asyncrat | 55af1ee79176f2503dc6cee5464344e6bbcaa4e37b4ae7217922c8e56ec395cf

Analysis

max time kernel
156s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
28-08-2022 04:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Fortnite Internal Esp AIm Clean Full_nls..scr
Size

2.6MB
MD5

5361a2f1d174599ebc5b6cc31daf86f2
SHA1

ade74d0abac77203629b81513a739f11b39a52ef
SHA256

55af1ee79176f2503dc6cee5464344e6bbcaa4e37b4ae7217922c8e56ec395cf
SHA512

96381c583b975e4c2cd7ec70bd955936c48a9737036234241e37e73baf81c96cb28ab28d2fe3c53ed1e8ce0be641fba653d7e6877770cb8f60fb32f2c7b703b4
SSDEEP

49152:j8ASxr7FEi5LbunhHpj5G3FVhIdag5SNHeGJWrz:jTSt7FEGnCdpj5G3FVq18gGJ

Score

10^/10

asyncrat blacknet uzvhe6 windowsdefendrsmartscreen evasion persistence rat trojan

Malware Config

Extracted

Family

asyncrat

Version

1.0.7

Botnet

WindowsDefendrSmartScreen

217.64.31.3:9742

Mutex

WindowsDefendrSmartScreen

Attributes

delay
1
install
false
install_file
WindowsDefendrSmartScreen.exe
install_folder
%AppData%

aes.plain

Extracted

Family

blacknet

Version

v3.7.0 Public

Botnet

uzVHE6

http://fakirlerclub.xyz/blacknet

Mutex

BN[fdc98aef8b987490ccd4d376d67d69a7]

Attributes

antivm
false
elevate_uac
false
install_name
WindowsUpdate.exe
splitter
|BN|
start_name
e162b1333458a713bc6916cc8ac4110c
startup
false
usb_spread
false

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat
BlackNET
BlackNET is an open source remote access tool written in VB.NET.
trojan blacknet

BlackNET payload 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\tmpB726.tmp.exe	family_blacknet
C:\Users\Admin\AppData\Local\Temp\tmpB726.tmp.exe	family_blacknet
behavioral2/memory/4776-215-0x00000000009F0000-0x0000000000A0E000-memory.dmp	family_blacknet

Contains code to disable Windows Defender 3 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\tmpB726.tmp.exe	disable_win_def
C:\Users\Admin\AppData\Local\Temp\tmpB726.tmp.exe	disable_win_def
behavioral2/memory/4776-215-0x00000000009F0000-0x0000000000A0E000-memory.dmp	disable_win_def

Modifies WinLogon for persistence 2 TTPs 5 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

Fortnite Internal Esp AIm Clean Full_nls..scrSERVICEEDEFENDER.EXEWINDOWSDEFENDRSMARTSCREEN.EXEWINDOWSSECUTIYHALTHYSERVICE.EXEBLACKNET.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoftt\\DefenderProtector.exe\","	Fortnite Internal Esp AIm Clean Full_nls..scr
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Roaming\\Discord\\ServiceDefender.exe\","	SERVICEEDEFENDER.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Roaming\\Discord\\ServiceDefender.exe\","	WINDOWSDEFENDRSMARTSCREEN.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Roaming\\Discord\\ServiceDefender.exe\","	WINDOWSSECUTIYHALTHYSERVICE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Roaming\\Discord\\ServiceDefender.exe\","	BLACKNET.EXE

Async RAT payload 3 IoCs

rat

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\tmp69D1.tmp.exe	asyncrat
C:\Users\Admin\AppData\Local\Temp\tmp69D1.tmp.exe	asyncrat
behavioral2/memory/3524-194-0x0000000000090000-0x00000000000A6000-memory.dmp	asyncrat

Downloads MZ/PE file

Executes dropped EXE 9 IoCs

Processes:

tmp4B32.tmp.exeBLACKNET.EXESERVICEEDEFENDER.EXEWINDOWSDEFENDRSMARTSCREEN.EXEWINDOWSSECUTIYHALTHYSERVICE.EXEtmp69D1.tmp.exetmp69C1.tmp.exetmp6B86.tmp.exetmpB726.tmp.exe

pid	process
2200	tmp4B32.tmp.exe
4104	BLACKNET.EXE
4904	SERVICEEDEFENDER.EXE
1548	WINDOWSDEFENDRSMARTSCREEN.EXE
4032	WINDOWSSECUTIYHALTHYSERVICE.EXE
3524	tmp69D1.tmp.exe
2552	tmp69C1.tmp.exe
4600	tmp6B86.tmp.exe
4776	tmpB726.tmp.exe

Sets file to hidden 1 TTPs 2 IoCs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exe

pid process

4680 attrib.exe
3044 attrib.exe

pid	process
4680	attrib.exe
3044	attrib.exe

Checks computer location settings 2 TTPs 7 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

BLACKNET.EXEtmp6B86.tmp.exetmpB726.tmp.exetmp4B32.tmp.exeSERVICEEDEFENDER.EXEWINDOWSDEFENDRSMARTSCREEN.EXEWINDOWSSECUTIYHALTHYSERVICE.EXE

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	BLACKNET.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp6B86.tmp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmpB726.tmp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp4B32.tmp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	SERVICEEDEFENDER.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	WINDOWSDEFENDRSMARTSCREEN.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	WINDOWSSECUTIYHALTHYSERVICE.EXE

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

tmp6B86.tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ = "\"C:\\ProgramData\\WindowsSecutiyHalthyService\\WindowsSecutiyHalthyService.exe\""	tmp6B86.tmp.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of SetThreadContext 4 IoCs

Processes:

SERVICEEDEFENDER.EXEWINDOWSDEFENDRSMARTSCREEN.EXEWINDOWSSECUTIYHALTHYSERVICE.EXEBLACKNET.EXE

description	pid	process	target process
PID 4904 set thread context of 3752	4904	SERVICEEDEFENDER.EXE	InstallUtil.exe
PID 1548 set thread context of 1516	1548	WINDOWSDEFENDRSMARTSCREEN.EXE	InstallUtil.exe
PID 4032 set thread context of 4712	4032	WINDOWSSECUTIYHALTHYSERVICE.EXE	InstallUtil.exe
PID 4104 set thread context of 1748	4104	BLACKNET.EXE	InstallUtil.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

4256 timeout.exe

pid	process
4256	timeout.exe

Modifies registry class 4 IoCs

Processes:

Explorer.EXEFortnite Internal Esp AIm Clean Full_nls..scrOpenWith.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	Fortnite Internal Esp AIm Clean Full_nls..scr
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Explorer.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

4464 PING.EXE

pid	process
4464	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Fortnite Internal Esp AIm Clean Full_nls..scrSERVICEEDEFENDER.EXEWINDOWSDEFENDRSMARTSCREEN.EXEpowershell.exeWINDOWSSECUTIYHALTHYSERVICE.EXEpowershell.exepowershell.exeBLACKNET.EXEpowershell.exetmp6B86.tmp.exetmpB726.tmp.exe

pid	process
4440	Fortnite Internal Esp AIm Clean Full_nls..scr
4440	Fortnite Internal Esp AIm Clean Full_nls..scr
4440	Fortnite Internal Esp AIm Clean Full_nls..scr
4904	SERVICEEDEFENDER.EXE
1548	WINDOWSDEFENDRSMARTSCREEN.EXE
2132	powershell.exe
4032	WINDOWSSECUTIYHALTHYSERVICE.EXE
4952	powershell.exe
2132	powershell.exe
4952	powershell.exe
4952	powershell.exe
2924	powershell.exe
2924	powershell.exe
2924	powershell.exe
4104	BLACKNET.EXE
4104	BLACKNET.EXE
4256	powershell.exe
4256	powershell.exe
4256	powershell.exe
1548	WINDOWSDEFENDRSMARTSCREEN.EXE
4904	SERVICEEDEFENDER.EXE
4904	SERVICEEDEFENDER.EXE
1548	WINDOWSDEFENDRSMARTSCREEN.EXE
1548	WINDOWSDEFENDRSMARTSCREEN.EXE
1548	WINDOWSDEFENDRSMARTSCREEN.EXE
1548	WINDOWSDEFENDRSMARTSCREEN.EXE
1548	WINDOWSDEFENDRSMARTSCREEN.EXE
1548	WINDOWSDEFENDRSMARTSCREEN.EXE
4032	WINDOWSSECUTIYHALTHYSERVICE.EXE
4032	WINDOWSSECUTIYHALTHYSERVICE.EXE
4104	BLACKNET.EXE
4104	BLACKNET.EXE
4600	tmp6B86.tmp.exe
4600	tmp6B86.tmp.exe
4600	tmp6B86.tmp.exe
4600	tmp6B86.tmp.exe
4600	tmp6B86.tmp.exe
4600	tmp6B86.tmp.exe
4600	tmp6B86.tmp.exe
4600	tmp6B86.tmp.exe
4600	tmp6B86.tmp.exe
4600	tmp6B86.tmp.exe
4600	tmp6B86.tmp.exe
4600	tmp6B86.tmp.exe
4600	tmp6B86.tmp.exe
4600	tmp6B86.tmp.exe
4600	tmp6B86.tmp.exe
4600	tmp6B86.tmp.exe
4600	tmp6B86.tmp.exe
4600	tmp6B86.tmp.exe
4600	tmp6B86.tmp.exe
4776	tmpB726.tmp.exe
4776	tmpB726.tmp.exe
4776	tmpB726.tmp.exe
4776	tmpB726.tmp.exe
4776	tmpB726.tmp.exe
4776	tmpB726.tmp.exe
4776	tmpB726.tmp.exe
4776	tmpB726.tmp.exe
4776	tmpB726.tmp.exe
4776	tmpB726.tmp.exe
4776	tmpB726.tmp.exe
4776	tmpB726.tmp.exe
4776	tmpB726.tmp.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

OpenWith.exe

pid process

4936 OpenWith.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Fortnite Internal Esp AIm Clean Full_nls..scrExplorer.EXEWINDOWSSECUTIYHALTHYSERVICE.EXEWINDOWSDEFENDRSMARTSCREEN.EXESERVICEEDEFENDER.EXEBLACKNET.EXEpowershell.exepowershell.exepowershell.exepowershell.exeInstallUtil.exeInstallUtil.exeInstallUtil.exetmp6B86.tmp.exetmp69D1.tmp.exetmp69C1.tmp.exeInstallUtil.exetmpB726.tmp.exe

description	pid	process
Token: SeDebugPrivilege	4440	Fortnite Internal Esp AIm Clean Full_nls..scr
Token: SeShutdownPrivilege	724	Explorer.EXE
Token: SeCreatePagefilePrivilege	724	Explorer.EXE
Token: SeShutdownPrivilege	724	Explorer.EXE
Token: SeCreatePagefilePrivilege	724	Explorer.EXE
Token: SeShutdownPrivilege	724	Explorer.EXE
Token: SeCreatePagefilePrivilege	724	Explorer.EXE
Token: SeShutdownPrivilege	724	Explorer.EXE
Token: SeCreatePagefilePrivilege	724	Explorer.EXE
Token: SeShutdownPrivilege	724	Explorer.EXE
Token: SeCreatePagefilePrivilege	724	Explorer.EXE
Token: SeDebugPrivilege	724	Explorer.EXE
Token: SeDebugPrivilege	4032	WINDOWSSECUTIYHALTHYSERVICE.EXE
Token: SeDebugPrivilege	1548	WINDOWSDEFENDRSMARTSCREEN.EXE
Token: SeDebugPrivilege	4904	SERVICEEDEFENDER.EXE
Token: SeDebugPrivilege	4104	BLACKNET.EXE
Token: SeDebugPrivilege	2132	powershell.exe
Token: SeDebugPrivilege	4952	powershell.exe
Token: SeDebugPrivilege	2924	powershell.exe
Token: SeShutdownPrivilege	724	Explorer.EXE
Token: SeCreatePagefilePrivilege	724	Explorer.EXE
Token: SeDebugPrivilege	4256	powershell.exe
Token: SeShutdownPrivilege	724	Explorer.EXE
Token: SeCreatePagefilePrivilege	724	Explorer.EXE
Token: SeShutdownPrivilege	724	Explorer.EXE
Token: SeCreatePagefilePrivilege	724	Explorer.EXE
Token: SeShutdownPrivilege	724	Explorer.EXE
Token: SeCreatePagefilePrivilege	724	Explorer.EXE
Token: SeShutdownPrivilege	724	Explorer.EXE
Token: SeCreatePagefilePrivilege	724	Explorer.EXE
Token: SeShutdownPrivilege	724	Explorer.EXE
Token: SeCreatePagefilePrivilege	724	Explorer.EXE
Token: SeShutdownPrivilege	724	Explorer.EXE
Token: SeCreatePagefilePrivilege	724	Explorer.EXE
Token: SeShutdownPrivilege	724	Explorer.EXE
Token: SeCreatePagefilePrivilege	724	Explorer.EXE
Token: SeShutdownPrivilege	724	Explorer.EXE
Token: SeCreatePagefilePrivilege	724	Explorer.EXE
Token: SeShutdownPrivilege	724	Explorer.EXE
Token: SeCreatePagefilePrivilege	724	Explorer.EXE
Token: SeShutdownPrivilege	724	Explorer.EXE
Token: SeCreatePagefilePrivilege	724	Explorer.EXE
Token: SeShutdownPrivilege	724	Explorer.EXE
Token: SeCreatePagefilePrivilege	724	Explorer.EXE
Token: SeShutdownPrivilege	724	Explorer.EXE
Token: SeCreatePagefilePrivilege	724	Explorer.EXE
Token: SeShutdownPrivilege	724	Explorer.EXE
Token: SeCreatePagefilePrivilege	724	Explorer.EXE
Token: SeDebugPrivilege	3752	InstallUtil.exe
Token: SeDebugPrivilege	1516	InstallUtil.exe
Token: SeDebugPrivilege	4712	InstallUtil.exe
Token: SeDebugPrivilege	4600	tmp6B86.tmp.exe
Token: SeDebugPrivilege	3524	tmp69D1.tmp.exe
Token: SeDebugPrivilege	2552	tmp69C1.tmp.exe
Token: SeShutdownPrivilege	724	Explorer.EXE
Token: SeCreatePagefilePrivilege	724	Explorer.EXE
Token: SeShutdownPrivilege	724	Explorer.EXE
Token: SeCreatePagefilePrivilege	724	Explorer.EXE
Token: SeShutdownPrivilege	724	Explorer.EXE
Token: SeCreatePagefilePrivilege	724	Explorer.EXE
Token: SeDebugPrivilege	1748	InstallUtil.exe
Token: SeShutdownPrivilege	724	Explorer.EXE
Token: SeCreatePagefilePrivilege	724	Explorer.EXE
Token: SeDebugPrivilege	4776	tmpB726.tmp.exe

Suspicious use of SetWindowsHookEx 33 IoCs

Processes:

OpenWith.exetmpB726.tmp.exe

pid	process
4936	OpenWith.exe
4936	OpenWith.exe
4936	OpenWith.exe
4936	OpenWith.exe
4936	OpenWith.exe
4936	OpenWith.exe
4936	OpenWith.exe
4936	OpenWith.exe
4936	OpenWith.exe
4936	OpenWith.exe
4936	OpenWith.exe
4936	OpenWith.exe
4936	OpenWith.exe
4936	OpenWith.exe
4936	OpenWith.exe
4936	OpenWith.exe
4936	OpenWith.exe
4936	OpenWith.exe
4936	OpenWith.exe
4936	OpenWith.exe
4936	OpenWith.exe
4936	OpenWith.exe
4936	OpenWith.exe
4936	OpenWith.exe
4936	OpenWith.exe
4936	OpenWith.exe
4936	OpenWith.exe
4936	OpenWith.exe
4936	OpenWith.exe
4936	OpenWith.exe
4936	OpenWith.exe
4776	tmpB726.tmp.exe
4776	tmpB726.tmp.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Fortnite Internal Esp AIm Clean Full_nls..scrExplorer.EXEtmp4B32.tmp.exeSERVICEEDEFENDER.EXEWINDOWSDEFENDRSMARTSCREEN.EXEWINDOWSSECUTIYHALTHYSERVICE.EXEBLACKNET.EXEInstallUtil.exe

description	pid	process	target process
PID 4440 wrote to memory of 724	4440	Fortnite Internal Esp AIm Clean Full_nls..scr	Explorer.EXE
PID 724 wrote to memory of 2200	724	Explorer.EXE	tmp4B32.tmp.exe
PID 724 wrote to memory of 2200	724	Explorer.EXE	tmp4B32.tmp.exe
PID 724 wrote to memory of 2200	724	Explorer.EXE	tmp4B32.tmp.exe
PID 2200 wrote to memory of 4104	2200	tmp4B32.tmp.exe	BLACKNET.EXE
PID 2200 wrote to memory of 4104	2200	tmp4B32.tmp.exe	BLACKNET.EXE
PID 2200 wrote to memory of 4104	2200	tmp4B32.tmp.exe	BLACKNET.EXE
PID 2200 wrote to memory of 4904	2200	tmp4B32.tmp.exe	SERVICEEDEFENDER.EXE
PID 2200 wrote to memory of 4904	2200	tmp4B32.tmp.exe	SERVICEEDEFENDER.EXE
PID 2200 wrote to memory of 4904	2200	tmp4B32.tmp.exe	SERVICEEDEFENDER.EXE
PID 2200 wrote to memory of 1548	2200	tmp4B32.tmp.exe	WINDOWSDEFENDRSMARTSCREEN.EXE
PID 2200 wrote to memory of 1548	2200	tmp4B32.tmp.exe	WINDOWSDEFENDRSMARTSCREEN.EXE
PID 2200 wrote to memory of 1548	2200	tmp4B32.tmp.exe	WINDOWSDEFENDRSMARTSCREEN.EXE
PID 2200 wrote to memory of 4032	2200	tmp4B32.tmp.exe	WINDOWSSECUTIYHALTHYSERVICE.EXE
PID 2200 wrote to memory of 4032	2200	tmp4B32.tmp.exe	WINDOWSSECUTIYHALTHYSERVICE.EXE
PID 2200 wrote to memory of 4032	2200	tmp4B32.tmp.exe	WINDOWSSECUTIYHALTHYSERVICE.EXE
PID 4904 wrote to memory of 2132	4904	SERVICEEDEFENDER.EXE	powershell.exe
PID 4904 wrote to memory of 2132	4904	SERVICEEDEFENDER.EXE	powershell.exe
PID 4904 wrote to memory of 2132	4904	SERVICEEDEFENDER.EXE	powershell.exe
PID 1548 wrote to memory of 4952	1548	WINDOWSDEFENDRSMARTSCREEN.EXE	powershell.exe
PID 1548 wrote to memory of 4952	1548	WINDOWSDEFENDRSMARTSCREEN.EXE	powershell.exe
PID 1548 wrote to memory of 4952	1548	WINDOWSDEFENDRSMARTSCREEN.EXE	powershell.exe
PID 4032 wrote to memory of 2924	4032	WINDOWSSECUTIYHALTHYSERVICE.EXE	powershell.exe
PID 4032 wrote to memory of 2924	4032	WINDOWSSECUTIYHALTHYSERVICE.EXE	powershell.exe
PID 4032 wrote to memory of 2924	4032	WINDOWSSECUTIYHALTHYSERVICE.EXE	powershell.exe
PID 4104 wrote to memory of 4256	4104	BLACKNET.EXE	powershell.exe
PID 4104 wrote to memory of 4256	4104	BLACKNET.EXE	powershell.exe
PID 4104 wrote to memory of 4256	4104	BLACKNET.EXE	powershell.exe
PID 4904 wrote to memory of 3752	4904	SERVICEEDEFENDER.EXE	InstallUtil.exe
PID 4904 wrote to memory of 3752	4904	SERVICEEDEFENDER.EXE	InstallUtil.exe
PID 4904 wrote to memory of 3752	4904	SERVICEEDEFENDER.EXE	InstallUtil.exe
PID 1548 wrote to memory of 1040	1548	WINDOWSDEFENDRSMARTSCREEN.EXE	InstallUtil.exe
PID 1548 wrote to memory of 1040	1548	WINDOWSDEFENDRSMARTSCREEN.EXE	InstallUtil.exe
PID 1548 wrote to memory of 1040	1548	WINDOWSDEFENDRSMARTSCREEN.EXE	InstallUtil.exe
PID 4904 wrote to memory of 3752	4904	SERVICEEDEFENDER.EXE	InstallUtil.exe
PID 4904 wrote to memory of 3752	4904	SERVICEEDEFENDER.EXE	InstallUtil.exe
PID 4904 wrote to memory of 3752	4904	SERVICEEDEFENDER.EXE	InstallUtil.exe
PID 4904 wrote to memory of 3752	4904	SERVICEEDEFENDER.EXE	InstallUtil.exe
PID 4904 wrote to memory of 3752	4904	SERVICEEDEFENDER.EXE	InstallUtil.exe
PID 1548 wrote to memory of 1516	1548	WINDOWSDEFENDRSMARTSCREEN.EXE	InstallUtil.exe
PID 1548 wrote to memory of 1516	1548	WINDOWSDEFENDRSMARTSCREEN.EXE	InstallUtil.exe
PID 1548 wrote to memory of 1516	1548	WINDOWSDEFENDRSMARTSCREEN.EXE	InstallUtil.exe
PID 1548 wrote to memory of 1516	1548	WINDOWSDEFENDRSMARTSCREEN.EXE	InstallUtil.exe
PID 1548 wrote to memory of 1516	1548	WINDOWSDEFENDRSMARTSCREEN.EXE	InstallUtil.exe
PID 1548 wrote to memory of 1516	1548	WINDOWSDEFENDRSMARTSCREEN.EXE	InstallUtil.exe
PID 1548 wrote to memory of 1516	1548	WINDOWSDEFENDRSMARTSCREEN.EXE	InstallUtil.exe
PID 1548 wrote to memory of 1516	1548	WINDOWSDEFENDRSMARTSCREEN.EXE	InstallUtil.exe
PID 4032 wrote to memory of 4712	4032	WINDOWSSECUTIYHALTHYSERVICE.EXE	InstallUtil.exe
PID 4032 wrote to memory of 4712	4032	WINDOWSSECUTIYHALTHYSERVICE.EXE	InstallUtil.exe
PID 4032 wrote to memory of 4712	4032	WINDOWSSECUTIYHALTHYSERVICE.EXE	InstallUtil.exe
PID 4032 wrote to memory of 4712	4032	WINDOWSSECUTIYHALTHYSERVICE.EXE	InstallUtil.exe
PID 4032 wrote to memory of 4712	4032	WINDOWSSECUTIYHALTHYSERVICE.EXE	InstallUtil.exe
PID 4032 wrote to memory of 4712	4032	WINDOWSSECUTIYHALTHYSERVICE.EXE	InstallUtil.exe
PID 4032 wrote to memory of 4712	4032	WINDOWSSECUTIYHALTHYSERVICE.EXE	InstallUtil.exe
PID 4032 wrote to memory of 4712	4032	WINDOWSSECUTIYHALTHYSERVICE.EXE	InstallUtil.exe
PID 4104 wrote to memory of 1748	4104	BLACKNET.EXE	InstallUtil.exe
PID 4104 wrote to memory of 1748	4104	BLACKNET.EXE	InstallUtil.exe
PID 4104 wrote to memory of 1748	4104	BLACKNET.EXE	InstallUtil.exe
PID 4104 wrote to memory of 1748	4104	BLACKNET.EXE	InstallUtil.exe
PID 4104 wrote to memory of 1748	4104	BLACKNET.EXE	InstallUtil.exe
PID 4104 wrote to memory of 1748	4104	BLACKNET.EXE	InstallUtil.exe
PID 4104 wrote to memory of 1748	4104	BLACKNET.EXE	InstallUtil.exe
PID 4104 wrote to memory of 1748	4104	BLACKNET.EXE	InstallUtil.exe
PID 1516 wrote to memory of 3524	1516	InstallUtil.exe	tmp69D1.tmp.exe

Views/modifies file attributes 1 TTPs 2 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exe

pid process

4680 attrib.exe
3044 attrib.exe

pid	process
4680	attrib.exe
3044	attrib.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:724

C:\Users\Admin\AppData\Local\Temp\Fortnite Internal Esp AIm Clean Full_nls..scr
"C:\Users\Admin\AppData\Local\Temp\Fortnite Internal Esp AIm Clean Full_nls..scr" /S
2⤵
- Modifies WinLogon for persistence
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4440

C:\Users\Admin\AppData\Local\Temp\tmp4B32.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp4B32.tmp.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2200

C:\Users\Admin\AppData\Roaming\BLACKNET.EXE
"C:\Users\Admin\AppData\Roaming\BLACKNET.EXE"
3⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4104

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMwAxAA==
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4256

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1748

C:\Users\Admin\AppData\Local\Temp\tmpB726.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpB726.tmp.exe"
5⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4776

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping 1.1.1.1 -n 5 -w 5000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\tmpB726.tmp.exe"
6⤵
PID:540

C:\Windows\system32\PING.EXE
ping 1.1.1.1 -n 5 -w 5000
7⤵
- Runs ping.exe
PID:4464

C:\Users\Admin\AppData\Roaming\SERVICEEDEFENDER.EXE
"C:\Users\Admin\AppData\Roaming\SERVICEEDEFENDER.EXE"
3⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4904

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMwAxAA==
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2132

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:3752

C:\Users\Admin\AppData\Local\Temp\tmp69C1.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp69C1.tmp.exe"
5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2552

C:\Users\Admin\AppData\Roaming\WINDOWSDEFENDRSMARTSCREEN.EXE
"C:\Users\Admin\AppData\Roaming\WINDOWSDEFENDRSMARTSCREEN.EXE"
3⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1548

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMwAxAA==
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4952

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
4⤵
PID:1040

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
4⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1516

C:\Users\Admin\AppData\Local\Temp\tmp69D1.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp69D1.tmp.exe"
5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3524

C:\Users\Admin\AppData\Roaming\WINDOWSSECUTIYHALTHYSERVICE.EXE
"C:\Users\Admin\AppData\Roaming\WINDOWSSECUTIYHALTHYSERVICE.EXE"
3⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4032

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMwAxAA==
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2924

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4712

C:\Users\Admin\AppData\Local\Temp\tmp6B86.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp6B86.tmp.exe"
5⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4600

C:\Windows\System32\attrib.exe
"C:\Windows\System32\attrib.exe" +s +h "C:\ProgramData\WindowsSecutiyHalthyService"
6⤵
- Sets file to hidden
- Views/modifies file attributes
PID:4680

C:\Windows\System32\attrib.exe
"C:\Windows\System32\attrib.exe" +s +h "C:\ProgramData\WindowsSecutiyHalthyService\WindowsSecutiyHalthyService.exe"
6⤵
- Sets file to hidden
- Views/modifies file attributes
PID:3044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpD0C8.tmp.bat""
6⤵
PID:3732

C:\Windows\system32\timeout.exe
timeout 3
7⤵
- Delays execution with timeout.exe
PID:4256

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4936

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Hidden Files and Directories

T1158

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\InstallUtil.exe.log
Filesize
847B

MD5
f8ec7f563d06ccddddf6c96b8957e5c8

SHA1
73bdc49dcead32f8c29168645a0f080084132252

SHA256
38ef57aec780edd2c8dab614a85ce87351188fce5896ffebc9f69328df2056ed

SHA512
8830821ac9edb4cdf4d8a3d7bc30433987ae4c158cf81b705654f54aaeba366c5fa3509981aceae21e193dd4483f03b9d449bc0a32545927d3ca94b0f9367684

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
1KB

MD5
4280e36a29fa31c01e4d8b2ba726a0d8

SHA1
c485c2c9ce0a99747b18d899b71dfa9a64dabe32

SHA256
e2486a1bdcba80dad6dd6210d7374bd70ae196a523c06ceda71370fd3ea78359

SHA512
494fe5f0ade03669e5830bed93c964d69b86629440148d7b0881cf53203fd89443ebff9b4d1ee9d96244f62af6edede622d9eacba37f80f389a0d522e4ad4ea4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Filesize
53KB

MD5
06ad34f9739c5159b4d92d702545bd49

SHA1
9152a0d4f153f3f40f7e606be75f81b582ee0c17

SHA256
474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba

SHA512
c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Filesize
53KB

MD5
06ad34f9739c5159b4d92d702545bd49

SHA1
9152a0d4f153f3f40f7e606be75f81b582ee0c17

SHA256
474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba

SHA512
c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Filesize
53KB

MD5
06ad34f9739c5159b4d92d702545bd49

SHA1
9152a0d4f153f3f40f7e606be75f81b582ee0c17

SHA256
474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba

SHA512
c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
16KB

MD5
e55bb2ca6da9e31a9d39fc667ac8f649

SHA1
822bb4f964aa352d127111e3cc646ba6ed9ac467

SHA256
f485f09de5eb100a9bffb41a84f6debfb880ac26d7196b93c4df4f49e8d8a899

SHA512
f8e723b7f603e92fb86e4ebe22a416695e121a54ab5a1167a2981dd54d7583b56726979410365ea2d4c3c3f70f531460fe9cb25d576551e281b6aa4d46ae31c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
10KB

MD5
5c352c352742bc6b26b3be43d61c1b0b

SHA1
2ffdbb0093d39ca9e8538ec5a43b8e7879c5ee7d

SHA256
754d860eddef37c98476ff4dc5f0721953a44d60271eed985e28254a09475c46

SHA512
6f48e25b6069e30c095b37e18f1d8755767935cf7c238ca1bfb96627e6124beeff317bda5751804141ebb418c3ce0873c45b4eda0e8a2ac89347a064de2e1c61

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
15KB

MD5
ffd12bec98d4630b9f90989e1b316210

SHA1
e79559a67b872c362bcaf701f9a40524bb86507e

SHA256
7e0e5fe40b64f57324d52f7aae56224e931a2a6f10f88c756c527523663062c4

SHA512
885b895ca34dfc7e5af70448108e5dd5eb20f4b95e044b7d61dbbac6018c8e83e740987a383969990965b8f9bde13a080226969fd4c7f320b2ba2ddffb3d60d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4B32.tmp.exe
Filesize
928KB

MD5
a1cb188468d9e8699e98a07eec4e1a86

SHA1
ed41e241d733496ad0edcfe3c2270c55f55884ca

SHA256
dcb96304f914dad4a7766c66c5847fa13b872e6188e426ae59038c6e11e3c594

SHA512
8cf987d14158f78c69952a42dbbcc2861174331d034841a6d78e42926b470fa0e5f9a31740595b98b1c4e54028f6a9680d8790424f893918388d771c87438ce6

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4B32.tmp.exe
Filesize
928KB

MD5
a1cb188468d9e8699e98a07eec4e1a86

SHA1
ed41e241d733496ad0edcfe3c2270c55f55884ca

SHA256
dcb96304f914dad4a7766c66c5847fa13b872e6188e426ae59038c6e11e3c594

SHA512
8cf987d14158f78c69952a42dbbcc2861174331d034841a6d78e42926b470fa0e5f9a31740595b98b1c4e54028f6a9680d8790424f893918388d771c87438ce6

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp69C1.tmp.exe
Filesize
277KB

MD5
e949748135b6c02c5bccb863d5a08756

SHA1
065e4388c952c5f423a15d1fd6da1e227edc2666

SHA256
06ae959dd3a5846cee2521fcba821993bc2ed8fc4cf98226b10d30c5c5e30e57

SHA512
438fa197a8b7f6179d2315dde2755eb49eca2f0eca4c39f380596437f71936f664e2be5750b2c93ab925314569fc4e5d3f89c208cb5750c1b0fbb826e5e94875

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp69C1.tmp.exe
Filesize
277KB

MD5
e949748135b6c02c5bccb863d5a08756

SHA1
065e4388c952c5f423a15d1fd6da1e227edc2666

SHA256
06ae959dd3a5846cee2521fcba821993bc2ed8fc4cf98226b10d30c5c5e30e57

SHA512
438fa197a8b7f6179d2315dde2755eb49eca2f0eca4c39f380596437f71936f664e2be5750b2c93ab925314569fc4e5d3f89c208cb5750c1b0fbb826e5e94875

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp69D1.tmp.exe
Filesize
63KB

MD5
a86428bf106aca22a89abcb647e7e933

SHA1
eac42598d4d0f59c6da73fc8a6dfd887469accef

SHA256
ad04c8476ffb23cc924de259e79e5adf8b4c48014b55d7e17027fce6b94e123e

SHA512
cb66171ec2f4e095ada5126f57dbdce98d9295e3a33d820794b4bc49e87c8a3aede2ca864fb1ad2a3ace0118b4590d2fd76c9e9c1b996a77e2fc530451e34886

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp69D1.tmp.exe
Filesize
63KB

MD5
a86428bf106aca22a89abcb647e7e933

SHA1
eac42598d4d0f59c6da73fc8a6dfd887469accef

SHA256
ad04c8476ffb23cc924de259e79e5adf8b4c48014b55d7e17027fce6b94e123e

SHA512
cb66171ec2f4e095ada5126f57dbdce98d9295e3a33d820794b4bc49e87c8a3aede2ca864fb1ad2a3ace0118b4590d2fd76c9e9c1b996a77e2fc530451e34886

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6B86.tmp.exe
Filesize
48KB

MD5
403b136becfcf5142ba17b19a4d0def1

SHA1
58d5f6c0ecf67fe16a94587a4cfa229e038d7328

SHA256
deaae877a2950cc155c258217db435d1dad0672e8323a6be983c1300247cab96

SHA512
4070393972bc7bccbe52eb0a3297932da9d9c9cb7631936c03c1d7a585b2996ff5e62758f98617913417ea53ff4467db385d9cf5ef46eb404ab083c807ec2719

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6B86.tmp.exe
Filesize
48KB

MD5
403b136becfcf5142ba17b19a4d0def1

SHA1
58d5f6c0ecf67fe16a94587a4cfa229e038d7328

SHA256
deaae877a2950cc155c258217db435d1dad0672e8323a6be983c1300247cab96

SHA512
4070393972bc7bccbe52eb0a3297932da9d9c9cb7631936c03c1d7a585b2996ff5e62758f98617913417ea53ff4467db385d9cf5ef46eb404ab083c807ec2719

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB726.tmp.exe
Filesize
99KB

MD5
b15b8d5c4bdc9694e7c8fbfba9f2d7cf

SHA1
6d6cd9b33d691c709eef1bce227a2966af32b050

SHA256
f80bf7bdeca461e9901eb8ab4143ea128d5557821c5f7e5b00ef921bda24c015

SHA512
28f3ce0b26b023116b24c9d8399fed056ccfae2c35b4e65a8adddf0804c8339d04809b9c3b2d94e55be0670e27920c73ffd68658cb16d3a172aef0c3179b6af0

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB726.tmp.exe
Filesize
99KB

MD5
b15b8d5c4bdc9694e7c8fbfba9f2d7cf

SHA1
6d6cd9b33d691c709eef1bce227a2966af32b050

SHA256
f80bf7bdeca461e9901eb8ab4143ea128d5557821c5f7e5b00ef921bda24c015

SHA512
28f3ce0b26b023116b24c9d8399fed056ccfae2c35b4e65a8adddf0804c8339d04809b9c3b2d94e55be0670e27920c73ffd68658cb16d3a172aef0c3179b6af0

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD0C8.tmp.bat
Filesize
183B

MD5
1b4e84f72ad818269d01ba1b9220dfac

SHA1
ef73909766c2315a16ce72cb76937c6fe89cf196

SHA256
70df9fbddf611781387f560cec0947b3a8e71228bdd73ce9ef5b94e299f916c5

SHA512
66ef50ca454cee264a5d03fc6e429d53ba6a57d6db4434dc8b0fc6d8ebb0bf8639a7bf934052f1649dcba7b8ffdb6f7c212ff44e5e235957e477f63fdcda1b82

Download Submit
C:\Users\Admin\AppData\Roaming\BLACKNET.EXE
Filesize
132KB

MD5
5361492a445395b3abdd3a8d430090dd

SHA1
a0f92e46bfcdcdda574130abd6f57a9e6b2a90f0

SHA256
1eebad9bce22f20abfb8b61eeeaf8ad1166fd23d8b350af22b06392c53bc2802

SHA512
92bf6b2fa52a208387bc5c5970d26208b91668e95196708bf393ff1a781fc4174cbbcf8942ce9fc4df2d6fdbe751a46517daa2c28081b4862434304deebda305

Download Submit
C:\Users\Admin\AppData\Roaming\BLACKNET.EXE
Filesize
132KB

MD5
5361492a445395b3abdd3a8d430090dd

SHA1
a0f92e46bfcdcdda574130abd6f57a9e6b2a90f0

SHA256
1eebad9bce22f20abfb8b61eeeaf8ad1166fd23d8b350af22b06392c53bc2802

SHA512
92bf6b2fa52a208387bc5c5970d26208b91668e95196708bf393ff1a781fc4174cbbcf8942ce9fc4df2d6fdbe751a46517daa2c28081b4862434304deebda305

Download Submit
C:\Users\Admin\AppData\Roaming\Discord\ServiceDefender.exe
Filesize
132KB

MD5
e8a55a613d23e48cec6bcffe953f422e

SHA1
3140be37c0cfc5d128ad7558ce88cb520ad4ee20

SHA256
bad7ea46205f801d461cd295f246b7ab6c8a0dbd6d93c0021f9e04b0c8f49f97

SHA512
dd6e34824d0811c3f7409bf8882b033bba270fc0d7a4d783d21359ac0043975700e0d1f6a08f33e41d8283eb1ba65881a29e67eaa3ea11ccc4d32eabaca28daf

Download Submit
C:\Users\Admin\AppData\Roaming\Discord\ServiceDefender.exe
Filesize
132KB

MD5
5361492a445395b3abdd3a8d430090dd

SHA1
a0f92e46bfcdcdda574130abd6f57a9e6b2a90f0

SHA256
1eebad9bce22f20abfb8b61eeeaf8ad1166fd23d8b350af22b06392c53bc2802

SHA512
92bf6b2fa52a208387bc5c5970d26208b91668e95196708bf393ff1a781fc4174cbbcf8942ce9fc4df2d6fdbe751a46517daa2c28081b4862434304deebda305

Download Submit
C:\Users\Admin\AppData\Roaming\SERVICEEDEFENDER.EXE
Filesize
346KB

MD5
c21905b87778932cb51b4715d00e7e7e

SHA1
642c4371d36e27cb165a4eb0b7037d4eebdf4dd5

SHA256
4f120c8ebabebcb9de147e7e0d087b38d86c67aed5889b72a417afdba8008551

SHA512
213e611b240041b2e1eaa91d5d28cec7d309e06fc528e37cacc64b1014128f106e906bb1ccbdd22d6df59de938af5c76542e7f3f05534cb0662dff57adbedde3

Download Submit
C:\Users\Admin\AppData\Roaming\SERVICEEDEFENDER.EXE
Filesize
346KB

MD5
c21905b87778932cb51b4715d00e7e7e

SHA1
642c4371d36e27cb165a4eb0b7037d4eebdf4dd5

SHA256
4f120c8ebabebcb9de147e7e0d087b38d86c67aed5889b72a417afdba8008551

SHA512
213e611b240041b2e1eaa91d5d28cec7d309e06fc528e37cacc64b1014128f106e906bb1ccbdd22d6df59de938af5c76542e7f3f05534cb0662dff57adbedde3

Download Submit
C:\Users\Admin\AppData\Roaming\WINDOWSDEFENDRSMARTSCREEN.EXE
Filesize
132KB

MD5
17fb18573b1dc1054c54f75d03f6a654

SHA1
35215aab38d1c308f2ed7c42b0d363d083e2b23b

SHA256
d131775334ba49896d6566cc77063010bb6f2221ae4816e6dab133bad691f2f1

SHA512
b6e4ce10eb1342bcbddbb9801de1a7b78c6e385005914adbaad8580d4ceeb125202528d22b4c13ec3e7976f5a471ce7c763aea19eb980282627d0383ba712b3f

Download Submit
C:\Users\Admin\AppData\Roaming\WINDOWSDEFENDRSMARTSCREEN.EXE
Filesize
132KB

MD5
17fb18573b1dc1054c54f75d03f6a654

SHA1
35215aab38d1c308f2ed7c42b0d363d083e2b23b

SHA256
d131775334ba49896d6566cc77063010bb6f2221ae4816e6dab133bad691f2f1

SHA512
b6e4ce10eb1342bcbddbb9801de1a7b78c6e385005914adbaad8580d4ceeb125202528d22b4c13ec3e7976f5a471ce7c763aea19eb980282627d0383ba712b3f

Download Submit
C:\Users\Admin\AppData\Roaming\WINDOWSSECUTIYHALTHYSERVICE.EXE
Filesize
132KB

MD5
e8a55a613d23e48cec6bcffe953f422e

SHA1
3140be37c0cfc5d128ad7558ce88cb520ad4ee20

SHA256
bad7ea46205f801d461cd295f246b7ab6c8a0dbd6d93c0021f9e04b0c8f49f97

SHA512
dd6e34824d0811c3f7409bf8882b033bba270fc0d7a4d783d21359ac0043975700e0d1f6a08f33e41d8283eb1ba65881a29e67eaa3ea11ccc4d32eabaca28daf

Download Submit
C:\Users\Admin\AppData\Roaming\WINDOWSSECUTIYHALTHYSERVICE.EXE
Filesize
132KB

MD5
e8a55a613d23e48cec6bcffe953f422e

SHA1
3140be37c0cfc5d128ad7558ce88cb520ad4ee20

SHA256
bad7ea46205f801d461cd295f246b7ab6c8a0dbd6d93c0021f9e04b0c8f49f97

SHA512
dd6e34824d0811c3f7409bf8882b033bba270fc0d7a4d783d21359ac0043975700e0d1f6a08f33e41d8283eb1ba65881a29e67eaa3ea11ccc4d32eabaca28daf

Download Submit
memory/540-217-0x0000000000000000-mapping.dmp

Download
memory/724-141-0x00007FFB54A80000-0x00007FFB55541000-memory.dmp

Filesize
10.8MB

Download
memory/724-139-0x00007FFB54A80000-0x00007FFB55541000-memory.dmp

Filesize
10.8MB

Download
memory/1040-180-0x0000000000000000-mapping.dmp

Download
memory/1516-182-0x0000000000000000-mapping.dmp

Download
memory/1516-183-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1548-156-0x0000000000250000-0x0000000000276000-memory.dmp

Filesize
152KB

Download
memory/1548-151-0x0000000000000000-mapping.dmp

Download
memory/1748-189-0x0000000000000000-mapping.dmp

Download
memory/1748-190-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2132-164-0x00000000059C0000-0x0000000005FE8000-memory.dmp

Filesize
6.2MB

Download
memory/2132-169-0x0000000006920000-0x000000000693E000-memory.dmp

Filesize
120KB

Download
memory/2132-170-0x0000000007F80000-0x00000000085FA000-memory.dmp

Filesize
6.5MB

Download
memory/2132-167-0x0000000006320000-0x0000000006386000-memory.dmp

Filesize
408KB

Download
memory/2132-163-0x0000000003340000-0x0000000003376000-memory.dmp

Filesize
216KB

Download
memory/2132-162-0x0000000000000000-mapping.dmp

Download
memory/2132-166-0x0000000006240000-0x00000000062A6000-memory.dmp

Filesize
408KB

Download
memory/2200-142-0x0000000000000000-mapping.dmp

Download
memory/2552-200-0x0000015BEE0E0000-0x0000015BEE12A000-memory.dmp

Filesize
296KB

Download
memory/2552-211-0x00007FFB54A80000-0x00007FFB55541000-memory.dmp

Filesize
10.8MB

Download
memory/2552-206-0x00007FFB54A80000-0x00007FFB55541000-memory.dmp

Filesize
10.8MB

Download
memory/2552-195-0x0000000000000000-mapping.dmp

Download
memory/2924-168-0x0000000000000000-mapping.dmp

Download
memory/3044-208-0x0000000000000000-mapping.dmp

Download
memory/3524-209-0x00007FFB54A80000-0x00007FFB55541000-memory.dmp

Filesize
10.8MB

Download
memory/3524-191-0x0000000000000000-mapping.dmp

Download
memory/3524-194-0x0000000000090000-0x00000000000A6000-memory.dmp

Filesize
88KB

Download
memory/3524-199-0x00007FFB54A80000-0x00007FFB55541000-memory.dmp

Filesize
10.8MB

Download
memory/3732-220-0x0000000000000000-mapping.dmp

Download
memory/3752-181-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3752-179-0x0000000000000000-mapping.dmp

Download
memory/4032-160-0x0000000000150000-0x0000000000176000-memory.dmp

Filesize
152KB

Download
memory/4032-157-0x0000000000000000-mapping.dmp

Download
memory/4104-145-0x0000000000000000-mapping.dmp

Download
memory/4104-153-0x0000000000E10000-0x0000000000E36000-memory.dmp

Filesize
152KB

Download
memory/4256-222-0x0000000000000000-mapping.dmp

Download
memory/4256-174-0x0000000000000000-mapping.dmp

Download
memory/4440-136-0x00007FFB72D50000-0x00007FFB72F45000-memory.dmp

Filesize
2.0MB

Download
memory/4440-135-0x00007FFB72D50000-0x00007FFB72F45000-memory.dmp

Filesize
2.0MB

Download
memory/4440-140-0x00007FFB72D50000-0x00007FFB72F45000-memory.dmp

Filesize
2.0MB

Download
memory/4440-132-0x0000019101D10000-0x0000019101FB0000-memory.dmp

Filesize
2.6MB

Download
memory/4440-133-0x0000019102340000-0x0000019102362000-memory.dmp

Filesize
136KB

Download
memory/4440-138-0x00007FFB54A80000-0x00007FFB55541000-memory.dmp

Filesize
10.8MB

Download
memory/4440-137-0x00007FFB54A80000-0x00007FFB55541000-memory.dmp

Filesize
10.8MB

Download
memory/4440-134-0x00007FFB54A80000-0x00007FFB55541000-memory.dmp

Filesize
10.8MB

Download
memory/4464-218-0x0000000000000000-mapping.dmp

Download
memory/4600-205-0x00007FFB54A80000-0x00007FFB55541000-memory.dmp

Filesize
10.8MB

Download
memory/4600-196-0x0000000000000000-mapping.dmp

Download
memory/4600-223-0x00007FFB54A80000-0x00007FFB55541000-memory.dmp

Filesize
10.8MB

Download
memory/4600-210-0x00007FFB54A80000-0x00007FFB55541000-memory.dmp

Filesize
10.8MB

Download
memory/4600-203-0x0000000000A30000-0x0000000000A42000-memory.dmp

Filesize
72KB

Download
memory/4680-207-0x0000000000000000-mapping.dmp

Download
memory/4712-185-0x0000000000000000-mapping.dmp

Download
memory/4712-186-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4776-212-0x0000000000000000-mapping.dmp

Download
memory/4776-216-0x00007FFB54A80000-0x00007FFB55541000-memory.dmp

Filesize
10.8MB

Download
memory/4776-215-0x00000000009F0000-0x0000000000A0E000-memory.dmp

Filesize
120KB

Download
memory/4776-219-0x00007FFB54A80000-0x00007FFB55541000-memory.dmp

Filesize
10.8MB

Download
memory/4904-152-0x0000000000C20000-0x0000000000C7C000-memory.dmp

Filesize
368KB

Download
memory/4904-148-0x0000000000000000-mapping.dmp

Download
memory/4904-161-0x00000000062F0000-0x0000000006312000-memory.dmp

Filesize
136KB

Download
memory/4952-165-0x0000000000000000-mapping.dmp

Download
memory/4952-171-0x0000000006600000-0x000000000661A000-memory.dmp

Filesize
104KB

Download