blackshades | 3364346db0f071150f401d19894c30ce61b0de0ef3b3c0f473991f6e4e83fa3e

Analysis

max time kernel
149s
max time network
142s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
25/02/2025, 22:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3364346db0f071150f401d19894c30ce61b0de0ef3b3c0f473991f6e4e83fa3e.exe
Size

520KB
MD5

2168141fcf982917e05f4981a174947b
SHA1

212a5c866bbafabbf56df672313a81b6a722337b
SHA256

3364346db0f071150f401d19894c30ce61b0de0ef3b3c0f473991f6e4e83fa3e
SHA512

6e7c1a8e13699214732b2079b3e13a3ce53d4818713fb0bccae6467d22287d78dfd80afe4c061e325523148228a806cec4ed5aa13c312843f835bbedb0ab7656
SSDEEP

12288:zW6n3sX4yCFr2ZemYOpSPIsGWeKZl4q7sioXb:zW6ncoyqOp6IsTl/mXb

Score

10^/10

blackshades defense_evasion discovery persistence rat

Malware Config

Signatures

Blackshades
Blackshades is a remote access trojan with various capabilities.
rat blackshades
Blackshades family
blackshades

Blackshades payload 11 IoCs

resource	yara_rule
behavioral1/memory/2740-501-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/2740-506-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/2740-507-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/2740-509-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/2740-510-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/2740-511-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/2740-513-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/2740-514-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/2740-517-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/2740-519-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/2740-521-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades

Modifies firewall policy service 3 TTPs 8 IoCs

defense_evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\SMFLSDERXOWKVLH\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SMFLSDERXOWKVLH\\service.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\service.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe

Executes dropped EXE 19 IoCs

pid	Process
2636	service.exe
2820	service.exe
2100	service.exe
536	service.exe
2248	service.exe
2480	service.exe
1796	service.exe
1780	service.exe
2660	service.exe
2920	service.exe
636	service.exe
1432	service.exe
2972	service.exe
1256	service.exe
1332	service.exe
1840	service.exe
892	service.exe
2804	service.exe
2740	service.exe

Loads dropped DLL 37 IoCs

pid	Process
2996	3364346db0f071150f401d19894c30ce61b0de0ef3b3c0f473991f6e4e83fa3e.exe
2996	3364346db0f071150f401d19894c30ce61b0de0ef3b3c0f473991f6e4e83fa3e.exe
2636	service.exe
2636	service.exe
2820	service.exe
2820	service.exe
2100	service.exe
2100	service.exe
536	service.exe
536	service.exe
2248	service.exe
2248	service.exe
2480	service.exe
2480	service.exe
1796	service.exe
1796	service.exe
1780	service.exe
1780	service.exe
2660	service.exe
2660	service.exe
2920	service.exe
2920	service.exe
636	service.exe
636	service.exe
1432	service.exe
1432	service.exe
2972	service.exe
2972	service.exe
1256	service.exe
1256	service.exe
1332	service.exe
1332	service.exe
1840	service.exe
1840	service.exe
892	service.exe
892	service.exe
2804	service.exe

Adds Run key to start application 2 TTPs 18 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\OLLWTRVQYMOAGNN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UNMUIHJECJEUIPK\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\TFCGBJVWRPSHVDM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FNFXOLGAAPQNWIO\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\URFRCBFXWTUGMTU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TSCONPKIPLAOVEQ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\MTXJHLGOCDWUDDW = "C:\\Users\\Admin\\AppData\\Local\\Temp\\KCSBJTPKFEUVSBB\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\KYFOXVGCNGHXQTU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XRJPWIIBVACTPPL\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\RJSOJSETDTURALS = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MIWUKVOMPAFKYXJ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\YLNIGJYMTCOSDPA = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ENXFBQUGHEMFJYA\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\GTAJXTRBWICWYDT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SMFLSDERXOWKVLH\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSXJHLGOCDWUDDW = "C:\\Users\\Admin\\AppData\\Local\\Temp\\KCSBJTPKFETUSAB\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\RWTHTEDHYUVIOVV = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VBUEQPQMKRMCQXG\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\YBLRYKAACESNMHC = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HVQTXVYJNTAGDSR\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\WVHPGYQMHXQCRBQ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\KNYCVTCVLBGPGFQ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\QPBJBTKHBRLMVYL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\LOEWUDXMDIARIGR\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\QDLCUMIDTMNWMNK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FBXQVOEOIGIVWER\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\VHNUUFYANWJIWDT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DQMPTRTFJOCOWNB\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\SOCOXCUYTQRDJQR = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BTMRYKAKEYCFVRS\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\SRVIMIFWUKKMHAE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\PRHBYGQGLDULJAU\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\HMJJURPTOWKMELL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SLKSGFHCAHCXSGN\\service.exe"	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3364346db0f071150f401d19894c30ce61b0de0ef3b3c0f473991f6e4e83fa3e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
2476	reg.exe
2936	reg.exe
2660	reg.exe
2116	reg.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

description	pid	Process
Token: 1	2740	service.exe
Token: SeCreateTokenPrivilege	2740	service.exe
Token: SeAssignPrimaryTokenPrivilege	2740	service.exe
Token: SeLockMemoryPrivilege	2740	service.exe
Token: SeIncreaseQuotaPrivilege	2740	service.exe
Token: SeMachineAccountPrivilege	2740	service.exe
Token: SeTcbPrivilege	2740	service.exe
Token: SeSecurityPrivilege	2740	service.exe
Token: SeTakeOwnershipPrivilege	2740	service.exe
Token: SeLoadDriverPrivilege	2740	service.exe
Token: SeSystemProfilePrivilege	2740	service.exe
Token: SeSystemtimePrivilege	2740	service.exe
Token: SeProfSingleProcessPrivilege	2740	service.exe
Token: SeIncBasePriorityPrivilege	2740	service.exe
Token: SeCreatePagefilePrivilege	2740	service.exe
Token: SeCreatePermanentPrivilege	2740	service.exe
Token: SeBackupPrivilege	2740	service.exe
Token: SeRestorePrivilege	2740	service.exe
Token: SeShutdownPrivilege	2740	service.exe
Token: SeDebugPrivilege	2740	service.exe
Token: SeAuditPrivilege	2740	service.exe
Token: SeSystemEnvironmentPrivilege	2740	service.exe
Token: SeChangeNotifyPrivilege	2740	service.exe
Token: SeRemoteShutdownPrivilege	2740	service.exe
Token: SeUndockPrivilege	2740	service.exe
Token: SeSyncAgentPrivilege	2740	service.exe
Token: SeEnableDelegationPrivilege	2740	service.exe
Token: SeManageVolumePrivilege	2740	service.exe
Token: SeImpersonatePrivilege	2740	service.exe
Token: SeCreateGlobalPrivilege	2740	service.exe
Token: 31	2740	service.exe
Token: 32	2740	service.exe
Token: 33	2740	service.exe
Token: 34	2740	service.exe
Token: 35	2740	service.exe

Suspicious use of SetWindowsHookEx 22 IoCs

pid	Process
2996	3364346db0f071150f401d19894c30ce61b0de0ef3b3c0f473991f6e4e83fa3e.exe
2636	service.exe
2820	service.exe
2100	service.exe
536	service.exe
2248	service.exe
2480	service.exe
1796	service.exe
1780	service.exe
2660	service.exe
2920	service.exe
636	service.exe
1432	service.exe
2972	service.exe
1256	service.exe
1332	service.exe
1840	service.exe
892	service.exe
2804	service.exe
2740	service.exe
2740	service.exe
2740	service.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2996 wrote to memory of 1044	2996	3364346db0f071150f401d19894c30ce61b0de0ef3b3c0f473991f6e4e83fa3e.exe	30
PID 2996 wrote to memory of 1044	2996	3364346db0f071150f401d19894c30ce61b0de0ef3b3c0f473991f6e4e83fa3e.exe	30
PID 2996 wrote to memory of 1044	2996	3364346db0f071150f401d19894c30ce61b0de0ef3b3c0f473991f6e4e83fa3e.exe	30
PID 2996 wrote to memory of 1044	2996	3364346db0f071150f401d19894c30ce61b0de0ef3b3c0f473991f6e4e83fa3e.exe	30
PID 1044 wrote to memory of 2776	1044	cmd.exe	32
PID 1044 wrote to memory of 2776	1044	cmd.exe	32
PID 1044 wrote to memory of 2776	1044	cmd.exe	32
PID 1044 wrote to memory of 2776	1044	cmd.exe	32
PID 2996 wrote to memory of 2636	2996	3364346db0f071150f401d19894c30ce61b0de0ef3b3c0f473991f6e4e83fa3e.exe	33
PID 2996 wrote to memory of 2636	2996	3364346db0f071150f401d19894c30ce61b0de0ef3b3c0f473991f6e4e83fa3e.exe	33
PID 2996 wrote to memory of 2636	2996	3364346db0f071150f401d19894c30ce61b0de0ef3b3c0f473991f6e4e83fa3e.exe	33
PID 2996 wrote to memory of 2636	2996	3364346db0f071150f401d19894c30ce61b0de0ef3b3c0f473991f6e4e83fa3e.exe	33
PID 2636 wrote to memory of 2932	2636	service.exe	34
PID 2636 wrote to memory of 2932	2636	service.exe	34
PID 2636 wrote to memory of 2932	2636	service.exe	34
PID 2636 wrote to memory of 2932	2636	service.exe	34
PID 2932 wrote to memory of 2328	2932	cmd.exe	36
PID 2932 wrote to memory of 2328	2932	cmd.exe	36
PID 2932 wrote to memory of 2328	2932	cmd.exe	36
PID 2932 wrote to memory of 2328	2932	cmd.exe	36
PID 2636 wrote to memory of 2820	2636	service.exe	37
PID 2636 wrote to memory of 2820	2636	service.exe	37
PID 2636 wrote to memory of 2820	2636	service.exe	37
PID 2636 wrote to memory of 2820	2636	service.exe	37
PID 2820 wrote to memory of 1632	2820	service.exe	38
PID 2820 wrote to memory of 1632	2820	service.exe	38
PID 2820 wrote to memory of 1632	2820	service.exe	38
PID 2820 wrote to memory of 1632	2820	service.exe	38
PID 1632 wrote to memory of 1964	1632	cmd.exe	40
PID 1632 wrote to memory of 1964	1632	cmd.exe	40
PID 1632 wrote to memory of 1964	1632	cmd.exe	40
PID 1632 wrote to memory of 1964	1632	cmd.exe	40
PID 2820 wrote to memory of 2100	2820	service.exe	41
PID 2820 wrote to memory of 2100	2820	service.exe	41
PID 2820 wrote to memory of 2100	2820	service.exe	41
PID 2820 wrote to memory of 2100	2820	service.exe	41
PID 2100 wrote to memory of 1148	2100	service.exe	42
PID 2100 wrote to memory of 1148	2100	service.exe	42
PID 2100 wrote to memory of 1148	2100	service.exe	42
PID 2100 wrote to memory of 1148	2100	service.exe	42
PID 1148 wrote to memory of 2448	1148	cmd.exe	44
PID 1148 wrote to memory of 2448	1148	cmd.exe	44
PID 1148 wrote to memory of 2448	1148	cmd.exe	44
PID 1148 wrote to memory of 2448	1148	cmd.exe	44
PID 2100 wrote to memory of 536	2100	service.exe	45
PID 2100 wrote to memory of 536	2100	service.exe	45
PID 2100 wrote to memory of 536	2100	service.exe	45
PID 2100 wrote to memory of 536	2100	service.exe	45
PID 536 wrote to memory of 1696	536	service.exe	46
PID 536 wrote to memory of 1696	536	service.exe	46
PID 536 wrote to memory of 1696	536	service.exe	46
PID 536 wrote to memory of 1696	536	service.exe	46
PID 1696 wrote to memory of 2836	1696	cmd.exe	48
PID 1696 wrote to memory of 2836	1696	cmd.exe	48
PID 1696 wrote to memory of 2836	1696	cmd.exe	48
PID 1696 wrote to memory of 2836	1696	cmd.exe	48
PID 536 wrote to memory of 2248	536	service.exe	49
PID 536 wrote to memory of 2248	536	service.exe	49
PID 536 wrote to memory of 2248	536	service.exe	49
PID 536 wrote to memory of 2248	536	service.exe	49
PID 2248 wrote to memory of 2404	2248	service.exe	50
PID 2248 wrote to memory of 2404	2248	service.exe	50
PID 2248 wrote to memory of 2404	2248	service.exe	50
PID 2248 wrote to memory of 2404	2248	service.exe	50

C:\Users\Admin\AppData\Local\Temp\3364346db0f071150f401d19894c30ce61b0de0ef3b3c0f473991f6e4e83fa3e.exe
"C:\Users\Admin\AppData\Local\Temp\3364346db0f071150f401d19894c30ce61b0de0ef3b3c0f473991f6e4e83fa3e.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2996
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\TempXQWIE.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1044
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "YBLRYKAACESNMHC" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HVQTXVYJNTAGDSR\service.exe" /f
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:2776
- C:\Users\Admin\AppData\Local\Temp\HVQTXVYJNTAGDSR\service.exe
  "C:\Users\Admin\AppData\Local\Temp\HVQTXVYJNTAGDSR\service.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2636
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\TempWSRGP.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2932
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OLLWTRVQYMOAGNN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UNMUIHJECJEUIPK\service.exe" /f
      4⤵
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      PID:2328
- - C:\Users\Admin\AppData\Local\Temp\UNMUIHJECJEUIPK\service.exe
    "C:\Users\Admin\AppData\Local\Temp\UNMUIHJECJEUIPK\service.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2820
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\TempRPXJP.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1632
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WVHPGYQMHXQCRBQ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KNYCVTCVLBGPGFQ\service.exe" /f
        5⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1964
  - - C:\Users\Admin\AppData\Local\Temp\KNYCVTCVLBGPGFQ\service.exe
      "C:\Users\Admin\AppData\Local\Temp\KNYCVTCVLBGPGFQ\service.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2100
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempMSEAK.bat" "
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1148
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "VHNUUFYANWJIWDT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DQMPTRTFJOCOWNB\service.exe" /f
        6⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2448
    - - C:\Users\Admin\AppData\Local\Temp\DQMPTRTFJOCOWNB\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DQMPTRTFJOCOWNB\service.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:536
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempMJSEK.bat" "
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1696
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QPBJBTKHBRLMVYL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\LOEWUDXMDIARIGR\service.exe" /f
        7⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2836
      - C:\Users\Admin\AppData\Local\Temp\LOEWUDXMDIARIGR\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LOEWUDXMDIARIGR\service.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2248
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempTFLQC.bat" "
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2404
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QDLCUMIDTMNWMNK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FBXQVOEOIGIVWER\service.exe" /f
        8⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2028
        
        C:\Users\Admin\AppData\Local\Temp\FBXQVOEOIGIVWER\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\FBXQVOEOIGIVWER\service.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2480
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempDXBMK.bat" "
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1552
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TFCGBJVWRPSHVDM" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FNFXOLGAAPQNWIO\service.exe" /f
        9⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1228
        
        C:\Users\Admin\AppData\Local\Temp\FNFXOLGAAPQNWIO\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\FNFXOLGAAPQNWIO\service.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1796
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempCVVKS.bat" "
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2128
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SOCOXCUYTQRDJQR" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BTMRYKAKEYCFVRS\service.exe" /f
        10⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1724
        
        C:\Users\Admin\AppData\Local\Temp\BTMRYKAKEYCFVRS\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BTMRYKAKEYCFVRS\service.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1780
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempFOKYX.bat" "
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2916
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SRVIMIFWUKKMHAE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\PRHBYGQGLDULJAU\service.exe" /f
        11⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2056
        
        C:\Users\Admin\AppData\Local\Temp\PRHBYGQGLDULJAU\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\PRHBYGQGLDULJAU\service.exe"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2660
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempFYYNV.bat" "
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2688
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "URFRCBFXWTUGMTU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TSCONPKIPLAOVEQ\service.exe" /f
        12⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2708
        
        C:\Users\Admin\AppData\Local\Temp\TSCONPKIPLAOVEQ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TSCONPKIPLAOVEQ\service.exe"
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2920
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempMIQHF.bat" "
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:2756
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MTXJHLGOCDWUDDW" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KCSBJTPKFEUVSBB\service.exe" /f
        13⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2908
        
        C:\Users\Admin\AppData\Local\Temp\KCSBJTPKFEUVSBB\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KCSBJTPKFEUVSBB\service.exe"
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:636
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempMHQHF.bat" "
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:780
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MSXJHLGOCDWUDDW" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KCSBJTPKFETUSAB\service.exe" /f
        14⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1728
        
        C:\Users\Admin\AppData\Local\Temp\KCSBJTPKFETUSAB\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KCSBJTPKFETUSAB\service.exe"
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1432
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempXDVUQ.bat" "
        14⤵
        System Location Discovery: System Language Discovery
        
        PID:1204
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "YLNIGJYMTCOSDPA" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ENXFBQUGHEMFJYA\service.exe" /f
        15⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2516
        
        C:\Users\Admin\AppData\Local\Temp\ENXFBQUGHEMFJYA\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ENXFBQUGHEMFJYA\service.exe"
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2972
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempGAOXK.bat" "
        15⤵
        System Location Discovery: System Language Discovery
        
        PID:536
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RWTHTEDHYUVIOVV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\VBUEQPQMKRMCQXG\service.exe" /f
        16⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:816
        
        C:\Users\Admin\AppData\Local\Temp\VBUEQPQMKRMCQXG\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VBUEQPQMKRMCQXG\service.exe"
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1256
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempGHENF.bat" "
        16⤵
        System Location Discovery: System Language Discovery
        
        PID:2384
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "KYFOXVGCNGHXQTU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XRJPWIIBVACTPPL\service.exe" /f
        17⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:692
        
        C:\Users\Admin\AppData\Local\Temp\XRJPWIIBVACTPPL\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XRJPWIIBVACTPPL\service.exe"
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1332
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempWIGKF.bat" "
        17⤵
        System Location Discovery: System Language Discovery
        
        PID:2480
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RJSOJSETDTURALS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MIWUKVOMPAFKYXJ\service.exe" /f
        18⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1440
        
        C:\Users\Admin\AppData\Local\Temp\MIWUKVOMPAFKYXJ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MIWUKVOMPAFKYXJ\service.exe"
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1840
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempUQYPE.bat" "
        18⤵
        System Location Discovery: System Language Discovery
        
        PID:1168
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HMJJURPTOWKMELL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SLKSGFHCAHCXSGN\service.exe" /f
        19⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1752
        
        C:\Users\Admin\AppData\Local\Temp\SLKSGFHCAHCXSGN\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SLKSGFHCAHCXSGN\service.exe"
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:892
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempMPQVC.bat" "
        19⤵
        System Location Discovery: System Language Discovery
        
        PID:2900
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "GTAJXTRBWICWYDT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SMFLSDERXOWKVLH\service.exe" /f
        20⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2784
        
        C:\Users\Admin\AppData\Local\Temp\SMFLSDERXOWKVLH\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SMFLSDERXOWKVLH\service.exe"
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2804
        
        C:\Users\Admin\AppData\Local\Temp\SMFLSDERXOWKVLH\service.exe
        
        C:\Users\Admin\AppData\Local\Temp\SMFLSDERXOWKVLH\service.exe
        20⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2740
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        21⤵
        System Location Discovery: System Language Discovery
        
        PID:2736
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        22⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2116
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\SMFLSDERXOWKVLH\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SMFLSDERXOWKVLH\service.exe:*:Enabled:Windows Messanger" /f
        21⤵
        System Location Discovery: System Language Discovery
        
        PID:2580
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\SMFLSDERXOWKVLH\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SMFLSDERXOWKVLH\service.exe:*:Enabled:Windows Messanger" /f
        22⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2660
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        21⤵
        System Location Discovery: System Language Discovery
        
        PID:2708
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        22⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2476
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f
        21⤵
        System Location Discovery: System Language Discovery
        
        PID:2996
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f
        22⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\TempCVVKS.bat

Filesize
163B

MD5
133a3fb4656dc431e688c356c81636f0

SHA1
cf26a98bf339292c4a067fb6fdb278aa80d8d844

SHA256
81cb9b68882f3b04e9674085f8799db74b4f0b7989e86f1eacb0ff4d21d6ffe1

SHA512
9a61bc8ba2da3882e75c9063cf566c1f953d262d94c32cb8e883d3a8f23fb8e5e67def9851319fc05f86c036420d0a1bf83f4bc527bd171f8d30b9a075a699bb

Download Submit
C:\Users\Admin\AppData\Local\TempDXBMK.bat

Filesize
163B

MD5
0209111bbc2fcfef39fc6801f977e786

SHA1
b124af40f009e68cad8d58a1fca9dd3af83803e5

SHA256
22b38c22966e0646cca356accc277a432c037478d4e4facdcadb1ec4184426fe

SHA512
42319942bc273dff4b2761e94e8389448b92a74beb3e35a1ca0468e8b8812a6f87f5f8e6c34e4d19f2622aa8c5d1f6564f0ec144cf8710336eb3907bb700a908

Download Submit
C:\Users\Admin\AppData\Local\TempFOKYX.bat

Filesize
163B

MD5
11b68cabe8569ca664245dab618b5c7e

SHA1
6ef2876d707696cfd3383c627c665b84b46b31fa

SHA256
ffcb75f1142bf59e3cf6428ab7783a4a61460760f50a6f8e5af7199a5285d564

SHA512
e732b5b4d1a53e2f30ee349ee8076a95d2ddbe05f0e6ef11274dc471007ba3af841c22e9ce5bb64b931b4f9c9bf5c0a11219048e6d0853e83b5a29a342b3d528

Download Submit
C:\Users\Admin\AppData\Local\TempFYYNV.bat

Filesize
163B

MD5
839d1106e87898165df42f76a5fa9125

SHA1
d6660f08080bbf0d1ae87c33bad5343120123e7b

SHA256
810660990dd89f3d36ef8f7ca9e301e8187608885a36a6643a9a2a51130bcb61

SHA512
5cfd7c2cdda1296769ed2c5d7e8e5936ca801216ce4ea7715e4b154f57e74ce7a7f6e3dce7771bf00cac0229b838671220f61ee9555752c9010de8f4b557681b

Download Submit
C:\Users\Admin\AppData\Local\TempGAOXK.bat

Filesize
163B

MD5
2300cb5af7e72558b1df29662f6ab94a

SHA1
effadf47e13d552146544ba3057559caa0e2782b

SHA256
38cf66d051374eec243a0a680b5050ae5f46f836a0ad01f1916fcc26b9abed9f

SHA512
6c33bc25136836c2f41c51a773bb9a0a3974cfffb3b7a31e8f3f6179ca37cc79be37407f12bf6dc373d8b6e0ef98dbbcef5d788b778ef3250ec43b4ffeb553ec

Download Submit
C:\Users\Admin\AppData\Local\TempGHENF.bat

Filesize
163B

MD5
d25fabf09ecb4d750d954b98c93d412f

SHA1
ea8ed935ef4a91ec148719da3fd6c69a7084ae35

SHA256
3019c2c297ace5e8c1d05be2be81148f5353268fda5b6dad38b1ae75aed45626

SHA512
7bb49eaa8030633ea1b4573d0b53aa278d2ff5a51a2eb5d81c2e3504cad8b8e11f4ae54a07839c7db2a2bd5e39f66fc0b54a8f6dc5adaad4863f5c549019ff0d

Download Submit
C:\Users\Admin\AppData\Local\TempMHQHF.bat

Filesize
163B

MD5
a5414e97da952d040b48e8c396fea4d0

SHA1
57fc81d07d933bc1abf80608360ee10ced574a07

SHA256
852fdba6e9e396ef093c00a2e8149dba075859fe89e552cdb9dfd8d0bbea15b5

SHA512
edef55b41c1c6b61812ff93816e3b3e5d9ce1ac49089ce0fff8ba7a5f41f6416f3a912930f10e8a8d57d0b119d9d284064ecac614f152ff5c9d12c3667e0fdf4

Download Submit
C:\Users\Admin\AppData\Local\TempMIQHF.bat

Filesize
163B

MD5
d0599a1e9a892afe76f42cbe1bcf621c

SHA1
ef751a540b9b623e2c20f82c4d24cb47e27b33e5

SHA256
95db162aae0b0d9018face50a8affef69cc31f339c4dceecb5f7cad02364a436

SHA512
6e71ddfb6486872377e67212b129d25ed46df1337bcc08734a9c8caa3f292d8ac73b1a4cfa962ccf9263946ecb6fe7b865faa7c075cee1dadee17a49854b9708

Download Submit
C:\Users\Admin\AppData\Local\TempMJSEK.bat

Filesize
163B

MD5
e77159f9400b36307346f4e838d3548f

SHA1
ea8e54a5773dcd1120a94024f3937219e6d18615

SHA256
6d6b2cfe9cf7c84965ecc5807b8d8f8713ba7a47112b81da77e12d8373a78ea6

SHA512
c95bf5507d262f35b7f14f669a764db383d2e7a453f24a077ffb10449f8e7d399655b025f63e7db4afec1d2a3cdb747848dfdaf6bd8cd490847704724198b51e

Download Submit
C:\Users\Admin\AppData\Local\TempMPQVC.bat

Filesize
163B

MD5
01005956b2e2f9618ee5d54677a17f9e

SHA1
d06659adf8a2855ee3ad04156b940a9563c9dc64

SHA256
ee05376f2a67ea7274259ca95873248ea3ee11b830ec3c4337651ad369e0a20a

SHA512
56de6a0800e4b55ff3bc177e923cc78f83c3254a186d5b876c4085c203f4d4b40785e8609e44074873823e1fa2b6970c8c30d677f1701b53c77efd33daa125ba

Download Submit
C:\Users\Admin\AppData\Local\TempMSEAK.bat

Filesize
163B

MD5
9c319adb38135438ce4e189b1d1ca26c

SHA1
a8f79ceedc291be87206849e55feb43bf9286818

SHA256
2be86f1e707fc160c1481ba1d3927637a448f54aae306431819701e1001131b2

SHA512
03bee7f6de91ecaeab48b7d5afd3e2af2a75ad497066209911450620f8d222fcc80e79a148c548676fb4d86d0836fc0e172095be20dbeae1114960799f8eef41

Download Submit
C:\Users\Admin\AppData\Local\TempRPXJP.bat

Filesize
163B

MD5
37c862667a98ccfe62f37f7246d5f9ca

SHA1
e89f151a97c536eaf1543a6d5ffb38938c434f57

SHA256
e71ca55cc24ebcf30c6cd17e758477294856ee373130cd0a6c258c749e6d8d62

SHA512
19c5d50aae93e70b16cf2a7e64c9321f24b0895401848713641f0e9f8538c660bb31ca0719892d1f2c04a48dd2b3698e6097c0c5ee2f95269576e5639b0d5c4b

Download Submit
C:\Users\Admin\AppData\Local\TempTFLQC.bat

Filesize
163B

MD5
332be4124670305d4298ce7777bff4f5

SHA1
32e7f0d04b0d74095b0d000cce9694b8c502cbbc

SHA256
59a598fa4e8fb77b311d695f3ad63850786546b35ba9e572b79ca00587f72c01

SHA512
ce0e32ff59f98461f51eb0196db1a6f551860aeaa67cb322be0337092353e2994b98c3eb12b033973c019f2079471e87f06f7ea8d24db890e05f112818dc2037

Download Submit
C:\Users\Admin\AppData\Local\TempUQYPE.bat

Filesize
163B

MD5
e5f6bb61139965cb6eb667a51c1c94dc

SHA1
28029916e0b2629120efac44758bac285fe4288f

SHA256
de653e425d22be0931c13a52d954bc15f722f65167d1e43906f7e363bb1e0e5e

SHA512
b83b86d6fa5b8d1491834b09c9e811c38ed253423e275b069b7fc502d070bf72eb249ee8581d109096f9ba94539323f0ad669ef122c013b8b8cd0e35bed57952

Download Submit
C:\Users\Admin\AppData\Local\TempWIGKF.bat

Filesize
163B

MD5
b96c1ebb8b5ae79aaf417f1571d5ca9d

SHA1
4c6aaa43c13cdaedfa9081a4b25ce410d9f7c22f

SHA256
5d01af8e8cfdfc694da1b87e6cf5e43d43c0ebd49c7683ad8bd1f7e6a3bdb85d

SHA512
63a1dc44375831ad55eb83976cdcfcbed3c69f6d6eae78802ec684e4c77dbb29d477e29cfff6d57c1916b43687d7180e4c4620abe20b5bcb611eef764fe3b60f

Download Submit
C:\Users\Admin\AppData\Local\TempWSRGP.bat

Filesize
163B

MD5
37450be2103b6bd05f77ac81bd64999d

SHA1
e6e0087e881ef57b93c85b257bf746ca289b4c43

SHA256
7de2ec0d83e6453074123125a857167f8c16b00ea4a99bba49d9f1f4c6ebd838

SHA512
4e5ac6cefc77d2db677b4f681166e21ea2bfdd525fcfbb04a2adcaf68735ffa2ff49b30df14955cb7a4187c541061f4593104350a653c8423d526a3054e1759f

Download Submit
C:\Users\Admin\AppData\Local\TempXDVUQ.bat

Filesize
163B

MD5
7c6b33b25d35867115c50b05fb15d28c

SHA1
f5f68fa6d475b45caa2b11fdf94f3fb337076a67

SHA256
065d97e5c0a93d56928136cc5a1e1bda166f3bb2d6d15edadafb7defa3897ab2

SHA512
4664b3f2b417375889cd0f404be9f2771a261707e07c782299f90b0efef80cf43e6278a8faec5a69f303b588c0d49d7e9d71ba2b8ef6051c6f258ce735db8b93

Download Submit
C:\Users\Admin\AppData\Local\TempXQWIE.bat

Filesize
163B

MD5
a563256e5b27640c5a670a6df0c4f257

SHA1
815cbc4a223458f04c83ddf253b015d28a557279

SHA256
fbef3874bdcc41b2fbc097b0f0a90022535cfa3ea8f899e4dcbf482ffa193461

SHA512
a4c75a9cbc67071cc5feaff3990183fb08561305d95ee8fb76b231235fe5cfd7dcec356693e3c9de0987a3e2ea3a64934dde5907906c8f45f52433f5f52a8ea0

Download Submit
C:\Users\Admin\AppData\Local\Temp\BTMRYKAKEYCFVRS\service.exe

Filesize
520KB

MD5
f397a0e699dc98c2bfb02b035b265496

SHA1
f6c86e59f700143eba89b964c2494c29a246baad

SHA256
837c9e0ac427f9964a156398f01d5f4ad6302942c49b6292ad24b20fc9f9ab25

SHA512
deff4df800b3245165d50ebc33da2d02dd2c2b88e498abb25b43098ffa0d28d21536148e0ab1f224d8052e2d92b39c9854651f3c6a0c85c3613877b3bea6582c

Download Submit
C:\Users\Admin\AppData\Local\Temp\DQMPTRTFJOCOWNB\service.exe

Filesize
520KB

MD5
397d2ffd10ce80ab4f735bfefc7adaf4

SHA1
37b845b3c3118e7884c1a215ca246ab35cfb5974

SHA256
c898f402eccbae13bf8c7d34931bbf5ca311c5f59e1f9d6f076fd30e9655c72f

SHA512
ed9ac60d959e198303e0e46dc39c490612efc1b26443ac83778a0ee40a13e792e2b86127bc55f21c8a74228f7933b31a042462d72a8222725d0a1d480c4cb64c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ENXFBQUGHEMFJYA\service.exe

Filesize
520KB

MD5
19e5069c7220126acfa99d3369955d98

SHA1
7ffa07b5393e478b503d6bfd03b5b23712983f39

SHA256
3a70c172ef7a551e7a588bed6b6a2d26f6cc0a268aace16a305ba3a8fccde69d

SHA512
376e75522dfa6e1d2e037f139e0185f0d8be5695fa0d9e1b8c017ca2876dd25c09c597789e07bd9bdaf905a631c915b9d01e19c0e0dfeea2ff4b8a299c42a562

Download Submit
C:\Users\Admin\AppData\Local\Temp\FNFXOLGAAPQNWIO\service.exe

Filesize
520KB

MD5
df8df4acf2e6ebeba85f0ac55c2615d2

SHA1
322e7221b932b9cdbe5a1bbb587ae1d85e805297

SHA256
c736a8499ad18ee9124de261458892f9724ca5148e856e2595361acada7eedc3

SHA512
f1f96ab0acafab50eb629f1da91ee94de166a985a1d2d85e34b0d03a9321fef7e9a56d7809c5e94910a32b85fe44054c1961345e32316998a91cc4630b5756ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\HVQTXVYJNTAGDSR\service.exe

Filesize
520KB

MD5
7175f38353d4109884ba30cf44819010

SHA1
65cee5607680e5306273467f699edd424561b18c

SHA256
b285d9cdf01ff78403680f29bba210f8c99ad09c1fcf973488a9288b06edde4b

SHA512
fafeea4b30abef40336961cf83a11c60fcd00ae97e389d4a599609dce155d385e37aeaa465d16258aea3b8c44676a905b45884977a7edd98df29cd2e93b645f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\KCSBJTPKFEUVSBB\service.exe

Filesize
520KB

MD5
a4db63f61e6a5d775468fc399f7a2c4c

SHA1
893adb5a90ede7ea76f4a3656ceca5a166974c7f

SHA256
ba3207352710965eb65862f24173bdd008609c007d2dca538b9c6fd2e22ec16c

SHA512
d3cb694f54e7806fab002e83c91211c0b7d1e3d402abd6de6a420c0d16cd2fd7a023c0d07646d6e6721cb7a18ede39e8c674615c40cc4794df194d9f4608d7cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\PRHBYGQGLDULJAU\service.exe

Filesize
520KB

MD5
ba7c27413e7d8f473266df139dd8ce10

SHA1
be44daaac74320a966d6bfe9541fca43e9ac6a91

SHA256
96a5984c815a3f65f500962929f66ba5ec049e0feafaae9a1506edccb358dcf3

SHA512
293a095fe95717a3d176d478eb2dfafc89373299b4989bbbfa3f7a34d20bf9d0dac733cce16cad14f83bb49f8d830a9821786c12860f5632184e256eac41b006

Download Submit
C:\Users\Admin\AppData\Local\Temp\UNMUIHJECJEUIPK\service.exe

Filesize
520KB

MD5
771947c66c6bf245695c6b1d98a601ac

SHA1
788f039663e5d045287c882cc9da88ad585319c1

SHA256
6fc61f1b4368f145435a32bc3f3a9735d0d6505058972abf5dcbcde6a06d2650

SHA512
35df06dc7f3cb5aed14a943fb0324359434c70d06caaef872a6737623558e67ecb295964769ae2a32e51fb995d03c6f6db3e69d3d50d5383c85b4c15de7c2a58

Download Submit
\Users\Admin\AppData\Local\Temp\FBXQVOEOIGIVWER\service.exe

Filesize
520KB

MD5
9d9cfe2fe3aa67faaa2e105b960a7d21

SHA1
5015781bc3a0eedf9093a4ed93136407900ed384

SHA256
61a6380559a4a3b3b92167eb722e17b0edd284c8bcd6f2f066e6a23dcfa62c92

SHA512
72f4daa9921a67b03e2eb7235d674e403f7ba16c6135d355bc1f14301dfe85811943a2a7e29d2f9bb6567024e53ad0506fed5518b455c2cf5a37a211486168a1

Download Submit
\Users\Admin\AppData\Local\Temp\KCSBJTPKFETUSAB\service.exe

Filesize
520KB

MD5
e6b80abae17686feac89d657953574ef

SHA1
ec0525dfc4c7781dc72b379171a145ae9a9dff3b

SHA256
0b069f9d5faa8af91efb08a01980746efe6bcc4e705e5d041b38b091527786cf

SHA512
e962eb789c6c3689b61ac0435667431b3a34482029942e688da06da1ccf52050e544504022447f6e226e208617ac39e0bd312814df13717d010e85315a03fb80

Download Submit
\Users\Admin\AppData\Local\Temp\KNYCVTCVLBGPGFQ\service.exe

Filesize
520KB

MD5
57ba2ca6903f57be858b83fefc333c68

SHA1
2b7f9a1be723e57db98868823a51816e5127ea2e

SHA256
1070643f5cc3e503fbbe98a81adbcb34ef5e80c8ca10c5af0e36465b1153340c

SHA512
1b37d3046194fe3cfd7db1c091bf51dc18e80a196739919f47dd13b6e8f9d275d1f77b6a4cf92001f40607dadd3eece8635abbc7ef0c0de567f91dc5defbce8d

Download Submit
\Users\Admin\AppData\Local\Temp\LOEWUDXMDIARIGR\service.exe

Filesize
520KB

MD5
8fc5a2b5ea33ece96a07c2873d12ada4

SHA1
ce3966736e248575706f07b763ee46010401926b

SHA256
4e4c58c1b9ab0d5fd1f44f22202c8857a94fca769618aa2c4d165b0ef7fc162a

SHA512
ebb00fe5ccd24b62c89a5744a305ed3f0742ad50ea2303a5bfed2941d656a0696727f5b5af044e52026e2d25aed10035aad81d25acd11bf9d29eeb0134153f22

Download Submit
\Users\Admin\AppData\Local\Temp\TSCONPKIPLAOVEQ\service.exe

Filesize
520KB

MD5
ef381899105c388cdd715cbd3a7d6372

SHA1
0fb84a5b961b3f6914f40fe3a03adbb658ae3763

SHA256
98ac10462e133d0f6c76d253928db434997ab53234c36bf9f36257f07639d37f

SHA512
09de0e890259095f654851426460f7eb660fdd54ad9fc9b2c7f30910e5dcb565734366df423753a83279c934fc0dafea11b3876300de11db71b3724479e8b232

Download Submit
memory/2740-510-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2740-506-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2740-507-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2740-509-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2740-501-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2740-511-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2740-513-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2740-514-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2740-517-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2740-519-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2740-521-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads