blackshades | 6ea32525bdd7fb538e97a9ec22b4e7e8c4f3d062d04ec64224f19fef3f6b76f4

Analysis

max time kernel
148s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
05/03/2025, 10:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_51ac72aa5af11079f2c2ca22d0bf036e.exe
Size

2.7MB
MD5

51ac72aa5af11079f2c2ca22d0bf036e
SHA1

babda013a93e16274212ff57c1eef55856594eeb
SHA256

6ea32525bdd7fb538e97a9ec22b4e7e8c4f3d062d04ec64224f19fef3f6b76f4
SHA512

472aee0848f843784375c578a5afc6d3887099ef6e1841fe9bc24923032ec0fabce7ca0a51fac8ffc4f77393c44ec40dcc947ac5d6aa9ef2b334b7cc5e232e5f
SSDEEP

24576:7X1b1wQfjhVGQzqy7fzyW15DjezqzBxxzyVFwYF69Vi4KtftNdmQgfLaO3TE6L6f:Hn8W66KpHQoRDwNQDxn

Score

10^/10

blackshades defense_evasion discovery rat

Malware Config

Signatures

Blackshades
Blackshades is a remote access trojan with various capabilities.
rat blackshades
Blackshades family
blackshades

Blackshades payload 3 IoCs

resource	yara_rule
behavioral2/memory/4120-43-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/4120-39-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral2/memory/4120-209-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades

Modifies firewall policy service 3 TTPs 10 IoCs

defense_evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\uncrypted.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\uncrypted.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\uncrypted.exe = "C:\\Users\\Admin\\AppData\\Roaming\\uncrypted.exe:*:Enabled:Windows Messanger"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Control Panel\International\Geo\Nation	JaffaCakes118_51ac72aa5af11079f2c2ca22d0bf036e.exe

Executes dropped EXE 4 IoCs

pid	Process
392	uncrypted.exe
1928	setup (2).exe
4120	WinSec.exe
116	setup (2).tmp

Loads dropped DLL 3 IoCs

pid	Process
116	setup (2).tmp
116	setup (2).tmp
116	setup (2).tmp

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 392 set thread context of 4120	392	uncrypted.exe	89

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_51ac72aa5af11079f2c2ca22d0bf036e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uncrypted.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup (2).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup (2).tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinSec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
2124	reg.exe
232	reg.exe
4032	reg.exe
4484	reg.exe

Suspicious use of AdjustPrivilegeToken 36 IoCs

description	pid	Process
Token: 1	4120	WinSec.exe
Token: SeCreateTokenPrivilege	4120	WinSec.exe
Token: SeAssignPrimaryTokenPrivilege	4120	WinSec.exe
Token: SeLockMemoryPrivilege	4120	WinSec.exe
Token: SeIncreaseQuotaPrivilege	4120	WinSec.exe
Token: SeMachineAccountPrivilege	4120	WinSec.exe
Token: SeTcbPrivilege	4120	WinSec.exe
Token: SeSecurityPrivilege	4120	WinSec.exe
Token: SeTakeOwnershipPrivilege	4120	WinSec.exe
Token: SeLoadDriverPrivilege	4120	WinSec.exe
Token: SeSystemProfilePrivilege	4120	WinSec.exe
Token: SeSystemtimePrivilege	4120	WinSec.exe
Token: SeProfSingleProcessPrivilege	4120	WinSec.exe
Token: SeIncBasePriorityPrivilege	4120	WinSec.exe
Token: SeCreatePagefilePrivilege	4120	WinSec.exe
Token: SeCreatePermanentPrivilege	4120	WinSec.exe
Token: SeBackupPrivilege	4120	WinSec.exe
Token: SeRestorePrivilege	4120	WinSec.exe
Token: SeShutdownPrivilege	4120	WinSec.exe
Token: SeDebugPrivilege	4120	WinSec.exe
Token: SeAuditPrivilege	4120	WinSec.exe
Token: SeSystemEnvironmentPrivilege	4120	WinSec.exe
Token: SeChangeNotifyPrivilege	4120	WinSec.exe
Token: SeRemoteShutdownPrivilege	4120	WinSec.exe
Token: SeUndockPrivilege	4120	WinSec.exe
Token: SeSyncAgentPrivilege	4120	WinSec.exe
Token: SeEnableDelegationPrivilege	4120	WinSec.exe
Token: SeManageVolumePrivilege	4120	WinSec.exe
Token: SeImpersonatePrivilege	4120	WinSec.exe
Token: SeCreateGlobalPrivilege	4120	WinSec.exe
Token: 31	4120	WinSec.exe
Token: 32	4120	WinSec.exe
Token: 33	4120	WinSec.exe
Token: 34	4120	WinSec.exe
Token: 35	4120	WinSec.exe
Token: SeDebugPrivilege	4120	WinSec.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4120	WinSec.exe
4120	WinSec.exe
4120	WinSec.exe
116	setup (2).tmp

Suspicious use of WriteProcessMemory 43 IoCs

description	pid	Process	procid_target
PID 4244 wrote to memory of 392	4244	JaffaCakes118_51ac72aa5af11079f2c2ca22d0bf036e.exe	87
PID 4244 wrote to memory of 392	4244	JaffaCakes118_51ac72aa5af11079f2c2ca22d0bf036e.exe	87
PID 4244 wrote to memory of 392	4244	JaffaCakes118_51ac72aa5af11079f2c2ca22d0bf036e.exe	87
PID 4244 wrote to memory of 1928	4244	JaffaCakes118_51ac72aa5af11079f2c2ca22d0bf036e.exe	88
PID 4244 wrote to memory of 1928	4244	JaffaCakes118_51ac72aa5af11079f2c2ca22d0bf036e.exe	88
PID 4244 wrote to memory of 1928	4244	JaffaCakes118_51ac72aa5af11079f2c2ca22d0bf036e.exe	88
PID 392 wrote to memory of 4120	392	uncrypted.exe	89
PID 392 wrote to memory of 4120	392	uncrypted.exe	89
PID 392 wrote to memory of 4120	392	uncrypted.exe	89
PID 392 wrote to memory of 4120	392	uncrypted.exe	89
PID 392 wrote to memory of 4120	392	uncrypted.exe	89
PID 392 wrote to memory of 4120	392	uncrypted.exe	89
PID 392 wrote to memory of 4120	392	uncrypted.exe	89
PID 392 wrote to memory of 4120	392	uncrypted.exe	89
PID 392 wrote to memory of 4120	392	uncrypted.exe	89
PID 392 wrote to memory of 4120	392	uncrypted.exe	89
PID 1928 wrote to memory of 116	1928	setup (2).exe	90
PID 1928 wrote to memory of 116	1928	setup (2).exe	90
PID 1928 wrote to memory of 116	1928	setup (2).exe	90
PID 4120 wrote to memory of 4516	4120	WinSec.exe	91
PID 4120 wrote to memory of 4516	4120	WinSec.exe	91
PID 4120 wrote to memory of 4516	4120	WinSec.exe	91
PID 4120 wrote to memory of 112	4120	WinSec.exe	92
PID 4120 wrote to memory of 112	4120	WinSec.exe	92
PID 4120 wrote to memory of 112	4120	WinSec.exe	92
PID 4120 wrote to memory of 744	4120	WinSec.exe	93
PID 4120 wrote to memory of 744	4120	WinSec.exe	93
PID 4120 wrote to memory of 744	4120	WinSec.exe	93
PID 4120 wrote to memory of 3528	4120	WinSec.exe	94
PID 4120 wrote to memory of 3528	4120	WinSec.exe	94
PID 4120 wrote to memory of 3528	4120	WinSec.exe	94
PID 744 wrote to memory of 4484	744	cmd.exe	99
PID 744 wrote to memory of 4484	744	cmd.exe	99
PID 744 wrote to memory of 4484	744	cmd.exe	99
PID 3528 wrote to memory of 4032	3528	cmd.exe	100
PID 3528 wrote to memory of 4032	3528	cmd.exe	100
PID 3528 wrote to memory of 4032	3528	cmd.exe	100
PID 4516 wrote to memory of 232	4516	cmd.exe	101
PID 4516 wrote to memory of 232	4516	cmd.exe	101
PID 4516 wrote to memory of 232	4516	cmd.exe	101
PID 112 wrote to memory of 2124	112	cmd.exe	102
PID 112 wrote to memory of 2124	112	cmd.exe	102
PID 112 wrote to memory of 2124	112	cmd.exe	102

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_51ac72aa5af11079f2c2ca22d0bf036e.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_51ac72aa5af11079f2c2ca22d0bf036e.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4244
- C:\Users\Admin\AppData\Local\Temp\uncrypted.exe
  "C:\Users\Admin\AppData\Local\Temp\uncrypted.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:392
- - C:\Users\Admin\AppData\Roaming\WinSec.exe
    C:\Users\Admin\AppData\Roaming\WinSec.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4120
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4516
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        5⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:232
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\uncrypted.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\uncrypted.exe:*:Enabled:Windows Messanger" /f
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:112
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\uncrypted.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\uncrypted.exe:*:Enabled:Windows Messanger" /f
        5⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2124
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:744
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        5⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:4484
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\uncrypted.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\uncrypted.exe:*:Enabled:Windows Messanger" /f
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3528
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\uncrypted.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\uncrypted.exe:*:Enabled:Windows Messanger" /f
        5⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:4032
- C:\Users\Admin\AppData\Local\Temp\setup (2).exe
  "C:\Users\Admin\AppData\Local\Temp\setup (2).exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1928
- - C:\Users\Admin\AppData\Local\Temp\is-CFP4K.tmp\setup (2).tmp
    "C:\Users\Admin\AppData\Local\Temp\is-CFP4K.tmp\setup (2).tmp" /SL5="$60236,402752,54272,C:\Users\Admin\AppData\Local\Temp\setup (2).exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-45PQJ.tmp\Office2007.cjstyles

Filesize
529KB

MD5
663ce82c52435d68e20910f6a7252725

SHA1
ef6719db6ec6209dd832d0a336ddccef87343a4d

SHA256
b097cc6db98c456381b1c2f5e4827dde3480c2f0e9561cae81d33d5efd8104ed

SHA512
86be243024e0c055d13516c8568090f3fc5347fd0d6764be8c64f08c753c1f3cc4db00af5c2746e97c74e2f01292b5bcc855a2b94b8cb95cacfd53dd66b28fa0

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-45PQJ.tmp\isskin.dll

Filesize
363KB

MD5
b31ad1bacfd7c51f35e052b8c7047d44

SHA1
ba58ae4a4a28cd2a4c2a7b85d260e105fa6e79de

SHA256
117ae53cf3e8bc95e6297a15d8365efd792da04df90744d4e244bbf72075ccc3

SHA512
2a4c0d3f7065a9272bd70e8fd121e80d9c4e3d9089285841b245790f4789704c27cb88333ddbf3bbecbc26af926b7ffd7a722352c7f418c84a9087cb1a748368

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-CFP4K.tmp\setup (2).tmp

Filesize
688KB

MD5
c765336f0dcf4efdcc2101eed67cd30c

SHA1
fa0279f59738c5aa3b6b20106e109ccd77f895a7

SHA256
c5177fdc6031728e10141745cd69edbc91c92d14411a2dec6e8e8caa4f74ab28

SHA512
06a67ac37c20897967e2cad453793a6ef1c7804d4c578404f845daa88c859b15b0acb51642e6ad23ca6ba6549b02d5f6c98b1fa402004bdbf9d646abab7ec891

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup (2).exe

Filesize
643KB

MD5
2c3e4950bf80b2098dce2f57b81a6611

SHA1
bc665b0584dad1e9187d52ecc35449c299e36888

SHA256
46ca5acf36f5864c677c9ccbbdffa44f3451974283e8d645834c55f4e64b4486

SHA512
d904563c9b612d1d7c655398fac5766addde83212d6df18889f28f2864d30ad20758877418fa662f1b44eeacbbba61d379690a26e596652def911cf94d50d7fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\uncrypted.exe

Filesize
544KB

MD5
05a388d845a9457b468e6eef880b0696

SHA1
9f5c19ba4b2ae0a4302efd0e5cc289cef8ebacc5

SHA256
304165716e3060cf31c91504432ab191604890e3c487a568a21d15eaae231a14

SHA512
7f5102543c5dbb296224b304eb2a3ef0c150171429e38780b092480a1fed0a2d541684a0f0453d5aa393221261695795e53d5f779c7ce1721cafb5fb85a89250

Download Submit
C:\Users\Admin\AppData\Roaming\WinSec.exe

Filesize
34KB

MD5
e118330b4629b12368d91b9df6488be0

SHA1
ce90218c7e3b90df2a3409ec253048bb6472c2fd

SHA256
3a0f2936b8c45e8ba3458d69d7859a63844469e698652e15fb56639d32f40cc9

SHA512
ac91c04cb20223dbaaf594440cb778dff36e857921be427c8528ba4c6cdb3e8bf8e71e1ae8af7bde9c04ff5b97b379231625bc1a2b66aba2f98cd340cd8a94b0

Download Submit
memory/116-94-0x0000000076B90000-0x0000000076C3F000-memory.dmp

Filesize
700KB

Download
memory/116-87-0x00000000758A0000-0x0000000075E53000-memory.dmp

Filesize
5.7MB

Download
memory/116-126-0x00000000758A0000-0x0000000075E53000-memory.dmp

Filesize
5.7MB

Download
memory/116-124-0x0000000072A40000-0x0000000072B64000-memory.dmp

Filesize
1.1MB

Download
memory/116-125-0x0000000010000000-0x000000001005B000-memory.dmp

Filesize
364KB

Download
memory/116-120-0x00000000758A0000-0x0000000075E53000-memory.dmp

Filesize
5.7MB

Download
memory/116-123-0x0000000073BE0000-0x0000000073C54000-memory.dmp

Filesize
464KB

Download
memory/116-122-0x00000000725A0000-0x00000000727B0000-memory.dmp

Filesize
2.1MB

Download
memory/116-121-0x0000000076B90000-0x0000000076C3F000-memory.dmp

Filesize
700KB

Download
memory/116-119-0x00000000768D0000-0x00000000769B3000-memory.dmp

Filesize
908KB

Download
memory/116-114-0x00000000725A0000-0x00000000727B0000-memory.dmp

Filesize
2.1MB

Download
memory/116-118-0x0000000077120000-0x00000000771FC000-memory.dmp

Filesize
880KB

Download
memory/116-117-0x0000000010000000-0x000000001005B000-memory.dmp

Filesize
364KB

Download
memory/116-116-0x0000000072A40000-0x0000000072B64000-memory.dmp

Filesize
1.1MB

Download
memory/116-115-0x0000000073BE0000-0x0000000073C54000-memory.dmp

Filesize
464KB

Download
memory/116-112-0x00000000758A0000-0x0000000075E53000-memory.dmp

Filesize
5.7MB

Download
memory/116-111-0x0000000010000000-0x000000001005B000-memory.dmp

Filesize
364KB

Download
memory/116-110-0x0000000072A40000-0x0000000072B64000-memory.dmp

Filesize
1.1MB

Download
memory/116-109-0x0000000073BE0000-0x0000000073C54000-memory.dmp

Filesize
464KB

Download
memory/116-108-0x00000000775A0000-0x00000000775C5000-memory.dmp

Filesize
148KB

Download
memory/116-106-0x0000000076B90000-0x0000000076C3F000-memory.dmp

Filesize
700KB

Download
memory/116-105-0x00000000758A0000-0x0000000075E53000-memory.dmp

Filesize
5.7MB

Download
memory/116-104-0x0000000010000000-0x000000001005B000-memory.dmp

Filesize
364KB

Download
memory/116-103-0x0000000072A40000-0x0000000072B64000-memory.dmp

Filesize
1.1MB

Download
memory/116-102-0x0000000073BE0000-0x0000000073C54000-memory.dmp

Filesize
464KB

Download
memory/116-101-0x00000000725A0000-0x00000000727B0000-memory.dmp

Filesize
2.1MB

Download
memory/116-100-0x0000000076B90000-0x0000000076C3F000-memory.dmp

Filesize
700KB

Download
memory/116-99-0x00000000758A0000-0x0000000075E53000-memory.dmp

Filesize
5.7MB

Download
memory/116-98-0x0000000010000000-0x000000001005B000-memory.dmp

Filesize
364KB

Download
memory/116-97-0x0000000072A40000-0x0000000072B64000-memory.dmp

Filesize
1.1MB

Download
memory/116-96-0x0000000073BE0000-0x0000000073C54000-memory.dmp

Filesize
464KB

Download
memory/116-95-0x00000000725A0000-0x00000000727B0000-memory.dmp

Filesize
2.1MB

Download
memory/116-91-0x0000000077120000-0x00000000771FC000-memory.dmp

Filesize
880KB

Download
memory/116-93-0x00000000758A0000-0x0000000075E53000-memory.dmp

Filesize
5.7MB

Download
memory/116-90-0x0000000010000000-0x000000001005B000-memory.dmp

Filesize
364KB

Download
memory/116-92-0x00000000768D0000-0x00000000769B3000-memory.dmp

Filesize
908KB

Download
memory/116-78-0x0000000076FB0000-0x000000007702A000-memory.dmp

Filesize
488KB

Download
memory/116-127-0x00000000725A0000-0x00000000727B0000-memory.dmp

Filesize
2.1MB

Download
memory/116-113-0x0000000076B90000-0x0000000076C3F000-memory.dmp

Filesize
700KB

Download
memory/116-107-0x00000000725A0000-0x00000000727B0000-memory.dmp

Filesize
2.1MB

Download
memory/116-88-0x0000000076B90000-0x0000000076C3F000-memory.dmp

Filesize
700KB

Download
memory/116-86-0x00000000768D0000-0x00000000769B3000-memory.dmp

Filesize
908KB

Download
memory/116-85-0x0000000010000000-0x000000001005B000-memory.dmp

Filesize
364KB

Download
memory/116-84-0x0000000072A40000-0x0000000072B64000-memory.dmp

Filesize
1.1MB

Download
memory/116-83-0x0000000010000000-0x000000001005B000-memory.dmp

Filesize
364KB

Download
memory/116-82-0x00000000775A0000-0x00000000775C5000-memory.dmp

Filesize
148KB

Download
memory/116-81-0x0000000010000000-0x000000001005B000-memory.dmp

Filesize
364KB

Download
memory/116-80-0x0000000010000000-0x000000001005B000-memory.dmp

Filesize
364KB

Download
memory/116-79-0x00000000775A0000-0x00000000775C5000-memory.dmp

Filesize
148KB

Download
memory/116-89-0x00000000725A0000-0x00000000727B0000-memory.dmp

Filesize
2.1MB

Download
memory/116-77-0x0000000010000000-0x000000001005B000-memory.dmp

Filesize
364KB

Download
memory/116-76-0x00000000775A0000-0x00000000775C5000-memory.dmp

Filesize
148KB

Download
memory/116-75-0x0000000076FB0000-0x000000007702A000-memory.dmp

Filesize
488KB

Download
memory/116-74-0x0000000010000000-0x000000001005B000-memory.dmp

Filesize
364KB

Download
memory/116-72-0x0000000010000000-0x000000001005B000-memory.dmp

Filesize
364KB

Download
memory/116-71-0x0000000076FB0000-0x000000007702A000-memory.dmp

Filesize
488KB

Download
memory/116-70-0x0000000010000000-0x000000001005B000-memory.dmp

Filesize
364KB

Download
memory/116-69-0x0000000076FB0000-0x000000007702A000-memory.dmp

Filesize
488KB

Download
memory/116-73-0x0000000076FB0000-0x000000007702A000-memory.dmp

Filesize
488KB

Download
memory/392-32-0x0000000074E60000-0x0000000075411000-memory.dmp

Filesize
5.7MB

Download
memory/392-49-0x0000000074E60000-0x0000000075411000-memory.dmp

Filesize
5.7MB

Download
memory/392-26-0x0000000074E60000-0x0000000075411000-memory.dmp

Filesize
5.7MB

Download
memory/1928-38-0x0000000000401000-0x000000000040B000-memory.dmp

Filesize
40KB

Download
memory/1928-30-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4120-43-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4120-39-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4120-209-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4244-0-0x0000000074E62000-0x0000000074E63000-memory.dmp

Filesize
4KB

Download
memory/4244-1-0x0000000074E60000-0x0000000075411000-memory.dmp

Filesize
5.7MB

Download
memory/4244-2-0x0000000074E60000-0x0000000075411000-memory.dmp

Filesize
5.7MB

Download
memory/4244-34-0x0000000074E60000-0x0000000075411000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads