blackshades | f5eee0d3720ede3b730db419f35d66db1c8b58c412fe036057268c0d9ea0dd46

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
11/03/2025, 02:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_6298a152c6181a7d3a0ad5e4eff01e2f.exe
Size

4.3MB
MD5

6298a152c6181a7d3a0ad5e4eff01e2f
SHA1

e38bfcab531a2a6ac8c27ceda42a31db6e984dd5
SHA256

f5eee0d3720ede3b730db419f35d66db1c8b58c412fe036057268c0d9ea0dd46
SHA512

b22f14a064c999279888fd6b5710dedeef0194ef7cec61af765bdcdc09bcf3ca684e9fecb871c38b43af2a1afbcf036001cfffe1f1c9cc72b55c9e2b672ed06f
SSDEEP

49152:mVsW61NqFAVsW6uVsW61NqnNqajr5TP72pJt1BQeHqqnogEzszcENpYSLu6s2rw9:mVsW61NqFAVsW6uVsW61NqnNqajD

Score

10^/10

blackshades defense_evasion discovery rat

Malware Config

Signatures

Blackshades
Blackshades is a remote access trojan with various capabilities.
rat blackshades
Blackshades family
blackshades

Blackshades payload 11 IoCs

resource	yara_rule
behavioral2/memory/1176-35-0x0000000000400000-0x0000000000470000-memory.dmp	family_blackshades
behavioral2/memory/1176-33-0x0000000000400000-0x0000000000470000-memory.dmp	family_blackshades
behavioral2/memory/1176-120-0x0000000000400000-0x0000000000470000-memory.dmp	family_blackshades
behavioral2/memory/1176-136-0x0000000000400000-0x0000000000470000-memory.dmp	family_blackshades
behavioral2/memory/1176-145-0x0000000000400000-0x0000000000470000-memory.dmp	family_blackshades
behavioral2/memory/1176-152-0x0000000000400000-0x0000000000470000-memory.dmp	family_blackshades
behavioral2/memory/1176-161-0x0000000000400000-0x0000000000470000-memory.dmp	family_blackshades
behavioral2/memory/1176-165-0x0000000000400000-0x0000000000470000-memory.dmp	family_blackshades
behavioral2/memory/1176-171-0x0000000000400000-0x0000000000470000-memory.dmp	family_blackshades
behavioral2/memory/1176-178-0x0000000000400000-0x0000000000470000-memory.dmp	family_blackshades
behavioral2/memory/1176-180-0x0000000000400000-0x0000000000470000-memory.dmp	family_blackshades

Modifies firewall policy service 3 TTPs 10 IoCs

defense_evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\Server2.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Server2.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\svchost.exe = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Control Panel\International\Geo\Nation	JaffaCakes118_6298a152c6181a7d3a0ad5e4eff01e2f.exe

Executes dropped EXE 2 IoCs

pid	Process
3436	Server2.exe
1176	Server2.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3436 set thread context of 1176	3436	Server2.exe	89

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server2.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000_Classes\Local Settings	JaffaCakes118_6298a152c6181a7d3a0ad5e4eff01e2f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	javaw.exe
Key created	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	javaw.exe

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
2744	reg.exe
2728	reg.exe
2008	reg.exe
2568	reg.exe

Suspicious use of AdjustPrivilegeToken 36 IoCs

description	pid	Process
Token: SeDebugPrivilege	1076	JaffaCakes118_6298a152c6181a7d3a0ad5e4eff01e2f.exe
Token: 1	1176	Server2.exe
Token: SeCreateTokenPrivilege	1176	Server2.exe
Token: SeAssignPrimaryTokenPrivilege	1176	Server2.exe
Token: SeLockMemoryPrivilege	1176	Server2.exe
Token: SeIncreaseQuotaPrivilege	1176	Server2.exe
Token: SeMachineAccountPrivilege	1176	Server2.exe
Token: SeTcbPrivilege	1176	Server2.exe
Token: SeSecurityPrivilege	1176	Server2.exe
Token: SeTakeOwnershipPrivilege	1176	Server2.exe
Token: SeLoadDriverPrivilege	1176	Server2.exe
Token: SeSystemProfilePrivilege	1176	Server2.exe
Token: SeSystemtimePrivilege	1176	Server2.exe
Token: SeProfSingleProcessPrivilege	1176	Server2.exe
Token: SeIncBasePriorityPrivilege	1176	Server2.exe
Token: SeCreatePagefilePrivilege	1176	Server2.exe
Token: SeCreatePermanentPrivilege	1176	Server2.exe
Token: SeBackupPrivilege	1176	Server2.exe
Token: SeRestorePrivilege	1176	Server2.exe
Token: SeShutdownPrivilege	1176	Server2.exe
Token: SeDebugPrivilege	1176	Server2.exe
Token: SeAuditPrivilege	1176	Server2.exe
Token: SeSystemEnvironmentPrivilege	1176	Server2.exe
Token: SeChangeNotifyPrivilege	1176	Server2.exe
Token: SeRemoteShutdownPrivilege	1176	Server2.exe
Token: SeUndockPrivilege	1176	Server2.exe
Token: SeSyncAgentPrivilege	1176	Server2.exe
Token: SeEnableDelegationPrivilege	1176	Server2.exe
Token: SeManageVolumePrivilege	1176	Server2.exe
Token: SeImpersonatePrivilege	1176	Server2.exe
Token: SeCreateGlobalPrivilege	1176	Server2.exe
Token: 31	1176	Server2.exe
Token: 32	1176	Server2.exe
Token: 33	1176	Server2.exe
Token: 34	1176	Server2.exe
Token: 35	1176	Server2.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
3436	Server2.exe
3436	Server2.exe
1176	Server2.exe
1176	Server2.exe
1176	Server2.exe
3044	javaw.exe
3044	javaw.exe

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 1076 wrote to memory of 392	1076	JaffaCakes118_6298a152c6181a7d3a0ad5e4eff01e2f.exe	87
PID 1076 wrote to memory of 392	1076	JaffaCakes118_6298a152c6181a7d3a0ad5e4eff01e2f.exe	87
PID 1076 wrote to memory of 3436	1076	JaffaCakes118_6298a152c6181a7d3a0ad5e4eff01e2f.exe	88
PID 1076 wrote to memory of 3436	1076	JaffaCakes118_6298a152c6181a7d3a0ad5e4eff01e2f.exe	88
PID 1076 wrote to memory of 3436	1076	JaffaCakes118_6298a152c6181a7d3a0ad5e4eff01e2f.exe	88
PID 3436 wrote to memory of 1176	3436	Server2.exe	89
PID 3436 wrote to memory of 1176	3436	Server2.exe	89
PID 3436 wrote to memory of 1176	3436	Server2.exe	89
PID 3436 wrote to memory of 1176	3436	Server2.exe	89
PID 3436 wrote to memory of 1176	3436	Server2.exe	89
PID 3436 wrote to memory of 1176	3436	Server2.exe	89
PID 3436 wrote to memory of 1176	3436	Server2.exe	89
PID 3436 wrote to memory of 1176	3436	Server2.exe	89
PID 1176 wrote to memory of 4364	1176	Server2.exe	90
PID 1176 wrote to memory of 4364	1176	Server2.exe	90
PID 1176 wrote to memory of 4364	1176	Server2.exe	90
PID 1176 wrote to memory of 3512	1176	Server2.exe	91
PID 1176 wrote to memory of 3512	1176	Server2.exe	91
PID 1176 wrote to memory of 3512	1176	Server2.exe	91
PID 1176 wrote to memory of 2556	1176	Server2.exe	92
PID 1176 wrote to memory of 2556	1176	Server2.exe	92
PID 1176 wrote to memory of 2556	1176	Server2.exe	92
PID 1176 wrote to memory of 3804	1176	Server2.exe	93
PID 1176 wrote to memory of 3804	1176	Server2.exe	93
PID 1176 wrote to memory of 3804	1176	Server2.exe	93
PID 392 wrote to memory of 3044	392	javaw.exe	97
PID 392 wrote to memory of 3044	392	javaw.exe	97
PID 3512 wrote to memory of 2744	3512	cmd.exe	99
PID 3512 wrote to memory of 2744	3512	cmd.exe	99
PID 3512 wrote to memory of 2744	3512	cmd.exe	99
PID 3804 wrote to memory of 2568	3804	cmd.exe	100
PID 3804 wrote to memory of 2568	3804	cmd.exe	100
PID 3804 wrote to memory of 2568	3804	cmd.exe	100
PID 2556 wrote to memory of 2008	2556	cmd.exe	101
PID 2556 wrote to memory of 2008	2556	cmd.exe	101
PID 2556 wrote to memory of 2008	2556	cmd.exe	101
PID 4364 wrote to memory of 2728	4364	cmd.exe	102
PID 4364 wrote to memory of 2728	4364	cmd.exe	102
PID 4364 wrote to memory of 2728	4364	cmd.exe	102

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6298a152c6181a7d3a0ad5e4eff01e2f.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6298a152c6181a7d3a0ad5e4eff01e2f.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1076
- C:\Program Files\Java\jre-1.8\bin\javaw.exe
  "C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Local\Temp\RSBuddy.jar"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:392
- - C:\Program Files\Java\jre-1.8\bin\javaw.exe
    javaw -Xmx512m -Dsun.java2d.d3d=false -classpath "/C:/Users/Admin/AppData/Local/Temp/RSBuddy.jar" com.rsbuddy.RSBuddy
    3⤵
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    PID:3044
- C:\Users\Admin\AppData\Local\Temp\Server2.exe
  "C:\Users\Admin\AppData\Local\Temp\Server2.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3436
- - C:\Users\Admin\AppData\Local\Temp\Server2.exe
    "C:\Users\Admin\AppData\Local\Temp\Server2.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1176
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4364
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        5⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2728
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\Server2.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\Server2.exe:*:Enabled:Windows Messanger" /f
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3512
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\Server2.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\Server2.exe:*:Enabled:Windows Messanger" /f
        5⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2744
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2556
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        5⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2008
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\svchost.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\svchost.exe:*:Enabled:Windows Messanger" /f
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3804
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\svchost.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\svchost.exe:*:Enabled:Windows Messanger" /f
        5⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RSBuddy.jar

Filesize
2.5MB

MD5
491cc3d00f1e75ebd7f45311c85e5ec9

SHA1
3fe7fea9e8b59a14f4742cb0b2015e8d79d96535

SHA256
f4be4b34d5967c4a27c59bc6be56e515fc7c94f87a749731f3249e78fa068a51

SHA512
984b6d3d1eb26375582368bfdacb85a8ba4ba325c56e9c19ed7bc156e00889a1bdc48b34660492917794dd00c7e7174f36d3c5901be8dd733065b4ccff8dde29

Download Submit
C:\Users\Admin\AppData\Local\Temp\Server2.exe

Filesize
483KB

MD5
7db37b4ce12510e4abd0a6ff5497e2ca

SHA1
66266955b7085c082cde71959d3eeb5f23438e46

SHA256
80b22edd7e306eafa5a745c424b0be7d2213a31574fcf635640a74cde6823d83

SHA512
68201a7e5a72c3ac4ead69989bbe9adc1fc3f5c31b0411a8f95150f175f8c8f12abe2ffa5e0830b58615c34303f45eb0537b0eadfdc5a4148fd3a5bfb00153ac

Download Submit
memory/392-49-0x00000235BD620000-0x00000235BD621000-memory.dmp

Filesize
4KB

Download
memory/392-50-0x00000235BF030000-0x00000235BF2A0000-memory.dmp

Filesize
2.4MB

Download
memory/392-26-0x00000235BF030000-0x00000235BF2A0000-memory.dmp

Filesize
2.4MB

Download
memory/1076-8-0x00007FF9D7920000-0x00007FF9D82C1000-memory.dmp

Filesize
9.6MB

Download
memory/1076-2-0x00007FF9D7920000-0x00007FF9D82C1000-memory.dmp

Filesize
9.6MB

Download
memory/1076-0-0x00007FF9D7BD5000-0x00007FF9D7BD6000-memory.dmp

Filesize
4KB

Download
memory/1076-7-0x000000001C580000-0x000000001C5CC000-memory.dmp

Filesize
304KB

Download
memory/1076-27-0x00007FF9D7920000-0x00007FF9D82C1000-memory.dmp

Filesize
9.6MB

Download
memory/1076-5-0x000000001C470000-0x000000001C50C000-memory.dmp

Filesize
624KB

Download
memory/1076-6-0x0000000001050000-0x0000000001058000-memory.dmp

Filesize
32KB

Download
memory/1076-1-0x000000001B8E0000-0x000000001B986000-memory.dmp

Filesize
664KB

Download
memory/1076-4-0x00007FF9D7920000-0x00007FF9D82C1000-memory.dmp

Filesize
9.6MB

Download
memory/1076-3-0x000000001BFA0000-0x000000001C46E000-memory.dmp

Filesize
4.8MB

Download
memory/1176-171-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/1176-145-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/1176-35-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/1176-33-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/1176-165-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/1176-178-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/1176-161-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/1176-152-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/1176-120-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/1176-180-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/1176-136-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/3044-121-0x0000015027620000-0x0000015027621000-memory.dmp

Filesize
4KB

Download
memory/3044-112-0x0000015027620000-0x0000015027621000-memory.dmp

Filesize
4KB

Download
memory/3044-103-0x0000015027620000-0x0000015027621000-memory.dmp

Filesize
4KB

Download
memory/3044-78-0x0000015027620000-0x0000015027621000-memory.dmp

Filesize
4KB

Download
memory/3044-67-0x0000015027620000-0x0000015027621000-memory.dmp

Filesize
4KB

Download
memory/3436-38-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3436-22-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads