blackshades | e36e36593c9d0335592f93298208298f5bcce86bad692bcc7b11ceed9c4a0ff4

Analysis

max time kernel
149s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
25/02/2025, 20:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_22d63921487325e68fbc7bc66dee0b3e.exe
Size

1.0MB
MD5

22d63921487325e68fbc7bc66dee0b3e
SHA1

9993b7407a9f580162517260aae18ed38d23ba32
SHA256

e36e36593c9d0335592f93298208298f5bcce86bad692bcc7b11ceed9c4a0ff4
SHA512

05d9ebb3f29442bf290c6c08abf0f28944b7c7539acf82cbaeecc17ae7071525541d82f7b9a754fd9584ac95fdbc355973891f007efb75fcc1d9de1ccf0f68b7
SSDEEP

6144:E3l2pzovt4ZtIWn9pqtLRNl/ppIVUqdLeyluODMo4cc0:WQtpOLRZ6Vf53Mktc

Score

10^/10

blackshades defense_evasion discovery persistence rat upx

Malware Config

Signatures

Blackshades
Blackshades is a remote access trojan with various capabilities.
rat blackshades
Blackshades family
blackshades

Blackshades payload 6 IoCs

resource	yara_rule
behavioral1/memory/2644-42-0x0000000000400000-0x000000000045D000-memory.dmp	family_blackshades
behavioral1/memory/2644-59-0x0000000000400000-0x000000000045D000-memory.dmp	family_blackshades
behavioral1/memory/2644-61-0x0000000000400000-0x000000000045D000-memory.dmp	family_blackshades
behavioral1/memory/2644-63-0x0000000000400000-0x000000000045D000-memory.dmp	family_blackshades
behavioral1/memory/2644-66-0x0000000000400000-0x000000000045D000-memory.dmp	family_blackshades
behavioral1/memory/2644-68-0x0000000000400000-0x000000000045D000-memory.dmp	family_blackshades

Modifies firewall policy service 3 TTPs 8 IoCs

defense_evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\java\javaconsole.exe = "C:\\Users\\Admin\\AppData\\Roaming\\java\\javaconsole.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\Nvidia.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Nvidia.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe

Executes dropped EXE 3 IoCs

pid	Process
2668	javaconsole.exe
2644	javaconsole.exe
2784	javaconsole.exe

Loads dropped DLL 4 IoCs

pid	Process
2476	JaffaCakes118_22d63921487325e68fbc7bc66dee0b3e.exe
2476	JaffaCakes118_22d63921487325e68fbc7bc66dee0b3e.exe
2476	JaffaCakes118_22d63921487325e68fbc7bc66dee0b3e.exe
2476	JaffaCakes118_22d63921487325e68fbc7bc66dee0b3e.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\Java Oy = "C:\\Users\\Admin\\AppData\\Roaming\\java\\javaconsole.exe"	reg.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2668 set thread context of 2644	2668	javaconsole.exe	35
PID 2668 set thread context of 2784	2668	javaconsole.exe	36

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2644-36-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/2644-40-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/2644-42-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/2644-59-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/2644-61-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/2644-63-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/2644-66-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/2644-68-0x0000000000400000-0x000000000045D000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	javaconsole.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	javaconsole.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	javaconsole.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_22d63921487325e68fbc7bc66dee0b3e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
1716	reg.exe
300	reg.exe
1936	reg.exe
1216	reg.exe

Suspicious use of AdjustPrivilegeToken 36 IoCs

description	pid	Process
Token: 1	2644	javaconsole.exe
Token: SeCreateTokenPrivilege	2644	javaconsole.exe
Token: SeAssignPrimaryTokenPrivilege	2644	javaconsole.exe
Token: SeLockMemoryPrivilege	2644	javaconsole.exe
Token: SeIncreaseQuotaPrivilege	2644	javaconsole.exe
Token: SeMachineAccountPrivilege	2644	javaconsole.exe
Token: SeTcbPrivilege	2644	javaconsole.exe
Token: SeSecurityPrivilege	2644	javaconsole.exe
Token: SeTakeOwnershipPrivilege	2644	javaconsole.exe
Token: SeLoadDriverPrivilege	2644	javaconsole.exe
Token: SeSystemProfilePrivilege	2644	javaconsole.exe
Token: SeSystemtimePrivilege	2644	javaconsole.exe
Token: SeProfSingleProcessPrivilege	2644	javaconsole.exe
Token: SeIncBasePriorityPrivilege	2644	javaconsole.exe
Token: SeCreatePagefilePrivilege	2644	javaconsole.exe
Token: SeCreatePermanentPrivilege	2644	javaconsole.exe
Token: SeBackupPrivilege	2644	javaconsole.exe
Token: SeRestorePrivilege	2644	javaconsole.exe
Token: SeShutdownPrivilege	2644	javaconsole.exe
Token: SeDebugPrivilege	2644	javaconsole.exe
Token: SeAuditPrivilege	2644	javaconsole.exe
Token: SeSystemEnvironmentPrivilege	2644	javaconsole.exe
Token: SeChangeNotifyPrivilege	2644	javaconsole.exe
Token: SeRemoteShutdownPrivilege	2644	javaconsole.exe
Token: SeUndockPrivilege	2644	javaconsole.exe
Token: SeSyncAgentPrivilege	2644	javaconsole.exe
Token: SeEnableDelegationPrivilege	2644	javaconsole.exe
Token: SeManageVolumePrivilege	2644	javaconsole.exe
Token: SeImpersonatePrivilege	2644	javaconsole.exe
Token: SeCreateGlobalPrivilege	2644	javaconsole.exe
Token: 31	2644	javaconsole.exe
Token: 32	2644	javaconsole.exe
Token: 33	2644	javaconsole.exe
Token: 34	2644	javaconsole.exe
Token: 35	2644	javaconsole.exe
Token: SeDebugPrivilege	2784	javaconsole.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2476	JaffaCakes118_22d63921487325e68fbc7bc66dee0b3e.exe
2668	javaconsole.exe
2644	javaconsole.exe
2644	javaconsole.exe
2784	javaconsole.exe
2644	javaconsole.exe

Suspicious use of WriteProcessMemory 61 IoCs

description	pid	Process	procid_target
PID 2476 wrote to memory of 2800	2476	JaffaCakes118_22d63921487325e68fbc7bc66dee0b3e.exe	31
PID 2476 wrote to memory of 2800	2476	JaffaCakes118_22d63921487325e68fbc7bc66dee0b3e.exe	31
PID 2476 wrote to memory of 2800	2476	JaffaCakes118_22d63921487325e68fbc7bc66dee0b3e.exe	31
PID 2476 wrote to memory of 2800	2476	JaffaCakes118_22d63921487325e68fbc7bc66dee0b3e.exe	31
PID 2800 wrote to memory of 2628	2800	cmd.exe	33
PID 2800 wrote to memory of 2628	2800	cmd.exe	33
PID 2800 wrote to memory of 2628	2800	cmd.exe	33
PID 2800 wrote to memory of 2628	2800	cmd.exe	33
PID 2476 wrote to memory of 2668	2476	JaffaCakes118_22d63921487325e68fbc7bc66dee0b3e.exe	34
PID 2476 wrote to memory of 2668	2476	JaffaCakes118_22d63921487325e68fbc7bc66dee0b3e.exe	34
PID 2476 wrote to memory of 2668	2476	JaffaCakes118_22d63921487325e68fbc7bc66dee0b3e.exe	34
PID 2476 wrote to memory of 2668	2476	JaffaCakes118_22d63921487325e68fbc7bc66dee0b3e.exe	34
PID 2668 wrote to memory of 2644	2668	javaconsole.exe	35
PID 2668 wrote to memory of 2644	2668	javaconsole.exe	35
PID 2668 wrote to memory of 2644	2668	javaconsole.exe	35
PID 2668 wrote to memory of 2644	2668	javaconsole.exe	35
PID 2668 wrote to memory of 2644	2668	javaconsole.exe	35
PID 2668 wrote to memory of 2644	2668	javaconsole.exe	35
PID 2668 wrote to memory of 2644	2668	javaconsole.exe	35
PID 2668 wrote to memory of 2644	2668	javaconsole.exe	35
PID 2668 wrote to memory of 2644	2668	javaconsole.exe	35
PID 2668 wrote to memory of 2784	2668	javaconsole.exe	36
PID 2668 wrote to memory of 2784	2668	javaconsole.exe	36
PID 2668 wrote to memory of 2784	2668	javaconsole.exe	36
PID 2668 wrote to memory of 2784	2668	javaconsole.exe	36
PID 2668 wrote to memory of 2784	2668	javaconsole.exe	36
PID 2668 wrote to memory of 2784	2668	javaconsole.exe	36
PID 2668 wrote to memory of 2784	2668	javaconsole.exe	36
PID 2668 wrote to memory of 2784	2668	javaconsole.exe	36
PID 2644 wrote to memory of 2748	2644	javaconsole.exe	37
PID 2644 wrote to memory of 2748	2644	javaconsole.exe	37
PID 2644 wrote to memory of 2748	2644	javaconsole.exe	37
PID 2644 wrote to memory of 2748	2644	javaconsole.exe	37
PID 2644 wrote to memory of 2516	2644	javaconsole.exe	38
PID 2644 wrote to memory of 2516	2644	javaconsole.exe	38
PID 2644 wrote to memory of 2516	2644	javaconsole.exe	38
PID 2644 wrote to memory of 2516	2644	javaconsole.exe	38
PID 2644 wrote to memory of 2512	2644	javaconsole.exe	39
PID 2644 wrote to memory of 2512	2644	javaconsole.exe	39
PID 2644 wrote to memory of 2512	2644	javaconsole.exe	39
PID 2644 wrote to memory of 2512	2644	javaconsole.exe	39
PID 2644 wrote to memory of 2532	2644	javaconsole.exe	40
PID 2644 wrote to memory of 2532	2644	javaconsole.exe	40
PID 2644 wrote to memory of 2532	2644	javaconsole.exe	40
PID 2644 wrote to memory of 2532	2644	javaconsole.exe	40
PID 2516 wrote to memory of 1216	2516	cmd.exe	44
PID 2516 wrote to memory of 1216	2516	cmd.exe	44
PID 2516 wrote to memory of 1216	2516	cmd.exe	44
PID 2516 wrote to memory of 1216	2516	cmd.exe	44
PID 2512 wrote to memory of 300	2512	cmd.exe	45
PID 2512 wrote to memory of 300	2512	cmd.exe	45
PID 2512 wrote to memory of 300	2512	cmd.exe	45
PID 2512 wrote to memory of 300	2512	cmd.exe	45
PID 2748 wrote to memory of 1716	2748	cmd.exe	47
PID 2748 wrote to memory of 1716	2748	cmd.exe	47
PID 2748 wrote to memory of 1716	2748	cmd.exe	47
PID 2748 wrote to memory of 1716	2748	cmd.exe	47
PID 2532 wrote to memory of 1936	2532	cmd.exe	48
PID 2532 wrote to memory of 1936	2532	cmd.exe	48
PID 2532 wrote to memory of 1936	2532	cmd.exe	48
PID 2532 wrote to memory of 1936	2532	cmd.exe	48

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_22d63921487325e68fbc7bc66dee0b3e.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_22d63921487325e68fbc7bc66dee0b3e.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2476
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\259451409.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2800
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Java Oy" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\java\javaconsole.exe" /f
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:2628
- C:\Users\Admin\AppData\Roaming\java\javaconsole.exe
  "C:\Users\Admin\AppData\Roaming\java\javaconsole.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2668
- - C:\Users\Admin\AppData\Roaming\java\javaconsole.exe
    "C:\Users\Admin\AppData\Roaming\java\javaconsole.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2644
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2748
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        5⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1716
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\java\javaconsole.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\java\javaconsole.exe:*:Enabled:Windows Messanger" /f
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2516
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\java\javaconsole.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\java\javaconsole.exe:*:Enabled:Windows Messanger" /f
        5⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1216
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2512
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        5⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:300
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Nvidia.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Nvidia.exe:*:Enabled:Windows Messanger" /f
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2532
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Nvidia.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Nvidia.exe:*:Enabled:Windows Messanger" /f
        5⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1936
- - C:\Users\Admin\AppData\Roaming\java\javaconsole.exe
    "C:\Users\Admin\AppData\Roaming\java\javaconsole.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\259451409.bat

Filesize
143B

MD5
1deef04b0d0abe2d75154cc508a85e9c

SHA1
067668cc9de86f0a73290c1783662c5530349f7e

SHA256
2dccd725bc2d38c740fd28b627d0fb1fe3efa798ce445e80fa44c3ce0607620e

SHA512
c3466c7c6a10255a20c7e2d4e95dd6c607bed1279a3609495cde25fae210d16ef9f8f404ace7b475a0e4ae14adef3a440c551f79cbf1ccd3c56445415ec8a3c3

Download Submit
\Users\Admin\AppData\Roaming\java\javaconsole.exe

Filesize
1.0MB

MD5
1d958c0ffc01bf257990ddc2f7f2a9fc

SHA1
f4b1984adaae3cdbf32c0117502079b8250831f8

SHA256
a7538a08f53b8322cff4aa26a04021ab4160baff3b960ce3e274cb4ccb481375

SHA512
5e44e9468becd88e9e37d0a97f81e46ba2fe999dcca331129e09b24bc80b10b633cbb4ca0207556020d90589bd8d1666bf2374035791fe778489bcbca1059798

Download Submit
memory/2644-59-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2644-36-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2644-40-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2644-42-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2644-68-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2644-66-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2644-63-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2644-61-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2784-43-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/2784-60-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/2784-49-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/2784-50-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/2784-54-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/2784-52-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads