe
4816	reg.exe

Suspicious use of AdjustPrivilegeToken 36 IoCs

description	pid	Process
Token: SeDebugPrivilege	2264	JaffaCakes118_9e123b366349174b9fe9fc0fe29f1bb0.exe
Token: 1	4936	vbc.exe
Token: SeCreateTokenPrivilege	4936	vbc.exe
Token: SeAssignPrimaryTokenPrivilege	4936	vbc.exe
Token: SeLockMemoryPrivilege	4936	vbc.exe
Token: SeIncreaseQuotaPrivilege	4936	vbc.exe
Token: SeMachineAccountPrivilege	4936	vbc.exe
Token: SeTcbPrivilege	4936	vbc.exe
Token: SeSecurityPrivilege	4936	vbc.exe
Token: SeTakeOwnershipPrivilege	4936	vbc.exe
Token: SeLoadDriverPrivilege	4936	vbc.exe
Token: SeSystemProfilePrivilege	4936	vbc.exe
Token: SeSystemtimePrivilege	4936	vbc.exe
Token: SeProfSingleProcessPrivilege	4936	vbc.exe
Token: SeIncBasePriorityPrivilege	4936	vbc.exe
Token: SeCreatePagefilePrivilege	4936	vbc.exe
Token: SeCreatePermanentPrivilege	4936	vbc.exe
Token: SeBackupPrivilege	4936	vbc.exe
Token: SeRestorePrivilege	4936	vbc.exe
Token: SeShutdownPrivilege	4936	vbc.exe
Token: SeDebugPrivilege	4936	vbc.exe
Token: SeAuditPrivilege	4936	vbc.exe
Token: SeSystemEnvironmentPrivilege	4936	vbc.exe
Token: SeChangeNotifyPrivilege	4936	vbc.exe
Token: SeRemoteShutdownPrivilege	4936	vbc.exe
Token: SeUndockPrivilege	4936	vbc.exe
Token: SeSyncAgentPrivilege	4936	vbc.exe
Token: SeEnableDelegationPrivilege	4936	vbc.exe
Token: SeManageVolumePrivilege	4936	vbc.exe
Token: SeImpersonatePrivilege	4936	vbc.exe
Token: SeCreateGlobalPrivilege	4936	vbc.exe
Token: 31	4936	vbc.exe
Token: 32	4936	vbc.exe
Token: 33	4936	vbc.exe
Token: 34	4936	vbc.exe
Token: 35	4936	vbc.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
4936	vbc.exe
4936	vbc.exe
4936	vbc.exe

Suspicious use of WriteProcessMemory 35 IoCs

description	pid	Process	procid_target
PID 2264 wrote to memory of 2504	2264	JaffaCakes118_9e123b366349174b9fe9fc0fe29f1bb0.exe	85
PID 2264 wrote to memory of 2504	2264	JaffaCakes118_9e123b366349174b9fe9fc0fe29f1bb0.exe	85
PID 2264 wrote to memory of 2504	2264	JaffaCakes118_9e123b366349174b9fe9fc0fe29f1bb0.exe	85
PID 2504 wrote to memory of 4936	2504	CCleaner.exe	87
PID 2504 wrote to memory of 4936	2504	CCleaner.exe	87
PID 2504 wrote to memory of 4936	2504	CCleaner.exe	87
PID 2504 wrote to memory of 4936	2504	CCleaner.exe	87
PID 2504 wrote to memory of 4936	2504	CCleaner.exe	87
PID 2504 wrote to memory of 4936	2504	CCleaner.exe	87
PID 2504 wrote to memory of 4936	2504	CCleaner.exe	87
PID 2504 wrote to memory of 4936	2504	CCleaner.exe	87
PID 4936 wrote to memory of 1788	4936	vbc.exe	88
PID 4936 wrote to memory of 1788	4936	vbc.exe	88
PID 4936 wrote to memory of 1788	4936	vbc.exe	88
PID 4936 wrote to memory of 432	4936	vbc.exe	89
PID 4936 wrote to memory of 432	4936	vbc.exe	89
PID 4936 wrote to memory of 432	4936	vbc.exe	89
PID 4936 wrote to memory of 3184	4936	vbc.exe	91
PID 4936 wrote to memory of 3184	4936	vbc.exe	91
PID 4936 wrote to memory of 3184	4936	vbc.exe	91
PID 4936 wrote to memory of 4160	4936	vbc.exe	93
PID 4936 wrote to memory of 4160	4936	vbc.exe	93
PID 4936 wrote to memory of 4160	4936	vbc.exe	93
PID 1788 wrote to memory of 3308	1788	cmd.exe	96
PID 1788 wrote to memory of 3308	1788	cmd.exe	96
PID 1788 wrote to memory of 3308	1788	cmd.exe	96
PID 3184 wrote to memory of 2960	3184	cmd.exe	97
PID 3184 wrote to memory of 2960	3184	cmd.exe	97
PID 3184 wrote to memory of 2960	3184	cmd.exe	97
PID 432 wrote to memory of 1724	432	cmd.exe	98
PID 432 wrote to memory of 1724	432	cmd.exe	98
PID 432 wrote to memory of 1724	432	cmd.exe	98
PID 4160 wrote to memory of 4816	4160	cmd.exe	99
PID 4160 wrote to memory of 4816	4160	cmd.exe	99
PID 4160 wrote to memory of 4816	4160	cmd.exe	99

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9e123b366349174b9fe9fc0fe29f1bb0.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9e123b366349174b9fe9fc0fe29f1bb0.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2264
- C:\Users\Admin\Documents\CCleaner.exe
  "C:\Users\Admin\Documents\CCleaner.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2504
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    3⤵
    - Adds policy Run key to start application
    - Boot or Logon Autostart Execution: Active Setup
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4936
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1788
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        5⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:3308
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /t REG_SZ /d "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe:*:Enabled:Windows Messanger" /f
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:432
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /t REG_SZ /d "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe:*:Enabled:Windows Messanger" /f
        5⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1724
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3184
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        5⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2960
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\explorer.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\explorer.exe:*:Enabled:Windows Messanger" /f
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4160
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\explorer.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\explorer.exe:*:Enabled:Windows Messanger" /f
        5⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:4816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Documents\CCleaner.exe

Filesize
404KB

MD5
0ba68518f07693c703e4209412ba7d5c

SHA1
7c0c1b347021b4bf7829b20856076b2ca1d270c7

SHA256
d1ae3399606dd693ab1ff3e308873a637c3e99c25cb4735c25726127419086ad

SHA512
6fb0045ae70ec65161f07c90619e337065fc2ba87ada0f59916148c55977cfad9155a651fb6e396a5a039840689cb30d09d0bc13a21effedcf3c9f2257b3a781

Download Submit
memory/2264-15-0x0000000074F20000-0x00000000754D1000-memory.dmp

Filesize
5.7MB

Download
memory/2264-1-0x0000000074F20000-0x00000000754D1000-memory.dmp

Filesize
5.7MB

Download
memory/2264-2-0x0000000074F20000-0x00000000754D1000-memory.dmp

Filesize
5.7MB

Download
memory/2264-0-0x0000000074F22000-0x0000000074F23000-memory.dmp

Filesize
4KB

Download
memory/2504-23-0x0000000074F20000-0x00000000754D1000-memory.dmp

Filesize
5.7MB

Download
memory/2504-16-0x0000000074F20000-0x00000000754D1000-memory.dmp

Filesize
5.7MB

Download
memory/2504-18-0x0000000074F20000-0x00000000754D1000-memory.dmp

Filesize
5.7MB

Download
memory/2504-17-0x0000000074F20000-0x00000000754D1000-memory.dmp

Filesize
5.7MB

Download
memory/4936-33-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/4936-22-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/4936-29-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/4936-30-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/4936-32-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/4936-19-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/4936-35-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/4936-36-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/4936-38-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/4936-39-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/4936-40-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/4936-41-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/4936-42-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads