blackshades | e09e3cbed6ed86382ebf97e6f3d3ddd1ba40e892cda2340765c1d90c4aec7d49

Analysis

max time kernel
147s
max time network
145s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
08/03/2025, 23:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e09e3cbed6ed86382ebf97e6f3d3ddd1ba40e892cda2340765c1d90c4aec7d49.exe
Size

520KB
MD5

481090609ca307c7630403cdebdf988a
SHA1

7476081b41b122a1ef39bd7b0ea7c41259df8c9c
SHA256

e09e3cbed6ed86382ebf97e6f3d3ddd1ba40e892cda2340765c1d90c4aec7d49
SHA512

e4d4ba737881a6deaf6f92af13c6a018880e434c8eed7e4095257895f142658d103ef20d33b7cefa0a92605f87150ead8b1f40bbfd53a59fd2d76e93796d5fd6
SSDEEP

12288:zW6n3sX4yCFr2ZemYOpSPIsGWeKZl4q7sioXg:zW6ncoyqOp6IsTl/mXg

Score

10^/10

blackshades defense_evasion discovery persistence rat

Malware Config

Signatures

Blackshades
Blackshades is a remote access trojan with various capabilities.
rat blackshades
Blackshades family
blackshades

Blackshades payload 9 IoCs

resource	yara_rule
behavioral1/memory/1576-546-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/1576-551-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/1576-552-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/1576-554-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/1576-555-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/1576-556-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/1576-558-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/1576-559-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/1576-564-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades

Modifies firewall policy service 3 TTPs 8 IoCs

defense_evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\service.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\KNYDVTCWLBHPGFQ\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\KNYDVTCWLBHPGFQ\\service.exe:*:Enabled:Windows Messanger"	reg.exe

Executes dropped EXE 21 IoCs

pid	Process
2824	service.exe
2604	service.exe
340	service.exe
2008	service.exe
2212	service.exe
1816	service.exe
2456	service.exe
2996	service.exe
2028	service.exe
2788	service.exe
752	service.exe
1164	service.exe
2024	service.exe
1276	service.exe
1304	service.exe
2344	service.exe
2980	service.exe
2760	service.exe
2028	service.exe
1444	service.exe
1576	service.exe

Loads dropped DLL 41 IoCs

pid	Process
2384	e09e3cbed6ed86382ebf97e6f3d3ddd1ba40e892cda2340765c1d90c4aec7d49.exe
2384	e09e3cbed6ed86382ebf97e6f3d3ddd1ba40e892cda2340765c1d90c4aec7d49.exe
2824	service.exe
2824	service.exe
2604	service.exe
2604	service.exe
340	service.exe
340	service.exe
2008	service.exe
2008	service.exe
2212	service.exe
2212	service.exe
1816	service.exe
1816	service.exe
2456	service.exe
2456	service.exe
2996	service.exe
2996	service.exe
2028	service.exe
2028	service.exe
2788	service.exe
2788	service.exe
752	service.exe
752	service.exe
1164	service.exe
1164	service.exe
2024	service.exe
2024	service.exe
1276	service.exe
1276	service.exe
1304	service.exe
1304	service.exe
2344	service.exe
2344	service.exe
2980	service.exe
2980	service.exe
2760	service.exe
2760	service.exe
2028	service.exe
2028	service.exe
1444	service.exe

Adds Run key to start application 2 TTPs 20 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\EDOLKOBFBPVNEEG = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ILXWAYTRAYTJXFN\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\UCPPBJASKGBRKLU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\OHWGOCBDXDUOCJE\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\ACFQRNLNDQYHSXI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BJASKGBUKLJRDJO\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\DQGUQOTFSVQJMNW = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DLCUMIDWMNKTFLQ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\EJYAXLMIGIYLTCN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VPINUGGAUBRNXOJ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\DXTOCXJYDIYWFQX = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DRNPTRUFKPCOWOB\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\YDNLKOBFBPVNDDF = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IKWWAXSRXTJWENE\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\SJTPKTEUETURBMS = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MIWULVONPBFKYXJ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\JOTABGDSSFHCACX = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YFXHTTUPOUQGTBK\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\DBFAITVQOQGUCKB = "C:\\Users\\Admin\\AppData\\Local\\Temp\\EMEVNJEYOPMUGNR\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\DNTLCCEFTBPOAJA = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DRMPTRUFKPCOWNB\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\MRNBNWBTYTPQDIP = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WPOWKKLGELHXKRA\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\OQCGLYKSKTPKUFV = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YQPAXMLMHGMIYLT\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\GOFXPLGWPBQAPQN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IETYRHRLJMYBHUU\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\TTGIDBDYTHOJNKV = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IWSAVYWKPUBBHAE\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\CNKJNAEAOUMDCFA = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HKWVWSQXSIVDMDX\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\TYUIUGEIWXKPWXI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WCVFRRSNLSODRYH\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\NMQDHDBRXPGGIDA = "C:\\Users\\Admin\\AppData\\Local\\Temp\\KNYDVTCWLBHPGFQ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\GKYHHTPNRMUIKCJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QJYIQEDFAFAVQEL\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\CXTOBXJYDIYWFQX = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DRNPTRUFKPCOWNB\\service.exe"	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e09e3cbed6ed86382ebf97e6f3d3ddd1ba40e892cda2340765c1d90c4aec7d49.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
752	reg.exe
276	reg.exe
2620	reg.exe
1136	reg.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

description	pid	Process
Token: 1	1576	service.exe
Token: SeCreateTokenPrivilege	1576	service.exe
Token: SeAssignPrimaryTokenPrivilege	1576	service.exe
Token: SeLockMemoryPrivilege	1576	service.exe
Token: SeIncreaseQuotaPrivilege	1576	service.exe
Token: SeMachineAccountPrivilege	1576	service.exe
Token: SeTcbPrivilege	1576	service.exe
Token: SeSecurityPrivilege	1576	service.exe
Token: SeTakeOwnershipPrivilege	1576	service.exe
Token: SeLoadDriverPrivilege	1576	service.exe
Token: SeSystemProfilePrivilege	1576	service.exe
Token: SeSystemtimePrivilege	1576	service.exe
Token: SeProfSingleProcessPrivilege	1576	service.exe
Token: SeIncBasePriorityPrivilege	1576	service.exe
Token: SeCreatePagefilePrivilege	1576	service.exe
Token: SeCreatePermanentPrivilege	1576	service.exe
Token: SeBackupPrivilege	1576	service.exe
Token: SeRestorePrivilege	1576	service.exe
Token: SeShutdownPrivilege	1576	service.exe
Token: SeDebugPrivilege	1576	service.exe
Token: SeAuditPrivilege	1576	service.exe
Token: SeSystemEnvironmentPrivilege	1576	service.exe
Token: SeChangeNotifyPrivilege	1576	service.exe
Token: SeRemoteShutdownPrivilege	1576	service.exe
Token: SeUndockPrivilege	1576	service.exe
Token: SeSyncAgentPrivilege	1576	service.exe
Token: SeEnableDelegationPrivilege	1576	service.exe
Token: SeManageVolumePrivilege	1576	service.exe
Token: SeImpersonatePrivilege	1576	service.exe
Token: SeCreateGlobalPrivilege	1576	service.exe
Token: 31	1576	service.exe
Token: 32	1576	service.exe
Token: 33	1576	service.exe
Token: 34	1576	service.exe
Token: 35	1576	service.exe

Suspicious use of SetWindowsHookEx 24 IoCs

pid	Process
2384	e09e3cbed6ed86382ebf97e6f3d3ddd1ba40e892cda2340765c1d90c4aec7d49.exe
2824	service.exe
2604	service.exe
340	service.exe
2008	service.exe
2212	service.exe
1816	service.exe
2456	service.exe
2996	service.exe
2028	service.exe
2788	service.exe
752	service.exe
1164	service.exe
2024	service.exe
1276	service.exe
1304	service.exe
2344	service.exe
2980	service.exe
2760	service.exe
2028	service.exe
1444	service.exe
1576	service.exe
1576	service.exe
1576	service.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2384 wrote to memory of 2420	2384	e09e3cbed6ed86382ebf97e6f3d3ddd1ba40e892cda2340765c1d90c4aec7d49.exe	30
PID 2384 wrote to memory of 2420	2384	e09e3cbed6ed86382ebf97e6f3d3ddd1ba40e892cda2340765c1d90c4aec7d49.exe	30
PID 2384 wrote to memory of 2420	2384	e09e3cbed6ed86382ebf97e6f3d3ddd1ba40e892cda2340765c1d90c4aec7d49.exe	30
PID 2384 wrote to memory of 2420	2384	e09e3cbed6ed86382ebf97e6f3d3ddd1ba40e892cda2340765c1d90c4aec7d49.exe	30
PID 2420 wrote to memory of 568	2420	cmd.exe	32
PID 2420 wrote to memory of 568	2420	cmd.exe	32
PID 2420 wrote to memory of 568	2420	cmd.exe	32
PID 2420 wrote to memory of 568	2420	cmd.exe	32
PID 2384 wrote to memory of 2824	2384	e09e3cbed6ed86382ebf97e6f3d3ddd1ba40e892cda2340765c1d90c4aec7d49.exe	33
PID 2384 wrote to memory of 2824	2384	e09e3cbed6ed86382ebf97e6f3d3ddd1ba40e892cda2340765c1d90c4aec7d49.exe	33
PID 2384 wrote to memory of 2824	2384	e09e3cbed6ed86382ebf97e6f3d3ddd1ba40e892cda2340765c1d90c4aec7d49.exe	33
PID 2384 wrote to memory of 2824	2384	e09e3cbed6ed86382ebf97e6f3d3ddd1ba40e892cda2340765c1d90c4aec7d49.exe	33
PID 2824 wrote to memory of 2632	2824	service.exe	34
PID 2824 wrote to memory of 2632	2824	service.exe	34
PID 2824 wrote to memory of 2632	2824	service.exe	34
PID 2824 wrote to memory of 2632	2824	service.exe	34
PID 2632 wrote to memory of 2788	2632	cmd.exe	36
PID 2632 wrote to memory of 2788	2632	cmd.exe	36
PID 2632 wrote to memory of 2788	2632	cmd.exe	36
PID 2632 wrote to memory of 2788	2632	cmd.exe	36
PID 2824 wrote to memory of 2604	2824	service.exe	37
PID 2824 wrote to memory of 2604	2824	service.exe	37
PID 2824 wrote to memory of 2604	2824	service.exe	37
PID 2824 wrote to memory of 2604	2824	service.exe	37
PID 2604 wrote to memory of 2020	2604	service.exe	38
PID 2604 wrote to memory of 2020	2604	service.exe	38
PID 2604 wrote to memory of 2020	2604	service.exe	38
PID 2604 wrote to memory of 2020	2604	service.exe	38
PID 2020 wrote to memory of 1444	2020	cmd.exe	40
PID 2020 wrote to memory of 1444	2020	cmd.exe	40
PID 2020 wrote to memory of 1444	2020	cmd.exe	40
PID 2020 wrote to memory of 1444	2020	cmd.exe	40
PID 2604 wrote to memory of 340	2604	service.exe	41
PID 2604 wrote to memory of 340	2604	service.exe	41
PID 2604 wrote to memory of 340	2604	service.exe	41
PID 2604 wrote to memory of 340	2604	service.exe	41
PID 340 wrote to memory of 1232	340	service.exe	42
PID 340 wrote to memory of 1232	340	service.exe	42
PID 340 wrote to memory of 1232	340	service.exe	42
PID 340 wrote to memory of 1232	340	service.exe	42
PID 1232 wrote to memory of 836	1232	cmd.exe	44
PID 1232 wrote to memory of 836	1232	cmd.exe	44
PID 1232 wrote to memory of 836	1232	cmd.exe	44
PID 1232 wrote to memory of 836	1232	cmd.exe	44
PID 340 wrote to memory of 2008	340	service.exe	45
PID 340 wrote to memory of 2008	340	service.exe	45
PID 340 wrote to memory of 2008	340	service.exe	45
PID 340 wrote to memory of 2008	340	service.exe	45
PID 2008 wrote to memory of 2188	2008	service.exe	46
PID 2008 wrote to memory of 2188	2008	service.exe	46
PID 2008 wrote to memory of 2188	2008	service.exe	46
PID 2008 wrote to memory of 2188	2008	service.exe	46
PID 2188 wrote to memory of 2436	2188	cmd.exe	48
PID 2188 wrote to memory of 2436	2188	cmd.exe	48
PID 2188 wrote to memory of 2436	2188	cmd.exe	48
PID 2188 wrote to memory of 2436	2188	cmd.exe	48
PID 2008 wrote to memory of 2212	2008	service.exe	49
PID 2008 wrote to memory of 2212	2008	service.exe	49
PID 2008 wrote to memory of 2212	2008	service.exe	49
PID 2008 wrote to memory of 2212	2008	service.exe	49
PID 2212 wrote to memory of 540	2212	service.exe	51
PID 2212 wrote to memory of 540	2212	service.exe	51
PID 2212 wrote to memory of 540	2212	service.exe	51
PID 2212 wrote to memory of 540	2212	service.exe	51

C:\Users\Admin\AppData\Local\Temp\e09e3cbed6ed86382ebf97e6f3d3ddd1ba40e892cda2340765c1d90c4aec7d49.exe
"C:\Users\Admin\AppData\Local\Temp\e09e3cbed6ed86382ebf97e6f3d3ddd1ba40e892cda2340765c1d90c4aec7d49.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2384
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\TempSAFDR.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2420
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DQGUQOTFSVQJMNW" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DLCUMIDWMNKTFLQ\service.exe" /f
    3⤵
    - Adds Run key to start application
    PID:568
- C:\Users\Admin\AppData\Local\Temp\DLCUMIDWMNKTFLQ\service.exe
  "C:\Users\Admin\AppData\Local\Temp\DLCUMIDWMNKTFLQ\service.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2824
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\TempSGNIM.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2632
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "JOTABGDSSFHCACX" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YFXHTTUPOUQGTBK\service.exe" /f
      4⤵
      Adds Run key to start application
      PID:2788
- - C:\Users\Admin\AppData\Local\Temp\YFXHTTUPOUQGTBK\service.exe
    "C:\Users\Admin\AppData\Local\Temp\YFXHTTUPOUQGTBK\service.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2604
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\TempSDPAX.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2020
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "EJYAXLMIGIYLTCN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\VPINUGGAUBRNXOJ\service.exe" /f
        5⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1444
  - - C:\Users\Admin\AppData\Local\Temp\VPINUGGAUBRNXOJ\service.exe
      "C:\Users\Admin\AppData\Local\Temp\VPINUGGAUBRNXOJ\service.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:340
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempWLXIH.bat" "
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1232
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DBFAITVQOQGUCKB" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EMEVNJEYOPMUGNR\service.exe" /f
        6⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:836
    - - C:\Users\Admin\AppData\Local\Temp\EMEVNJEYOPMUGNR\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\EMEVNJEYOPMUGNR\service.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2008
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempJSOWN.bat" "
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2188
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "GKYHHTPNRMUIKCJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\QJYIQEDFAFAVQEL\service.exe" /f
        7⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2436
      - C:\Users\Admin\AppData\Local\Temp\QJYIQEDFAFAVQEL\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\QJYIQEDFAFAVQEL\service.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2212
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempNLPKS.bat" "
        7⤵
        
        PID:540
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CXTOBXJYDIYWFQX" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DRNPTRUFKPCOWNB\service.exe" /f
        8⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:948
        
        C:\Users\Admin\AppData\Local\Temp\DRNPTRUFKPCOWNB\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DRNPTRUFKPCOWNB\service.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1816
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempESYKG.bat" "
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1500
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DNTLCCEFTBPOAJA" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DRMPTRUFKPCOWNB\service.exe" /f
        9⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1488
        
        C:\Users\Admin\AppData\Local\Temp\DRMPTRUFKPCOWNB\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DRMPTRUFKPCOWNB\service.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2456
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempNLPKS.bat" "
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:3024
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DXTOCXJYDIYWFQX" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DRNPTRUFKPCOWOB\service.exe" /f
        10⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:996
        
        C:\Users\Admin\AppData\Local\Temp\DRNPTRUFKPCOWOB\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DRNPTRUFKPCOWOB\service.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2996
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempAHVDR.bat" "
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2536
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "YDNLKOBFBPVNDDF" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IKWWAXSRXTJWENE\service.exe" /f
        11⤵
        Adds Run key to start application
        
        PID:2424
        
        C:\Users\Admin\AppData\Local\Temp\IKWWAXSRXTJWENE\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\IKWWAXSRXTJWENE\service.exe"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2028
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempQYBUU.bat" "
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2880
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MRNBNWBTYTPQDIP" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WPOWKKLGELHXKRA\service.exe" /f
        12⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2644
        
        C:\Users\Admin\AppData\Local\Temp\WPOWKKLGELHXKRA\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WPOWKKLGELHXKRA\service.exe"
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2788
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempAEUVS.bat" "
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:2688
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OQCGLYKSKTPKUFV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YQPAXMLMHGMIYLT\service.exe" /f
        13⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1640
        
        C:\Users\Admin\AppData\Local\Temp\YQPAXMLMHGMIYLT\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\YQPAXMLMHGMIYLT\service.exe"
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:752
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempBHVDR.bat" "
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:2044
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "EDOLKOBFBPVNEEG" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ILXWAYTRAYTJXFN\service.exe" /f
        14⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2504
        
        C:\Users\Admin\AppData\Local\Temp\ILXWAYTRAYTJXFN\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ILXWAYTRAYTJXFN\service.exe"
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1164
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempACQLL.bat" "
        14⤵
        System Location Discovery: System Language Discovery
        
        PID:1236
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TYUIUGEIWXKPWXI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WCVFRRSNLSODRYH\service.exe" /f
        15⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1708
        
        C:\Users\Admin\AppData\Local\Temp\WCVFRRSNLSODRYH\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WCVFRRSNLSODRYH\service.exe"
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2024
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempWIOTF.bat" "
        15⤵
        System Location Discovery: System Language Discovery
        
        PID:2588
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "GOFXPLGWPBQAPQN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IETYRHRLJMYBHUU\service.exe" /f
        16⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1892
        
        C:\Users\Admin\AppData\Local\Temp\IETYRHRLJMYBHUU\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\IETYRHRLJMYBHUU\service.exe"
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1276
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempXKLIR.bat" "
        16⤵
        System Location Discovery: System Language Discovery
        
        PID:2212
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "UCPPBJASKGBRKLU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\OHWGOCBDXDUOCJE\service.exe" /f
        17⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1332
        
        C:\Users\Admin\AppData\Local\Temp\OHWGOCBDXDUOCJE\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\OHWGOCBDXDUOCJE\service.exe"
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1304
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempSQUPX.bat" "
        17⤵
        System Location Discovery: System Language Discovery
        
        PID:2060
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TTGIDBDYTHOJNKV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IWSAVYWKPUBBHAE\service.exe" /f
        18⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1612
        
        C:\Users\Admin\AppData\Local\Temp\IWSAVYWKPUBBHAE\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\IWSAVYWKPUBBHAE\service.exe"
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2344
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempGUCQP.bat" "
        18⤵
        System Location Discovery: System Language Discovery
        
        PID:2376
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CNKJNAEAOUMDCFA" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HKWVWSQXSIVDMDX\service.exe" /f
        19⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1944
        
        C:\Users\Admin\AppData\Local\Temp\HKWVWSQXSIVDMDX\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\HKWVWSQXSIVDMDX\service.exe"
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2980
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempXJHLG.bat" "
        19⤵
        System Location Discovery: System Language Discovery
        
        PID:2580
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SJTPKTEUETURBMS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MIWULVONPBFKYXJ\service.exe" /f
        20⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2124
        
        C:\Users\Admin\AppData\Local\Temp\MIWULVONPBFKYXJ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MIWULVONPBFKYXJ\service.exe"
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2760
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempUFEIV.bat" "
        20⤵
        System Location Discovery: System Language Discovery
        
        PID:2944
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "ACFQRNLNDQYHSXI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BJASKGBUKLJRDJO\service.exe" /f
        21⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2784
        
        C:\Users\Admin\AppData\Local\Temp\BJASKGBUKLJRDJO\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BJASKGBUKLJRDJO\service.exe"
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2028
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempKXFTS.bat" "
        21⤵
        System Location Discovery: System Language Discovery
        
        PID:1640
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NMQDHDBRXPGGIDA" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KNYDVTCWLBHPGFQ\service.exe" /f
        22⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2576
        
        C:\Users\Admin\AppData\Local\Temp\KNYDVTCWLBHPGFQ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KNYDVTCWLBHPGFQ\service.exe"
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1444
        
        C:\Users\Admin\AppData\Local\Temp\KNYDVTCWLBHPGFQ\service.exe
        
        C:\Users\Admin\AppData\Local\Temp\KNYDVTCWLBHPGFQ\service.exe
        22⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1576
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        23⤵
        System Location Discovery: System Language Discovery
        
        PID:2896
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        24⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:276
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\KNYDVTCWLBHPGFQ\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KNYDVTCWLBHPGFQ\service.exe:*:Enabled:Windows Messanger" /f
        23⤵
        System Location Discovery: System Language Discovery
        
        PID:1116
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\KNYDVTCWLBHPGFQ\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KNYDVTCWLBHPGFQ\service.exe:*:Enabled:Windows Messanger" /f
        24⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2620
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        23⤵
        System Location Discovery: System Language Discovery
        
        PID:2068
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        24⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:752
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f
        23⤵
        System Location Discovery: System Language Discovery
        
        PID:2044
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f
        24⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\TempACQLL.bat

Filesize
163B

MD5
e914726db013849135a3df270ea01fe1

SHA1
f7ed91af109707b20d461db51899f12a08493601

SHA256
001c411f3a5a19e9475e3cb644d4f0a905c57a27aad76c26a204436e269c8e2c

SHA512
541ffd82cbe7796b307f0aea75f6ed52c4e6bcc85e562cd2cbb91cc8b6ab5fb2edcdceae98e86d68dab110f55984c94dedfe0524ca5babaffd01f54262d8f889

Download Submit
C:\Users\Admin\AppData\Local\TempAEUVS.bat

Filesize
163B

MD5
9b8950a8d2bc44b20c8555984b0fee86

SHA1
5b90fc89e089f39f4f46195eb7395e9924eb7289

SHA256
1664f35e7f04db5ca4158768ea6fe08e153f32b2320d3ff54864351e30fa99fd

SHA512
0254a17c49b2b010018972df13bd67aedbc0355332fb1f91dc9dd6e6a33f94d3ac1facb2eab0ad177987c2f326fa523358ffe448dfaef0b2de2f0870093f07ca

Download Submit
C:\Users\Admin\AppData\Local\TempAHVDR.bat

Filesize
163B

MD5
b322b260bc7c43ddb07a39c989a405db

SHA1
de69c53a1e9258e7e1bcdd0507556094bce84765

SHA256
24c0c16d249f7d34a6b0c43b6a4788ec6ecb5182cfdc7c4c59784393411f6e7f

SHA512
a4704ea88b9e0a96f0c6863e834af7daa01279ed541228721f137bbed5f59c415eca7c11fe6ce97d22ee18b2ab49f477337aed7ff6ed5897aa214b6afaba72ea

Download Submit
C:\Users\Admin\AppData\Local\TempBHVDR.bat

Filesize
163B

MD5
b8382e28e36c2f79e4c6aabc88e01934

SHA1
4e0d6b24e341d2c38e2043978ff08d6a962a765f

SHA256
4aaf2c1c77ad5f3e02e53ac5a383d88f2a933e530dee51dc72c7d0a18f321129

SHA512
d5179a9bbd4a238041217dc5a41a28420026424357e30f9e5c553e90ca230a29779185d9679224d8919a6b59edaa181b2f10ac582323f9f5e6aae9583a5dbb65

Download Submit
C:\Users\Admin\AppData\Local\TempESYKG.bat

Filesize
163B

MD5
cf19074d3946734560f4b830120b1980

SHA1
afe4272b7e414b84e4c48cc84094a4689110f999

SHA256
ffb98d0b4bfb3d89942ac3d8bead9f59cd323947a0da72323e5bfc6891e604ec

SHA512
8f2ce9819c08fdfe637f832104af54802b71dac5ec185113e285298ccaf123d934ddf84ee7ffa3829253056ec7ed68bb0957d5971be260eb6007540b98838fc8

Download Submit
C:\Users\Admin\AppData\Local\TempGUCQP.bat

Filesize
163B

MD5
a05bc5c948181b8882b7b95448172f1e

SHA1
9dcd6a7078ad15bd61db8a84bbf43688fb27742b

SHA256
42691c7bac5d448be2e134d9011b898323a2329d4bae67b70058574e0563b226

SHA512
24d9d2f4ad6f7b0c5707928055102c4219220aa55df2cd05340728fdb09121e74ea9a5a3ad10c9deb1cbf1d134f2a6f73bf904111318d0ca1aec583d3680880a

Download Submit
C:\Users\Admin\AppData\Local\TempJSOWN.bat

Filesize
163B

MD5
d39cccc913240baa6efa209416c54650

SHA1
a80a7efbabf2efeb182cf64e9f19153c475cf2b1

SHA256
305e94792baf3df0a537a78527dd659f5359f28291242e09928d6c78f916f545

SHA512
c951547be1a48011283fa7bfcb0dbadc01e21b377b1fd1fab96f61c4ef692544fcbfa87f5d981221e6a8c7e2520dc87ba269c8cd8532e833df6d5a5df047f5c5

Download Submit
C:\Users\Admin\AppData\Local\TempKXFTS.bat

Filesize
163B

MD5
85842b09d2dea6667cbd548ebd2c2f39

SHA1
4a6bbfb6ada10a281cd14a93715cbd68fecf37b8

SHA256
6fdf41a5560410dbc0042c77162b6bd350cd664aaa17d4aee2f5017612c939ba

SHA512
d9ed6d2d98c9fd790028e4aa53df353d7c0feacef9b867598b2f989f3ca4cefae3503e0d0d23a1b44d56c781150a1582ca722a470f2c6eefd2b6b17105aebd88

Download Submit
C:\Users\Admin\AppData\Local\TempNLPKS.bat

Filesize
163B

MD5
ff1096bdb764d5e5ffa3853c6f8d10fd

SHA1
d7563e6018e800da0f64153cfe8e2e08f19abc36

SHA256
552658e30429ce40cd19d44609910307c5fdffb2b508ec40f15f87c1fe013e6a

SHA512
8249d1ed3d93707c76efe96a1a9e894ac806673f19e5f68112f7cfc1f555c3c3e6f2ee7bd726e6b857b15e8a571cb65d5de0f580530324de2cf7cf8fcce386d7

Download Submit
C:\Users\Admin\AppData\Local\TempNLPKS.bat

Filesize
163B

MD5
3d8d60c4d48e5cea304780e7de64b91d

SHA1
71bbda9893833549aacd60c69b9c102d16500cbe

SHA256
b33ee359035ad5092c99a826c6bfae75e74c95f1eb6edde6b69f1057a35cdd62

SHA512
3e91aa7fe8832f7a9c92f64c60a56d3ece677650e35158c9d1a805067b2a9c5d33539eb1105c1149cdb998f2416c0633eb4ad55e14490a4df12e6daef01ea1a3

Download Submit
C:\Users\Admin\AppData\Local\TempQYBUU.bat

Filesize
163B

MD5
e2fde989efdfa9c12af7ee59baa74dfd

SHA1
496290188649323aeb029f1cf8f70cae43d00d99

SHA256
f31507d060c2098a8887e1d7b0fd0027d7c1377c0619d70c81536feb4f0344b2

SHA512
6e49925b5f00549760fdedebc04f53716c4943d0d1d0f303ef771a061767b8cda3e6226f564e8641433fac63d7cf33b598615f31c5059779093239d4351fe282

Download Submit
C:\Users\Admin\AppData\Local\TempSAFDR.bat

Filesize
163B

MD5
c541ca326e9cab14239fa381d2add0c1

SHA1
e4327cbc1daa11a505e095a583a276100d1f88e0

SHA256
570a3efb6c12a7a2465549e466754bf40a6f15ac8e4e8dd39d5ddd19d7e3b0ca

SHA512
214b9b135eff188df2c1a60277ca46575bda48642069126b6318dd27cfd28274b4631bc2e87f727520f7123be19a5e03391935be5e6e2fe84243e975df20d4cc

Download Submit
C:\Users\Admin\AppData\Local\TempSDPAX.bat

Filesize
163B

MD5
8844eeb126afca7fa25f6f14477b1a72

SHA1
072ffd238a85c812a89a89a92a6fb96687ba837d

SHA256
7d3ef7b49800d1008c33d74501dbedfbefb92de774f2c5a3d7980f401b6c9eef

SHA512
9916ecf047f120dbb20877aa2f889b6453b306643a0e4e9634696d897338eaf63b6e11959f06992b3a5208c5daf84589e7f14daf35f668fd5d8cb545d887b58b

Download Submit
C:\Users\Admin\AppData\Local\TempSGNIM.bat

Filesize
163B

MD5
c7e6cfe4c4dab03ab6a54ac46e1efca8

SHA1
2d481e8da8f75b4631227922ac95cfee543c14f6

SHA256
b4e3f4b47b9ca54f8f5c46b04160c59fc6dc9eda3cc4ca82e63d69553d89459c

SHA512
634f9120980313a0a67f88d4806b07339f9472b350db202ecfbbe345fbd724c41efdb3aba14787f6d8fc7ab95cb7cdfe6a9952ca7821e98c73a7d7b74c3941fb

Download Submit
C:\Users\Admin\AppData\Local\TempSQUPX.bat

Filesize
163B

MD5
233641eac719ddd5cf2761f64e75aad9

SHA1
0d8aca9fdc3454d7137cf3f603b645aa4bc286ee

SHA256
3c9d793f5675ba25e754d1cb5a56811cccb610d16d58181d10e2deedab4e5c03

SHA512
9bbe40aec69451757fd6a04884b6df2defeb2319d265030a4da7f50bb45063f7ad2a86c048466cb59b0f0deb715b31cf1a9f89dc7d171d93412a1b298ea7b8a3

Download Submit
C:\Users\Admin\AppData\Local\TempUFEIV.bat

Filesize
163B

MD5
87e6dda0e31203e87c351d11011a0020

SHA1
876ecf8c33da30448557a82401f32f1bd56fec7d

SHA256
4abcf181eaceb32b5111d062d95f4fa9893f37a5be5caa03caf42d5bc1c2e1ff

SHA512
d53f49e1d0ee687bffb9f29bffc36ec242e31665daf1ddff836d1f41ad49216b0876d65e9a6133da5d2c4fcdf6ce4d357b480b9d99ae098b1822e6bcb0bdd206

Download Submit
C:\Users\Admin\AppData\Local\TempWIOTF.bat

Filesize
163B

MD5
fdce57b6b98e201e03df95e0ad110d92

SHA1
20d68760a99ba37d163926c3ab2e0695e8fbe592

SHA256
c4ec711aea998303f686d537c3318c6214b9761b2c9ac39cf43e98ee4c24da8f

SHA512
bf0cf7db9e0a9c23cf9492408f993a18c13804074e318e348677c92133948280ae274e4012209b744fe1c449b4a84d8c85ff266f643640dc953652e224163eb4

Download Submit
C:\Users\Admin\AppData\Local\TempWLXIH.bat

Filesize
163B

MD5
9e6a09d1b6789e118c5221700b64948b

SHA1
29602221dbaae443b3d986d775f17f4ad4c48d46

SHA256
d27cb363bcf91dc7e2665ad18be66222c4118112f72ac1803755adcc941b2725

SHA512
0a12facd0d1de1664f345a19af20632837763ef7e6b4760cb0ea7b08c95690c9eff85b2839c669303f27564b1a27ef06ebed8d4290ac7c56b2c7d30abb0802a9

Download Submit
C:\Users\Admin\AppData\Local\TempXJHLG.bat

Filesize
163B

MD5
7625fe0e989a8bb599d145b6483418dc

SHA1
20a35acebe2f17ef4c51bea383e7a64647742307

SHA256
2a834cf9b1b3b911f5066bb0a235cb39932c91fc755247925653434158af2e05

SHA512
a6a2f26ace1143252fb85611c5916fe570dfd305295e69db80607aad58e2405b63bb3bcf4f2bfc487da40a418042c543e172926ecd6cb5538171019e2dc2447e

Download Submit
C:\Users\Admin\AppData\Local\TempXKLIR.bat

Filesize
163B

MD5
d809c53a4dd225a669f8fabff704fa04

SHA1
62a666433aece79e30f34ab35b5ad4a98dc5ef89

SHA256
e6116444e247226193adc0cdc220015a1ff36c8b07a435e72e48fc7e7cd27842

SHA512
e64e2a0084422d2d7f2fb35db9c42a01d40ce8934c37b8b8f0aa239f7e2846cbe78c6c34bb5a463b0b15f82c9f6a5e6e39abeaf45efd02c35c27c6caed2b8d27

Download Submit
C:\Users\Admin\AppData\Local\Temp\DLCUMIDWMNKTFLQ\service.exe

Filesize
520KB

MD5
b711b37fe1827d094f49245996fb6586

SHA1
f18cce62ba76149d0212f74818cba48753a8cabf

SHA256
91ab007af9df49861eb0b67a580eaad8d44c768260621a8652b1bbf2b1fa88bf

SHA512
9c4afedc3a8ba4972bfdcbbdab53cf7ab50a62dfeeea32c43544a3a86e57081dc2671ee861a8f946cc7e615fcafe7eb87c7548289f376867e61aef9fdef0efa6

Download Submit
\Users\Admin\AppData\Local\Temp\DRMPTRUFKPCOWNB\service.exe

Filesize
520KB

MD5
53e43faf440a57ec7e2c5cd816f67e0b

SHA1
9c2aed4715aa3090eb9ddec13ae5167878fe673f

SHA256
8aeede5f2a1020457d2ae26aa7666061c143483fa24b0d160b6ce187adf83d87

SHA512
39d9a2ea41f3c01f71485607370ba6f1dd2ffb50140176a35ffa2b7fef39a8e91791980b891f0684dc4586f1897318a7b39012b83d67ad046ab59f3ccf611d9e

Download Submit
\Users\Admin\AppData\Local\Temp\DRNPTRUFKPCOWNB\service.exe

Filesize
520KB

MD5
d1c03e0a4148395cf59bc81e793a3b63

SHA1
36b74528726c5170102a7617f89923d7f815a373

SHA256
5bdc61d57307fed50ac097dc45f78f4acacc0bbca00f6e0c99aa5344d508ae6a

SHA512
9e1c5a399a12b97b32c710bf90748d7b889f9ddd6cf5ab54696e46513ffdeb8b8bb4d7c725ac6c16b2654bef445323ad997a36191bdbca3e8b9ad4c2e9d21b80

Download Submit
\Users\Admin\AppData\Local\Temp\DRNPTRUFKPCOWOB\service.exe

Filesize
520KB

MD5
d6a6795605aff8bbcaeda4a1dafd0314

SHA1
9f482f6fb143920d9493b86d20cdbb72793d260e

SHA256
d0b70b313f2ef600c0e4a72637fe3c7e2a3a18ba9a337fd41608e15e9c85e71d

SHA512
8090527a05e1700e800591ec97f7e479d2a420fe4e5f7425a630ed6e15b4eca12b818fade6e034963135fba7442631d834de9994329e10aafa350261bea7564f

Download Submit
\Users\Admin\AppData\Local\Temp\EMEVNJEYOPMUGNR\service.exe

Filesize
520KB

MD5
f5d293580fd8f57ca5b931c6d0915aa1

SHA1
f8aee0b6910026c576c3cf75688b4a1b40e9ec99

SHA256
ae487d212c4c6de9f33ecf6dc3f90ba3e67d2cad0848839a737b8d11e964fa95

SHA512
5544a8918033402c606eb4bb6fcae6436dbf86112a8478e29133560eae53e922d38785ed6c0b19855005481a648466887307db25dbb9bc23802bd3e3f3913642

Download Submit
\Users\Admin\AppData\Local\Temp\IKWWAXSRXTJWENE\service.exe

Filesize
520KB

MD5
d5d174bfe80168a990e14bc3a2fa9073

SHA1
6db5b8e9e7827f8dc6a8836f0ff96dc707215920

SHA256
9eab405103bb56061d78784680b0e55ef3611c5975d05745c43a8559d3eff311

SHA512
978698aa765457d040b47ae0c320dcbcc2f65fe7f380822c9a77ea8487cc04d89acce7747f3855a14f4ea8c82945feb0d41f7810f7660080123470b8230fd220

Download Submit
\Users\Admin\AppData\Local\Temp\ILXWAYTRAYTJXFN\service.exe

Filesize
520KB

MD5
11b1e9a6fc566d31850400087536a27c

SHA1
5d12db7bbc9865ca32e54e3ae9432a9a33d4acf3

SHA256
b4b3517031bbb90afdacc36de850820668e242e88ca6fefea963f64ac0d08b23

SHA512
878f39c108c30dfaae3c65dfa1a92a97e44fe1ffa88931b5cacb360f69f6e7e8d5bf0a77a4a4e32665bd12a5dfa68da9ebd9dc4516aeb0d0bf422d8c3155f041

Download Submit
\Users\Admin\AppData\Local\Temp\QJYIQEDFAFAVQEL\service.exe

Filesize
520KB

MD5
38038ab30bb1cfad50b17114cf3bf353

SHA1
ea8eb9a9cb2d2787e9f18d154e99681f6fcfa14d

SHA256
44c4bc2fd899570af1832f6c4607bf931d245f732ff883de2dc2f782e9a16a5b

SHA512
58f594d88d8e8ff5088c427018ee80a131798a9670fb1b53473b8c84c7ea354a4a37146e44954a2f6f7cefd665b97bd0bbb0f8a613e7ba4890368ea1cb3f71aa

Download Submit
\Users\Admin\AppData\Local\Temp\VPINUGGAUBRNXOJ\service.exe

Filesize
520KB

MD5
aa76f6250780e72832a01b73d0cf060a

SHA1
7bfbb53388255ef1d442eb56e1123ab0df98b3b6

SHA256
ef80ec09d68e01466a3d273a96575018acc57833a6d84f176554a76c0e3743d7

SHA512
8a65bb252be6f49ecd3f0dc68210e1ff538518ec818cb26b62446327fc93aefa5faa8da14221f6e231f1572fc1e606c253aef063b29e2f9c7f6224e351539d2d

Download Submit
\Users\Admin\AppData\Local\Temp\WCVFRRSNLSODRYH\service.exe

Filesize
520KB

MD5
366907e90cf59a2bec35f2b2be683631

SHA1
6e8705fe82b2454f160b86d178b1f194d2034134

SHA256
8323f573e3aadca9f62bfdb4569ddf295ef07eb494526110b2b65ea21e793357

SHA512
79fcf94af645a599f32b2fc4bc9c700b752ebb7245217f59a77080f42b00fde714d5f0c26fa93362987da8d3c066913f89496f62bca23506b15b5143798f5983

Download Submit
\Users\Admin\AppData\Local\Temp\WPOWKKLGELHXKRA\service.exe

Filesize
520KB

MD5
414ba6d6e8ae340056ae5899d209668f

SHA1
c0cc0f07595db4ef13eba4159527f99389309158

SHA256
089f5efe8b722d8de13b927055b18d8986c22794202579774bafe25146403302

SHA512
17ede3781e487534753ee8ef66803ee2027cc17d45e4006efc2647beaf89c802851189b037f311187d988c2eea1eca2d2fed7fdeda0932ce0466a02969e89f87

Download Submit
\Users\Admin\AppData\Local\Temp\YFXHTTUPOUQGTBK\service.exe

Filesize
520KB

MD5
76a130096fc769350712dc7a1cc65687

SHA1
cadd7187f3a55a2ff9a4108a03e4f108b7b38e70

SHA256
df813dabee17f0bf49d2402d71dc4a09836b7dcf2e08ed22e5113cf15de39a8b

SHA512
42af491b53a90b963015f5b8c56d5ed2106e6018962bc4584b2f00ef6516c6f7d085ebc7e60e1d9a61366ed273495dc14b245c5dbafb53cacf329f33b0ae3f2d

Download Submit
\Users\Admin\AppData\Local\Temp\YQPAXMLMHGMIYLT\service.exe

Filesize
520KB

MD5
bc91f4641dcdabf6399d002212ca52e8

SHA1
e1c26000acc3b94f1b16fb2ecdadc766f90884be

SHA256
8b6a7887cf1f04b76215537e23ccd1c340f44a65b719ae2ff49e2b7f7d78f7d5

SHA512
8d152682ec42fb1fd4e36f1c8989bea2300b55ced073936606ac52b64060ee286893431126d33235f5c946ff1b127bd34f92b2bd27bdbbc63d8f27ccb5a262db

Download Submit
memory/1576-546-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1576-551-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1576-552-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1576-554-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1576-555-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1576-556-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1576-558-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1576-559-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1576-564-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads