blackshades | 3fa5edd595da40c3265463c80aaac6df8b297d1e8c03705de4a8d649f73c5411

Analysis

max time kernel
147s
max time network
147s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
11/03/2025, 22:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3fa5edd595da40c3265463c80aaac6df8b297d1e8c03705de4a8d649f73c5411.exe
Size

520KB
MD5

b6e7ae9dcdc1c06c607e37f2c0240a06
SHA1

c5ea127bc8bb47220b913907e0a5912f4dd54210
SHA256

3fa5edd595da40c3265463c80aaac6df8b297d1e8c03705de4a8d649f73c5411
SHA512

28c34816e9abed4467a0b469f0a8a90d1210d64994c5d256535e14b2a8507d5afd73148b0aeff32a19a43d8ded6169ded2e5a6fa6046ac32b1c24efdfd4e6ab2
SSDEEP

12288:zW6n3sX4yCFr2ZemYOpSPIsGWeKZl4q7sioXC:zW6ncoyqOp6IsTl/mXC

Score

10^/10

blackshades defense_evasion discovery persistence rat

Malware Config

Signatures

Blackshades
Blackshades is a remote access trojan with various capabilities.
rat blackshades
Blackshades family
blackshades

Blackshades payload 12 IoCs

resource	yara_rule
behavioral1/memory/484-546-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/484-551-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/484-552-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/484-554-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/484-555-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/484-556-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/484-558-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/484-559-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/484-560-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/484-562-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/484-563-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/484-564-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades

Modifies firewall policy service 3 TTPs 8 IoCs

defense_evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\service.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\ESNQUSVGLQDAPXO\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ESNQUSVGLQDAPXO\\service.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe

Executes dropped EXE 21 IoCs

pid	Process
2712	service.exe
3008	service.exe
1688	service.exe
2388	service.exe
2248	service.exe
1364	service.exe
1648	service.exe
1592	service.exe
2876	service.exe
2684	service.exe
3012	service.exe
1036	service.exe
1144	service.exe
1052	service.exe
2256	service.exe
2312	service.exe
2356	service.exe
2180	service.exe
2888	service.exe
1776	service.exe
484	service.exe

Loads dropped DLL 41 IoCs

pid	Process
2452	3fa5edd595da40c3265463c80aaac6df8b297d1e8c03705de4a8d649f73c5411.exe
2452	3fa5edd595da40c3265463c80aaac6df8b297d1e8c03705de4a8d649f73c5411.exe
2712	service.exe
2712	service.exe
3008	service.exe
3008	service.exe
1688	service.exe
1688	service.exe
2388	service.exe
2388	service.exe
2248	service.exe
2248	service.exe
1364	service.exe
1364	service.exe
1648	service.exe
1648	service.exe
1592	service.exe
1592	service.exe
2876	service.exe
2876	service.exe
2684	service.exe
2684	service.exe
3012	service.exe
3012	service.exe
1036	service.exe
1036	service.exe
1144	service.exe
1144	service.exe
1052	service.exe
1052	service.exe
2256	service.exe
2256	service.exe
2312	service.exe
2312	service.exe
2356	service.exe
2356	service.exe
2180	service.exe
2180	service.exe
2888	service.exe
2888	service.exe
1776	service.exe

Adds Run key to start application 2 TTPs 20 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\EDOLKOCFBPVOEEG = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ILXWBYTRAYUJXFN\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\CYXBOESOMRDRTOH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VYNHAGNWMSJRFQG\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\CPFTPNSERTOHLMV = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HAPHYQMHCBRSPXJ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\MREIDBSXQGGIDBK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\KNDVTCWLCHQHFQO\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\VWJOVWHBPYKJXEU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ESNQUSVGLQDAPXO\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\MABVSNAWHXCHWXU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CPLXOYRQSEINBMV\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\AONHQXIEPIJSVXI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CTMRYKAKEYCFVRS\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\RWSGSDCGYXUVINU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UATDPPQLJQMBPWF\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\VJKGEGWJRALQANY = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CLUDXNSXDEBKCHW\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\GVUIJEDFVIPKPMX = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BKXTCWYMQWCDAJB\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\RWSGSECGYUVINUV = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UATDPPQLJQMBPWG\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\EPQLKMCPXGRWGTE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IRJFATXJKHQCINB\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\RQCKCTLHCSMMWMN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FBWPVNEOHFIYUVD\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\RJSOJSETDTURALS = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MIWUKVOMPAFKYXJ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\FJOCOWNBCXTOBXI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GYJVUVRPVRHUCLC\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\FEOMLPCGCAQWOFE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JMYXBYUSBUKXAFO\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\BYMYJIMADNTMCCE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GJVUWRPWSHVDLCX\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\NREIECSYQHGIDAB = "C:\\Users\\Admin\\AppData\\Local\\Temp\\LODWUDWMCHQHGQO\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\HIFOAGLBNOJHKNU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SUKECJTJOGXOCMD\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\VHFJEMAXBUSBBUK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IAQHRNIDCRSQYKR\\service.exe"	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3fa5edd595da40c3265463c80aaac6df8b297d1e8c03705de4a8d649f73c5411.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
1704	reg.exe
1632	reg.exe
1012	reg.exe
2096	reg.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

description	pid	Process
Token: 1	484	service.exe
Token: SeCreateTokenPrivilege	484	service.exe
Token: SeAssignPrimaryTokenPrivilege	484	service.exe
Token: SeLockMemoryPrivilege	484	service.exe
Token: SeIncreaseQuotaPrivilege	484	service.exe
Token: SeMachineAccountPrivilege	484	service.exe
Token: SeTcbPrivilege	484	service.exe
Token: SeSecurityPrivilege	484	service.exe
Token: SeTakeOwnershipPrivilege	484	service.exe
Token: SeLoadDriverPrivilege	484	service.exe
Token: SeSystemProfilePrivilege	484	service.exe
Token: SeSystemtimePrivilege	484	service.exe
Token: SeProfSingleProcessPrivilege	484	service.exe
Token: SeIncBasePriorityPrivilege	484	service.exe
Token: SeCreatePagefilePrivilege	484	service.exe
Token: SeCreatePermanentPrivilege	484	service.exe
Token: SeBackupPrivilege	484	service.exe
Token: SeRestorePrivilege	484	service.exe
Token: SeShutdownPrivilege	484	service.exe
Token: SeDebugPrivilege	484	service.exe
Token: SeAuditPrivilege	484	service.exe
Token: SeSystemEnvironmentPrivilege	484	service.exe
Token: SeChangeNotifyPrivilege	484	service.exe
Token: SeRemoteShutdownPrivilege	484	service.exe
Token: SeUndockPrivilege	484	service.exe
Token: SeSyncAgentPrivilege	484	service.exe
Token: SeEnableDelegationPrivilege	484	service.exe
Token: SeManageVolumePrivilege	484	service.exe
Token: SeImpersonatePrivilege	484	service.exe
Token: SeCreateGlobalPrivilege	484	service.exe
Token: 31	484	service.exe
Token: 32	484	service.exe
Token: 33	484	service.exe
Token: 34	484	service.exe
Token: 35	484	service.exe

Suspicious use of SetWindowsHookEx 24 IoCs

pid	Process
2452	3fa5edd595da40c3265463c80aaac6df8b297d1e8c03705de4a8d649f73c5411.exe
2712	service.exe
3008	service.exe
1688	service.exe
2388	service.exe
2248	service.exe
1364	service.exe
1648	service.exe
1592	service.exe
2876	service.exe
2684	service.exe
3012	service.exe
1036	service.exe
1144	service.exe
1052	service.exe
2256	service.exe
2312	service.exe
2356	service.exe
2180	service.exe
2888	service.exe
1776	service.exe
484	service.exe
484	service.exe
484	service.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2452 wrote to memory of 2216	2452	3fa5edd595da40c3265463c80aaac6df8b297d1e8c03705de4a8d649f73c5411.exe	31
PID 2452 wrote to memory of 2216	2452	3fa5edd595da40c3265463c80aaac6df8b297d1e8c03705de4a8d649f73c5411.exe	31
PID 2452 wrote to memory of 2216	2452	3fa5edd595da40c3265463c80aaac6df8b297d1e8c03705de4a8d649f73c5411.exe	31
PID 2452 wrote to memory of 2216	2452	3fa5edd595da40c3265463c80aaac6df8b297d1e8c03705de4a8d649f73c5411.exe	31
PID 2216 wrote to memory of 2844	2216	cmd.exe	33
PID 2216 wrote to memory of 2844	2216	cmd.exe	33
PID 2216 wrote to memory of 2844	2216	cmd.exe	33
PID 2216 wrote to memory of 2844	2216	cmd.exe	33
PID 2452 wrote to memory of 2712	2452	3fa5edd595da40c3265463c80aaac6df8b297d1e8c03705de4a8d649f73c5411.exe	34
PID 2452 wrote to memory of 2712	2452	3fa5edd595da40c3265463c80aaac6df8b297d1e8c03705de4a8d649f73c5411.exe	34
PID 2452 wrote to memory of 2712	2452	3fa5edd595da40c3265463c80aaac6df8b297d1e8c03705de4a8d649f73c5411.exe	34
PID 2452 wrote to memory of 2712	2452	3fa5edd595da40c3265463c80aaac6df8b297d1e8c03705de4a8d649f73c5411.exe	34
PID 2712 wrote to memory of 2144	2712	service.exe	35
PID 2712 wrote to memory of 2144	2712	service.exe	35
PID 2712 wrote to memory of 2144	2712	service.exe	35
PID 2712 wrote to memory of 2144	2712	service.exe	35
PID 2144 wrote to memory of 2888	2144	cmd.exe	37
PID 2144 wrote to memory of 2888	2144	cmd.exe	37
PID 2144 wrote to memory of 2888	2144	cmd.exe	37
PID 2144 wrote to memory of 2888	2144	cmd.exe	37
PID 2712 wrote to memory of 3008	2712	service.exe	38
PID 2712 wrote to memory of 3008	2712	service.exe	38
PID 2712 wrote to memory of 3008	2712	service.exe	38
PID 2712 wrote to memory of 3008	2712	service.exe	38
PID 3008 wrote to memory of 3012	3008	service.exe	39
PID 3008 wrote to memory of 3012	3008	service.exe	39
PID 3008 wrote to memory of 3012	3008	service.exe	39
PID 3008 wrote to memory of 3012	3008	service.exe	39
PID 3012 wrote to memory of 2984	3012	cmd.exe	41
PID 3012 wrote to memory of 2984	3012	cmd.exe	41
PID 3012 wrote to memory of 2984	3012	cmd.exe	41
PID 3012 wrote to memory of 2984	3012	cmd.exe	41
PID 3008 wrote to memory of 1688	3008	service.exe	42
PID 3008 wrote to memory of 1688	3008	service.exe	42
PID 3008 wrote to memory of 1688	3008	service.exe	42
PID 3008 wrote to memory of 1688	3008	service.exe	42
PID 1688 wrote to memory of 1604	1688	service.exe	43
PID 1688 wrote to memory of 1604	1688	service.exe	43
PID 1688 wrote to memory of 1604	1688	service.exe	43
PID 1688 wrote to memory of 1604	1688	service.exe	43
PID 1604 wrote to memory of 2304	1604	cmd.exe	45
PID 1604 wrote to memory of 2304	1604	cmd.exe	45
PID 1604 wrote to memory of 2304	1604	cmd.exe	45
PID 1604 wrote to memory of 2304	1604	cmd.exe	45
PID 1688 wrote to memory of 2388	1688	service.exe	46
PID 1688 wrote to memory of 2388	1688	service.exe	46
PID 1688 wrote to memory of 2388	1688	service.exe	46
PID 1688 wrote to memory of 2388	1688	service.exe	46
PID 2388 wrote to memory of 2860	2388	service.exe	47
PID 2388 wrote to memory of 2860	2388	service.exe	47
PID 2388 wrote to memory of 2860	2388	service.exe	47
PID 2388 wrote to memory of 2860	2388	service.exe	47
PID 2860 wrote to memory of 532	2860	cmd.exe	49
PID 2860 wrote to memory of 532	2860	cmd.exe	49
PID 2860 wrote to memory of 532	2860	cmd.exe	49
PID 2860 wrote to memory of 532	2860	cmd.exe	49
PID 2388 wrote to memory of 2248	2388	service.exe	50
PID 2388 wrote to memory of 2248	2388	service.exe	50
PID 2388 wrote to memory of 2248	2388	service.exe	50
PID 2388 wrote to memory of 2248	2388	service.exe	50
PID 2248 wrote to memory of 1084	2248	service.exe	51
PID 2248 wrote to memory of 1084	2248	service.exe	51
PID 2248 wrote to memory of 1084	2248	service.exe	51
PID 2248 wrote to memory of 1084	2248	service.exe	51

C:\Users\Admin\AppData\Local\Temp\3fa5edd595da40c3265463c80aaac6df8b297d1e8c03705de4a8d649f73c5411.exe
"C:\Users\Admin\AppData\Local\Temp\3fa5edd595da40c3265463c80aaac6df8b297d1e8c03705de4a8d649f73c5411.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2452
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\TempVGAOW.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2216
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RWSGSDCGYXUVINU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UATDPPQLJQMBPWF\service.exe" /f
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:2844
- C:\Users\Admin\AppData\Local\Temp\UATDPPQLJQMBPWF\service.exe
  "C:\Users\Admin\AppData\Local\Temp\UATDPPQLJQMBPWF\service.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2712
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\TempVBTXS.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2144
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "VJKGEGWJRALQANY" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CLUDXNSXDEBKCHW\service.exe" /f
      4⤵
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      PID:2888
- - C:\Users\Admin\AppData\Local\Temp\CLUDXNSXDEBKCHW\service.exe
    "C:\Users\Admin\AppData\Local\Temp\CLUDXNSXDEBKCHW\service.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3008
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\TempYFOFD.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3012
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "VHFJEMAXBUSBBUK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IAQHRNIDCRSQYKR\service.exe" /f
        5⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2984
  - - C:\Users\Admin\AppData\Local\Temp\IAQHRNIDCRSQYKR\service.exe
      "C:\Users\Admin\AppData\Local\Temp\IAQHRNIDCRSQYKR\service.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1688
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempUASWR.bat" "
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1604
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "GVUIJEDFVIPKPMX" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BKXTCWYMQWCDAJB\service.exe" /f
        6⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2304
    - - C:\Users\Admin\AppData\Local\Temp\BKXTCWYMQWCDAJB\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BKXTCWYMQWCDAJB\service.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2388
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempBIWDR.bat" "
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2860
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "EDOLKOCFBPVOEEG" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ILXWBYTRAYUJXFN\service.exe" /f
        7⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:532
      - C:\Users\Admin\AppData\Local\Temp\ILXWBYTRAYUJXFN\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ILXWBYTRAYUJXFN\service.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2248
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempKLUQE.bat" "
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1084
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CYXBOESOMRDRTOH" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\VYNHAGNWMSJRFQG\service.exe" /f
        8⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1504
        
        C:\Users\Admin\AppData\Local\Temp\VYNHAGNWMSJRFQG\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VYNHAGNWMSJRFQG\service.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1364
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempYDIXY.bat" "
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:920
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FJOCOWNBCXTOBXI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GYJVUVRPVRHUCLC\service.exe" /f
        9⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1784
        
        C:\Users\Admin\AppData\Local\Temp\GYJVUVRPVRHUCLC\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\GYJVUVRPVRHUCLC\service.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1648
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempGAOXK.bat" "
        9⤵
        
        PID:2184
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RWSGSECGYUVINUV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UATDPPQLJQMBPWG\service.exe" /f
        10⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:580
        
        C:\Users\Admin\AppData\Local\Temp\UATDPPQLJQMBPWG\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\UATDPPQLJQMBPWG\service.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1592
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempDHYUV.bat" "
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1580
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "EPQLKMCPXGRWGTE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IRJFATXJKHQCINB\service.exe" /f
        11⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1512
        
        C:\Users\Admin\AppData\Local\Temp\IRJFATXJKHQCINB\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\IRJFATXJKHQCINB\service.exe"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2876
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempGBIWE.bat" "
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2776
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FEOMLPCGCAQWOFE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JMYXBYUSBUKXAFO\service.exe" /f
        12⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2836
        
        C:\Users\Admin\AppData\Local\Temp\JMYXBYUSBUKXAFO\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\JMYXBYUSBUKXAFO\service.exe"
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2684
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempDPVMJ.bat" "
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:2568
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MABVSNAWHXCHWXU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CPLXOYRQSEINBMV\service.exe" /f
        13⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2360
        
        C:\Users\Admin\AppData\Local\Temp\CPLXOYRQSEINBMV\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CPLXOYRQSEINBMV\service.exe"
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3012
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempGTBPO.bat" "
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:2468
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "BYMYJIMADNTMCCE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GJVUWRPWSHVDLCX\service.exe" /f
        14⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2540
        
        C:\Users\Admin\AppData\Local\Temp\GJVUWRPWSHVDLCX\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\GJVUWRPWSHVDLCX\service.exe"
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1036
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempJGPBH.bat" "
        14⤵
        
        PID:1312
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "AONHQXIEPIJSVXI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CTMRYKAKEYCFVRS\service.exe" /f
        15⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2636
        
        C:\Users\Admin\AppData\Local\Temp\CTMRYKAKEYCFVRS\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CTMRYKAKEYCFVRS\service.exe"
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1144
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempREBQY.bat" "
        15⤵
        System Location Discovery: System Language Discovery
        
        PID:2752
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CPFTPNSERTOHLMV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HAPHYQMHCBRSPXJ\service.exe" /f
        16⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1944
        
        C:\Users\Admin\AppData\Local\Temp\HAPHYQMHCBRSPXJ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\HAPHYQMHCBRSPXJ\service.exe"
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1052
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempYGUTF.bat" "
        16⤵
        System Location Discovery: System Language Discovery
        
        PID:996
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MREIDBSXQGGIDBK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KNDVTCWLCHQHFQO\service.exe" /f
        17⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1044
        
        C:\Users\Admin\AppData\Local\Temp\KNDVTCWLCHQHFQO\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KNDVTCWLCHQHFQO\service.exe"
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2256
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempKYGUT.bat" "
        17⤵
        System Location Discovery: System Language Discovery
        
        PID:1356
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NREIECSYQHGIDAB" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\LODWUDWMCHQHGQO\service.exe" /f
        18⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2076
        
        C:\Users\Admin\AppData\Local\Temp\LODWUDWMCHQHGQO\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LODWUDWMCHQHGQO\service.exe"
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2312
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempEPUER.bat" "
        18⤵
        
        PID:1860
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HIFOAGLBNOJHKNU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SUKECJTJOGXOCMD\service.exe" /f
        19⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2944
        
        C:\Users\Admin\AppData\Local\Temp\SUKECJTJOGXOCMD\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SUKECJTJOGXOCMD\service.exe"
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2356
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempKSFLQ.bat" "
        19⤵
        System Location Discovery: System Language Discovery
        
        PID:1580
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RQCKCTLHCSMMWMN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FBWPVNEOHFIYUVD\service.exe" /f
        20⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1336
        
        C:\Users\Admin\AppData\Local\Temp\FBWPVNEOHFIYUVD\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\FBWPVNEOHFIYUVD\service.exe"
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2180
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempWIGKF.bat" "
        20⤵
        
        PID:2804
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RJSOJSETDTURALS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MIWUKVOMPAFKYXJ\service.exe" /f
        21⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2900
        
        C:\Users\Admin\AppData\Local\Temp\MIWUKVOMPAFKYXJ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MIWUKVOMPAFKYXJ\service.exe"
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2888
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempNTFBL.bat" "
        21⤵
        System Location Discovery: System Language Discovery
        
        PID:2488
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "VWJOVWHBPYKJXEU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ESNQUSVGLQDAPXO\service.exe" /f
        22⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2968
        
        C:\Users\Admin\AppData\Local\Temp\ESNQUSVGLQDAPXO\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ESNQUSVGLQDAPXO\service.exe"
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1776
        
        C:\Users\Admin\AppData\Local\Temp\ESNQUSVGLQDAPXO\service.exe
        
        C:\Users\Admin\AppData\Local\Temp\ESNQUSVGLQDAPXO\service.exe
        22⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:484
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        23⤵
        System Location Discovery: System Language Discovery
        
        PID:2684
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        24⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1632
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\ESNQUSVGLQDAPXO\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ESNQUSVGLQDAPXO\service.exe:*:Enabled:Windows Messanger" /f
        23⤵
        System Location Discovery: System Language Discovery
        
        PID:1936
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\ESNQUSVGLQDAPXO\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ESNQUSVGLQDAPXO\service.exe:*:Enabled:Windows Messanger" /f
        24⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1704
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        23⤵
        System Location Discovery: System Language Discovery
        
        PID:3052
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        24⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2096
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f
        23⤵
        System Location Discovery: System Language Discovery
        
        PID:1700
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f
        24⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\TempBIWDR.bat

Filesize
163B

MD5
07bdcc8f46797f3abf73a8a329437fc1

SHA1
ca4c65dd543c0f6c8e5c96a5582949865e01d368

SHA256
d9a2385369660d031efcddbc26c701e0681299544687b01ad8989c1e427b273f

SHA512
96fbf3d9762704250b922fa3b942cba41a8404c117060d66b726317428841f16088d018c3d3b4386dc2ba5a56df59114ba3369daadd7bbec82ef5397d85a6a04

Download Submit
C:\Users\Admin\AppData\Local\TempDHYUV.bat

Filesize
163B

MD5
6caee54811290c0ba3ad2e07b1957507

SHA1
d17ad892eba53ec95a587751b70b718f9a9bd42c

SHA256
5b17da4a0e30b6ed93655ae29f8d466765d1de54fcdcdddeae272322c9cae0fd

SHA512
5404129996074ef92229cbd4e6f3fb8fa84bf7136147a893bfd1b187bb6c8975627ebba2304d9cfbebc4706919bae80b75b5e62bb420bb498840575cadf6aba8

Download Submit
C:\Users\Admin\AppData\Local\TempDPVMJ.bat

Filesize
163B

MD5
ed9689e07fdf60cab6c2bca4ade0a238

SHA1
68b7b1813ea1e258adadfa1703feb2535fb94988

SHA256
908bbf857152b33eeffb703091070e2fdc14df83a892787e1a618962face28b3

SHA512
55eaf7d70572cd9d28ea9debf315a6bdae049672db74a7a5f6baf0a80aecb4e03b430131279e440cdd32b15f1c2fc7c05d0a265e8f94269a72f10ea18d6dd581

Download Submit
C:\Users\Admin\AppData\Local\TempEPUER.bat

Filesize
163B

MD5
2f396e4b618ee91ff4cd1ffd66f5d6b2

SHA1
7eec9fc877396db68a8f8e0d6715e33041ebe64d

SHA256
cde512c0cdeee25f26fa3b5b1ae6963c86eafccaa91d1482cd330c5d61681f87

SHA512
dbaeb1e557971e48475591cbd6c0ee5196ec8e90b1620b70abde5b43cca4938fc0f3aec5dc8f16353e72b6694d837bf358e5b141915d31cdc2d4b910b25795aa

Download Submit
C:\Users\Admin\AppData\Local\TempGAOXK.bat

Filesize
163B

MD5
ea99077dd8758310f19ad9172122a78c

SHA1
6ba9d95ba98422497ebd4f9176cf41c2acc010ae

SHA256
b972f9aa8c477325951d9ac58a5428980c44ec8d1ece77d28755dd2850009fed

SHA512
9a6906eee4d9c3cbc69fbb9f0c0466a4639ba6a5628e0bf43b2d47bb70b75c84be13a321821c2d46bbf73d29b6523146bb8a9d461123b1d30f803b041185e046

Download Submit
C:\Users\Admin\AppData\Local\TempGBIWE.bat

Filesize
163B

MD5
9d8a73676ceac800fa001ece1f4e52f3

SHA1
789fff73252bda26653a511337e96d9121f836b7

SHA256
aafc7d8db206d922031bd9a5dbf1ca1464ac43ea064d603a0b121df667734d51

SHA512
b12df097cd279226c2d14d973c512569288e0dd08cba97f8c17648413ec34dff158e34061896954d0fd016e01297c2ffc636d0b70494672ff697cb74c4d401df

Download Submit
C:\Users\Admin\AppData\Local\TempGTBPO.bat

Filesize
163B

MD5
9b656d82a7cc8cdb63de9c9c277f3855

SHA1
955a19e44ecc27718e7791664b1c43dd422a983c

SHA256
b67985c3804d7856040a4af7169866340aa6921633f1a0b292eed0679171356b

SHA512
c5c4ef71f09fee74a8d762125b71859bf5189fd2dec379266f9bcabe4fb54b295041469222a3d2ae4a3f33c2ee44fcf595b42a01dbd0f88288747f38d47ae90b

Download Submit
C:\Users\Admin\AppData\Local\TempJGPBH.bat

Filesize
163B

MD5
2d776f5619f2154257a667d8b10d04bd

SHA1
1757d5fe8f690f695fa7a5fb86104f7389065602

SHA256
be47c29859ec4d22fbe7182e97e14050fd1a2e8f452b8cf1c0b5ad374e66bc18

SHA512
ed51a27a9ea02a2f0bb0fe0c752937ed63124cf0769fae92250846f6297017facb715ed32003c234da02a48fc401920015a779806d156808bb08d45049fdb65d

Download Submit
C:\Users\Admin\AppData\Local\TempKLUQE.bat

Filesize
163B

MD5
7d45cdc80375c5f3de4f93c29f836de4

SHA1
2a8d2e36e0bc939663044d0bc07abadf4c4ca1c2

SHA256
9a6da83ea8053446d3fa4c4648d6e2cf8cd866a7b7c1340e8812dc0f4b5b1cab

SHA512
8efacfd15a6cf31949ddadaebc8ed69f685cddd3f2152ae7469b31b837a91c7bc7a48a9bbd889d8620438ecb675a3f4fb4fc8ac70b9cdf14f14f262979a7cdad

Download Submit
C:\Users\Admin\AppData\Local\TempKSFLQ.bat

Filesize
163B

MD5
9908f25a4b21479670cd8b26e43eebc8

SHA1
d9e8ab8de17e76da16add3ed9ac9ebd723b23a2a

SHA256
a2edaa3bb568e4a0c10822f588e0c3d115c576aa7c125ae8201aefe888866890

SHA512
4675f0d69687376e2a2ae73738115cedac4f929ec5d2d4268aa23e59484710cf7990c9b683772badaa92128ccf0f9f867eff04badab49ed34f8d75fa93f3f2e8

Download Submit
C:\Users\Admin\AppData\Local\TempKYGUT.bat

Filesize
163B

MD5
2f70e9379344813a815197448a4689c6

SHA1
79943117610b026b9e4b42de1c0c133f52a8e11b

SHA256
9cbb7f116eacdbf49c260bde9687edfad3eb799bb0f6a3b9546074010dec2842

SHA512
e7176888313531b4ba8e3e8c12a58b4f0b3af562caa68f6e73c3f9612171c4f7040f7b730508fbd356eaf17bce736dcc3e1ad1ab572d1a4937d937890015faa1

Download Submit
C:\Users\Admin\AppData\Local\TempNTFBL.bat

Filesize
163B

MD5
60febb555d7380a45741d90c0905ef3c

SHA1
74ea91bcfc404caceaad46cd529ca941b949477a

SHA256
85a771d54b5bdb04b7a44916546c860675231ff680e389ef5e292e5b2d9b88d4

SHA512
e603edc2365cb44a73340e7831632f4a200dd571007b8f7ba78affbde8991e766b6f7da82d3d474ef3584df55ddb09e4dc8cdae5e96678bf43e0da16237f5cd5

Download Submit
C:\Users\Admin\AppData\Local\TempREBQY.bat

Filesize
163B

MD5
5d3f8c9f7ed635f4e6fdebdae32e64d6

SHA1
463326b0e09f78fdcfe26e29ad3e802cf55a4f8f

SHA256
83e84c2e1c5aa7c04c1f9ddfc80399035abffb68ac7700ba12d18aacf7f89359

SHA512
ad44dad082d299f9b3bedc2006dfdc70445a8b3d460d68c0a9a8c2964d33d2d9419912c27e72b3d2a191eef1de6e1d7dc9681b1b5d9a3dbe756b288f50cde882

Download Submit
C:\Users\Admin\AppData\Local\TempUASWR.bat

Filesize
163B

MD5
553bef3381654ce8d6afdd841befeff7

SHA1
684eb6c54b3cf697860d781e42f49e172d0ba589

SHA256
651fa337db94e08aee6ad768a72f0013798d0727aaff3d88e50ed99fa5ba1813

SHA512
ed873df1f2d15117b19d2b3d8546fc8b62705e27838fa48cd59ccf1d0676f80eb66cf1211bc9c45b1ea2a0555acb65ae98aa50cb1b14fc6abe275702217d694b

Download Submit
C:\Users\Admin\AppData\Local\TempVBTXS.bat

Filesize
163B

MD5
f286a997dafd3f45392758cd25adb9c7

SHA1
dd9863ba8a55910f95341ac38268e7bbd6c27330

SHA256
5e6541f54dfab8ef75e8af742526b73008d832be582cac12e866c730228ecfc1

SHA512
68071827c9ea291a46a5931c8a87d56a0e1122b46b420173919c818bd47ce3caa4a273b161301890cc48fba61b5867a8461cffe2ad7edd796a808d8238e3355d

Download Submit
C:\Users\Admin\AppData\Local\TempVGAOW.bat

Filesize
163B

MD5
ef7d3e47e7ac91a456aafd8305c0823a

SHA1
500d4ecbfdcea75427f6e8221397182987d0cff5

SHA256
d4ba551d70c77d3e2ccd4809c99c5e13a27ac54c53540dbc3ae2dd3b1e3b28db

SHA512
ed1a712f19e6584548677608b5f5beaec71d8860ab2c82972b9be43aabcb42abc6b3d660ed59562e0c872b0d7aac11d8ab522ab46b2921471fc87a6d08957c85

Download Submit
C:\Users\Admin\AppData\Local\TempWIGKF.bat

Filesize
163B

MD5
b96c1ebb8b5ae79aaf417f1571d5ca9d

SHA1
4c6aaa43c13cdaedfa9081a4b25ce410d9f7c22f

SHA256
5d01af8e8cfdfc694da1b87e6cf5e43d43c0ebd49c7683ad8bd1f7e6a3bdb85d

SHA512
63a1dc44375831ad55eb83976cdcfcbed3c69f6d6eae78802ec684e4c77dbb29d477e29cfff6d57c1916b43687d7180e4c4620abe20b5bcb611eef764fe3b60f

Download Submit
C:\Users\Admin\AppData\Local\TempYDIXY.bat

Filesize
163B

MD5
bda7f980f3c39146c43dfd47d87efc83

SHA1
a4e34668c7ff07df93487e75ea08b45024c080e5

SHA256
398cbd5aa46f5e414e5ac1b52ea369cb497d2f533020be1608a95f243056ba7f

SHA512
f1e6ac503771378f5d362cda6304b352abe48559d804e68232bd8d19abd1ea186b691489303e41e63ca729041e2922c629016df0653f3d340b756a96d8c35046

Download Submit
C:\Users\Admin\AppData\Local\TempYFOFD.bat

Filesize
163B

MD5
f6d55ff0113f44a119a4722dd6ea313f

SHA1
2d9ff9c01d46a84a0cd4b61c793883c1bed8d788

SHA256
9e63770450745008295c97ead79dc42f126302efbe92a4726a50ad5f0e777678

SHA512
a486decafab6fab43c13de6ee46a994efb65976cf63737bc7ce6e5941350ada6317f845290f01134612664d0118d91598ef91bde6c2b769d0ab26340fd4d7e4c

Download Submit
C:\Users\Admin\AppData\Local\TempYGUTF.bat

Filesize
163B

MD5
69786475f46eff7a611d5d485b9a9507

SHA1
306206beab8da223f7a0f2dc5c488c4da9fea3ee

SHA256
4612f74b03bbdc0afef06ca91661f4e639f58571e065e9beed2ef884b8750a42

SHA512
3c28606386ee67a2eb70d64abf07f4ab002be80073372d8bde65f37d59e3dd1309c9b018e8a4ad8a6cccc4cafae21b99a6ac8a8fb0f568149f4c02c88ed480bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\JMYXBYUSBUKXAFO\service.exe

Filesize
520KB

MD5
bee910bb03d8bb2934730552d87aeee5

SHA1
5b212a0bce180dcf40c31c9286dadbf611480c9f

SHA256
4db4c36bca8d61a2635c3556fbba3b194cd7342cfb77f5a67b0142ec9921e16f

SHA512
a12cf691e2466b323626234b19ef26c5ebf03f0989520d7d27c0825b540e33f430a6dee68940fbc240a7cf5bcd8d7f0cfdcfb00ced5f0cf2de125d1e656ef3de

Download Submit
C:\Users\Admin\AppData\Local\Temp\UATDPPQLJQMBPWF\service.exe

Filesize
520KB

MD5
a6af6a1bddc78fe23737bcdc7984d43b

SHA1
db5fe52d6508e4a96dafdc10988428e703b3b96b

SHA256
7506eefb8a244a50baa0de5f1b61172d5f2749fc7266d4ba4df30759b824c83c

SHA512
77da718f44b0f4e963e07d182b2e75a7cfa6a60fd59984f258916477f5db2bcfda3f36e9fd881ad82a5af7ef305fbc35e98b956e8f58b9b2b3ae48e04e2456fb

Download Submit
\Users\Admin\AppData\Local\Temp\BKXTCWYMQWCDAJB\service.exe

Filesize
520KB

MD5
b4f2e249fe1d2ae9aedc0403555d33df

SHA1
b72ad1057c3748134852aa1585e4d852d6a4c9f3

SHA256
ca5e5928939f8baf6cc49d1a74d42f7f3f00ca3b3df5d46bb2cde13a87f86fb4

SHA512
a22c79a325f498633ce815b3fccb2ec0f146c3f148d4ed0921f616baf21e1a55b6bdc8084198d398a9862c85a88c9a8961cd51a6fc607da9d792f4840c268f4d

Download Submit
\Users\Admin\AppData\Local\Temp\CLUDXNSXDEBKCHW\service.exe

Filesize
520KB

MD5
074328bef4a8b5779fbd2e00f152ffa0

SHA1
8e47491723cef83301882e596d13f51802036be4

SHA256
9766de6fca822c601767cba5ec24a506c5340e8e2b63c884b32b0b62406f0206

SHA512
c71d1a07c5f20054c6e3c9962d41789d72c52819c249d0e4da6ffda2b50aed67c1e15a0846b062a3561c08cb7ee39349de4b0db2cbfcacc7ca9a4aedf767bb29

Download Submit
\Users\Admin\AppData\Local\Temp\CPLXOYRQSEINBMV\service.exe

Filesize
520KB

MD5
d2b2eac199b9cd29d9a7c4dca8655e15

SHA1
5e71efb7708c38f3c3bea13e93d06d462c651dc7

SHA256
0380fd8e81c42354625c966f7dcbfda32109f4bf36135dcbdc76264567488e78

SHA512
5d3fab9803a85cd2a0a4598a96e054786b10a8f1db8718fe35a66564ffcb98290e6fc4fc1a71b38697a28f6e5184d1371f4c039f2b1c7d716b05bc72c3f78653

Download Submit
\Users\Admin\AppData\Local\Temp\CTMRYKAKEYCFVRS\service.exe

Filesize
520KB

MD5
8df46f46d1f8dc61c09fa6506581e2e7

SHA1
9660254bd1610246d37244286f5e9a3d0c9f8a80

SHA256
7c4095822f1592bf1eb356633fb3ab6ec70e6acfddc23e71ea0d6055a1e994b7

SHA512
bf8995d3370193f3b407968fb43530a9a069aa832191f7c89692849b424b20399371a1d65839d5629d8f730c8f59f65ca156f0de5959d0b1c939d2ddb6439e15

Download Submit
\Users\Admin\AppData\Local\Temp\GJVUWRPWSHVDLCX\service.exe

Filesize
520KB

MD5
b6c590ce443cf1e3a0715dffcef54d12

SHA1
a024051b99e39570ebce6990e21f7be9c2da16ee

SHA256
eebc438d2a0defd8f30ac6e6b7db15281e961746405ae77a67e89fd1eabbb08e

SHA512
c3acfc662e5b1eab47c60d2f80853d7a4b431121229c5e30842d0060995ecbcc8be94d8d93bd08adcf12df06b5fe52f8a3bd09228aabd6ab82bbc23160b73899

Download Submit
\Users\Admin\AppData\Local\Temp\GYJVUVRPVRHUCLC\service.exe

Filesize
520KB

MD5
5955a291debcf955c60b19129bca2c38

SHA1
74d1dcda949f054e8780456080fac5f17427db14

SHA256
15e437d84fb6e6cf91d1a161b5e7d4fee5606f6262899c2849b7c6608f9aba7f

SHA512
4a71def12e13d4384b6d064801ae5c20ce509086d76e2121ebda01031dabdbad33a5c0ca899ef60c8d5d54cd0d04df1ca2ee6fe059722de4b7fd4e96b7109e9f

Download Submit
\Users\Admin\AppData\Local\Temp\IAQHRNIDCRSQYKR\service.exe

Filesize
520KB

MD5
25dd5e5917807fe47ea65fe7cbc8ba6d

SHA1
b0677177abb4dfaf5f0beb8633748e572e162613

SHA256
462d139c27d41d83f87ae8af4a47a45124b86a3aa61ff147258ff7abf973d5a3

SHA512
5628ef3ccc67708b7969f976174d54290a2be90c3c50e9953d472730683e69af453ba457076d8ed62f5c52d2847c42f166ca9b6cbe7c1e171f97359b94e5b771

Download Submit
\Users\Admin\AppData\Local\Temp\ILXWBYTRAYUJXFN\service.exe

Filesize
520KB

MD5
42413418c9d6e06290e1df60059862af

SHA1
8403c300cec927374e162c3f530c77e04bbe87cc

SHA256
2317ef52adeb084fc4e96142f2b66a6ea6a047d92d987021faf5df0ce6fbca51

SHA512
4c06f1e18e174e1e8572bd73dd90d89e01a0d4d360ae19fdeac75cb9b02a3a320bb5b79ffe1f61d61e4adda75bf8801007a94098a2c2234c537d2f49bbbcd3b0

Download Submit
\Users\Admin\AppData\Local\Temp\IRJFATXJKHQCINB\service.exe

Filesize
520KB

MD5
e4de60287c247f705f5bd46fc89e0212

SHA1
6eef9d7e726e441adbc0a36704a1abd429f8f45a

SHA256
8c446a8ff087a896275569aa90033fd37bb9a6781b5c19616d6ee56279d95697

SHA512
4a596fa453d98eeac6ca7f4434e60c8ee6fbb7e9c935e4cf849693a7306a2aefc31e7b0d20cad2f113afd161becbe818504385715ce2bbc30009e2e461c00707

Download Submit
\Users\Admin\AppData\Local\Temp\UATDPPQLJQMBPWG\service.exe

Filesize
520KB

MD5
aeedc278835480ae820d88ab17165f81

SHA1
4ad0a200728ed48e88b0252e46ee59e113165980

SHA256
4a29dcf7551d7faeca1908032b22724127877aeabfdc631db4ec70c6b40c0a4f

SHA512
eabda4d9a852230acbd1e455b7b64a08be3afb11f0ce456daae974e825b186ef7b23b914e591c832effd7a4f72b329e00b7a7dc378e8f3a23e3c1f7164eb0ebe

Download Submit
\Users\Admin\AppData\Local\Temp\VYNHAGNWMSJRFQG\service.exe

Filesize
520KB

MD5
fd5b6efaa00beac501e3bfe55019eb7e

SHA1
4a70f92be677f7116eae3fece87f39033818e6aa

SHA256
27104ef3e12ba7a6bf8116cd953008d9670f8a628457ceb32b718f30187e0a12

SHA512
31dbd1027af1d3a8b3ea2b22d25ec98e8de61a4a1cbb315ea381d423b5fd5480c4df9c0b242786d0bde7de25cb187c418ab1697a100653eb5db95d8d3124b9a0

Download Submit
memory/484-546-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/484-551-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/484-552-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/484-554-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/484-555-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/484-556-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/484-558-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/484-559-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/484-560-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/484-562-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/484-563-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/484-564-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads