blackshades | a4e4ac00d4ba53d06796e517e5153981ceb64f6c6cec9ea2498866d31967298f

Analysis

max time kernel
148s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
11/03/2025, 08:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_6453b926503f0a47ace96ee12c18bc33.exe
Size

801KB
MD5

6453b926503f0a47ace96ee12c18bc33
SHA1

37cee84fa9803f42ccd049063959570adaa425ba
SHA256

a4e4ac00d4ba53d06796e517e5153981ceb64f6c6cec9ea2498866d31967298f
SHA512

b0c31b05d59dccf9ec4ad7154f1b6e1c381e3d80ea1ce80c1d795ac7d08b2857fda30a1e984d8a79859b70437729ecf14d8a5c76c76babca3c5f2ebc199d21d6
SSDEEP

12288:QwGTnyOtnxv6S4mtDuPa97JnEFEmR3PyiYg6cDL1WtThAVARl6t2YeHFvk3+f:DsyS6xcsEli8iz9uhDknOR

Score

10^/10

blackshades latentbot credential_access defense_evasion discovery persistence rat spyware stealer trojan

Malware Config

Extracted

Family

latentbot

softwaredev.zapto.org

Signatures

Blackshades
Blackshades is a remote access trojan with various capabilities.
rat blackshades
Blackshades family
blackshades

Blackshades payload 13 IoCs

resource	yara_rule
behavioral2/memory/1544-49-0x0000000000400000-0x0000000000459000-memory.dmp	family_blackshades
behavioral2/memory/1544-53-0x0000000000400000-0x0000000000459000-memory.dmp	family_blackshades
behavioral2/memory/1544-62-0x0000000000400000-0x0000000000459000-memory.dmp	family_blackshades
behavioral2/memory/1544-63-0x0000000000400000-0x0000000000459000-memory.dmp	family_blackshades
behavioral2/memory/1544-65-0x0000000000400000-0x0000000000459000-memory.dmp	family_blackshades
behavioral2/memory/1544-66-0x0000000000400000-0x0000000000459000-memory.dmp	family_blackshades
behavioral2/memory/1544-69-0x0000000000400000-0x0000000000459000-memory.dmp	family_blackshades
behavioral2/memory/1544-70-0x0000000000400000-0x0000000000459000-memory.dmp	family_blackshades
behavioral2/memory/1544-71-0x0000000000400000-0x0000000000459000-memory.dmp	family_blackshades
behavioral2/memory/1544-73-0x0000000000400000-0x0000000000459000-memory.dmp	family_blackshades
behavioral2/memory/1544-74-0x0000000000400000-0x0000000000459000-memory.dmp	family_blackshades
behavioral2/memory/1544-76-0x0000000000400000-0x0000000000459000-memory.dmp	family_blackshades
behavioral2/memory/1544-78-0x0000000000400000-0x0000000000459000-memory.dmp	family_blackshades

LatentBot
Modular trojan written in Delphi which has been in-the-wild since 2013.
trojan latentbot
Latentbot family
latentbot

Modifies firewall policy service 3 TTPs 10 IoCs

defense_evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\svchoster.exe = "C:\\Users\\Admin\\AppData\\Roaming\\svchoster.exe:*:Enabled:Windows Messanger"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Firefox Speed Booster V 4.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run	Firefox Speed Booster V 4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\svchoster.exe"	Firefox Speed Booster V 4.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ECD9CBEB-A1FC-AFA7-CEC8-5BFF8CD021BC}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\svchoster.exe"	Firefox Speed Booster V 4.exe
Key created	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{ECD9CBEB-A1FC-AFA7-CEC8-5BFF8CD021BC}	Firefox Speed Booster V 4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{ECD9CBEB-A1FC-AFA7-CEC8-5BFF8CD021BC}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\svchoster.exe"	Firefox Speed Booster V 4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ECD9CBEB-A1FC-AFA7-CEC8-5BFF8CD021BC}	Firefox Speed Booster V 4.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation	JaffaCakes118_6453b926503f0a47ace96ee12c18bc33.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Firefox Speed Booster V 4.exe	Firefox Speed Booster V 4.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Firefox Speed Booster V 4.exe	Firefox Speed Booster V 4.exe

Executes dropped EXE 4 IoCs

pid	Process
4012	Firefox Speed Booster V 4.exe
3988	SVCH0ST.exe
4016	SVCH0ST.exe
1544	Firefox Speed Booster V 4.exe

Loads dropped DLL 4 IoCs

pid	Process
4012	Firefox Speed Booster V 4.exe
4012	Firefox Speed Booster V 4.exe
4012	Firefox Speed Booster V 4.exe
4012	Firefox Speed Booster V 4.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\svchoster.exe"	Firefox Speed Booster V 4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\svchoster.exe"	Firefox Speed Booster V 4.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3988 set thread context of 4016	3988	SVCH0ST.exe	88
PID 4012 set thread context of 1544	4012	Firefox Speed Booster V 4.exe	91

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Firefox Speed Booster V 4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVCH0ST.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVCH0ST.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_6453b926503f0a47ace96ee12c18bc33.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Firefox Speed Booster V 4.exe

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
760	reg.exe
232	reg.exe
2756	reg.exe
220	reg.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

description	pid	Process
Token: 1	1544	Firefox Speed Booster V 4.exe
Token: SeCreateTokenPrivilege	1544	Firefox Speed Booster V 4.exe
Token: SeAssignPrimaryTokenPrivilege	1544	Firefox Speed Booster V 4.exe
Token: SeLockMemoryPrivilege	1544	Firefox Speed Booster V 4.exe
Token: SeIncreaseQuotaPrivilege	1544	Firefox Speed Booster V 4.exe
Token: SeMachineAccountPrivilege	1544	Firefox Speed Booster V 4.exe
Token: SeTcbPrivilege	1544	Firefox Speed Booster V 4.exe
Token: SeSecurityPrivilege	1544	Firefox Speed Booster V 4.exe
Token: SeTakeOwnershipPrivilege	1544	Firefox Speed Booster V 4.exe
Token: SeLoadDriverPrivilege	1544	Firefox Speed Booster V 4.exe
Token: SeSystemProfilePrivilege	1544	Firefox Speed Booster V 4.exe
Token: SeSystemtimePrivilege	1544	Firefox Speed Booster V 4.exe
Token: SeProfSingleProcessPrivilege	1544	Firefox Speed Booster V 4.exe
Token: SeIncBasePriorityPrivilege	1544	Firefox Speed Booster V 4.exe
Token: SeCreatePagefilePrivilege	1544	Firefox Speed Booster V 4.exe
Token: SeCreatePermanentPrivilege	1544	Firefox Speed Booster V 4.exe
Token: SeBackupPrivilege	1544	Firefox Speed Booster V 4.exe
Token: SeRestorePrivilege	1544	Firefox Speed Booster V 4.exe
Token: SeShutdownPrivilege	1544	Firefox Speed Booster V 4.exe
Token: SeDebugPrivilege	1544	Firefox Speed Booster V 4.exe
Token: SeAuditPrivilege	1544	Firefox Speed Booster V 4.exe
Token: SeSystemEnvironmentPrivilege	1544	Firefox Speed Booster V 4.exe
Token: SeChangeNotifyPrivilege	1544	Firefox Speed Booster V 4.exe
Token: SeRemoteShutdownPrivilege	1544	Firefox Speed Booster V 4.exe
Token: SeUndockPrivilege	1544	Firefox Speed Booster V 4.exe
Token: SeSyncAgentPrivilege	1544	Firefox Speed Booster V 4.exe
Token: SeEnableDelegationPrivilege	1544	Firefox Speed Booster V 4.exe
Token: SeManageVolumePrivilege	1544	Firefox Speed Booster V 4.exe
Token: SeImpersonatePrivilege	1544	Firefox Speed Booster V 4.exe
Token: SeCreateGlobalPrivilege	1544	Firefox Speed Booster V 4.exe
Token: 31	1544	Firefox Speed Booster V 4.exe
Token: 32	1544	Firefox Speed Booster V 4.exe
Token: 33	1544	Firefox Speed Booster V 4.exe
Token: 34	1544	Firefox Speed Booster V 4.exe
Token: 35	1544	Firefox Speed Booster V 4.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
3988	SVCH0ST.exe
1544	Firefox Speed Booster V 4.exe
1544	Firefox Speed Booster V 4.exe
1544	Firefox Speed Booster V 4.exe

Suspicious use of WriteProcessMemory 47 IoCs

description	pid	Process	procid_target
PID 1948 wrote to memory of 4012	1948	JaffaCakes118_6453b926503f0a47ace96ee12c18bc33.exe	86
PID 1948 wrote to memory of 4012	1948	JaffaCakes118_6453b926503f0a47ace96ee12c18bc33.exe	86
PID 1948 wrote to memory of 4012	1948	JaffaCakes118_6453b926503f0a47ace96ee12c18bc33.exe	86
PID 1948 wrote to memory of 3988	1948	JaffaCakes118_6453b926503f0a47ace96ee12c18bc33.exe	87
PID 1948 wrote to memory of 3988	1948	JaffaCakes118_6453b926503f0a47ace96ee12c18bc33.exe	87
PID 1948 wrote to memory of 3988	1948	JaffaCakes118_6453b926503f0a47ace96ee12c18bc33.exe	87
PID 3988 wrote to memory of 4016	3988	SVCH0ST.exe	88
PID 3988 wrote to memory of 4016	3988	SVCH0ST.exe	88
PID 3988 wrote to memory of 4016	3988	SVCH0ST.exe	88
PID 3988 wrote to memory of 4016	3988	SVCH0ST.exe	88
PID 3988 wrote to memory of 4016	3988	SVCH0ST.exe	88
PID 3988 wrote to memory of 4016	3988	SVCH0ST.exe	88
PID 3988 wrote to memory of 4016	3988	SVCH0ST.exe	88
PID 3988 wrote to memory of 4016	3988	SVCH0ST.exe	88
PID 3988 wrote to memory of 4016	3988	SVCH0ST.exe	88
PID 4012 wrote to memory of 1544	4012	Firefox Speed Booster V 4.exe	91
PID 4012 wrote to memory of 1544	4012	Firefox Speed Booster V 4.exe	91
PID 4012 wrote to memory of 1544	4012	Firefox Speed Booster V 4.exe	91
PID 4012 wrote to memory of 1544	4012	Firefox Speed Booster V 4.exe	91
PID 4012 wrote to memory of 1544	4012	Firefox Speed Booster V 4.exe	91
PID 4012 wrote to memory of 1544	4012	Firefox Speed Booster V 4.exe	91
PID 4012 wrote to memory of 1544	4012	Firefox Speed Booster V 4.exe	91
PID 4012 wrote to memory of 1544	4012	Firefox Speed Booster V 4.exe	91
PID 1544 wrote to memory of 3512	1544	Firefox Speed Booster V 4.exe	92
PID 1544 wrote to memory of 3512	1544	Firefox Speed Booster V 4.exe	92
PID 1544 wrote to memory of 3512	1544	Firefox Speed Booster V 4.exe	92
PID 1544 wrote to memory of 4752	1544	Firefox Speed Booster V 4.exe	93
PID 1544 wrote to memory of 4752	1544	Firefox Speed Booster V 4.exe	93
PID 1544 wrote to memory of 4752	1544	Firefox Speed Booster V 4.exe	93
PID 1544 wrote to memory of 1944	1544	Firefox Speed Booster V 4.exe	94
PID 1544 wrote to memory of 1944	1544	Firefox Speed Booster V 4.exe	94
PID 1544 wrote to memory of 1944	1544	Firefox Speed Booster V 4.exe	94
PID 1544 wrote to memory of 4412	1544	Firefox Speed Booster V 4.exe	95
PID 1544 wrote to memory of 4412	1544	Firefox Speed Booster V 4.exe	95
PID 1544 wrote to memory of 4412	1544	Firefox Speed Booster V 4.exe	95
PID 1944 wrote to memory of 760	1944	cmd.exe	100
PID 1944 wrote to memory of 760	1944	cmd.exe	100
PID 1944 wrote to memory of 760	1944	cmd.exe	100
PID 4412 wrote to memory of 2756	4412	cmd.exe	101
PID 4412 wrote to memory of 2756	4412	cmd.exe	101
PID 4412 wrote to memory of 2756	4412	cmd.exe	101
PID 3512 wrote to memory of 232	3512	cmd.exe	102
PID 3512 wrote to memory of 232	3512	cmd.exe	102
PID 3512 wrote to memory of 232	3512	cmd.exe	102
PID 4752 wrote to memory of 220	4752	cmd.exe	103
PID 4752 wrote to memory of 220	4752	cmd.exe	103
PID 4752 wrote to memory of 220	4752	cmd.exe	103

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6453b926503f0a47ace96ee12c18bc33.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6453b926503f0a47ace96ee12c18bc33.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1948
- C:\Users\Admin\AppData\Local\Temp\Firefox Speed Booster V 4.exe
  "C:\Users\Admin\AppData\Local\Temp\Firefox Speed Booster V 4.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4012
- - C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe
    "C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe"
    3⤵
    - Adds policy Run key to start application
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1544
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3512
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        5⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:232
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe:*:Enabled:Windows Messanger" /f
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4752
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe:*:Enabled:Windows Messanger" /f
        5⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:220
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1944
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        5⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:760
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\svchoster.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\svchoster.exe:*:Enabled:Windows Messanger" /f
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4412
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\svchoster.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\svchoster.exe:*:Enabled:Windows Messanger" /f
        5⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2756
- C:\Users\Admin\AppData\Local\Temp\SVCH0ST.exe
  "C:\Users\Admin\AppData\Local\Temp\SVCH0ST.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3988
- - C:\Users\Admin\AppData\Local\Temp\SVCH0ST.exe
    C:\Users\Admin\AppData\Local\Temp\SVCH0ST.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Firefox Speed Booster V 4.exe

Filesize
532KB

MD5
a1fbc2ee381a4981c973ad8efd275e92

SHA1
ddc036889893267d8917facc48b1e3eea380f6f0

SHA256
2b361e099e0af9eed2f67973873a189c290b1f32984dc2f560d277b8e1c87a72

SHA512
b4482c7984c5676618db162accfcd507752c1463fdb40259056e14a17bb8b05cc99763b37004f6dd12d1c5e3deb00c323e6f76703d6fe47655636979e809c277

Download Submit
C:\Users\Admin\AppData\Local\Temp\SVCH0ST.exe

Filesize
444KB

MD5
cc3f40aaa43594aa6bdeb476e1e734c6

SHA1
e2268857d09aa6179f6bc50579c616f34d912545

SHA256
622997cc3aa13d63bb0a01a50082f36753d86e96b0af2b3ad78de9d46f33ffdd

SHA512
0fc5a0c3288086ffecc8149eb3bfcd585fc3cb43814df9379e738cf1d0d1ff660dfc8b1db32c7a8c62e38f5b59d4d9ed7c22e9473b19919c5c26b6c696264b77

Download Submit
C:\Users\Admin\AppData\Local\Temp\license.dll

Filesize
13KB

MD5
b5afa963a369efefb8f905594bafa2df

SHA1
18a2375501100007a067944f6c2f494fd085528e

SHA256
58fb10a17191f36961266e5a0153e81219f6c99b464b3998e8e75d636151ae95

SHA512
7ac1c5c9c9a66dff9a43aa055288a7ec8deec1c7e2b74a18a7e2509409df4094b0bf6d789bca59fd2ef3045cb768d1d9979779dcf68a91332ec1cf9c6bf118de

Download Submit
C:\Users\Admin\AppData\Roaming\Firefox Speed Booster V 4.exe

Filesize
16KB

MD5
02172c9f873de4309101c7b0aa635bb7

SHA1
fc33532d22494d1c5e841961e21dd3fcac6154cf

SHA256
cfba657e65e098fc8c5c23a260b3d1f9d0769c255b03531b7aa34a2845153a13

SHA512
bfa7fb080abb825d2cdbff2d7a7ba30f21ff20c81f30e902f826b00a63f2fe1b02f6eb77c6db8487dd31140540fcdae46ce32d6314586d68c58df787f5d6e754

Download Submit
memory/1544-65-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1544-69-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1544-78-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1544-76-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1544-74-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1544-73-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1544-49-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1544-71-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1544-53-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1544-70-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1544-66-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1544-63-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1544-62-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4012-61-0x0000000073A70000-0x0000000074021000-memory.dmp

Filesize
5.7MB

Download
memory/4012-19-0x0000000073A72000-0x0000000073A73000-memory.dmp

Filesize
4KB

Download
memory/4012-60-0x0000000073A70000-0x0000000074021000-memory.dmp

Filesize
5.7MB

Download
memory/4012-59-0x0000000073A72000-0x0000000073A73000-memory.dmp

Filesize
4KB

Download
memory/4012-23-0x0000000073A70000-0x0000000074021000-memory.dmp

Filesize
5.7MB

Download
memory/4012-24-0x0000000073A70000-0x0000000074021000-memory.dmp

Filesize
5.7MB

Download
memory/4016-27-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4016-34-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4016-31-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4016-30-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads