blackshades | 7f4c3c0133233a9eec5e8c97e905b767f3a9e9a642f54da068d31f39c6311e76

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
11/03/2025, 02:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7f4c3c0133233a9eec5e8c97e905b767f3a9e9a642f54da068d31f39c6311e76.exe
Size

520KB
MD5

45215ec7f8b8c4970d04c8aa7fe60c6d
SHA1

18c3f4806fe113ad86a062fb7bbb264c7faa6bed
SHA256

7f4c3c0133233a9eec5e8c97e905b767f3a9e9a642f54da068d31f39c6311e76
SHA512

b85585ee0a0fda99228e6b6fbd5cf9542182645ad20b9d71a0f9f507e6e279c3ca2d2f67dba0d0e43a2b4e9e9e04c518a126f8f0b4463aad28e0ba73f1d8e4cb
SSDEEP

12288:zW6n3sX4yCFr2ZemYOpSPIsGWeKZl4q7sioXq:zW6ncoyqOp6IsTl/mXq

Score

10^/10

blackshades defense_evasion discovery persistence rat

Malware Config

Signatures

Blackshades
Blackshades is a remote access trojan with various capabilities.
rat blackshades
Blackshades family
blackshades

Blackshades payload 15 IoCs

resource	yara_rule
behavioral1/memory/2588-62-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/2588-67-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/2588-68-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/2588-70-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/2588-71-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/2588-72-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/2588-74-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/2588-75-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/2588-76-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/2588-78-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/2588-79-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/2588-80-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/2588-82-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/2588-83-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/2588-84-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades

Modifies firewall policy service 3 TTPs 8 IoCs

defense_evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\service.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\TNGMTEFSXPXLWMI\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TNGMTEFSXPXLWMI\\service.exe:*:Enabled:Windows Messanger"	reg.exe

Executes dropped EXE 3 IoCs

pid	Process
2344	service.exe
2876	service.exe
2588	service.exe

Loads dropped DLL 5 IoCs

pid	Process
2304	7f4c3c0133233a9eec5e8c97e905b767f3a9e9a642f54da068d31f39c6311e76.exe
2304	7f4c3c0133233a9eec5e8c97e905b767f3a9e9a642f54da068d31f39c6311e76.exe
2344	service.exe
2344	service.exe
2876	service.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\TCCOULIMHPEFXVE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\LETDLAUARMGBGVW\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\HUBKYUSCXJCWDUN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TNGMTEFSXPXLWMI\\service.exe"	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 16 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7f4c3c0133233a9eec5e8c97e905b767f3a9e9a642f54da068d31f39c6311e76.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
3052	reg.exe
3068	reg.exe
1324	reg.exe
2576	reg.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

description	pid	Process
Token: 1	2588	service.exe
Token: SeCreateTokenPrivilege	2588	service.exe
Token: SeAssignPrimaryTokenPrivilege	2588	service.exe
Token: SeLockMemoryPrivilege	2588	service.exe
Token: SeIncreaseQuotaPrivilege	2588	service.exe
Token: SeMachineAccountPrivilege	2588	service.exe
Token: SeTcbPrivilege	2588	service.exe
Token: SeSecurityPrivilege	2588	service.exe
Token: SeTakeOwnershipPrivilege	2588	service.exe
Token: SeLoadDriverPrivilege	2588	service.exe
Token: SeSystemProfilePrivilege	2588	service.exe
Token: SeSystemtimePrivilege	2588	service.exe
Token: SeProfSingleProcessPrivilege	2588	service.exe
Token: SeIncBasePriorityPrivilege	2588	service.exe
Token: SeCreatePagefilePrivilege	2588	service.exe
Token: SeCreatePermanentPrivilege	2588	service.exe
Token: SeBackupPrivilege	2588	service.exe
Token: SeRestorePrivilege	2588	service.exe
Token: SeShutdownPrivilege	2588	service.exe
Token: SeDebugPrivilege	2588	service.exe
Token: SeAuditPrivilege	2588	service.exe
Token: SeSystemEnvironmentPrivilege	2588	service.exe
Token: SeChangeNotifyPrivilege	2588	service.exe
Token: SeRemoteShutdownPrivilege	2588	service.exe
Token: SeUndockPrivilege	2588	service.exe
Token: SeSyncAgentPrivilege	2588	service.exe
Token: SeEnableDelegationPrivilege	2588	service.exe
Token: SeManageVolumePrivilege	2588	service.exe
Token: SeImpersonatePrivilege	2588	service.exe
Token: SeCreateGlobalPrivilege	2588	service.exe
Token: 31	2588	service.exe
Token: 32	2588	service.exe
Token: 33	2588	service.exe
Token: 34	2588	service.exe
Token: 35	2588	service.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2304	7f4c3c0133233a9eec5e8c97e905b767f3a9e9a642f54da068d31f39c6311e76.exe
2344	service.exe
2876	service.exe
2588	service.exe
2588	service.exe
2588	service.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2304 wrote to memory of 2480	2304	7f4c3c0133233a9eec5e8c97e905b767f3a9e9a642f54da068d31f39c6311e76.exe	30
PID 2304 wrote to memory of 2480	2304	7f4c3c0133233a9eec5e8c97e905b767f3a9e9a642f54da068d31f39c6311e76.exe	30
PID 2304 wrote to memory of 2480	2304	7f4c3c0133233a9eec5e8c97e905b767f3a9e9a642f54da068d31f39c6311e76.exe	30
PID 2304 wrote to memory of 2480	2304	7f4c3c0133233a9eec5e8c97e905b767f3a9e9a642f54da068d31f39c6311e76.exe	30
PID 2480 wrote to memory of 1856	2480	cmd.exe	32
PID 2480 wrote to memory of 1856	2480	cmd.exe	32
PID 2480 wrote to memory of 1856	2480	cmd.exe	32
PID 2480 wrote to memory of 1856	2480	cmd.exe	32
PID 2304 wrote to memory of 2344	2304	7f4c3c0133233a9eec5e8c97e905b767f3a9e9a642f54da068d31f39c6311e76.exe	33
PID 2304 wrote to memory of 2344	2304	7f4c3c0133233a9eec5e8c97e905b767f3a9e9a642f54da068d31f39c6311e76.exe	33
PID 2304 wrote to memory of 2344	2304	7f4c3c0133233a9eec5e8c97e905b767f3a9e9a642f54da068d31f39c6311e76.exe	33
PID 2304 wrote to memory of 2344	2304	7f4c3c0133233a9eec5e8c97e905b767f3a9e9a642f54da068d31f39c6311e76.exe	33
PID 2344 wrote to memory of 2780	2344	service.exe	34
PID 2344 wrote to memory of 2780	2344	service.exe	34
PID 2344 wrote to memory of 2780	2344	service.exe	34
PID 2344 wrote to memory of 2780	2344	service.exe	34
PID 2780 wrote to memory of 2208	2780	cmd.exe	36
PID 2780 wrote to memory of 2208	2780	cmd.exe	36
PID 2780 wrote to memory of 2208	2780	cmd.exe	36
PID 2780 wrote to memory of 2208	2780	cmd.exe	36
PID 2344 wrote to memory of 2876	2344	service.exe	37
PID 2344 wrote to memory of 2876	2344	service.exe	37
PID 2344 wrote to memory of 2876	2344	service.exe	37
PID 2344 wrote to memory of 2876	2344	service.exe	37
PID 2876 wrote to memory of 2588	2876	service.exe	38
PID 2876 wrote to memory of 2588	2876	service.exe	38
PID 2876 wrote to memory of 2588	2876	service.exe	38
PID 2876 wrote to memory of 2588	2876	service.exe	38
PID 2876 wrote to memory of 2588	2876	service.exe	38
PID 2876 wrote to memory of 2588	2876	service.exe	38
PID 2876 wrote to memory of 2588	2876	service.exe	38
PID 2876 wrote to memory of 2588	2876	service.exe	38
PID 2876 wrote to memory of 2588	2876	service.exe	38
PID 2588 wrote to memory of 2604	2588	service.exe	39
PID 2588 wrote to memory of 2604	2588	service.exe	39
PID 2588 wrote to memory of 2604	2588	service.exe	39
PID 2588 wrote to memory of 2604	2588	service.exe	39
PID 2588 wrote to memory of 2796	2588	service.exe	40
PID 2588 wrote to memory of 2796	2588	service.exe	40
PID 2588 wrote to memory of 2796	2588	service.exe	40
PID 2588 wrote to memory of 2796	2588	service.exe	40
PID 2588 wrote to memory of 2556	2588	service.exe	42
PID 2588 wrote to memory of 2556	2588	service.exe	42
PID 2588 wrote to memory of 2556	2588	service.exe	42
PID 2588 wrote to memory of 2556	2588	service.exe	42
PID 2604 wrote to memory of 2576	2604	cmd.exe	43
PID 2604 wrote to memory of 2576	2604	cmd.exe	43
PID 2604 wrote to memory of 2576	2604	cmd.exe	43
PID 2604 wrote to memory of 2576	2604	cmd.exe	43
PID 2588 wrote to memory of 2592	2588	service.exe	44
PID 2588 wrote to memory of 2592	2588	service.exe	44
PID 2588 wrote to memory of 2592	2588	service.exe	44
PID 2588 wrote to memory of 2592	2588	service.exe	44
PID 2556 wrote to memory of 3068	2556	cmd.exe	49
PID 2556 wrote to memory of 3068	2556	cmd.exe	49
PID 2556 wrote to memory of 3068	2556	cmd.exe	49
PID 2556 wrote to memory of 3068	2556	cmd.exe	49
PID 2796 wrote to memory of 3052	2796	cmd.exe	48
PID 2796 wrote to memory of 3052	2796	cmd.exe	48
PID 2796 wrote to memory of 3052	2796	cmd.exe	48
PID 2796 wrote to memory of 3052	2796	cmd.exe	48
PID 2592 wrote to memory of 1324	2592	cmd.exe	50
PID 2592 wrote to memory of 1324	2592	cmd.exe	50
PID 2592 wrote to memory of 1324	2592	cmd.exe	50

C:\Users\Admin\AppData\Local\Temp\7f4c3c0133233a9eec5e8c97e905b767f3a9e9a642f54da068d31f39c6311e76.exe
"C:\Users\Admin\AppData\Local\Temp\7f4c3c0133233a9eec5e8c97e905b767f3a9e9a642f54da068d31f39c6311e76.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2304
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\TempFYNJS.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2480
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TCCOULIMHPEFXVE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\LETDLAUARMGBGVW\service.exe" /f
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:1856
- C:\Users\Admin\AppData\Local\Temp\LETDLAUARMGBGVW\service.exe
  "C:\Users\Admin\AppData\Local\Temp\LETDLAUARMGBGVW\service.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2344
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\TempQRWDE.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2780
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HUBKYUSCXJCWDUN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TNGMTEFSXPXLWMI\service.exe" /f
      4⤵
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      PID:2208
- - C:\Users\Admin\AppData\Local\Temp\TNGMTEFSXPXLWMI\service.exe
    "C:\Users\Admin\AppData\Local\Temp\TNGMTEFSXPXLWMI\service.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2876
  - - C:\Users\Admin\AppData\Local\Temp\TNGMTEFSXPXLWMI\service.exe
      C:\Users\Admin\AppData\Local\Temp\TNGMTEFSXPXLWMI\service.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2588
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2604
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        6⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2576
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\TNGMTEFSXPXLWMI\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TNGMTEFSXPXLWMI\service.exe:*:Enabled:Windows Messanger" /f
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2796
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\TNGMTEFSXPXLWMI\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TNGMTEFSXPXLWMI\service.exe:*:Enabled:Windows Messanger" /f
        6⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:3052
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2556
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        6⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:3068
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2592
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f
        6⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1324

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\TempFYNJS.bat

Filesize
163B

MD5
748ae393e5989b410dfb895266f7a269

SHA1
835cd872e97c2fc98e602c6bba86e05d7fab3fcc

SHA256
d864c0c0dd4ce72ab9c0456adb769e10fb99626b46cd17e21dc8bfd118313137

SHA512
b5486ea1d3b8678683ca5cd394bf35b5b005c2bc5bf3ff8960f2ea36aadc8b73371b5f66c247ce36fcf6e795390a70cd1a40f965b5026a3140ad71814def45a0

Download Submit
C:\Users\Admin\AppData\Local\TempQRWDE.bat

Filesize
163B

MD5
5f86bd202bfcd38eb1df9dc3f99b3f2d

SHA1
20eb5c3c335c0ae536940a2687e7a4b19f36ce56

SHA256
d321062aed8a7c06ac93888227db15ce99c621f0c1f748ed53813a296aa4ab84

SHA512
4ce449ef9cbe9707adba1be3be1a650c1ff846ad9f3af74ed8428ab64f9c35f0425482af8c5d68afc7d9eff857e369b949b65d9f03e4f7f515f1f3fb3b02045c

Download Submit
C:\Users\Admin\AppData\Local\Temp\LETDLAUARMGBGVW\service.exe

Filesize
520KB

MD5
ef973386711ce7bea7dbd0b72532b061

SHA1
5a0400b2561aae4ec23c0d34d37eb5d182504e53

SHA256
6d7bb17d221217b0449fe99c4f5ac270dac81b6649b86c4fe134dbfe4cca8ddc

SHA512
d7f7b2fa91ea247de0a33e2f73b7b079fbee68e76533ef483f7b69770a8f620a58276a0d6c6ef457d64ff2f35c469830e0daeeb8eb703b177728e7a1982e3c12

Download Submit
\Users\Admin\AppData\Local\Temp\TNGMTEFSXPXLWMI\service.exe

Filesize
520KB

MD5
e0269e99a3d5ebbe7a9061f49ae420f9

SHA1
a73a6e743145e4bff1ee04f0b456563e6390f9b6

SHA256
447d82721ffb445bc5db9f778745b1b98b657bca3411b770562aa2fb01d39474

SHA512
1cb815b612f10b7bc6408dcfc107ff58097f4e50c0005e1939dc8910888c036c482862550dda2d1594904af1b98bde7eeaa61028a0f527307c94367bd944377e

Download Submit
memory/2588-71-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2588-75-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2588-68-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2588-70-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2588-62-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2588-72-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2588-74-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2588-67-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2588-76-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2588-78-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2588-79-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2588-80-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2588-82-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2588-83-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2588-84-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads