Analysis

  • max time kernel
    118s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    24/01/2025, 01:54

General

  • Target

    30bfa720ec95d0518b040d9d2462904b1af104e320599473e09503845897709d.exe

  • Size

    520KB

  • MD5

    d6377d393ff9cc3ca85ca60ac9997e85

  • SHA1

    bd92903c8a00e7ec22d80c5ea0578ee9b5f074c6

  • SHA256

    30bfa720ec95d0518b040d9d2462904b1af104e320599473e09503845897709d

  • SHA512

    2e1ed2ddea8cce3bea358b0c459c77dee7d8c13ac16fd266f3d5d7cf598c02383c90be692aaa13bf07cbe83eaffcd8f13e12a478982cd02ea208dcb9d37e547c

  • SSDEEP

    12288:zW6n3sX4yCFr2ZemYOpSPIsGWeKZl4q7sioX9:zW6ncoyqOp6IsTl/mX9

Malware Config

Signatures

  • Blackshades

    Blackshades is a remote access trojan with various capabilities.

  • Blackshades family
  • Blackshades payload (10 IoCs)
  • Modifies firewall policy service (3 TTPs, 8 IoCs)
  • Executes dropped EXE (18 IoCs)
  • Loads dropped DLL (35 IoCs)
  • Adds Run key to start application (2 TTPs, 17 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery (1 TTP, 61 IoCs)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry key (1 TTP, 4 IoCs)
  • Suspicious use of AdjustPrivilegeToken (35 IoCs)
  • Suspicious use of SetWindowsHookEx (21 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\30bfa720ec95d0518b040d9d2462904b1af104e320599473e09503845897709d.exe
    "C:\Users\Admin\AppData\Local\Temp\30bfa720ec95d0518b040d9d2462904b1af104e320599473e09503845897709d.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2384
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\TempDWWLU.bat" "
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1164
      • C:\Windows\SysWOW64\reg.exe
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TPDQBYEWVRSFLSS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UOHNUFGTYAQYMXN\service.exe" /f
        3⤵
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        PID:2024
    • C:\Users\Admin\AppData\Local\Temp\UOHNUFGTYAQYMXN\service.exe
      "C:\Users\Admin\AppData\Local\Temp\UOHNUFGTYAQYMXN\service.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2408
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\TempHYAHH.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3000
        • C:\Windows\SysWOW64\reg.exe
          REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DIXYVEFQWNLPKSG" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IKWWAXSRXTJWENE\service.exe" /f
          4⤵
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          PID:2840
      • C:\Users\Admin\AppData\Local\Temp\IKWWAXSRXTJWENE\service.exe
        "C:\Users\Admin\AppData\Local\Temp\IKWWAXSRXTJWENE\service.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1200
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c ""C:\Users\Admin\AppData\Local\TempUHPJO.bat" "
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:752
          • C:\Windows\SysWOW64\reg.exe
            REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "LQVBCIAFUTHIECE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JMYYCUSBVKYAGOF\service.exe" /f
            5⤵
            • Adds Run key to start application
            • System Location Discovery: System Language Discovery
            PID:2148
        • C:\Users\Admin\AppData\Local\Temp\JMYYCUSBVKYAGOF\service.exe
          "C:\Users\Admin\AppData\Local\Temp\JMYYCUSBVKYAGOF\service.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1144
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c ""C:\Users\Admin\AppData\Local\TempEDHYU.bat" "
            5⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2680
            • C:\Windows\SysWOW64\reg.exe
              REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "BEPRMKMCQXGRWHT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\AIRJFATYKKIQCJN\service.exe" /f
              6⤵
              • Adds Run key to start application
              • System Location Discovery: System Language Discovery
              PID:2416
          • C:\Users\Admin\AppData\Local\Temp\AIRJFATYKKIQCJN\service.exe
            "C:\Users\Admin\AppData\Local\Temp\AIRJFATYKKIQCJN\service.exe"
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:2936
            • C:\Windows\SysWOW64\cmd.exe
              cmd /c ""C:\Users\Admin\AppData\Local\TempKLUQD.bat" "
              6⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:2908
              • C:\Windows\SysWOW64\reg.exe
                REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CYXBOESOMRDRTOH" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\VYNHAGNWMRJRFQG\service.exe" /f
                7⤵
                • Adds Run key to start application
                • System Location Discovery: System Language Discovery
                PID:2972
            • C:\Users\Admin\AppData\Local\Temp\VYNHAGNWMRJRFQG\service.exe
              "C:\Users\Admin\AppData\Local\Temp\VYNHAGNWMRJRFQG\service.exe"
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:2232
              • C:\Windows\SysWOW64\cmd.exe
                cmd /c ""C:\Users\Admin\AppData\Local\TempAHUCQ.bat" "
                7⤵
                • System Location Discovery: System Language Discovery
                PID:488
                • C:\Windows\SysWOW64\reg.exe
                  REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "YCNKJNBEAOUNDDF" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HKWVAXSQXTIWEMD\service.exe" /f
                  8⤵
                  • Adds Run key to start application
                  • System Location Discovery: System Language Discovery
                  PID:1996
              • C:\Users\Admin\AppData\Local\Temp\HKWVAXSQXTIWEMD\service.exe
                "C:\Users\Admin\AppData\Local\Temp\HKWVAXSQXTIWEMD\service.exe"
                7⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • System Location Discovery: System Language Discovery
                • Suspicious use of SetWindowsHookEx
                PID:1148
                • C:\Windows\SysWOW64\cmd.exe
                  cmd /c ""C:\Users\Admin\AppData\Local\TempKSOXO.bat" "
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:1356
                  • C:\Windows\SysWOW64\reg.exe
                    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "GLYHHTQNRMUJKCJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\QJYIQEEFAFBWQEL\service.exe" /f
                    9⤵
                    • Adds Run key to start application
                    • System Location Discovery: System Language Discovery
                    PID:1452
                • C:\Users\Admin\AppData\Local\Temp\QJYIQEEFAFBWQEL\service.exe
                  "C:\Users\Admin\AppData\Local\Temp\QJYIQEEFAFBWQEL\service.exe"
                  8⤵
                  • Executes dropped EXE
                  • Loads dropped DLL
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of SetWindowsHookEx
                  PID:692
                  • C:\Windows\SysWOW64\cmd.exe
                    cmd /c ""C:\Users\Admin\AppData\Local\TempSDXWL.bat" "
                    9⤵
                    • System Location Discovery: System Language Discovery
                    PID:1940
                    • C:\Windows\SysWOW64\reg.exe
                      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TQEQBAYEWVRSFLS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\RRBYNMNJHOJMUDO\service.exe" /f
                      10⤵
                      • Adds Run key to start application
                      • System Location Discovery: System Language Discovery
                      PID:2324
                  • C:\Users\Admin\AppData\Local\Temp\RRBYNMNJHOJMUDO\service.exe
                    "C:\Users\Admin\AppData\Local\Temp\RRBYNMNJHOJMUDO\service.exe"
                    9⤵
                    • Executes dropped EXE
                    • Loads dropped DLL
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of SetWindowsHookEx
                    PID:1892
                    • C:\Windows\SysWOW64\cmd.exe
                      cmd /c ""C:\Users\Admin\AppData\Local\TempLHVUG.bat" "
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:2120
                      • C:\Windows\SysWOW64\reg.exe
                        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "POSFJFDTRIIKFBC" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MPEXVEXNDJARIHS\service.exe" /f
                        11⤵
                        • Adds Run key to start application
                        • System Location Discovery: System Language Discovery
                        PID:1652
                    • C:\Users\Admin\AppData\Local\Temp\MPEXVEXNDJARIHS\service.exe
                      "C:\Users\Admin\AppData\Local\Temp\MPEXVEXNDJARIHS\service.exe"
                      10⤵
                      • Executes dropped EXE
                      • Loads dropped DLL
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of SetWindowsHookEx
                      PID:1164
                      • C:\Windows\SysWOW64\cmd.exe
                        cmd /c ""C:\Users\Admin\AppData\Local\TempXWSTT.bat" "
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:2784
                        • C:\Windows\SysWOW64\reg.exe
                          REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "PKIKAOVEPUFRCBF" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GPHDRWIIGOAHLCN\service.exe" /f
                          12⤵
                          • Adds Run key to start application
                          • System Location Discovery: System Language Discovery
                          PID:2588
                      • C:\Users\Admin\AppData\Local\Temp\GPHDRWIIGOAHLCN\service.exe
                        "C:\Users\Admin\AppData\Local\Temp\GPHDRWIIGOAHLCN\service.exe"
                        11⤵
                        • Executes dropped EXE
                        • Loads dropped DLL
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of SetWindowsHookEx
                        PID:2812
                        • C:\Windows\SysWOW64\cmd.exe
                          cmd /c ""C:\Users\Admin\AppData\Local\TempNOXTA.bat" "
                          12⤵
                          • System Location Discovery: System Language Discovery
                          PID:2584
                          • C:\Windows\SysWOW64\reg.exe
                            REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FERHVRPUGATWARK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YQKDJQBCPUMUITJ\service.exe" /f
                            13⤵
                            • Adds Run key to start application
                            • System Location Discovery: System Language Discovery
                            PID:2144
                        • C:\Users\Admin\AppData\Local\Temp\YQKDJQBCPUMUITJ\service.exe
                          "C:\Users\Admin\AppData\Local\Temp\YQKDJQBCPUMUITJ\service.exe"
                          12⤵
                          • Executes dropped EXE
                          • Loads dropped DLL
                          • System Location Discovery: System Language Discovery
                          • Suspicious use of SetWindowsHookEx
                          PID:2208
                          • C:\Windows\SysWOW64\cmd.exe
                            cmd /c ""C:\Users\Admin\AppData\Local\TempMGBWP.bat" "
                            13⤵
                            • System Location Discovery: System Language Discovery
                            PID:2032
                            • C:\Windows\SysWOW64\reg.exe
                              REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HFJXYALQXYJBDRM" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KCSBJTPKEETURAB\service.exe" /f
                              14⤵
                              • Adds Run key to start application
                              • System Location Discovery: System Language Discovery
                              PID:2648
                          • C:\Users\Admin\AppData\Local\Temp\KCSBJTPKEETURAB\service.exe
                            "C:\Users\Admin\AppData\Local\Temp\KCSBJTPKEETURAB\service.exe"
                            13⤵
                            • Executes dropped EXE
                            • Loads dropped DLL
                            • System Location Discovery: System Language Discovery
                            • Suspicious use of SetWindowsHookEx
                            PID:264
                            • C:\Windows\SysWOW64\cmd.exe
                              cmd /c ""C:\Users\Admin\AppData\Local\TempWCUYT.bat" "
                              14⤵
                              • System Location Discovery: System Language Discovery
                              PID:1236
                              • C:\Windows\SysWOW64\reg.exe
                                REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "XWKLHFHXKSBMRBO" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DMVEAYOTYEFCLDI\service.exe" /f
                                15⤵
                                • Adds Run key to start application
                                • System Location Discovery: System Language Discovery
                                PID:2988
                            • C:\Users\Admin\AppData\Local\Temp\DMVEAYOTYEFCLDI\service.exe
                              "C:\Users\Admin\AppData\Local\Temp\DMVEAYOTYEFCLDI\service.exe"
                              14⤵
                              • Executes dropped EXE
                              • Loads dropped DLL
                              • System Location Discovery: System Language Discovery
                              • Suspicious use of SetWindowsHookEx
                              PID:2896
                              • C:\Windows\SysWOW64\cmd.exe
                                cmd /c ""C:\Users\Admin\AppData\Local\TempFXWST.bat" "
                                15⤵
                                • System Location Discovery: System Language Discovery
                                PID:2436
                                • C:\Windows\SysWOW64\reg.exe
                                  REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NOKIKANVEPUERCB" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GPYHDRWHIFOAGLC\service.exe" /f
                                  16⤵
                                  • Adds Run key to start application
                                  • System Location Discovery: System Language Discovery
                                  PID:1968
                              • C:\Users\Admin\AppData\Local\Temp\GPYHDRWHIFOAGLC\service.exe
                                "C:\Users\Admin\AppData\Local\Temp\GPYHDRWHIFOAGLC\service.exe"
                                15⤵
                                • Executes dropped EXE
                                • Loads dropped DLL
                                • System Location Discovery: System Language Discovery
                                • Suspicious use of SetWindowsHookEx
                                PID:488
                                • C:\Windows\SysWOW64\cmd.exe
                                  cmd /c ""C:\Users\Admin\AppData\Local\TempKNOYT.bat" "
                                  16⤵
                                  • System Location Discovery: System Language Discovery
                                  PID:1868
                                  • C:\Windows\SysWOW64\reg.exe
                                    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FESIVRPAUHAUWBR" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YRLDJQBCPVMUJTJ\service.exe" /f
                                    17⤵
                                    • Adds Run key to start application
                                    • System Location Discovery: System Language Discovery
                                    PID:1828
                                • C:\Users\Admin\AppData\Local\Temp\YRLDJQBCPVMUJTJ\service.exe
                                  "C:\Users\Admin\AppData\Local\Temp\YRLDJQBCPVMUJTJ\service.exe"
                                  16⤵
                                  • Executes dropped EXE
                                  • Loads dropped DLL
                                  • System Location Discovery: System Language Discovery
                                  • Suspicious use of SetWindowsHookEx
                                  PID:324
                                  • C:\Windows\SysWOW64\cmd.exe
                                    cmd /c ""C:\Users\Admin\AppData\Local\TempLPQVB.bat" "
                                    17⤵
                                    • System Location Discovery: System Language Discovery
                                    PID:980
                                    • C:\Windows\SysWOW64\reg.exe
                                      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "GTAJXTQBVIBVXCS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SMFKRDDRWOWKVLH\service.exe" /f
                                      18⤵
                                      • Adds Run key to start application
                                      • System Location Discovery: System Language Discovery
                                      PID:2248
                                  • C:\Users\Admin\AppData\Local\Temp\SMFKRDDRWOWKVLH\service.exe
                                    "C:\Users\Admin\AppData\Local\Temp\SMFKRDDRWOWKVLH\service.exe"
                                    17⤵
                                    • Executes dropped EXE
                                    • Loads dropped DLL
                                    • System Location Discovery: System Language Discovery
                                    • Suspicious use of SetWindowsHookEx
                                    PID:328
                                    • C:\Windows\SysWOW64\cmd.exe
                                      cmd /c ""C:\Users\Admin\AppData\Local\TempLHVUG.bat" "
                                      18⤵
                                      • System Location Discovery: System Language Discovery
                                      PID:876
                                      • C:\Windows\SysWOW64\reg.exe
                                        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "POSFJFDTRIHKFBC" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MPEXVEXNDIARIHS\service.exe" /f
                                        19⤵
                                        • Adds Run key to start application
                                        • System Location Discovery: System Language Discovery
                                        PID:1400
                                    • C:\Users\Admin\AppData\Local\Temp\MPEXVEXNDIARIHS\service.exe
                                      "C:\Users\Admin\AppData\Local\Temp\MPEXVEXNDIARIHS\service.exe"
                                      18⤵
                                      • Executes dropped EXE
                                      • Loads dropped DLL
                                      • System Location Discovery: System Language Discovery
                                      • Suspicious use of SetWindowsHookEx
                                      PID:2456
                                      • C:\Users\Admin\AppData\Local\Temp\MPEXVEXNDIARIHS\service.exe
                                        C:\Users\Admin\AppData\Local\Temp\MPEXVEXNDIARIHS\service.exe
                                        19⤵
                                        • Executes dropped EXE
                                        • System Location Discovery: System Language Discovery
                                        • Suspicious use of AdjustPrivilegeToken
                                        • Suspicious use of SetWindowsHookEx
                                        PID:1604
                                        • C:\Windows\SysWOW64\cmd.exe
                                          cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
                                          20⤵
                                          • System Location Discovery: System Language Discovery
                                          PID:1652
                                          • C:\Windows\SysWOW64\reg.exe
                                            REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
                                            21⤵
                                            • Modifies firewall policy service
                                            • System Location Discovery: System Language Discovery
                                            • Modifies registry key
                                            PID:2852
                                        • C:\Windows\SysWOW64\cmd.exe
                                          cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\MPEXVEXNDIARIHS\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MPEXVEXNDIARIHS\service.exe:*:Enabled:Windows Messanger" /f
                                          20⤵
                                          • System Location Discovery: System Language Discovery
                                          PID:880
                                          • C:\Windows\SysWOW64\reg.exe
                                            REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\MPEXVEXNDIARIHS\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MPEXVEXNDIARIHS\service.exe:*:Enabled:Windows Messanger" /f
                                            21⤵
                                            • Modifies firewall policy service
                                            • System Location Discovery: System Language Discovery
                                            • Modifies registry key
                                            PID:1872
                                        • C:\Windows\SysWOW64\cmd.exe
                                          cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
                                          20⤵
                                          • System Location Discovery: System Language Discovery
                                          PID:2224
                                          • C:\Windows\SysWOW64\reg.exe
                                            REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
                                            21⤵
                                            • Modifies firewall policy service
                                            • System Location Discovery: System Language Discovery
                                            • Modifies registry key
                                            PID:2340
                                        • C:\Windows\SysWOW64\cmd.exe
                                          cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f
                                          20⤵
                                          • System Location Discovery: System Language Discovery
                                          PID:704
                                          • C:\Windows\SysWOW64\reg.exe
                                            REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f
                                            21⤵
                                            • Modifies firewall policy service
                                            • System Location Discovery: System Language Discovery
                                            • Modifies registry key
                                            PID:2540

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\TempAHUCQ.bat

    Filesize

    163B

    MD5

    4b0d872f3f416957a182ff7e52c309eb

    SHA1

    0f1b526a0543465b9e3dbeda4d433788776401c9

    SHA256

    6432bfed5b2ad0c9a8af3893a8ba1adc4366ebfb2bc5c0d373404ddac44baa88

    SHA512

    4655e8922a7735416c318b9fcbc22580b512c35518ca7ccc8085fba08adb232deb54b6266167f54a7911ae83310c9dc563da8189d836a2ee6d393e074749beb2

  • C:\Users\Admin\AppData\Local\TempDWWLU.bat

    Filesize

    163B

    MD5

    21d51ecedc46e539f6209a6366720a52

    SHA1

    a2b59a2415b66162f8f3953e9227853ee1ab3186

    SHA256

    29d97e122e271f038c88da17c66955d2e8df8775b6dda841f1d1bd324e16e7cd

    SHA512

    29711e705ad80ca54f15b5e4a572a89067f332b163e706f05b47723236b6bf314df7d60e8060828a00224ca342b5e9a6a7b9c8cd27fdc17ad29f3036fd31197d

  • C:\Users\Admin\AppData\Local\TempEDHYU.bat

    Filesize

    163B

    MD5

    b0e3f78dd578c1827bffd537f7263b0f

    SHA1

    866ca32b655e01effdd00b4526f5756a5a6df846

    SHA256

    da7a574d162e97a70dbce195f1ab7df74022ad3ef406bf41325a0ab8c5554018

    SHA512

    73a574929bca426493fbebdea7a601429811a25462d827b9c0011529ec14a7831b005af48b66cfde904ad8c37c055f48c06c0a077a0e7b5a67c960bf62b86897

  • C:\Users\Admin\AppData\Local\TempFXWST.bat

    Filesize

    163B

    MD5

    f5dddc8c8195b915447e8eca984daf4a

    SHA1

    92ac8e13c3544047b426c6a188f1e272801f7f73

    SHA256

    b06d5882fc6605999b1c1165924a3d714579131c568bf8042f795dacbeac91a4

    SHA512

    f2bb539fa5e023adfd3371e6623b7104a9339046af16b3bb64dd54ac15de7f4924414e2eeb5de51270df6e69f66a6a734e3955dc4edd2afe9299c6046921db77

  • C:\Users\Admin\AppData\Local\TempHYAHH.bat

    Filesize

    163B

    MD5

    d3b77b280a7cb43a7da70fbf515d72be

    SHA1

    fe28f5a1bf33d4f85896df6a2b134f96c85f11b6

    SHA256

    52eb451fa10d4ea85ad4adcfdbc23f05b07ef9e04f701fcf5255dc827afbb83f

    SHA512

    6b533800bb7fcd2b1c667d270c9d4f42240c0a6173b33811d8173bdaa344377520332d5ef344671a4e99ca18f800c076a88fc77c66cd523b2d82a9ab9852a825

  • C:\Users\Admin\AppData\Local\TempKLUQD.bat

    Filesize

    163B

    MD5

    d47175ceaacf560d2223f3a3d44fba27

    SHA1

    0d93ef4ec8d42c668c62ab148e2059347178421d

    SHA256

    7162b8b04111eda39d91132300930e3fba148a261394f77f6d2ed50a5a47bb57

    SHA512

    ce4a1856b81ee1bf877a47b2c76c7c675656bd5a4b140f894cab4389acf54d0be0dfed8dc890735412464d503e732dcfe1a99026839173998040c5b19157a7bc

  • C:\Users\Admin\AppData\Local\TempKNOYT.bat
    Filesize: 163B
    MD5: f485eb466d124afe4f05082cc3b835ff
    SHA1: 00bd1a4c37f772616c2e3f6e3fd4c53341e1d523
    SHA256: 6246d34daef7970b9cab9952ec458e097ce05455408db8ddb3589dab848a9f9f
    SHA512: dc0bb4ddbfef6bd302503539ea82d43aa0bd338da0a46a4e63a2701a77e87bb41c6f447ac5504908c900a7f511d6c9e516395b56235c00f56ee2eb5ca12325af

  • C:\Users\Admin\AppData\Local\TempKSOXO.bat
    Filesize: 163B
    MD5: 090a59c0660d2a9aa20174a68b2c87aa
    SHA1: c8b63fa0d9a493948d1fb8ebd6aedac3f5b16c26
    SHA256: 39b5ab49578bfa0b316ce8a98462b1359d803e6709054e4c6b9c900810365dc4
    SHA512: e6a0b9e38ad4b47da4a78755015abed80f1194aa244c78570998a8118708fa8f0cea4f702eee743beea51e86ead1f24b9ab221001ce1656fc81e9746b8cc3551

  • C:\Users\Admin\AppData\Local\TempLHVUG.bat
    Filesize: 163B
    MD5: c3c3462e2857382d6b4982d0f2670492
    SHA1: 2d448b4ed6165ee31b3b48392ae09ae4337bcb54
    SHA256: e7335fd821058e1b7b0dced6304042c8bd86ced20b87f715eaad2f7eecc66ba5
    SHA512: 9799fb74c578cad99ae28fcf8e1670b1418a589a44c365f8890cd445a642c46828e4c96ff7489f85015b67e059cddff96d86d528ceb23a0763f602391eac843b

  • C:\Users\Admin\AppData\Local\TempLHVUG.bat
    Filesize: 163B
    MD5: de69c25118df8838f32524d5b65053ba
    SHA1: d79b8934dab391b2f85b02ec96a6cf696e23d29b
    SHA256: 40bc559d58b0e666ed60c4caf6195b223cfc22e29d8c3a3558037fd37dcca921
    SHA512: 71fb69382480d582d5d09e9458754c925e45eaff1a3d5c9835895de02fd930a8b1bfa9008a1ed1b8ff2ada1d29742cc5eaf96af9dd68186f95ee97b9075d5bbe

  • C:\Users\Admin\AppData\Local\TempLPQVB.bat
    Filesize: 163B
    MD5: 0b5902a513078dce612bdb0904f70d14
    SHA1: 96280bd49e5a5305afd1e9564f063b95218562e6
    SHA256: e1a1bdbf6313d19210601de717b5f513cae9cf90ccfb50ba9e06b6627b20bae4
    SHA512: 76067c4641dd3e186b1cbf0f8c969fd58a38b5b72f444ba6c1be91e0b1d9d2dacaab831691e972d1fda45e9546469f6400ed3d2814d2435fb91b838e6ac6095f

  • C:\Users\Admin\AppData\Local\TempMGBWP.bat
    Filesize: 163B
    MD5: 81ecb0ab40151e671376d193c693fe6c
    SHA1: cafdd1788bb3f98758a0e9d1dcad376e83dad883
    SHA256: d1ddfaaf26aff03f199177601135bcb60d336079f7cd066861b78288ad8c164c
    SHA512: fe68e7c30baff506b8d7d15954c9499908f73afe6d311e3138001d441f17fc3facaee25afde536490e2d007a7694e92e21c3a5cc324465460b8fea60860b962e

  • C:\Users\Admin\AppData\Local\TempNOXTA.bat
    Filesize: 163B
    MD5: 118316f9ac71d39001143c26a9796aa1
    SHA1: 47625f74d7f4be3a906e1954be2d451457fcd8a1
    SHA256: 123f455976de4f294a2fed91f4550a52696a3e4c13e3e525ed2077aafe9ded8e
    SHA512: dac6691ac29cae9d8771513a0017ee180dfb8cf7fdc9d76c703cda99b72793c9f4dd2795fab7d35ecfc0d863e8d85e7d698a328daf01df1f7ff58cb52ea8222a

  • C:\Users\Admin\AppData\Local\TempSDXWL.bat
    Filesize: 163B
    MD5: 1a3da698ee8fa36e10bff6662c71beca
    SHA1: 6ef93721e781a68c788b0f3adf5c402e66b49f00
    SHA256: 02effddc870eab367d08f4d09ebc710e98bc02f3ec9fcca5a98db8e9b0637e3a
    SHA512: 61ed3b5665204732e3a6d2398e769a5fe6414afa3560a2451e38a5ce5bc4c63a30ebdca8fc84a137fd7f9c0d29682d1b3806630a9c17db2d5d610357500b0200

  • C:\Users\Admin\AppData\Local\TempUHPJO.bat
    Filesize: 163B
    MD5: ebb995f81295c2868c6edafeb7a65b84
    SHA1: 100b44a8a8684bacee2ed36e165ff3d6f457b3ef
    SHA256: 4332530bbb9b6c9a54f11683c8d706fcc0a5c3d7b52a1353f5a34336db82493b
    SHA512: 3ba539e1c2b37c7a4a80bb4c7323a40f16c52b7e5db2a2930b2e090999d7033909ce68c3604f3643ca6bab68281dc16f3930f98d8a81e80499cb90e7fd9019ab

  • C:\Users\Admin\AppData\Local\TempWCUYT.bat
    Filesize: 163B
    MD5: 797a05802a5f3d6699024252559afe38
    SHA1: ab85f1b33d35de1a5d5f55187c816bb4237eeca1
    SHA256: 16ece4416c7c79a88f037672e5112e72167eb8966b82d95dfa64060b2465f074
    SHA512: 73ae53e16e0d28cb8f05850a58e3cfe2cea6364681d940e303acef6f7c82d2fd074bf7bc20eac39b43e87fbc658367806467cad260307ceec19e8a13faf27a4d

  • C:\Users\Admin\AppData\Local\TempXWSTT.bat
    Filesize: 163B
    MD5: b0365534dd53081ab289eaa1f406d160
    SHA1: 2520a131bac7e82546a7c2f699d87e7e9d79987f
    SHA256: b34a0d1c87116939b294e31492dd97f4f15695a8f11aef5c01ca626794fc9d14
    SHA512: fedfa78fb3552323408d533ade49c7808907fd74f95fe2a9de01b2b75dfa2cd0e70d3ea77c38477e0e68277ea6f6d6c436b51c5d187961add5cad3f8954366e7

  • C:\Users\Admin\AppData\Local\Temp\UOHNUFGTYAQYMXN\service.exe
    Filesize: 520KB
    MD5: ce047197e105d577647d4a1de7211f16
    SHA1: 3ababd2ff909c29cef5b309c23856c5c06f1aed8
    SHA256: ed4c348dca267adcd02d20f01c0b4572351ed8d019f700bb484949faa21118a6
    SHA512: 3c15440871ae87da1b6cbf37cb8fc56a1b2c355c9ccc8202df447f043ccbcc14ed307967cfe8ef24970bb658b2d7d339bc7ab729f067346472ef34e52f2e6a4d

  • \Users\Admin\AppData\Local\Temp\AIRJFATYKKIQCJN\service.exe
    Filesize: 520KB
    MD5: 02408cee13c5a674b57f517ec523c3ce
    SHA1: a61311b16a5a33e9319563f4fe406b1ca77e2683
    SHA256: 4cbcff077a07f7a1707165e0b5e42f24a4a577847fd9765718eb2ceb0b55dd30
    SHA512: 4fe3674e5073731300230c58721c44b2e37d43149fd776ba6b3fa527f750ba4a24f7132822cc424906bda1dc5a3e1fd582dab1ecf71a51671e3738f41702fe1b

  • \Users\Admin\AppData\Local\Temp\DMVEAYOTYEFCLDI\service.exe
    Filesize: 520KB
    MD5: 6ca3ef898dcf7e53d5617385c1755e0a
    SHA1: 001f933c01599b2ec010132dca6459279a1fed81
    SHA256: 896162e80ebe40d78051c1138f5284aead669a0870573c0c29969fd8a574842d
    SHA512: da3e6bf63a0af6e86d66349daa58e472f31f72b6ab7bed6114f2805406508fb954db650bf3280b9173e7e2b9bdf9f6d40274d6df4577ed4c0eae8204432d7e49

  • \Users\Admin\AppData\Local\Temp\GPHDRWIIGOAHLCN\service.exe
    Filesize: 520KB
    MD5: 50531e7ac29b1ba6d7d53d18a03e471f
    SHA1: d2b0b58f27d5fdeeb676a3e1ec652c44b1914044
    SHA256: fb25eba1a050bda4b641497d3d3534816dd5a8645131085cf9838367d5822e0a
    SHA512: b1090e256be32eb1f56a489585b9ef7a8a35c61efe449b6f936c2323c31273a7f02c101e2bd407e3fcb946474a0eb47f10b5389939217e704123f92666896de4

  • \Users\Admin\AppData\Local\Temp\HKWVAXSQXTIWEMD\service.exe
    Filesize: 520KB
    MD5: 09d6167fd94df9f3b1a3f8e6ed9016da
    SHA1: e5e5fa98ce8b42c5be7260dc7b7b2ff01140eca8
    SHA256: ed3541daf5e2a6487f9635a37f5508e40a312b57e9ceb73b2c3f80e7fce337c4
    SHA512: 864ff401811a2457c648f17b30c0e30578a23b319aaf6a8f79f1fe816e14a37c57e9a99b74823603d23e70ec03e8374ecc78ff2b21397969ed8b9aa7c87b1992

  • \Users\Admin\AppData\Local\Temp\IKWWAXSRXTJWENE\service.exe
    Filesize: 520KB
    MD5: 556d8626a37aa8b412f2ee6b8fb47be1
    SHA1: 83b3bdba3e60b1cbe3da8f26934a98adddfee5cb
    SHA256: a9459a314e0d6d8b5fb4887ba181ae9a5b7f8feed72c72615c44a422d1a00c91
    SHA512: 317d5baa4a4ae54c971435a66704f10af92e502d5d950a4a1a4fedfd0636c09452f6a716c544574d7e7ed9a7a772a4118e31b5c5d20011ca4e23d0b07243798f

  • \Users\Admin\AppData\Local\Temp\JMYYCUSBVKYAGOF\service.exe
    Filesize: 520KB
    MD5: 8247ef8ef91bbcc663783ada5bf0a4cb
    SHA1: be7e2a80be3dd755b6d21c3bfa63f43831128eae
    SHA256: 91ac882d3db5473cfe6e3ad86a1c74e563dd65e745c0baddf800f6b86bec3da4
    SHA512: cf40e44bc106f68289d8d063d22f9fbb3ce7b4cea71f5272d2f29fa9fbfb3eae067c6b7bb237f7fc55977a4cebecbf25a381793604e26c56e0eae063c5fb9e56

  • \Users\Admin\AppData\Local\Temp\KCSBJTPKEETURAB\service.exe
    Filesize: 520KB
    MD5: dbc872b7f7e5bf9ca0f89d0b6ade74d2
    SHA1: a89c873335f6d3874c5bf9c11924412131db85b0
    SHA256: e219fdc65ee9d99551d8762e312eb6a713df034f0dc95372244f9ed534fe9bb0
    SHA512: ea8b6402f4d8cdaa832235f167db35bb702c6664b5e99c18effff01b3ca0407737ae55e38364443215b0d9c0762bc19bbee07aca074147c77d9dcd86a4d43b5e

  • \Users\Admin\AppData\Local\Temp\MPEXVEXNDJARIHS\service.exe
    Filesize: 520KB
    MD5: 7c978bd9fe9466bdf3ad8a1a92fb721f
    SHA1: 689bf572239e8994ad575a7ace7cb3fd02a15b31
    SHA256: d1900cdfd52dd0dbf05e0a12d924fe108a0581257e6437d9696aee90a276faa7
    SHA512: d9a141e4973710794b936ee6e142f95e3469ce88ec126f31af6c5eef505865ca28594be07bb06e35c6bc3a969678230e55e5cb9a0ac4d02d1002e8fc6361d521

  • \Users\Admin\AppData\Local\Temp\QJYIQEEFAFBWQEL\service.exe
    Filesize: 520KB
    MD5: 157bbefaf94997383d034e0ad65927c0
    SHA1: d03406ad8b31b478d7b18b0df3d7ad591a76574e
    SHA256: c0076c42386ad73a1c30c3ab1797ac2b3b2148ea7663d176a46c7caf20310c52
    SHA512: ed4f20024f7eeaf12a01387623013526d1406f2d3c7f723cf1fb4aca77ecfbafb2a393179af87e6dc0ff1859256149c1b36408ed48f4751dfcbccf6e214996c4

  • \Users\Admin\AppData\Local\Temp\RRBYNMNJHOJMUDO\service.exe
    Filesize: 520KB
    MD5: bd9e1dd80e2075258b0183d68e4d333b
    SHA1: c07a687cdc3d3820d0a6ece3218ca9e56232c9c1
    SHA256: a27d55505e67bc770447a20b6f7b579b604b343b65d3b5014c81976f51be65b1
    SHA512: 4cff15d4c9bbf3d23c13ff5dd0bab48bff1fb2356860b926c029d31c6b9717454c8f1746a32b78a7516978d1838a80e01631f25c55ff9029b8e4a471ce439c8b

  • \Users\Admin\AppData\Local\Temp\VYNHAGNWMRJRFQG\service.exe
    Filesize: 520KB
    MD5: 7fc3f7113a94178bb247eacb45eec902
    SHA1: 6e63d6d7b8e50621d3725b9658f3c3e8c4c3fcf5
    SHA256: caba49ebacc6998a3f76e4a5a2112d57ac55fc93e8035fe63d76092c3118a099
    SHA512: 87b0d56744786f46f761046e3ecc253620171e5a2238a169a073f526e60189b75de53f783d12518a9c3e0d7ab4273e9a355bbfc109bfb76de21c9341ec9e8ef9

  • \Users\Admin\AppData\Local\Temp\YQKDJQBCPUMUITJ\service.exe
    Filesize: 520KB
    MD5: 7f5b66a9057143b2a5f2b885ad61d2a0
    SHA1: 8402bb85e76818057716f8d2471f876d659b821a
    SHA256: c5d1aee7ac4ddcd4312ab5f1ffe938791f3aa193d06626f5fe853a466b4b116a
    SHA512: 670be86b4816ad01321b1b8bcd136c6af2e857ef1606d110000e852412550c14feb9cc08d02583cf0aaad3928bec7ac9b0072775d836c7e104551f94237a8c7a

  • memory/1604-474-0x0000000000400000-0x0000000000471000-memory.dmp
    Filesize: 452KB

  • memory/1604-479-0x0000000000400000-0x0000000000471000-memory.dmp
    Filesize: 452KB

  • memory/1604-480-0x0000000000400000-0x0000000000471000-memory.dmp
    Filesize: 452KB

  • memory/1604-482-0x0000000000400000-0x0000000000471000-memory.dmp
    Filesize: 452KB

  • memory/1604-483-0x0000000000400000-0x0000000000471000-memory.dmp
    Filesize: 452KB

  • memory/1604-484-0x0000000000400000-0x0000000000471000-memory.dmp
    Filesize: 452KB

  • memory/1604-486-0x0000000000400000-0x0000000000471000-memory.dmp
    Filesize: 452KB

  • memory/1604-487-0x0000000000400000-0x0000000000471000-memory.dmp
    Filesize: 452KB

  • memory/1604-488-0x0000000000400000-0x0000000000471000-memory.dmp
    Filesize: 452KB

  • memory/1604-490-0x0000000000400000-0x0000000000471000-memory.dmp
    Filesize: 452KB