blackshades | e32fedaa29bc6b47f5a4ef8a9b3316017d63ecf50f409d795513ae441cab7360

Analysis

max time kernel
150s
max time network
19s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
06-02-2025 13:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_abe395d3e6bfad78fa2e55d8b01b0399.exe
Size

624KB
MD5

abe395d3e6bfad78fa2e55d8b01b0399
SHA1

696cc32e2c43f35e732a5a70b7cf879ce8b4ad54
SHA256

e32fedaa29bc6b47f5a4ef8a9b3316017d63ecf50f409d795513ae441cab7360
SHA512

ca1d92712984746a1d715415baf1629375084fa35b4f8d1ebff13682a34fd5a253ed20a551b1132183fbc8a29ddd852fed6b4e6d76c8b3d4dc89074c2fb8f7f8
SSDEEP

12288:7DEYaUcamFQJDZF1F1tZsRvdBdtT7UqfSlq2v8LS2I3v9paa:SUcamFQxZF1DMvdBjvasn/I3v9pB

Score

10^/10

blackshades defense_evasion discovery persistence rat

Malware Config

Signatures

Blackshades
Blackshades is a remote access trojan with various capabilities.
rat blackshades
Blackshades family
blackshades

Blackshades payload 1 IoCs

resource	yara_rule
behavioral1/files/0x0009000000016cd8-59.dat	family_blackshades

Modifies firewall policy service 3 TTPs 8 IoCs

defense_evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\test.exe = "test.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\1.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1.exe:*:Enabled:Windows Messanger"	reg.exe

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run	1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\Adobe Updater = "C:\\Users\\Admin\\AppData\\Roaming\\test.exe"	1.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ACFD0DC2-B64B-2E4D-DFFA-989D9EEE5926}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\test.exe"	1.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{ACFD0DC2-B64B-2E4D-DFFA-989D9EEE5926}	1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Active Setup\Installed Components\{ACFD0DC2-B64B-2E4D-DFFA-989D9EEE5926}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\test.exe"	1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ACFD0DC2-B64B-2E4D-DFFA-989D9EEE5926}	1.exe

Executes dropped EXE 1 IoCs

pid	Process
2884	1.exe

Loads dropped DLL 4 IoCs

pid	Process
2280	JaffaCakes118_abe395d3e6bfad78fa2e55d8b01b0399.exe
2280	JaffaCakes118_abe395d3e6bfad78fa2e55d8b01b0399.exe
2280	JaffaCakes118_abe395d3e6bfad78fa2e55d8b01b0399.exe
2280	JaffaCakes118_abe395d3e6bfad78fa2e55d8b01b0399.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Adobe Updater = "C:\\Users\\Admin\\AppData\\Roaming\\test.exe"	1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Adobe Updater = "C:\\Users\\Admin\\AppData\\Roaming\\test.exe"	1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_abe395d3e6bfad78fa2e55d8b01b0399.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
2396	reg.exe
944	reg.exe
2668	reg.exe
1116	reg.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

description	pid	Process
Token: 1	2884	1.exe
Token: SeCreateTokenPrivilege	2884	1.exe
Token: SeAssignPrimaryTokenPrivilege	2884	1.exe
Token: SeLockMemoryPrivilege	2884	1.exe
Token: SeIncreaseQuotaPrivilege	2884	1.exe
Token: SeMachineAccountPrivilege	2884	1.exe
Token: SeTcbPrivilege	2884	1.exe
Token: SeSecurityPrivilege	2884	1.exe
Token: SeTakeOwnershipPrivilege	2884	1.exe
Token: SeLoadDriverPrivilege	2884	1.exe
Token: SeSystemProfilePrivilege	2884	1.exe
Token: SeSystemtimePrivilege	2884	1.exe
Token: SeProfSingleProcessPrivilege	2884	1.exe
Token: SeIncBasePriorityPrivilege	2884	1.exe
Token: SeCreatePagefilePrivilege	2884	1.exe
Token: SeCreatePermanentPrivilege	2884	1.exe
Token: SeBackupPrivilege	2884	1.exe
Token: SeRestorePrivilege	2884	1.exe
Token: SeShutdownPrivilege	2884	1.exe
Token: SeDebugPrivilege	2884	1.exe
Token: SeAuditPrivilege	2884	1.exe
Token: SeSystemEnvironmentPrivilege	2884	1.exe
Token: SeChangeNotifyPrivilege	2884	1.exe
Token: SeRemoteShutdownPrivilege	2884	1.exe
Token: SeUndockPrivilege	2884	1.exe
Token: SeSyncAgentPrivilege	2884	1.exe
Token: SeEnableDelegationPrivilege	2884	1.exe
Token: SeManageVolumePrivilege	2884	1.exe
Token: SeImpersonatePrivilege	2884	1.exe
Token: SeCreateGlobalPrivilege	2884	1.exe
Token: 31	2884	1.exe
Token: 32	2884	1.exe
Token: 33	2884	1.exe
Token: 34	2884	1.exe
Token: 35	2884	1.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2280	JaffaCakes118_abe395d3e6bfad78fa2e55d8b01b0399.exe
2280	JaffaCakes118_abe395d3e6bfad78fa2e55d8b01b0399.exe
2884	1.exe
2884	1.exe
2884	1.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2280 wrote to memory of 2884	2280	JaffaCakes118_abe395d3e6bfad78fa2e55d8b01b0399.exe	29
PID 2280 wrote to memory of 2884	2280	JaffaCakes118_abe395d3e6bfad78fa2e55d8b01b0399.exe	29
PID 2280 wrote to memory of 2884	2280	JaffaCakes118_abe395d3e6bfad78fa2e55d8b01b0399.exe	29
PID 2280 wrote to memory of 2884	2280	JaffaCakes118_abe395d3e6bfad78fa2e55d8b01b0399.exe	29
PID 2884 wrote to memory of 2688	2884	1.exe	30
PID 2884 wrote to memory of 2688	2884	1.exe	30
PID 2884 wrote to memory of 2688	2884	1.exe	30
PID 2884 wrote to memory of 2688	2884	1.exe	30
PID 2884 wrote to memory of 2684	2884	1.exe	31
PID 2884 wrote to memory of 2684	2884	1.exe	31
PID 2884 wrote to memory of 2684	2884	1.exe	31
PID 2884 wrote to memory of 2684	2884	1.exe	31
PID 2884 wrote to memory of 896	2884	1.exe	33
PID 2884 wrote to memory of 896	2884	1.exe	33
PID 2884 wrote to memory of 896	2884	1.exe	33
PID 2884 wrote to memory of 896	2884	1.exe	33
PID 2884 wrote to memory of 2736	2884	1.exe	34
PID 2884 wrote to memory of 2736	2884	1.exe	34
PID 2884 wrote to memory of 2736	2884	1.exe	34
PID 2884 wrote to memory of 2736	2884	1.exe	34
PID 2684 wrote to memory of 1116	2684	cmd.exe	38
PID 2684 wrote to memory of 1116	2684	cmd.exe	38
PID 2684 wrote to memory of 1116	2684	cmd.exe	38
PID 2684 wrote to memory of 1116	2684	cmd.exe	38
PID 2736 wrote to memory of 2668	2736	cmd.exe	39
PID 2736 wrote to memory of 2668	2736	cmd.exe	39
PID 2736 wrote to memory of 2668	2736	cmd.exe	39
PID 2736 wrote to memory of 2668	2736	cmd.exe	39
PID 2688 wrote to memory of 2396	2688	cmd.exe	40
PID 2688 wrote to memory of 2396	2688	cmd.exe	40
PID 2688 wrote to memory of 2396	2688	cmd.exe	40
PID 2688 wrote to memory of 2396	2688	cmd.exe	40
PID 896 wrote to memory of 944	896	cmd.exe	41
PID 896 wrote to memory of 944	896	cmd.exe	41
PID 896 wrote to memory of 944	896	cmd.exe	41
PID 896 wrote to memory of 944	896	cmd.exe	41

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_abe395d3e6bfad78fa2e55d8b01b0399.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_abe395d3e6bfad78fa2e55d8b01b0399.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2280
- C:\Users\Admin\AppData\Local\Temp\1.exe
  "C:\Users\Admin\AppData\Local\Temp\1.exe"
  2⤵
  - Adds policy Run key to start application
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2884
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2688
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      4⤵
      Modifies firewall policy service
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:2396
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\1.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1.exe:*:Enabled:Windows Messanger" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2684
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\1.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1.exe:*:Enabled:Windows Messanger" /f
      4⤵
      Modifies firewall policy service
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:1116
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:896
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      4⤵
      Modifies firewall policy service
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:944
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "test.exe" /t REG_SZ /d "test.exe:*:Enabled:Windows Messanger" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2736
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "test.exe" /t REG_SZ /d "test.exe:*:Enabled:Windows Messanger" /f
      4⤵
      Modifies firewall policy service
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:2668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\1.exe

Filesize
560KB

MD5
e32c451e3d6d91081fd410fc171aed23

SHA1
9ff2db516c9f24b434e800ed82dd40911b173201

SHA256
1bef4cc93c8aaa7a03b4ec24b53b17a8d182656551ac5417ff7ec326dfba05aa

SHA512
759d1152117af96f6acbab11dfaefdc1a632b2bd00447301d3a12c9ed1dd5ca23a8e18df8b767a2c495e59166e3b6ce0cfbed6ddb2d8bf885215d93cdaa92276

Download Submit
memory/2280-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2280-1-0x00000000002B0000-0x00000000002C0000-memory.dmp

Filesize
64KB

Download
memory/2280-2-0x00000000002C0000-0x00000000002D0000-memory.dmp

Filesize
64KB

Download
memory/2280-3-0x0000000000310000-0x0000000000320000-memory.dmp

Filesize
64KB

Download
memory/2280-17-0x0000000000450000-0x0000000000460000-memory.dmp

Filesize
64KB

Download
memory/2280-16-0x0000000000440000-0x0000000000450000-memory.dmp

Filesize
64KB

Download
memory/2280-15-0x0000000000430000-0x0000000000440000-memory.dmp

Filesize
64KB

Download
memory/2280-14-0x0000000000420000-0x0000000000430000-memory.dmp

Filesize
64KB

Download
memory/2280-13-0x00000000003F0000-0x0000000000400000-memory.dmp

Filesize
64KB

Download
memory/2280-12-0x00000000003E0000-0x00000000003F0000-memory.dmp

Filesize
64KB

Download
memory/2280-11-0x00000000003D0000-0x00000000003E0000-memory.dmp

Filesize
64KB

Download
memory/2280-10-0x00000000003C0000-0x00000000003D0000-memory.dmp

Filesize
64KB

Download
memory/2280-9-0x00000000003B0000-0x00000000003C0000-memory.dmp

Filesize
64KB

Download
memory/2280-8-0x00000000003A0000-0x00000000003B0000-memory.dmp

Filesize
64KB

Download
memory/2280-7-0x0000000000390000-0x00000000003A0000-memory.dmp

Filesize
64KB

Download
memory/2280-6-0x0000000000340000-0x0000000000350000-memory.dmp

Filesize
64KB

Download
memory/2280-5-0x0000000000330000-0x0000000000340000-memory.dmp

Filesize
64KB

Download
memory/2280-4-0x0000000000320000-0x0000000000330000-memory.dmp

Filesize
64KB

Download
memory/2280-18-0x0000000000460000-0x0000000000470000-memory.dmp

Filesize
64KB

Download
memory/2280-19-0x0000000000470000-0x0000000000480000-memory.dmp

Filesize
64KB

Download
memory/2280-20-0x0000000000480000-0x0000000000490000-memory.dmp

Filesize
64KB

Download
memory/2280-21-0x0000000000720000-0x0000000000730000-memory.dmp

Filesize
64KB

Download
memory/2280-22-0x0000000000730000-0x0000000000740000-memory.dmp

Filesize
64KB

Download
memory/2280-23-0x0000000000740000-0x0000000000750000-memory.dmp

Filesize
64KB

Download
memory/2280-24-0x0000000000750000-0x0000000000760000-memory.dmp

Filesize
64KB

Download
memory/2280-25-0x00000000024B0000-0x00000000024C0000-memory.dmp

Filesize
64KB

Download
memory/2280-26-0x00000000024C0000-0x00000000024D0000-memory.dmp

Filesize
64KB

Download
memory/2280-27-0x00000000024D0000-0x00000000024E0000-memory.dmp

Filesize
64KB

Download
memory/2280-28-0x00000000024E0000-0x00000000024F0000-memory.dmp

Filesize
64KB

Download
memory/2280-29-0x00000000024F0000-0x0000000002500000-memory.dmp

Filesize
64KB

Download
memory/2280-30-0x0000000002500000-0x0000000002510000-memory.dmp

Filesize
64KB

Download
memory/2280-31-0x0000000002510000-0x0000000002520000-memory.dmp

Filesize
64KB

Download
memory/2280-32-0x0000000002520000-0x0000000002530000-memory.dmp

Filesize
64KB

Download
memory/2280-33-0x0000000002530000-0x0000000002540000-memory.dmp

Filesize
64KB

Download
memory/2280-34-0x0000000002540000-0x0000000002550000-memory.dmp

Filesize
64KB

Download
memory/2280-35-0x0000000002550000-0x0000000002560000-memory.dmp

Filesize
64KB

Download
memory/2280-36-0x0000000002560000-0x0000000002570000-memory.dmp

Filesize
64KB

Download
memory/2280-37-0x0000000002570000-0x0000000002580000-memory.dmp

Filesize
64KB

Download
memory/2280-38-0x00000000026D0000-0x00000000026E0000-memory.dmp

Filesize
64KB

Download
memory/2280-39-0x00000000026E0000-0x00000000026F0000-memory.dmp

Filesize
64KB

Download
memory/2280-40-0x00000000026F0000-0x0000000002700000-memory.dmp

Filesize
64KB

Download
memory/2280-41-0x0000000002700000-0x0000000002710000-memory.dmp

Filesize
64KB

Download
memory/2280-42-0x0000000002710000-0x0000000002720000-memory.dmp

Filesize
64KB

Download
memory/2280-43-0x0000000002720000-0x0000000002730000-memory.dmp

Filesize
64KB

Download
memory/2280-44-0x0000000002730000-0x0000000002740000-memory.dmp

Filesize
64KB

Download
memory/2280-45-0x0000000002740000-0x0000000002750000-memory.dmp

Filesize
64KB

Download
memory/2280-46-0x0000000002750000-0x0000000002760000-memory.dmp

Filesize
64KB

Download
memory/2280-47-0x0000000002770000-0x0000000002780000-memory.dmp

Filesize
64KB

Download
memory/2280-48-0x0000000002780000-0x0000000002790000-memory.dmp

Filesize
64KB

Download
memory/2280-49-0x0000000002790000-0x00000000027A0000-memory.dmp

Filesize
64KB

Download
memory/2280-50-0x00000000027A0000-0x00000000027B0000-memory.dmp

Filesize
64KB

Download
memory/2280-51-0x00000000027B0000-0x00000000027C0000-memory.dmp

Filesize
64KB

Download
memory/2280-52-0x00000000027C0000-0x00000000027D0000-memory.dmp

Filesize
64KB

Download
memory/2280-53-0x00000000027D0000-0x00000000027E0000-memory.dmp

Filesize
64KB

Download
memory/2280-54-0x00000000027E0000-0x00000000027F0000-memory.dmp

Filesize
64KB

Download
memory/2280-72-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads