blackshades | b00ad5d45951570a60ecb684397ecc7f4ea74383423a4b178870f898ac4da487

Analysis

max time kernel
148s
max time network
146s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
11/03/2025, 04:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b00ad5d45951570a60ecb684397ecc7f4ea74383423a4b178870f898ac4da487.exe
Size

520KB
MD5

36a828650bba44e1b32b96bd0c15f427
SHA1

17c64a0eff01a4175eb0b521338edebde76cdb92
SHA256

b00ad5d45951570a60ecb684397ecc7f4ea74383423a4b178870f898ac4da487
SHA512

3b2d16a3741ae17d3fae894370d6dd483e72e4ee4e9abecdeda13178c1a86504770e7ee2122b5a66eecb29cffc15665a101d46e493ad9bea4ed0abf829003608
SSDEEP

12288:zW6n3sX4yCFr2ZemYOpSPIsGWeKZl4q7sioXQ:zW6ncoyqOp6IsTl/mXQ

Score

10^/10

blackshades defense_evasion discovery persistence rat

Malware Config

Signatures

Blackshades
Blackshades is a remote access trojan with various capabilities.
rat blackshades
Blackshades family
blackshades

Blackshades payload 10 IoCs

resource	yara_rule
behavioral1/memory/2724-498-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/2724-503-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/2724-506-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/2724-507-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/2724-508-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/2724-510-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/2724-511-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/2724-512-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/2724-516-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/2724-518-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades

Modifies firewall policy service 3 TTPs 8 IoCs

defense_evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\service.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\ORHBXGPFLDTKJUR\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ORHBXGPFLDTKJUR\\service.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe

Executes dropped EXE 19 IoCs

pid	Process
2632	service.exe
2848	service.exe
2564	service.exe
784	service.exe
2028	service.exe
2300	service.exe
1916	service.exe
2180	service.exe
2288	service.exe
2316	service.exe
2524	service.exe
2644	service.exe
2260	service.exe
548	service.exe
1216	service.exe
980	service.exe
1512	service.exe
2888	service.exe
2724	service.exe

Loads dropped DLL 37 IoCs

pid	Process
2816	b00ad5d45951570a60ecb684397ecc7f4ea74383423a4b178870f898ac4da487.exe
2816	b00ad5d45951570a60ecb684397ecc7f4ea74383423a4b178870f898ac4da487.exe
2632	service.exe
2632	service.exe
2848	service.exe
2848	service.exe
2564	service.exe
2564	service.exe
784	service.exe
784	service.exe
2028	service.exe
2028	service.exe
2300	service.exe
2300	service.exe
1916	service.exe
1916	service.exe
2180	service.exe
2180	service.exe
2288	service.exe
2288	service.exe
2316	service.exe
2316	service.exe
2524	service.exe
2524	service.exe
2644	service.exe
2644	service.exe
2260	service.exe
2260	service.exe
548	service.exe
548	service.exe
1216	service.exe
1216	service.exe
980	service.exe
980	service.exe
1512	service.exe
1512	service.exe
2888	service.exe

Adds Run key to start application 2 TTPs 18 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\OLLXTRVQYNOAGNO = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UNMUIHJECJFUIPK\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\VAXLXIHLYCMSKBB = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FYIUTVQOVQGUCKB\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\TSEMEVNJEUNOYOP = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HDYRXPFQJHKWAXF\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\JWDMWUEALEYFVOS = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VPIOVGHAUBRNYOK\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\QUILHFWUKKMHADE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ORHBXGPFLDTKJUR\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\NOJHKNUEPUERCAF = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GPYGDRVHIFOAGLB\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\DEAVQDLFKXHSYPN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FTORVTWHLREBQYP\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\FERHVRPUGAUWBRK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YQKDJQBCPVMUITJ\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\RVHIFOAGLCNOJIK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YRQAYMLNIGNIYMT\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\NREIECSYQHHJEAB = "C:\\Users\\Admin\\AppData\\Local\\Temp\\LODWUDXMCIQHGRO\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\IEDQGUQOTFSVQJM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XPJCIPYABOTLTHS\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\MABWSNAWIXCHWXV = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CQLYOYSQTEJOBNV\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\TKUQLUFVAFUVSBN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ANJXVMWPOQCGLYK\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\RVSGSDCGYXTVHNU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UATDPOQLJQLBPWF\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\FSIWSPAUHAUWBRK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RLEJQCCQVNVJUKG\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\POSFJFDTRIHJEBC = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MPEXVEXNDIARIHR\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\INJKVSQUPXLMFMM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TLKSHGHDBHDYTGO\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\KXGHSYPNRMUIJCJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QIYHPDDEEAVQDKF\\service.exe"	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b00ad5d45951570a60ecb684397ecc7f4ea74383423a4b178870f898ac4da487.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
2696	reg.exe
2288	reg.exe
588	reg.exe
1008	reg.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

description	pid	Process
Token: 1	2724	service.exe
Token: SeCreateTokenPrivilege	2724	service.exe
Token: SeAssignPrimaryTokenPrivilege	2724	service.exe
Token: SeLockMemoryPrivilege	2724	service.exe
Token: SeIncreaseQuotaPrivilege	2724	service.exe
Token: SeMachineAccountPrivilege	2724	service.exe
Token: SeTcbPrivilege	2724	service.exe
Token: SeSecurityPrivilege	2724	service.exe
Token: SeTakeOwnershipPrivilege	2724	service.exe
Token: SeLoadDriverPrivilege	2724	service.exe
Token: SeSystemProfilePrivilege	2724	service.exe
Token: SeSystemtimePrivilege	2724	service.exe
Token: SeProfSingleProcessPrivilege	2724	service.exe
Token: SeIncBasePriorityPrivilege	2724	service.exe
Token: SeCreatePagefilePrivilege	2724	service.exe
Token: SeCreatePermanentPrivilege	2724	service.exe
Token: SeBackupPrivilege	2724	service.exe
Token: SeRestorePrivilege	2724	service.exe
Token: SeShutdownPrivilege	2724	service.exe
Token: SeDebugPrivilege	2724	service.exe
Token: SeAuditPrivilege	2724	service.exe
Token: SeSystemEnvironmentPrivilege	2724	service.exe
Token: SeChangeNotifyPrivilege	2724	service.exe
Token: SeRemoteShutdownPrivilege	2724	service.exe
Token: SeUndockPrivilege	2724	service.exe
Token: SeSyncAgentPrivilege	2724	service.exe
Token: SeEnableDelegationPrivilege	2724	service.exe
Token: SeManageVolumePrivilege	2724	service.exe
Token: SeImpersonatePrivilege	2724	service.exe
Token: SeCreateGlobalPrivilege	2724	service.exe
Token: 31	2724	service.exe
Token: 32	2724	service.exe
Token: 33	2724	service.exe
Token: 34	2724	service.exe
Token: 35	2724	service.exe

Suspicious use of SetWindowsHookEx 22 IoCs

pid	Process
2816	b00ad5d45951570a60ecb684397ecc7f4ea74383423a4b178870f898ac4da487.exe
2632	service.exe
2848	service.exe
2564	service.exe
784	service.exe
2028	service.exe
2300	service.exe
1916	service.exe
2180	service.exe
2288	service.exe
2316	service.exe
2524	service.exe
2644	service.exe
2260	service.exe
548	service.exe
1216	service.exe
980	service.exe
1512	service.exe
2888	service.exe
2724	service.exe
2724	service.exe
2724	service.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2816 wrote to memory of 2812	2816	b00ad5d45951570a60ecb684397ecc7f4ea74383423a4b178870f898ac4da487.exe	30
PID 2816 wrote to memory of 2812	2816	b00ad5d45951570a60ecb684397ecc7f4ea74383423a4b178870f898ac4da487.exe	30
PID 2816 wrote to memory of 2812	2816	b00ad5d45951570a60ecb684397ecc7f4ea74383423a4b178870f898ac4da487.exe	30
PID 2816 wrote to memory of 2812	2816	b00ad5d45951570a60ecb684397ecc7f4ea74383423a4b178870f898ac4da487.exe	30
PID 2812 wrote to memory of 1540	2812	cmd.exe	32
PID 2812 wrote to memory of 1540	2812	cmd.exe	32
PID 2812 wrote to memory of 1540	2812	cmd.exe	32
PID 2812 wrote to memory of 1540	2812	cmd.exe	32
PID 2816 wrote to memory of 2632	2816	b00ad5d45951570a60ecb684397ecc7f4ea74383423a4b178870f898ac4da487.exe	33
PID 2816 wrote to memory of 2632	2816	b00ad5d45951570a60ecb684397ecc7f4ea74383423a4b178870f898ac4da487.exe	33
PID 2816 wrote to memory of 2632	2816	b00ad5d45951570a60ecb684397ecc7f4ea74383423a4b178870f898ac4da487.exe	33
PID 2816 wrote to memory of 2632	2816	b00ad5d45951570a60ecb684397ecc7f4ea74383423a4b178870f898ac4da487.exe	33
PID 2632 wrote to memory of 592	2632	service.exe	34
PID 2632 wrote to memory of 592	2632	service.exe	34
PID 2632 wrote to memory of 592	2632	service.exe	34
PID 2632 wrote to memory of 592	2632	service.exe	34
PID 592 wrote to memory of 1072	592	cmd.exe	36
PID 592 wrote to memory of 1072	592	cmd.exe	36
PID 592 wrote to memory of 1072	592	cmd.exe	36
PID 592 wrote to memory of 1072	592	cmd.exe	36
PID 2632 wrote to memory of 2848	2632	service.exe	37
PID 2632 wrote to memory of 2848	2632	service.exe	37
PID 2632 wrote to memory of 2848	2632	service.exe	37
PID 2632 wrote to memory of 2848	2632	service.exe	37
PID 2848 wrote to memory of 1240	2848	service.exe	38
PID 2848 wrote to memory of 1240	2848	service.exe	38
PID 2848 wrote to memory of 1240	2848	service.exe	38
PID 2848 wrote to memory of 1240	2848	service.exe	38
PID 1240 wrote to memory of 3020	1240	cmd.exe	40
PID 1240 wrote to memory of 3020	1240	cmd.exe	40
PID 1240 wrote to memory of 3020	1240	cmd.exe	40
PID 1240 wrote to memory of 3020	1240	cmd.exe	40
PID 2848 wrote to memory of 2564	2848	service.exe	41
PID 2848 wrote to memory of 2564	2848	service.exe	41
PID 2848 wrote to memory of 2564	2848	service.exe	41
PID 2848 wrote to memory of 2564	2848	service.exe	41
PID 2564 wrote to memory of 2836	2564	service.exe	42
PID 2564 wrote to memory of 2836	2564	service.exe	42
PID 2564 wrote to memory of 2836	2564	service.exe	42
PID 2564 wrote to memory of 2836	2564	service.exe	42
PID 2836 wrote to memory of 3040	2836	cmd.exe	44
PID 2836 wrote to memory of 3040	2836	cmd.exe	44
PID 2836 wrote to memory of 3040	2836	cmd.exe	44
PID 2836 wrote to memory of 3040	2836	cmd.exe	44
PID 2564 wrote to memory of 784	2564	service.exe	45
PID 2564 wrote to memory of 784	2564	service.exe	45
PID 2564 wrote to memory of 784	2564	service.exe	45
PID 2564 wrote to memory of 784	2564	service.exe	45
PID 784 wrote to memory of 2156	784	service.exe	46
PID 784 wrote to memory of 2156	784	service.exe	46
PID 784 wrote to memory of 2156	784	service.exe	46
PID 784 wrote to memory of 2156	784	service.exe	46
PID 2156 wrote to memory of 2172	2156	cmd.exe	48
PID 2156 wrote to memory of 2172	2156	cmd.exe	48
PID 2156 wrote to memory of 2172	2156	cmd.exe	48
PID 2156 wrote to memory of 2172	2156	cmd.exe	48
PID 784 wrote to memory of 2028	784	service.exe	49
PID 784 wrote to memory of 2028	784	service.exe	49
PID 784 wrote to memory of 2028	784	service.exe	49
PID 784 wrote to memory of 2028	784	service.exe	49
PID 2028 wrote to memory of 1976	2028	service.exe	50
PID 2028 wrote to memory of 1976	2028	service.exe	50
PID 2028 wrote to memory of 1976	2028	service.exe	50
PID 2028 wrote to memory of 1976	2028	service.exe	50

C:\Users\Admin\AppData\Local\Temp\b00ad5d45951570a60ecb684397ecc7f4ea74383423a4b178870f898ac4da487.exe
"C:\Users\Admin\AppData\Local\Temp\b00ad5d45951570a60ecb684397ecc7f4ea74383423a4b178870f898ac4da487.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2816
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\TempUFYNW.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2812
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RVSGSDCGYXTVHNU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UATDPOQLJQLBPWF\service.exe" /f
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:1540
- C:\Users\Admin\AppData\Local\Temp\UATDPOQLJQLBPWF\service.exe
  "C:\Users\Admin\AppData\Local\Temp\UATDPOQLJQLBPWF\service.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2632
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\TempXWSST.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:592
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NOJHKNUEPUERCAF" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GPYGDRVHIFOAGLB\service.exe" /f
      4⤵
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      PID:1072
- - C:\Users\Admin\AppData\Local\Temp\GPYGDRVHIFOAGLB\service.exe
    "C:\Users\Admin\AppData\Local\Temp\GPYGDRVHIFOAGLB\service.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2848
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\TempOPYUB.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1240
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FSIWSPAUHAUWBRK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\RLEJQCCQVNVJUKG\service.exe" /f
        5⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3020
  - - C:\Users\Admin\AppData\Local\Temp\RLEJQCCQVNVJUKG\service.exe
      "C:\Users\Admin\AppData\Local\Temp\RLEJQCCQVNVJUKG\service.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2564
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempWSSHP.bat" "
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2836
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OLLXTRVQYNOAGNO" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\UNMUIHJECJFUIPK\service.exe" /f
        6⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3040
    - - C:\Users\Admin\AppData\Local\Temp\UNMUIHJECJFUIPK\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\UNMUIHJECJFUIPK\service.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:784
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempLHVUG.bat" "
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2156
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "POSFJFDTRIHJEBC" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\MPEXVEXNDIARIHR\service.exe" /f
        7⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2172
      - C:\Users\Admin\AppData\Local\Temp\MPEXVEXNDIARIHR\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MPEXVEXNDIARIHR\service.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2028
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempDESAO.bat" "
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1976
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "VAXLXIHLYCMSKBB" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FYIUTVQOVQGUCKB\service.exe" /f
        8⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1608
        
        C:\Users\Admin\AppData\Local\Temp\FYIUTVQOVQGUCKB\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\FYIUTVQOVQGUCKB\service.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2300
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempVQQFO.bat" "
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1644
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "INJKVSQUPXLMFMM" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TLKSHGHDBHDYTGO\service.exe" /f
        9⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2080
        
        C:\Users\Admin\AppData\Local\Temp\TLKSHGHDBHDYTGO\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TLKSHGHDBHDYTGO\service.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1916
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempRMUIJ.bat" "
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1964
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DEAVQDLFKXHSYPN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FTORVTWHLREBQYP\service.exe" /f
        10⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1912
        
        C:\Users\Admin\AppData\Local\Temp\FTORVTWHLREBQYP\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\FTORVTWHLREBQYP\service.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2180
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempNWSAF.bat" "
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2408
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "IEDQGUQOTFSVQJM" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XPJCIPYABOTLTHS\service.exe" /f
        11⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2880
        
        C:\Users\Admin\AppData\Local\Temp\XPJCIPYABOTLTHS\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XPJCIPYABOTLTHS\service.exe"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2288
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempMUGNR.bat" "
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2236
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TSEMEVNJEUNOYOP" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HDYRXPFQJHKWAXF\service.exe" /f
        12⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2816
        
        C:\Users\Admin\AppData\Local\Temp\HDYRXPFQJHKWAXF\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\HDYRXPFQJHKWAXF\service.exe"
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2316
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempNOXTA.bat" "
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:2468
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FERHVRPUGAUWBRK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YQKDJQBCPVMUITJ\service.exe" /f
        13⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3052
        
        C:\Users\Admin\AppData\Local\Temp\YQKDJQBCPVMUITJ\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\YQKDJQBCPVMUITJ\service.exe"
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2524
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempANVEP.bat" "
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:2368
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "RVHIFOAGLCNOJIK" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YRQAYMLNIGNIYMT\service.exe" /f
        14⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2980
        
        C:\Users\Admin\AppData\Local\Temp\YRQAYMLNIGNIYMT\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\YRQAYMLNIGNIYMT\service.exe"
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2644
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempTYFGD.bat" "
        14⤵
        System Location Discovery: System Language Discovery
        
        PID:2872
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "JWDMWUEALEYFVOS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\VPIOVGHAUBRNYOK\service.exe" /f
        15⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1196
        
        C:\Users\Admin\AppData\Local\Temp\VPIOVGHAUBRNYOK\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VPIOVGHAUBRNYOK\service.exe"
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2260
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempEPVMK.bat" "
        15⤵
        System Location Discovery: System Language Discovery
        
        PID:1268
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MABWSNAWIXCHWXV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\CQLYOYSQTEJOBNV\service.exe" /f
        16⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1168
        
        C:\Users\Admin\AppData\Local\Temp\CQLYOYSQTEJOBNV\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CQLYOYSQTEJOBNV\service.exe"
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:548
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempLYGUT.bat" "
        16⤵
        System Location Discovery: System Language Discovery
        
        PID:280
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NREIECSYQHHJEAB" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\LODWUDXMCIQHGRO\service.exe" /f
        17⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1928
        
        C:\Users\Admin\AppData\Local\Temp\LODWUDXMCIQHGRO\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LODWUDXMCIQHGRO\service.exe"
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1216
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempJSNWN.bat" "
        17⤵
        System Location Discovery: System Language Discovery
        
        PID:2300
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "KXGHSYPNRMUIJCJ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\QIYHPDDEEAVQDKF\service.exe" /f
        18⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1676
        
        C:\Users\Admin\AppData\Local\Temp\QIYHPDDEEAVQDKF\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\QIYHPDDEEAVQDKF\service.exe"
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:980
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempTYKIM.bat" "
        18⤵
        System Location Discovery: System Language Discovery
        
        PID:2496
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TKUQLUFVAFUVSBN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ANJXVMWPOQCGLYK\service.exe" /f
        19⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1716
        
        C:\Users\Admin\AppData\Local\Temp\ANJXVMWPOQCGLYK\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ANJXVMWPOQCGLYK\service.exe"
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1512
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempOKXWJ.bat" "
        19⤵
        System Location Discovery: System Language Discovery
        
        PID:2732
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "QUILHFWUKKMHADE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ORHBXGPFLDTKJUR\service.exe" /f
        20⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1752
        
        C:\Users\Admin\AppData\Local\Temp\ORHBXGPFLDTKJUR\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ORHBXGPFLDTKJUR\service.exe"
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2888
        
        C:\Users\Admin\AppData\Local\Temp\ORHBXGPFLDTKJUR\service.exe
        
        C:\Users\Admin\AppData\Local\Temp\ORHBXGPFLDTKJUR\service.exe
        20⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2724
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        21⤵
        System Location Discovery: System Language Discovery
        
        PID:1536
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        22⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2696
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\ORHBXGPFLDTKJUR\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ORHBXGPFLDTKJUR\service.exe:*:Enabled:Windows Messanger" /f
        21⤵
        System Location Discovery: System Language Discovery
        
        PID:2588
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\ORHBXGPFLDTKJUR\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ORHBXGPFLDTKJUR\service.exe:*:Enabled:Windows Messanger" /f
        22⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2288
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        21⤵
        System Location Discovery: System Language Discovery
        
        PID:2140
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        22⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:588
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f
        21⤵
        System Location Discovery: System Language Discovery
        
        PID:2572
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f
        22⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\TempANVEP.bat

Filesize
163B

MD5
d1587e20902eed79e46b7157a81f01c1

SHA1
0ca4e64d08bae3257494bac4db5d6235a4e467d2

SHA256
1152f8caa9466ba245d3994feec16d7e5ea4a3e5cff587e5e5c40bc615c9415b

SHA512
51c12b11e01096fe47a0cfeb188b00f280a3c420c3370e01fe9032a4e51543d92fcbc92cd016f6e4ba5d879a4b5867a062c3e6cb8e543b7cf3667d3ac3f000a5

Download Submit
C:\Users\Admin\AppData\Local\TempDESAO.bat

Filesize
163B

MD5
f87f2a2302ff9fb2ce0ccac609ed428e

SHA1
38b530c63a0daa01a432ddfff8162f1a12824529

SHA256
8bf748b00c9ddc35bba4135ae3b8f4ba5b0c1084888ba6cc29fb14e64d86f1a8

SHA512
a1daa692c16497c120d861086602cb57e98d133fcd9359e8dafb433706264abdc79cf965e9dc7c7c9b158c66c62739c2f437766eabb1c1d94a627843dceaf560

Download Submit
C:\Users\Admin\AppData\Local\TempEPVMK.bat

Filesize
163B

MD5
6df101e5793392a3a4687cb3f0d05d43

SHA1
8bde684a4b0df6d745ccf82ac144b7f10552c5f0

SHA256
89213ed3a57910f62abb88be0afd10006ad3c0229991b8387f4d6a915970e9cc

SHA512
d918b19bf4e2ae9a0678321b6253aa4efec4b87d2248d3faa05e282fe1a85625f777df6bde8e6be7d92de6901528a29c97fba82027281fde1f7cefa2f827bea9

Download Submit
C:\Users\Admin\AppData\Local\TempJSNWN.bat

Filesize
163B

MD5
3aa1f329efa98263ae6cc7490d68de80

SHA1
a1dbf8a2daf345103f9b40ab592015ecd1bf2247

SHA256
7f36f38822581f1e739154d1aaf807c671e26fa73e6507474034732ea3d4b61d

SHA512
7cdd827d7dd312388aa55eeb73a0e5606ca1b48eb3c8c954f16f31b6ac24af788f9a47cda3283adc6179d7b7a5a9ae9e33b40444c571a50a8e7dcd61ebc2a4a7

Download Submit
C:\Users\Admin\AppData\Local\TempLHVUG.bat

Filesize
163B

MD5
d07fc104ba0fcc46760900f097ca77b4

SHA1
cfda47f3bf080962addedbafeb751b4ad7ec41b5

SHA256
1a55ed5d4569d784479ae58e985f8f615ece597f0ecaefb74c74977d7eb6d30f

SHA512
b91c91efb7700b1e1568ce3d00127579da7c96afde45b41937b1e2cc4771c75c08cdb23d7a417300b233f110881a21d024db0b58a7a56de1adfe9f9cb2d2c4d8

Download Submit
C:\Users\Admin\AppData\Local\TempLYGUT.bat

Filesize
163B

MD5
86d89aea799f13b0be1fcfabde9f65fc

SHA1
2cbf6de761e7e053e8ea817f0527da385faf03d3

SHA256
b273a92ecc13311880d4d9393e2b4a1b17ea45c7766c8c24a5536ee620c6d7f7

SHA512
cd99fdd6dc6763511ae0858b69d8d705359867cafd58c9aac203d39dcbc77e99269915d976ccdd2fa08fd66e9f9ff4639954e120d45919018d673a87965cc28f

Download Submit
C:\Users\Admin\AppData\Local\TempMUGNR.bat

Filesize
163B

MD5
e65890858f7fb8dad52e80356b191005

SHA1
2c6e3801a0cc15203581fe5fef35fbe2883edc74

SHA256
54f999d041ba8ca3afddfbe7d58063ea4c3b83fd7463b3216b5e7b0aaa20336d

SHA512
0e8e3164328b88513002fd82fb81dfea8e91e3e08e1f80fbbd47e395409ac56c6ee2847bbdead49d0cceaa33231c415ee570a30ccf90b047e1b44212296f35fd

Download Submit
C:\Users\Admin\AppData\Local\TempNOXTA.bat

Filesize
163B

MD5
2f639433a90ffd80f88b06472aaee1ca

SHA1
dd95f3059098502e98cb1f11ac51b756c509fb67

SHA256
1adf52f8a0dd36c614052aa308038793d2c314af5e50719c6d987888c77f4866

SHA512
24bf0e75536c0e50be3e88c7e95ef7fcf6f9fb17e54620d35e05bbaf251556a81a552f0d5cae5d1c1d8d79d62d87e3ee591e3126de0c0fedacd2c684820db5d4

Download Submit
C:\Users\Admin\AppData\Local\TempNWSAF.bat

Filesize
163B

MD5
afeb668f213817d4b1a9be76781efc92

SHA1
ee411b15b31e74668760c6336509caf7c1ea4014

SHA256
67e6ee9618639ad12271873b3ca1a28f253cc564a8824b20ccaa02d987ca7e12

SHA512
84a77b223af978e42dfd83be7a7707a174f3547843128ab0a384c73dac443ea15fa2844c39b4c220c6c1baf45962557095b711a90b16d3426a0af14442ddfa04

Download Submit
C:\Users\Admin\AppData\Local\TempOKXWJ.bat

Filesize
163B

MD5
a0fd59f2c4e441e3a766d6872c79d8fa

SHA1
69cc925ccae797afc0ce8894a9ae5e243b5bd2fe

SHA256
242d8eb860a3c0a7fb972d393f85a8d4143d356daa3d63326dadea0ce366b0d2

SHA512
94c3615331e8a0a2906b3a7eeaba01ff6a6e8e3e99dea7278c3a31594f424cb5d2fecb9f9ca17aaf1b895f0e7ff6807ac89b84cdb176d0e7b1ecfcc4e7aba99f

Download Submit
C:\Users\Admin\AppData\Local\TempOPYUB.bat

Filesize
163B

MD5
fd57fa28b96aa63b9bf7237817711272

SHA1
a3c675fcf77412ecebcd072c7c29836170b3e2d5

SHA256
94ed8c09695dd7503351259ff03f581948c810b7c1bbe4c9068a1e455bf345b5

SHA512
0daf00af6a649da5d4c3c4541c2cbf4a96c13898b720eb2b4089dcbc24ed9b42e9cccbd9195278bd4e4759bae2ad7656f530dea64d2d844226c4211d3f75d2f9

Download Submit
C:\Users\Admin\AppData\Local\TempRMUIJ.bat

Filesize
163B

MD5
3424321275be7781c76281275c55f309

SHA1
036f761b84acdd5985db09aa97830e9bfaccb0d5

SHA256
996b8480983577a6b0d3725878db018e51f711cfa241ae1ae9859b32ec512536

SHA512
ae20da90975d9d685e536a0eedcfedef9e4bbe5b0ecced73f9ea0949e3b561d6bcabf9256d08dcbc7a109c816fdcb331aa834d245de48e45f1d52818032d1e5a

Download Submit
C:\Users\Admin\AppData\Local\TempTYFGD.bat

Filesize
163B

MD5
aa510925a91da17df6f2479054fc901c

SHA1
4fd8e7069325bf317c22bb49b0c518eb4d93a412

SHA256
45e8a1390fb5978ab378da95221d5e80ba13f641359be868cacb2883b1979666

SHA512
ba521c6179bda3a83ac0d2f16240e84db86322c3622f0def94e5bc0bf77c6c98afbe56dccfa999893824f00b4fc006e5ced6f35d80e63ceccff1e8360923b6ae

Download Submit
C:\Users\Admin\AppData\Local\TempTYKIM.bat

Filesize
163B

MD5
d6c294e6681b6ed947cd0025c2ceaf19

SHA1
eb4c2dd273775666d2bda0086805bd5d93f4f0f7

SHA256
674ca72e2f46c3e4d64ffd731659d9a183b71ad9bd6f2dffb4a63da0995189e0

SHA512
bf3f172d1b8d9316c76d0f2feea7f7cbdcbf7fb3e4376041589ceb866605d1a8dbe57fe2f0c9a3f0c0e3d457b19f259ae625dab51d8571b2de056e3f72eff378

Download Submit
C:\Users\Admin\AppData\Local\TempUFYNW.bat

Filesize
163B

MD5
8e2cdfcb68ab80a91b19acd0bf1e498e

SHA1
2f13701b6e7e1bcb042b14225fa04bcdd22052fc

SHA256
f8f5b95e5d6dde02b4a18f9ef2395222de0c20c221e0bbf558d1eae0c4d98368

SHA512
b460f9d9df74d6aaf66b7b2a103481fa7b089d3092ddbab5c5b0c2a9ac750f35bf4c7ec56b8b19d70cb9e72663065c6433b885367e3fb0b06da94405a85b183f

Download Submit
C:\Users\Admin\AppData\Local\TempVQQFO.bat

Filesize
163B

MD5
bcbbef31d719a1f315f549c0891ab2a9

SHA1
7584ca97576b5ea8dc45b60561feb59d7b807ff0

SHA256
5447661f2ac75a31dcac90c7aa8d421517b33bcaca2fcd7f73dbe11ce2e06305

SHA512
0116c8d44a3306096ead6536087567afde9d930d73c1cdde0ca014891d2f4b872bd911380bca66c46f1544d4812ad810825fb9f34027e5488bdd3a0c19493ada

Download Submit
C:\Users\Admin\AppData\Local\TempWSSHP.bat

Filesize
163B

MD5
40fd2eb397fe6438934c7f2717fa4b27

SHA1
dd83f066f368c414a1f4379271d1de36847c1aa5

SHA256
935322d22cb8d3a8cb22dc881d77bb0af719fc0a3bd7abc154c45274d5c8ffea

SHA512
aa59d8b6e5313279b59b9c4ff9d5392ead400f43cc450b0f74d42997c7a6c6841b5cf6296d9863ec94b97da627b6fefb35208633886421d3701bb924ec26987b

Download Submit
C:\Users\Admin\AppData\Local\TempXWSST.bat

Filesize
163B

MD5
da8b8cfbccd8ff46867d915fb4f0ce64

SHA1
d677da0fa2389853aee1357f530d4d7f41e14309

SHA256
bf81368bd5776172179ad0e8425a48419aac39b80f6e095487a6457c38701e1c

SHA512
245c0eebbcd86c84a1005d1b7a3cec24483e0800244a2f642ca265d019de8396560950ad464833105126cf94c84a1ac2610da3e026e0464f561eb0a5299800a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\GPYGDRVHIFOAGLB\service.exe

Filesize
520KB

MD5
4efe9d93905308633fd9b0c6552103d0

SHA1
1d507659850867e87648367f1df64a2d7b54db93

SHA256
d7c4fdf00d63f717eed91bfb9b5e05d6a8888b03369aa19a1d8e1a78df3c1db7

SHA512
3625c35286e1cd0e04d8ea19e3caffcddfc8fbf43b84b286a761f4f01d013b6204b94c2311a68943cf997f977a7aa783931856706b667e1602d870d34bd3955e

Download Submit
C:\Users\Admin\AppData\Local\Temp\MPEXVEXNDIARIHR\service.exe

Filesize
520KB

MD5
6497f497654ba4c3c8ad725b189e25c1

SHA1
65cd0704db92ac0ba1fbc76ffb114489095f6b1b

SHA256
b9aa02e4368c82b8b83b9fc042cc912ffa9b284b6009bfb65d8dec4f42c83a8c

SHA512
63077db8034285962df7fd1a3524f59ba9882234985dee3ae95238640d8cffa45e92132d62fdff45a2b638eaeb6ebdc96b3dbd60528e96869129857e5434720f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RLEJQCCQVNVJUKG\service.exe

Filesize
520KB

MD5
96e6a28c3e839c91e0ee04046df9a84f

SHA1
92f1fc5febd40f295acc27aa72d64de7347f3692

SHA256
ec37e5505956beddaa7dab00bee1dc200c0e4b6598c925c68d3c69f02d147d6a

SHA512
c2c676b103d092e017fd12b4e67c8d12618c60294b26e0e5310f921919d2e839cbdbd1b6604b89a3ccb3029bd166139b5b19207b9670690e2fc0eb2e4382dbf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\UATDPOQLJQLBPWF\service.exe

Filesize
520KB

MD5
eddb1ea873e6f3b5218765ecee4eac17

SHA1
34d54e7995dcf1802c5b57de985a2be1d3d11572

SHA256
204131a3a45f23fadfb2b48a303bf6e23527a8933a3098e3d46b3a73450a3e66

SHA512
0a8c7e77ba7e97a6499a40079dc922d92dc52cd3ae1bc72a7957789acbd557ad15c232016f3f1f50e706d215feaafbd3966aa9de4d909a27167b2ff73338be46

Download Submit
C:\Users\Admin\AppData\Local\Temp\UNMUIHJECJFUIPK\service.exe

Filesize
520KB

MD5
59da707dcb6a06c88807431f6ec89ad8

SHA1
48d6b04bfc294dec471b9355416d223279c3c22c

SHA256
bfca5b63041c71792ddfb5bf61dfcc7e46bbc67b3fe7520033e7abfae301e077

SHA512
4d39e15ba9af11af7327820171e6a7bd6acc4da2f6a38e05b9f8007b8e5eeb0d94a99546e59fcf970aed9aba9dc836c66f847c93d3e3f323fb114e611810ba97

Download Submit
\Users\Admin\AppData\Local\Temp\FTORVTWHLREBQYP\service.exe

Filesize
520KB

MD5
b922e33e13b8b2c1e89776edcfb06af6

SHA1
47ee7add903f1998a7c07c0c57ec87b214a7c721

SHA256
ca7d6c9f4885b88139fa1a1ae4be8e5dcdfec1fd1267c470ca26a2f0bf8d3819

SHA512
bf3cb9bc7aa9f2ea599ebed95c7cfb6d5a830d008b52de038abc618b888b620bef82808c396e164ef502caaceebcb678d53266a46a98059e7a5d8c776b45d957

Download Submit
\Users\Admin\AppData\Local\Temp\FYIUTVQOVQGUCKB\service.exe

Filesize
520KB

MD5
6684d6193bc73bb6cb0804b92c8f7f1d

SHA1
81e44c7b1f727ef907a19de5d52a76ccd64ec592

SHA256
bb35f2ab2d9c0cfba7ee5190937ccfd67ca3ea533bd03ab0746de0f5060dcb27

SHA512
43c2ba9ee3c3f9c690136186d14024c1f6700c71f9d8ba8db40cabc8fa4e3342c7d56fb7d5cf7ea10aa3756ac78c861b6318e3532a897b970639bd8196595aaf

Download Submit
\Users\Admin\AppData\Local\Temp\HDYRXPFQJHKWAXF\service.exe

Filesize
520KB

MD5
9a1d7abfd627f6c34e7c7ed8bba3e80a

SHA1
86aaf10f7ae207b2302eef21528b30343ae920b3

SHA256
655c647e9a6f32f2a17926e8ec7b15b1a75aeb8801242c8a60261d21a25d739a

SHA512
74288a89d538ca016822d89b901bcbc3bae99fe8a4704717f48a4cf3b2da302843a1f7b14d2d0d6a6e15c81f092766a1407a22f35a4b48a0a3b9ff56b22f345f

Download Submit
\Users\Admin\AppData\Local\Temp\TLKSHGHDBHDYTGO\service.exe

Filesize
520KB

MD5
6632bebf9ca2c799dece47a57c5148e1

SHA1
08b2e39d8f93bf53fcd4c7990f534d251692be6f

SHA256
10abc31c7fac41f9beff6e00a303fed05699eebaee23fe602f8d912580d245ce

SHA512
846d6aa011604683f397825ece21f842e0058ff4688001f178b16fcfd26cf57b6ec4343031ed24cfea1d183274d5ba4e33b3c098cc247bb7a84ad9dfaf3819f1

Download Submit
\Users\Admin\AppData\Local\Temp\VPIOVGHAUBRNYOK\service.exe

Filesize
520KB

MD5
c6005713ab5793c7214e48bd4a60f5c4

SHA1
9cd4f76b749feed965cdc66f565f91c5369ba662

SHA256
e0e83f239ea30b8398c764c63f7cb41949190401e81234dec1dcc2d270608981

SHA512
549b2b763dc2e97797f80fb21861738b18d10a09895f23fb9ef49f856dc3b0086d42d1bf81961a69682ecc3a0edf70e3e3906be59fba9b7bac1eebbc8a8992ea

Download Submit
\Users\Admin\AppData\Local\Temp\XPJCIPYABOTLTHS\service.exe

Filesize
520KB

MD5
22a3c58743bb7ce4e65d807879e84b8a

SHA1
56a809ec9395e8f385ca32ab0cdce7c90dad61c6

SHA256
38a6d5fe99145cc92e7dfd8197213711939043b73a53f8d0a3c6a1940263e613

SHA512
82d9796d55d8ae7bd1f5639eac1b20a2677d50e0dd21abb20d9f5376d1f4467b2159fe52a404df37c45d472da69ca1f40fd9d81bd4c3de03eb9001717b5d1317

Download Submit
\Users\Admin\AppData\Local\Temp\YQKDJQBCPVMUITJ\service.exe

Filesize
520KB

MD5
955c7f5942d15e29c08461e862ca52f6

SHA1
a744d70009647b309c104b4a359305fcf2d59db3

SHA256
6c84b615d94a43a3442d04482214fc32b8bac26334fe2c62fa8976f068f43ab5

SHA512
dca152449690387364d13bfdfd40d30313a0e7d2b502d81e7a93aa032f5b50e3f40f8348f03a25eeaacbbd222878e1aa120b39e64f46e0ea752e06563a9e135f

Download Submit
\Users\Admin\AppData\Local\Temp\YRQAYMLNIGNIYMT\service.exe

Filesize
520KB

MD5
79c84bdb90dc03b6121ffc89c3beb6c8

SHA1
4a434fe38ff9faec2ec23c62d14a4b4cb31dcd4e

SHA256
34a5831cc7031fa640c25e33503a7fd174267348020e8a2bd8e25bd748984d60

SHA512
7dab51b3d2247cf7c132aa12057e66e6aa5c99f12d8774cf3b279a95d34d7b183fb72e5579e38b18fea8226cb60c20ba25e6cefd607d7dae2d8df805bfb7120e

Download Submit
memory/2724-498-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2724-503-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2724-506-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2724-507-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2724-508-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2724-510-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2724-511-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2724-512-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2724-516-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2724-518-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads