blackshades | 3e8903c39c33c28c3dd3a5f2116750f1ddc6a287cdda4f405c2028f439201bba

Analysis

max time kernel
149s
max time network
143s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
01/03/2025, 22:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3e8903c39c33c28c3dd3a5f2116750f1ddc6a287cdda4f405c2028f439201bba.exe
Size

520KB
MD5

231b70e02dcab0e5f503c58166606891
SHA1

56af8431911a339fcbfa02bd70dfb0a7ac3e63b6
SHA256

3e8903c39c33c28c3dd3a5f2116750f1ddc6a287cdda4f405c2028f439201bba
SHA512

5d0dc0beaccb04b0fe8f94937f5d7de6b19e0e941f39bf7dd69404d02ab036ba2d42c9d1f89a554042d383e6d86902ba8446797c0b131009b0f7d3ac201afe3a
SSDEEP

12288:zW6n3sX4yCFr2ZemYOpSPIsGWeKZl4q7sioXM:zW6ncoyqOp6IsTl/mXM

Score

10^/10

blackshades defense_evasion discovery persistence rat

Malware Config

Signatures

Blackshades
Blackshades is a remote access trojan with various capabilities.
rat blackshades
Blackshades family
blackshades

Blackshades payload 11 IoCs

resource	yara_rule
behavioral1/memory/1932-500-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/1932-505-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/1932-506-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/1932-508-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/1932-509-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/1932-510-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/1932-512-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/1932-513-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/1932-516-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/1932-517-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/1932-518-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades

Modifies firewall policy service 3 TTPs 8 IoCs

defense_evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\VYNHAGNWMRJRFQG\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VYNHAGNWMRJRFQG\\service.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\service.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe

Executes dropped EXE 19 IoCs

pid	Process
2596	service.exe
1428	service.exe
1992	service.exe
2008	service.exe
2180	service.exe
1588	service.exe
1676	service.exe
2216	service.exe
1960	service.exe
2620	service.exe
576	service.exe
1656	service.exe
1952	service.exe
1964	service.exe
840	service.exe
1956	service.exe
996	service.exe
2716	service.exe
1932	service.exe

Loads dropped DLL 37 IoCs

pid	Process
2324	3e8903c39c33c28c3dd3a5f2116750f1ddc6a287cdda4f405c2028f439201bba.exe
2324	3e8903c39c33c28c3dd3a5f2116750f1ddc6a287cdda4f405c2028f439201bba.exe
2596	service.exe
2596	service.exe
1428	service.exe
1428	service.exe
1992	service.exe
1992	service.exe
2008	service.exe
2008	service.exe
2180	service.exe
2180	service.exe
1588	service.exe
1588	service.exe
1676	service.exe
1676	service.exe
2216	service.exe
2216	service.exe
1960	service.exe
1960	service.exe
2620	service.exe
2620	service.exe
576	service.exe
576	service.exe
1656	service.exe
1656	service.exe
1952	service.exe
1952	service.exe
1964	service.exe
1964	service.exe
840	service.exe
840	service.exe
1956	service.exe
1956	service.exe
996	service.exe
996	service.exe
2716	service.exe

Adds Run key to start application 2 TTPs 18 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\CAEHSUPNQFTBJAV = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DLDUMIDXNOLTGMR\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\FBPVNEEGBHVDRQC = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HQIETXJKHPCINAD\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\INJKVSQUPWLMELM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SLKSGGHCAHDYTGN\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\DBFAITUPOQGTBKB = "C:\\Users\\Admin\\AppData\\Local\\Temp\\EMDVNJEXNOLUGMR\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\DEYAVPDKFKXGSYP = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ESORUTVHLQDBPXP\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\HMJJURPTOWKLELL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SKJRGFGCAHCXSFN\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\HXYVEEPWMKOJRFG = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NFVFNBABWCSNBIC\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\HVCLUSDXKDXEUNQ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UOGMTFFSYQYMWNI\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\XUTXKAOKIYWNNPK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RUJDCJSIOFWNBMC\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\OAIARJFAQKKUXYK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DUNTLCMFDGWSTBP\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\CYXBOESOMRDQTOH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VYNHAGNWMRJRFQG\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\SIEDQGUQOTFTVQJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\OGWFNCBCXDTOBJD\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\OGXPLGWPBQAQROW = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JFTRHSLJMYCHVUG\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\RPUHLHEVTJJLGDE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\OQGAYWFPFKCTKIT\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\GYQMHXQBRBQROXJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JFTSISLKMCHVUGP\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\OTPDPBYDVURSFKR = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YRQAYMMNIGNJMTC\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\WTRVQXMNAFMNWRR = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DUNTLCMFEGWTTBP\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\XKMHFIXLSBNRCOW = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DMWEAPTYFGDLEIX\\service.exe"	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3e8903c39c33c28c3dd3a5f2116750f1ddc6a287cdda4f405c2028f439201bba.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
3044	reg.exe
2868	reg.exe
2768	reg.exe
2588	reg.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

description	pid	Process
Token: 1	1932	service.exe
Token: SeCreateTokenPrivilege	1932	service.exe
Token: SeAssignPrimaryTokenPrivilege	1932	service.exe
Token: SeLockMemoryPrivilege	1932	service.exe
Token: SeIncreaseQuotaPrivilege	1932	service.exe
Token: SeMachineAccountPrivilege	1932	service.exe
Token: SeTcbPrivilege	1932	service.exe
Token: SeSecurityPrivilege	1932	service.exe
Token: SeTakeOwnershipPrivilege	1932	service.exe
Token: SeLoadDriverPrivilege	1932	service.exe
Token: SeSystemProfilePrivilege	1932	service.exe
Token: SeSystemtimePrivilege	1932	service.exe
Token: SeProfSingleProcessPrivilege	1932	service.exe
Token: SeIncBasePriorityPrivilege	1932	service.exe
Token: SeCreatePagefilePrivilege	1932	service.exe
Token: SeCreatePermanentPrivilege	1932	service.exe
Token: SeBackupPrivilege	1932	service.exe
Token: SeRestorePrivilege	1932	service.exe
Token: SeShutdownPrivilege	1932	service.exe
Token: SeDebugPrivilege	1932	service.exe
Token: SeAuditPrivilege	1932	service.exe
Token: SeSystemEnvironmentPrivilege	1932	service.exe
Token: SeChangeNotifyPrivilege	1932	service.exe
Token: SeRemoteShutdownPrivilege	1932	service.exe
Token: SeUndockPrivilege	1932	service.exe
Token: SeSyncAgentPrivilege	1932	service.exe
Token: SeEnableDelegationPrivilege	1932	service.exe
Token: SeManageVolumePrivilege	1932	service.exe
Token: SeImpersonatePrivilege	1932	service.exe
Token: SeCreateGlobalPrivilege	1932	service.exe
Token: 31	1932	service.exe
Token: 32	1932	service.exe
Token: 33	1932	service.exe
Token: 34	1932	service.exe
Token: 35	1932	service.exe

Suspicious use of SetWindowsHookEx 22 IoCs

pid	Process
2324	3e8903c39c33c28c3dd3a5f2116750f1ddc6a287cdda4f405c2028f439201bba.exe
2596	service.exe
1428	service.exe
1992	service.exe
2008	service.exe
2180	service.exe
1588	service.exe
1676	service.exe
2216	service.exe
1960	service.exe
2620	service.exe
576	service.exe
1656	service.exe
1952	service.exe
1964	service.exe
840	service.exe
1956	service.exe
996	service.exe
2716	service.exe
1932	service.exe
1932	service.exe
1932	service.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2324 wrote to memory of 2732	2324	3e8903c39c33c28c3dd3a5f2116750f1ddc6a287cdda4f405c2028f439201bba.exe	30
PID 2324 wrote to memory of 2732	2324	3e8903c39c33c28c3dd3a5f2116750f1ddc6a287cdda4f405c2028f439201bba.exe	30
PID 2324 wrote to memory of 2732	2324	3e8903c39c33c28c3dd3a5f2116750f1ddc6a287cdda4f405c2028f439201bba.exe	30
PID 2324 wrote to memory of 2732	2324	3e8903c39c33c28c3dd3a5f2116750f1ddc6a287cdda4f405c2028f439201bba.exe	30
PID 2732 wrote to memory of 1856	2732	cmd.exe	32
PID 2732 wrote to memory of 1856	2732	cmd.exe	32
PID 2732 wrote to memory of 1856	2732	cmd.exe	32
PID 2732 wrote to memory of 1856	2732	cmd.exe	32
PID 2324 wrote to memory of 2596	2324	3e8903c39c33c28c3dd3a5f2116750f1ddc6a287cdda4f405c2028f439201bba.exe	33
PID 2324 wrote to memory of 2596	2324	3e8903c39c33c28c3dd3a5f2116750f1ddc6a287cdda4f405c2028f439201bba.exe	33
PID 2324 wrote to memory of 2596	2324	3e8903c39c33c28c3dd3a5f2116750f1ddc6a287cdda4f405c2028f439201bba.exe	33
PID 2324 wrote to memory of 2596	2324	3e8903c39c33c28c3dd3a5f2116750f1ddc6a287cdda4f405c2028f439201bba.exe	33
PID 2596 wrote to memory of 2648	2596	service.exe	34
PID 2596 wrote to memory of 2648	2596	service.exe	34
PID 2596 wrote to memory of 2648	2596	service.exe	34
PID 2596 wrote to memory of 2648	2596	service.exe	34
PID 2648 wrote to memory of 3048	2648	cmd.exe	36
PID 2648 wrote to memory of 3048	2648	cmd.exe	36
PID 2648 wrote to memory of 3048	2648	cmd.exe	36
PID 2648 wrote to memory of 3048	2648	cmd.exe	36
PID 2596 wrote to memory of 1428	2596	service.exe	37
PID 2596 wrote to memory of 1428	2596	service.exe	37
PID 2596 wrote to memory of 1428	2596	service.exe	37
PID 2596 wrote to memory of 1428	2596	service.exe	37
PID 1428 wrote to memory of 2888	1428	service.exe	38
PID 1428 wrote to memory of 2888	1428	service.exe	38
PID 1428 wrote to memory of 2888	1428	service.exe	38
PID 1428 wrote to memory of 2888	1428	service.exe	38
PID 2888 wrote to memory of 1120	2888	cmd.exe	40
PID 2888 wrote to memory of 1120	2888	cmd.exe	40
PID 2888 wrote to memory of 1120	2888	cmd.exe	40
PID 2888 wrote to memory of 1120	2888	cmd.exe	40
PID 1428 wrote to memory of 1992	1428	service.exe	41
PID 1428 wrote to memory of 1992	1428	service.exe	41
PID 1428 wrote to memory of 1992	1428	service.exe	41
PID 1428 wrote to memory of 1992	1428	service.exe	41
PID 1992 wrote to memory of 2072	1992	service.exe	42
PID 1992 wrote to memory of 2072	1992	service.exe	42
PID 1992 wrote to memory of 2072	1992	service.exe	42
PID 1992 wrote to memory of 2072	1992	service.exe	42
PID 2072 wrote to memory of 2540	2072	cmd.exe	44
PID 2072 wrote to memory of 2540	2072	cmd.exe	44
PID 2072 wrote to memory of 2540	2072	cmd.exe	44
PID 2072 wrote to memory of 2540	2072	cmd.exe	44
PID 1992 wrote to memory of 2008	1992	service.exe	45
PID 1992 wrote to memory of 2008	1992	service.exe	45
PID 1992 wrote to memory of 2008	1992	service.exe	45
PID 1992 wrote to memory of 2008	1992	service.exe	45
PID 2008 wrote to memory of 1492	2008	service.exe	46
PID 2008 wrote to memory of 1492	2008	service.exe	46
PID 2008 wrote to memory of 1492	2008	service.exe	46
PID 2008 wrote to memory of 1492	2008	service.exe	46
PID 1492 wrote to memory of 2392	1492	cmd.exe	48
PID 1492 wrote to memory of 2392	1492	cmd.exe	48
PID 1492 wrote to memory of 2392	1492	cmd.exe	48
PID 1492 wrote to memory of 2392	1492	cmd.exe	48
PID 2008 wrote to memory of 2180	2008	service.exe	49
PID 2008 wrote to memory of 2180	2008	service.exe	49
PID 2008 wrote to memory of 2180	2008	service.exe	49
PID 2008 wrote to memory of 2180	2008	service.exe	49
PID 2180 wrote to memory of 2916	2180	service.exe	50
PID 2180 wrote to memory of 2916	2180	service.exe	50
PID 2180 wrote to memory of 2916	2180	service.exe	50
PID 2180 wrote to memory of 2916	2180	service.exe	50

C:\Users\Admin\AppData\Local\Temp\3e8903c39c33c28c3dd3a5f2116750f1ddc6a287cdda4f405c2028f439201bba.exe
"C:\Users\Admin\AppData\Local\Temp\3e8903c39c33c28c3dd3a5f2116750f1ddc6a287cdda4f405c2028f439201bba.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2324
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\TempKWHGK.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2732
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CAEHSUPNQFTBJAV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DLDUMIDXNOLTGMR\service.exe" /f
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:1856
- C:\Users\Admin\AppData\Local\Temp\DLDUMIDXNOLTGMR\service.exe
  "C:\Users\Admin\AppData\Local\Temp\DLDUMIDXNOLTGMR\service.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2596
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\TempNJXWI.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2648
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RPUHLHEVTJJLGDE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\OQGAYWFPFKCTKIT\service.exe" /f
      4⤵
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      PID:3048
- - C:\Users\Admin\AppData\Local\Temp\OQGAYWFPFKCTKIT\service.exe
    "C:\Users\Admin\AppData\Local\Temp\OQGAYWFPFKCTKIT\service.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1428
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\TempLCGUL.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2888
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FBPVNEEGBHVDRQC" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HQIETXJKHPCINAD\service.exe" /f
        5⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1120
  - - C:\Users\Admin\AppData\Local\Temp\HQIETXJKHPCINAD\service.exe
      "C:\Users\Admin\AppData\Local\Temp\HQIETXJKHPCINAD\service.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1992
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempSXDEB.bat" "
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2072
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HVCLUSDXKDXEUNQ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UOGMTFFSYQYMWNI\service.exe" /f
        6⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2540
    - - C:\Users\Admin\AppData\Local\Temp\UOGMTFFSYQYMWNI\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\UOGMTFFSYQYMWNI\service.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2008
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempVQQFO.bat" "
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1492
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "INJKVSQUPWLMELM" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SLKSGGHCAHDYTGN\service.exe" /f
        7⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2392
      - C:\Users\Admin\AppData\Local\Temp\SLKSGGHCAHDYTGN\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SLKSGGHCAHDYTGN\service.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2180
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempPUGEI.bat" "
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2916
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "GYQMHXQBRBQROXJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JFTSISLKMCHVUGP\service.exe" /f
        8⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1500
        
        C:\Users\Admin\AppData\Local\Temp\JFTSISLKMCHVUGP\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\JFTSISLKMCHVUGP\service.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1588
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempDGHQM.bat" "
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2964
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "XUTXKAOKIYWNNPK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\RUJDCJSIOFWNBMC\service.exe" /f
        9⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1820
        
        C:\Users\Admin\AppData\Local\Temp\RUJDCJSIOFWNBMC\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RUJDCJSIOFWNBMC\service.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1676
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempVKXIH.bat" "
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1808
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DBFAITUPOQGTBKB" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EMDVNJEXNOLUGMR\service.exe" /f
        10⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2532
        
        C:\Users\Admin\AppData\Local\Temp\EMDVNJEXNOLUGMR\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\EMDVNJEXNOLUGMR\service.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2216
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempMQLTI.bat" "
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2024
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DEYAVPDKFKXGSYP" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ESORUTVHLQDBPXP\service.exe" /f
        11⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2316
        
        C:\Users\Admin\AppData\Local\Temp\ESORUTVHLQDBPXP\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ESORUTVHLQDBPXP\service.exe"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1960
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempSDWWL.bat" "
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2868
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OTPDPBYDVURSFKR" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YRQAYMMNIGNJMTC\service.exe" /f
        12⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2804
        
        C:\Users\Admin\AppData\Local\Temp\YRQAYMMNIGNJMTC\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\YRQAYMMNIGNJMTC\service.exe"
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2620
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempUQYPE.bat" "
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:3016
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HMJJURPTOWKLELL" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SKJRGFGCAHCXSFN\service.exe" /f
        13⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:680
        
        C:\Users\Admin\AppData\Local\Temp\SKJRGFGCAHCXSFN\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SKJRGFGCAHCXSFN\service.exe"
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:576
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempLIQDJ.bat" "
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:2904
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OAIARJFAQKKUXYK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DUNTLCMFDGWSTBP\service.exe" /f
        14⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2560
        
        C:\Users\Admin\AppData\Local\Temp\DUNTLCMFDGWSTBP\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DUNTLCMFDGWSTBP\service.exe"
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1656
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempGPCYW.bat" "
        14⤵
        System Location Discovery: System Language Discovery
        
        PID:2384
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WTRVQXMNAFMNWRR" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DUNTLCMFEGWTTBP\service.exe" /f
        15⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2004
        
        C:\Users\Admin\AppData\Local\Temp\DUNTLCMFEGWTTBP\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DUNTLCMFEGWTTBP\service.exe"
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1952
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempMNWSA.bat" "
        15⤵
        System Location Discovery: System Language Discovery
        
        PID:1288
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SIEDQGUQOTFTVQJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\OGWFNCBCXDTOBJD\service.exe" /f
        16⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1604
        
        C:\Users\Admin\AppData\Local\Temp\OGWFNCBCXDTOBJD\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\OGWFNCBCXDTOBJD\service.exe"
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1964
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempIPTFD.bat" "
        16⤵
        System Location Discovery: System Language Discovery
        
        PID:1280
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OGXPLGWPBQAQROW" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JFTRHSLJMYCHVUG\service.exe" /f
        17⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1092
        
        C:\Users\Admin\AppData\Local\Temp\JFTRHSLJMYCHVUG\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\JFTRHSLJMYCHVUG\service.exe"
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:840
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempCUYTP.bat" "
        17⤵
        System Location Discovery: System Language Discovery
        
        PID:2964
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "XKMHFIXLSBNRCOW" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DMWEAPTYFGDLEIX\service.exe" /f
        18⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2052
        
        C:\Users\Admin\AppData\Local\Temp\DMWEAPTYFGDLEIX\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DMWEAPTYFGDLEIX\service.exe"
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1956
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempXGGPL.bat" "
        18⤵
        System Location Discovery: System Language Discovery
        
        PID:1948
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HXYVEEPWMKOJRFG" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\NFVFNBABWCSNBIC\service.exe" /f
        19⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1520
        
        C:\Users\Admin\AppData\Local\Temp\NFVFNBABWCSNBIC\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\NFVFNBABWCSNBIC\service.exe"
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:996
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempKLUQD.bat" "
        19⤵
        System Location Discovery: System Language Discovery
        
        PID:2020
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CYXBOESOMRDQTOH" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\VYNHAGNWMRJRFQG\service.exe" /f
        20⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2304
        
        C:\Users\Admin\AppData\Local\Temp\VYNHAGNWMRJRFQG\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VYNHAGNWMRJRFQG\service.exe"
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2716
        
        C:\Users\Admin\AppData\Local\Temp\VYNHAGNWMRJRFQG\service.exe
        
        C:\Users\Admin\AppData\Local\Temp\VYNHAGNWMRJRFQG\service.exe
        20⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1932
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        21⤵
        System Location Discovery: System Language Discovery
        
        PID:2340
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        22⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:3044
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\VYNHAGNWMRJRFQG\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\VYNHAGNWMRJRFQG\service.exe:*:Enabled:Windows Messanger" /f
        21⤵
        System Location Discovery: System Language Discovery
        
        PID:2216
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\VYNHAGNWMRJRFQG\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\VYNHAGNWMRJRFQG\service.exe:*:Enabled:Windows Messanger" /f
        22⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2868
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        21⤵
        System Location Discovery: System Language Discovery
        
        PID:2700
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        22⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2768
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f
        21⤵
        System Location Discovery: System Language Discovery
        
        PID:2692
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f
        22⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\TempCUYTP.bat

Filesize
163B

MD5
6c81cd95fa1e622550bcc9503aded9df

SHA1
2bb370eb566277968a8b4ce91e4ac4bd3cf841f7

SHA256
f737f02284d240e78b8cb7cac731e3599964d2e1cf9e249090d1121202b79133

SHA512
30522dbb6332cfb6aeba6ae5772a44bab5301a875a945d2618fa3b1740917493bcfd2e7c491dbbe238bf8ec4cee0f8bfa8ed80aea932693fea7edd144d309727

Download Submit
C:\Users\Admin\AppData\Local\TempDGHQM.bat

Filesize
163B

MD5
0a642b13e305d30ca155412d35b152af

SHA1
781496d9955791faa48807abc37e66baaf0169f5

SHA256
1da282d9ea78c8ceacef47f322ce5a859f7514d84cb168119c85ef6bc174f797

SHA512
de8b280b6b40187615fdf3ab82d65a639c3e42251508328f6559a93b0e6c4a1b9b37b156b10f38c7dd068213d3dbe2871b1ff73670f056531fa4f76648df8578

Download Submit
C:\Users\Admin\AppData\Local\TempGPCYW.bat

Filesize
163B

MD5
8d3d64087a4de4c30625e2aae52a4a59

SHA1
e2eda5fe67085dc2d6364c42ea3917580f043bbf

SHA256
3dc0265b5e3ccf15f8bbf2afd33677233eaa1eaac2f898ebc1047c991eb42e04

SHA512
8d41deea71c634930a4672e2adf2a092caf16b35ee2dd20ea2679efdda0202790d492402f388f2cf1e3561ddf9f7378673e603dd50a2eeadbfd8db0c7f1894e9

Download Submit
C:\Users\Admin\AppData\Local\TempIPTFD.bat

Filesize
163B

MD5
13c37c974a81b3bee474200cafab0cb1

SHA1
fca5969136b58f6fb5d544a7073ed304b33429ec

SHA256
72801a866cfd1ecb3df595ad44bbdc01348b040d981fb00addde95dfa28fe82b

SHA512
e9965be0d02e15219e1f6f6cce2414dac147d9eaf2fdd2d044cd6875a8bf2971981a54e59798c2e6722337cead878720b24a1516dbe7ec06f8878ec6214405cf

Download Submit
C:\Users\Admin\AppData\Local\TempKLUQD.bat

Filesize
163B

MD5
6a401fac14448a283b090176a53a6b0a

SHA1
d154a2cb98ece0bbe8a6f2d73a905132a15235a3

SHA256
25b5dfefe526d611b4e691a065a0a720f6ff92ec69dfb886fa4120c3d224818f

SHA512
4c2308e6af81edcce42193761419bf3017336aa6858191b30bc2342128273deb45486b44874813e5182715b6b7e472874db8a4d3a9343ea3dce1c94c98434887

Download Submit
C:\Users\Admin\AppData\Local\TempKWHGK.bat

Filesize
163B

MD5
2a95ba44c2086fe0819c10ad4004477b

SHA1
dfdb66480f554c5d74a172cc33a3e3bfad477b45

SHA256
f9cc54aef9f0aaeb5e1b43e1ba33da55ed22f40103e1405bb33f699677da0185

SHA512
6e82cfce263d7963cca791d7f75f14bb703c8d09084f45a5ab62b5b629b175e66871081a6e92ff903de7df3977ab9d9d8a8368c3ce146aab712edf7f6378ea3f

Download Submit
C:\Users\Admin\AppData\Local\TempLCGUL.bat

Filesize
163B

MD5
1ab2467ba93c895c7986fe7f8326d7bb

SHA1
3f42c5d73084dd99315d48690502c0ff45dd784b

SHA256
7a33d6ac864351cf23216a34f3e6f286066b08c518e1305b3e0ad4a6339d8a08

SHA512
ba2944c46068af2766c88a08bc9bee8ffefd6c59f44894c8d3502355d60dfb948acfdabecc80c8367f26acda6421a4afece402f39cc6954768b86241e67d40d0

Download Submit
C:\Users\Admin\AppData\Local\TempLIQDJ.bat

Filesize
163B

MD5
957ad5dbaa44ac91d5d250272d2a94e1

SHA1
d6c101bb30848098ab9c181fbbc422278ab6f6e3

SHA256
64b0e81a7b92bcd7830d11fd3c39e32283c4a7fb1c38688c28fa581186061582

SHA512
052d798609fb80f14c32c1ee87a9741d11fbf89a72e53e08c146031c943dbe2f450ef3c4ca6d35d9d015574eaf7a41f773418fc0c6637b3d5914e6ffd405e857

Download Submit
C:\Users\Admin\AppData\Local\TempMNWSA.bat

Filesize
163B

MD5
131210905627673c5ae571e39e8a8452

SHA1
d80a4b519768c168d712bee75aa85c9fe7571777

SHA256
8048df984bb7d8de1994f0b1785e87798ae8786c8a2ab1aad0dc4150d1b8ac81

SHA512
f6b380b90432b1f577352cc756acdde39e74ccff5b6c00e52223d7a3a4f8129cff7c5b3c9a101399ee8d518af3a72e53f85777610b3e7ef35beedb2b52771b0b

Download Submit
C:\Users\Admin\AppData\Local\TempMQLTI.bat

Filesize
163B

MD5
5d5e18098b3cf11c1c03c39e3a4f55b2

SHA1
e4abcfae36455e36bae3444131488fb3f5b4de18

SHA256
ddca790c8f551f43ee598e3d5b7502657ea2ff8cfc01342e020fedc7ceca6266

SHA512
87fe2947d348c3b2a3f1d635edc9b01604f4bac699823ec4102a7664f9f083dae09a57e26b2a5ae357b80a065941d1bcf4d862e32f83405d11dc159c2cad90e0

Download Submit
C:\Users\Admin\AppData\Local\TempNJXWI.bat

Filesize
163B

MD5
6f37bf87416de1c98fafbe87180d9d03

SHA1
fb17273119e4df1d10c79a78bd0a9872580856a1

SHA256
9de1012d1bd2cb99ed801dd9ea89da00edc61dc142c9a41626680d69d0777717

SHA512
58f51727285195df90c585a09793f500b4144bb4f19b21da2803e6eba65e08eacc002e21d72b2a7c46c91c05530f5cbb96674112c73315f11e96d7a8774e72b8

Download Submit
C:\Users\Admin\AppData\Local\TempPUGEI.bat

Filesize
163B

MD5
bd3265b33a7a2565da521c9c3a486153

SHA1
4c7164dc5142483ce424a84793f43c158053e0a4

SHA256
612043966a179f96b5ff883b465f352b6380e0cb0cece327cddd9aba34bfb6e0

SHA512
40dbcf6f63a893ccd243a58ca79df2447e7a8dec864ee394fb46b289fbf794d071ab59383e080d83918ff859bf1ae4d94bc4a27cb4d2581c94a0afa4f5988b01

Download Submit
C:\Users\Admin\AppData\Local\TempSDWWL.bat

Filesize
163B

MD5
d1373dcdb5ea981bd6b6a0eafac85c19

SHA1
b77fe0448194225c8e4548829c1153edb1f23084

SHA256
ae3ce6354d0e5f00ff3d52e8639010dd7acaa5de99c9ba01f54371cbf106aac2

SHA512
faacd05b9034fc27158a32df21905b7d9cf12aae188c006473d8476643d9d318642022b751b4ed499fffaad13b9b5b962a9cf5093df073eec133dd06308feadd

Download Submit
C:\Users\Admin\AppData\Local\TempSXDEB.bat

Filesize
163B

MD5
a53945ba40a1f1ba3a3dd3219661dcf7

SHA1
f31dd2d0a1207cd3faa495441735d4bb330dfcad

SHA256
5a15db2c39d1a5e509699f75a05dc7d02d289e9b3ca68ff3b7118e27ef1641bd

SHA512
88126ebf274fb8c8459f7018a5cefb61ca9a8ad95decf7cb2e32487bca2654bc6a7f5a5c6121c59f4f51564bb4b0743b8896c8b43fd769471007e305d60251ce

Download Submit
C:\Users\Admin\AppData\Local\TempUQYPE.bat

Filesize
163B

MD5
ba65ad51a6ea0d752a264e010d91bb07

SHA1
cc0125350670bbe8a445cc9619e733aab97f0ca9

SHA256
b98c4714bbef3d1764e48098bb3063bb4d3724831fef2571451bce68bf40c169

SHA512
935618892f9f6d1696b43493ce5005266f8f11c931e2305c01957e1f22c91b6508996d82fa24f1d27ef702bebf6138359b879aac81dfeb34335d2c19deedcc2b

Download Submit
C:\Users\Admin\AppData\Local\TempVKXIH.bat

Filesize
163B

MD5
e7792e2ee8b0db9d6aef46a16822d686

SHA1
e7c5969d2c03ac61c338a8bac6382db34bc0bb79

SHA256
4864ea3f28f4bd0b65484c0d898c44c437142ed4e264713892a777d9a6b4b08b

SHA512
f8915f8685e72ccaed95af32a760ec07cb4443f5e173e4750e5c1f1a9e12d7bc1f76c355d34caa12bce075c42b444d67241df0225e357a8c6ba8c90d0a4c5337

Download Submit
C:\Users\Admin\AppData\Local\TempVQQFO.bat

Filesize
163B

MD5
f8c5b8c01d0f3064f4e5253ed8a1ac79

SHA1
a6cef7d1a764ed399a998ea4837319e9cafeb50f

SHA256
9596e5ebc3be9558618b8471e48cd8b148e10133538dda04db7207801a1a71a0

SHA512
49d49437e216d69dff581309b125e6717ff964266b5e17d23819fa3424f43820115d090fe6484458064705b856c1681980390c11d4b7506a1fed0f6879b41d84

Download Submit
C:\Users\Admin\AppData\Local\TempXGGPL.bat

Filesize
163B

MD5
d0cc57b8aeb870248d4832941d065d6d

SHA1
380ae7f36ba203be88c88db8eeb6f23ef1fb0035

SHA256
936d0ed97ed9f38925df0d488b4d00410535652b1c64232262ac59c753a89d8b

SHA512
3ae95b0452adbdeb6285848d7c5c53cbf10d895d1d3f41b4e8b6e8d0d30a12358f203d04a887b0606006204ffac9b71f28262649ecb1567808e391493592ea9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\DLDUMIDXNOLTGMR\service.exe

Filesize
520KB

MD5
73a832874944053091c6eff632745aa8

SHA1
4a3c83f3ef9173d1d68372a3f79ee6ab762d0ca4

SHA256
fbc096286cc845039d8004fd41e97773cdb698a05eaef92c3452147587f280ff

SHA512
5dc5e2c1367ec3ab4ec37f31bda71808f951b5430e3a2f478f9d2a9a0a76ff62ea379e0af2799cca4b0d2bc794830f25b76a44e1c6558b94449a65dbee0a073f

Download Submit
C:\Users\Admin\AppData\Local\Temp\DUNTLCMFDGWSTBP\service.exe

Filesize
520KB

MD5
2e1c85227a001689225c5e70e2d8900b

SHA1
e031182f03c2f3d808f1a7f827d1b910bc01c148

SHA256
4dab29ac272f43476ad9f7759f640564a06e1d3c34c75a45a1e12c215c3fc25c

SHA512
6b01a08e1598ef8b430f02f6f74ab2516b2748b4a52a7f5939dc8cc7940f4203de24dc7c908583c3342483e7412132fca9b9319134bc9e55a0404f6b9d1dd833

Download Submit
C:\Users\Admin\AppData\Local\Temp\EMDVNJEXNOLUGMR\service.exe

Filesize
520KB

MD5
27ad6a7af0d41d6a310961fefc7269cc

SHA1
28744c7f8b55269215b02e8f5ae6184feb45fdc7

SHA256
1eb632baad30f7cd0eb695ea27ea6135f933a0969ee843f2174f28be3123fb25

SHA512
925ef7307ea2aee2b6b109c8079c3b783b9ab638402ede6df821c0184b45e33dfb10f377948337279f0648cc7153eb6053860c09023fc4e88ea02d53022da392

Download Submit
C:\Users\Admin\AppData\Local\Temp\ESORUTVHLQDBPXP\service.exe

Filesize
520KB

MD5
8aec343b23dbcd3f5184fbbff57cf52e

SHA1
675de6484eab49e93bc4423c7f1d9c647f9786cb

SHA256
e6f6038bdfaa3213e8dbac931b823064670c1449e733de89e64afbbdce1267a3

SHA512
0007b517f150fadefa6fae878966b7568e760678fb5f6b4f7ccab947101962d96d5a6f87eb34d44d82ad50402082cbdc13cdab12299a5e2d5d95aabbe2b44be3

Download Submit
C:\Users\Admin\AppData\Local\Temp\HQIETXJKHPCINAD\service.exe

Filesize
520KB

MD5
aab3ed912e2092c7acbeeb465b3d2b25

SHA1
ee3708406a319c56f4cdf37fdb039159f382dd33

SHA256
70c477cf0644a55b793faa9e48c8a193f56a608b989d29b5dabb72fa96bc358b

SHA512
8b7cd210e0b6547db3ab1fbf919da6dcb9b3496ffc0191b1b9e35a6132c2b0da4dda26717f6657aa95c645e9f9484ea77da5040349ff89d66fef8c65d1f72ca1

Download Submit
C:\Users\Admin\AppData\Local\Temp\JFTSISLKMCHVUGP\service.exe

Filesize
520KB

MD5
1668bcc6fd07cb77aa2e29971ed96302

SHA1
ff25271550af7c8d92e1bce036118919fbfe083b

SHA256
952e4da22fcee6a43b5b49a99c779b83842edcc6f426351e7c0a254d4c586785

SHA512
bac16eef1c2b681d41552e76e596dd95acb80743e0aa016594d1cf27288b104f5c585424ffe967e6b97e89507e8bd9f3d8baae397948a673c091f37b0f7ffb86

Download Submit
C:\Users\Admin\AppData\Local\Temp\RUJDCJSIOFWNBMC\service.exe

Filesize
520KB

MD5
679cd693823461ff93903d6a809fe4bd

SHA1
abff8596080edd941706acd32f96ad9954a7839f

SHA256
81097291bd0e81016580f391d6e3e3c38e13e05f9233357dead123a716c9d8e8

SHA512
f414641cc944c6e8165870d465c4b7d9d8713310818330f911368a80f37627223cd5fed2370de10dac69186ab6a1bcad8137d8e731519598e0a733850e54edf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\SKJRGFGCAHCXSFN\service.exe

Filesize
520KB

MD5
fe5d233fc0f8ad14f0ddf69e2251962b

SHA1
4eb8a6456f3072e9959049dee16200e5ae25de7c

SHA256
06d55a69a3fa1a6841b3c3b14ff404f219217e5d357325b42855be58321a6091

SHA512
b5a506eb2e6fda9db4e7b27ee06634a7854728b19f39815a9c36e22e35f9664fd2be0b836a9818a65998e105840d0b14091649a4ecbd55ddb70c66e09221dd5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\SLKSGGHCAHDYTGN\service.exe

Filesize
520KB

MD5
2ce3a6b2b1bbac0a5a1b50b5a34f1b29

SHA1
c96cbed83386224e3f900793e43cb360b9174586

SHA256
dba896e7b238674100b4d42eb762f11bee09587929996661a5f8d1730611f14a

SHA512
4f4191963b0f497869b23718ca6084a1cffa7ff9612a0acaa9ed2a54797629d45cfd12fbeef6b321700dab7b1efe65754816dae15fffe7f3cda7dd02f1affafa

Download Submit
C:\Users\Admin\AppData\Local\Temp\YRQAYMMNIGNJMTC\service.exe

Filesize
520KB

MD5
da0c027dd245688b4ffa8cfc1bc26f27

SHA1
20d9219802e29c839575fae7edd77da7bdbf423f

SHA256
8bd7ee8e57885ea4edffcebf8dea60dafa0e784446bf62d44b242a66d189c3c5

SHA512
c0e597fefd523acff32284b8dbe3d52d25f685493b03032f8770ea65ba44c4c5dfbe1a6f4ca61996111b86f529da7acc0fc1bea85526bec762b789290f582d2f

Download Submit
\Users\Admin\AppData\Local\Temp\DUNTLCMFEGWTTBP\service.exe

Filesize
520KB

MD5
e45b2bb98c50b8718d2c1f43b8a7c60b

SHA1
c07de751f52cb1678236865fc7ca54c73953f4cc

SHA256
5a192c9cc03e6adcb6f185ac7b93d164fa00193cfda42a4b883d0df139ccdc61

SHA512
4caf2b5a4c3e5647e5b4d2b626b1ec7d346c1c2b7e565b38aca4e03e15c8cd4f3159fd9d19c766e2d50fdc7a5668803e10bb9252bcaf45578eb123c0c9d822b4

Download Submit
\Users\Admin\AppData\Local\Temp\OQGAYWFPFKCTKIT\service.exe

Filesize
520KB

MD5
a401795ee8139de86f36079bdd6b2eee

SHA1
2f5e2c4457299c9937f8bfc3f061a3ed284fb217

SHA256
b99e509758be7dcbe8909623cc31cae0c2a1537649979bdd410aa5da8ea3f2cf

SHA512
a3b80ecebf457a95a620deefa245bff0220ad3856334b0db9edf51db6b9f813e8d450afeeb867999c6567158b8bb675b28650132fb88da2c088eeedba9fca135

Download Submit
\Users\Admin\AppData\Local\Temp\UOGMTFFSYQYMWNI\service.exe

Filesize
520KB

MD5
fbc1806d6766ea2cacab96f68679205a

SHA1
d0395b8ef80037cfa8f3ee519eda8c15b8931724

SHA256
db02433f5b76034e2d2252d8c3f9757738bdf491ccc16d5dcefd76f6a21b08aa

SHA512
8dd260af00c0ecce1d322f11bfed98497ead0ee83bd09ad4f1cadccfe67c328585cb910e5a0d92cdf05726695b5deb324c2c904f468e4400e2619f7ddf07ad74

Download Submit
memory/1932-505-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1932-500-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1932-506-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1932-508-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1932-509-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1932-510-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1932-512-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1932-513-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1932-516-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1932-517-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1932-518-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2304-487-0x00000000772B0000-0x00000000773AA000-memory.dmp

Filesize
1000KB

Download
memory/2304-486-0x0000000077190000-0x00000000772AF000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads