blackshades | 6ea32525bdd7fb538e97a9ec22b4e7e8c4f3d062d04ec64224f19fef3f6b76f4

Analysis

max time kernel
148s
max time network
146s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
05/03/2025, 10:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_51ac72aa5af11079f2c2ca22d0bf036e.exe
Size

2.7MB
MD5

51ac72aa5af11079f2c2ca22d0bf036e
SHA1

babda013a93e16274212ff57c1eef55856594eeb
SHA256

6ea32525bdd7fb538e97a9ec22b4e7e8c4f3d062d04ec64224f19fef3f6b76f4
SHA512

472aee0848f843784375c578a5afc6d3887099ef6e1841fe9bc24923032ec0fabce7ca0a51fac8ffc4f77393c44ec40dcc947ac5d6aa9ef2b334b7cc5e232e5f
SSDEEP

24576:7X1b1wQfjhVGQzqy7fzyW15DjezqzBxxzyVFwYF69Vi4KtftNdmQgfLaO3TE6L6f:Hn8W66KpHQoRDwNQDxn

Score

10^/10

blackshades defense_evasion discovery rat

Malware Config

Signatures

Blackshades
Blackshades is a remote access trojan with various capabilities.
rat blackshades
Blackshades family
blackshades

Blackshades payload 4 IoCs

resource	yara_rule
behavioral1/memory/2108-37-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/2108-55-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/2108-33-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/2108-300-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades

Modifies firewall policy service 3 TTPs 8 IoCs

defense_evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\uncrypted.exe = "C:\\Users\\Admin\\AppData\\Roaming\\uncrypted.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\uncrypted.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\uncrypted.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe

Executes dropped EXE 4 IoCs

pid	Process
2596	uncrypted.exe
2548	setup (2).exe
2108	WinSec.exe
2812	setup (2).tmp

Loads dropped DLL 9 IoCs

pid	Process
2604	JaffaCakes118_51ac72aa5af11079f2c2ca22d0bf036e.exe
2604	JaffaCakes118_51ac72aa5af11079f2c2ca22d0bf036e.exe
2596	uncrypted.exe
2604	JaffaCakes118_51ac72aa5af11079f2c2ca22d0bf036e.exe
2548	setup (2).exe
2812	setup (2).tmp
2812	setup (2).tmp
2812	setup (2).tmp
2812	setup (2).tmp

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2596 set thread context of 2108	2596	uncrypted.exe	31

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup (2).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinSec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup (2).tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uncrypted.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_51ac72aa5af11079f2c2ca22d0bf036e.exe

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
676	reg.exe
1732	reg.exe
1720	reg.exe
2340	reg.exe

Suspicious use of AdjustPrivilegeToken 36 IoCs

description	pid	Process
Token: 1	2108	WinSec.exe
Token: SeCreateTokenPrivilege	2108	WinSec.exe
Token: SeAssignPrimaryTokenPrivilege	2108	WinSec.exe
Token: SeLockMemoryPrivilege	2108	WinSec.exe
Token: SeIncreaseQuotaPrivilege	2108	WinSec.exe
Token: SeMachineAccountPrivilege	2108	WinSec.exe
Token: SeTcbPrivilege	2108	WinSec.exe
Token: SeSecurityPrivilege	2108	WinSec.exe
Token: SeTakeOwnershipPrivilege	2108	WinSec.exe
Token: SeLoadDriverPrivilege	2108	WinSec.exe
Token: SeSystemProfilePrivilege	2108	WinSec.exe
Token: SeSystemtimePrivilege	2108	WinSec.exe
Token: SeProfSingleProcessPrivilege	2108	WinSec.exe
Token: SeIncBasePriorityPrivilege	2108	WinSec.exe
Token: SeCreatePagefilePrivilege	2108	WinSec.exe
Token: SeCreatePermanentPrivilege	2108	WinSec.exe
Token: SeBackupPrivilege	2108	WinSec.exe
Token: SeRestorePrivilege	2108	WinSec.exe
Token: SeShutdownPrivilege	2108	WinSec.exe
Token: SeDebugPrivilege	2108	WinSec.exe
Token: SeAuditPrivilege	2108	WinSec.exe
Token: SeSystemEnvironmentPrivilege	2108	WinSec.exe
Token: SeChangeNotifyPrivilege	2108	WinSec.exe
Token: SeRemoteShutdownPrivilege	2108	WinSec.exe
Token: SeUndockPrivilege	2108	WinSec.exe
Token: SeSyncAgentPrivilege	2108	WinSec.exe
Token: SeEnableDelegationPrivilege	2108	WinSec.exe
Token: SeManageVolumePrivilege	2108	WinSec.exe
Token: SeImpersonatePrivilege	2108	WinSec.exe
Token: SeCreateGlobalPrivilege	2108	WinSec.exe
Token: 31	2108	WinSec.exe
Token: 32	2108	WinSec.exe
Token: 33	2108	WinSec.exe
Token: 34	2108	WinSec.exe
Token: 35	2108	WinSec.exe
Token: SeDebugPrivilege	2108	WinSec.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2108	WinSec.exe
2108	WinSec.exe
2812	setup (2).tmp
2108	WinSec.exe

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 2604 wrote to memory of 2596	2604	JaffaCakes118_51ac72aa5af11079f2c2ca22d0bf036e.exe	30
PID 2604 wrote to memory of 2596	2604	JaffaCakes118_51ac72aa5af11079f2c2ca22d0bf036e.exe	30
PID 2604 wrote to memory of 2596	2604	JaffaCakes118_51ac72aa5af11079f2c2ca22d0bf036e.exe	30
PID 2604 wrote to memory of 2596	2604	JaffaCakes118_51ac72aa5af11079f2c2ca22d0bf036e.exe	30
PID 2604 wrote to memory of 2548	2604	JaffaCakes118_51ac72aa5af11079f2c2ca22d0bf036e.exe	32
PID 2604 wrote to memory of 2548	2604	JaffaCakes118_51ac72aa5af11079f2c2ca22d0bf036e.exe	32
PID 2604 wrote to memory of 2548	2604	JaffaCakes118_51ac72aa5af11079f2c2ca22d0bf036e.exe	32
PID 2604 wrote to memory of 2548	2604	JaffaCakes118_51ac72aa5af11079f2c2ca22d0bf036e.exe	32
PID 2604 wrote to memory of 2548	2604	JaffaCakes118_51ac72aa5af11079f2c2ca22d0bf036e.exe	32
PID 2604 wrote to memory of 2548	2604	JaffaCakes118_51ac72aa5af11079f2c2ca22d0bf036e.exe	32
PID 2604 wrote to memory of 2548	2604	JaffaCakes118_51ac72aa5af11079f2c2ca22d0bf036e.exe	32
PID 2596 wrote to memory of 2108	2596	uncrypted.exe	31
PID 2596 wrote to memory of 2108	2596	uncrypted.exe	31
PID 2596 wrote to memory of 2108	2596	uncrypted.exe	31
PID 2596 wrote to memory of 2108	2596	uncrypted.exe	31
PID 2596 wrote to memory of 2108	2596	uncrypted.exe	31
PID 2596 wrote to memory of 2108	2596	uncrypted.exe	31
PID 2596 wrote to memory of 2108	2596	uncrypted.exe	31
PID 2596 wrote to memory of 2108	2596	uncrypted.exe	31
PID 2596 wrote to memory of 2108	2596	uncrypted.exe	31
PID 2596 wrote to memory of 2108	2596	uncrypted.exe	31
PID 2548 wrote to memory of 2812	2548	setup (2).exe	33
PID 2548 wrote to memory of 2812	2548	setup (2).exe	33
PID 2548 wrote to memory of 2812	2548	setup (2).exe	33
PID 2548 wrote to memory of 2812	2548	setup (2).exe	33
PID 2548 wrote to memory of 2812	2548	setup (2).exe	33
PID 2548 wrote to memory of 2812	2548	setup (2).exe	33
PID 2548 wrote to memory of 2812	2548	setup (2).exe	33
PID 2108 wrote to memory of 1356	2108	WinSec.exe	34
PID 2108 wrote to memory of 1356	2108	WinSec.exe	34
PID 2108 wrote to memory of 1356	2108	WinSec.exe	34
PID 2108 wrote to memory of 1356	2108	WinSec.exe	34
PID 2108 wrote to memory of 2708	2108	WinSec.exe	35
PID 2108 wrote to memory of 2708	2108	WinSec.exe	35
PID 2108 wrote to memory of 2708	2108	WinSec.exe	35
PID 2108 wrote to memory of 2708	2108	WinSec.exe	35
PID 2108 wrote to memory of 2704	2108	WinSec.exe	36
PID 2108 wrote to memory of 2704	2108	WinSec.exe	36
PID 2108 wrote to memory of 2704	2108	WinSec.exe	36
PID 2108 wrote to memory of 2704	2108	WinSec.exe	36
PID 2108 wrote to memory of 2816	2108	WinSec.exe	37
PID 2108 wrote to memory of 2816	2108	WinSec.exe	37
PID 2108 wrote to memory of 2816	2108	WinSec.exe	37
PID 2108 wrote to memory of 2816	2108	WinSec.exe	37
PID 2704 wrote to memory of 2340	2704	cmd.exe	42
PID 2704 wrote to memory of 2340	2704	cmd.exe	42
PID 2704 wrote to memory of 2340	2704	cmd.exe	42
PID 2704 wrote to memory of 2340	2704	cmd.exe	42
PID 2816 wrote to memory of 1720	2816	cmd.exe	43
PID 2816 wrote to memory of 1720	2816	cmd.exe	43
PID 2816 wrote to memory of 1720	2816	cmd.exe	43
PID 2816 wrote to memory of 1720	2816	cmd.exe	43
PID 1356 wrote to memory of 1732	1356	cmd.exe	44
PID 1356 wrote to memory of 1732	1356	cmd.exe	44
PID 1356 wrote to memory of 1732	1356	cmd.exe	44
PID 1356 wrote to memory of 1732	1356	cmd.exe	44
PID 2708 wrote to memory of 676	2708	cmd.exe	45
PID 2708 wrote to memory of 676	2708	cmd.exe	45
PID 2708 wrote to memory of 676	2708	cmd.exe	45
PID 2708 wrote to memory of 676	2708	cmd.exe	45

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_51ac72aa5af11079f2c2ca22d0bf036e.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_51ac72aa5af11079f2c2ca22d0bf036e.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2604
- C:\Users\Admin\AppData\Local\Temp\uncrypted.exe
  "C:\Users\Admin\AppData\Local\Temp\uncrypted.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2596
- - C:\Users\Admin\AppData\Roaming\WinSec.exe
    C:\Users\Admin\AppData\Roaming\WinSec.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2108
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1356
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        5⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1732
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\uncrypted.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\uncrypted.exe:*:Enabled:Windows Messanger" /f
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2708
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\uncrypted.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\uncrypted.exe:*:Enabled:Windows Messanger" /f
        5⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:676
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2704
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        5⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2340
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\uncrypted.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\uncrypted.exe:*:Enabled:Windows Messanger" /f
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2816
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\uncrypted.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\uncrypted.exe:*:Enabled:Windows Messanger" /f
        5⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1720
- C:\Users\Admin\AppData\Local\Temp\setup (2).exe
  "C:\Users\Admin\AppData\Local\Temp\setup (2).exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2548
- - C:\Users\Admin\AppData\Local\Temp\is-URSGV.tmp\setup (2).tmp
    "C:\Users\Admin\AppData\Local\Temp\is-URSGV.tmp\setup (2).tmp" /SL5="$6015E,402752,54272,C:\Users\Admin\AppData\Local\Temp\setup (2).exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\uncrypted.exe

Filesize
544KB

MD5
05a388d845a9457b468e6eef880b0696

SHA1
9f5c19ba4b2ae0a4302efd0e5cc289cef8ebacc5

SHA256
304165716e3060cf31c91504432ab191604890e3c487a568a21d15eaae231a14

SHA512
7f5102543c5dbb296224b304eb2a3ef0c150171429e38780b092480a1fed0a2d541684a0f0453d5aa393221261695795e53d5f779c7ce1721cafb5fb85a89250

Download Submit
\Users\Admin\AppData\Local\Temp\is-DAGSJ.tmp\Office2007.cjstyles

Filesize
529KB

MD5
663ce82c52435d68e20910f6a7252725

SHA1
ef6719db6ec6209dd832d0a336ddccef87343a4d

SHA256
b097cc6db98c456381b1c2f5e4827dde3480c2f0e9561cae81d33d5efd8104ed

SHA512
86be243024e0c055d13516c8568090f3fc5347fd0d6764be8c64f08c753c1f3cc4db00af5c2746e97c74e2f01292b5bcc855a2b94b8cb95cacfd53dd66b28fa0

Download Submit
\Users\Admin\AppData\Local\Temp\is-DAGSJ.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-DAGSJ.tmp\isskin.dll

Filesize
363KB

MD5
b31ad1bacfd7c51f35e052b8c7047d44

SHA1
ba58ae4a4a28cd2a4c2a7b85d260e105fa6e79de

SHA256
117ae53cf3e8bc95e6297a15d8365efd792da04df90744d4e244bbf72075ccc3

SHA512
2a4c0d3f7065a9272bd70e8fd121e80d9c4e3d9089285841b245790f4789704c27cb88333ddbf3bbecbc26af926b7ffd7a722352c7f418c84a9087cb1a748368

Download Submit
\Users\Admin\AppData\Local\Temp\is-URSGV.tmp\setup (2).tmp

Filesize
688KB

MD5
c765336f0dcf4efdcc2101eed67cd30c

SHA1
fa0279f59738c5aa3b6b20106e109ccd77f895a7

SHA256
c5177fdc6031728e10141745cd69edbc91c92d14411a2dec6e8e8caa4f74ab28

SHA512
06a67ac37c20897967e2cad453793a6ef1c7804d4c578404f845daa88c859b15b0acb51642e6ad23ca6ba6549b02d5f6c98b1fa402004bdbf9d646abab7ec891

Download Submit
\Users\Admin\AppData\Local\Temp\setup (2).exe

Filesize
643KB

MD5
2c3e4950bf80b2098dce2f57b81a6611

SHA1
bc665b0584dad1e9187d52ecc35449c299e36888

SHA256
46ca5acf36f5864c677c9ccbbdffa44f3451974283e8d645834c55f4e64b4486

SHA512
d904563c9b612d1d7c655398fac5766addde83212d6df18889f28f2864d30ad20758877418fa662f1b44eeacbbba61d379690a26e596652def911cf94d50d7fc

Download Submit
\Users\Admin\AppData\Roaming\WinSec.exe

Filesize
31KB

MD5
ed797d8dc2c92401985d162e42ffa450

SHA1
0f02fc517c7facc4baefde4fe9467fb6488ebabe

SHA256
b746362010a101cb5931bc066f0f4d3fc740c02a68c1f37fc3c8e6c87fd7cb1e

SHA512
e831a6ff987f3ef29982da16afad06938b68eddd43c234ba88d1c96a1b5547f2284baf35cbb3a5bfd75e7f0445d14daa014e0ba00b4db72c67f83f0a314c80c2

Download Submit
memory/2108-35-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2108-31-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2108-37-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2108-55-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2108-29-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2108-43-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2108-33-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2108-300-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2548-39-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2596-70-0x0000000074330000-0x00000000748DB000-memory.dmp

Filesize
5.7MB

Download
memory/2596-20-0x0000000074330000-0x00000000748DB000-memory.dmp

Filesize
5.7MB

Download
memory/2596-17-0x0000000074330000-0x00000000748DB000-memory.dmp

Filesize
5.7MB

Download
memory/2596-21-0x0000000074330000-0x00000000748DB000-memory.dmp

Filesize
5.7MB

Download
memory/2604-2-0x0000000074330000-0x00000000748DB000-memory.dmp

Filesize
5.7MB

Download
memory/2604-1-0x0000000074330000-0x00000000748DB000-memory.dmp

Filesize
5.7MB

Download
memory/2604-0-0x0000000074331000-0x0000000074332000-memory.dmp

Filesize
4KB

Download
memory/2604-56-0x0000000074330000-0x00000000748DB000-memory.dmp

Filesize
5.7MB

Download
memory/2812-118-0x00000000724B0000-0x00000000724E2000-memory.dmp

Filesize
200KB

Download
memory/2812-88-0x00000000727C0000-0x000000007295E000-memory.dmp

Filesize
1.6MB

Download
memory/2812-121-0x0000000075340000-0x00000000753E0000-memory.dmp

Filesize
640KB

Download
memory/2812-117-0x00000000724F0000-0x000000007257C000-memory.dmp

Filesize
560KB

Download
memory/2812-114-0x0000000076910000-0x0000000076967000-memory.dmp

Filesize
348KB

Download
memory/2812-111-0x0000000072760000-0x0000000072772000-memory.dmp

Filesize
72KB

Download
memory/2812-107-0x00000000724F0000-0x000000007257C000-memory.dmp

Filesize
560KB

Download
memory/2812-124-0x0000000074AE0000-0x0000000074AE9000-memory.dmp

Filesize
36KB

Download
memory/2812-123-0x0000000072760000-0x0000000072772000-memory.dmp

Filesize
72KB

Download
memory/2812-122-0x0000000074F90000-0x000000007501F000-memory.dmp

Filesize
572KB

Download
memory/2812-120-0x0000000075540000-0x00000000755DD000-memory.dmp

Filesize
628KB

Download
memory/2812-119-0x0000000010000000-0x000000001005B000-memory.dmp

Filesize
364KB

Download
memory/2812-98-0x0000000075340000-0x00000000753E0000-memory.dmp

Filesize
640KB

Download
memory/2812-116-0x0000000076CE0000-0x0000000076D63000-memory.dmp

Filesize
524KB

Download
memory/2812-113-0x00000000727C0000-0x000000007295E000-memory.dmp

Filesize
1.6MB

Download
memory/2812-112-0x0000000074AE0000-0x0000000074AE9000-memory.dmp

Filesize
36KB

Download
memory/2812-110-0x0000000075340000-0x00000000753E0000-memory.dmp

Filesize
640KB

Download
memory/2812-109-0x0000000010000000-0x000000001005B000-memory.dmp

Filesize
364KB

Download
memory/2812-108-0x00000000724B0000-0x00000000724E2000-memory.dmp

Filesize
200KB

Download
memory/2812-106-0x0000000076CE0000-0x0000000076D63000-memory.dmp

Filesize
524KB

Download
memory/2812-105-0x00000000748F0000-0x0000000074903000-memory.dmp

Filesize
76KB

Download
memory/2812-103-0x0000000076D70000-0x0000000076DEB000-memory.dmp

Filesize
492KB

Download
memory/2812-101-0x00000000727C0000-0x000000007295E000-memory.dmp

Filesize
1.6MB

Download
memory/2812-100-0x0000000072760000-0x0000000072772000-memory.dmp

Filesize
72KB

Download
memory/2812-90-0x0000000075A50000-0x000000007669A000-memory.dmp

Filesize
12.3MB

Download
memory/2812-126-0x0000000076910000-0x0000000076967000-memory.dmp

Filesize
348KB

Download
memory/2812-102-0x0000000076910000-0x0000000076967000-memory.dmp

Filesize
348KB

Download
memory/2812-99-0x0000000074F90000-0x000000007501F000-memory.dmp

Filesize
572KB

Download
memory/2812-97-0x0000000075540000-0x00000000755DD000-memory.dmp

Filesize
628KB

Download
memory/2812-96-0x0000000010000000-0x000000001005B000-memory.dmp

Filesize
364KB

Download
memory/2812-95-0x00000000724B0000-0x00000000724E2000-memory.dmp

Filesize
200KB

Download
memory/2812-94-0x0000000076CE0000-0x0000000076D63000-memory.dmp

Filesize
524KB

Download
memory/2812-91-0x0000000076D70000-0x0000000076DEB000-memory.dmp

Filesize
492KB

Download
memory/2812-89-0x0000000076910000-0x0000000076967000-memory.dmp

Filesize
348KB

Download
memory/2812-83-0x0000000010000000-0x000000001005B000-memory.dmp

Filesize
364KB

Download
memory/2812-82-0x00000000724B0000-0x00000000724E2000-memory.dmp

Filesize
200KB

Download
memory/2812-81-0x0000000075820000-0x000000007584A000-memory.dmp

Filesize
168KB

Download
memory/2812-79-0x00000000725A0000-0x00000000726BC000-memory.dmp

Filesize
1.1MB

Download
memory/2812-87-0x0000000074AE0000-0x0000000074AE9000-memory.dmp

Filesize
36KB

Download
memory/2812-86-0x00000000753E0000-0x000000007553C000-memory.dmp

Filesize
1.4MB

Download
memory/2812-78-0x0000000075A50000-0x000000007669A000-memory.dmp

Filesize
12.3MB

Download
memory/2812-80-0x00000000724F0000-0x000000007257C000-memory.dmp

Filesize
560KB

Download
memory/2812-84-0x0000000075340000-0x00000000753E0000-memory.dmp

Filesize
640KB

Download
memory/2812-85-0x0000000074F90000-0x000000007501F000-memory.dmp

Filesize
572KB

Download
memory/2812-76-0x00000000753E0000-0x000000007553C000-memory.dmp

Filesize
1.4MB

Download
memory/2812-77-0x0000000076910000-0x0000000076967000-memory.dmp

Filesize
348KB

Download
memory/2812-75-0x0000000074F90000-0x000000007501F000-memory.dmp

Filesize
572KB

Download
memory/2812-73-0x0000000075540000-0x00000000755DD000-memory.dmp

Filesize
628KB

Download
memory/2812-74-0x0000000075340000-0x00000000753E0000-memory.dmp

Filesize
640KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads