blackshades | f3aa6207798c65267372992fc5b909c59c00b8f40b5d9ba21d156f7c95977498

Analysis

max time kernel
149s
max time network
147s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
13/03/2025, 08:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f3aa6207798c65267372992fc5b909c59c00b8f40b5d9ba21d156f7c95977498.exe
Size

520KB
MD5

098f6a0ea095bcaf9af1895393a7e081
SHA1

bdd92ca4e6b0071fce2b5c01ad2f6f190e32cc44
SHA256

f3aa6207798c65267372992fc5b909c59c00b8f40b5d9ba21d156f7c95977498
SHA512

3a8521393b5b048c35ecda2ff67c09eb2be3645733c8db5c387cd6c72da652f689685301c9e2b514a1a3b7c9859f4b76736d168488fe8d2cc10daeaae4b305c8
SSDEEP

12288:zW6n3sX4yCFr2ZemYOpSPIsGWeKZl4q7sioXN:zW6ncoyqOp6IsTl/mXN

Score

10^/10

blackshades defense_evasion discovery persistence rat

Malware Config

Signatures

Blackshades
Blackshades is a remote access trojan with various capabilities.
rat blackshades
Blackshades family
blackshades

Blackshades payload 12 IoCs

resource	yara_rule
behavioral1/memory/3052-498-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/3052-503-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/3052-506-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/3052-507-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/3052-508-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/3052-510-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/3052-511-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/3052-512-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/3052-514-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/3052-515-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/3052-516-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades
behavioral1/memory/3052-518-0x0000000000400000-0x0000000000471000-memory.dmp	family_blackshades

Modifies firewall policy service 3 TTPs 8 IoCs

defense_evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\YRQAYMLNIGNIYMT\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YRQAYMLNIGNIYMT\\service.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\service.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\service.exe:*:Enabled:Windows Messanger"	reg.exe

Executes dropped EXE 19 IoCs

pid	Process
2452	service.exe
2996	service.exe
2504	service.exe
2484	service.exe
1848	service.exe
2196	service.exe
1296	service.exe
1200	service.exe
1520	service.exe
2568	service.exe
2044	service.exe
2808	service.exe
1640	service.exe
1840	service.exe
1872	service.exe
1788	service.exe
1636	service.exe
2928	service.exe
3052	service.exe

Loads dropped DLL 37 IoCs

pid	Process
2608	f3aa6207798c65267372992fc5b909c59c00b8f40b5d9ba21d156f7c95977498.exe
2608	f3aa6207798c65267372992fc5b909c59c00b8f40b5d9ba21d156f7c95977498.exe
2452	service.exe
2452	service.exe
2996	service.exe
2996	service.exe
2504	service.exe
2504	service.exe
2484	service.exe
2484	service.exe
1848	service.exe
1848	service.exe
2196	service.exe
2196	service.exe
1296	service.exe
1296	service.exe
1200	service.exe
1200	service.exe
1520	service.exe
1520	service.exe
2568	service.exe
2568	service.exe
2044	service.exe
2044	service.exe
2808	service.exe
2808	service.exe
1640	service.exe
1640	service.exe
1840	service.exe
1840	service.exe
1872	service.exe
1872	service.exe
1788	service.exe
1788	service.exe
1636	service.exe
1636	service.exe
2928	service.exe

Adds Run key to start application 2 TTPs 18 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\FKYGHSYPNRMUIJC = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TASDPOPLJQLBOWF\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\TFOFXOLGVPAQAPQ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IESYQHRKJLYBYGU\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\URFRCBFXWSTGMTT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SRCONOKIPKANVEP\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\TFNFWOKFVOAPYPQ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IESYQGRKILXBYGU\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\TCCOUKIMHPEFXVE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\LETDLAUAQLGBFVW\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\ANNHQXIEPIJSVXI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BTMRYKAKEYCFVRS\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\CYXBOESOMRDRTOH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VYNHAGNWMSJRFQG\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\VXJNSAGDRRFGBCX = "C:\\Users\\Admin\\AppData\\Local\\Temp\\YRQAYMLNIGNIYMT\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\SGHDBDYTGOINKVS = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IWRAUYWKPUABHET\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\CYMKJNAEAOUMDCE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HKWVWSQXSIVDMDX\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\LQNBNYVBTXSOPCI = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WPOWKJLGELGWKRA\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\DEAAVQDLFKYHSPN = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FTORVTWHMREBQYP\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\GCAQWOFEHCIWESR = "C:\\Users\\Admin\\AppData\\Local\\Temp\\KFUSISMKNDIWVHP\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\UMBVRMAWHXCGWXU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DMWEAPTYFGDLEJX\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\OKIKANVEPUFRCBF = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GPHDRWHIFOAGLCN\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\DIWVHQHRNIYRCSC = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ILXWAXTRAYTJWEN\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\BYMYJIMADNTMCCE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GJVUWRPWSHVDLCX\\service.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\VVIKFDFVJQLPAMY = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BKYUCXNRWDEBJCG\\service.exe"	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f3aa6207798c65267372992fc5b909c59c00b8f40b5d9ba21d156f7c95977498.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
1520	reg.exe
2556	reg.exe
2892	reg.exe
2576	reg.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

description	pid	Process
Token: 1	3052	service.exe
Token: SeCreateTokenPrivilege	3052	service.exe
Token: SeAssignPrimaryTokenPrivilege	3052	service.exe
Token: SeLockMemoryPrivilege	3052	service.exe
Token: SeIncreaseQuotaPrivilege	3052	service.exe
Token: SeMachineAccountPrivilege	3052	service.exe
Token: SeTcbPrivilege	3052	service.exe
Token: SeSecurityPrivilege	3052	service.exe
Token: SeTakeOwnershipPrivilege	3052	service.exe
Token: SeLoadDriverPrivilege	3052	service.exe
Token: SeSystemProfilePrivilege	3052	service.exe
Token: SeSystemtimePrivilege	3052	service.exe
Token: SeProfSingleProcessPrivilege	3052	service.exe
Token: SeIncBasePriorityPrivilege	3052	service.exe
Token: SeCreatePagefilePrivilege	3052	service.exe
Token: SeCreatePermanentPrivilege	3052	service.exe
Token: SeBackupPrivilege	3052	service.exe
Token: SeRestorePrivilege	3052	service.exe
Token: SeShutdownPrivilege	3052	service.exe
Token: SeDebugPrivilege	3052	service.exe
Token: SeAuditPrivilege	3052	service.exe
Token: SeSystemEnvironmentPrivilege	3052	service.exe
Token: SeChangeNotifyPrivilege	3052	service.exe
Token: SeRemoteShutdownPrivilege	3052	service.exe
Token: SeUndockPrivilege	3052	service.exe
Token: SeSyncAgentPrivilege	3052	service.exe
Token: SeEnableDelegationPrivilege	3052	service.exe
Token: SeManageVolumePrivilege	3052	service.exe
Token: SeImpersonatePrivilege	3052	service.exe
Token: SeCreateGlobalPrivilege	3052	service.exe
Token: 31	3052	service.exe
Token: 32	3052	service.exe
Token: 33	3052	service.exe
Token: 34	3052	service.exe
Token: 35	3052	service.exe

Suspicious use of SetWindowsHookEx 22 IoCs

pid	Process
2608	f3aa6207798c65267372992fc5b909c59c00b8f40b5d9ba21d156f7c95977498.exe
2452	service.exe
2996	service.exe
2504	service.exe
2484	service.exe
1848	service.exe
2196	service.exe
1296	service.exe
1200	service.exe
1520	service.exe
2568	service.exe
2044	service.exe
2808	service.exe
1640	service.exe
1840	service.exe
1872	service.exe
1788	service.exe
1636	service.exe
2928	service.exe
3052	service.exe
3052	service.exe
3052	service.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2608 wrote to memory of 2632	2608	f3aa6207798c65267372992fc5b909c59c00b8f40b5d9ba21d156f7c95977498.exe	28
PID 2608 wrote to memory of 2632	2608	f3aa6207798c65267372992fc5b909c59c00b8f40b5d9ba21d156f7c95977498.exe	28
PID 2608 wrote to memory of 2632	2608	f3aa6207798c65267372992fc5b909c59c00b8f40b5d9ba21d156f7c95977498.exe	28
PID 2608 wrote to memory of 2632	2608	f3aa6207798c65267372992fc5b909c59c00b8f40b5d9ba21d156f7c95977498.exe	28
PID 2632 wrote to memory of 2544	2632	cmd.exe	30
PID 2632 wrote to memory of 2544	2632	cmd.exe	30
PID 2632 wrote to memory of 2544	2632	cmd.exe	30
PID 2632 wrote to memory of 2544	2632	cmd.exe	30
PID 2608 wrote to memory of 2452	2608	f3aa6207798c65267372992fc5b909c59c00b8f40b5d9ba21d156f7c95977498.exe	31
PID 2608 wrote to memory of 2452	2608	f3aa6207798c65267372992fc5b909c59c00b8f40b5d9ba21d156f7c95977498.exe	31
PID 2608 wrote to memory of 2452	2608	f3aa6207798c65267372992fc5b909c59c00b8f40b5d9ba21d156f7c95977498.exe	31
PID 2608 wrote to memory of 2452	2608	f3aa6207798c65267372992fc5b909c59c00b8f40b5d9ba21d156f7c95977498.exe	31
PID 2452 wrote to memory of 2460	2452	service.exe	32
PID 2452 wrote to memory of 2460	2452	service.exe	32
PID 2452 wrote to memory of 2460	2452	service.exe	32
PID 2452 wrote to memory of 2460	2452	service.exe	32
PID 2460 wrote to memory of 1968	2460	cmd.exe	34
PID 2460 wrote to memory of 1968	2460	cmd.exe	34
PID 2460 wrote to memory of 1968	2460	cmd.exe	34
PID 2460 wrote to memory of 1968	2460	cmd.exe	34
PID 2452 wrote to memory of 2996	2452	service.exe	35
PID 2452 wrote to memory of 2996	2452	service.exe	35
PID 2452 wrote to memory of 2996	2452	service.exe	35
PID 2452 wrote to memory of 2996	2452	service.exe	35
PID 2996 wrote to memory of 1400	2996	service.exe	36
PID 2996 wrote to memory of 1400	2996	service.exe	36
PID 2996 wrote to memory of 1400	2996	service.exe	36
PID 2996 wrote to memory of 1400	2996	service.exe	36
PID 1400 wrote to memory of 684	1400	cmd.exe	38
PID 1400 wrote to memory of 684	1400	cmd.exe	38
PID 1400 wrote to memory of 684	1400	cmd.exe	38
PID 1400 wrote to memory of 684	1400	cmd.exe	38
PID 2996 wrote to memory of 2504	2996	service.exe	39
PID 2996 wrote to memory of 2504	2996	service.exe	39
PID 2996 wrote to memory of 2504	2996	service.exe	39
PID 2996 wrote to memory of 2504	2996	service.exe	39
PID 2504 wrote to memory of 840	2504	service.exe	40
PID 2504 wrote to memory of 840	2504	service.exe	40
PID 2504 wrote to memory of 840	2504	service.exe	40
PID 2504 wrote to memory of 840	2504	service.exe	40
PID 840 wrote to memory of 1956	840	cmd.exe	42
PID 840 wrote to memory of 1956	840	cmd.exe	42
PID 840 wrote to memory of 1956	840	cmd.exe	42
PID 840 wrote to memory of 1956	840	cmd.exe	42
PID 2504 wrote to memory of 2484	2504	service.exe	43
PID 2504 wrote to memory of 2484	2504	service.exe	43
PID 2504 wrote to memory of 2484	2504	service.exe	43
PID 2504 wrote to memory of 2484	2504	service.exe	43
PID 2484 wrote to memory of 2672	2484	service.exe	44
PID 2484 wrote to memory of 2672	2484	service.exe	44
PID 2484 wrote to memory of 2672	2484	service.exe	44
PID 2484 wrote to memory of 2672	2484	service.exe	44
PID 2672 wrote to memory of 2964	2672	cmd.exe	46
PID 2672 wrote to memory of 2964	2672	cmd.exe	46
PID 2672 wrote to memory of 2964	2672	cmd.exe	46
PID 2672 wrote to memory of 2964	2672	cmd.exe	46
PID 2484 wrote to memory of 1848	2484	service.exe	47
PID 2484 wrote to memory of 1848	2484	service.exe	47
PID 2484 wrote to memory of 1848	2484	service.exe	47
PID 2484 wrote to memory of 1848	2484	service.exe	47
PID 1848 wrote to memory of 2284	1848	service.exe	48
PID 1848 wrote to memory of 2284	1848	service.exe	48
PID 1848 wrote to memory of 2284	1848	service.exe	48
PID 1848 wrote to memory of 2284	1848	service.exe	48

C:\Users\Admin\AppData\Local\Temp\f3aa6207798c65267372992fc5b909c59c00b8f40b5d9ba21d156f7c95977498.exe
"C:\Users\Admin\AppData\Local\Temp\f3aa6207798c65267372992fc5b909c59c00b8f40b5d9ba21d156f7c95977498.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2608
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\TempRSPYK.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2632
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DIWVHQHRNIYRCSC" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ILXWAXTRAYTJWEN\service.exe" /f
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:2544
- C:\Users\Admin\AppData\Local\Temp\ILXWAXTRAYTJWEN\service.exe
  "C:\Users\Admin\AppData\Local\Temp\ILXWAXTRAYTJWEN\service.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2452
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\TempGTBPO.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2460
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "BYMYJIMADNTMCCE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GJVUWRPWSHVDLCX\service.exe" /f
      4⤵
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      PID:1968
- - C:\Users\Admin\AppData\Local\Temp\GJVUWRPWSHVDLCX\service.exe
    "C:\Users\Admin\AppData\Local\Temp\GJVUWRPWSHVDLCX\service.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2996
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\TempPPYAU.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1400
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "LQNBNYVBTXSOPCI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\WPOWKJLGELGWKRA\service.exe" /f
        5⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:684
  - - C:\Users\Admin\AppData\Local\Temp\WPOWKJLGELGWKRA\service.exe
      "C:\Users\Admin\AppData\Local\Temp\WPOWKJLGELGWKRA\service.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2504
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempQUPXL.bat" "
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:840
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SGHDBDYTGOINKVS" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IWRAUYWKPUABHET\service.exe" /f
        6⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1956
    - - C:\Users\Admin\AppData\Local\Temp\IWRAUYWKPUABHET\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\IWRAUYWKPUABHET\service.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2484
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempRMUIJ.bat" "
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2672
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "DEAAVQDLFKYHSPN" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FTORVTWHMREBQYP\service.exe" /f
        7⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2964
      - C:\Users\Admin\AppData\Local\Temp\FTORVTWHMREBQYP\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\FTORVTWHMREBQYP\service.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1848
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempUASWR.bat" "
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2284
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "VVIKFDFVJQLPAMY" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BKYUCXNRWDEBJCG\service.exe" /f
        8⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2912
        
        C:\Users\Admin\AppData\Local\Temp\BKYUCXNRWDEBJCG\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BKYUCXNRWDEBJCG\service.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2196
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempDLDGV.bat" "
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:992
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "GCAQWOFEHCIWESR" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\KFUSISMKNDIWVHP\service.exe" /f
        9⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:688
        
        C:\Users\Admin\AppData\Local\Temp\KFUSISMKNDIWVHP\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KFUSISMKNDIWVHP\service.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1296
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempDPVLJ.bat" "
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1908
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "UMBVRMAWHXCGWXU" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\DMWEAPTYFGDLEJX\service.exe" /f
        10⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1792
        
        C:\Users\Admin\AppData\Local\Temp\DMWEAPTYFGDLEJX\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DMWEAPTYFGDLEJX\service.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1200
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempJJSNW.bat" "
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1904
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "FKYGHSYPNRMUIJC" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\TASDPOPLJQLBOWF\service.exe" /f
        11⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:880
        
        C:\Users\Admin\AppData\Local\Temp\TASDPOPLJQLBOWF\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TASDPOPLJQLBOWF\service.exe"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1520
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempNVHOS.bat" "
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2560
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TFNFWOKFVOAPYPQ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IESYQGRKILXBYGU\service.exe" /f
        12⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2580
        
        C:\Users\Admin\AppData\Local\Temp\IESYQGRKILXBYGU\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\IESYQGRKILXBYGU\service.exe"
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2568
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempNWIOT.bat" "
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:2588
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TFOFXOLGVPAQAPQ" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IESYQHRKJLYBYGU\service.exe" /f
        13⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1196
        
        C:\Users\Admin\AppData\Local\Temp\IESYQHRKJLYBYGU\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\IESYQHRKJLYBYGU\service.exe"
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2044
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempEYXMV.bat" "
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:2516
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "URFRCBFXWSTGMTT" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SRCONOKIPKANVEP\service.exe" /f
        14⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2780
        
        C:\Users\Admin\AppData\Local\Temp\SRCONOKIPKANVEP\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SRCONOKIPKANVEP\service.exe"
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2808
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempXWSTT.bat" "
        14⤵
        System Location Discovery: System Language Discovery
        
        PID:1928
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "OKIKANVEPUFRCBF" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\GPHDRWHIFOAGLCN\service.exe" /f
        15⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:640
        
        C:\Users\Admin\AppData\Local\Temp\GPHDRWHIFOAGLCN\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\GPHDRWHIFOAGLCN\service.exe"
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1640
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempAGUCQ.bat" "
        15⤵
        System Location Discovery: System Language Discovery
        
        PID:1860
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CYMKJNAEAOUMDCE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\HKWVWSQXSIVDMDX\service.exe" /f
        16⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3028
        
        C:\Users\Admin\AppData\Local\Temp\HKWVWSQXSIVDMDX\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\HKWVWSQXSIVDMDX\service.exe"
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1840
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempEYNJR.bat" "
        16⤵
        System Location Discovery: System Language Discovery
        
        PID:2916
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TCCOUKIMHPEFXVE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\LETDLAUAQLGBFVW\service.exe" /f
        17⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:668
        
        C:\Users\Admin\AppData\Local\Temp\LETDLAUAQLGBFVW\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LETDLAUAQLGBFVW\service.exe"
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1872
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempJGPBH.bat" "
        17⤵
        System Location Discovery: System Language Discovery
        
        PID:1356
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "ANNHQXIEPIJSVXI" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BTMRYKAKEYCFVRS\service.exe" /f
        18⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:836
        
        C:\Users\Admin\AppData\Local\Temp\BTMRYKAKEYCFVRS\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BTMRYKAKEYCFVRS\service.exe"
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1788
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempKLUQE.bat" "
        18⤵
        System Location Discovery: System Language Discovery
        
        PID:692
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "CYXBOESOMRDRTOH" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\VYNHAGNWMSJRFQG\service.exe" /f
        19⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1792
        
        C:\Users\Admin\AppData\Local\Temp\VYNHAGNWMSJRFQG\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\VYNHAGNWMSJRFQG\service.exe"
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1636
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\TempSFMHM.bat" "
        19⤵
        System Location Discovery: System Language Discovery
        
        PID:2896
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "VXJNSAGDRRFGBCX" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YRQAYMLNIGNIYMT\service.exe" /f
        20⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1584
        
        C:\Users\Admin\AppData\Local\Temp\YRQAYMLNIGNIYMT\service.exe
        
        "C:\Users\Admin\AppData\Local\Temp\YRQAYMLNIGNIYMT\service.exe"
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2928
        
        C:\Users\Admin\AppData\Local\Temp\YRQAYMLNIGNIYMT\service.exe
        
        C:\Users\Admin\AppData\Local\Temp\YRQAYMLNIGNIYMT\service.exe
        20⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:3052
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        21⤵
        System Location Discovery: System Language Discovery
        
        PID:2644
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        22⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2892
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\YRQAYMLNIGNIYMT\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YRQAYMLNIGNIYMT\service.exe:*:Enabled:Windows Messanger" /f
        21⤵
        System Location Discovery: System Language Discovery
        
        PID:2640
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\YRQAYMLNIGNIYMT\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\YRQAYMLNIGNIYMT\service.exe:*:Enabled:Windows Messanger" /f
        22⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2556
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        21⤵
        System Location Discovery: System Language Discovery
        
        PID:2696
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        22⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2576
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f
        21⤵
        System Location Discovery: System Language Discovery
        
        PID:2580
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\service.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\service.exe:*:Enabled:Windows Messanger" /f
        22⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1520

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\TempAGUCQ.bat

Filesize
163B

MD5
050579798afbf98ce0cdfcf10e49106f

SHA1
cd49b641a870966344baa58340df16c9e5d5aa17

SHA256
48df32178b0c2afa0018ae749a3cfdd4ae3ca92dd23d3da9e76bdbb2a8862a03

SHA512
83e2bc128b2c55b1b1a5d7f917b8c81e054a34cdd7546e75d8e07cf9a532b65835efd0895d740dec3bac4f0befc45d7b1d4367c15c04e79eec70caf447ebf934

Download Submit
C:\Users\Admin\AppData\Local\TempDLDGV.bat

Filesize
163B

MD5
4038855595a4f650dbd6d22d58e832c0

SHA1
fb0056ba39cbf0d6306776e428168c71c9661512

SHA256
1984a86a8e62ff88a864f5536e248067df26f3ca2d64400d7bb2d2ff6938f72a

SHA512
a20962f1b2308a51407854a35bef6f18ab22a046eee860d13d6a029fc074dda828000137174a1796cb1a930209a7c053a58b78d6e77f9b47ce2ab0bc9ebdd1a0

Download Submit
C:\Users\Admin\AppData\Local\TempDPVLJ.bat

Filesize
163B

MD5
444b445006c240d1042b7c173b4b75da

SHA1
33464aa7f34b5a6045d818e9467fd20c97bd6642

SHA256
ec2db76a717376204f4d1ee9daab4bdcee87fd1004ac4722b47649f224024ff6

SHA512
103d2bd1d43a9312a2a8c4d27bb8e3e5c3e0d2dc2ba3bc0ba7d794ce69949599d4cbec4ff6fe74cbbc677dc372bd5e6902d157fd3db9033c53388212dcf2419d

Download Submit
C:\Users\Admin\AppData\Local\TempEYNJR.bat

Filesize
163B

MD5
5a2d7d2fdf8d93d974d5b1e5e9e8b3ab

SHA1
b73cae44242128fcf54c491ac6d0e9a8fcc0b95a

SHA256
1a61b4e919fd369fb247a817b852f0a7bd734baaecf59f66651740439822c7d8

SHA512
8e701b26d3c19db47f9d86cfe05df722218d706b3c258557c240d2c6e9b5ea528a241eb7c4eb1be11606e9379d0ef2884839f0d4f9b591d9457e37443471a37f

Download Submit
C:\Users\Admin\AppData\Local\TempEYXMV.bat

Filesize
163B

MD5
8bea96662a5afa9d87935881b193af43

SHA1
287f5680785fee15d8da96c167a77663dedf5040

SHA256
eb6bec92c06a9b93f0d2ff6c33982c2624699bc765cbcfe9339da3ac33bf3927

SHA512
f5cd157caf9b54ce653fb8c552a970acbe974815fe818d75d87ad73c1b21b0e15f52fbba2927ea2eed685eb662e0112e9c1331588ee4f3ca7d97e94a1a48ddac

Download Submit
C:\Users\Admin\AppData\Local\TempGTBPO.bat

Filesize
163B

MD5
9b656d82a7cc8cdb63de9c9c277f3855

SHA1
955a19e44ecc27718e7791664b1c43dd422a983c

SHA256
b67985c3804d7856040a4af7169866340aa6921633f1a0b292eed0679171356b

SHA512
c5c4ef71f09fee74a8d762125b71859bf5189fd2dec379266f9bcabe4fb54b295041469222a3d2ae4a3f33c2ee44fcf595b42a01dbd0f88288747f38d47ae90b

Download Submit
C:\Users\Admin\AppData\Local\TempJGPBH.bat

Filesize
163B

MD5
204d107dd43ef702d111a72efa7285ae

SHA1
5ff359dffcb46bb4fec139f5c6a772ce63b921d2

SHA256
cfa4701cea969edc4871d7db3fc85aa9433f37db72cfc8c8b71d4adeb02b2abe

SHA512
d4c9a704015554497723bd537a6b0643e67888609036c16185d5fbf8d9922f85f2e18c242d3f9186b0fdb75d7ccfd7b36f1282434560f6a44180eb348257bc55

Download Submit
C:\Users\Admin\AppData\Local\TempJJSNW.bat

Filesize
163B

MD5
da47f5254bf44aa3db54f59b6961ec78

SHA1
57ce8bafde01f6cd8aab29a61371f5e36bdf45b8

SHA256
9c03db5945f6e0013e387386f2e26035e8b1dbf83f94b3732797b3626f71bdb8

SHA512
483d5b5a359255925644db2a296f9ef3be90533c7575bcd195df01f663ffeee65cc8a7c7c39842fd423af3d35c9165e6af9182b458e47c9d8fadccc0f01518e2

Download Submit
C:\Users\Admin\AppData\Local\TempKLUQE.bat

Filesize
163B

MD5
7d45cdc80375c5f3de4f93c29f836de4

SHA1
2a8d2e36e0bc939663044d0bc07abadf4c4ca1c2

SHA256
9a6da83ea8053446d3fa4c4648d6e2cf8cd866a7b7c1340e8812dc0f4b5b1cab

SHA512
8efacfd15a6cf31949ddadaebc8ed69f685cddd3f2152ae7469b31b837a91c7bc7a48a9bbd889d8620438ecb675a3f4fb4fc8ac70b9cdf14f14f262979a7cdad

Download Submit
C:\Users\Admin\AppData\Local\TempNVHOS.bat

Filesize
163B

MD5
9f1113f4fe391674bea21ecc74339124

SHA1
a03ee33558a6569dc4776b62d71d2ca27b8f1bb8

SHA256
0a2ba046d353c53112ba3c7b82e6c007f8d90561e64f214fcee8397d69caebfa

SHA512
14304e185205fe93d08efd498f9cf4d22a0efc7c9b28c832488361d9b18aac5d9893865b373348175b7a3653e0213bb779d881b6116ddab657763c8dc73d8143

Download Submit
C:\Users\Admin\AppData\Local\TempNWIOT.bat

Filesize
163B

MD5
5385ab3f2df8744a0cb4999c9577fb04

SHA1
26fe6b76c6a71cb798a0ac87e6b3ab5e76a56ca5

SHA256
272d1cba893caecc15ad2b2f99d7f16f68f6698a4886d181b8edf76a24a73f83

SHA512
1199937d96bb3622ba3f69f5ed15aa5656b68f81e5ae55b294f02648920a765a780ee03d0637ca6b578fbda2ac411c53b2e456e9d34afa08da9acd1bca8b4d8d

Download Submit
C:\Users\Admin\AppData\Local\TempPPYAU.bat

Filesize
163B

MD5
67410272d22b9bbd70ed450766c8c68e

SHA1
55cbd18ea08b9bf89e1dec51c5f1d91322dd8365

SHA256
0c8d1a8baa608fa81bd4c532058ab5aefbc77eb6991b1c74be9eba3a8f07b05b

SHA512
373b6cd7cef1b425a8614df4a8b617a5e4399239f34da9fe01d7939cdb4c7853fbb5d58ad64200cbdb1087726688a7c6ed8aff62fe9014b3057ca85b77bfc45e

Download Submit
C:\Users\Admin\AppData\Local\TempQUPXL.bat

Filesize
163B

MD5
5d0d5ad40d6fd09a0d716640cbfa1ac8

SHA1
ccaf0e23a3cff154b4863714b904dde9f3a05e47

SHA256
7e9d503b5dcf215ce570cee881dbf382d056c6d601e8859ff668b1348cce0159

SHA512
8b6a6f15623f84655016c2877899c30d5b3e475d666c3f08a175f1efcdd08231927338c839d2d3f4d9fb7ab6c58c68df1c09b8e28277ca9bc8b1a92d8961d4f2

Download Submit
C:\Users\Admin\AppData\Local\TempRMUIJ.bat

Filesize
163B

MD5
a4963aba3ce95dbdbc2a8b355d15db70

SHA1
6381c3fddf31277e3a643371d13707bcc036b5c0

SHA256
14acce0c2ba59b3163b863693b8832963e8ae5896d90f754a4c71215cbab6683

SHA512
6a9826e06a2574fbd4e2fb230605e8bce06012cf2bdbc8ec2f2dc7c7a31173588a916d853d35266c124748b9ac7f0044893fd9d6635cf05153b68171d6cc3795

Download Submit
C:\Users\Admin\AppData\Local\TempRSPYK.bat

Filesize
163B

MD5
090909ca1785fa80fa9dd22eead200a4

SHA1
56b9a1127770768cf49b5a9e5ee9a019b4501279

SHA256
c837fd6cfc3672b79cd9ae30027cdfafd78a5a4bbbb487e70cd700cdc7a2b7bf

SHA512
1a267a6ed956e41deb814a28ce643ba994cbb8ae9e8d4cf457c4ccf28e339a887032892db5c45e7567a33485cd6b2c6d291d01a85ab5698aa2e25f5c7fd75276

Download Submit
C:\Users\Admin\AppData\Local\TempSFMHM.bat

Filesize
163B

MD5
238b8542684c796dcc40a8519043cce6

SHA1
cc4e9375c876fd2c5869fc78d6904e4f1fd1ea1e

SHA256
0cabf21b35c73204b187b7f33a906387926523df4e9858e80409ac41e309d7dd

SHA512
b9276a1c8c48fdf452e0621617f4bdf03c05bb75741a885e4ec3e236fe82bcdbecec3e60daa7108734b0747b61c3054d628b2eddad82a90d8d9ccf5f1b3e54c0

Download Submit
C:\Users\Admin\AppData\Local\TempUASWR.bat

Filesize
163B

MD5
3e4a7a2b84381e2488076a7200d0cbc6

SHA1
7cf976355de64025fea70508b177c41d0f6ce820

SHA256
26ff5ce492555b9cbfe9af2cbf2263a042534f6ebaefd34b059a5c0587438a72

SHA512
d9cbd5204daef2832928457aaf4979b710bbb15109318a1be6e338056779f771e8fa6c5a3893461286d6657abdc264ce448163800fdf12197683ac5ca3e31600

Download Submit
C:\Users\Admin\AppData\Local\TempXWSTT.bat

Filesize
163B

MD5
037d4ccf53fb74dd09eaccf5147659f9

SHA1
8de88774768a118f44715e801f808de1fa98804c

SHA256
a8b2507cb48b4ed950fce588e63b21afae7618adc62f97bc2b855311a03d3a9e

SHA512
99fde0b1015aa9eba4db958ccd347daac52eb16fa159d6fca255bf261948c46583aeb8b1bd59e5e29f39c4062fafa1f671e300f2f3accfe9eb13fe065b8f1d55

Download Submit
C:\Users\Admin\AppData\Local\Temp\ILXWAXTRAYTJWEN\service.exe

Filesize
520KB

MD5
08cbd50f24da119fa211c52e543d9531

SHA1
6552ce86a0aa9ea037764e1dff9369561af2a797

SHA256
9da9ea74013bad949e808d3c485df22ab854295081c06ad148ca01e0f1816630

SHA512
e8f3d0fc66294fcd0ad3ff63fa0bc98828d1d8efc91611c06fa3b667dd2d5c1fb0b8d2bfb1dbe75b65888c23f90ab94b4e879215d510d00f499c7c0c1d6314d2

Download Submit
\Users\Admin\AppData\Local\Temp\BKYUCXNRWDEBJCG\service.exe

Filesize
520KB

MD5
ab80de26c060cddee3265e30d47eaad9

SHA1
a5594f6bcf6c1605bc62551c4124b60e30787b69

SHA256
18cc6b2c6c1aff3e173da284a3d01c7768cb2556c4e1df9faf947bf1893b4acb

SHA512
7f90fbfdde76bd5770ee5053ad731c0048f2862007c67dd871584917ada8ea9cfc7b4343be37943d93ce50d92945ac6fa8366dfa8b6405fa8e361907b499a718

Download Submit
\Users\Admin\AppData\Local\Temp\DMWEAPTYFGDLEJX\service.exe

Filesize
520KB

MD5
712e5f810e2b502a5e8c49fb53aa8b4c

SHA1
3dc4c8782cff5db18dd58496c3923c550619f556

SHA256
13750542086b6a033a9b8192397ed8681c4e1ed82b3629edb953dde843150d0e

SHA512
ee3f1f75b254a78640077851e8b50f086c45449ae5a2587c8b5f0762317ec4579fe840af18eacfb4c2444e8e07cf272ca8a95a5a6a55252fad799c8e8d5cb22a

Download Submit
\Users\Admin\AppData\Local\Temp\FTORVTWHMREBQYP\service.exe

Filesize
520KB

MD5
c749e65e82f6919c9cf80271c1f5507e

SHA1
afca8082539afaf944c4170aee47903ca80eec23

SHA256
78bd8f59bc43bcb59f8f7958004863b64610c682c650f72bae3f13789b94c221

SHA512
db0089ebe4ff67e47208555bbafb526b614286620dfc611e330800a2d82b3722d8e2fe10cd88f15f86bda91a6409b66625b88340cb1ad495fe706c4ec567f6ee

Download Submit
\Users\Admin\AppData\Local\Temp\GJVUWRPWSHVDLCX\service.exe

Filesize
520KB

MD5
78623beca3115976094f8b8ca74ad2fd

SHA1
611278af4018298e2b5a9f9a5211d8babcf309a0

SHA256
c4aa6af10807c5bae42cf3547d9cafaae6dfbc0cd0970cedbac03ce941099f52

SHA512
aa18c39b3bfaca5367d50645724a5306c9028fa2dcd2f53219eee3f4a69982af19b8fe0251c272b56c99d5af68aa18ae9367d06c8f2af9a12f7148e74e1933be

Download Submit
\Users\Admin\AppData\Local\Temp\GPHDRWHIFOAGLCN\service.exe

Filesize
520KB

MD5
d80eabff0a3362524f60d14b285380dd

SHA1
55d5aa6189141a6ae6a5d3a0ae3c6a8d381f4efa

SHA256
cb523d7e3d5abc6cb996bf705875b541f2d0c43dafcc9628f696cd71c932c10b

SHA512
72248d60919f74c37e55aa7f1222bbdca0cbf8ee0352fdb7493f949a4fdc2b9b564050300bbbd7071bf31ffd12486270ae70421fd92e81ca096fc734edc8f17a

Download Submit
\Users\Admin\AppData\Local\Temp\IESYQGRKILXBYGU\service.exe

Filesize
520KB

MD5
010123da3381a9acc6a3e6ce708f3062

SHA1
40f80b2a7d3d3ba32a3409b681ec396ca380e941

SHA256
d025a047ecafe5277fec39bf6ac029f9dacbb260ec8bd66e9128bf0edbcd298b

SHA512
9a2c136d205a562d3c20485c606f45e381eb7021333c5e4b52a6d5ff8a57acd653a49165d0d4e16f68cb394217bdb507974d824a71defafad4e5192fe7ba9b40

Download Submit
\Users\Admin\AppData\Local\Temp\IESYQHRKJLYBYGU\service.exe

Filesize
520KB

MD5
b26142eb9ccee28ce26d4707af0e15a3

SHA1
728ea2edc4a10ea9906402bdd262d76bf0f23981

SHA256
6f6eefc1e6774a05a6ca0ac0ba41800e046fecc670ecc37153e81b90fd79deba

SHA512
7087ce6bac72ef69073b269ddc146a5921182574e2796408e5f53705942b6628246cd1647d4255f849887ff239136975279b605387760e52a5c4f420091789c8

Download Submit
\Users\Admin\AppData\Local\Temp\IWRAUYWKPUABHET\service.exe

Filesize
520KB

MD5
c9a5d2099c94809001e7c803aa4ed896

SHA1
dac882bede2b2792d468f8ea859929004b0b051e

SHA256
149a09c144513c8d6f337a5d6be9cca4ce7becd99c9bcde68246351a7cc326fb

SHA512
aeae3dd90623fdf5b8ca629cb76a7f19e19479559a8432ac151d48d0afcb347b9ff5da35c19b0e66cccb66dd82a4925ce2d762baaae36192b00792881d63ec9d

Download Submit
\Users\Admin\AppData\Local\Temp\KFUSISMKNDIWVHP\service.exe

Filesize
520KB

MD5
3dcf68cf22b21587e9d49ec06fd71d39

SHA1
8fe65ff1d5d1f28b77e68bc24160a1f58fa72bfb

SHA256
bdba7bfb44de9ae9740d7ec51bab72c52cb2f899d2bec9169de351b14c879a61

SHA512
eb3ff73a73ff773be2ac0cb0f7bba0a9185ce6095ee37056f9a9dcb28dee4e0a5acbbd26aef59e8a598949b492f35b6c5479f1bf8c1cc4af44a8f1131bfd41dc

Download Submit
\Users\Admin\AppData\Local\Temp\SRCONOKIPKANVEP\service.exe

Filesize
520KB

MD5
590f295e3a530f8e263848415d0a1fa6

SHA1
cf2adb633ab920a6fffb27554a9b5bd3602c9e5e

SHA256
d3a4622565c166e60ffa5b2312aa1ea6cd73581dee83eb44aa0c8e0df88d17aa

SHA512
1f0de538ce45f609ef2ba3824e19e6152d7da5496fdd4230778832bb7ad0309997ad447572642e52a5e5bdef8028e756aa4fa434191de79fd01b5fb1a988d1e7

Download Submit
\Users\Admin\AppData\Local\Temp\TASDPOPLJQLBOWF\service.exe

Filesize
520KB

MD5
2bab7265a3f0fa4749f5988a30f84b59

SHA1
d137f4d87f7be5f98debf9319d332a192880aaf7

SHA256
57e3dec31080f6469affa0581703ed5e96597413b81ceb0a66d5de757147a32a

SHA512
43e18f2b2d4fe0b9d357e21dee2ad02da1bc1505611561a9be3362dfa15691bbca43d09b5b0b80386dd7422c55b916210cff1fe7230d4c8e51af44af3b741a4b

Download Submit
\Users\Admin\AppData\Local\Temp\WPOWKJLGELGWKRA\service.exe

Filesize
520KB

MD5
607fc185c5f1e8f0333609c4c6f72ac3

SHA1
daf31f47a01058ef9fd68da7e16ab22f6afae852

SHA256
ccfaea023281b9072ec12b8dd637ee7f0be8c3afd475a2d9b4293d743b0ef5f8

SHA512
4cdd374d0c70e0f88f546363aac2850603d901d4825a7ad8c8585971b1c76e4d63910f7213363bc27cfef00db23312eb32f38f2d69f6d258e1c712689cbd12b4

Download Submit
memory/3052-498-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3052-503-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3052-506-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3052-507-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3052-508-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3052-510-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3052-511-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3052-512-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3052-514-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3052-515-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3052-516-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3052-518-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads