blackshades | c7977100fc1646569fd6950823df204803bc2cba5c99f650fb2c24a45b6b2c87

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
10/03/2025, 03:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_5cd14011db57669c8b833053723afcef.exe
Size

413KB
MD5

5cd14011db57669c8b833053723afcef
SHA1

f30309a0d9ea75fe5158c8c8a5d8f9c8cc02a3e5
SHA256

c7977100fc1646569fd6950823df204803bc2cba5c99f650fb2c24a45b6b2c87
SHA512

e249e98a59d03993847880c4841760e6a5776cd3b715533510d0a881c7c4ea46e009507fc0eaf81590171886c3d8df61ab5d79bfee54b26c02c08f05d8b783f3
SSDEEP

6144:jKyeinX6ZtSlXiVBI69xeD0JGeOvQt4I8QlcqZ7DK6mXiHZuulCk5BFVBmcabe:ainGtzVBVcYJYIt4f6HK6mud5BRNabe

Score

10^/10

blackshades defense_evasion discovery persistence rat

Malware Config

Signatures

Blackshades
Blackshades is a remote access trojan with various capabilities.
rat blackshades
Blackshades family
blackshades

Blackshades payload 13 IoCs

resource	yara_rule
behavioral2/memory/4496-4-0x0000000000400000-0x0000000000478000-memory.dmp	family_blackshades
behavioral2/memory/4496-7-0x0000000000400000-0x0000000000478000-memory.dmp	family_blackshades
behavioral2/memory/4496-11-0x0000000000400000-0x0000000000478000-memory.dmp	family_blackshades
behavioral2/memory/4496-35-0x0000000000400000-0x0000000000478000-memory.dmp	family_blackshades
behavioral2/memory/4496-36-0x0000000000400000-0x0000000000478000-memory.dmp	family_blackshades
behavioral2/memory/4496-40-0x0000000000400000-0x0000000000478000-memory.dmp	family_blackshades
behavioral2/memory/4496-44-0x0000000000400000-0x0000000000478000-memory.dmp	family_blackshades
behavioral2/memory/4496-47-0x0000000000400000-0x0000000000478000-memory.dmp	family_blackshades
behavioral2/memory/4496-50-0x0000000000400000-0x0000000000478000-memory.dmp	family_blackshades
behavioral2/memory/4496-54-0x0000000000400000-0x0000000000478000-memory.dmp	family_blackshades
behavioral2/memory/4496-57-0x0000000000400000-0x0000000000478000-memory.dmp	family_blackshades
behavioral2/memory/4496-60-0x0000000000400000-0x0000000000478000-memory.dmp	family_blackshades
behavioral2/memory/4496-67-0x0000000000400000-0x0000000000478000-memory.dmp	family_blackshades

Modifies firewall policy service 3 TTPs 10 IoCs

defense_evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\DC.exe = "C:\\Users\\Admin\\AppData\\Roaming\\DC.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\updater\winlogon.exe = "C:\\Users\\Admin\\AppData\\Roaming\\updater\\winlogon.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe

Executes dropped EXE 2 IoCs

pid	Process
2084	winlogon.exe
4496	winlogon.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\updater\\winlogon.exe"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\updater\\winlogon.exe"	JaffaCakes118_5cd14011db57669c8b833053723afcef.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2084 set thread context of 4496	2084	winlogon.exe	88

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_5cd14011db57669c8b833053723afcef.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
1940	reg.exe
944	reg.exe
1604	reg.exe
3932	reg.exe

Suspicious use of AdjustPrivilegeToken 36 IoCs

description	pid	Process
Token: 1	4496	winlogon.exe
Token: SeCreateTokenPrivilege	4496	winlogon.exe
Token: SeAssignPrimaryTokenPrivilege	4496	winlogon.exe
Token: SeLockMemoryPrivilege	4496	winlogon.exe
Token: SeIncreaseQuotaPrivilege	4496	winlogon.exe
Token: SeMachineAccountPrivilege	4496	winlogon.exe
Token: SeTcbPrivilege	4496	winlogon.exe
Token: SeSecurityPrivilege	4496	winlogon.exe
Token: SeTakeOwnershipPrivilege	4496	winlogon.exe
Token: SeLoadDriverPrivilege	4496	winlogon.exe
Token: SeSystemProfilePrivilege	4496	winlogon.exe
Token: SeSystemtimePrivilege	4496	winlogon.exe
Token: SeProfSingleProcessPrivilege	4496	winlogon.exe
Token: SeIncBasePriorityPrivilege	4496	winlogon.exe
Token: SeCreatePagefilePrivilege	4496	winlogon.exe
Token: SeCreatePermanentPrivilege	4496	winlogon.exe
Token: SeBackupPrivilege	4496	winlogon.exe
Token: SeRestorePrivilege	4496	winlogon.exe
Token: SeShutdownPrivilege	4496	winlogon.exe
Token: SeDebugPrivilege	4496	winlogon.exe
Token: SeAuditPrivilege	4496	winlogon.exe
Token: SeSystemEnvironmentPrivilege	4496	winlogon.exe
Token: SeChangeNotifyPrivilege	4496	winlogon.exe
Token: SeRemoteShutdownPrivilege	4496	winlogon.exe
Token: SeUndockPrivilege	4496	winlogon.exe
Token: SeSyncAgentPrivilege	4496	winlogon.exe
Token: SeEnableDelegationPrivilege	4496	winlogon.exe
Token: SeManageVolumePrivilege	4496	winlogon.exe
Token: SeImpersonatePrivilege	4496	winlogon.exe
Token: SeCreateGlobalPrivilege	4496	winlogon.exe
Token: 31	4496	winlogon.exe
Token: 32	4496	winlogon.exe
Token: 33	4496	winlogon.exe
Token: 34	4496	winlogon.exe
Token: 35	4496	winlogon.exe
Token: SeDebugPrivilege	4496	winlogon.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4496	winlogon.exe
4496	winlogon.exe
4496	winlogon.exe
4496	winlogon.exe

Suspicious use of WriteProcessMemory 35 IoCs

description	pid	Process	procid_target
PID 668 wrote to memory of 2084	668	JaffaCakes118_5cd14011db57669c8b833053723afcef.exe	87
PID 668 wrote to memory of 2084	668	JaffaCakes118_5cd14011db57669c8b833053723afcef.exe	87
PID 668 wrote to memory of 2084	668	JaffaCakes118_5cd14011db57669c8b833053723afcef.exe	87
PID 2084 wrote to memory of 4496	2084	winlogon.exe	88
PID 2084 wrote to memory of 4496	2084	winlogon.exe	88
PID 2084 wrote to memory of 4496	2084	winlogon.exe	88
PID 2084 wrote to memory of 4496	2084	winlogon.exe	88
PID 2084 wrote to memory of 4496	2084	winlogon.exe	88
PID 2084 wrote to memory of 4496	2084	winlogon.exe	88
PID 2084 wrote to memory of 4496	2084	winlogon.exe	88
PID 2084 wrote to memory of 4496	2084	winlogon.exe	88
PID 4496 wrote to memory of 4972	4496	winlogon.exe	89
PID 4496 wrote to memory of 4972	4496	winlogon.exe	89
PID 4496 wrote to memory of 4972	4496	winlogon.exe	89
PID 4496 wrote to memory of 2164	4496	winlogon.exe	90
PID 4496 wrote to memory of 2164	4496	winlogon.exe	90
PID 4496 wrote to memory of 2164	4496	winlogon.exe	90
PID 4496 wrote to memory of 4400	4496	winlogon.exe	91
PID 4496 wrote to memory of 4400	4496	winlogon.exe	91
PID 4496 wrote to memory of 4400	4496	winlogon.exe	91
PID 4496 wrote to memory of 2220	4496	winlogon.exe	92
PID 4496 wrote to memory of 2220	4496	winlogon.exe	92
PID 4496 wrote to memory of 2220	4496	winlogon.exe	92
PID 4972 wrote to memory of 944	4972	cmd.exe	97
PID 4972 wrote to memory of 944	4972	cmd.exe	97
PID 4972 wrote to memory of 944	4972	cmd.exe	97
PID 4400 wrote to memory of 1604	4400	cmd.exe	99
PID 4400 wrote to memory of 1604	4400	cmd.exe	99
PID 4400 wrote to memory of 1604	4400	cmd.exe	99
PID 2220 wrote to memory of 3932	2220	cmd.exe	98
PID 2220 wrote to memory of 3932	2220	cmd.exe	98
PID 2220 wrote to memory of 3932	2220	cmd.exe	98
PID 2164 wrote to memory of 1940	2164	cmd.exe	100
PID 2164 wrote to memory of 1940	2164	cmd.exe	100
PID 2164 wrote to memory of 1940	2164	cmd.exe	100

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5cd14011db57669c8b833053723afcef.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5cd14011db57669c8b833053723afcef.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:668
- C:\Users\Admin\AppData\Roaming\updater\winlogon.exe
  "C:\Users\Admin\AppData\Roaming\updater\winlogon.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2084
- - C:\Users\Admin\AppData\Roaming\updater\winlogon.exe
    "C:\Users\Admin\AppData\Roaming\updater\winlogon.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4496
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4972
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        5⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:944
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\updater\winlogon.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\updater\winlogon.exe:*:Enabled:Windows Messanger" /f
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2164
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\updater\winlogon.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\updater\winlogon.exe:*:Enabled:Windows Messanger" /f
        5⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1940
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4400
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        5⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1604
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\DC.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\DC.exe:*:Enabled:Windows Messanger" /f
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2220
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\DC.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\DC.exe:*:Enabled:Windows Messanger" /f
        5⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:3932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

Filesize
471B

MD5
7d49674809fd6e5271c6ec98c603db1b

SHA1
a7c57d863604a401c50eae29eb47ed20fef47508

SHA256
0a8f407be70086beb8d204f6a8956b1124389061b026fda2bbe46f07ebf59718

SHA512
d797b54229642a649959f98ffd7f7980ebd41e869315a3ebb7f1d63d025e9b5c778da8b44eba862ac1e3b6146d51fce0753c1010203c4b552d8d5fb260488696

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E573CDF4C6D731D56A665145182FD759_509F9531D34B67093963A7990D344CA7

Filesize
471B

MD5
0afd98661714825565c9f4b8761bbc90

SHA1
719b65f48ef6000cd2ce0eadfdb2e4e2efda5849

SHA256
add230e06c3f2370014cc5e641d331780369ccf4e33dbe21afb15d62c3096046

SHA512
1383858194afb361a28cd976d58ef4ac71aeddef0d67c40e8a66b3b8834479024be26469350aba149d3b35e44a1d059a8a78a02b6a4e3c80fc43163e9aca68f2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

Filesize
340B

MD5
af9b7d21071312dc383cec83d98b7209

SHA1
016aa31d963d76249375968eaf26d3e0416daf3e

SHA256
17d4e4f18f700b0eb9547dd74225a47203f37cc6676a9d886053addf0a477e2f

SHA512
b303cb78875b2450810390412a20adf6bd2441a434fb4199da11416a50bb53187d51cb3939bcf8decd8cc7d390b5327a8b5427d4b9a9124cfedb86dddfdcac0a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

Filesize
400B

MD5
1c0024f7409e8c28c1e003b1d34c4774

SHA1
b3f6f4f47764df03a195400ecb10af82d074be10

SHA256
41cddfb5a5bbcea768c4290c26c97ffc8683a4bacb8114e33b3c5ea19985350b

SHA512
c1dcfaacae71e2c1355464d46e987ad9c5d68b59a8205d28f6d1712fddab76746768cd3dd688effb78fb953e001518217d915a5bf1cc66be5538eb217b380e7f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E573CDF4C6D731D56A665145182FD759_509F9531D34B67093963A7990D344CA7

Filesize
408B

MD5
086b21ae91f23114c856fb948a7d077a

SHA1
a459e51c3d60fcebcbc6c739f8a3a3cf0444229e

SHA256
7bd737af0fe77938cc240dc847c9c802f7035dddb64ca88cb4c75fa85bb70f2b

SHA512
4f5ba4387e72ee202e983bff03b56824262d5f7f68088b635224b95dccfb5f460daaf956261b15395540b190a7b727003c6b480508bde7fb4887b31804d6c6c0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E573CDF4C6D731D56A665145182FD759_509F9531D34B67093963A7990D344CA7

Filesize
408B

MD5
feba20a535f2469625dcddcc6e473849

SHA1
f13638884aafb1fc4d427fda06c47a643f6bd5ce

SHA256
cc3a12c8842ce782193f2bf322542f047ad3929af90a9bc07da05eff4731054a

SHA512
3ab6ee65fcdd50efb79a2e64cccd54b0a59222adaeb8757a0fd1f71df5bd1546ffd75795caa698db88aeefc6b091b3282a2812cdaf49ca9943164fd542202b7a

Download Submit
C:\Users\Admin\AppData\Roaming\updater\winlogon.exe

Filesize
413KB

MD5
5cd14011db57669c8b833053723afcef

SHA1
f30309a0d9ea75fe5158c8c8a5d8f9c8cc02a3e5

SHA256
c7977100fc1646569fd6950823df204803bc2cba5c99f650fb2c24a45b6b2c87

SHA512
e249e98a59d03993847880c4841760e6a5776cd3b715533510d0a881c7c4ea46e009507fc0eaf81590171886c3d8df61ab5d79bfee54b26c02c08f05d8b783f3

Download Submit
memory/4496-35-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4496-11-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4496-7-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4496-4-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4496-36-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4496-40-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4496-44-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4496-47-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4496-50-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4496-54-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4496-57-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4496-60-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4496-67-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads