blackshades | 18d948ab2ce3e9c9fc68d0fde58adeea76f354ec9a1aa038811e5acccf802d5d

Analysis

max time kernel
148s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
29/03/2025, 19:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_95d1c10659e169bf73da92e4ee39060c.exe
Size

876KB
MD5

95d1c10659e169bf73da92e4ee39060c
SHA1

9c19015abb21ec2ad033624267ea6d476fed3899
SHA256

18d948ab2ce3e9c9fc68d0fde58adeea76f354ec9a1aa038811e5acccf802d5d
SHA512

74c12459d337a81c40f6b7f009a0deb63aa8546ddc79b6e9f955f4865ca4166607b5f2156b57795bdbe82e0d974fbfa587e3917b4f9fc4637ae45f91464d6b0f
SSDEEP

12288:hsPPfxSfzaIsqF5P6gjS22okDRRi8/SokLgYN6/TwkB9aVp+pkWCSLDOTOJMd:u/xSbaSF5oourScYN6/Ue9aV/S/OTYM

Score

10^/10

blackshades defense_evasion discovery rat

Malware Config

Signatures

Blackshades
Blackshades is a remote access trojan with various capabilities.
rat blackshades
Blackshades family
blackshades

Blackshades payload 12 IoCs

resource	yara_rule
behavioral2/memory/3132-5-0x0000000000400000-0x0000000000478000-memory.dmp	family_blackshades
behavioral2/memory/3132-7-0x0000000000400000-0x0000000000478000-memory.dmp	family_blackshades
behavioral2/memory/3132-33-0x0000000000400000-0x0000000000478000-memory.dmp	family_blackshades
behavioral2/memory/3132-35-0x0000000000400000-0x0000000000478000-memory.dmp	family_blackshades
behavioral2/memory/3132-37-0x0000000000400000-0x0000000000478000-memory.dmp	family_blackshades
behavioral2/memory/3132-38-0x0000000000400000-0x0000000000478000-memory.dmp	family_blackshades
behavioral2/memory/3132-39-0x0000000000400000-0x0000000000478000-memory.dmp	family_blackshades
behavioral2/memory/3132-41-0x0000000000400000-0x0000000000478000-memory.dmp	family_blackshades
behavioral2/memory/3132-42-0x0000000000400000-0x0000000000478000-memory.dmp	family_blackshades
behavioral2/memory/3132-46-0x0000000000400000-0x0000000000478000-memory.dmp	family_blackshades
behavioral2/memory/3132-47-0x0000000000400000-0x0000000000478000-memory.dmp	family_blackshades
behavioral2/memory/3132-50-0x0000000000400000-0x0000000000478000-memory.dmp	family_blackshades

Modifies firewall policy service 3 TTPs 10 IoCs

defense_evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\1OJQI276R7.exe = "C:\\Users\\Admin\\AppData\\Roaming\\1OJQI276R7.exe:*:Enabled:Windows Messanger"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe = "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\vbc.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	JaffaCakes118_95d1c10659e169bf73da92e4ee39060c.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JaffaCakes118_95d1c10659e169bf73da92e4ee39060c.exe	887341.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JaffaCakes118_95d1c10659e169bf73da92e4ee39060c.exe	887341.exe

Executes dropped EXE 1 IoCs

pid	Process
1680	887341.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	JaffaCakes118_95d1c10659e169bf73da92e4ee39060c.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	JaffaCakes118_95d1c10659e169bf73da92e4ee39060c.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2140 set thread context of 3132	2140	JaffaCakes118_95d1c10659e169bf73da92e4ee39060c.exe	87

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	JaffaCakes118_95d1c10659e169bf73da92e4ee39060c.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	JaffaCakes118_95d1c10659e169bf73da92e4ee39060c.exe
File opened for modification	C:\Windows\assembly	JaffaCakes118_95d1c10659e169bf73da92e4ee39060c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_95d1c10659e169bf73da92e4ee39060c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	887341.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
3388	reg.exe
2340	reg.exe
3608	reg.exe
4208	reg.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

description	pid	Process
Token: 1	3132	vbc.exe
Token: SeCreateTokenPrivilege	3132	vbc.exe
Token: SeAssignPrimaryTokenPrivilege	3132	vbc.exe
Token: SeLockMemoryPrivilege	3132	vbc.exe
Token: SeIncreaseQuotaPrivilege	3132	vbc.exe
Token: SeMachineAccountPrivilege	3132	vbc.exe
Token: SeTcbPrivilege	3132	vbc.exe
Token: SeSecurityPrivilege	3132	vbc.exe
Token: SeTakeOwnershipPrivilege	3132	vbc.exe
Token: SeLoadDriverPrivilege	3132	vbc.exe
Token: SeSystemProfilePrivilege	3132	vbc.exe
Token: SeSystemtimePrivilege	3132	vbc.exe
Token: SeProfSingleProcessPrivilege	3132	vbc.exe
Token: SeIncBasePriorityPrivilege	3132	vbc.exe
Token: SeCreatePagefilePrivilege	3132	vbc.exe
Token: SeCreatePermanentPrivilege	3132	vbc.exe
Token: SeBackupPrivilege	3132	vbc.exe
Token: SeRestorePrivilege	3132	vbc.exe
Token: SeShutdownPrivilege	3132	vbc.exe
Token: SeDebugPrivilege	3132	vbc.exe
Token: SeAuditPrivilege	3132	vbc.exe
Token: SeSystemEnvironmentPrivilege	3132	vbc.exe
Token: SeChangeNotifyPrivilege	3132	vbc.exe
Token: SeRemoteShutdownPrivilege	3132	vbc.exe
Token: SeUndockPrivilege	3132	vbc.exe
Token: SeSyncAgentPrivilege	3132	vbc.exe
Token: SeEnableDelegationPrivilege	3132	vbc.exe
Token: SeManageVolumePrivilege	3132	vbc.exe
Token: SeImpersonatePrivilege	3132	vbc.exe
Token: SeCreateGlobalPrivilege	3132	vbc.exe
Token: 31	3132	vbc.exe
Token: 32	3132	vbc.exe
Token: 33	3132	vbc.exe
Token: 34	3132	vbc.exe
Token: 35	3132	vbc.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
3132	vbc.exe
3132	vbc.exe
3132	vbc.exe
3132	vbc.exe

Suspicious use of WriteProcessMemory 41 IoCs

description	pid	Process	procid_target
PID 2140 wrote to memory of 3132	2140	JaffaCakes118_95d1c10659e169bf73da92e4ee39060c.exe	87
PID 2140 wrote to memory of 3132	2140	JaffaCakes118_95d1c10659e169bf73da92e4ee39060c.exe	87
PID 2140 wrote to memory of 3132	2140	JaffaCakes118_95d1c10659e169bf73da92e4ee39060c.exe	87
PID 2140 wrote to memory of 3132	2140	JaffaCakes118_95d1c10659e169bf73da92e4ee39060c.exe	87
PID 2140 wrote to memory of 3132	2140	JaffaCakes118_95d1c10659e169bf73da92e4ee39060c.exe	87
PID 2140 wrote to memory of 3132	2140	JaffaCakes118_95d1c10659e169bf73da92e4ee39060c.exe	87
PID 2140 wrote to memory of 3132	2140	JaffaCakes118_95d1c10659e169bf73da92e4ee39060c.exe	87
PID 2140 wrote to memory of 3132	2140	JaffaCakes118_95d1c10659e169bf73da92e4ee39060c.exe	87
PID 2140 wrote to memory of 4272	2140	JaffaCakes118_95d1c10659e169bf73da92e4ee39060c.exe	88
PID 2140 wrote to memory of 4272	2140	JaffaCakes118_95d1c10659e169bf73da92e4ee39060c.exe	88
PID 2140 wrote to memory of 4272	2140	JaffaCakes118_95d1c10659e169bf73da92e4ee39060c.exe	88
PID 3132 wrote to memory of 1032	3132	vbc.exe	91
PID 3132 wrote to memory of 1032	3132	vbc.exe	91
PID 3132 wrote to memory of 1032	3132	vbc.exe	91
PID 3132 wrote to memory of 696	3132	vbc.exe	92
PID 3132 wrote to memory of 696	3132	vbc.exe	92
PID 3132 wrote to memory of 696	3132	vbc.exe	92
PID 3132 wrote to memory of 2960	3132	vbc.exe	93
PID 3132 wrote to memory of 2960	3132	vbc.exe	93
PID 3132 wrote to memory of 2960	3132	vbc.exe	93
PID 3132 wrote to memory of 4556	3132	vbc.exe	94
PID 3132 wrote to memory of 4556	3132	vbc.exe	94
PID 3132 wrote to memory of 4556	3132	vbc.exe	94
PID 4272 wrote to memory of 4764	4272	vbc.exe	99
PID 4272 wrote to memory of 4764	4272	vbc.exe	99
PID 4272 wrote to memory of 4764	4272	vbc.exe	99
PID 4556 wrote to memory of 4208	4556	cmd.exe	100
PID 4556 wrote to memory of 4208	4556	cmd.exe	100
PID 4556 wrote to memory of 4208	4556	cmd.exe	100
PID 696 wrote to memory of 3388	696	cmd.exe	101
PID 696 wrote to memory of 3388	696	cmd.exe	101
PID 696 wrote to memory of 3388	696	cmd.exe	101
PID 1032 wrote to memory of 2340	1032	cmd.exe	102
PID 1032 wrote to memory of 2340	1032	cmd.exe	102
PID 1032 wrote to memory of 2340	1032	cmd.exe	102
PID 2960 wrote to memory of 3608	2960	cmd.exe	103
PID 2960 wrote to memory of 3608	2960	cmd.exe	103
PID 2960 wrote to memory of 3608	2960	cmd.exe	103
PID 2140 wrote to memory of 1680	2140	JaffaCakes118_95d1c10659e169bf73da92e4ee39060c.exe	109
PID 2140 wrote to memory of 1680	2140	JaffaCakes118_95d1c10659e169bf73da92e4ee39060c.exe	109
PID 2140 wrote to memory of 1680	2140	JaffaCakes118_95d1c10659e169bf73da92e4ee39060c.exe	109

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_95d1c10659e169bf73da92e4ee39060c.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_95d1c10659e169bf73da92e4ee39060c.exe"
1⤵
- Checks computer location settings
- Drops desktop.ini file(s)
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2140
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3132
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1032
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      4⤵
      Modifies firewall policy service
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:2340
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /t REG_SZ /d "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe:*:Enabled:Windows Messanger" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:696
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /t REG_SZ /d "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe:*:Enabled:Windows Messanger" /f
      4⤵
      Modifies firewall policy service
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:3388
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2960
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      4⤵
      Modifies firewall policy service
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:3608
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\1OJQI276R7.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\1OJQI276R7.exe:*:Enabled:Windows Messanger" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4556
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\1OJQI276R7.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\1OJQI276R7.exe:*:Enabled:Windows Messanger" /f
      4⤵
      Modifies firewall policy service
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:4208
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\czv9kqap.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4272
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5F56.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC34EFA12E654B4D985259B17458EC5D.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4764
- C:\Users\Admin\AppData\Roaming\887341.exe
  "C:\Users\Admin\AppData\Roaming\887341.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES5F56.tmp

Filesize
1KB

MD5
b79b192e4602c584d48f9115ff3df530

SHA1
602f681c9aa0d973aaf0a276831c0d0913d04009

SHA256
ed541b397703bb3562170e7930c4282d60b247a3bd0e090e0756801987d606c6

SHA512
f57566ee5b9b6b35a2c5bf149fb6966e2c7746269619c57281783dbbe8cc1f6d1bfd7bd712e893892bca832e89db42ef0640ce8f3b63db31d667efc8b3261513

Download Submit
C:\Users\Admin\AppData\Local\Temp\czv9kqap.0.vb

Filesize
1KB

MD5
0217d35fceda857215d865e9c6788501

SHA1
2c6968fe3409e744eeb4f2066fbaa0144e5c3d0f

SHA256
3189d9c2e4176dd9ffa36c0618bde741b87641a2e3f5e85527e74111eba5b0ff

SHA512
8586aeb1c3727f9607dbd4481ffebab88aae8afbb0d36ab4bb09c4df30b3e7e2e07ffac966d9e0cdc0a11524d644660931e0c1a97b8dcafbd6bf707869eedd71

Download Submit
C:\Users\Admin\AppData\Local\Temp\czv9kqap.cmdline

Filesize
234B

MD5
d0f2e838370f812d624f37c40003cba5

SHA1
fb01d4ec854291b88cdd9f478f9e9531f962fc83

SHA256
bcb183ecc247c51fcaf8738baad64bdb5fa199a00ecdea29c3b1aa982cb6ffe6

SHA512
b4fc8ce5b3b5bd72df088d0ed784a0417e59b59aaa28e6f49e33229524d04ddf11b05b5f5cd9f8a694b8992fdd899fe5558d8abd46a73ac8301c5194cca05275

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcC34EFA12E654B4D985259B17458EC5D.TMP

Filesize
880B

MD5
8234df8b27f5673e86c27b88f009825c

SHA1
0ce51d321cb2482447635da6652ddfee8412235b

SHA256
7bcd33922ef46d3424156c17e0238ab1ce0f2990eca7594ac0ecb8d1a510f5dd

SHA512
06dd92fd3f81d94a2708c2a4f77dfedab3fcb268f2857f305ac3a43cb444a3b6fc3c4b3b214c8a1cb51c2cec8c2624dbff92ba82a670499c8705e724990ca606

Download Submit
C:\Users\Admin\AppData\Roaming\887341.exe

Filesize
7KB

MD5
58020617f69925fb7a22d039c6d29b9f

SHA1
e4424c587f2870b2f2cd02d8a95b2504de959b5f

SHA256
1ac4508ec150e593610228ee05f46cc53a29d0ebafddce565bfdd2800dbdf4ce

SHA512
70a29a2c840b2993c3ee7e053360f53c34b86ef373b3748b8871c44a5054404072ecc1a0b47af3f83fe94d57e5717b32a7339bad02841903391e3ecbd786aab9

Download Submit
memory/2140-1-0x0000000075300000-0x00000000758B1000-memory.dmp

Filesize
5.7MB

Download
memory/2140-2-0x0000000075300000-0x00000000758B1000-memory.dmp

Filesize
5.7MB

Download
memory/2140-0-0x0000000075302000-0x0000000075303000-memory.dmp

Filesize
4KB

Download
memory/2140-30-0x0000000075300000-0x00000000758B1000-memory.dmp

Filesize
5.7MB

Download
memory/3132-37-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3132-38-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3132-50-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3132-7-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3132-33-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3132-35-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3132-5-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3132-47-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3132-39-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3132-41-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3132-42-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3132-46-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4272-25-0x0000000000400000-0x000000000051F000-memory.dmp

Filesize
1.1MB

Download
memory/4272-16-0x0000000000400000-0x000000000051F000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads