blackshades | 9d9119a14307b53c31fa217e17139c761b27d45694a154dc7b4bf6eacd058466

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
30-01-2025 17:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe
Size

200KB
MD5

64e4580da28c25452a79e455f34f9f15
SHA1

68e5aec49ed2d8e8cbc98eb01bff04d2592ae934
SHA256

9d9119a14307b53c31fa217e17139c761b27d45694a154dc7b4bf6eacd058466
SHA512

317f212da0258265715985c5197bc0fc61683fec42b54078b44bd1d1cf5ee64f5a5c9e77e1a6eda0e7d52e76e33bcaf9d3d8b72283c22ce80e4dd677b46ed6c0
SSDEEP

3072:zT4HhLP12rkIbgfebWDuNR1vnexA+5sbr+7WHG1Zxhc+tSxqkm78i:zUB7oBgfHD6R1Pexn5s27d5Sxjmo

Score

10^/10

blackshades defense_evasion discovery rat upx

Malware Config

Signatures

Blackshades
Blackshades is a remote access trojan with various capabilities.
rat blackshades
Blackshades family
blackshades

Blackshades payload 14 IoCs

resource	yara_rule
behavioral2/memory/1720-25-0x0000000000400000-0x000000000045D000-memory.dmp	family_blackshades
behavioral2/memory/1720-59-0x0000000000400000-0x000000000045D000-memory.dmp	family_blackshades
behavioral2/memory/1720-61-0x0000000000400000-0x000000000045D000-memory.dmp	family_blackshades
behavioral2/memory/1720-63-0x0000000000400000-0x000000000045D000-memory.dmp	family_blackshades
behavioral2/memory/1720-64-0x0000000000400000-0x000000000045D000-memory.dmp	family_blackshades
behavioral2/memory/1720-65-0x0000000000400000-0x000000000045D000-memory.dmp	family_blackshades
behavioral2/memory/1720-67-0x0000000000400000-0x000000000045D000-memory.dmp	family_blackshades
behavioral2/memory/1720-68-0x0000000000400000-0x000000000045D000-memory.dmp	family_blackshades
behavioral2/memory/1720-69-0x0000000000400000-0x000000000045D000-memory.dmp	family_blackshades
behavioral2/memory/1720-70-0x0000000000400000-0x000000000045D000-memory.dmp	family_blackshades
behavioral2/memory/1720-72-0x0000000000400000-0x000000000045D000-memory.dmp	family_blackshades
behavioral2/memory/1720-73-0x0000000000400000-0x000000000045D000-memory.dmp	family_blackshades
behavioral2/memory/1720-74-0x0000000000400000-0x000000000045D000-memory.dmp	family_blackshades
behavioral2/memory/1720-76-0x0000000000400000-0x000000000045D000-memory.dmp	family_blackshades

Modifies firewall policy service 3 TTPs 10 IoCs

defense_evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe = "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\vbc.exe:*:Enabled:Windows Messanger"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\Rename Server.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Rename Server.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4896 set thread context of 1720	4896	JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe	89

UPX packed file 16 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1720-18-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral2/memory/1720-23-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral2/memory/1720-25-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral2/memory/1720-59-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral2/memory/1720-61-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral2/memory/1720-63-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral2/memory/1720-64-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral2/memory/1720-65-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral2/memory/1720-67-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral2/memory/1720-68-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral2/memory/1720-69-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral2/memory/1720-70-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral2/memory/1720-72-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral2/memory/1720-73-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral2/memory/1720-74-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral2/memory/1720-76-0x0000000000400000-0x000000000045D000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 16 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
3600	reg.exe
1036	reg.exe
868	reg.exe
4856	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4896	JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe
4896	JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe
4896	JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe
4896	JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe
4896	JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe
4896	JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe
4896	JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe
4896	JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe
4896	JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe
4896	JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe
4896	JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe
4896	JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe
4896	JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe
4896	JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe
4896	JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe
4896	JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe
4896	JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe
4896	JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe
4896	JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe
4896	JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe
4896	JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe
4896	JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe
4896	JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe
4896	JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe
4896	JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe
4896	JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe
4896	JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe
4896	JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe
4896	JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe
4896	JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe
4896	JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe
4896	JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe
4896	JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe
4896	JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe
4896	JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe
4896	JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe
4896	JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe
4896	JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe
4896	JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe
4896	JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe
4896	JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe
4896	JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe
4896	JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe
4896	JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe
4896	JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe
4896	JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe
4896	JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe
4896	JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe
4896	JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe
4896	JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe
4896	JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe
4896	JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe
4896	JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe
4896	JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe
4896	JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe
4896	JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe
4896	JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe
4896	JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe
4896	JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe
4896	JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe
4896	JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe
4896	JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe
4896	JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe
4896	JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4896	JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe

Suspicious use of AdjustPrivilegeToken 36 IoCs

description	pid	Process
Token: SeDebugPrivilege	4896	JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe
Token: 1	1720	vbc.exe
Token: SeCreateTokenPrivilege	1720	vbc.exe
Token: SeAssignPrimaryTokenPrivilege	1720	vbc.exe
Token: SeLockMemoryPrivilege	1720	vbc.exe
Token: SeIncreaseQuotaPrivilege	1720	vbc.exe
Token: SeMachineAccountPrivilege	1720	vbc.exe
Token: SeTcbPrivilege	1720	vbc.exe
Token: SeSecurityPrivilege	1720	vbc.exe
Token: SeTakeOwnershipPrivilege	1720	vbc.exe
Token: SeLoadDriverPrivilege	1720	vbc.exe
Token: SeSystemProfilePrivilege	1720	vbc.exe
Token: SeSystemtimePrivilege	1720	vbc.exe
Token: SeProfSingleProcessPrivilege	1720	vbc.exe
Token: SeIncBasePriorityPrivilege	1720	vbc.exe
Token: SeCreatePagefilePrivilege	1720	vbc.exe
Token: SeCreatePermanentPrivilege	1720	vbc.exe
Token: SeBackupPrivilege	1720	vbc.exe
Token: SeRestorePrivilege	1720	vbc.exe
Token: SeShutdownPrivilege	1720	vbc.exe
Token: SeDebugPrivilege	1720	vbc.exe
Token: SeAuditPrivilege	1720	vbc.exe
Token: SeSystemEnvironmentPrivilege	1720	vbc.exe
Token: SeChangeNotifyPrivilege	1720	vbc.exe
Token: SeRemoteShutdownPrivilege	1720	vbc.exe
Token: SeUndockPrivilege	1720	vbc.exe
Token: SeSyncAgentPrivilege	1720	vbc.exe
Token: SeEnableDelegationPrivilege	1720	vbc.exe
Token: SeManageVolumePrivilege	1720	vbc.exe
Token: SeImpersonatePrivilege	1720	vbc.exe
Token: SeCreateGlobalPrivilege	1720	vbc.exe
Token: 31	1720	vbc.exe
Token: 32	1720	vbc.exe
Token: 33	1720	vbc.exe
Token: 34	1720	vbc.exe
Token: 35	1720	vbc.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1720	vbc.exe
1720	vbc.exe
1720	vbc.exe

Suspicious use of WriteProcessMemory 50 IoCs

description	pid	Process	procid_target
PID 4896 wrote to memory of 4652	4896	JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe	86
PID 4896 wrote to memory of 4652	4896	JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe	86
PID 4896 wrote to memory of 4652	4896	JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe	86
PID 4652 wrote to memory of 2444	4652	csc.exe	88
PID 4652 wrote to memory of 2444	4652	csc.exe	88
PID 4652 wrote to memory of 2444	4652	csc.exe	88
PID 4896 wrote to memory of 1720	4896	JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe	89
PID 4896 wrote to memory of 1720	4896	JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe	89
PID 4896 wrote to memory of 1720	4896	JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe	89
PID 4896 wrote to memory of 1720	4896	JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe	89
PID 4896 wrote to memory of 1720	4896	JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe	89
PID 4896 wrote to memory of 1720	4896	JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe	89
PID 4896 wrote to memory of 1720	4896	JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe	89
PID 4896 wrote to memory of 1720	4896	JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe	89
PID 4896 wrote to memory of 2136	4896	JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe	90
PID 4896 wrote to memory of 2136	4896	JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe	90
PID 4896 wrote to memory of 2136	4896	JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe	90
PID 2136 wrote to memory of 5068	2136	csc.exe	92
PID 2136 wrote to memory of 5068	2136	csc.exe	92
PID 2136 wrote to memory of 5068	2136	csc.exe	92
PID 1720 wrote to memory of 2400	1720	vbc.exe	93
PID 1720 wrote to memory of 2400	1720	vbc.exe	93
PID 1720 wrote to memory of 2400	1720	vbc.exe	93
PID 1720 wrote to memory of 2944	1720	vbc.exe	94
PID 1720 wrote to memory of 2944	1720	vbc.exe	94
PID 1720 wrote to memory of 2944	1720	vbc.exe	94
PID 4896 wrote to memory of 2864	4896	JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe	95
PID 4896 wrote to memory of 2864	4896	JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe	95
PID 4896 wrote to memory of 2864	4896	JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe	95
PID 1720 wrote to memory of 5092	1720	vbc.exe	96
PID 1720 wrote to memory of 5092	1720	vbc.exe	96
PID 1720 wrote to memory of 5092	1720	vbc.exe	96
PID 1720 wrote to memory of 3500	1720	vbc.exe	97
PID 1720 wrote to memory of 3500	1720	vbc.exe	97
PID 1720 wrote to memory of 3500	1720	vbc.exe	97
PID 2944 wrote to memory of 3600	2944	cmd.exe	103
PID 2944 wrote to memory of 3600	2944	cmd.exe	103
PID 2944 wrote to memory of 3600	2944	cmd.exe	103
PID 2400 wrote to memory of 1036	2400	cmd.exe	104
PID 2400 wrote to memory of 1036	2400	cmd.exe	104
PID 2400 wrote to memory of 1036	2400	cmd.exe	104
PID 5092 wrote to memory of 868	5092	cmd.exe	105
PID 5092 wrote to memory of 868	5092	cmd.exe	105
PID 5092 wrote to memory of 868	5092	cmd.exe	105
PID 3500 wrote to memory of 4856	3500	cmd.exe	106
PID 3500 wrote to memory of 4856	3500	cmd.exe	106
PID 3500 wrote to memory of 4856	3500	cmd.exe	106
PID 2864 wrote to memory of 2368	2864	csc.exe	107
PID 2864 wrote to memory of 2368	2864	csc.exe	107
PID 2864 wrote to memory of 2368	2864	csc.exe	107

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64e4580da28c25452a79e455f34f9f15.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4896
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\8ailbhu9.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4652
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA104.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCA0F3.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2444
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1720
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2400
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      4⤵
      Modifies firewall policy service
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:1036
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /t REG_SZ /d "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe:*:Enabled:Windows Messanger" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2944
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /t REG_SZ /d "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe:*:Enabled:Windows Messanger" /f
      4⤵
      Modifies firewall policy service
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:3600
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:5092
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      4⤵
      Modifies firewall policy service
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:868
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Rename Server.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Rename Server.exe:*:Enabled:Windows Messanger" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3500
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Rename Server.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Rename Server.exe:*:Enabled:Windows Messanger" /f
      4⤵
      Modifies firewall policy service
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:4856
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\8ailbhu9.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2136
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA307.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCA306.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5068
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\8ailbhu9.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2864
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA3D2.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCA3D1.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8ailbhu9.dll

Filesize
9KB

MD5
5a0f5d155702770e06e9aa741cc9596f

SHA1
1f4be2e1a2653d7582fdfe2c977b03be186d70cd

SHA256
4e1016bc49c15bbdffd84c20fd55634b3c01fb62e9562cd239ad4a0623b5ecfb

SHA512
271fcf3a06a2365f8b993c10089dd24acec433d1191d753d0da46e253ffdba5bbfb05a9732287383adc6b2d4c447881de981f448e1a438545c0af2983903a137

Download Submit
C:\Users\Admin\AppData\Local\Temp\8ailbhu9.dll

Filesize
3KB

MD5
5cfcf08f765322d440005a82bf2f6d8f

SHA1
ad0aeb17a46f939b0421b64c599b76dbd66117a6

SHA256
6236d3fb0f81ffebbdb84584c98e88a009394437826d264b34f564d215acf44c

SHA512
2e84277a9372503bd91c47dd3c98da83cad67d192de8b293fd9c47859bbbe7ca4b4259a8a4b5e4ccf292582d258b2e2d603f463567f512b854ff7cb7d96e9a38

Download Submit
C:\Users\Admin\AppData\Local\Temp\8ailbhu9.dll

Filesize
5KB

MD5
5e415e3ebf69cb8c23ff2dec042d009a

SHA1
4a6378ecc3e12e2d16891e6eda3ef22509c83740

SHA256
ea74c626c40c6fb3f66c68d0a2ec2fd41d5f9dd71252edb873442fa6d38d8aa1

SHA512
5f723017e7125ad4968d9ee303e7f61376212a2aea584afe3c3a2e9479acb80137a3caee884671f75f84817fc348b8b0ec36aafa2d74d90c070eccabf494aa22

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA104.tmp

Filesize
1KB

MD5
80422d0d2e7563e31bb3885ddfe3b3ce

SHA1
601f5587c35ab5eff033085d0ebd9b6444f33fa8

SHA256
f156a171a40b27f45392d5938228cf3f4ba9543104ea8d1b13329f094c52d2ae

SHA512
58b54b3ba01b5a841cb6d42a8c28601367ba0c650973f607d7a1ec4f5b58d923f4ffb31d0ae901a8ff0a3a5f86343b4609d886191ee5504d88b700a80ffa4555

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA307.tmp

Filesize
1KB

MD5
de1d54b49d72fc7863b5547ccf88070a

SHA1
665e979e96f3ade86dd02d0b61fefdbd54e7077c

SHA256
a655b3e731ef2faba1d5499322e6def6b2a0e80fc7e991148cecadeb64167bbb

SHA512
fcb1270296c5e79bd02988f2c4b84fe9468ae1b8d606babe73114e765103b52518338474d13462b1e9b777df5f858389e12b92c6b11dbc6ca4c8d6e8f9a82c24

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA3D2.tmp

Filesize
1KB

MD5
92e5aa9ac9c7a2542d6993b6ec14837f

SHA1
73edcdbe181645fb6ab75ab97f56cee7f62ade17

SHA256
1cbf662494ad55d316feaccfcd1e92ebdac44fdb050fffa931b4a8c8f65d8e57

SHA512
93a22ed75a9f91644c76d7fc5dfe2b43aee36d1806e0f0287a0118f6bc83de0b14bd069ae5bd08cdaa00f686f318f0ed5f462c7ecc598fa0e74112bc4e97e186

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\8ailbhu9.0.cs

Filesize
7KB

MD5
c79c02b8be614ba0ad11b9a2deac9067

SHA1
5338181abf8d8436df240ec8bfe8699ed40eac83

SHA256
aeb41fe4117e42c32d7c61fe9caa02f2ec937418a3ffb6ee64b5a8309e0d7b78

SHA512
4b0efe655b237185454a41c79c1b5cd9b8e80cfa36f7abb8a5d63629f400bb73d58f196584ec5421a8b2e6608b9c00d44514ada9651bcf19aea8ba4cce5b4a4e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\8ailbhu9.0.cs

Filesize
106B

MD5
7b2710d3c14f50327d82682f1788ac9c

SHA1
db6323843b42649f002accea370f951ad10452bd

SHA256
cf3742c2d19768ac180864c89a57abffca72120fa2fa3d2872ddc5fb9901704f

SHA512
7f0c429790ac2a29c37fa802e150ec6cb96f906c6b33d6b61bda74690a06a68be016e062d141a1499d5bf521ef379f6531e7274e270bbf20aac8af49710d6479

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\8ailbhu9.0.cs

Filesize
3KB

MD5
412e1c803f61cea207aa4b53c9b4a3bb

SHA1
79b56c2016e0eb4e0de20ef8085dd8caa2b0a810

SHA256
03928f10904ba363d8e763f42883e9c9e6a54f5514b323c48fca4ace6f8d2b71

SHA512
9cb9f92cee9e2b22424c8c0f60b53143ff7799a61a06a02291102912208311fb41ea95e16a175f46fbf0cce41b2f18f4eacaa5ae60625aa0e89beec5ac299b3b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\8ailbhu9.cmdline

Filesize
187B

MD5
2d3667e1244b4d1fe6b84fb2bdeea529

SHA1
eb8799cc36bb6384dbda3cb0839442bbcc5f3596

SHA256
15fe19ecb60a8be70c4529d84007988c69d8efe33eec833420d825bb2c49d0de

SHA512
db2eaf8698210dcce0fb4b879b70c0562fd0cc347d9690d3fb08e50893730889b7452f972cdd8e99fd73a5c78b190fbd3970ceea8c3b039ee700ae6703c07e9b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\8ailbhu9.cmdline

Filesize
203B

MD5
c8c669a1b858b6a38d68e7a56810aaab

SHA1
3945e0842f964e15611dd76b5bc7e7519c70707e

SHA256
2e9499a2021479ab9474542465071eb849529e1bd3cfa0ef9c855f1b70eb83ec

SHA512
1ba347caa59a480cca9f81e30f7fea142f869e997b2bb270b7de42c7686df41acbf727d6816b8cd36d676c07683aac3580ed4e9085ab330ee0a7396ddd4bcb98

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\8ailbhu9.cmdline

Filesize
219B

MD5
d717fdd1850d31203b714ad4816b21fb

SHA1
2ddd6497b6036f5e6ebb20d7e1ad28c59b87e36c

SHA256
022019f5dcc61e9284ebe396652a0b29944a4271c47b0bdae7f7e8a9c8b0a49d

SHA512
dbcb7b6377fbd6ac0db0e61407cf98fb86629eaa57bf86a08defc6802d68bf801f34b6460e8cc79d9c638eabf9b8c5db5b061e5c0b90136f64fd35dca13975d7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCA0F3.tmp

Filesize
652B

MD5
fa76b56b8b8f96dec85f3c0584c134ea

SHA1
7a435737cdce2adcbe70c2439e7627ce7f3de56f

SHA256
a72a973f235b503d9d280ead1664255cf182a27e7786d7b5d457d8262cab9f6a

SHA512
4a4729b5ad0fe5fa2b9cf2a24547e9c472b2f9dbf510b652d4ab87fa6c5440d8c3b421c838c2225824cdf34e824db009e6e705ae0eafc5534c0e9296045f9fe4

Download Submit
memory/1720-59-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/1720-74-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/1720-68-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/1720-67-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/1720-76-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/1720-23-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/1720-65-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/1720-64-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/1720-25-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/1720-18-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/1720-73-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/1720-72-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/1720-70-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/1720-69-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/1720-61-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/1720-63-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2136-38-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2136-33-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4652-15-0x0000000074670000-0x0000000074C21000-memory.dmp

Filesize
5.7MB

Download
memory/4652-8-0x0000000074670000-0x0000000074C21000-memory.dmp

Filesize
5.7MB

Download
memory/4896-0-0x0000000074672000-0x0000000074673000-memory.dmp

Filesize
4KB

Download
memory/4896-58-0x0000000074670000-0x0000000074C21000-memory.dmp

Filesize
5.7MB

Download
memory/4896-57-0x0000000074670000-0x0000000074C21000-memory.dmp

Filesize
5.7MB

Download
memory/4896-56-0x0000000074672000-0x0000000074673000-memory.dmp

Filesize
4KB

Download
memory/4896-1-0x0000000074670000-0x0000000074C21000-memory.dmp

Filesize
5.7MB

Download
memory/4896-2-0x0000000074670000-0x0000000074C21000-memory.dmp

Filesize
5.7MB

Download